Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

do not allow conflicting usernames where only difference is case #596

Conversation

mishaschwartz
Copy link
Collaborator

Do not allow users to have the same username that only differs in terms of upper/lowercase
Ziggurat foundations assumes that users will not have usernames that differ in terms of case.
This means that if the database contains a user with the username "Test" and another with the username "test". The login procedure will not know to differentiate the two.

Resolves #595

Copy link

codecov bot commented Nov 8, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (436c7f9) 80.92% compared to head (d6d1666) 81.01%.
Report is 9 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #596      +/-   ##
==========================================
+ Coverage   80.92%   81.01%   +0.09%     
==========================================
  Files          73       73              
  Lines       10194    10194              
  Branches     1824     1824              
==========================================
+ Hits         8249     8259      +10     
+ Misses       1622     1616       -6     
+ Partials      323      319       -4     
Files Coverage Δ
magpie/__meta__.py 100.00% <100.00%> (ø)
magpie/api/exception.py 92.45% <100.00%> (ø)
magpie/api/management/user/user_utils.py 97.23% <100.00%> (ø)
magpie/models.py 90.12% <100.00%> (ø)
magpie/ui/utils.py 73.74% <100.00%> (+2.35%) ⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Collaborator

@fmigneault fmigneault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The valid user name regex should be updated to directly disallow uppercase.
We shouldn't have to go back everywhere to apply lower().

There should also be a new migration script (see the makefile migrate/revision target to generate the next script) that applies lower() to any existing user name just to make sure.

Finally, I propose that another more explicit message is added to check_user utility to verify if user_name != user_name.lower() and raise the relevant error that will better guide the registering user why their user name is considered invalid.

@@ -135,7 +135,7 @@ def _get_group(grp_name):
user_params = {"with_param": False}
if user_checked:
user_params["with_param"] = True
if compare_digest(user_checked.user_name, user_name):
if compare_digest(user_checked.user_name.lower(), user_name.lower()):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We must avoid tweaking the values. That can give timing attack information. If lowercase is enforced anyway from the next version, that will not be necessary.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -567,7 +567,7 @@ def create_user(self, data):
if len(user_name) > get_constant("MAGPIE_USER_NAME_MAX_LENGTH", self.request):
data["invalid_user_name"] = True
data["reason_user_name"] = "Too Long"
if user_name in [usr["user_name"] for usr in user_details]:
if user_name.lower() in [usr["user_name"].lower() for usr in user_details]:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not needed here. Enforce it directly from the DB/API.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the point of these checks then?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The best would be to avoid duplicating the logic in the UI and leave all validations on the API side that can report more specific error messages.
However, given how small this change is, it is fine to leave it as is.
Disregard my previous comment.

CHANGES.rst Outdated
Comment on lines 12 to 16
* Do not allow users to have the same username that only differs in terms of upper/lowercase
Ziggurat foundations assumes that users will not have usernames that differ in terms of case.
This means that if the database contains a user with the username "Test" and another with the username "test". The
login procedure will not know to differentiate the two.
(fixes `#595 <https://github.com/Ouranosinc/Magpie/issues/595>`_).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use format `User` and ``user_name`` as employed for the rest of the docs.

Missing dot at the end of the first line.
Move the (fixes ...) definition after the first line (after upper/lowercase), no dot in between.

Move under section

Bug Fixes
~~~~~~~~~~~~~~~~~~~~~

@fmigneault
Copy link
Collaborator

@tlvu
Just FYI to validate on your side if this is already applied in your platforms.
The (eventual) migration script could break deployment if there is a conflicting case-insensitive user name. In the meantime, if there are such users, they probably get funky responses anyway.

@tlvu
Copy link
Contributor

tlvu commented Nov 9, 2023

@tlvu Just FYI to validate on your side if this is already applied in your platforms. The (eventual) migration script could break deployment if there is a conflicting case-insensitive user name. In the meantime, if there are such users, they probably get funky responses anyway.

@fmigneault Thanks for the heads up. Due to the sanitized {username} from JupyterHub, we do not have duplicate capital case in our usernames.

@mishaschwartz
Copy link
Collaborator Author

The valid user name regex should be updated to directly disallow uppercase.

I'm very confused now. The whole point of the strategy that you suggested here: bird-house/birdhouse-deploy#396 (especially overriding the normalize_username function) was to allow there to be usernames with uppercase characters.

If we now want to disallow all uppercase characters here, we could have avoided making those changes in the first place.

We shouldn't have to go back everywhere to apply lower().

This is what ziggurat foundations does, if we want to conform with that code then we have to ensure that we're matching names in a case-insensitive way.

@mishaschwartz
Copy link
Collaborator Author

Finally, I propose that another more explicit message is added to check_user utility to verify if user_name != user_name.lower() and raise the relevant error that will better guide the registering user why their user name is considered invalid.

The easiest way to do this would be to just remove the soft checks here: https://github.com/Ouranosinc/Magpie/pull/596/files#diff-5de931472d59cdf71cb9fe436020658d35e0d8ec69aea8d7aeb0cd79e4314024R570

I'm not really sure why these checks are needed in the first place

@mishaschwartz
Copy link
Collaborator Author

Closed in favour of #597

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[BUG] login confuses usernames that differ in terms of upper/lower case
3 participants