Usernames containing + cannot be autoprovisioned

[cakiwi]

Describe the bug

Usernames containing + cannot be autoprovisioned

Steps to reproduce

Steps to reproduce the behavior:

1. Run a deployment using keycloak.
2. Set realm login to use email as username (not required, can just set the username to contain +)
3. Register a user using + in the local part. a+b@example.org
4. Sign-in to oCIS

Expected behavior

Login to oCIS should occur.

Actual behavior

Login Error.
Your user session is invalid or has expired.
If you like to login with a different user please proceed to exit.

{"level":"error","service":"proxy","error":"500 Internal Server Error","time":"2022-07-01T16:59:23Z","message":"Error creating user"}
{"level":"error","service":"proxy","error":"500 Internal Server Error","time":"2022-07-01T16:59:23Z","message":"Autoprovisioning user failed"}
{"level":"error","service":"proxy","error":"500 Internal Server Error","time":"2022-07-01T16:59:23Z","message":"Could not get user by claim"}
{"level":"error","service":"proxy","error":"500 Internal Server Error","time":"2022-07-01T16:59:23Z","message":"Error creating user"}
{"level":"error","service":"proxy","error":"500 Internal Server Error","time":"2022-07-01T16:59:23Z","message":"Autoprovisioning user failed"}
{"level":"error","service":"proxy","error":"500 Internal Server Error","time":"2022-07-01T16:59:23Z","message":"Could not get user by claim"}

Setup

owncloud/ocis:2.0.0-beta.4

https://owncloud.dev/ocis/deployment/ocis_keycloak/
Originally changed realm login to use email as username.

[C0rby]

Just some notes because I can't work on this for the next two weeks.

So the issue is here: https://github.com/cs3org/reva/blob/0b65112600ccfd07504c8927d96c7a1e9ac85e7b/pkg/utils/ldap/identity.go#L534

We aren't escaping the memberName correctly which results in this error when parsing the filter:
LDAP Result Code 201 "Filter Compile Error": ldap: invalid characters for escape in filter: encoding/hex: invalid byte: U+002B '+' (&(objectclass=groupOfNames)(member=uid=corby\+,ou=users,o=libregraph-idm))

Our filter looks like this (&(objectclass=groupOfNames)(member=uid=corby\\5c+,ou=users,o=libregraph-idm)) but the parser expects (&(objectclass=groupOfNames)(member=uid=corby\\2B,ou=users,o=libregraph-idm))"

My temporary change to check the fix was this:

func (i *Identity) getGroupMemberFilter(memberName string) string {
      return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
          i.Group.Filter,
          i.Group.Objectclass,
          i.Group.Schema.Member,
~         strings.ReplaceAll(memberName, "+", "2B"),
      )
  }

With that change logging into oCIS was possible.

[rhafer]

Our filter looks like this (&(objectclass=groupOfNames)(member=uid=corby\\5c+,ou=users,o=libregraph-idm))

Actually I think that filter is correct. However, it seems there is a but in libregraph/idm that fails to correctly reescape the filter when decompiling it from BER to string. And the later for what ever reason tries to re-compile that string to BER, which fails because of wrong escaping 🤦‍♂️

Somewhere here: https://github.com/libregraph/idm/blob/491c539a42bb90395ea23dcc11181891f244f2b4/pkg/ldapserver/search.go#L25

I think the is mainly caused by idm using it's own fliter compliation/de-compliation code instead of the stuff coming from go-ldap.

[rhafer]

Should be fixed with: libregraph/idm#68

[rhafer]

Fix has been merged into ocis with: #4132

[rhafer]

Actually it still doesn't fully work. 😭 let's reopen...

[rhafer]

final fix was in idm libregraph/idm#71 which was merged with #4200