ipa/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch

From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Jan 15 2024 13:50:10 +0000
Subject: host: update System: Manage Host Keytab permission


Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.

If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.

This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.

There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.

Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.

Fixes: https://pagure.io/freeipa/issue/9496

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ACI.txt b/ACI.txt
index e6d6e3d..236bb43 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 3ef510e..b02c8b5 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -409,7 +409,8 @@ class host(LDAPObject):
                                         api.env.container_hostgroup,
                                         api.env.basedn),
             ],
-            'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+            'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',
+                                   'ipaprotectedoperation;write_keys'},
             'replaces': [
                 '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
             ],
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
index 3333a4f..cd1096f 100644
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
         self.master.run_command(['ipa', 'privilege-add-permission',
                                  '--permissions', 'System: Add Hosts',
                                  'Add Hosts'])
+        self.master.run_command(['ipa', 'privilege-add-permission',
+                                 '--permissions', 'System: Manage Host Keytab',
+                                 'Add Hosts'])
 
         self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
                                  '--privileges', 'Host Enrollment'])
@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):
                                                encoding='utf-8')
         assert msg in install_log
 
+        # Make sure we do not fallback to an old keytab retrieval method anymore
+        msg = "Retrying with pre-4.0 keytab retrieval method..."
+        assert msg not in install_log
+
         # check that user is able to request a host cert, too
         result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
         assert 'Local IPA host' in result.stdout_text
ipa release 4.9.13-4 - Improve server affinity for CA-less deployments Resolves: RHEL-22283 - host: update system: Manage Host Keytab permission Resolves: RHEL-22286 - adtrustinstance: make sure NetBIOS name defaults are set properly Resolves: RHEL-21938 - ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off Resolves: RHEL-19672 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com> 2024-01-23 21:39:46 +00:00			`From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001`
			`From: Alexander Bokovoy <abokovoy@redhat.com>`
			`Date: Jan 15 2024 13:50:10 +0000`
			`Subject: host: update System: Manage Host Keytab permission`


			`Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended`
			`operation to get a keytab is supposed to be used. This keytab`
			`setting/retrieval extended operation checks access rights of the bound`
			`DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.`

			`If the write isn't allowed, the operation is rejected and ipa-getkeytab`
			`tool falls back to an older code that generates the keytab on the client`
			`and forcibly sets to the LDAP entry. For the latter, a check is done to`
			`make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.`

			`This fallback should never happen for newer deployments. When enrollemnt`
			`operation is delegated to non-administrative user with the help of 'Host`
			`Enrollment' role, a host can be pre-created or created at enrollment`
			`time, if this non-administrative user has 'Host Administrators' role. In`
			`the latter case a system permission 'System: Manage Host Keytab' grants`
			`write access to 'krbPrincipalKey' attribute but lacks any access to the`
			`virtual attributes expected by the new extended operation.`

			`There is a second virtual attribute, 'ipaProtectedOperation;read_keys',`
			`that allows to retrieve existing keys for a host. However, during`
			`initial enrollment we do not allow to retrieve and reuse existing`
			`Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve`
			`the existing key, 'ipa-join' has no way to trigger that operation.`
			`Hence, permission 'System: Manage Host Keytab' will not grant the right`
			`to read the Kerberos key via extended operation used by 'ipa-getkeytab`
			`-r'. Such operation can be done later by utilizing 'ipa`
			`service/host-allow-retrieve-keytab' commands.`

			`Fix 'System: Manage Host Keytab' permission and extend a permission test`
			`to see that we do not fallback to the old extended operation.`

			`Fixes: https://pagure.io/freeipa/issue/9496`

			`Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>`
			`Reviewed-By: Rob Crittenden <rcritten@redhat.com>`

			`---`

			`diff --git a/ACI.txt b/ACI.txt`
			`index e6d6e3d..236bb43 100644`
			`--- a/ACI.txt`
			`+++ b/ACI.txt`
			`@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve`
			`dn: cn=computers,cn=accounts,dc=ipa,dc=example`
			`aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)`
			`dn: cn=computers,cn=accounts,dc=ipa,dc=example`
			`-aci: (targetattr = "krblastpwdchange \|\| krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)`
			`+aci: (targetattr = "ipaprotectedoperation;write_keys \|\| krblastpwdchange \|\| krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)`
			`dn: cn=computers,cn=accounts,dc=ipa,dc=example`
			`aci: (targetattr = "createtimestamp \|\| entryusn \|\| ipaallowedtoperform;read_keys \|\| ipaallowedtoperform;write_keys \|\| modifytimestamp \|\| objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)`
			`dn: cn=computers,cn=accounts,dc=ipa,dc=example`
			`diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py`
			`index 3ef510e..b02c8b5 100644`
			`--- a/ipaserver/plugins/host.py`
			`+++ b/ipaserver/plugins/host.py`
			`@@ -409,7 +409,8 @@ class host(LDAPObject):`
			`api.env.container_hostgroup,`
			`api.env.basedn),`
			`],`
			`- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},`
			`+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',`
			`+ 'ipaprotectedoperation;write_keys'},`
			`'replaces': [`
			`'(targetattr = "krbprincipalkey \|\| krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',`
			`],`
			`diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py`
			`index 3333a4f..cd1096f 100644`
			`--- a/ipatests/test_integration/test_user_permissions.py`
			`+++ b/ipatests/test_integration/test_user_permissions.py`
			`@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):`
			`self.master.run_command(['ipa', 'privilege-add-permission',`
			`'--permissions', 'System: Add Hosts',`
			`'Add Hosts'])`
			`+ self.master.run_command(['ipa', 'privilege-add-permission',`
			`+ '--permissions', 'System: Manage Host Keytab',`
			`+ 'Add Hosts'])`

			`self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',`
			`'--privileges', 'Host Enrollment'])`
			`@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):`
			`encoding='utf-8')`
			`assert msg in install_log`

			`+ # Make sure we do not fallback to an old keytab retrieval method anymore`
			`+ msg = "Retrying with pre-4.0 keytab retrieval method..."`
			`+ assert msg not in install_log`
			`+`
			`# check that user is able to request a host cert, too`
			`result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)`
			`assert 'Local IPA host' in result.stdout_text`