Bug #10570
Regex search on node properties is broken: returns all nodes with a property when no using invalid value
Description
The search on node properties, for the regex part, is completly broken and always returns all nodes: :
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] Start search for { returnType:'NodeReturnType' with 'And' criteria [serializedNodeProperty.name.value regex datacenter:Europe] } [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |-- LDAPObjectType(ou=Nodes,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),None,DNJoin,Set((And,RegexFilter(serializedNodeProperty,.*.*)))) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |--- SearchRequest(baseDN='ou=Nodes,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(objectClass=*))', attrs={1.1, serializedNodeProperty}) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- 5 result(s) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- post-process with filters: [(And,RegexFilter(serializedNodeProperty,.*.*))] [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- results (post-process): 5 [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |-- 5 sub-results (merged) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |- (final query) LDAPObjectType(ou=Nodes,ou=Accepted Inventories,ou=Inventories,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),Some((|(nodeId=0c846655-cb06-486f-ace4-eaeb11372097)(nodeId=root)(nodeId=8b168194-c0b4-41ab-b2b5-9571a8906d59)(nodeId=fc846655-cb06-486f-ace4-eaeb11372097)(nodeId=717b63d1-01fe-4d4f-a7e5-cfb7c0d47b4f))),DNJoin,Set()) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |--- SearchRequest(baseDN='ou=Nodes,ou=Accepted Inventories,ou=Inventories,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(|(nodeId=0c846655-cb06-486f-ace4-eaeb11372097)(nodeId=root)(nodeId=8b168194-c0b4-41ab-b2b5-9571a8906d59)(nodeId=fc846655-cb06-486f -ace4-eaeb11372097)(nodeId=717b63d1-01fe-4d4f-a7e5-cfb7c0d47b4f)))', attrs={...snip...}) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- 5 result(s) [2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] `-> 5 results
On 4.0, the results works as expected (even if the post-process seems false, to):
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] Start search for { returnType:'NodeReturnType' with 'And' criteria [serializedNodeProperty.name.value regex .*foo.*] } [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |-- LDAPObjectType(ou=Nodes,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),None,DNJoin,Set((And,RegexFilter(serializedNodeProperty,.*.*)))) [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |--- SearchRequest(baseDN='ou=Nodes,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(objectClass=*))', attrs={1.1, serializedNodeProperty}) [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |---- 11 result(s) [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |---- post-process with filters: [(And,RegexFilter(serializedNodeProperty,.*.*))] [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |---- results (post-process): 0 [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |-- 0 sub-results (merged) [2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] `-> early stop query (empty sub-query)
Related issues
Associated revisions
Fixes #10570: Regex search on node properties is broken: returns all nodes with a property when no using invalid value
Fixes #10570: Regex search on node properties is broken: returns all nodes with a property when no using invalid value
History
#1
Updated by François ARMAND about 1 year ago
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Getting started - demo | first install | level 1 Techniques
- Effort required set to Small
I'm setting criticity to "critical", because it means that people using that feature and migrating to 4.1 may encounter data loss (dyn group can be broken).
#2
Updated by Vincent MEMBRÉ about 1 year ago
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
#3
Updated by François ARMAND about 1 year ago
- Severity changed from Critical - prevents main use of Rudder | no workaround | data loss | security to Major - prevents use of part of Rudder | no simple workaround
Ok, so in fact, it is not a regression. We just have more luck in the environment, and so it won't break existing things (it's just that the problem is not raised when nodes don't have properties). I'm decreasing the severity to major, because it "just" make some part of Rudder not usable.
#4
Updated by Vincent MEMBRÉ about 1 year ago
More explanation.
A value in a 'name=value' field (here Node properties, but it's the same for environment variable) needs an = to make a difference between name and value.
If you enter a value without "=" in a regex query, it fails to split the value and it should fail. But we ignore the error and replace by ".*.*"
Which matches any property and so every Node with a property is a valid result... Which is clearly not what we want
Which should make an error when the data is not valid
#5
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 4.1.1 to 3.1.19
#6
Updated by Vincent MEMBRÉ about 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/1626
#7
Updated by Vincent MEMBRÉ about 1 year ago
- Subject changed from Regex search on node properties is broken: returns all node to Regex search on node properties is broken: returns all nodes with a property when no using invalid value
#8
Updated by Vincent MEMBRÉ about 1 year ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|1b4b8ea885f1fb1153b2a6861bf6a9d358f951eb.
#9
Updated by Vincent MEMBRÉ about 1 year ago
- Status changed from Pending release to Released
#10
Updated by François ARMAND 12 months ago
- Related to Bug #10599: Impossible to search or build groups based on JSON values in node properties added