"home" not honored while using user_saml #292

Open
sistason opened this issue Jul 6, 2023 · 0 comments
Labels
question Further information is requested

Comments


sistason commented Jul 6, 2023

It appears notify_push takes its UID from the folder name in the mount directory it detects changes in and does not read the home column when the user is one from user_saml.
Background: The user_saml app has users with uid, displayname, home in the database, so you can set a different files directory independent from their UIDs.

In my case, I use a numeric ID >100000 for a SAML user different from their human-readable UID. So user1 can have their files at /data/100001 for example. This allows unique identification via the numeric ID and the UID visible to others can be changed around without much hassle.

This seems to lead notify_push to look for a user of uid=100001 instead of searching the actual oc_user_saml_users table in the database for the corresponding home (and falling back to uid=$directoryname, as the column is usually empty).
The result of this is that users regularly (I guess when notify_push detects a file change somewhere) get thrown out of their session and Nextcloud force-reloads the active window, throwing users out of their email drafts, opened documents, etc.

I think this is the relevant notify_push part where we see the discrepancy that it's verifying credentials using the numerical IDs and otherwise talking to the users via their uid. Note that the numerical id in L2 (1000072) is not the corresponding id of the user in L4 ($UID).

nextcloud-notify_push-1  | [2023-07-06 17:40:36.173025 +00:00] DEBUG [notify_push] src/lib.rs:263: new websocket connection from Some(:IPv6:)
nextcloud-notify_push-1  | [2023-07-06 17:40:36.218248 +00:00] DEBUG [notify_push::nc] src/nc.rs:27: Verifying credentials for 100072
nextcloud-notify_push-1  | [2023-07-06 17:40:36.301556 +00:00] WARN [notify_push::connection] src/connection.rs:75: Invalid credentials
nextcloud-notify_push-1  | [2023-07-06 17:40:46.494053 +00:00] DEBUG [notify_push::connection] src/connection.rs:145: Sending ping to $UID

This is the nextcloud.log at that point:

{
  "reqId": "REDACTED",
  "level": 0,
  "time": "2023-07-06T17:40:36+00:00",
  "remoteAddr": "REDACTED-IPv6",
  "user": "--",
  "app": "no app in context",
  "method": "GET",
  "url": "/index.php/apps/notify_push/uid",
  "message": "Current user is not logged in",
  "userAgent": "--",
  "version": "25.0.8.2",
  "exception": {
    "Exception": "OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException",
    "Message": "Current user is not logged in",
    "Code": 401,
    "Trace": [
      {
        "file": "/var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php",
        "line": 97,
        "function": "beforeController",
        "class": "OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware",
        "type": "->",
        "args": [
          [
            "OCA\\NotifyPush\\Controller\\AuthController"
          ],
          "getUid"
        ]
      },
      {
        "file": "/var/www/html/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 125,
        "function": "beforeController",
        "class": "OC\\AppFramework\\Middleware\\MiddlewareDispatcher",
        "type": "->",
        "args": [
          [
            "OCA\\NotifyPush\\Controller\\AuthController"
          ],
          "getUid"
        ]
      },
      {
        "file": "/var/www/html/lib/private/AppFramework/App.php",
        "line": 172,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->",
        "args": [
          [
            "OCA\\NotifyPush\\Controller\\AuthController"
          ],
          "getUid"
        ]
      },
      {
        "file": "/var/www/html/lib/private/Route/Router.php",
        "line": 298,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::",
        "args": [
          "OCA\\NotifyPush\\Controller\\AuthController",
          "getUid",
          [
            "OC\\AppFramework\\DependencyInjection\\DIContainer"
          ],
          [
            "notify_push.Auth.getUid"
          ]
        ]
      },
      {
        "file": "/var/www/html/lib/base.php",
        "line": 1048,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->",
        "args": [
          "/apps/notify_push/uid"
        ]
      },
      {
        "file": "/var/www/html/index.php",
        "line": 36,
        "function": "handleRequest",
        "class": "OC",
        "type": "::",
        "args": []
      }
    ],
    "File": "/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php",
    "Line": 153,
    "message": "Current user is not logged in",
    "exception": {},
    "CustomMessage": "Current user is not logged in"
  }
}

As I am not capable of debugging this myself, can you confirm that notify_push does not check the home column for user_saml users? Or is it rather that you use the Nextcloud API instead of the database so this is something Nextcloud internal which does not check the home column?

If so, could this be added? :)
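The two lookups the report contrasts, as an added example that is not notify_push's own code: resolving a changed path by its top-level folder name beside a home-aware resolution that consults the user table first and falls back to the folder name when the home column is empty. The SamlUser struct, the /data layout and the sample users are constructed stand-ins for the oc_user_saml_users rows, not the real schema.

```rust
use std::path::Path;

/// Stand-in for one oc_user_saml_users row, reduced to the columns the
/// issue talks about (constructed for this illustration, not the real schema).
#[derive(Debug, Clone)]
pub struct SamlUser {
    pub uid: String,
    pub home: Option<String>, // usually empty, as the report notes
}

/// Folder-name resolution as described in the report: the directory directly
/// under the data directory is taken to be the uid.
pub fn uid_from_folder(data_dir: &str, changed: &str) -> Option<String> {
    let rel = Path::new(changed).strip_prefix(data_dir).ok()?;
    rel.components()
        .next()
        .map(|c| c.as_os_str().to_string_lossy().into_owned())
}

/// Home-aware resolution: first look for a user whose `home` column equals the
/// top-level directory of the changed path; only then fall back to treating the
/// folder name as the uid (the common case, since the column is usually empty).
pub fn uid_from_home(data_dir: &str, changed: &str, users: &[SamlUser]) -> Option<String> {
    let folder = uid_from_folder(data_dir, changed)?;
    let home_dir = Path::new(data_dir).join(&folder);
    let by_home = users
        .iter()
        .find(|u| u.home.as_deref().map(Path::new) == Some(home_dir.as_path()));
    match by_home {
        Some(u) => Some(u.uid.clone()),
        None => Some(folder), // fallback: uid == directory name
    }
}

/// Constructed sample matching the report: user1 keeps files under /data/100001,
/// alice has no home set and lives under /data/alice.
pub fn sample_users() -> Vec<SamlUser> {
    vec![
        SamlUser { uid: "user1".into(), home: Some("/data/100001".into()) },
        SamlUser { uid: "alice".into(), home: None },
    ]
}

fn main() {
    let users = sample_users();
    let changed = "/data/100001/files/notes.txt";
    println!("folder-based: {:?}", uid_from_folder("/data", changed)); // Some("100001")
    println!("home-aware:   {:?}", uid_from_home("/data", changed, &users)); // Some("user1")
}
```

With the sample data the folder-based lookup yields the numeric directory name while the home-aware one yields the SAML uid, which is exactly the mismatch the report observes between the credential check and the ping target.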

@joshtrichards joshtrichards added the question Further information is requested label Oct 5, 2023