Closed Bug 1592922 Opened 5 years ago Closed 4 years ago

AutoConfig (MCD): getLDAPAttributes() > processLDAPValues() ("user supplied method") fails in TB 68

Categories

(Core :: AutoConfig (Mission Control Desktop), defect)

Product:
Core
Component:
AutoConfig (Mission Control Desktop)
Version:
68 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
thunderbird_esr78 + fixed
firefox-esr78 83+ fixed
firefox82 --- wontfix
firefox83 --- fixed
firefox84 --- fixed

People

(Reporter: mojmir21, Assigned: mkaply)

References

Details

Attachments

(2 files)

Bug 1592922 - Fix typo in autoconfig's prefcalls.js. r=mkaply DONTBUILD
47 bytes, text/x-phabricator-request
Details | Review
Bug 1592922 - Account for possibility of sandbox when calling processLDAPValues. r?kmag!
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
pascalc
: approval-mozilla-esr78+
Details | Review

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Mozilla.cfg:
getLDAPAttributes("ldap.***.***.cz","ou=people,dc=fio,dc=cz","uid=" + env_user,"uid,cn,mail,labeledURI");

Actual results:

Error: getLDAPAttibutes fail: ReferenceError: processLDAPValues is not defined

Expected results:

It should work with "getLDAPAttributes", not "getLDAPAttibutes". Last version not afected is 60.9.0

Mike, looks like a typo here in Mozilla core code:
https://searchfox.org/comm-central/rev/a1c52b2c68bc40266e42e193a785106e767db946/mozilla/extensions/pref/autoconfig/src/prefcalls.js#158

I'll do a patch and you can find the right component for it.

So what's the issue here? That there is a typo in the error message or that the function doesn't work?

(In reply to Jorg K (GMT+2) from comment #3)

So what's the issue here? That there is a typo in the error message or that the function doesn't work?

The function doesn't work.

Attachment #9105527 - Attachment description: Bug 1592922 - Fix typo in autoconfig's prefcalls.js. r=mkaply → Bug 1592922 - Fix typo in autoconfig's prefcalls.js. r=mkaply DONTBUILD
Pushed by mozilla@jorgk.com: https://hg.mozilla.org/integration/autoland/rev/eecadaaac3e5 Fix typo in autoconfig's prefcalls.js. r=mkaply DONTBUILD

Mike, thanks for the review. I fully agree about the DONTBUILD, although I've see M-C developers push comment changes of a few lines causing an entire build.

Now that we fixed the typo, what can be said about the malfunction? What is that LDAP stuff residing in M-C? Does that call into TB's LDAP handling? It does, incredible:
https://searchfox.org/comm-central/rev/a1c52b2c68bc40266e42e193a785106e767db946/mozilla/extensions/pref/autoconfig/src/prefcalls.js#146
https://searchfox.org/comm-central/search?q=nsILDAPURL&case=false&regexp=false&path=
https://searchfox.org/comm-central/search?q=nsILDAPSyncQuery&case=false&regexp=false&path=

Note that TB's LDAP handling with SSL is broken in TB 68, see bug 1576364.

Ben, more LDAP chagrin.

Flags: needinfo?(benc)
Keywords: leave-open

Hmm.

  1. The offending function, processLDAPValues doesn't appear to exist anywhere:
    https://searchfox.org/comm-central/search?q=processLDAPValues&path=
    Comment just above where it's called says "user supplied method".
    I had to look it what the autoconfig module actually is - it's MCD, Mission Control Desktop, AKA AutoConfig). The linked page has an example processLDAPValues function.

  2. I really don't know what the status of the "autoconfig" module is. Even supplying a processLDAPValues function, I suspect there might be issues...

  3. If it's supposed to work under both TB and Firefox, presumably its LDAP support should be disabled under Firefox, given that the LDAP support won't even be available? If it's TB-specific, then presumably the whole module should be moved out into comm-central.

Flags: needinfo?(benc)

I have used autoconfig for thunderbird (on Ubuntu) pretty much the way it is described in MCD and it has worked just fine until now. I use it to set up default email and address book for a few hundred users.

I reported a bug which might be related to the issues described here bug 1628580

IMO the processLDAPValues function, which has to be self-defined in autoconfiguration, seem to not process values returned by LDAP.
This is blocking us to update 1600 Users :-/

Hello, any update on this problem ?
How could I know if the function getLDAPAttributes is returning something ?
can I debug it ?

Thomas, geoff, note comment 10. also, need a component.

Flags: needinfo?(geoff)
Flags: needinfo?(bugzilla2007)
See Also: → 1628580

This bug and lack of support for Enterprise configurations for Thunderbird holding us from update and maybe looking at different mail client.

(In reply to Wayne Mery (:wsmwk) from comment #12)

Thomas, geoff, note comment 10. also, need a component.

The original product/component for this is Core : AutoConfig (Mission Control Desktop).
Which currently has 7 open bugs, all assigned to Mike Kaply.
We'll have to check with him about the status of that component and if it's still advisable to move our bugs there.

AutoConfig (MCD) lives here as an mozilla extension:
https://searchfox.org/comm-central/source/mozilla/extensions/pref/autoconfig/src/prefcalls.js

getLDAPAttributes() is found in prefcalls.js and is part of the API:
https://searchfox.org/comm-central/rev/48425df835d9ba232b7db39fcd72f93051e3e870/mozilla/extensions/pref/autoconfig/src/prefcalls.js#216-232

var APIs = {
  pref,
  defaultPref,
  lockPref,
  unlockPref,
  getPref,
  clearPref,
  setLDAPVersion,
  getLDAPAttributes,
  getLDAPValue,
  displayError,
  getenv,
};

for (let [defineAs, func] of Object.entries(APIs)) {
  Cu.exportFunction(func, gSandbox, { defineAs });
}

processLDAPValues (user provided function) gets called inside API function getLDAPAttributes():
https://searchfox.org/comm-central/rev/48425df835d9ba232b7db39fcd72f93051e3e870/mozilla/extensions/pref/autoconfig/src/prefcalls.js#128-160

function getLDAPAttributes(host, base, filter, attribs, isSecure) {
  [snip]
  processLDAPValues(ldapquery.getQueryResults(url, gVersion));
}

processLDAPValues(ldapquery.getQueryResults(url, gVersion));
https://searchfox.org/comm-central/rev/48425df835d9ba232b7db39fcd72f93051e3e870/mozilla/extensions/pref/autoconfig/src/prefcalls.js#156

It would be good to know this from affected users:

  • After using API function getLDAPAttributes(), does your own function, processLDAPValues(), get called at all?
  • Can we have an updated error message now that the spelling error has been fixed?
Component: Untriaged → Preferences
Flags: needinfo?(yves.rossler)
Flags: needinfo?(mojmir21)
Flags: needinfo?(bugzilla2007)
Summary: getLDAPAttibutes vs getLDAPAttributes in Thunderbird 68 → AutoConfig (MCD): getLDAPAttributes() > processLDAPValues() ("user supplied method") fails in TB 68

Kris:

When we implemented the Sandboxing:

https://hg.mozilla.org/mozreview/gecko/rev/ad42d9c4fc178abff2730a8e0d6f63ef01264e35#index_header

We didn't take into account that getLDAPAttributes needs to call a local function in the autoconfig file called "processLDAPValues". Basically user created it and LDAP code calls it:

https://searchfox.org/mozilla-central/source/extensions/pref/autoconfig/src/prefcalls.js#156

Do you think itis just a matter of adding that function to the list of APIs? Or is there something else we need to do to enable calling that function in the sandbox?

Flags: needinfo?(kmaglione+bmo)

We did consider it, we just decided not to worry about it, since it wasn't used or tested.

The fix would be to call gSandbox.processLDAPValues, or change the API to have the caller pass a callback or expect a promise instead (which would be preferable, especially the promise variant).

That said, I seem to recall there having been other issues with that API, where it wanted to accept or return XPCOM objects which the sandbox couldn't have access to. Looking at the code now, though, it seems to just deal with strings, so maybe it would be fine.

Flags: needinfo?(kmaglione+bmo)

So to preface this, what happens in practice is that when prefcalls.js calls processLDAPValues, startup hangs. Thunderbird never comes up, and you have to Ctrl+C.

The fix would be to call gSandbox.processLDAPValues, or change the API to have the caller pass a callback or expect a promise instead (which would be preferable, especially the promise variant).

I tried gSandbox.processLDAPValues, but I got the same results, hang at startup.

Going to get a debug build going so I can take a closer look.

debug build provides no extra info on the console. Just a straight up hang at startup.

Looking in the debugger, we hang doing the actual evaluate:

https://searchfox.org/mozilla-central/rev/e0eb861a187f0bb6d994228f2e0e49b2c9ee455e/js/xpconnect/src/Sandbox.cpp#2017

so looking into this more, the hang was because of the failed ldap query in my testing.

I ran some tests and the call to processLDAPValues should be working (and is working in my faked tests).

prefcalls.js is able to call function in firefox.cfg with no problem. You can test this yourself by adding a new function in a CFG file and adding a new API to prefcalls.js

And FYI, all this can be tested by modifying dist/bin/defaults/autoconfig/prefcalls.js directly. No need to do a build or anything.

So what I need is a test LDAP environment so I can debug what is actually happening.

It works if you disable the sandbox

pref("general.config.sandbox_enabled", false);

I'm looking into how to fix with sandbox enabled.

I just ran some quick checks againt 52/68/78 and processLDAPValues is properly called in all of them.

The problems I'm seeing seem to only happen with local builds. I have a very simple autoconfig:

// 
var ldapHost = "ldap.adams.edu";
var ldapBase = "dc=example,dc=com";
 
var ldapFilter = "uid=" + "bcdavis";

var ldapAttrs = new Array( "cn", "email" );
 
// Define how to process LDAP results before we make the call
function processLDAPValues(queryResults)
{  
    Components.utils.reportError(queryResults);
}
 
// Call upon LDAP for the values in ldapAttrs array
// Uses the previous processLDAPValues()
getLDAPAttributes( ldapHost, ldapBase, ldapFilter, ldapAttrs.join(",") );

And while the LDAP connection fails, it properly called processLDAPValues.

I can't move any further on this unless I'm connected with someone experiencing this problem.

Everything I've tested works.

Hi, as the reporter of the issue I could test your fix, if you give me instructions how to apply it to an installation (preferably v78).

regards

Flags: needinfo?(yves.rossler)

Hi, as the reporter of the issue I could test your fix, if you give me instructions how to apply it to an installation (preferably v78).

What's confusing me here is that in my testing, I don't get this error (and I tested 78).

So what I'd like to know is if this is still a problem.

I did a simple config:

pref("general.config.obscure_value", 0);
pref("general.config.filename", "firefox.cfg");
pref("general.config.sandbox_enabled", false);

//
var ldapHost = "ldap.adams.edu";
var ldapBase = "dc=example,dc=com";

var ldapFilter = "uid=" + "bcdavis";

var ldapAttrs = new Array( "cn", "email" );

// Define how to process LDAP results before we make the call
function processLDAPValues(queryResults)
{
    Components.utils.reportError(queryResults);
}

// Call upon LDAP for the values in ldapAttrs array
// Uses the previous processLDAPValues()
getLDAPAttributes( ldapHost, ldapBase, ldapFilter, ldapAttrs.join(",") );

In particular, does adding this line:

pref("general.config.sandbox_enabled", false);

to your autoconfig.js file make things work.

I just tried with the last version (78.3.3, x64), the issue persists.
Sandbox is disabled in autoconfig.js
Here my processLDAPValues function:

function processLDAPValues(queryResults){
if( queryResults ) {
// Build the userInfo object for later use
for( var attr in ldapAttrs ) {
userInfo[ ldapAttrs[attr] ] = getLDAPValue( queryResults, ldapAttrs[attr] );
}
} else {
throw( "No LDAP results" );
}
}

Behaviour: at Thunderbird start: I first get the thrown "No LDAP results" message, then autoconfig errors because of missing values.
Using wireshark I can see that the requested values are returned from our LDAP server.

I also tried using your function but doesn't work either

regards

So we're definitely getting farther because previously processLDAPValues wasn't defined. Looking into why no values were passed to processLDAPValues

Assignee: nobody → mozilla

So the patch I put up does cause us to call processLDAPValues properly in some cases, but ldapquery.getQueryResults is returning no results.

As with yr, I verified that Wireshark shows we are making the LDAP connection and getting the results.

But here:

https://dxr.mozilla.org/comm-release/rev/6ff411885e6f02b6a5b41a64606ee38802a2231b/ldap/xpcom/src/nsLDAPSyncQuery.cpp#350

we are getting no results.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/e6ba460ddb06 Account for possibility of sandbox when calling processLDAPValues. r=kmag

(In reply to Mike Kaply [:mkaply] from comment #27)

Mike, thank you so much for following up on this after our email conversation!!!

So the patch I put up does cause us to call processLDAPValues properly in some cases, but ldapquery.getQueryResults is returning no results.

I'm not sure if I'm understanding you correctly here, or maybe there's a typo?
Does this mean that even with your patch applied, there are still (other?) cases that fail?

But here:
https://dxr.mozilla.org/comm-release/rev/6ff411885e6f02b6a5b41a64606ee38802a2231b/ldap/xpcom/src/nsLDAPSyncQuery.cpp#350
we are getting no results.

Flags: needinfo?(mozilla)

I'm not sure if I'm understanding you correctly here, or maybe there's a typo?
Does this mean that even with your patch applied, there are still (other?) cases that fail?

Yes. My patch fixes the autoconfig calling issues, but ldapquery.getQueryResults is returning no results, even though I see the LDAP query via wireshark and it returns results.

My next plan is to completely back out the sandbox fix in a local build to see if it causes this, or if there was some other change that broke LDAP querying in Autoconfig.

LDAP logging isn't working for me and there appear to no LDAP experts around anymore.

Flags: needinfo?(mozilla)

(In reply to Mike Kaply [:mkaply] from comment #31)

I'm not sure if I'm understanding you correctly here, or maybe there's a typo?
Does this mean that even with your patch applied, there are still (other?) cases that fail?

Yes. My patch fixes the autoconfig calling issues

That's a great step forward!

but ldapquery.getQueryResults is returning no results, even though I see the LDAP query via wireshark and it returns results.
My next plan is to completely back out the sandbox fix in a local build to see if it causes this, or if there was some other change that broke LDAP querying in Autoconfig.

Awesome. You rock!

Flags: needinfo?(geoff)

So in bug 1662433, they said things worked in 68 with

pref("general.config.sandbox_enabled", false);

but started failing in 78.

I'm even more confused now.

The last version I can make MCD work is in 68.2.2

(In reply to marinar from comment #34)

The last version I can make MCD work is in 68.2.2

So you're saying it doesn't work in 68.3? This is starting to sound like a Thunderbird problem...

I'll check locally.

You are absolutely correct. So there are two issues here.

  1. Needed to flip sandbox pref for things to work (I've fixed that).

  2. LDAP Autoconfig stopped working completely between 68.2.2 and 68.3. My bet is this is going to be unrelated to autoconfig...

I'm going to mark this bug as fixed.

This bug was about the API being broken which I fixed. Now the problem is that bug 1576364 broke LDAP in Autoconfig.

This will be tracked in bug 1662433.

Where should this fix be uplifted to be in the next Thunderbird release?

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

It should go be uplifted through beta, then m-c esr78.

Target Milestone: --- → 84 Branch

I wonder if it's worth uplifting if LDAP is still broke because of 1662433

Comment on attachment 9182984 [details]
Bug 1592922 - Account for possibility of sandbox when calling processLDAPValues. r?kmag!

Beta/Release Uplift Approval Request

  • User impact if declined: Unable to call Autoconfig in Sandbox autoconfig environment.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Use instructions here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1662433#c21

for autoconfig test. We aren't testing that it works entirely, just that there is no error making the call.

  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Autoconfig only, function is already broken.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: thunderbird
  • User impact if declined: Unable to call Autoconfig in Sandbox autoconfig environment.
  • Fix Landed on Version: 84
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Autoconfig only, function is already broken.
  • String or UUID changes made by this patch:
Attachment #9182984 - Flags: approval-mozilla-esr78?
Attachment #9182984 - Flags: approval-mozilla-beta?
Attachment #9105527 - Flags: approval-mozilla-esr78? approval-mozilla-beta?
status-thunderbird83: affected → ---
Component: Preferences → AutoConfig (Mission Control Desktop)
Product: Thunderbird → Core
Version: 68 → 68 Branch

Comment on attachment 9105527 [details]
Bug 1592922 - Fix typo in autoconfig's prefcalls.js. r=mkaply DONTBUILD

This patch landed a year ago.

Attachment #9105527 - Flags: approval-mozilla-esr78?
Attachment #9105527 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Mike, Magnus I don't get why this needs an uplift in beta/ESR now. It seems from the recent comments in this bug that this is a longstanding issue, can't this just ride the 84 train or this fix be cherry-picked by Thunderbird if you have an urgent need for it in the next release and also have a fix in time for bug 1662433?

Flags: needinfo?(mozilla)
Flags: needinfo?(mkmelin+mozilla)

The sooner the better, it's non functional at the moment, so we'd uplift as soon as we can (next beta, and then 78.5).
It's not the end of the world if it rides the 84 train and then into ESR 78.6, but OTOH the patch landed in this bug is a no-op for Firefox since there is no LDAP support in Firefox. So no risk as such.

Flags: needinfo?(mkmelin+mozilla)

(In reply to Magnus Melin [:mkmelin] from comment #43)

The sooner the better, it's non functional at the moment, so we'd uplift as soon as we can (next beta, and then 78.5).
It's not the end of the world if it rides the 84 train and then into ESR 78.6, but OTOH the patch landed in this bug is a no-op for Firefox since there is no LDAP support in Firefox. So no risk as such.

The old autoconfig doc (https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/MCD,_Mission_Control_Desktop_AKA_AutoConfig) mentions that the Firefox home page can be set by the user labeledURI LDAP field and the code example given uses the processLDAPValues(), is that no longer possible with today's Firefox?

Flags: needinfo?(mkmelin+mozilla)

(In reply to Pascal Chevrel:pascalc from comment #44)

(In reply to Magnus Melin [:mkmelin] from comment #43)

The sooner the better, it's non functional at the moment, so we'd uplift as soon as we can (next beta, and then 78.5).
It's not the end of the world if it rides the 84 train and then into ESR 78.6, but OTOH the patch landed in this bug is a no-op for Firefox since there is no LDAP support in Firefox. So no risk as such.

The old autoconfig doc (https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/MCD,_Mission_Control_Desktop_AKA_AutoConfig) mentions that the Firefox home page can be set by the user labeledURI LDAP field and the code example given uses the processLDAPValues(), is that no longer possible with today's Firefox?

Yeah, that's wrong. LDAP isn't even in the Firefox tree.

It's Thunderbird only.

Flags: needinfo?(mozilla)

The reason this became urgent is it is blocking major companies from moving to Thunderbird 78. It was a problem before that no one researched why it was happening.

Correct. And because it blocks upgrading, it is by extension a security issue.

Comment on attachment 9182984 [details]
Bug 1592922 - Account for possibility of sandbox when calling processLDAPValues. r?kmag!

Thanks for the additional context, taking for beta and ESR as this is not impacting Firefox so this is low risk.

Attachment #9182984 - Flags: approval-mozilla-esr78?
Attachment #9182984 - Flags: approval-mozilla-esr78+
Attachment #9182984 - Flags: approval-mozilla-beta?
Attachment #9182984 - Flags: approval-mozilla-beta+
Flags: needinfo?(mkmelin+mozilla)

This never affected Firefox. The LDAP interfaces it affects only exist in comm-central.

status-firefox82: wontfixunaffected
status-firefox83: fixedunaffected
status-firefox84: fixedunaffected

It's easier for uplift tracking if we leave the flags as they previously were. Feel free to s/firefox/gecko if it makes it mentally easier to be happy with.

status-firefox82: unaffectedwontfix
status-firefox83: unaffectedfixed
status-firefox84: unaffectedfixed
QA Whiteboard: [qa-triaged]

Hi, is there a way for QA to verify this fix in Firefox or its only Thunderbird related?
Thanks!

Flags: needinfo?(mozilla)

No, this can only be verified on Thunderbird.

Flags: needinfo?(mozilla)

Based on previous comments, removing the qe-verify+ flag.

QA Whiteboard: [qa-triaged]
Flags: qe-verify+

Hello,
is this bug fixed in the 78.5.1 release ?
Thank you

It is.

Hello
I tried to plug the same autoconfig settings as in 68 to Thunderbird 78.5.1, but it seems it is not even reading config file.
The failover.js was not created. The sandbox is set to false.
Anybody had any success in making MCD working?

Please advise.
Thank you

Hi,
The update to version 78.5.1 worked for us. Thank you very much!
We only used the sandbox setting to get a CA Cert distributed via autoconfig. We now use the GPO's for this.
So our sandbox is enabled again. getLDAPAttributes still working

Thunderbird or Firefox?
Can you please send sample autoconfig.js and .cfg

Thank you

Flags: needinfo?(mojmir21)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: