From 46b3f6f720a67679b7413b5680d203f02f62a262 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 25 Oct 2022 03:39:28 -0400
Subject: [PATCH] import ipa-4.9.8-8.module+el8.6.0+16878+6c033536

---
 ...ization-issue-in-Web-UI_rhbz#2133051.patch | 62 +++++++++++++++++++
 SPECS/ipa.spec | 7 ++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch

diff --git a/SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch b/SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch
new file mode 100644
index 0000000..4fa0b23
--- /dev/null
+++ b/SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch
@@ -0,0 +1,62 @@
+From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 23 Aug 2022 16:58:07 +0300
+Subject: [PATCH] fix canonicalization issue in Web UI
+
+When Kerberos principal alias is used to login to a Web UI, we end up
+with a request that is authenticated by a ticket issued in the alias
+name but metadata processed for the canonical user name. This confuses
+RPC layer of Web UI code and causes infinite loop to reload the page.
+
+Fix it by doing two things:
+
+ - force use of canonicalization of an enterprise principal on server
+ side, not just specifying that the principal is an enterprise one;
+
+ - recognize that a principal in the whoami()-returned object can have
+ aliases and the principal returned by the server in the JSON response
+ may be one of those aliases.
+
+Fixes: https://pagure.io/freeipa/issue/9226
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Armando Neto
+---
+ install/ui/src/freeipa/ipa.js | 8 +++++++-
+ ipaserver/rpcserver.py | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
+index 758db1b00..a08d632e9 100644
+--- a/install/ui/src/freeipa/ipa.js
++++ b/install/ui/src/freeipa/ipa.js
+@@ -271,7 +271,13 @@ var IPA = function () {
+ var cn = that.whoami.data.krbcanonicalname;
+ if (cn) that.principal = cn[0];
+ if (!that.principal) {
+- that.principal = that.whoami.data.krbprincipalname[0];
++ var principal = data.principal;
++ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
++ if (idx > -1) {
++ that.principal = principal;
++ } else {
++ that.principal = that.whoami.data.krbprincipalname[0];
++ }
+ }
+ } else if (entity === 'idoverrideuser') {
+ that.principal = that.whoami.data.ipaoriginaluid[0];
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 1f85e9898..4e8a08b66 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
+ ccache_name,
+ armor_ccache_name=armor_path,
+ enterprise=True,
++ canonicalize=True,
+ lifetime=self.api.env.kinit_lifetime)
+
+ if armor_path:
+--
+2.37.3
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index ec2a8c3..d844e77 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -191,7 +191,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 7%{?rc_version:.%rc_version}%{?dist}
+Release: 8%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -224,6 +224,7 @@ Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053
 Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
 Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
 Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
+Patch0014: 0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1714,6 +1715,10 @@ fi
 %changelog
+* Fri Oct 7 2022 Rafael Jeffman - 4.9.8-8
+- Fix canonicalization issue in Web UI
+ Resolves: RHBZ#2133051
+
 * Thu Feb 24 2022 Rafael Jeffman - 4.9.8-7
 - ipatests: Backport test fixes in python3-ipatests.
 Resolves: RHBZ#2057505
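Review bot: The new alias lookup `var idx = that.whoami.data.krbprincipalname.indexOf(principal);` in the embedded ipa.js hunk is an exact string comparison against `data.principal`, so any difference in case or realm spelling between the server-reported principal and the stored aliases silently falls through to the old `krbprincipalname[0]` choice, which is the very mismatch the patch is fixing; a one-line comment stating the assumption would help the next reader, e.g. `// data.principal is the name the ticket was issued for (possibly an alias); keep it only if it is one of our known aliases`. If `data.principal` is absent, `indexOf(undefined)` returns -1 and the fallback is taken, which is acceptable, but an undefined `krbprincipalname` still throws exactly as before the change. The enclosing callback starts and ends outside the hunk, so where `data` comes from is not visible here. On the server side, `canonicalize=True` lets the KDC answer with a client name other than the one typed at login, so it seems worth confirming that the session principal is read back from the resulting ccache rather than from the submitted username; that code is outside the hunk.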