From 5a872dd20c6cc51ec55178416a1ea9346d30b08e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 15 Nov 2022 10:36:47 -0500
Subject: [PATCH] import ipa-4.10.0-7.el9_1

---
 ...fix-canonicalization-issue-in-Web-UI.patch | 62 +++++++++++++++++++
 SPECS/freeipa.spec | 7 ++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch

diff --git a/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
new file mode 100644
index 0000000..6ca8590
--- /dev/null
+++ b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
@@ -0,0 +1,62 @@
+From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 23 Aug 2022 16:58:07 +0300
+Subject: [PATCH] fix canonicalization issue in Web UI
+
+When Kerberos principal alias is used to login to a Web UI, we end up
+with a request that is authenticated by a ticket issued in the alias
+name but metadata processed for the canonical user name. This confuses
+RPC layer of Web UI code and causes infinite loop to reload the page.
+
+Fix it by doing two things:
+
+ - force use of canonicalization of an enterprise principal on server
+ side, not just specifying that the principal is an enterprise one;
+
+ - recognize that a principal in the whoami()-returned object can have
+ aliases and the principal returned by the server in the JSON response
+ may be one of those aliases.
+
+Fixes: https://pagure.io/freeipa/issue/9226
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Armando Neto
+---
+ install/ui/src/freeipa/ipa.js | 8 +++++++-
+ ipaserver/rpcserver.py | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
+index 758db1b00..a08d632e9 100644
+--- a/install/ui/src/freeipa/ipa.js
++++ b/install/ui/src/freeipa/ipa.js
+@@ -271,7 +271,13 @@ var IPA = function () {
+ var cn = that.whoami.data.krbcanonicalname;
+ if (cn) that.principal = cn[0];
+ if (!that.principal) {
+- that.principal = that.whoami.data.krbprincipalname[0];
++ var principal = data.principal;
++ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
++ if (idx > -1) {
++ that.principal = principal;
++ } else {
++ that.principal = that.whoami.data.krbprincipalname[0];
++ }
+ }
+ } else if (entity === 'idoverrideuser') {
+ that.principal = that.whoami.data.ipaoriginaluid[0];
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 1f85e9898..4e8a08b66 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1109,6 +1109,7 @@ class
login_password(Backend, KerberosSession): + ccache_name, + armor_ccache_name=armor_path, + enterprise=True, ++ canonicalize=True, + lifetime=self.api.env.kinit_lifetime) + + if armor_path: +-- +2.37.3 + diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec index a386ef9..fe340ad 100644 --- a/SPECS/freeipa.spec +++ b/SPECS/freeipa.spec @@ -198,7 +198,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?rc_version:.%rc_version}%{?dist} +Release: 7%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -232,6 +232,7 @@ Patch0011: 0011-ipatests-Fix-expected-object-classes.patch Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch +Patch0015: 0015-fix-canonicalization-issue-in-Web-UI.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1740,6 +1741,10 @@ fi %endif %changelog +* Tue Oct 25 2022 Rafael Jeffman - 4.10.0-7 +- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail +- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z] + * Fri Aug 19 2022 Florence Blanc-Renaud - 4.10.0-6 - Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0 - Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
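Review bot: The new `var principal = data.principal;` line in the ipa.js hunk reads `data`, which is declared nowhere in the hunk (the enclosing whoami callback starts outside it), and when that field is absent or is not an exact string match `indexOf` returns -1 and the else branch silently falls back to `krbprincipalname[0]` — the same alias/canonical mismatch the commit message says sends the RPC layer into a reload loop. The comparison is a byte-exact, case-sensitive match, while Kerberos user-part matching on the server may well be case-insensitive (unverified from here), so an alias that differs only in case would take that silent fallback too. I would document the fallback rather than leave it implicit, `// no exact alias match: picking the first alias can recreate the reload loop — confirm case handling against the KDC`, and since `idx` is only used for the membership test, `if (that.whoami.data.krbprincipalname.indexOf(principal) > -1) {` reads tighter in this ES5-style file. On the rpcserver.py side, `canonicalize=True` makes the session principal whatever the KDC canonicalizes the submitted enterprise name to; the hunk does not show whether the session is keyed from the resulting ccache rather than the typed user name, and `login_password` continues outside the hunk, so that is the check I would confirm before relying on the client-side alias test alone.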