UCS OX License credential check fails with 403 for valid credentials because python-requests User-Agent is blocked

Hi,

I found what looks like a bug in the UCS OX credential verification.
On our UCS 5.2-5errata367 we encountered an issue with Open-Xchange complaining that the license couldn't be verified. All credentials were checked and valid, and updates could be pulled from the repositories, but the warning still persisted.

We narrowed down the issue to
/usr/lib/python3/dist-packages/univention/management/console/modules/oxldb/oxldbcore.py

On a UCS system, OXLDB.check_credentials() reports the credentials as invalid:


  python3 - <<'PY'
  from univention.management.console.modules.oxldb import oxldbcore
  ox = oxldbcore.OXLDB()
  res = ox.check_credentials(username="REDACTED", password="REDACTED")
  print("RESULT:", repr(res), type(res))
  PY

Output:

  RESULT: 'Access forbidden: the access has been denied by the OX repository server during verfication of the given credentials'

But the same credentials work fine with curl against the same URL:

  curl -kI -u 'REDACTED:REDACTED' \
    https://software.open-xchange.com/products/appsuite/7.10.6/

Response:

  HTTP/1.1 200 OK

I then tested the HTTP behavior directly in Python:

  python3 - <<'PY'
  import requests

  url = 'https://software.open-xchange.com/products/appsuite/7.10.6/'
  auth = ('REDACTED', 'REDACTED')

  tests = [
      ('default HEAD', lambda: requests.head(url, auth=auth, verify=False, timeout=20)),
      ('curl-UA HEAD', lambda: requests.head(
          url, auth=auth, verify=False, timeout=20,
          headers={'User-Agent': 'curl/8.5.0', 'Accept': '*/*'}
      )),
  ]

  for name, fn in tests:
      r = fn()
      print(name, r.status_code, r.request.headers.get('User-Agent'))
      r.close()
  PY

Result:

  default HEAD 403 python-requests/2.28.1
  curl-UA HEAD 200 curl/8.5.0

So the issue seems to be:

  • UCS uses requests.head() in oxldbcore.py
  • with the default python-requests/… User-Agent the OX repo returns 403
  • with a curl-like User-Agent the same request returns 200
  • valid credentials are therefore reported as invalid

Relevant code in oxldbcore.py:

  req = requests.head(url, auth=(user, passwd), proxies=proxies, verify=verification)

A local workaround was to set an explicit User-Agent, for example:

  req = requests.head(
      url,
      auth=(user, passwd),
      proxies=proxies,
      verify=verification,
      headers={'User-Agent': 'curl/8.5.0'},
      timeout=20,
  )

That made the UCS credential check succeed.

Could you check whether this should be fixed in the UCS OX module? It looks like a false negative in credential validation rather than an actual authentication failure.

Potentially this is also some kind of security bouncer on the Open-Xchange repository that is too restrictive and doesn't like the Python user-agent.

If needed, I can provide the exact UCS package versions from the affected host.


This bug has been confirmed by Open-Xchange:

Regarding the 403 error during the license check — I was able to reproduce this behavior; our repository server rejects requests with the default python-requests user-agent, and I assume this is either default behavior or part of a filter setting. Please raise this with Univention so they can update their client code to send a proper User-Agent header.

Does the Univention team read messages posted here? What's the best way to get in touch? Thank you :)

Thank you for the detailed bug report and for asking OX to confirm the issue.

I created the following bug report with it:
https://forge.univention.org/bugzilla/show_bug.cgi?id=59136

If there are updates I will share them here.


OX seems to statically block python-request.* as User-Agent

OX-Connector/3.1.0 or similar as User-Agent works, so this seems to be a static block on the side of Open-Xchange. Nevertheless, the User-Agent should be adjustable if they have concerns about that.

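The false negative discussed in this thread, reproduced offline as an added example (not code from any post or from the UCS module): a constructed local server denies the library-default User-Agent with 403, and the check reports 401 and 403 separately while sending an explicit User-Agent. It uses the standard library's urllib in place of requests; `FakeRepo`, the `demo`/`secret` credentials and the `example-license-check/1.0` User-Agent are assumptions made for the example.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def basic(user, passwd):
    return "Basic " + base64.b64encode(f"{user}:{passwd}".encode()).decode()

class FakeRepo(BaseHTTPRequestHandler):
    """Constructed stand-in: denies the library-default User-Agent before checking auth."""
    def do_HEAD(self):
        if self.headers.get("User-Agent", "").startswith("Python-urllib"):
            code = 403  # policy filter, says nothing about the credentials
        elif self.headers.get("Authorization") != basic("demo", "secret"):
            code = 401  # credentials actually rejected
        else:
            code = 200
        self.send_response(code)
        self.end_headers()

def head_status(url, user, passwd, user_agent=None):
    """HEAD with Basic auth; return the status code instead of raising."""
    req = urllib.request.Request(url, method="HEAD")
    req.add_header("Authorization", basic(user, passwd))
    if user_agent:
        req.add_header("User-Agent", user_agent)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code

def check_credentials(url, user, passwd, user_agent="example-license-check/1.0"):
    """Report 401 and 403 separately so a policy block is not shown as bad credentials."""
    status = head_status(url, user, passwd, user_agent)
    known = {200: "valid", 401: "invalid credentials",
             403: "forbidden by server policy, credentials not verified"}
    return known.get(status, f"unexpected status {status}")

def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeRepo)  # constructed local server, random port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    out = (head_status(url, "demo", "secret"), check_credentials(url, "demo", "secret"),
           check_credentials(url, "demo", "wrong"))
    server.shutdown()
    return out
```

`demo()` returns the status for the default User-Agent with valid credentials, then the classified results for valid and wrong credentials sent with the explicit User-Agent.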