ipa release 4.9.12-6
- ipa-kdb: fix error handling of is_master_host() Resolves: RHBZ#2214638 - ipatests: enable firewall rule for http service on acme client Resolves: RHBZ#2230256 - User plugin: improve error related to non existing idp Resolves: RHBZ#2224572 - Prevent admin user from being deleted Resolves: RHBZ#1821181 - Fix memory leak in the OTP last token plugin Resolves: RHBZ#2227783
This commit is contained in:
parent
046e99f183
commit
ff08f7c5db
@ -0,0 +1,85 @@
|
|||||||
|
From b5793c854035a122ed4c66f917cc427e5024e46a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Aug 02 2023 11:52:30 +0000
|
||||||
|
Subject: ipa-kdb: fix error handling of is_master_host()
|
||||||
|
|
||||||
|
|
||||||
|
Adding proper error handling to the is_master_host() function to allow
|
||||||
|
it to make the difference between the absence of a master host object
|
||||||
|
and a connection failure. This will keep the krb5kdc daemon from
|
||||||
|
continuing to run with a NULL LDAP context.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9422
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 8da7543..83cb991 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
|
||||||
|
+static krb5_error_code
|
||||||
|
+is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
|
||||||
|
{
|
||||||
|
- int ret;
|
||||||
|
+ int err;
|
||||||
|
char *master_host_base = NULL;
|
||||||
|
- LDAPMessage *result = NULL;
|
||||||
|
- krb5_error_code err;
|
||||||
|
+ LDAPMessage *ldap_res = NULL;
|
||||||
|
|
||||||
|
- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
|
||||||
|
+ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
|
||||||
|
fqdn, ipactx->base);
|
||||||
|
- if (ret == -1) {
|
||||||
|
- return false;
|
||||||
|
- }
|
||||||
|
+ if (err == -1)
|
||||||
|
+ return ENOMEM;
|
||||||
|
+
|
||||||
|
err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
|
||||||
|
- NULL, NULL, &result);
|
||||||
|
+ NULL, NULL, &ldap_res);
|
||||||
|
free(master_host_base);
|
||||||
|
- ldap_msgfree(result);
|
||||||
|
- if (err == 0) {
|
||||||
|
- return true;
|
||||||
|
- }
|
||||||
|
+ ldap_msgfree(ldap_res);
|
||||||
|
+ if (err != KRB5_KDB_NOENTRY && err != 0)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
+ if (result)
|
||||||
|
+ *result = err != KRB5_KDB_NOENTRY;
|
||||||
|
|
||||||
|
- return false;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
if ((is_host || is_service)) {
|
||||||
|
/* it is either host or service, so get the hostname first */
|
||||||
|
char *sep = strchr(info3->base.account_name.string, '/');
|
||||||
|
- bool is_master = is_master_host(
|
||||||
|
- ipactx,
|
||||||
|
- sep ? sep + 1 : info3->base.account_name.string);
|
||||||
|
+ bool is_master;
|
||||||
|
+
|
||||||
|
+ ret = is_master_host(ipactx,
|
||||||
|
+ sep ? sep + 1 : info3->base.account_name.string,
|
||||||
|
+ &is_master);
|
||||||
|
+ if (ret)
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
if (is_master) {
|
||||||
|
/* Well known RID of domain controllers group */
|
||||||
|
if (info3->base.rid == 0) {
|
||||||
|
|
@ -0,0 +1,39 @@
|
|||||||
|
From f68468718c1e01df4a9180e17d7e24d961850e19 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Wed, 14 Jun 2023 17:32:02 +0530
|
||||||
|
Subject: [PATCH] ipatests: enable firewall rule for http service on acme
|
||||||
|
client
|
||||||
|
|
||||||
|
when system hardning done i.e in case of STIG, sometimes http challanges
|
||||||
|
can't be validated by CA if port 80 is not open. This fix enable it to facilitate
|
||||||
|
the communication.
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_acme.py | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
||||||
|
index c69e810da70..414fae8d751 100644
|
||||||
|
--- a/ipatests/test_integration/test_acme.py
|
||||||
|
+++ b/ipatests/test_integration/test_acme.py
|
||||||
|
@@ -10,6 +10,7 @@
|
||||||
|
|
||||||
|
from ipalib.constants import IPA_CA_RECORD
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
+from ipatests.pytest_ipa.integration.firewall import Firewall
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||||
|
from ipaplatform.osinfo import osinfo
|
||||||
|
@@ -82,6 +83,9 @@ def prepare_acme_client(master, client):
|
||||||
|
acme_host = f'{IPA_CA_RECORD}.{master.domain.name}'
|
||||||
|
acme_server = f'https://{acme_host}/acme/directory'
|
||||||
|
|
||||||
|
+ # enable firewall rule on client
|
||||||
|
+ Firewall(client).enable_services(["http", "https"])
|
||||||
|
+
|
||||||
|
# install acme client packages
|
||||||
|
if not skip_certbot_tests:
|
||||||
|
tasks.install_packages(client, ['certbot'])
|
@ -0,0 +1,193 @@
|
|||||||
|
From 99aa03413421cf2839e89e10ca279ec19233dd01 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Jul 20 2023 08:23:36 +0000
|
||||||
|
Subject: User plugin: improve error related to non existing idp
|
||||||
|
|
||||||
|
|
||||||
|
The user and stageuser commands return the following error
|
||||||
|
when the user is created/updated with a non existing idp:
|
||||||
|
$ ipa user-add testuser --first test --last user --idp dummy
|
||||||
|
ipa: ERROR: no such entry
|
||||||
|
|
||||||
|
The error is not descriptive enough and has been modified to
|
||||||
|
display instead:
|
||||||
|
$ ipa user-add testuser --first test --last user --idp dummy
|
||||||
|
ipa: ERROR: External IdP configuration dummy not found
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9416
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||||
|
index 73b76d3..ba5f9b7 100644
|
||||||
|
--- a/ipaserver/plugins/baseuser.py
|
||||||
|
+++ b/ipaserver/plugins/baseuser.py
|
||||||
|
@@ -708,7 +708,11 @@ class baseuser_mod(LDAPUpdate):
|
||||||
|
if 'ipaidpuser' not in obj_classes:
|
||||||
|
entry_attrs['objectclass'].append('ipaidpuser')
|
||||||
|
|
||||||
|
- answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||||
|
+ try:
|
||||||
|
+ answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||||
|
+ except errors.NotFound:
|
||||||
|
+ reason = "External IdP configuration {} not found"
|
||||||
|
+ raise errors.NotFound(reason=_(reason).format(cl))
|
||||||
|
entry_attrs['ipaidpconfiglink'] = answer
|
||||||
|
|
||||||
|
# Note: we could have used the method add_missing_object_class
|
||||||
|
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
|
||||||
|
index 51438a8..852e51b 100644
|
||||||
|
--- a/ipaserver/plugins/stageuser.py
|
||||||
|
+++ b/ipaserver/plugins/stageuser.py
|
||||||
|
@@ -404,7 +404,11 @@ class stageuser_add(baseuser_add):
|
||||||
|
if 'ipaidpuser' not in entry_attrs['objectclass']:
|
||||||
|
entry_attrs['objectclass'].append('ipaidpuser')
|
||||||
|
|
||||||
|
- answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||||
|
+ try:
|
||||||
|
+ answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||||
|
+ except errors.NotFound:
|
||||||
|
+ reason = "External IdP configuration {} not found"
|
||||||
|
+ raise errors.NotFound(reason=_(reason).format(cl))
|
||||||
|
entry_attrs['ipaidpconfiglink'] = answer
|
||||||
|
|
||||||
|
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
||||||
|
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||||
|
index 643b44f..a337e1f 100644
|
||||||
|
--- a/ipaserver/plugins/user.py
|
||||||
|
+++ b/ipaserver/plugins/user.py
|
||||||
|
@@ -638,7 +638,11 @@ class user_add(baseuser_add):
|
||||||
|
if 'ipaidpuser' not in entry_attrs['objectclass']:
|
||||||
|
entry_attrs['objectclass'].append('ipaidpuser')
|
||||||
|
|
||||||
|
- answer = self.api.Object['idp'].get_dn_if_exists(rcl)
|
||||||
|
+ try:
|
||||||
|
+ answer = self.api.Object['idp'].get_dn_if_exists(rcl)
|
||||||
|
+ except errors.NotFound:
|
||||||
|
+ reason = "External IdP configuration {} not found"
|
||||||
|
+ raise errors.NotFound(reason=_(reason).format(rcl))
|
||||||
|
entry_attrs['ipaidpconfiglink'] = answer
|
||||||
|
|
||||||
|
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
||||||
|
|
||||||
|
From dbcbe9a39c99008c6858bab53e2807b7bf01ba65 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Jul 20 2023 08:23:36 +0000
|
||||||
|
Subject: xmlrpc tests: add a test for user plugin with non-existing idp
|
||||||
|
|
||||||
|
|
||||||
|
Add new tests checking the error returned for
|
||||||
|
ipa user-add ... --idp nonexistingidp
|
||||||
|
ipa user-mod ... --idp nonexistingidp
|
||||||
|
ipa stageuser-add ... --idp nonexistingidp
|
||||||
|
ipa stageuser-mod ... --idp nonexistingidp
|
||||||
|
|
||||||
|
The expected error message is:
|
||||||
|
ipa: ERROR: External IdP configuration nonexistingidp not found
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9416
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
index 394015f..9ae5561 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
@@ -39,6 +39,8 @@ gid = u'456'
|
||||||
|
invalidrealm1 = u'suser1@NOTFOUND.ORG'
|
||||||
|
invalidrealm2 = u'suser1@BAD@NOTFOUND.ORG'
|
||||||
|
|
||||||
|
+nonexistentidp = 'IdPDoesNotExist'
|
||||||
|
+
|
||||||
|
invaliduser1 = u'+tuser1'
|
||||||
|
invaliduser2 = u'tuser1234567890123456789012345678901234567890'
|
||||||
|
invaliduser3 = u'1234'
|
||||||
|
@@ -431,6 +433,15 @@ class TestCreateInvalidAttributes(XMLRPC_test):
|
||||||
|
invalidrealm2))):
|
||||||
|
command()
|
||||||
|
|
||||||
|
+ def test_create_invalid_idp(self, stageduser):
|
||||||
|
+ stageduser.ensure_missing()
|
||||||
|
+ command = stageduser.make_create_command(
|
||||||
|
+ options={u'ipaidpconfiglink': nonexistentidp})
|
||||||
|
+ with raises_exact(errors.NotFound(
|
||||||
|
+ reason="External IdP configuration {} not found".format(
|
||||||
|
+ nonexistentidp))):
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestUpdateInvalidAttributes(XMLRPC_test):
|
||||||
|
@@ -466,6 +477,15 @@ class TestUpdateInvalidAttributes(XMLRPC_test):
|
||||||
|
message=u'invalid \'gidnumber\': must be at least 1')):
|
||||||
|
command()
|
||||||
|
|
||||||
|
+ def test_update_invalididp(self, stageduser):
|
||||||
|
+ stageduser.ensure_exists()
|
||||||
|
+ command = stageduser.make_update_command(
|
||||||
|
+ updates={u'ipaidpconfiglink': nonexistentidp})
|
||||||
|
+ with raises_exact(errors.NotFound(
|
||||||
|
+ reason="External IdP configuration {} not found".format(
|
||||||
|
+ nonexistentidp))):
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestActive(XMLRPC_test):
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
index 8ac19a4..baa2867 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
@@ -86,6 +86,8 @@ expired_expiration_string = "1991-12-07T19:54:13Z"
|
||||||
|
# Date in ISO format (2013-12-10T12:00:00)
|
||||||
|
isodate_re = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$')
|
||||||
|
|
||||||
|
+nonexistentidp = 'IdPDoesNotExist'
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.fixture(scope='class')
|
||||||
|
def user_min(request, xmlrpc_setup):
|
||||||
|
@@ -542,6 +544,18 @@ class TestUpdate(XMLRPC_test):
|
||||||
|
command()
|
||||||
|
user.delete()
|
||||||
|
|
||||||
|
+ def test_update_invalid_idp(self, user):
|
||||||
|
+ """ Test user-mod --idp with a non-existent idp """
|
||||||
|
+ user.ensure_exists()
|
||||||
|
+ command = user.make_update_command(
|
||||||
|
+ updates=dict(ipaidpconfiglink=nonexistentidp)
|
||||||
|
+ )
|
||||||
|
+ with raises_exact(errors.NotFound(
|
||||||
|
+ reason="External IdP configuration {} not found".format(
|
||||||
|
+ nonexistentidp)
|
||||||
|
+ )):
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestCreate(XMLRPC_test):
|
||||||
|
@@ -770,6 +784,17 @@ class TestCreate(XMLRPC_test):
|
||||||
|
user_radius.check_create(result)
|
||||||
|
user_radius.delete()
|
||||||
|
|
||||||
|
+ def test_create_with_invalididp(self):
|
||||||
|
+ testuser = UserTracker(
|
||||||
|
+ name='idpuser', givenname='idp', sn='user',
|
||||||
|
+ ipaidpconfiglink=nonexistentidp
|
||||||
|
+ )
|
||||||
|
+ with raises_exact(errors.NotFound(
|
||||||
|
+ reason="External IdP configuration {} not found".format(
|
||||||
|
+ nonexistentidp)
|
||||||
|
+ )):
|
||||||
|
+ testuser.create()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestUserWithGroup(XMLRPC_test):
|
||||||
|
|
169
0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
Normal file
169
0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
Normal file
@ -0,0 +1,169 @@
|
|||||||
|
From f215d3f45396fa29bdd69f56096b50842df14908 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Aug 01 2023 22:03:03 +0000
|
||||||
|
Subject: Prevent the admin user from being deleted
|
||||||
|
|
||||||
|
|
||||||
|
admin is required for trust operations
|
||||||
|
|
||||||
|
Note that testing for removing the last member is now
|
||||||
|
irrelevant because admin must always exist so the test
|
||||||
|
for it was removed, but the code check remains. It is done
|
||||||
|
after the protected member check.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8878
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||||
|
index a337e1f..6f5e349 100644
|
||||||
|
--- a/ipaserver/plugins/user.py
|
||||||
|
+++ b/ipaserver/plugins/user.py
|
||||||
|
@@ -138,14 +138,23 @@ MEMBEROF_ADMINS = "(memberOf={})".format(
|
||||||
|
)
|
||||||
|
|
||||||
|
NOT_MEMBEROF_ADMINS = '(!{})'.format(MEMBEROF_ADMINS)
|
||||||
|
+PROTECTED_USERS = ('admin',)
|
||||||
|
|
||||||
|
|
||||||
|
def check_protected_member(user, protected_group_name=u'admins'):
|
||||||
|
'''
|
||||||
|
- Ensure the last enabled member of a protected group cannot be deleted or
|
||||||
|
- disabled by raising LastMemberError.
|
||||||
|
+ Ensure admin and the last enabled member of a protected group cannot
|
||||||
|
+ be deleted or disabled by raising ProtectedEntryError or
|
||||||
|
+ LastMemberError as appropriate.
|
||||||
|
'''
|
||||||
|
|
||||||
|
+ if user in PROTECTED_USERS:
|
||||||
|
+ raise errors.ProtectedEntryError(
|
||||||
|
+ label=_("user"),
|
||||||
|
+ key=user,
|
||||||
|
+ reason=_("privileged user"),
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
# Get all users in the protected group
|
||||||
|
result = api.Command.user_find(in_group=protected_group_name)
|
||||||
|
|
||||||
|
@@ -868,6 +877,12 @@ class user_mod(baseuser_mod):
|
||||||
|
|
||||||
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||||
|
dn, oc = self.obj.get_either_dn(*keys, **options)
|
||||||
|
+ if options.get('rename') and keys[-1] in PROTECTED_USERS:
|
||||||
|
+ raise errors.ProtectedEntryError(
|
||||||
|
+ label=_("user"),
|
||||||
|
+ key=keys[-1],
|
||||||
|
+ reason=_("privileged user"),
|
||||||
|
+ )
|
||||||
|
if 'objectclass' not in entry_attrs and 'rename' not in options:
|
||||||
|
entry_attrs.update({'objectclass': oc})
|
||||||
|
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
index baa2867..df105a2 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
@@ -978,22 +978,32 @@ class TestManagers(XMLRPC_test):
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestAdmins(XMLRPC_test):
|
||||||
|
- def test_remove_original_admin(self):
|
||||||
|
- """ Try to remove the only admin """
|
||||||
|
+ def test_delete_admin(self):
|
||||||
|
+ """ Try to delete the protected admin user """
|
||||||
|
tracker = Tracker()
|
||||||
|
- command = tracker.make_command('user_del', [admin1])
|
||||||
|
+ command = tracker.make_command('user_del', admin1)
|
||||||
|
|
||||||
|
- with raises_exact(errors.LastMemberError(
|
||||||
|
- key=admin1, label=u'group', container=admin_group)):
|
||||||
|
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||||
|
+ key=admin1, reason='privileged user')):
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
+ def test_rename_admin(self):
|
||||||
|
+ """ Try to rename the admin user """
|
||||||
|
+ tracker = Tracker()
|
||||||
|
+ command = tracker.make_command('user_mod', admin1,
|
||||||
|
+ **dict(rename=u'newadmin'))
|
||||||
|
+
|
||||||
|
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||||
|
+ key=admin1, reason='privileged user')):
|
||||||
|
command()
|
||||||
|
|
||||||
|
def test_disable_original_admin(self):
|
||||||
|
- """ Try to disable the only admin """
|
||||||
|
+ """ Try to disable the original admin """
|
||||||
|
tracker = Tracker()
|
||||||
|
command = tracker.make_command('user_disable', admin1)
|
||||||
|
|
||||||
|
- with raises_exact(errors.LastMemberError(
|
||||||
|
- key=admin1, label=u'group', container=admin_group)):
|
||||||
|
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||||
|
+ key=admin1, reason='privileged user')):
|
||||||
|
command()
|
||||||
|
|
||||||
|
def test_create_admin2(self, admin2):
|
||||||
|
@@ -1011,21 +1021,11 @@ class TestAdmins(XMLRPC_test):
|
||||||
|
admin2.disable()
|
||||||
|
tracker = Tracker()
|
||||||
|
|
||||||
|
- with raises_exact(errors.LastMemberError(
|
||||||
|
- key=admin1, label=u'group', container=admin_group)):
|
||||||
|
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||||
|
+ key=admin1, reason='privileged user')):
|
||||||
|
tracker.run_command('user_disable', admin1)
|
||||||
|
- with raises_exact(errors.LastMemberError(
|
||||||
|
- key=admin1, label=u'group', container=admin_group)):
|
||||||
|
- tracker.run_command('user_del', admin1)
|
||||||
|
admin2.delete()
|
||||||
|
|
||||||
|
- with raises_exact(errors.LastMemberError(
|
||||||
|
- key=admin1, label=u'group', container=admin_group)):
|
||||||
|
- tracker.run_command('user_disable', admin1)
|
||||||
|
- with raises_exact(errors.LastMemberError(
|
||||||
|
- key=admin1, label=u'group', container=admin_group)):
|
||||||
|
- tracker.run_command('user_del', admin1)
|
||||||
|
-
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestPreferredLanguages(XMLRPC_test):
|
||||||
|
|
||||||
|
From 7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Aug 08 2023 14:50:32 +0000
|
||||||
|
Subject: ipatests: update expected webui msg for admin deletion
|
||||||
|
|
||||||
|
|
||||||
|
The deletion of the admin is now forbidden (even if it is
|
||||||
|
not the last member of the admins group) and the error
|
||||||
|
message has changed from "admin cannot be deleted or
|
||||||
|
disabled because it is the last member of group admins"
|
||||||
|
to " user admin cannot be deleted/modified: privileged user".
|
||||||
|
|
||||||
|
Update the expected message in the webui test.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8878
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py
|
||||||
|
index 8d44fbd..a8a92d0 100644
|
||||||
|
--- a/ipatests/test_webui/test_user.py
|
||||||
|
+++ b/ipatests/test_webui/test_user.py
|
||||||
|
@@ -50,8 +50,7 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are "
|
||||||
|
FIELD_REQ = 'Required field'
|
||||||
|
ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $'
|
||||||
|
ERR_MISMATCH = 'Passwords must match'
|
||||||
|
-ERR_ADMIN_DEL = ('admin cannot be deleted or disabled because it is the last '
|
||||||
|
- 'member of group admins')
|
||||||
|
+ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user')
|
||||||
|
USR_EXIST = 'user with name "{}" already exists'
|
||||||
|
ENTRY_EXIST = 'This entry already exists'
|
||||||
|
ACTIVE_ERR = 'active user with name "{}" already exists'
|
||||||
|
|
@ -0,0 +1,114 @@
|
|||||||
|
From 9438ce9207445e4ad4a9c7bdf0c9e569cabac571 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Aug 01 2023 06:07:06 +0000
|
||||||
|
Subject: Fix memory leak in the OTP last token plugin
|
||||||
|
|
||||||
|
|
||||||
|
Three memory leaks are addressed:
|
||||||
|
|
||||||
|
1. String values retrieved from the pblock need to be manually
|
||||||
|
freed.
|
||||||
|
|
||||||
|
2. The list of objectclasses retreived from the pblock need to be
|
||||||
|
freed.
|
||||||
|
|
||||||
|
3. Internal search results need to be freed.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9403
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||||
|
index b7a2ba7..11106b2 100644
|
||||||
|
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||||
|
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||||
|
@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id;
|
||||||
|
|
||||||
|
static bool entry_is_token(Slapi_Entry *entry)
|
||||||
|
{
|
||||||
|
- char **ocls;
|
||||||
|
+ char **ocls = NULL;
|
||||||
|
|
||||||
|
ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
|
||||||
|
for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
|
||||||
|
@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ slapi_ch_array_free(ocls);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn)
|
||||||
|
static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
|
||||||
|
{
|
||||||
|
Slapi_DN *target_sdn = NULL;
|
||||||
|
- const char *bind_dn;
|
||||||
|
+ char *bind_dn;
|
||||||
|
+ bool rv = false;
|
||||||
|
|
||||||
|
/* Ignore internal operations. */
|
||||||
|
if (slapi_op_internal(pb))
|
||||||
|
@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
|
||||||
|
/* Load parameters. */
|
||||||
|
(void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
|
||||||
|
(void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
|
||||||
|
- if (target_sdn == NULL || bind_dn == NULL) {
|
||||||
|
- LOG_FATAL("Missing parameters!\n");
|
||||||
|
- return false;
|
||||||
|
+ if (bind_dn == NULL) {
|
||||||
|
+ LOG_FATAL("bind_dn parameter missing!\n");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ if (target_sdn == NULL) {
|
||||||
|
+ LOG_FATAL("target_sdn parameter missing!\n");
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (entry != NULL
|
||||||
|
? !entry_is_token(entry)
|
||||||
|
- : !sdn_in_otp_container(target_sdn))
|
||||||
|
- return true;
|
||||||
|
+ : !sdn_in_otp_container(target_sdn)) {
|
||||||
|
+ rv = true;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
|
||||||
|
- return true;
|
||||||
|
+ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) {
|
||||||
|
+ rv = true;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (is_pwd_enabled(bind_dn))
|
||||||
|
- return true;
|
||||||
|
+ if (is_pwd_enabled(bind_dn)) {
|
||||||
|
+ rv = true;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- return false;
|
||||||
|
+done:
|
||||||
|
+ slapi_ch_free_string(&bind_dn);
|
||||||
|
+ return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
|
||||||
|
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
|
||||||
|
index a3cbfb0..4be4ede 100644
|
||||||
|
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
|
||||||
|
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
|
||||||
|
@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn
|
||||||
|
}
|
||||||
|
|
||||||
|
error:
|
||||||
|
+ slapi_free_search_results_internal(pb);
|
||||||
|
slapi_pblock_destroy(pb);
|
||||||
|
return tokens;
|
||||||
|
}
|
||||||
|
|
19
ipa.spec
19
ipa.spec
@ -189,7 +189,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 5%{?rc_version:.%rc_version}%{?dist}
|
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -215,6 +215,11 @@ Patch0003: 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch
|
|||||||
Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch
|
Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch
|
||||||
Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
|
Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
|
||||||
Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch
|
Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch
|
||||||
|
Patch0007: 0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch
|
||||||
|
Patch0008: 0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch
|
||||||
|
Patch0009: 0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch
|
||||||
|
Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
|
||||||
|
Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||||
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
||||||
@ -1729,6 +1734,18 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-6
|
||||||
|
- ipa-kdb: fix error handling of is_master_host()
|
||||||
|
Resolves: RHBZ#2214638
|
||||||
|
- ipatests: enable firewall rule for http service on acme client
|
||||||
|
Resolves: RHBZ#2230256
|
||||||
|
- User plugin: improve error related to non existing idp
|
||||||
|
Resolves: RHBZ#2224572
|
||||||
|
- Prevent admin user from being deleted
|
||||||
|
Resolves: RHBZ#1821181
|
||||||
|
- Fix memory leak in the OTP last token plugin
|
||||||
|
Resolves: RHBZ#2227783
|
||||||
|
|
||||||
* Mon Jul 17 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-5
|
* Mon Jul 17 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-5
|
||||||
- Upgrade: fix replica agreement, fix backported patch
|
- Upgrade: fix replica agreement, fix backported patch
|
||||||
Related: RHBZ#2216551
|
Related: RHBZ#2216551
|
||||||
|
Loading…
Reference in New Issue
Block a user