6.0.0-git
2019-03-23

[#12186] activesync component does not use username canonified by authusername() hook
Summary activesync component does not use username canonified by authusername() hook
Queue Horde Base
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners mrubinsk (at) horde (dot) org
Requester enrico.scholz (at) sigma-chemnitz (dot) de
Created 2013-04-16 (2167 days ago)
Due
Updated 2013-05-03 (2150 days ago)
Assigned 2013-05-02 (2151 days ago)
Resolved 2013-05-03 (2150 days ago)
Milestone
Patch No

History
2013-05-03 13:19:21 Michael Rubinsky State ⇒ Resolved
 
2013-05-03 11:33:30 enrico (dot) scholz (at) sigma-chemnitz (dot) de Comment #15
Many thanks; things are working now as expected.
2013-05-02 20:36:43 Michael Rubinsky Comment #14
State ⇒ Feedback
Now, perhaps?
2013-05-02 20:36:03 Git Commit Comment #13
Changes have been made in Git (master):

commit fd97a0a73130b5e06aea2d1f21c42285f55c2823
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Thu May 2 16:26:18 2013 -0400

     Bug: 12186  Use the Horde username, not the auth username.

  .../Core/lib/Horde/Core/ActiveSync/Driver.php      |    6 +++++-
  horde/admin/activesync.php                         |    7 +++----
  horde/lib/Prefs/Special/Activesync.php             |    6 ++----
  3 files changed, 10 insertions(+), 9 deletions(-)

http://git.horde.org/horde-git/-/commit/fd97a0a73130b5e06aea2d1f21c42285f55c2823
2013-05-02 18:52:53 enrico (dot) scholz (at) sigma-chemnitz (dot) de Comment #12
Last patch opens a security/privacy hole.  The user
'a@mail.other-realm' now sees the activesync information (including
serial number) from user 'a@realm'.

All the activesync related database tables still contain only the
unqualified 'a' username (afais, only
'horde_activesync_device_mailmap' contains the correct 'a@realm').

Administrator screen (login as 'admin@realm') shows ActiveSync devices
of 'b@other-realm' as owned by (non-existing) 'b@realm'.
2013-05-02 11:22:57 enrico (dot) scholz (at) sigma-chemnitz (dot) de Comment #11
Thanks; I will test it.

> What do you mean the user 'a@realm.org' still does not see it? You
> said the user doesn't log in with an email address? If the user logs
> in as 'a', it should be visible.

To clarify things: 'a@realm.org' is not an email address but an
internal mangled name so that user 'a' reading mails on IMAP host
'mail.realm.org' can be distinguished from user 'a' reading mails on
IMAP server 'mail.other-realm.org'.

Ideally, users have to enter only their username ('a') and choose the
correct mailserver (which is preselected based on HTTP vhost).
ActiveSync users enter their username ('a') and Horde has to mangle
the username based on the IMP backend server (determined by vhost ->
$servers[]->prefered).
2013-05-01 21:02:47 Michael Rubinsky Comment #10
State ⇒ Resolved
Closing, verified to work as expected locally.

2013-05-01 21:02:01 Git Commit Comment #9
Changes have been made in Git (master):

commit a9450a21b521361da536f15efcd4d96cd519bc9f
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed May 1 17:00:15 2013 -0400

     Convert the username in the admin list of activesync devices also.

     Bug: 12186

  horde/admin/activesync.php |    7 ++++---
  1 files changed, 4 insertions(+), 3 deletions(-)

http://git.horde.org/horde-git/-/commit/a9450a21b521361da536f15efcd4d96cd519bc9f
2013-05-01 20:46:18 Michael Rubinsky Comment #8
> > The patch will not fix devices that have already paired with the
> > server. You will need to either have the users create a new account on
> > the device, or an admin can remove the device state on the server. In
> > other words, only newly created devices will be saved with the
> > correctly normalized username.
> I tried it but the user 'a@realm.org' still does not see it and
> device is listed for user 'a' in the administrator overview.

What do you mean the user 'a@realm.org' still does not see it? You
said the user doesn't log in with an email address? If the user logs
in as 'a', it should be visible. The last comment is correct, the
administrative overview still loads with the un-mangled username since
it comes directly from the ActiveSync state table. I will add the
conversion there as well so it will be displayed as the Horde
username, not the Auth username.
2013-04-23 17:07:06 enrico (dot) scholz (at) sigma-chemnitz (dot) de Comment #7
> The patch will not fix devices that have already paired with the
> server. You will need to either have the users create a new account
> on the device, or an admin can remove the device state on the
> server. In other words, only newly created devices will be saved
> with the correctly normalized username.

I tried it but the user 'a@realm.org' still does not see it and device
is listed for user 'a' in the administrator overview.

A

| select * from horde_prefs;

lists 'a@realm.org' as pref_uid.  But

| select * from horde_activesync_device_users;

returns an entry with the non-canonified 'a' user only.

> This is expected. A user should only be able to login on the device
> with the same username he logs in to horde with on the desktop.

That's the case here.  User is logging in as 'a' in the webfrontend and
enters 'a' as userid in the android email application.

The webfrontend calls "authusername('a', True) -> 'a@realm.org'" while
ActiveSync seems to miss this step.
2013-04-22 16:04:11 Michael Rubinsky State ⇒ Feedback
 
2013-04-22 16:04:00 Michael Rubinsky Comment #6
> Thanks for the quick response.  But the patch seems to make things
> worse.  Some more words about my setup:
> <snip>
> Without the patch:
>
> * entering 'a' as its userid on an Android device associated the
> device; but it is visible to the administrator in the global
> activesync device list.  User 'a' does not see it in its
> configuration screen.

The patch will not fix devices that have already paired with the
server. You will need to either have the users create a new account on
the device, or an admin can remove the device state on the server. In
other words, only newly created devices will be saved with the
correctly normalized username.

> * entering 'a@realm.org' as userid made the device visible to the
> user too.  But I had to write a preauthenticate() hook which strips
> the '@realm.org' away. Without this hook, authentication to mailbox0
> happens as 'a@realm.org'.
>
> With the patch the device is not visible anymore for the last point.

This is expected. A user should only be able to login on the device
with the same username he logs in to horde with on the desktop.
2013-04-20 10:53:02 enrico (dot) scholz (at) sigma-chemnitz (dot) de Comment #5
Thanks for the quick response.  But the patch seems to make things
worse.  Some more words about my setup:

* there are two virtualhosts 'mail.realm.org' and
'mail.other-realm.org' which access two different mailservers
'mailbox0' and 'mailbox1'.

* when user 'a' logs in on 'mail.realm.org' the authusername() hook
normalizes its name to 'a@realm.org' but authentication on 'mailbox0'
happens with plain 'a'

* similarly, user 'b' logging in on 'mail.other-realm.org' gets
canonified to 'b@other-realm.org'

There are situations where both mailbox0 and mailbox1 have accounts
for userid 'c' which is associated with two different people.
Hence accounts must be kept distinct.

Ideally, the @realm.org and @other-realm.org canonification should
happen transparently and not be visible to users.

Without the patch:

* entering 'a' as its userid on an Android device associated the
device; but it is visible to the administrator in the global
activesync device list.  User 'a' does not see it in its configuration
screen.

* entering 'a@realm.org' as userid made the device visible to the user
too.  But I had to write a preauthenticate() hook which strips the
'@realm.org' away. Without this hook, authentication to mailbox0
happens as 'a@realm.org'.

With the patch the device is not visible anymore for the last point.
2013-04-18 16:17:56 Michael Rubinsky State ⇒ Resolved
 
2013-04-17 17:32:34 Git Commit Comment #4
Changes have been made in Git (FRAMEWORK_5_0):

commit f12f57792147157e21af1aae02ad1d4cee1ec4cc
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Apr 17 13:21:08 2013 -0400

     Must converUserName to the auth name to access the state data.

     Bug: 12186

  horde/lib/Prefs/Special/Activesync.php |    4 ++--
  1 files changed, 2 insertions(+), 2 deletions(-)

http://git.horde.org/horde-git/-/commit/f12f57792147157e21af1aae02ad1d4cee1ec4cc
2013-04-17 17:24:34 Michael Rubinsky Version ⇒ Git master
Queue ⇒ Horde Base
Priority ⇒ 1. Low
 
2013-04-17 17:24:09 Michael Rubinsky Comment #3
Assigned to Michael Rubinsky
State ⇒ Feedback
I added the conversion for the activesync device prefs, but I don't 
see how it was wrong for the sent folder value. The username used is 
from $registry->getAuth(), which already has the conversion to the 
horde username applied.
2013-04-17 17:22:52 Git Commit Comment #2
Changes have been made in Git (master):

commit 5c09d06df5da725a94b8dfc365e0362371908254
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Apr 17 13:21:08 2013 -0400

     Must converUserName to the auth name to access the state data.

     Bug: 12186

  horde/lib/Prefs/Special/Activesync.php |    4 ++--
  1 files changed, 2 insertions(+), 2 deletions(-)

http://git.horde.org/horde-git/-/commit/5c09d06df5da725a94b8dfc365e0362371908254
2013-04-16 21:47:37 enrico (dot) scholz (at) sigma-chemnitz (dot) de Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ activesync component does not use username canonified by authusername() hook
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ No
I am using a similar hack as described in
http://wiki.horde.org/ImpH4Realm to allow serving multiple mail realms.

For the normal webfrontend, things are working fine.  But the
activesync component seems to ignore the canonified username and
associates itself with the plain user id.

This causes problems because

* users (--> with preferences keyed for user@realm) do not see their
activesync devices (keyed for plain 'user')

* flags for special folders (sent) which are configured by
'user@realm' are not propagated through activesync because activesync
preferences are for another identity.

Issue can be reproduced by:

1. add custom authusername() hook which adds e.g. '@realm'

2. login both with webfrontend and with activesync
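The following is an added example, not code from the Horde project or from anyone in this ticket. It sketches the realm-per-vhost setup the reporter describes (an authusername() hook that appends '@realm' depending on the HTTP vhost, and a preauthenticate() hook that strips it again so the IMAP backend sees the plain login) and then checks the failure mode reported in comment #12: a per-user state table keyed by the raw login name 'a' is shared by two different people who log in as 'a' on two different vhosts, whereas keying it by the Horde username keeps them apart. Assumptions: the hook names and signatures follow Horde 5's config/hooks.php (authusername($userId, $toHorde); preauthenticate($userId, $credentials) returning an array with 'userId' and 'credentials' keys); the vhost table, realm names and device ids are constructed for the demonstration.

```php
<?php
// Added example; not code from the Horde project or from this ticket.
// Models the hooks described in the report and checks the cross-realm
// collision from comment #12.
//
// Assumptions: hook signatures as in Horde 5's config/hooks.php
// (authusername($userId, $toHorde), preauthenticate($userId, $credentials)
// returning array('userId' => ..., 'credentials' => ...)); the vhost table,
// realm names and device ids below are constructed.

class Horde_Hooks
{
    // Constructed: HTTP vhost => realm suffix used for the Horde username.
    private static $vhostRealms = array(
        'mail.realm.org'       => 'realm.org',
        'mail.other-realm.org' => 'other-realm.org',
    );

    // Realm of the current request, chosen by the vhost the user logged in on.
    public static function currentRealm()
    {
        $host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
        return isset(self::$vhostRealms[$host]) ? self::$vhostRealms[$host] : null;
    }

    // $toHorde true:  auth name 'a'            -> Horde name 'a@realm.org'
    // $toHorde false: Horde name 'a@realm.org' -> auth name 'a'
    public function authusername($userId, $toHorde)
    {
        $realm = self::currentRealm();
        if ($realm === null) {
            return $userId;                 // unknown vhost: leave untouched
        }
        if ($toHorde) {
            return (strpos($userId, '@') === false) ? $userId . '@' . $realm : $userId;
        }
        // Only strip this vhost's own realm. A name carrying a foreign realm
        // must not silently become plain 'a' on this backend.
        $suffix = '@' . $realm;
        if (substr($userId, -strlen($suffix)) === $suffix) {
            return substr($userId, 0, -strlen($suffix));
        }
        return $userId;
    }

    // Log in to the IMAP backend with the plain name, so 'a@realm.org' never
    // reaches mailbox0 as a login (the reporter's comment #5).
    public function preauthenticate($userId, $credentials)
    {
        return array(
            'userId'      => $this->authusername($userId, false),
            'credentials' => $credentials,
        );
    }
}

// Simulates a per-user state table such as horde_activesync_device_users.
// Returns true when the two distinct users named 'a' (one per vhost) end up
// sharing a single row, i.e. the privacy hole from comment #12.
function deviceOwnersCollide($keyByHordeName)
{
    $hooks = new Horde_Hooks();
    $table = array();
    foreach (array('mail.realm.org', 'mail.other-realm.org') as $vhost) {
        $_SERVER['SERVER_NAME'] = $vhost;          // simulate the login vhost
        $key = $keyByHordeName ? $hooks->authusername('a', true) : 'a';
        $table[$key][] = 'constructed-device-' . $vhost;
    }
    return count($table) === 1;
}

$collideRaw       = deviceOwnersCollide(false);   // raw auth name as key
$collideCanonical = deviceOwnersCollide(true);    // Horde username as key
printf("keyed by raw name: %s, keyed by Horde name: %s\n",
       $collideRaw ? 'collision' : 'distinct',
       $collideCanonical ? 'collision' : 'distinct');
```

Run it with `php` on the command line. The design point is that every component holding per-user state has to key it by the same canonical identity the authusername() hook produces; a component that stores the raw login name instead merges accounts across realms, which is exactly why the reverse mapping in authusername() strips only the current vhost's realm rather than anything after '@'.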
