ipa/0032-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch

From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2024 10:27:15 -0500
Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an
 HSM

We were doing a "best effort" when validating the HSM token is
visible with a valid PIN when it came to groups. A specific
workaround was added for softhsm2 but this didn't carry over
to other HSMs that may have group-specific read/write access.

Use the new capability in ipaplatform.constants.py::Group to be
able to use generate a valid entry from a group GID. Pair this
with os.getgrouplist() and all groups will be passed correctly
via ipautil.run().

Fixes: https://pagure.io/freeipa/issue/9709

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/ca.py | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password):
         )
     pkiuser = constants.PKI_USER
     pkigroup = constants.PKI_GROUP
-    if 'libsofthsm' in token_library:
-        import grp
-        group = grp.getgrnam(constants.ODS_GROUP)
-        if str(constants.PKI_USER) in group.gr_mem:
-            pkigroup = constants.ODS_GROUP
+    group_list = os.getgrouplist(pkiuser, pkigroup.gid)
     with certdb.NSSDatabase() as tempnssdb:
         tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
         # Try adding the token library to the temporary database in
@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password):
         # It may fail if p11-kit has already registered the library, that's
         # ok.
         ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
-                    runas=pkiuser, suplementary_groups=[pkigroup],
+                    runas=pkiuser, suplementary_groups=group_list,
                     raiseonerr=False)
 
         command = [
@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password):
         ]
         lines = ipautil.run(
             command, cwd=tempnssdb.secdir, capture_output=True,
-            runas=pkiuser, suplementary_groups=[pkigroup]).output
+            runas=pkiuser, suplementary_groups=group_list).output
         found = False
         token_line = f'token: {token_name}'
         for line in lines.split('\n'):
@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password):
         ]
         result = ipautil.run(args, cwd=tempnssdb.secdir,
                              runas=pkiuser,
-                             suplementary_groups=[pkigroup],
+                             suplementary_groups=group_list,
                              capture_error=True, raiseonerr=False)
         if result.returncode != 0 and len(result.error_output):
             if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
-- 
2.47.1
ipa-4.12.2-7 - Resolves: RHEL-70760 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges' - Resolves: RHEL-70481 ipa-server-upgrade fails after established trust with ad - Resolves: RHEL-69927 add support for python cryptography 44.0.0 - Resolves: RHEL-69908 All user groups are not being included during HSM token validation - Resolves: RHEL-69900 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-12-11 09:47:47 +00:00			`From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001`
			`From: Rob Crittenden <rcritten@redhat.com>`
			`Date: Mon, 2 Dec 2024 10:27:15 -0500`
			`Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an`
			`HSM`

			`We were doing a "best effort" when validating the HSM token is`
			`visible with a valid PIN when it came to groups. A specific`
			`workaround was added for softhsm2 but this didn't carry over`
			`to other HSMs that may have group-specific read/write access.`

			`Use the new capability in ipaplatform.constants.py::Group to be`
			`able to use generate a valid entry from a group GID. Pair this`
			`with os.getgrouplist() and all groups will be passed correctly`
			`via ipautil.run().`

			`Fixes: https://pagure.io/freeipa/issue/9709`

			`Signed-off-by: Rob Crittenden <rcritten@redhat.com>`
			`Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>`
			`Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>`
			`---`
			`ipaserver/install/ca.py \| 12 ++++--------`
			`1 file changed, 4 insertions(+), 8 deletions(-)`

			`diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py`
			`index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644`
			`--- a/ipaserver/install/ca.py`
			`+++ b/ipaserver/install/ca.py`
			`@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password):`
			`)`
			`pkiuser = constants.PKI_USER`
			`pkigroup = constants.PKI_GROUP`
			`- if 'libsofthsm' in token_library:`
			`- import grp`
			`- group = grp.getgrnam(constants.ODS_GROUP)`
			`- if str(constants.PKI_USER) in group.gr_mem:`
			`- pkigroup = constants.ODS_GROUP`
			`+ group_list = os.getgrouplist(pkiuser, pkigroup.gid)`
			`with certdb.NSSDatabase() as tempnssdb:`
			`tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))`
			`# Try adding the token library to the temporary database in`
			`@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password):`
			`# It may fail if p11-kit has already registered the library, that's`
			`# ok.`
			`ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,`
			`- runas=pkiuser, suplementary_groups=[pkigroup],`
			`+ runas=pkiuser, suplementary_groups=group_list,`
			`raiseonerr=False)`

			`command = [`
			`@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password):`
			`]`
			`lines = ipautil.run(`
			`command, cwd=tempnssdb.secdir, capture_output=True,`
			`- runas=pkiuser, suplementary_groups=[pkigroup]).output`
			`+ runas=pkiuser, suplementary_groups=group_list).output`
			`found = False`
			`token_line = f'token: {token_name}'`
			`for line in lines.split('\n'):`
			`@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password):`
			`]`
			`result = ipautil.run(args, cwd=tempnssdb.secdir,`
			`runas=pkiuser,`
			`- suplementary_groups=[pkigroup],`
			`+ suplementary_groups=group_list,`
			`capture_error=True, raiseonerr=False)`
			`if result.returncode != 0 and len(result.error_output):`
			`if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:`
			`--`
			`2.47.1`