129 lines
4.5 KiB
Diff
129 lines
4.5 KiB
Diff
|
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Thu, 9 Sep 2021 15:26:55 -0400
|
||
|
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
|
||
|
|
||
|
usercertificate often has a subclass and both the plain and
|
||
|
subclassed (binary) values are queried. I'm concerned that
|
||
|
they are used more or less interchangably in places so not
|
||
|
caching these entries is the safest path forward for now until
|
||
|
we can dedicate the time to find all usages, determine their
|
||
|
safety and/or perhaps handle this gracefully within the cache
|
||
|
now.
|
||
|
|
||
|
What we see in this bug is that usercertificate;binary holds the
|
||
|
first certificate value but a user-mod is done with
|
||
|
setattr usercertificate=<new_cert>. Since there is no
|
||
|
usercertificate value (remember, it's usercertificate;binary)
|
||
|
a replace is done and 389-ds wipes the existing value as we've
|
||
|
asked it to.
|
||
|
|
||
|
I'm not comfortable with simply treating them the same because
|
||
|
in LDAP they are not.
|
||
|
|
||
|
https://pagure.io/freeipa/issue/8986
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||
|
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
||
|
---
|
||
|
ipapython/ipaldap.py | 14 +++++++++++---
|
||
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
||
|
index f94b784d6..ced8f1bd6 100644
|
||
|
--- a/ipapython/ipaldap.py
|
||
|
+++ b/ipapython/ipaldap.py
|
||
|
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
|
||
|
entry=None, exception=None):
|
||
|
# idnsname - caching prevents delete when mod value to None
|
||
|
# cospriority - in a Class of Service object, uncacheable
|
||
|
- # TODO - usercertificate was banned at one point and I don't remember
|
||
|
- # why...
|
||
|
- BANNED_ATTRS = {'idnsname', 'cospriority'}
|
||
|
+ # usercertificate* - caching subtypes is tricky, trade less
|
||
|
+ # complexity for performance
|
||
|
+ #
|
||
|
+ # TODO: teach the cache about subtypes
|
||
|
+
|
||
|
+ BANNED_ATTRS = {
|
||
|
+ 'idnsname',
|
||
|
+ 'cospriority',
|
||
|
+ 'usercertificate',
|
||
|
+ 'usercertificate;binary'
|
||
|
+ }
|
||
|
if not self._enable_cache:
|
||
|
return
|
||
|
|
||
|
--
|
||
|
2.31.1
|
||
|
|
||
|
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
|
||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||
|
Date: Fri, 10 Sep 2021 09:01:48 -0400
|
||
|
Subject: [PATCH] ipatests: Test that a user can be issued multiple
|
||
|
certificates
|
||
|
|
||
|
Prevent regressions in the LDAP cache layer that caused newly
|
||
|
issued certificates to overwrite existing ones.
|
||
|
|
||
|
https://pagure.io/freeipa/issue/8986
|
||
|
|
||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||
|
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
||
|
---
|
||
|
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
|
||
|
1 file changed, 29 insertions(+)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||
|
index 7d51b76ee..b4e85eadc 100644
|
||
|
--- a/ipatests/test_integration/test_cert.py
|
||
|
+++ b/ipatests/test_integration/test_cert.py
|
||
|
@@ -16,6 +16,7 @@ import string
|
||
|
import time
|
||
|
|
||
|
from ipaplatform.paths import paths
|
||
|
+from ipapython.dn import DN
|
||
|
from cryptography import x509
|
||
|
from cryptography.x509.oid import ExtensionOID
|
||
|
from cryptography.hazmat.backends import default_backend
|
||
|
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
|
||
|
)
|
||
|
assert "profile: caServerCert" in result.stdout_text
|
||
|
|
||
|
+ def test_multiple_user_certificates(self):
|
||
|
+ """Test that a user may be issued multiple certificates"""
|
||
|
+ ldap = self.master.ldap_connect()
|
||
|
+
|
||
|
+ user = 'user1'
|
||
|
+
|
||
|
+ tasks.kinit_admin(self.master)
|
||
|
+ tasks.user_add(self.master, user)
|
||
|
+
|
||
|
+ for id in (0,1):
|
||
|
+ csr_file = f'{id}.csr'
|
||
|
+ key_file = f'{id}.key'
|
||
|
+ cert_file = f'{id}.crt'
|
||
|
+ openssl_cmd = [
|
||
|
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
|
||
|
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
|
||
|
+ self.master.run_command(openssl_cmd)
|
||
|
+
|
||
|
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
|
||
|
+ '--certificate-out', cert_file, csr_file]
|
||
|
+ self.master.run_command(cmd_args)
|
||
|
+
|
||
|
+ # easier to count by pulling the LDAP entry
|
||
|
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
|
||
|
+ ('cn', 'accounts'), self.master.domain.basedn))
|
||
|
+
|
||
|
+ assert len(entry.get('usercertificate')) == 2
|
||
|
+
|
||
|
@pytest.fixture
|
||
|
def test_subca_certs(self):
|
||
|
"""
|
||
|
--
|
||
|
2.31.1
|
||
|
|