Compare commits

...

No commits in common. "a9" and "c8-stream-DL1" have entirely different histories.

89 changed files with 8387 additions and 7600 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.11.0.tar.gz
SOURCES/freeipa-4.9.13.tar.gz

View File

@ -1 +1 @@
991d8a605a9547e1dbdbbdf283f6eb20f759de4d SOURCES/freeipa-4.11.0.tar.gz
da1bb0220894d8dc06afb98dcf087fea38076a79 SOURCES/freeipa-4.9.13.tar.gz

View File

@ -0,0 +1,73 @@
From 06b4c61b4484efe2093501caf21b03f1fc14093b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Oct 2023 12:47:03 +0200
Subject: [PATCH] group-add-member fails with an external member
The command ipa group-add-member --external aduser@addomain.test
fails with an internal error when used with samba 4.19.
The command internally calls samba.security.dom_sid(sid) which
used to raise a TypeError but now raises a ValueError
(commit 9abdd67 on https://github.com/samba-team/samba).
IPA source code needs to handle properly both exception types.
Fixes: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/dcerpc.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index c1db2f9a499..ee0a229d1f0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -303,7 +303,7 @@ def get_domain_by_sid(self, sid, exact_match=False):
# Parse sid string to see if it is really in a SID format
try:
test_sid = security.dom_sid(sid)
- except TypeError:
+ except (TypeError, ValueError):
raise errors.ValidationError(name='sid',
error=_('SID is not valid'))
From aa3397378acf1a03fc8bbe34b9fae33e84588b34 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 20 Oct 2023 10:20:57 +0200
Subject: [PATCH] Handle samba changes in samba.security.dom_sid()
samba.security.dom_sid() in 4.19 now raises ValueError instead of
TypeError. Fix the expected exception.
Related: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/dcerpc.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index ee0a229d1f0..3e4c71d9976 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -97,7 +97,7 @@
def is_sid_valid(sid):
try:
security.dom_sid(sid)
- except TypeError:
+ except (TypeError, ValueError):
return False
else:
return True
@@ -457,7 +457,7 @@ def get_trusted_domain_object_sid(self, object_name,
try:
test_sid = security.dom_sid(sid)
return unicode(test_sid)
- except TypeError:
+ except (TypeError, ValueError):
raise errors.ValidationError(name=_('trusted domain object'),
error=_('Trusted domain did not '
'return a valid SID for '

View File

@ -1,44 +0,0 @@
From 4c8512168f6a9f224277a4db055f5432af37a552 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 28 Sep 2023 17:39:32 +0200
Subject: [PATCH] ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.
Fixes: https://pagure.io/freeipa/issue/9459
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 6e01642f36a3d39ac7b3c2721664b21356bf424b..822f550d2ee241a9dd14c99d75199e6207b78e9c 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1640,13 +1640,19 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest):
"Got {count} ipa-ca AAAA records, expected {expected}",
"Expected URI record missing",
}
- else:
+ elif (parse_version(version) < parse_version('0.13')):
expected_msgs = {
"Expected SRV record missing",
"Unexpected ipa-ca address {ipaddr}",
"expected ipa-ca to contain {ipaddr} for {server}",
"Expected URI record missing",
}
+ else:
+ expected_msgs = {
+ "Expected SRV record missing",
+ "Expected URI record missing",
+ "missing IP address for ipa-ca server {server}",
+ }
tasks.install_packages(self.master, HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
--
2.41.0

View File

@ -1,4 +1,4 @@
From 2c52a7dfd26ac561786e72e4304acbf9585698b6 Mon Sep 17 00:00:00 2001
From ae006b436cfb4ccee5972cf1db0a309fcd80e669 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 6 Oct 2023 20:16:29 +0000
Subject: [PATCH] Check the HTTP Referer header on all requests
@ -23,7 +23,7 @@ Signed-off-by: Rob Crittenden <rcritten@redhat.com>
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d475ff31e8c 100644
index 4e8a08b66..3555014ca 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -156,6 +156,19 @@ _success_template = """<html>
@ -56,7 +56,7 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
class WSGIExecutioner(Executioner):
"""
Base class for execution backends with a WSGI application interface.
@@ -898,6 +908,9 @@ class jsonserver_session(jsonserver, KerberosSession):
@@ -897,6 +907,9 @@ class jsonserver_session(jsonserver, KerberosSession):
logger.debug('WSGI jsonserver_session.__call__:')
@ -66,7 +66,7 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
# Redirect to login if no Kerberos credentials
ccache_name = self.get_environ_creds(environ)
if ccache_name is None:
@@ -950,6 +963,9 @@ class KerberosLogin(Backend, KerberosSession):
@@ -949,6 +962,9 @@ class KerberosLogin(Backend, KerberosSession):
def __call__(self, environ, start_response):
logger.debug('WSGI KerberosLogin.__call__:')
@ -76,7 +76,7 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
# Redirect to login if no Kerberos credentials
user_ccache_name = self.get_environ_creds(environ)
if user_ccache_name is None:
@@ -968,6 +984,9 @@ class login_x509(KerberosLogin):
@@ -967,6 +983,9 @@ class login_x509(KerberosLogin):
def __call__(self, environ, start_response):
logger.debug('WSGI login_x509.__call__:')
@ -86,7 +86,7 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
if 'KRB5CCNAME' not in environ:
return self.unauthorized(
environ, start_response, 'KRB5CCNAME not set',
@@ -1016,6 +1035,9 @@ class login_password(Backend, KerberosSession):
@@ -1015,6 +1034,9 @@ class login_password(Backend, KerberosSession):
logger.debug('WSGI login_password.__call__:')
@ -96,7 +96,7 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
# Get the user and password parameters from the request
content_type = environ.get('CONTENT_TYPE', '').lower()
if not content_type.startswith('application/x-www-form-urlencoded'):
@@ -1148,6 +1170,9 @@ class change_password(Backend, HTTP_Status):
@@ -1147,6 +1169,9 @@ class change_password(Backend, HTTP_Status):
def __call__(self, environ, start_response):
logger.info('WSGI change_password.__call__:')
@ -106,7 +106,7 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
# Get the user and password parameters from the request
content_type = environ.get('CONTENT_TYPE', '').lower()
if not content_type.startswith('application/x-www-form-urlencoded'):
@@ -1365,6 +1390,9 @@ class xmlserver_session(xmlserver, KerberosSession):
@@ -1364,6 +1389,9 @@ class xmlserver_session(xmlserver, KerberosSession):
logger.debug('WSGI xmlserver_session.__call__:')
@ -117,5 +117,5 @@ index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d47
# Redirect to /ipa/xml if no Kerberos credentials
--
2.43.0
2.41.0

View File

@ -1,47 +0,0 @@
From ca4ac6c06dd37deab5ba7c4df8789acf9e45d03e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 28 Sep 2023 12:48:37 +0200
Subject: [PATCH] ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.
The test must be compatible with old and new versions.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 822f550d2ee241a9dd14c99d75199e6207b78e9c..35fcfe10508589ded021207a4eba4fb0143495b4 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -2412,12 +2412,19 @@ class TestIpaHealthCLI(IntegrationTest):
cmd = self.base_cmd + ["--indent", option]
result = self.master.run_command(cmd, raiseonerr=False)
assert result.returncode == 2
- assert 'invalid int value' in result.stderr_text
+ assert ('invalid int value' in result.stderr_text
+ or 'is not an integer' in result.stderr_text)
- # unusual success, arguably odd but not invalid :-)
+ version = tasks.get_healthcheck_version(self.master)
for option in ('-1', '5000'):
cmd = self.base_cmd + ["--indent", option]
- result = self.master.run_command(cmd)
+ result = self.master.run_command(cmd, raiseonerr=False)
+ if parse_version(version) >= parse_version('0.13'):
+ assert result.returncode == 2
+ assert 'is not in the range 0-32' in result.stderr_text
+ else:
+ # Older versions did not check for a given allowed range
+ assert result.returncode == 0
def test_severity(self):
"""
--
2.41.0

View File

@ -1,4 +1,4 @@
From 14720c7690bda2b538dfc1d742eb4eb152dfd8a2 Mon Sep 17 00:00:00 2001
From f1f8b16def3e809f5773bb8aa40aefb21699347b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Oct 2023 20:34:01 +0000
Subject: [PATCH] Integration tests for verifying Referer header in the UI
@ -42,7 +42,7 @@ Signed-off-by: Rob Crittenden <rcritten@redhat.com>
create mode 100644 ipatests/test_ipaserver/test_referer.py
diff --git a/ipatests/test_ipaserver/httptest.py b/ipatests/test_ipaserver/httptest.py
index 6cd034a719690646ee9238a5c6061e791e1c6fb5..8924798fc93c14e45beaf232a958d22398f61954 100644
index 6cd034a71..8924798fc 100644
--- a/ipatests/test_ipaserver/httptest.py
+++ b/ipatests/test_ipaserver/httptest.py
@@ -36,7 +36,7 @@ class Unauthorized_HTTP_test:
@ -67,7 +67,7 @@ index 6cd034a719690646ee9238a5c6061e791e1c6fb5..8924798fc93c14e45beaf232a958d223
headers = {'Content-Type': self.content_type,
'Accept-Language': self.accept_language,
diff --git a/ipatests/test_ipaserver/test_changepw.py b/ipatests/test_ipaserver/test_changepw.py
index c3a47ab265f08db11ddfee2182401ccba90cf8df..df38ddb3d9e74baf908372be0780fcefbb258a5d 100644
index c3a47ab26..df38ddb3d 100644
--- a/ipatests/test_ipaserver/test_changepw.py
+++ b/ipatests/test_ipaserver/test_changepw.py
@@ -53,10 +53,11 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):
@ -101,7 +101,7 @@ index c3a47ab265f08db11ddfee2182401ccba90cf8df..df38ddb3d9e74baf908372be0780fcef
diff --git a/ipatests/test_ipaserver/test_login_password.py b/ipatests/test_ipaserver/test_login_password.py
new file mode 100644
index 0000000000000000000000000000000000000000..9425cb7977fbc87210bf91464e0257830a938baf
index 000000000..9425cb797
--- /dev/null
+++ b/ipatests/test_ipaserver/test_login_password.py
@@ -0,0 +1,88 @@
@ -195,7 +195,7 @@ index 0000000000000000000000000000000000000000..9425cb7977fbc87210bf91464e025783
+ assert response.getheader('X-IPA-Rejection-Reason') is None
diff --git a/ipatests/test_ipaserver/test_referer.py b/ipatests/test_ipaserver/test_referer.py
new file mode 100644
index 0000000000000000000000000000000000000000..4eade8bbaf304c48bf71c16892858d899b43cf88
index 000000000..4eade8bba
--- /dev/null
+++ b/ipatests/test_ipaserver/test_referer.py
@@ -0,0 +1,136 @@
@ -336,7 +336,7 @@ index 0000000000000000000000000000000000000000..4eade8bbaf304c48bf71c16892858d89
+
+ assert_equal(response.status, 400, self.app_uri)
diff --git a/ipatests/util.py b/ipatests/util.py
index 929c3e899c3317acf59f2030b069898f4b282abc..61af0c40d07b31ef9e8ce1f069b05b2088605231 100644
index 5c0152b90..c69d98790 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -163,12 +163,12 @@ class ExceptionNotRaised(Exception):
@ -355,5 +355,5 @@ index 929c3e899c3317acf59f2030b069898f4b282abc..61af0c40d07b31ef9e8ce1f069b05b20
def assert_not_equal(val1, val2):
--
2.43.0
2.41.0

View File

@ -1,35 +0,0 @@
From 8ffcce91c694d83f6698a0539b970f41ea056e2d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 21 Sep 2023 10:32:41 +0200
Subject: [PATCH] ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.
Fixes: https://pagure.io/freeipa/issue/9415
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_installation.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 39fbff2b674296b0696defa7bac3efe35c89e0b7..68a442a9cd7746eec728ee38fda34dbc5361c59b 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -695,7 +695,7 @@ def get_pki_tomcatd_pid(host):
def get_ipa_services_pids(host):
ipa_services_name = [
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
- "pki_tomcatd", "ipa-dnskeysyncd"
+ "pki_tomcatd"
]
pids_of_ipa_services = {}
for name in ipa_services_name:
--
2.41.0

View File

@ -0,0 +1,265 @@
From 013be398bced31f567ef01ac2471cb7529789b4a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 9 Oct 2023 15:47:03 +0200
Subject: [PATCH] ipa-kdb: Detect and block Bronze-Bit attacks
The C8S/RHEL8 version of FreeIPA is vulnerable to the Bronze-Bit attack
because it does not implement PAC ticket signature to protect the
"forwardable" flag. However, it does implement the PAC extended KDC
signature, which protects against PAC spoofing.
Based on information available in the PAC and the
"ok-to-auth-as-delegate" attribute in the database. It is possible to
detect and reject requests where the "forwardable" flag was flipped by
the attacker in the evidence ticket.
---
daemons/ipa-kdb/ipa_kdb.h | 13 +++
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 6 +
daemons/ipa-kdb/ipa_kdb_mspac.c | 173 ++++++++++++++++++++++++++++
ipaserver/install/server/install.py | 8 ++
4 files changed, 200 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 7aa5be494..02b2cb631 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -367,6 +367,19 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
const char *test_realm, size_t size,
char **trusted_realm);
+/* Try to detect a Bronze-Bit attack based on the content of the request and
+ * data from the KDB.
+ *
+ * context krb5 context
+ * request KDB request
+ * detected Set to "true" if a bronze bit attack is detected and the
+ * pointer is not NULL. Remains unset otherwise.
+ * status If the call fails and the pointer is not NULL, set it with a
+ * message describing the cause of the failure. */
+krb5_error_code
+ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ bool *detected, const char **status);
+
/* DELEGATION CHECKS */
krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index f2804c9b2..1032dff0b 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -185,6 +185,12 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
+ krb5_error_code kerr;
+
+ kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
+ if (kerr)
+ return KRB5KDC_ERR_POLICY;
+
*status = NULL;
*lifetime_out = 0;
*renew_lifetime_out = 0;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 83cb9914d..b4e22d431 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3298,3 +3298,176 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
return KRB5_KDB_NOENTRY;
}
+
+krb5_error_code
+ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ bool *detected, const char **status)
+{
+ krb5_error_code kerr;
+ const char *st = NULL;
+ size_t i, j;
+ krb5_ticket *evidence_tkt;
+ krb5_authdata **authdata, **ifrel = NULL;
+ krb5_pac pac = NULL;
+ TALLOC_CTX *tmpctx = NULL;
+ krb5_data fullsign = { 0, 0, NULL }, linfo_blob = { 0, 0, NULL };
+ DATA_BLOB linfo_data;
+ struct PAC_LOGON_INFO_CTR linfo;
+ enum ndr_err_code ndr_err;
+ struct dom_sid asserted_identity_sid;
+ bool evtkt_is_s4u2self = false;
+ krb5_db_entry *proxy_entry = NULL;
+
+ /* If no additional ticket, this is not a constrained delegateion request.
+ * Skip checks. */
+ if (!(request->kdc_options & KDC_OPT_CNAME_IN_ADDL_TKT)) {
+ kerr = 0;
+ goto end;
+ }
+
+ evidence_tkt = request->second_ticket[0];
+
+ /* No need to check the Forwardable flag. If it was not set, this request
+ * would have failed earlier. */
+
+ /* We only support general constrained delegation (not RBCD), which is not
+ * available for cross-realms. */
+ if (!krb5_realm_compare(context, evidence_tkt->server, request->server)) {
+ st = "S4U2PROXY_NOT_SUPPORTED_FOR_CROSS_REALMS";
+ kerr = ENOTSUP;
+ goto end;
+ }
+
+ authdata = evidence_tkt->enc_part2->authorization_data;
+
+ /* Search for the PAC. */
+ for (i = 0; authdata != NULL && authdata[i] != NULL; i++) {
+ if (authdata[i]->ad_type != KRB5_AUTHDATA_IF_RELEVANT)
+ continue;
+
+ kerr = krb5_decode_authdata_container(context,
+ KRB5_AUTHDATA_IF_RELEVANT,
+ authdata[i], &ifrel);
+ if (kerr) {
+ st = "S4U2PROXY_CANNOT_DECODE_EVIDENCE_TKT_AUTHDATA";
+ goto end;
+ }
+
+ for (j = 0; ifrel[j] != NULL; j++) {
+ if (ifrel[j]->ad_type == KRB5_AUTHDATA_WIN2K_PAC)
+ break;
+ }
+ if (ifrel[j] != NULL)
+ break;
+
+ krb5_free_authdata(context, ifrel);
+ ifrel = NULL;
+ }
+
+ if (ifrel == NULL) {
+ st = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC";
+ kerr = ENOENT;
+ goto end;
+ }
+
+ /* Parse the PAC. */
+ kerr = krb5_pac_parse(context, ifrel[j]->contents, ifrel[j]->length, &pac);
+ if (kerr) {
+ st = "S4U2PROXY_CANNOT_DECODE_EVICENCE_TKT_PAC";
+ goto end;
+ }
+
+ /* Check that the PAC extanded KDC signature is present. If it is, it was
+ * already tested.
+ * If absent, the context of the PAC cannot be trusted. */
+ kerr = krb5_pac_get_buffer(context, pac, KRB5_PAC_FULL_CHECKSUM, &fullsign);
+ if (kerr) {
+ st = "S4U2PROXY_MISSING_EXTENDED_KDC_SIGN_IN_EVIDENCE_TKT_PAC";
+ goto end;
+ }
+
+ /* Get the PAC Logon Info. */
+ kerr = krb5_pac_get_buffer(context, pac, KRB5_PAC_LOGON_INFO, &linfo_blob);
+ if (kerr) {
+ st = "S4U2PROXY_NO_PAC_LOGON_INFO_IN_EVIDENCE_TKT";
+ goto end;
+ }
+
+ /* Parse the PAC Logon Info. */
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ st = "OUT_OF_MEMORY";
+ kerr = ENOMEM;
+ goto end;
+ }
+
+ linfo_data.length = linfo_blob.length;
+ linfo_data.data = (uint8_t *)linfo_blob.data;
+ ndr_err = ndr_pull_union_blob(&linfo_data, tmpctx, &linfo,
+ PAC_TYPE_LOGON_INFO,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ st = "S4U2PROXY_CANNOT_PARSE_ENVIDENCE_TKT_PAC_LOGON_INFO";
+ kerr = EINVAL;
+ goto end;
+ }
+
+ /* Check that the extra SIDs array is not empty. */
+ if (linfo.info->info3.sidcount == 0) {
+ st = "S4U2PROXY_NO_EXTRA_SID";
+ kerr = ENOENT;
+ goto end;
+ }
+
+ /* Search for the S-1-18-2 domain SID, which indicates the ticket was
+ * obtained using S4U2Self */
+ kerr = ipadb_string_to_sid("S-1-18-2", &asserted_identity_sid);
+ if (kerr) {
+ st = "S4U2PROXY_CANNOT_CREATE_ASSERTED_IDENTITY_SID";
+ goto end;
+ }
+
+ for (i = 0; i < linfo.info->info3.sidcount; i++) {
+ if (dom_sid_check(&asserted_identity_sid,
+ linfo.info->info3.sids[0].sid, true)) {
+ evtkt_is_s4u2self = true;
+ break;
+ }
+ }
+
+ /* If the ticket was obtained using S4U2Self, the proxy principal entry must
+ * have the "ok_to_auth_as_delegate" attribute set to true. */
+ if (evtkt_is_s4u2self) {
+ kerr = ipadb_get_principal(context, evidence_tkt->server, 0,
+ &proxy_entry);
+ if (kerr) {
+ st = "S4U2PROXY_CANNOT_FIND_PROXY_PRINCIPAL";
+ goto end;
+ }
+
+ if (!(proxy_entry->attributes & KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) {
+ /* This evidence ticket cannot be forwardable given the privileges
+ * of the proxy principal.
+ * This is a Bronze Bit attack. */
+ if (detected)
+ *detected = true;
+ st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
+ kerr = EBADE;
+ goto end;
+ }
+ }
+
+ kerr = 0;
+
+end:
+ if (st && status)
+ *status = st;
+
+ krb5_free_authdata(context, ifrel);
+ krb5_pac_free(context, pac);
+ krb5_free_data_contents(context, &linfo_blob);
+ krb5_free_data_contents(context, &fullsign);
+ talloc_free(tmpctx);
+ ipadb_free_principal(context, proxy_entry);
+ return kerr;
+}
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 4e4076410..bfbb83bcb 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -981,6 +981,14 @@ def install(installer):
# Set the admin user kerberos password
ds.change_admin_password(admin_password)
+ # Force KDC to refresh the cached value of ipaKrbAuthzData by restarting.
+ # ipaKrbAuthzData has to be set with "MS-PAC" to trigger PAC generation,
+ # which is required to handle S4U2Proxy with the Bronze-Bit fix.
+ # Not doing so would cause API malfunction for around a minute, which is
+ # long enough to cause the hereafter client installation to fail.
+ service.print_msg("Restarting the KDC")
+ krb.restart()
+
# Call client install script
service.print_msg("Configuring client side components")
try:
--
2.41.0

View File

@ -1,88 +0,0 @@
From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 9 Oct 2023 13:54:17 +0200
Subject: [PATCH] ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.
Use a simpler method that replaces the timezone info with UTC in the
datetime object.
Fixes: https://pagure.io/freeipa/issue/9462
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipalib/x509.py | 6 ++----
ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):
@property
def not_valid_before(self):
- return datetime.datetime.fromtimestamp(
- self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
+ return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
@property
def not_valid_after(self):
- return datetime.datetime.fromtimestamp(
- self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
+ return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
@property
def tbs_certificate_bytes(self):
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -26,6 +26,7 @@ from binascii import hexlify
from configparser import RawConfigParser
import datetime
from io import StringIO
+import os
import pickle
import pytest
@@ -253,6 +254,30 @@ class test_x509:
b'+\x06\x01\x05\x05\x07\x03\x01'
)
+ def test_cert_with_timezone(self):
+ """
+ Test the not_before and not_after values in a diffent timezone
+
+ Test for https://pagure.io/freeipa/issue/9462
+ """
+ # Store initial timezone, then set to New York
+ tz = os.environ.get('TZ', None)
+ os.environ['TZ'] = 'America/New_York'
+ # Load the cert, extract not before and not after
+ cert = x509.load_pem_x509_certificate(goodcert_headers)
+ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
+ datetime.timezone.utc)
+ not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
+ datetime.timezone.utc)
+ # Reset timezone to previous value
+ if tz:
+ os.environ['TZ'] = tz
+ else:
+ del os.environ['TZ']
+ # ensure the timezone doesn't mess with not_before and not_after
+ assert cert.not_valid_before == not_before
+ assert cert.not_valid_after == not_after
+
def test_load_pkcs7_pem(self):
certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
assert len(certlist) == 1
--
2.41.0

View File

@ -1,135 +0,0 @@
From 9b0b723a0e62f18d41be53900ab8a3e710708563 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 May 2023 09:23:32 -0400
Subject: [PATCH] Allow password policy minlength to be removed like other
values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.
So if there are no libpwquality options used then it's fine to
have no minlength in the policy.
Fixes: https://pagure.io/freeipa/issue/9297
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/pwpolicy.py | 10 +++--
ipatests/test_integration/test_pwpolicy.py | 45 +++++++++++++++++++++-
2 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 5ea3e6b78c9ee98d204b8382fbed9e21edf51d10..15cfef45b69743c852e43d58b7428976b9e55681 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -462,6 +462,7 @@ class pwpolicy(LDAPObject):
return False
has_pwquality_value = False
+ min_length = 0
if not add:
if len(keys) > 0:
existing_entry = self.api.Command.pwpolicy_show(
@@ -470,14 +471,15 @@ class pwpolicy(LDAPObject):
existing_entry = self.api.Command.pwpolicy_show(
all=True,)['result']
existing_entry.update(entry_attrs)
- min_length = int(get_val(existing_entry, 'krbpwdminlength'))
-
+ if existing_entry.get('krbpwdminlength'):
+ min_length = int(get_val(existing_entry, 'krbpwdminlength'))
has_pwquality_value = has_pwquality_set(existing_entry)
else:
- min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
+ if entry_attrs.get('krbpwdminlength'):
+ min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
has_pwquality_value = has_pwquality_set(entry_attrs)
- if min_length and min_length < 6 and has_pwquality_value:
+ if min_length < 6 and has_pwquality_value:
raise errors.ValidationError(
name='minlength',
error=_('Minimum length must be >= 6 if maxrepeat, '
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
index 41d6e9070a90c2bde7b3182ad6ecf1a923bba203..652c95e47bdab8bbe137f660d0b2ea2c0496c53e 100644
--- a/ipatests/test_integration/test_pwpolicy.py
+++ b/ipatests/test_integration/test_pwpolicy.py
@@ -36,7 +36,9 @@ class TestPWPolicy(IntegrationTest):
cls.master.run_command(['ipa', 'group-add-member', POLICY,
'--users', USER])
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
- '--priority', '1', '--gracelimit', '-1'])
+ '--priority', '1',
+ '--gracelimit', '-1',
+ '--minlength', '6'])
cls.master.run_command(['ipa', 'passwd', USER],
stdin_text='{password}\n{password}\n'.format(
password=PASSWORD
@@ -92,6 +94,12 @@ class TestPWPolicy(IntegrationTest):
"--minlength", "0",
"--minclasses", "0",],
)
+ # minlength => 6 is required for any of the libpwquality settings
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "6"],
+ raiseonerr=False,
+ )
@pytest.fixture
def reset_pwpolicy(self):
@@ -212,6 +220,7 @@ class TestPWPolicy(IntegrationTest):
assert 'Password is too simple' in \
result.stdout_text
+ self.reset_password(self.master)
# test with valid password
for valid in ('Passw0rd', 'password1!', 'Password!'):
self.kinit_as_user(self.master, PASSWORD, valid)
@@ -252,6 +261,40 @@ class TestPWPolicy(IntegrationTest):
assert result.returncode != 0
assert 'minlength' in result.stderr_text
+ def test_minlength_empty(self, reset_pwpolicy):
+ """Test that the pwpolicy minlength can be blank
+ """
+ # Ensure it is set to a non-zero value to avoid EmptyModlist
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "10",]
+ )
+ # Enable one of the libpwquality options, removing minlength
+ # should fail.
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--maxrepeat", "4",]
+ )
+ result = self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "",], raiseonerr=False
+ )
+ assert result.returncode != 0
+
+ # Remove the blocking value
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--maxrepeat", "",]
+ )
+
+ # Now erase it
+ result = self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "",]
+ )
+ assert result.returncode == 0
+ assert 'minlength' not in result.stderr_text
+
def test_minlength_add(self):
"""Test that adding a new policy with minlength is caught.
"""
--
2.41.0

View File

@ -0,0 +1,212 @@
From 3add9ba03a0af913d03b1f5ecaa8e48e46a93f91 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 15 2024 13:42:08 +0000
Subject: Server affinity: Retain user-requested remote server
We want to avoid splitting a replica server installation between
two hosts where possible so if a CA or KRA is requested then
we only try to install against a remote server that also provides
those capabilities. This avoids race conditions.
If a CA or KRA is not requested and the user has provided a
server to install against then use that instead of overriding it.
Extend the logic of picking the remote Custodia mode
(KRA, CA, *MASTER*) to include considering whether the
CA and KRA services are requested. If the service(s) are
not requested the the associated hostname may not be
reliable.
Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 27fbdef..8096b6a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
def remote_connection(config):
+ logger.debug("Creating LDAP connection to %s", config.master_host_name)
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
xmlrpc_uri = 'https://{}/ipa/xml'.format(
ipautil.format_netloc(config.master_host_name))
@@ -1087,7 +1088,7 @@ def promote_check(installer):
'CA', conn, preferred_cas
)
if ca_host is not None:
- if config.master_host_name != ca_host:
+ if options.setup_ca and config.master_host_name != ca_host:
conn.disconnect()
del remote_api
config.master_host_name = ca_host
@@ -1096,8 +1097,7 @@ def promote_check(installer):
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
config.ca_host_name = ca_host
- config.master_host_name = ca_host
- ca_enabled = True
+ ca_enabled = True # There is a CA somewhere in the topology
if options.dirsrv_cert_files:
logger.error("Certificates could not be provided when "
"CA is present on some master.")
@@ -1135,7 +1135,7 @@ def promote_check(installer):
'KRA', conn, preferred_kras
)
if kra_host is not None:
- if config.master_host_name != kra_host:
+ if options.setup_kra and config.master_host_name != kra_host:
conn.disconnect()
del remote_api
config.master_host_name = kra_host
@@ -1143,10 +1143,9 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
- config.ca_host_name = kra_host
- config.master_host_name = kra_host
- kra_enabled = True
+ config.kra_host_name = kra_host
+ config.ca_host_name = kra_host
+ kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
kra_host != options.server:
# Installer was provided with a specific master
@@ -1372,10 +1371,10 @@ def install(installer):
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
- elif ca_enabled:
+ elif options.setup_ca and ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
From 701339d4fed539713eb1a13495992879f56a6daa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 18 2024 14:53:28 +0000
Subject: Server affinity: Don't rely just on [ca|kra]_enabled for installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8096b6a..191913d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1143,7 +1143,8 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
+ config.kra_host_name = kra_host
+ if options.setup_kra: # only reset ca_host if KRA is requested
config.ca_host_name = kra_host
kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
@@ -1381,7 +1382,7 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if ca_enabled:
+ if options.setup_ca and ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
@@ -1397,7 +1398,7 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
From e6014a5c1996528b255480b67fe2937203bff81b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 23 2024 15:32:58 +0000
Subject: Server affinity: call ca.install() if there is a CA in the topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index c93ae1f..187f803 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia):
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
- custodia.get_ca_keys(
- cafile,
- replica_config.dirman_password)
+ if replica_config.setup_ca:
+ custodia.get_ca_keys(
+ cafile,
+ replica_config.dirman_password)
ca_signing_algorithm = None
ca_type = None
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f8d4733..4c1c07c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1359,11 +1359,13 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if options.setup_ca and ca_enabled:
+ if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
+ # Always call ca.install() if there is a CA in the topology
+ # to ensure the RA agent is present.
ca.install(False, config, options, custodia=custodia)
# configure PKINIT now that all required services are in place
@@ -1375,7 +1377,8 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if options.setup_kra and kra_enabled:
+ if kra_enabled:
+ # The KRA installer checks for itself the status of setup_kra
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")

View File

@ -1,7 +1,8 @@
From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 21 Dec 2023 09:38:57 +0200
Subject: [PATCH] host: update System: Manage Host Keytab permission
Date: Jan 15 2024 13:50:10 +0000
Subject: host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
operation to get a keytab is supposed to be used. This keytab
@ -38,14 +39,11 @@ Fixes: https://pagure.io/freeipa/issue/9496
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ACI.txt | 2 +-
ipaserver/plugins/host.py | 3 ++-
ipatests/test_integration/test_user_permissions.py | 7 +++++++
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index e6d6e3d1586c098f528d17fe940a1364b415654f..236bb43677bd9d84798a7ab418412b337fbf5c59 100644
index e6d6e3d..236bb43 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
@ -58,7 +56,7 @@ index e6d6e3d1586c098f528d17fe940a1364b415654f..236bb43677bd9d84798a7ab418412b33
aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 3ef510edc77a07ad504f07614d0c5524a3c34646..b02c8b55fde037c5fa0a9c73575b22e3c7177806 100644
index 3ef510e..b02c8b5 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -409,7 +409,8 @@ class host(LDAPObject):
@ -72,7 +70,7 @@ index 3ef510edc77a07ad504f07614d0c5524a3c34646..b02c8b55fde037c5fa0a9c73575b22e3
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
],
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
index 3333a4f6b961961aea7dadf2eb36d7ed3b31e410..cd1096ff3582f9c0cfdb16b5ed876164139f1a1b 100644
index 3333a4f..cd1096f 100644
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
@ -96,6 +94,4 @@ index 3333a4f6b961961aea7dadf2eb36d7ed3b31e410..cd1096ff3582f9c0cfdb16b5ed876164
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
--
2.43.0

View File

@ -1,70 +0,0 @@
From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 10 Oct 2023 15:22:27 +0530
Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installaton.py
is failing in FIPS/STIG mode with the below error.
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode
2. Adding the posfix config change, because there was a crash
seen in smtpd in FIPS mode.
ie. postconf -e smtpd_tls_fingerprint_digest=sha256
KCS: https://access.redhat.com/solutions/6958957
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_epn.py | 4 +++-
ipatests/test_integration/test_installation.py | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -180,7 +180,6 @@ def configure_starttls(host):
postconf(host, 'smtpd_tls_session_cache_timeout = 3600s')
# announce STARTTLS support to remote SMTP clients, not require
postconf(host, 'smtpd_tls_security_level = may')
-
host.run_command(["systemctl", "restart", "postfix"])
@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host):
# CA certificates of root CAs trusted to sign remote SMTP client cert
postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}")
+ if host.is_fips_mode:
+ postconf(host, 'smtpd_tls_fingerprint_digest = sha256')
+
host.run_command(["systemctl", "restart", "postfix"])
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
from ipatests.test_integration.test_cert import get_certmonger_fs_id
+from ipatests.pytest_ipa.integration import skip_if_fips
from ipaplatform import services
@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest):
tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
+ @skip_if_fips()
def test_certmonger_reads_token_HSM(self):
"""Test if certmonger reads the token in HSM
--
2.41.0

View File

@ -1,50 +0,0 @@
From d4271391adc45c781092db0fb89b802743a9dda8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 11 Sep 2023 21:37:05 +0000
Subject: [PATCH] The PKI JSON API the revocation reason key may be
case-sensitive
PKI 11.4.0 changed the reason keyword in the REST API from lower-case
to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6
Use Reason instead of reason as the keyword for revocations
for PKI 11.4.0+
Related: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
ipaserver/plugins/dogtag.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 1c2c51824eecb71cfa8146ceb30435c5ad5d79c7..0036803c86652b557ebeb3cd048877bc01a6b71a 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -274,6 +274,8 @@ if six.PY3:
logger = logging.getLogger(__name__)
+pki_version = pki.util.Version(pki.specification_version())
+
# These are general status return values used when
# CMSServlet.outputError() is invoked.
CMS_SUCCESS = 0
@@ -1130,7 +1132,11 @@ class ra(rabase.rabase, RestClient):
serial_number = int(serial_number, 0)
path = 'agent/certs/{}/revoke'.format(serial_number)
- data = '{{"reason":"{}"}}'.format(reasons[revocation_reason])
+ if pki_version < pki.util.Version("11.4.0"):
+ keyword = "reason"
+ else:
+ keyword = "Reason"
+ data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
http_status, _http_headers, http_body = self._ssldo(
'POST', path,
--
2.41.0

View File

@ -1,8 +1,8 @@
From eab52d3cda9bbec716008c040551bd11facd0e11 Mon Sep 17 00:00:00 2001
From 2f17319df6147832dceff7c06154363f8d58b194 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 17 Jan 2024 12:27:26 +0200
Subject: [PATCH] adtrustinstance: make sure NetBIOS name defaults are set
properly
Date: Jan 18 2024 09:07:31 +0000
Subject: adtrustinstance: make sure NetBIOS name defaults are set properly
Some tools may pass None as NetBIOS name if not put explicitly by a
user. This meant to use default NetBIOS name generator based on the
@ -13,12 +13,11 @@ Fixes: https://pagure.io/freeipa/issue/9514
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/adtrustinstance.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index d55ba849157bee8e335e2e0772514fc15ec11193..2ff68dfb46371a6118eb67515347eb762a37e1ec 100644
index bf0cc3b..bb5b61a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service):
@ -30,6 +29,4 @@ index d55ba849157bee8e335e2e0772514fc15ec11193..2ff68dfb46371a6118eb67515347eb76
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
--
2.43.0

View File

@ -1,102 +0,0 @@
From 0539d97f3e9d2b7d80549ff08d78fe55afcc2dbb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 26 Oct 2023 13:59:21 -0400
Subject: [PATCH] WIP: Get the PKI version from the remote to determine the
argument
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
ipaserver/plugins/dogtag.py | 55 ++++++++++++++++++++++++++++++++-----
1 file changed, 48 insertions(+), 7 deletions(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 0036803c86652b557ebeb3cd048877bc01a6b71a..7cd51ae58ae0edfe69f0ac7fa190290e2669b0d2 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -274,8 +274,6 @@ if six.PY3:
logger = logging.getLogger(__name__)
-pki_version = pki.util.Version(pki.specification_version())
-
# These are general status return values used when
# CMSServlet.outputError() is invoked.
CMS_SUCCESS = 0
@@ -1059,6 +1057,39 @@ class ra(rabase.rabase, RestClient):
return cmd_result
+ def get_pki_version(self):
+ """
+ Retrieve the version of a remote PKI server.
+
+ The REST API request is a GET to the info URI:
+ GET /pki/rest/info HTTP/1.1
+
+ The response is: {"Version":"11.5.0","Attributes":{"Attribute":[]}}
+ """
+ path = "/pki/rest/info"
+ logger.debug('%s.get_pki_version()', type(self).__name__)
+ http_status, _http_headers, http_body = self._ssldo(
+ 'GET', path,
+ headers={
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json',
+ },
+ use_session=False,
+ )
+ if http_status != 200:
+ self.raise_certificate_operation_error('get_pki_version',
+ detail=http_status)
+
+ try:
+ response = json.loads(ipautil.decode_json(http_body))
+ except ValueError as e:
+ logger.debug("Response from CA was not valid JSON: %s", e)
+ raise errors.RemoteRetrieveError(
+ reason=_("Response from CA was not valid JSON")
+ )
+
+ return response.get('Version')
+
def revoke_certificate(self, serial_number, revocation_reason=0):
"""
@@ -1125,6 +1156,20 @@ class ra(rabase.rabase, RestClient):
detail='7 is not a valid revocation reason'
)
+ # dogtag changed the argument case for revocation from
+ # "reason" to "Reason" in PKI 11.4.0. Detect that change
+ # based on the remote version and pass the expected value
+ # in.
+ pki_version = pki.util.Version(self.get_pki_version())
+ if pki_version is None:
+ self.raise_certificate_operation_error('revoke_certificate',
+ detail="Remove version not "
+ "detected")
+ if pki_version < pki.util.Version("11.4.0"):
+ reason = "reason"
+ else:
+ reason = "Reason"
+
# Convert serial number to integral type from string to properly handle
# radix issues. Note: the int object constructor will properly handle
# large magnitude integral values by returning a Python long type
@@ -1132,11 +1177,7 @@ class ra(rabase.rabase, RestClient):
serial_number = int(serial_number, 0)
path = 'agent/certs/{}/revoke'.format(serial_number)
- if pki_version < pki.util.Version("11.4.0"):
- keyword = "reason"
- else:
- keyword = "Reason"
- data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
+ data = '{{"{}":"{}"}}'.format(reason, reasons[revocation_reason])
http_status, _http_headers, http_body = self._ssldo(
'POST', path,
--
2.41.0

View File

@ -1,8 +1,8 @@
From 7e76329f76b7605ac6ec255c53b3c15d368a63f7 Mon Sep 17 00:00:00 2001
From 5afda72afc6fd626359411b55f092989fdd7d82d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 13 Nov 2023 09:48:09 -0500
Subject: [PATCH] ipatests: ignore nsslapd-accesslog-logbuffering WARN in
healthcheck
Date: Jan 15 2024 13:39:21 +0000
Subject: ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
@ -18,24 +18,24 @@ Fixes: https://pagure.io/freeipa/issue/9400
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 28 +++++++++++++++++++
.../test_replica_promotion.py | 5 +++-
2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e3178fef2518 100644
index 7fb8e40..14fba26 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -10,6 +10,7 @@ from __future__ import absolute_import
@@ -9,6 +9,7 @@ from __future__ import absolute_import
from configparser import RawConfigParser, NoOptionError
from datetime import datetime, timedelta, timezone
UTC = timezone.utc
from datetime import datetime, timedelta
+import io
import json
import os
import re
@@ -209,6 +210,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json",
@@ -208,6 +209,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json",
return result.returncode, data
@ -64,7 +64,7 @@ index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e317
@pytest.fixture
def restart_service():
"""Shut down and restart a service as a fixture"""
@@ -266,6 +289,7 @@ class TestIpaHealthCheck(IntegrationTest):
@@ -265,6 +288,7 @@ class TestIpaHealthCheck(IntegrationTest):
setup_dns=True,
extra_args=['--no-dnssec-validation']
)
@ -72,7 +72,7 @@ index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e317
def test_ipa_healthcheck_install_on_master(self):
"""
@@ -558,6 +582,7 @@ class TestIpaHealthCheck(IntegrationTest):
@@ -552,6 +576,7 @@ class TestIpaHealthCheck(IntegrationTest):
setup_dns=True,
extra_args=['--no-dnssec-validation']
)
@ -80,7 +80,7 @@ index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e317
# Init a user on replica to assign a DNA range
tasks.kinit_admin(self.replicas[0])
@@ -698,6 +723,7 @@ class TestIpaHealthCheck(IntegrationTest):
@@ -692,6 +717,7 @@ class TestIpaHealthCheck(IntegrationTest):
'output_type=human'
])
)
@ -88,7 +88,7 @@ index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e317
returncode, output = run_healthcheck(
self.master, failures_only=True, config=config_file
)
@@ -713,6 +739,7 @@ class TestIpaHealthCheck(IntegrationTest):
@@ -707,6 +733,7 @@ class TestIpaHealthCheck(IntegrationTest):
'output_file=%s' % HC_LOG,
])
)
@ -96,7 +96,7 @@ index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e317
returncode, _unused = run_healthcheck(
self.master, config=config_file
)
@@ -2408,6 +2435,7 @@ class TestIpaHealthCLI(IntegrationTest):
@@ -2396,6 +2423,7 @@ class TestIpaHealthCLI(IntegrationTest):
cls.master, setup_dns=True, extra_args=['--no-dnssec-validation']
)
tasks.install_packages(cls.master, HEALTHCHECK_PKG)
@ -105,7 +105,7 @@ index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e317
def test_indent(self):
"""
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index d477c3a20df80f16d47a55c9359ce165049dd907..b71f2d5d7e1517ab73d79b62477a3377839b0b7a 100644
index d477c3a..b71f2d5 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -13,7 +13,7 @@ import pytest
@ -127,6 +127,49 @@ index d477c3a20df80f16d47a55c9359ce165049dd907..b71f2d5d7e1517ab73d79b62477a3377
def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
domain = DNSName(self.master.domain.name).make_absolute()
rset = [
--
2.41.0
From f1cfe7d9ff2489dbb6cad70999b0e1bd433c0537 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 15 2024 13:39:21 +0000
Subject: ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.
Fixes: https://pagure.io/freeipa/issue/9482
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 14fba26..8aae9fa 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -629,9 +629,15 @@ class TestIpaHealthCheck(IntegrationTest):
ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained
from host's keytab.
"""
- msg = (
- "Minor (2529639107): No credentials cache found"
- )
+ version = tasks.get_healthcheck_version(self.master)
+ if parse_version(version) >= parse_version("0.15"):
+ msg = (
+ "Service {service} keytab {path} does not exist."
+ )
+ else:
+ msg = (
+ "Minor (2529639107): No credentials cache found"
+ )
with tasks.FileBackup(self.master, paths.KRB5_KEYTAB):
self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB])

View File

@ -1,48 +0,0 @@
From 411107e1d1fa64b15978b7c69522613fbf3aa827 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 29 Sep 2023 10:31:00 +0200
Subject: [PATCH] ipatests: fix expected output for
ipahealthcheck.meta.services
ipa-healthcheck commit 31be12b introduced a change in the output
message when pki-tomcatd is not running.
With versions <= 0.12, the service name is displayed as
pki_tomcatd (with an underscore), but with 0.13+ it is
pki-tomcatd (with a dash).
Fixes: https://pagure.io/freeipa/issue/9460
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 35fcfe10508589ded021207a4eba4fb0143495b4..5d79f2b529e819a291228776c4cc278463f02e59 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -454,6 +454,11 @@ class TestIpaHealthCheck(IntegrationTest):
assert data[0]["result"] == "SUCCESS"
assert data[0]["kw"]["status"] is True
+ version = tasks.get_healthcheck_version(self.master)
+ # With healthcheck newer versions, the error msg for PKI tomcat
+ # contains the string pki-tomcatd instead of pki_tomcatd
+ always_replace = parse_version(version) >= parse_version("0.13")
+
for service in svc_list:
restart_service(self.master, service)
returncode, data = run_healthcheck(
@@ -466,7 +471,7 @@ class TestIpaHealthCheck(IntegrationTest):
for check in data:
if check["check"] != service:
continue
- if service != 'pki_tomcatd':
+ if service != 'pki_tomcatd' or always_replace:
service = service.replace('_', '-')
assert check["result"] == "ERROR"
assert check["kw"]["msg"] == "%s: not running" % service
--
2.41.0

View File

@ -1,8 +1,8 @@
From d09acb5869c5d0faa35b8784c1fea1c1be3f014f Mon Sep 17 00:00:00 2001
From dcb9d6edc7ae4278cd552e87f644705faa13d558 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Jan 2024 20:53:39 +0200
Subject: [PATCH] kdb: PAC generator: do not fail if canonical principal is
missing
Date: Jan 31 2024 08:31:13 +0000
Subject: kdb: PAC generator: do not fail if canonical principal is missing
krbCanonicalName is mandatory for services but IPA services created
before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
@ -16,12 +16,11 @@ Fixes: https://pagure.io/freeipa/issue/9465
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 2866304e1e374fb6a8dc3400dd1f56583d9d9197..16374a59468975ebaea5ce18ac6445ec577e5e6a 100644
index 9e1431c..8035036 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
@ -43,6 +42,4 @@ index 2866304e1e374fb6a8dc3400dd1f56583d9d9197..16374a59468975ebaea5ce18ac6445ec
}
ret = krb5_parse_name(ipactx->kcontext, strres, &princ);
--
2.43.0

View File

@ -1,7 +1,8 @@
From 34b58d8ee93ab385c1f3ba1166377fc1008a9c17 Mon Sep 17 00:00:00 2001
From bac601b7f35827236a106f7137f378e4888260da Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 24 Jan 2024 15:50:17 +0100
Subject: [PATCH] ipa-kdb: Fix memory leak during PAC verification
Date: Jan 30 2024 15:17:44 +0000
Subject: ipa-kdb: Fix memory leak during PAC verification
Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak
during the copy of some PAC buffers, because of an unfreed memory
@ -11,12 +12,11 @@ Fixes: https://pagure.io/freeipa/issue/9520
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f56583d9d9197 100644
index a18beff..9e1431c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
@ -40,7 +40,7 @@ index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f5658
for (i = 0; i < num_buffers; i++) {
if (types[i] == KRB5_PAC_SERVER_CHECKSUM ||
types[i] == KRB5_PAC_PRIVSVR_CHECKSUM ||
@@ -2398,32 +2405,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
@@ -2395,32 +2402,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
DATA_BLOB pac_attrs_data;
krb5_boolean pac_requested;
@ -77,7 +77,7 @@ index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f5658
continue;
}
@@ -2470,6 +2466,8 @@ done:
@@ -2467,6 +2463,8 @@ done:
if (kerr != 0 && (new_pac != *pac)) {
krb5_pac_free(context, new_pac);
}
@ -86,6 +86,4 @@ index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f5658
krb5_free_data_contents(context, &pac_blob);
free(types);
return kerr;
--
2.43.0

View File

@ -1,7 +1,8 @@
From 33638de180a8157e369ad6c61f9e3406d9e85404 Mon Sep 17 00:00:00 2001
From 381af470779ea87335f57038dcbe72cd042ae6bb Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Tue, 23 Jan 2024 19:12:53 +0300
Subject: [PATCH] ipapython: Clean up krb5_error
Date: Jan 30 2024 15:11:05 +0000
Subject: ipapython: Clean up krb5_error
`krb5_error` has different definition in MIT krb.
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html
@ -30,12 +31,11 @@ To prevent confusion of types `krb5_error` was replaced with
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipapython/session_storage.py | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index c43ef7d4e8ef5931f6d74d360be131fe46159dc7..371cf152472d54c9a59b60bece9559323ede78b7 100644
index c43ef7d..371cf15 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,7 +111,7 @@ class KRB5Error(Exception):
@ -139,6 +139,100 @@ index c43ef7d4e8ef5931f6d74d360be131fe46159dc7..371cf152472d54c9a59b60bece955932
krb5_unparse_name.errcheck = krb5_errcheck
krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name
--
2.43.0
From 2a4bad8bb3295c5c0f5a760ecd41871c4c5a0c56 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Jan 30 2024 15:11:05 +0000
Subject: ipapython: Correct return type of krb5_free_cred_contents
According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
>
> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
> param:
> [in] context - Library context
>
> [in] val - Credential structure to free contents of
>
> This function frees the contents of val , but not the structure itself.
https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
This leads to undefined behavior and `krb5_free_cred_contents` can
raise KRB5Error (because of garbage data) while actually its foreign
function doesn't.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 371cf15..dc36f54 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck
krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))
-krb5_free_cred_contents.restype = krb5_error
-krb5_free_cred_contents.errcheck = krb5_errcheck
+krb5_free_cred_contents.restype = None
krb5_principal_compare = LIBKRB5.krb5_principal_compare
krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
From beb402afdbf32c01eed860e9416356f7b492ad74 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Jan 30 2024 15:11:05 +0000
Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache
`ipapython.session_storage.get_data` iterates over
credentials in a credential cache till `krb5_cc_next_cred` returns
an error. This function doesn't expect any error on calling
other kerberos foreign functions during iteration. But that can
actually happen and KRB5Error exceptions stop an iteration while
they should be propagated.
With this change iteration will exactly stop on `krb5_cc_next_cred`
error as it was supposed to be.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index dc36f54..e890dc9 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -312,8 +312,12 @@ def get_data(princ_name, key):
checkcreds = krb5_creds()
# the next function will throw an error and break out of the
# while loop when we try to access past the last cred
- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
- ctypes.byref(checkcreds))
+ try:
+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
+ ctypes.byref(checkcreds))
+ except KRB5Error:
+ break
+
if (krb5_principal_compare(context, principal,
checkcreds.client) == 1 and
krb5_principal_compare(context, srv_princ,
@@ -328,8 +332,6 @@ def get_data(princ_name, key):
else:
krb5_free_cred_contents(context,
ctypes.byref(checkcreds))
- except KRB5Error:
- pass
finally:
krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))

View File

@ -1,45 +0,0 @@
From faf8be455a6ab4f5b1bed00a611e655535ed31e7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 14 Nov 2023 13:21:30 -0500
Subject: [PATCH] ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.
Fixes: https://pagure.io/freeipa/issue/9482
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 278f75abdd772a59178a61e2ab63e3178fef2518..785e9abbae3b807f100a3d875e0c0b23f868be83 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -635,9 +635,15 @@ class TestIpaHealthCheck(IntegrationTest):
ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained
from host's keytab.
"""
- msg = (
- "Minor (2529639107): No credentials cache found"
- )
+ version = tasks.get_healthcheck_version(self.master)
+ if parse_version(version) >= parse_version("0.15"):
+ msg = (
+ "Service {service} keytab {path} does not exist."
+ )
+ else:
+ msg = (
+ "Minor (2529639107): No credentials cache found"
+ )
with tasks.FileBackup(self.master, paths.KRB5_KEYTAB):
self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB])
--
2.41.0

View File

@ -1,4 +1,4 @@
From 37dfe80132d665b1fced67540457362c3ee00a7b Mon Sep 17 00:00:00 2001
From b56a80581ef388e19d5761020454e51463036cd6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Jan 2024 14:47:50 +0200
Subject: [PATCH] sidgen: ignore staged users when generating SIDs
@ -29,7 +29,7 @@ Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2 files changed, 14 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
index 0feff7eec9999a76bf950b8b9fc9fa25b3a2fa88..bd46982d06b3272874f256a8b0c2293fa4829f5b 100644
index 0feff7eec..bd46982d0 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
@@ -45,6 +45,8 @@
@ -42,7 +42,7 @@ index 0feff7eec9999a76bf950b8b9fc9fa25b3a2fa88..bd46982d06b3272874f256a8b0c2293f
#define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange"
#define POSIX_ACCOUNT "posixaccount"
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
index 6f784804cd39acdf88ceceb0e21b272a04fa13fc..cb763ebf8c733e50483c23856a248eb536c796f1 100644
index 6f784804c..cb763ebf8 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
@ -81,3 +81,29 @@ index 6f784804cd39acdf88ceceb0e21b272a04fa13fc..cb763ebf8c733e50483c23856a248eb5
--
2.43.0
From 07150b71537744f491d022c737ef04775c72a10a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Jan 2024 14:53:39 +0200
Subject: [PATCH] sidgen: fix missing prototypes
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
index bd46982d0..aec862796 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
const char *base_dn,
const char *dom_sid,
struct range_info **ranges);
+
+int sidgen_task_init(Slapi_PBlock *pb);
+int ipa_sidgen_init(Slapi_PBlock *pb);
--
2.43.0

View File

@ -1,38 +0,0 @@
From bc69177ef80d1873026ad91a6e449b9cf20028b9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Oct 2023 12:47:03 +0200
Subject: [PATCH] group-add-member fails with an external member
The command ipa group-add-member --external aduser@addomain.test
fails with an internal error when used with samba 4.19.
The command internally calls samba.security.dom_sid(sid) which
used to raise a TypeError but now raises a ValueError
(commit 9abdd67 on https://github.com/samba-team/samba).
IPA source code needs to handle properly both exception types.
Fixes: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/dcerpc.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 741f0608f93449f5a3959a47734f965ab484a1e5..7e585c87639db093222fe2cebca5c9094a22d7ce 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -303,7 +303,7 @@ class DomainValidator:
# Parse sid string to see if it is really in a SID format
try:
test_sid = security.dom_sid(sid)
- except TypeError:
+ except (TypeError, ValueError):
raise errors.ValidationError(name='sid',
error=_('SID is not valid'))
--
2.43.0

View File

@ -1,41 +0,0 @@
From c6623f9ce4e1bde729ed6f729da5981c9f26c728 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 20 Oct 2023 10:20:57 +0200
Subject: [PATCH] Handle samba changes in samba.security.dom_sid()
samba.security.dom_sid() in 4.19 now raises ValueError instead of
TypeError. Fix the expected exception.
Related: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/dcerpc.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 7e585c87639db093222fe2cebca5c9094a22d7ce..675572c036e4ea5434d2c6808dd301b425229b38 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -97,7 +97,7 @@ logger = logging.getLogger(__name__)
def is_sid_valid(sid):
try:
security.dom_sid(sid)
- except TypeError:
+ except (TypeError, ValueError):
return False
else:
return True
@@ -457,7 +457,7 @@ class DomainValidator:
try:
test_sid = security.dom_sid(sid)
return unicode(test_sid)
- except TypeError:
+ except (TypeError, ValueError):
raise errors.ValidationError(name=_('trusted domain object'),
error=_('Trusted domain did not '
'return a valid SID for '
--
2.43.0

View File

@ -0,0 +1,310 @@
From 67ca47ba4092811029eec02f8af9c34ba7662924 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 9 Oct 2023 15:47:03 +0200
Subject: [PATCH] ipa-kdb: Ensure Bronze-Bit check can be enabled
MIT krb5 1.19 and older do not implement support for PAC ticket
signature to protect the encrypted part of tickets. This is the cause of
the Bronze-Bit vulnerability (CVE-2020-17043). The Bronze-Bit attack
detection mechanism introduced in a847e248 relies on the content of the
PAC.
However, since CVE-2022-37967, the content of the PAC can no longer be
trusted if the KDC does not support PAC extended KDC signature (aka.
PAC full checksum). This signature is supported in MIT krb5 since
version 1.21.
Support for the PAC extended KDC signature was backported downstream to
krb5 1.18.2 for CentOS 8 Stream (dist-git commit 7d215a54). This makes
the content of the PAC still trustworthy there.
This commit disables the Bronze-Bit attack detection mechanism at build
time in case krb5 does not provide the krb5_pac_full_sign_compat()
function.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.h | 4 ++++
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 +++++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 02b2cb631..c6926f7d5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -367,6 +367,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
const char *test_realm, size_t size,
char **trusted_realm);
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
/* Try to detect a Bronze-Bit attack based on the content of the request and
* data from the KDB.
*
@@ -379,6 +381,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
bool *detected, const char **status);
+# endif
+#endif
/* DELEGATION CHECKS */
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 1032dff0b..ee0546c01 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -185,11 +185,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
const char **status, krb5_deltat *lifetime_out,
krb5_deltat *renew_lifetime_out)
{
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code kerr;
kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
if (kerr)
return KRB5KDC_ERR_POLICY;
+# else
+# warning Support for Kerberos PAC extended KDC signature is missing.\
+ This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049).
+# endif
+#endif
*status = NULL;
*lifetime_out = 0;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index b4e22d431..05d5b407d 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3299,6 +3299,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
return KRB5_KDB_NOENTRY;
}
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
bool *detected, const char **status)
@@ -3471,3 +3473,5 @@ end:
ipadb_free_principal(context, proxy_entry);
return kerr;
}
+# endif
+#endif
--
2.43.0
From 27b96c17dd51d076e04d97662b7c788658a5094a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Jan 26 2024 09:35:57 +0000
Subject: ipa-kdb: Disable Bronze-Bit check if PAC not available
The Bronze-Bit check introduced in commit
a847e2483b4c4832ee5129901da169f4eb0d1392 requires the MS-PAC to be
present in the evidence ticket in order for S4U2Proxy requests to be
accepted. This actually requires SIDs to be set.
However, domains that were initialized before commit
e527857d000e558b3288a7a210400abaf2171237 may still not have SIDs
configured. This would results in all S4U2Proxy requests to fail
(including all the HTTP API requests).
This present commit disables the check for the Bronze-Bit exploit
(CVE-2020-17049) in case the domain is not able to generate PACs.
Instead, it prints a warning message in the KDC logs each time a
S4U2Proxy request is processed.
Fixes: https://pagure.io/freeipa/issue/9521
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index c6926f7..621c235 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -370,17 +370,21 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
/* Try to detect a Bronze-Bit attack based on the content of the request and
- * data from the KDB.
+ * data from the KDB. This check will work only if the domain supports MS-PAC.
*
* context krb5 context
* request KDB request
- * detected Set to "true" if a bronze bit attack is detected and the
- * pointer is not NULL. Remains unset otherwise.
+ * supported If not NULL, set to "false" in case the Bronze-Bit exploit
+ * detection process silently failed to complete because the
+ * domain does not meet requirements. Set to "true" otherwise.
+ * detected If not NULL, set to "true" if a Bronze-Bit attack is detected.
+ * Set to "false" otherwise.
* status If the call fails and the pointer is not NULL, set it with a
* message describing the cause of the failure. */
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- bool *detected, const char **status);
+ bool *supported, bool *detected,
+ const char **status);
# endif
#endif
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index ee0546c..713e9a0 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -188,10 +188,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code kerr;
+ bool supported;
- kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
+ kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
+ status);
if (kerr)
return KRB5KDC_ERR_POLICY;
+
+ if (!supported)
+ krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes "
+ "FreeIPA vulnerable to the Bronze-Bit exploit "
+ "(CVE-2020-17049). Please generate SIDs to enable "
+ "PAC support.");
# else
# warning Support for Kerberos PAC extended KDC signature is missing.\
This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049).
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 05d5b40..a18beff 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3303,11 +3303,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code
ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- bool *detected, const char **status)
+ bool *supported, bool *detected,
+ const char **status)
{
krb5_error_code kerr;
const char *st = NULL;
size_t i, j;
+ bool in_supported = true, in_detected = false;
+ struct ipadb_context *ipactx;
krb5_ticket *evidence_tkt;
krb5_authdata **authdata, **ifrel = NULL;
krb5_pac pac = NULL;
@@ -3327,6 +3330,21 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
goto end;
}
+ ipactx = ipadb_get_context(context);
+ if (!ipactx) {
+ kerr = KRB5_KDB_DBNOTINITED;
+ goto end;
+ }
+
+ /* Handle the case where the domain is not able to generate PACs (probably
+ * because SIDs are not set). In this case, we just skip the Bronze-Bit
+ * check. */
+ if (!ipactx->mspac) {
+ in_supported = false;
+ kerr = 0;
+ goto end;
+ }
+
evidence_tkt = request->second_ticket[0];
/* No need to check the Forwardable flag. If it was not set, this request
@@ -3451,8 +3469,7 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
/* This evidence ticket cannot be forwardable given the privileges
* of the proxy principal.
* This is a Bronze Bit attack. */
- if (detected)
- *detected = true;
+ in_detected = true;
st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
kerr = EBADE;
goto end;
@@ -3464,6 +3481,10 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
end:
if (st && status)
*status = st;
+ if (supported)
+ *supported = in_supported;
+ if (detected)
+ *detected = in_detected;
krb5_free_authdata(context, ifrel);
krb5_pac_free(context, pac);
From 81aa6ef695838a4b2fb5a53e773ea379a492913d Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 9 Feb 2024 16:36:03 +0100
Subject: [PATCH] ipd-kdb: Fix some mistakes in
ipadb_check_for_bronze_bit_attack()
Fixes: https://pagure.io/freeipa/issue/9521
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
daemons/ipa-kdb/ipa_kdb.h | 3 ++-
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 2 +-
daemons/ipa-kdb/ipa_kdb_mspac.c | 5 +++--
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 621c23591..5de5ea7a5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -382,7 +382,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
* status If the call fails and the pointer is not NULL, set it with a
* message describing the cause of the failure. */
krb5_error_code
-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ipadb_check_for_bronze_bit_attack(krb5_context context,
+ const krb5_kdc_req *request,
bool *supported, bool *detected,
const char **status);
# endif
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 713e9a0c8..44959f3de 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -190,7 +190,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
krb5_error_code kerr;
bool supported;
- kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
+ kerr = ipadb_check_for_bronze_bit_attack(context, request, &supported, NULL,
status);
if (kerr)
return KRB5KDC_ERR_POLICY;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 80350364a..886ed7785 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3308,13 +3308,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
krb5_error_code
-ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
+ipadb_check_for_bronze_bit_attack(krb5_context context,
+ const krb5_kdc_req *request,
bool *supported, bool *detected,
const char **status)
{
krb5_error_code kerr;
const char *st = NULL;
- size_t i, j;
+ size_t i, j = 0;
bool in_supported = true, in_detected = false;
struct ipadb_context *ipactx;
krb5_ticket *evidence_tkt;
--
2.43.0

View File

@ -0,0 +1,272 @@
From 00f8ddbfd2795228b343e1c39c1944b44d482c18 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:46:19 +0200
Subject: [PATCH 1/4] ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.
Add detection of special principals to avoid these situations and always
allow password or hardened for services.
Special handling is needed for the following principals:
- krbtgt/.. -- TGT service principals
- K/M -- master key principal
- kadmin/changepw -- service for changing passwords
- kadmin/kadmin -- kadmin service principal
- kadmin/history -- key used to encrypt history
Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++-----
1 file changed, 54 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 06d511c76..dbb98dba6 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -26,6 +26,7 @@
#include "ipa_kdb.h"
#include "ipa_krb5.h"
#include "ipa_hostname.h"
+#include <kadm5/admin.h>
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
@@ -207,6 +208,19 @@ static const struct {
{ "idp", IPADB_USER_AUTH_IDP },
{ "passkey", IPADB_USER_AUTH_PASSKEY },
{ }
+},
+ objclass_table[] = {
+ { "ipaservice", IPADB_USER_AUTH_PASSWORD },
+ { "ipahost", IPADB_USER_AUTH_PASSWORD },
+ { }
+},
+ princname_table[] = {
+ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD },
+ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD },
+ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD },
+ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD },
+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD },
+ { }
};
void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
*userauth = IPADB_USER_AUTH_NONE;
vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
- if (!vals)
- return;
-
- for (i = 0; vals[i]; i++) {
- for (j = 0; userauth_table[j].name; j++) {
- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
- *userauth |= userauth_table[j].flag;
- break;
+ if (!vals) {
+ /* if there is no explicit ipaUserAuthType set, use objectclass */
+ vals = ldap_get_values_len(lcontext, le, "objectclass");
+ if (!vals)
+ return;
+
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; objclass_table[j].name; j++) {
+ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) {
+ *userauth |= objclass_table[j].flag;
+ break;
+ }
+ }
+ }
+ } else {
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; userauth_table[j].name; j++) {
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
+ *userauth |= userauth_table[j].flag;
+ break;
+ }
}
}
}
+
+ /* If neither ipaUserAuthType nor objectClass were definitive,
+ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */
+ if (*userauth == IPADB_USER_AUTH_NONE) {
+ ldap_value_free_len(vals);
+ vals = ldap_get_values_len(lcontext, le, "krbprincipalname");
+ if (!vals)
+ return;
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; princname_table[j].name; j++) {
+ if (strncmp(vals[i]->bv_val, princname_table[j].name,
+ strlen(princname_table[j].name)) == 0) {
+ *userauth |= princname_table[j].flag;
+ break;
+ }
+ }
+ }
+
+ }
/* If password auth is enabled, enable hardened policy too. */
if (*userauth & IPADB_USER_AUTH_PASSWORD) {
*userauth |= IPADB_USER_AUTH_HARDENED;
--
2.43.0
From 69ae9febfb4462766b3bfe3e07e76550ece97b42 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:54:04 +0200
Subject: [PATCH 2/4] ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched indepedently of the user authentication types via certmap
plugin in KDC.
Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 436ee0e62..2802221c7 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
- if (!(ua & IPADB_USER_AUTH_PKINIT)) {
- *status = "PKINIT pre-authentication not allowed for this user.";
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
- }
+ /* allow PKINIT unconditionally -- it has passed already at this
+ * point so some certificate was useful, only apply the limits */
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
--
2.43.0
From 62c44c9e69aa2721990ca3628434713e1af6f59b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 12:20:55 +0200
Subject: [PATCH 3/4] ipa-kdb: clarify user auth table mapping use of
_AUTH_PASSWORD
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index dbb98dba6..4e6cacf24 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -195,6 +195,9 @@ done:
return base;
}
+/* In this table all _AUTH_PASSWORD entries will be
+ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth()
+ * which means there is no need to explicitly add it here */
static const struct {
const char *name;
enum ipadb_user_auth flag;
--
2.43.0
From c3bc938650b19a51706d8ccd98cdf8deaa26dc28 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 13:00:48 +0200
Subject: [PATCH 4/4] ipatests: make sure PKINIT enrollment works with a strict
policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.
We set admin user authentication type to PASSWORD to simplify
configuration in the test.
What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
.../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py
index caa0e6a34..5c2e7af02 100644
--- a/ipatests/test_integration/test_pkinit_install.py
+++ b/ipatests/test_integration/test_pkinit_install.py
@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
def install(cls, mh):
tasks.install_master(cls.master)
+ def enforce_password_and_otp(self):
+ """enforce otp by default and password for admin """
+ self.master.run_command(
+ [
+ "ipa",
+ "config-mod",
+ "--user-auth-type=otp",
+ ]
+ )
+ self.master.run_command(
+ [
+ "ipa",
+ "user-mod",
+ "admin",
+ "--user-auth-type=password",
+ ]
+ )
+
def add_certmaperule(self):
"""add certmap rule to map SAN dNSName to host entry"""
self.master.run_command(
@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
client.put_file_contents(self.tmpbundle, cabundle)
+ def test_restart_krb5kdc(self):
+ tasks.kinit_admin(self.master)
+ self.enforce_password_and_otp()
+ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
+ self.master.run_command(['systemctl', 'start', 'kadmin.service'])
+
def test_client_install_pkinit(self):
tasks.kinit_admin(self.master)
self.add_certmaperule()
--
2.43.0

View File

@ -1,43 +0,0 @@
From c7f999599efe9f3f237f8ad3b7c739714051e3e9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 7 Dec 2023 08:35:45 +0100
Subject: [PATCH] test_install: restart services after date change
The test TestKRAinstallAfterCertRenew is moving the
date in the future in order to reach the grace period where
certmonger detects some certificates need to be renewed.
Restart the services after the date change.
Fixes: https://pagure.io/freeipa/issue/9405
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_installation.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index bf4163abc0f138ed42c639eee3e95df52da43a71..02fa5bc56d63421c28a5dd1fa02f9f75d305e7bf 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1569,6 +1569,8 @@ class TestKRAinstallAfterCertRenew(IntegrationTest):
grace_date = cert_expiry - timedelta(days=10)
grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
self.master.run_command(['date', '-s', grace_date])
+ # restart service after date change
+ self.master.run_command(['ipactl', 'restart'])
# get the count of certs track by certmonger
cmd = self.master.run_command(['getcert', 'list'])
@@ -1591,6 +1593,8 @@ class TestKRAinstallAfterCertRenew(IntegrationTest):
cert_expiry = cert_expiry + timedelta(days=3)
cert_expiry = datetime.strftime(cert_expiry, "%Y-%m-%d %H:%M:%S")
self.master.run_command(['date', '-s', cert_expiry])
+ # restart service after date change
+ self.master.run_command(['ipactl', 'restart'])
passwd = "{passwd}\n{passwd}\n{passwd}".format(passwd=admin_pass)
self.master.run_command(['kinit', 'admin'], stdin_text=passwd)
--
2.43.0

View File

@ -1,40 +0,0 @@
From eabdbbc00613963deffe42ea17dfb0a690c62e3f Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:34:44 -0500
Subject: [PATCH] Issue 9497 - Add new password policy logging function
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/common/util.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/common/util.h b/daemons/ipa-slapi-plugins/common/util.h
index 1eaf47facb717fe6a95d89fe02311205eabc3e96..db7cf7181ceaf710a5a082c4e80eb66567180be5 100644
--- a/daemons/ipa-slapi-plugins/common/util.h
+++ b/daemons/ipa-slapi-plugins/common/util.h
@@ -30,7 +30,7 @@
* Program may make changes or additions to the list of Approved
* Interfaces.
*
- * Copyright (C) 2010 Red Hat, Inc.
+ * Copyright (C) 2010-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -67,6 +67,10 @@
"[file %s, line %d]: " fmt, \
__FILE__, __LINE__, ##__VA_ARGS__)
+#define LOG_PWDPOLICY(fmt, ...) \
+ slapi_log_error(SLAPI_LOG_PWDPOLICY, log_func, fmt, ##__VA_ARGS__)
+
+/* "Trace" logging is very expensive and should be avoided/replaced. TBD */
#define LOG_TRACE(fmt, ...) \
slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__)
--
2.43.0

View File

@ -1,7 +1,7 @@
From 9e950f89bedeb83267369d60b4a83c77f89e71d6 Mon Sep 17 00:00:00 2001
From 48846e98e5e988d600ddf81c937f353fcecdea1a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 27 Nov 2023 16:11:08 -0500
Subject: [PATCH] hbactest was not collecting or returning messages
Subject: [PATCH 1/2] hbactest was not collecting or returning messages
hbactest does a number of internal searches, one of which
can exceed the configured sizelimit: hbacrule-find
@ -19,7 +19,7 @@ Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py
index 1b54530b236cf654bc8ece7ab4e329850f5a6815..e0f93b9c265a176cb872fcf2728dbb3a66a264d9 100644
index 1b54530b2..e0f93b9c2 100644
--- a/ipaclient/plugins/hbactest.py
+++ b/ipaclient/plugins/hbactest.py
@@ -38,6 +38,8 @@ class hbactest(CommandOverride):
@ -32,7 +32,7 @@ index 1b54530b236cf654bc8ece7ab4e329850f5a6815..e0f93b9c265a176cb872fcf2728dbb3a
if o == 'value':
continue
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 887a35b7e67b257a2e54d51990af953ff8fbb316..568c13174ba617f2742b8f42c11b36dbde549cc2 100644
index 887a35b7e..568c13174 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int
@ -80,3 +80,60 @@ index 887a35b7e67b257a2e54d51990af953ff8fbb316..568c13174ba617f2742b8f42c11b36db
--
2.43.0
From d1e09c68af8ac77f656dd639af5d9a7f07c41f9d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 28 Nov 2023 13:35:13 -0500
Subject: [PATCH 2/2] ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.
Fixes: https://pagure.io/freeipa/issue/9486
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_xmlrpc/test_hbactest_plugin.py | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_xmlrpc/test_hbactest_plugin.py b/ipatests/test_xmlrpc/test_hbactest_plugin.py
index 73c4ce232..e2e66c759 100644
--- a/ipatests/test_xmlrpc/test_hbactest_plugin.py
+++ b/ipatests/test_xmlrpc/test_hbactest_plugin.py
@@ -134,6 +134,7 @@ class test_hbactest(XMLRPC_test):
assert ret['value']
assert ret['error'] is None
assert ret['matched'] is None
+ assert 'messages' not in ret
assert ret['notmatched'] is None
def test_c_hbactest_check_rules_enabled_detail(self):
@@ -200,7 +201,23 @@ class test_hbactest(XMLRPC_test):
nodetail=True
)
- def test_g_hbactest_clear_testing_data(self):
+ def test_g_hbactest_searchlimit_message(self):
+ """
+ Test running 'ipa hbactest' with limited --sizelimit
+
+ We know there are at least 6 rules, 4 created here + 2 default.
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ targethost=self.test_host,
+ service=self.test_service,
+ nodetail=True,
+ sizelimit=2,
+ )
+
+ assert ret['messages'] is not None
+
+ def test_h_hbactest_clear_testing_data(self):
"""
Clear data for HBAC test plugin testing.
"""
--
2.43.0

View File

@ -1,68 +0,0 @@
From 7e31f111c83bed966157b0660e9640e18450b1a2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:36:49 -0500
Subject: [PATCH] Issue 9497 - Update logging in ipa_enrollment
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-enrollment/ipa_enrollment.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 26cbb69d713767909fd62fb77e7defdd323ec7ac..b72ad5ef1c81997d89b2f94528da516b5df3d285 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -30,7 +30,7 @@
* Program may make changes or additions to the list of Approved
* Interfaces.
*
- * Copyright (C) 2005 Red Hat, Inc.
+ * Copyright (C) 2005-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -132,7 +132,8 @@ ipa_join(Slapi_PBlock *pb)
Slapi_DN *sdn;
Slapi_Backend *be;
Slapi_Entry **es = NULL;
- int rc=0, ret=0, res, i;
+ int rc=0, ret=0, res;
+ size_t i;
int is_root=0;
char *krbLastPwdChange = NULL;
char *fqdn = NULL;
@@ -204,7 +205,7 @@ ipa_join(Slapi_PBlock *pb)
/* if there is none or more than one, freak out */
if (i != 1) {
- LOG_TRACE("Too many entries, or entry no found (%d)", i);
+ LOG_TRACE("Too many entries, or entry no found (%lu)\n", i);
if (i == 0)
errMesg = "Host not found.\n";
else
@@ -217,7 +218,7 @@ ipa_join(Slapi_PBlock *pb)
/* Is this host already enrolled? */
krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
if (NULL != krbLastPwdChange) {
- LOG_TRACE("Host already enrolled");
+ LOG_TRACE("Host already enrolled\n");
errMesg = "Host already enrolled.\n";
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
@@ -313,8 +314,8 @@ done:
ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, JOIN_OID);
if (!ret) ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, &retbval);
if (ret) {
- errMesg = "Could not set return values";
- LOG("%s\n", errMesg);
+ errMesg = "Could not set return values\n";
+ LOG("%s", errMesg);
rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
}
--
2.43.0

View File

@ -1,4 +1,4 @@
From 3b2f3d41e4de0bcb78bfaecb32e06cbd22b809c2 Mon Sep 17 00:00:00 2001
From 16a739e0260f97705827f972d53c828809dbfdb2 Mon Sep 17 00:00:00 2001
From: Masahiro Matsuya <mmatsuya@redhat.com>
Date: Tue, 9 Jan 2024 23:12:11 +0900
Subject: [PATCH] ipatests: wait for replica update in test_dns_locations
@ -9,12 +9,13 @@ It can be resolved by waiting for the update with wait_for_replication.
Fixes: https://pagure.io/freeipa/issue/9504
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
(cherry picked from commit 905a55a4ef926068630ebd2ab375f58c24dedcd1)
---
ipatests/test_integration/test_dns_locations.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_integration/test_dns_locations.py b/ipatests/test_integration/test_dns_locations.py
index 44900af8015ff62728f64bc626eedfcead41e214..89a310892954cbee88d1cf38683e80a2e47122ef 100644
index 44900af80..89a310892 100644
--- a/ipatests/test_integration/test_dns_locations.py
+++ b/ipatests/test_integration/test_dns_locations.py
@@ -534,6 +534,9 @@ class TestDNSLocations(IntegrationTest):

View File

@ -1,47 +0,0 @@
From e4aebc121c9242390da86fe6bda3e8c28edfb746 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:37:41 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa_graceperiod
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 345e1dee7d163167373ca82dedb1e827f0e1bc8c..7a2d4f2aaea677d1fb3553fe49e6aa17c3e7a38c 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -30,7 +30,7 @@
* Program may make changes or additions to the list of Approved
* Interfaces.
*
- * Copyright (C) 2022 Red Hat, Inc.
+ * Copyright (C) 2022-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -447,7 +447,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
LOG_TRACE("grace limit disabled, skipping\n");
goto done;
} else if (grace_limit < -1) {
- LOG_FATAL("Invalid passwordGraceLimit value %d\n", grace_limit);
+ LOG_FATAL("Invalid passwordGraceLimit value %ld\n", grace_limit);
return LDAP_OPERATIONS_ERROR;
}
@@ -480,7 +480,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
}
} else if (grace_user_time >= grace_limit) {
- LOG_TRACE("%s password is expired and out of grace limit\n", dn);
+ LOG_PWDPOLICY("%s password is expired and out of grace limit\n", dn);
errstr = "Password is expired.\n";
ret = LDAP_INVALID_CREDENTIALS;
--
2.43.0

View File

@ -1,4 +1,4 @@
From febfd9c64d748a435a9d0756d4710898a0e2aa49 Mon Sep 17 00:00:00 2001
From c3ac69e9cf8dfcc31ed11fc988c37bd99d3ec3cf Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 14 Feb 2024 17:47:00 +0100
Subject: [PATCH] ipa-kdb: Rework ipadb_reinit_mspac()
@ -16,21 +16,22 @@ Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
(cherry picked from commit 7f072e348d318e928f6270a182ca04dee8716677)
---
daemons/ipa-kdb/ipa_kdb.c | 14 +-
daemons/ipa-kdb/ipa_kdb.h | 4 +-
daemons/ipa-kdb/ipa_kdb_mspac.c | 342 +++++++++++++-----------
daemons/ipa-kdb/ipa_kdb_mspac.c | 340 +++++++++++++-----------
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 2 +-
daemons/ipa-kdb/ipa_kdb_mspac_v6.c | 5 +-
daemons/ipa-kdb/ipa_kdb_mspac_v9.c | 16 +-
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +-
7 files changed, 219 insertions(+), 170 deletions(-)
7 files changed, 218 insertions(+), 169 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 4e6cacf24e27b05538db2c95ab85400bb83e3d58..903e19e83bbe383b878a3b9261dd501f96058d51 100644
index 0c6325df9..fcadb8ee7 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -449,6 +449,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
@@ -443,6 +443,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
struct timeval tv = { 5, 0 };
LDAPMessage *res = NULL;
LDAPMessage *first;
@ -38,7 +39,7 @@ index 4e6cacf24e27b05538db2c95ab85400bb83e3d58..903e19e83bbe383b878a3b9261dd501f
int ret;
int v3;
@@ -528,16 +529,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
@@ -522,16 +523,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
}
/* get adtrust options using default refresh interval */
@ -59,10 +60,10 @@ index 4e6cacf24e27b05538db2c95ab85400bb83e3d58..903e19e83bbe383b878a3b9261dd501f
ret = 0;
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 59484d8bb69236a4ef59aeefdf9658a71c8cd520..8459ab8e0bb76c8da5c18101b0521bea86e8aecc 100644
index 5de5ea7a5..7baf4697f 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -371,7 +371,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
@@ -352,7 +352,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
krb5_data ***auth_indicators);
#endif
@ -74,7 +75,7 @@ index 59484d8bb69236a4ef59aeefdf9658a71c8cd520..8459ab8e0bb76c8da5c18101b0521bea
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023784f6337 100644
index 886ed7785..deed513b9 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -793,16 +793,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
@ -247,7 +248,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
&client_sid, false);
if (result) {
@@ -2634,7 +2637,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx)
@@ -2631,7 +2634,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx)
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
{
@ -256,7 +257,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
if (!*mspac) return;
@@ -2789,7 +2792,8 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
@@ -2786,7 +2789,8 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
LDAPDN dn = NULL;
char **sid_blocklist_incoming = NULL;
char **sid_blocklist_outgoing = NULL;
@ -266,7 +267,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base);
if (ret == -1) {
@@ -2874,7 +2878,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
@@ -2871,7 +2875,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
t[n].upn_suffixes_len = NULL;
if (t[n].upn_suffixes != NULL) {
@ -275,7 +276,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
for (; t[n].upn_suffixes[len] != NULL; len++);
@@ -2989,108 +2993,114 @@ done:
@@ -2986,108 +2990,114 @@ done:
return ret;
}
@ -335,8 +336,16 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
+ /* SKIP */
+ err = 0;
+ goto end;
+ }
+
}
- }
-
- /* clean up in case we had old values around */
- ipadb_mspac_struct_free(&ipactx->mspac);
- ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac));
- if (!ipactx->mspac) {
- kerr = ENOMEM;
- goto done;
+ if (ipactx->mspac->num_trusts == 0) {
+ /* Check if there is any trust configured. If not, just return
+ * and do not re-initialize the MS-PAC structure. */
@ -350,18 +359,9 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
+ }
+ goto end;
+ }
}
+ }
}
- /* clean up in case we had old values around */
- ipadb_mspac_struct_free(&ipactx->mspac);
-
- ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac));
- if (!ipactx->mspac) {
- kerr = ENOMEM;
- goto done;
- }
-
- ipactx->mspac->last_update = now;
-
- kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
@ -459,7 +459,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
}
/* result and lentry not valid any more from here on */
@@ -3098,53 +3108,81 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein
@@ -3095,53 +3105,81 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein
result = NULL;
lentry = NULL;
@ -582,7 +582,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
}
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
@@ -3154,11 +3192,11 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
@@ -3151,11 +3189,11 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
{
struct ipadb_context *ipactx;
bool has_transited_contents, has_client_realm, has_server_realm;
@ -596,7 +596,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
return KRB5_KDB_DBNOTINITED;
}
@@ -3220,7 +3258,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
@@ -3217,7 +3255,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
char **trusted_realm)
{
struct ipadb_context *ipactx;
@ -606,7 +606,7 @@ index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023
bool result = false;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
index 7f0ca7a7966ff159828f81283f8d067476abc594..e650cfa73c558c53b28f75de26d83132e8c4b234 100644
index 7f0ca7a79..e650cfa73 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -31,7 +31,7 @@ struct ipadb_mspac {
@ -619,7 +619,7 @@ index 7f0ca7a7966ff159828f81283f8d067476abc594..e650cfa73c558c53b28f75de26d83132
time_t last_update;
};
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
index faf47ad1b9b979a9acb8020eff5d663124b250ac..96cd50e4c8afe141880dd7e2e9472623cef667d8 100644
index faf47ad1b..96cd50e4c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
@@ -233,6 +233,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
@ -642,7 +642,7 @@ index faf47ad1b9b979a9acb8020eff5d663124b250ac..96cd50e4c8afe141880dd7e2e9472623
kerr = ipadb_get_pac(context, flags, client, server, NULL, authtime, &pac);
if (kerr != 0 && kerr != ENOENT) {
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
index 3badd5b088b3f017546d5df3cecbf7427fedd59d..60db048e1f328c3a31b58d2a3b17d9cac615467c 100644
index 3badd5b08..60db048e1 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
@@ -46,6 +46,7 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
@ -678,18 +678,18 @@ index 3badd5b088b3f017546d5df3cecbf7427fedd59d..60db048e1f328c3a31b58d2a3b17d9ca
client, server, replaced_reply_key,
authtime, &new_pac);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 139f091aa9f920af14a9ba91f4d83151e23a6a20..16a15748fb94ff31d91aa656532a7b40fa4f195a 100644
index fadb132ed..07cc87746 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1598,6 +1598,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
-1,
};
size_t i = 0;
@@ -1495,6 +1495,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
krb5_db_entry *kentry = NULL;
krb5_data *realm;
krb5_boolean check = FALSE;
+ const char *stmsg = NULL;
/* For TGS-REQ server principal lookup, KDC asks with KRB5_KDB_FLAG_REFERRAL_OK
* and client usually asks for an KRB5_NT_PRINCIPAL type principal. */
@@ -1685,8 +1686,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
/* TODO: also support hostbased aliases */
@@ -1562,8 +1563,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
if (kerr == KRB5_KDB_NOENTRY) {
/* If no trusted realm found, refresh trusted domain data and try again
* because it might be a freshly added trust to AD */

View File

@ -1,46 +0,0 @@
From be805c1150fd0c2e6ac2276f8535b14d57557aad Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:38:47 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa_lockout
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index a8095ccd371bfd29e3148ab2ad8c982a08f0b7e0..366018094bdc42c914d7743a89519ba1e1a6e124 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -30,7 +30,7 @@
* Program may make changes or additions to the list of Approved
* Interfaces.
*
- * Copyright (C) 2010 Red Hat, Inc.
+ * Copyright (C) 2010-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -823,13 +823,15 @@ static int ipalockout_preop(Slapi_PBlock *pb)
if (failedcount >= max_fail) {
if (lockout_duration == 0) {
errstr = "Entry permanently locked.\n";
+ LOG_PWDPOLICY("Entry '%s' is permanently locked.\n", dn);
ret = LDAP_UNWILLING_TO_PERFORM;
goto done;
}
if (time_now < last_failed + lockout_duration) {
/* Too many failures */
- LOG_TRACE("Too many failed logins. %lu out of %d\n", failedcount, max_fail);
+ LOG_PWDPOLICY("Too many failed logins for '%s'. %lu out of %d\n",
+ dn, failedcount, max_fail);
errstr = "Too many failed logins.\n";
ret = LDAP_UNWILLING_TO_PERFORM;
}
--
2.43.0

View File

@ -1,7 +1,8 @@
From 7f1142504d41a821357168acd2484c7cb7c1a4c2 Mon Sep 17 00:00:00 2001
From 44a762413c83f9637399afeb61b1e4b1ac111260 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 13 Feb 2024 13:30:15 +0100
Subject: [PATCH] ipatests: fix tasks.wait_for_replication method
Date: Feb 14 2024 12:24:48 +0000
Subject: ipatests: fix tasks.wait_for_replication method
With the fix for https://pagure.io/freeipa/issue/9171, the
method entry.single_value['nsds5replicaupdateinprogress'] now
@ -14,15 +15,14 @@ Fixes: https://pagure.io/freeipa/issue/9530
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index ee6dec7a1d2416b442a6ce20e41b09d84f43b5c7..418c63f2c17e4fc0a2f625bca9a02879c1a1566f 100755
index 9068ba6..952c9e6 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1520,7 +1520,7 @@ def wait_for_replication(ldap, timeout=30,
@@ -1510,7 +1510,7 @@ def wait_for_replication(ldap, timeout=30,
statuses = [entry.single_value[status_attr] for entry in entries]
wrong_statuses = [s for s in statuses
if not re.match(target_status_re, s)]
@ -31,6 +31,4 @@ index ee6dec7a1d2416b442a6ce20e41b09d84f43b5c7..418c63f2c17e4fc0a2f625bca9a02879
msg = 'Replication not finished'
logger.debug(msg)
elif wrong_statuses:
--
2.43.0

View File

@ -1,56 +0,0 @@
From 473b1e465ba93ec313bc7cea62bb8d545f37e8bd Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:39:14 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa_modrdn
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
index 6cec5f242b7d23d3752e5bc30c67e034abc96abb..8be192a5e94211f94a7f3a8a62409250b723ddb5 100644
--- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
+++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
@@ -30,7 +30,7 @@
* Program may make changes or additions to the list of Approved
* Interfaces.
*
- * Copyright (C) 2010 Red Hat, Inc.
+ * Copyright (C) 2010-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -350,7 +350,6 @@ ipamodrdn_load_plugin_config(void)
{
int status = EOK;
int result;
- int i;
Slapi_PBlock *search_pb;
Slapi_Entry **entries = NULL;
@@ -379,7 +378,7 @@ ipamodrdn_load_plugin_config(void)
goto cleanup;
}
- for (i = 0; (entries[i] != NULL); i++) {
+ for (size_t i = 0; (entries[i] != NULL); i++) {
/* We don't care about the status here because we may have
* some invalid config entries, but we just want to continue
* looking for valid ones. */
@@ -680,7 +679,8 @@ ipamodrdn_change_attr(struct configEntry *cfgentry,
slapi_modify_internal_pb(mod_pb);
slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret != LDAP_SUCCESS) {
- LOG_FATAL("Failed to change attribute with error %d\n", ret);
+ LOG_FATAL("Failed to change attribute '%s' in '%s' with error %d\n",
+ cfgentry->tattr, targetdn, ret);
ret = EFAIL;
}
ret = EOK;
--
2.43.0

View File

@ -1,4 +1,4 @@
From b1390d1ad7e94256148a6b26431ff1e97fb8b7b3 Mon Sep 17 00:00:00 2001
From 163f06cab678d517ab30ab6da59ae339f39ee7cf Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 27 May 2022 17:31:40 +0200
Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo
@ -11,12 +11,13 @@ Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
(cherry picked from commit b1fb31fd20c900c9ff1d5d28dfe136439f6bf605)
---
ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++--------
1 file changed, 45 insertions(+), 12 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7f2419c27 100644
index d4c84eb6b..ed16c73ae 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None):
@ -41,7 +42,7 @@ index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7
label=None
)
)
@@ -703,14 +703,39 @@ class ModVaultData(Local):
@@ -705,14 +705,39 @@ class ModVaultData(Local):
return transport_cert, wrapping_algo
def _do_internal(self, algo, transport_cert, raise_unexpected,
@ -86,7 +87,7 @@ index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7
options['session_key'] = wrapped_session_key
name = self.name + '_internal'
@@ -721,7 +746,7 @@ class ModVaultData(Local):
@@ -723,7 +748,7 @@ class ModVaultData(Local):
errors.ExecutionError,
errors.GenericError):
_kra_config_cache.remove(self.api.env.domain)
@ -95,7 +96,7 @@ index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7
raise
return None
@@ -731,15 +756,23 @@ class ModVaultData(Local):
@@ -733,15 +758,23 @@ class ModVaultData(Local):
"""
# try call with cached transport certificate
result = self._do_internal(algo, transport_cert, False,

View File

@ -1,82 +0,0 @@
From 0f78feeca51a7abe49fbabf22991bf89eba7b12a Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:39:47 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa_otp_counter
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-otp-counter/ipa_otp_counter.c | 13 +++++++++----
daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h | 4 +++-
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
index da047d7dc58e27b37ad29c39bde44e33602ab4c5..5e03450c5164ee450736fc61b40ef769bc4572dd 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
@@ -33,7 +33,7 @@
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (C) 2014-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -295,14 +295,16 @@ preop_mod(Slapi_PBlock *pb)
}
if (!simulate(mods, attr, cpre, &cpost) && repl == 0) {
- msg = slapi_ch_smprintf("Invalid operation sequence on %s", attr);
+ msg = slapi_ch_smprintf("Invalid operation sequence on %s (%s)",
+ attr, slapi_entry_get_dn_const(epre));
goto error;
}
if (cpost < cpre) {
if (repl == 0) {
- msg = slapi_ch_smprintf("Will not %s %s",
- cpost == COUNTER_UNSET ? "delete" : "decrement", attr);
+ msg = slapi_ch_smprintf("Will not %s %s (%s)",
+ cpost == COUNTER_UNSET ? "delete" : "decrement",
+ attr, slapi_entry_get_dn_const(epre));
goto error;
}
@@ -321,6 +323,9 @@ preop_mod(Slapi_PBlock *pb)
error:
rc = LDAP_UNWILLING_TO_PERFORM;
+ if (msg) {
+ LOG("%s - error %d\n", msg, rc);
+ }
slapi_send_ldap_result(pb, rc, NULL, msg, 0, NULL);
if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
LOG_FATAL("slapi_pblock_set failed!\n");
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h b/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
index 45f43904b2288a97802ad2d698a30be972e2d8b7..324107c487f53e11774c51f248b00043e44b0bcc 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
@@ -33,7 +33,7 @@
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (C) 2014-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -41,6 +41,8 @@
#include <slapi-plugin.h>
+#define IPA_PLUGIN_NAME "ipa-otp-counter"
+
long long
ldapmod_get_value(const LDAPMod *mod, long long def);
--
2.43.0

View File

@ -1,8 +1,8 @@
From c6f79e0453c9d417173ca7ecfbd5e233c6a89a9f Mon Sep 17 00:00:00 2001
From 84798137fabf75fe79aebbd97e4b8418de8ab0f2 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 19 Jan 2024 18:15:28 +0100
Subject: [PATCH] Vault: improve vault server archival/retrieval calls error
handling
Subject: [PATCH] Vault: improve vault server archival/retrieval calls
error handling
If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
@ -12,12 +12,13 @@ Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
(cherry picked from commit dc1ab53f0aa0398d493f7440b5ec4d70d9c7d663)
---
ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b4516e20b63 100644
index 574c83a9a..13c4fac9a 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -45,6 +45,7 @@ if api.env.in_server:
@ -28,7 +29,7 @@ index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b45
if six.PY3:
unicode = str
@@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery):
@@ -1094,16 +1095,21 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.KEY_STATUS_INACTIVE)
# forward wrapped data to KRA
@ -60,7 +61,7 @@ index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b45
response = {
'value': args[-1],
@@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery):
@@ -1174,11 +1180,17 @@ class vault_retrieve_internal(PKQuery):
kra_client.keys.encrypt_alg_oid = algorithm_oid
# retrieve encrypted data from KRA

View File

@ -1,96 +0,0 @@
From 5eb6af01873d0f70ff5b02c972867877da8e7c50 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:40:13 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa_otp_lasttoken
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 25 ++++++++++++-------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index 11106b239f9de9074125979cfae7c02e434936e1..c1318f8eb19a5ff7da016eb145eece2f56925235 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -33,7 +33,7 @@
* Authors:
* Nathaniel McCallum <npmccallum@redhat.com>
*
- * Copyright (C) 2013 Red Hat, Inc.
+ * Copyright (C) 2013-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -46,7 +46,7 @@
#include "util.h"
-#define PLUGIN_NAME "ipa-otp-lasttoken"
+#define IPA_PLUGIN_NAME "ipa-otp-lasttoken"
#define OTP_CONTAINER "cn=otp,%s"
static struct otp_config *otp_config;
@@ -191,9 +191,14 @@ static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
static int preop_del(Slapi_PBlock *pb)
{
+ char *dn = NULL;
+
if (is_allowed(pb, NULL))
return 0;
+ slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+ LOG("Can't delete last active token (%s)", dn);
+
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
"Can't delete last active token");
}
@@ -221,10 +226,12 @@ static int preop_mod(Slapi_PBlock *pb)
return 0;
/* If a protected attribute is modified, deny. */
- for (int i = 0; mods != NULL && mods[i] != NULL; i++) {
- for (int j = 0; errors[j].attr != NULL; j++) {
- if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0)
+ for (size_t i = 0; mods != NULL && mods[i] != NULL; i++) {
+ for (size_t j = 0; errors[j].attr != NULL; j++) {
+ if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0) {
+ LOG("%s (%s)", errors[j].msg, slapi_entry_get_dn_const(entry));
return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg);
+ }
}
}
@@ -284,7 +291,7 @@ static int ipa_otp_lasttoken_start(Slapi_PBlock *pb)
int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
{
static const Slapi_PluginDesc preop_desc = {
- PLUGIN_NAME,
+ IPA_PLUGIN_NAME,
"FreeIPA",
"FreeIPA/1.0",
"Protect the user's last active token"
@@ -297,14 +304,14 @@ int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc);
ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,
- PLUGIN_NAME " betxnpreoperation", NULL,
+ IPA_PLUGIN_NAME " betxnpreoperation", NULL,
ipa_otp_lasttoken_plugin_id);
ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,
- PLUGIN_NAME " postoperation", NULL,
+ IPA_PLUGIN_NAME " postoperation", NULL,
ipa_otp_lasttoken_plugin_id);
ret |= slapi_register_plugin("internalpostoperation", 1, __func__,
intpostop_init,
- PLUGIN_NAME " internalpostoperation", NULL,
+ IPA_PLUGIN_NAME " internalpostoperation", NULL,
ipa_otp_lasttoken_plugin_id);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN,
(void *)ipa_otp_lasttoken_start);
--
2.43.0

View File

@ -1,4 +1,4 @@
From 601de6985ce0efdd701bfd8361cea72c4b87f39b Mon Sep 17 00:00:00 2001
From a406fd9aec7d053c044e73f16b05489bebd84bc8 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 19 Jan 2024 17:12:07 +0100
Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is
@ -12,6 +12,7 @@ Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
(cherry picked from commit f2eec9eb208e62f923375b9eaf34fcc491046a0d)
---
install/share/ipaca_default.ini | 3 +++
ipaserver/install/dogtaginstance.py | 4 +++-
@ -20,7 +21,7 @@ Reviewed-By: Rob Crittenden <rcritten@redhat.com>
4 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 62e0729d1b6332fce142cd1d85ccc461539d06ae..44cda15920176c9eebb9a3d16f089210ff17dcdd 100644
index 082f507b2..691f1e1b7 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
@ -32,7 +33,7 @@ index 62e0729d1b6332fce142cd1d85ccc461539d06ae..44cda15920176c9eebb9a3d16f089210
+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s
\ No newline at end of file
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb..e0aa129ad3b0114afc4d1eae7f1ed76bb41276ae 100644
index c2c6b3f49..c3c726f68 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -1020,7 +1020,9 @@ class PKIIniLoader:
@ -47,10 +48,10 @@ index 7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb..e0aa129ad3b0114afc4d1eae7f1ed76b
@classmethod
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index d0636a56c3d2c09a5c83c08cc1fc12768212ac3e..0fd148697dadd59ad87eb401528761010a1555de 100644
index 13cb2dcaa..0e04840a1 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -284,6 +284,18 @@ class KRAInstance(DogtagInstance):
@@ -277,6 +277,18 @@ class KRAInstance(DogtagInstance):
# A restart is required
@ -70,10 +71,10 @@ index d0636a56c3d2c09a5c83c08cc1fc12768212ac3e..0fd148697dadd59ad87eb40152876101
"""
When renewing a KRA subsystem certificate the configuration file
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f42faea049c720c931ce7ea865e3c35acbc08b5d..31d4f8398cfb0251cc59ada909eb55635b83e960 100644
index e4dc7ae73..c84516b56 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1794,6 +1794,18 @@ def upgrade_configuration():
@@ -1780,6 +1780,18 @@ def upgrade_configuration():
else:
logger.info('ephemeralRequest is already enabled')

View File

@ -1,766 +0,0 @@
From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:41:10 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 25 +++--
.../ipa-pwd-extop/encoding.c | 5 +-
.../ipa-pwd-extop/ipa_pwd_extop.c | 106 ++++++++++--------
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 59 +++++-----
4 files changed, 105 insertions(+), 90 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
char **encsalts;
char **tmparray;
char *tmpstr;
- int i, ret;
+ int ret;
+ size_t i;
config = calloc(1, sizeof(struct ipapwd_krbcfg));
if (!config) {
@@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn,
"ipaPwdUserCheck", NULL};
Slapi_Entry **es = NULL;
Slapi_Entry *pe = NULL;
- int ret, res, scope, i;
+ int ret, res, scope;
+ size_t i;
int buffer_flags=0;
Slapi_ValueSet* results = NULL;
char *actual_type_name = NULL;
@@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
}
sdn = slapi_sdn_new_dn_byref(dn);
if (!sdn) {
- LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
+ LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? dn : "<NULL>");
*errMesg = "Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto done;
@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
/* get the kerberos context and master key */
*config = ipapwd_getConfig();
if (NULL == *config) {
- LOG_FATAL("Error Retrieving Master Key");
+ LOG_FATAL("Error Retrieving Master Key\n");
*errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
}
@@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
/* Find the entry with the password policy */
ret = ipapwd_getPolicy(data->dn, data->target, &pol);
if (ret) {
- LOG_TRACE("No password policy, use defaults");
+ LOG_TRACE("No password policy, use defaults\n");
}
break;
case IPA_CHANGETYPE_ADMIN:
@@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
*/
ret = ipapwd_getPolicy(data->dn, data->target, &tmppol);
if (ret) {
- LOG_TRACE("No password policy, use defaults");
+ LOG_TRACE("No password policy, use defaults\n");
} else {
pol.max_pwd_life = tmppol.max_pwd_life;
pol.history_length = tmppol.history_length;
}
break;
default:
- LOG_TRACE("Unknown password change type, use defaults");
+ LOG_TRACE("Unknown password change type, use defaults\n");
break;
}
@@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
case IPA_CHANGETYPE_DSMGR:
case IPA_CHANGETYPE_ADMIN:
/* Mark as administratively reset which will unlock acct */
- ret = ipapwd_setdate(data->target, smods,
+ ret = ipapwd_setdate(data->target, smods,
"krbLastAdminUnlock",
data->timeNow, false);
if (ret != LDAP_SUCCESS)
@@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
char **new_pwd_history = NULL;
int n = 0;
int ret;
- int i;
+ size_t i;
pwd_history = slapi_entry_attr_get_charray(data->target,
"passwordHistory");
@@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn,
void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
{
Slapi_Value **sv = *svals;
- int i;
if (sv) {
- for (i = 0; sv[i]; i++) {
+ for (size_t i = 0; sv[i]; i++) {
slapi_value_free(&sv[i]);
}
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (!*svals) {
/* errMesg should have been set in encrypt_encode_key() */
- LOG_FATAL("key encryption/encoding failed\n");
+ LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
}
(*ntvals)[0] = slapi_value_new();
if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
+ LOG("Failed to set value for nt_key");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_keyset *kset,
bool allow_nthash)
{
- int i, j;
+ size_t i, j;
for (i = 0; i < kset->num_keys; i++) {
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
bool allow_nthash)
{
/* first filter for duplicates */
- for (int i = 0; i + 1 < *num_kenctypes; i++) {
- for (int j = i + 1; j < *num_kenctypes; j++) {
+ for (size_t i = 0; i + 1 < *num_kenctypes; i++) {
+ for (size_t j = i + 1; j < *num_kenctypes; j++) {
if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
/* duplicate, filter out */
- for (int k = j; k + 1 < *num_kenctypes; k++) {
+ for (size_t k = j; k + 1 < *num_kenctypes; k++) {
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
}
@@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
}
/* then filter for supported */
- for (int i = 0; i < *num_kenctypes; i++) {
- int j;
+ for (size_t i = 0; i < *num_kenctypes; i++) {
+ size_t j;
/* Check if supported */
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
@@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
}
if (j == krbcfg->num_supp_encsalts) {
/* Unsupported, filter out */
- for (int k = i; k + 1 < *num_kenctypes; k++) {
+ for (size_t k = i; k + 1 < *num_kenctypes; k++) {
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
}
@@ -344,6 +344,8 @@ parse_req_done:
rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ bindDN, errMesg);
goto free_and_return;
}
@@ -456,7 +458,7 @@ parse_req_done:
char *cur_pw;
if (oldPasswd == NULL || *oldPasswd == '\0') {
- LOG_FATAL("Old password was not provided!\n");
+ LOG_FATAL("Old password was not provided for '%s'!\n", dn);
rc = LDAP_INVALID_CREDENTIALS;
goto free_and_return;
}
@@ -466,7 +468,7 @@ parse_req_done:
cur_pw = slapi_entry_attr_get_charptr(targetEntry,
"userPassword");
if (!cur_pw) {
- LOG_FATAL("User has no current password?\n");
+ LOG_FATAL("User '%s' does not have a current password?\n", dn);
rc = LDAP_UNWILLING_TO_PERFORM;
goto free_and_return;
}
@@ -485,7 +487,7 @@ parse_req_done:
slapi_value_free(&pw);
if (ret != 0) {
- LOG_TRACE("Invalid password!\n");
+ LOG_TRACE("Invalid password for '%s'!\n", dn);
rc = LDAP_INVALID_CREDENTIALS;
goto free_and_return;
}
@@ -579,11 +581,9 @@ parse_req_done:
/* special cases */
if ((strcasecmp(dn, bindDN) != 0) &&
(strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) {
- int i;
-
pwdata.changetype = IPA_CHANGETYPE_ADMIN;
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
@@ -606,6 +606,8 @@ parse_req_done:
errMesg = ipapwd_error2string(ret);
ret = ipapwd_to_ldap_pwpolicy_error(ret);
slapi_pwpolicy_make_response_control(pb, -1, -1, ret);
+ LOG_PWDPOLICY("Failed to set password credentials for"
+ " '%s': %s\n", dn, errMesg);
rc = LDAP_CONSTRAINT_VIOLATION;
goto free_and_return;
}
@@ -666,7 +668,7 @@ free_and_return:
if (targetEntry) slapi_entry_free(targetEntry);
if (ber) ber_free(ber, 1);
- LOG("%s", errMesg ? errMesg : "success");
+ LOG("%s\n", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
"krbCanonicalName",
"enrolledBy", NULL };
Slapi_Entry **es = NULL;
- int res, ret, i;
+ int res, ret;
+ size_t i;
Slapi_Entry *entry = NULL;
/* Find ancestor base DN */
@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
/* if there is none or more than one, freak out */
if (i != 1) {
- LOG_TRACE("Too many entries, or entry no found (%d)", i);
+ LOG_TRACE("Too many entries, or entry no found (%ld)\n", i);
goto free_and_return;
}
entry = slapi_entry_dup(es[0]);
@@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN,
*/
be = get_realm_backend();
if (!be) {
- LOG_FATAL("Could not fetch REALM backend!");
+ LOG_FATAL("Could not fetch REALM backend!\n");
return false;
}
if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) {
@@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods,
if ((NULL != pw) && (NULL == krbLastPwdChange)) {
slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE,
"userPassword", NULL);
- LOG_TRACE("Removing userPassword from host entry\n");
+ LOG_TRACE("Removing userPassword from host entry '%s'\n",
+ slapi_entry_get_dn_const(targetEntry));
}
}
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
@@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
rc = set_krbLastPwdChange(smods, time_now);
if (rc) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to set krbLastPwdChange");
- err_msg = "Internal error while storing keytab data\n";
+ LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n",
+ slapi_entry_get_dn_const(target));
+ err_msg = "Internal error while storing keytab data";
goto done;
}
@@ -905,8 +910,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods);
if (rc != LDAP_SUCCESS) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to apply mods");
- err_msg = "Internal error while saving keys\n";
+ LOG_FATAL("Failed to apply mods to target '%s'\n",
+ slapi_entry_get_dn_const(target));
+ err_msg = "Internal error while saving keys";
goto done;
}
@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
svcname, time_now);
if (rc != LDAP_SUCCESS) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to set extradata");
- err_msg = "Internal error while saving keytab extradata\n";
+ LOG_FATAL("Failed to set extradata for target '%s'\n",
+ slapi_entry_get_dn_const(target));
+ err_msg = "Internal error while saving keytab extradata";
goto done;
}
@@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx,
kset->mkvno = mkvno;
rtag = ber_peek_tag(ber, &tlen);
- for (int i = 0; rtag == LBER_SEQUENCE; i++) {
+ for (size_t i = 0; rtag == LBER_SEQUENCE; i++) {
krb5_key_data *newset;
ber_tag_t ctag;
ber_int_t type;
@@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno);
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_printf the kvno");
+ LOG_FATAL("Failed to ber_printf the kvno\n");
goto done;
}
- for (int i = 0; i < kset->num_keys; i++) {
+ for (size_t i = 0; i < kset->num_keys; i++) {
rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_printf the enctype");
+ LOG_FATAL("Failed to ber_printf the enctype\n");
goto done;
}
}
rc = ber_printf(ber, "}}");
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_printf the termination");
+ LOG_FATAL("Failed to ber_printf the termination\n");
goto done;
}
rc = ber_flatten(ber, &bvp);
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_flatten the buffer");
+ LOG_FATAL("Failed to ber_flatten the buffer\n");
goto done;
}
@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* get next kvno for entry (will be 1 if this is new) and fix keyset */
kvno = ipapwd_get_cur_kvno(targetEntry) + 1;
- for (int i = 0; i < kset->num_keys; i++) {
+ for (size_t i = 0; i < kset->num_keys; i++) {
kset->keys[i].key_data_kvno = kvno;
}
@@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rc = encode_setkeytab_reply(kset, &bvp);
if (rc) {
- errMesg = "Internal Error.\n";
+ errMesg = "Internal Error.";
goto free_and_return;
}
@@ -1372,7 +1379,7 @@ free_and_return:
if (targetEntry) slapi_entry_free(targetEntry);
if (svals) {
- for (int i = 0; svals[i]; i++) {
+ for (size_t i = 0; svals[i]; i++) {
slapi_value_free(&svals[i]);
}
free(svals);
@@ -1382,7 +1389,7 @@ free_and_return:
if (rc == LDAP_SUCCESS)
errMesg = NULL;
- LOG("%s", errMesg ? errMesg : "success");
+ LOG("%s\n", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
krb5_key_salt_tuple *enctypes = NULL;
bool newkt;
bool ret;
- int i;
ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,
&svcname, &password, &etypes, &numtypes);
@@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
goto done;
}
- for (i = 0; i < numtypes; i++) {
+ for (size_t i = 0; i < numtypes; i++) {
enctypes[i].ks_enctype = etypes[i];
enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
}
@@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
/* uses last key kvno */
kvno = keys[num_keys-1].key_data_kvno;
- for (int i = 0; i < num_keys; i++) {
+ for (size_t i = 0; i < num_keys; i++) {
krb5_enc_data cipher = { 0 };
krb5_data plain = { 0 };
krb5_int16 plen;
@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
rc = LDAP_SUCCESS;
done:
- for (int i = 0; i < ksc.nkeys; i ++) {
+ for (size_t i = 0; i < ksc.nkeys; i++) {
free(ksc.ksdata[i].key.contents);
}
if (rc != LDAP_SUCCESS) {
@@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
* this operation. */
if (bind_dn == NULL || *bind_dn == '\0') {
/* Refuse the operation because they're bound anonymously */
- err_msg = "Anonymous Binds are not allowed.\n";
+ err_msg = "Anonymous Binds are not allowed.";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
}
@@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
if (!extop_value) {
LOG_FATAL("Failed to retrieve extended op value from pblock\n");
- err_msg = "Failed to retrieve extended operation value\n";
+ err_msg = "Failed to retrieve extended operation value";
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* get Entry by krbPrincipalName */
target_entry = get_entry_by_principal(service_name);
if (!target_entry) {
- err_msg = "PrincipalName not found.\n";
+ err_msg = "PrincipalName not found.";
rc = LDAP_NO_SUCH_OBJECT;
goto free_and_return;
}
@@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (!acl_ok) {
LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
service_name, bind_dn);
- err_msg = "Insufficient access rights\n";
+ err_msg = "Insufficient access rights";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
}
@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* if password was passed-in, check its length */
rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ bind_dn, err_msg);
goto free_and_return;
}
}
@@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (!acl_ok) {
LOG_FATAL("Not allowed to set keytab on [%s]!\n",
service_name);
- err_msg = "Insufficient access rights\n";
+ err_msg = "Insufficient access rights";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
}
@@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (!svals) {
rc = LDAP_OPERATIONS_ERROR;
LOG_FATAL("encrypt_encode_keys failed!\n");
- err_msg = "Internal error while encrypting keys\n";
+ err_msg = "Internal error while encrypting keys";
goto free_and_return;
}
@@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno,
keys, num_keys, &bvp);
if (rc != LDAP_SUCCESS) {
- err_msg = "Internal Error.\n";
+ err_msg = "Internal Error.";
goto free_and_return;
}
@@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
free_and_return:
if (rc == LDAP_SUCCESS) err_msg = NULL;
- LOG("%s", err_msg ? err_msg : "success");
+ LOG("%s\n", err_msg ? err_msg : "success");
slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
/* Free anything that we allocated above */
@@ -1787,7 +1795,7 @@ free_and_return:
if (target_entry) slapi_entry_free(target_entry);
if (keys) ipa_krb5_free_key_data(keys, num_keys);
if (svals) {
- for (int i = 0; svals[i]; i++) {
+ for (size_t i = 0; svals[i]; i++) {
slapi_value_free(&svals[i]);
}
free(svals);
@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb )
"ipapwd_post_init_betxn", ipapwd_post_init_betxn,
"IPA pwd post ops betxn", NULL,
ipapwd_plugin_id);
- }
+ }
slapi_register_plugin("preoperation", 1,
"ipapwd_pre_init", ipapwd_pre_init,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
return 0;
}
+ /* Get target DN */
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ret) {
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
/* Ok this is interesting,
* Check this is a clear text password, or refuse operation */
if ('{' == userpw[0]) {
@@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
} else {
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
userpw = slapi_ch_strdup(userpw_clear);
@@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
goto done;
}
- /* Get target DN */
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
- if (ret) {
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if (ret != 0) {
@@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
} else {
char *binddn;
- int i;
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
/* if it is a passsync manager we also need to skip resets */
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
@@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
(ret != 0) ) {
errMesg = ipapwd_error2string(ret);
+ LOG_PWDPOLICY("Failed to add password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
goto done;
}
+ /* Get target DN */
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ret) {
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
/* grab the mods - we'll put them back later with
* our modifications appended
*/
@@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
slapi_ch_free_string(&unhashedpw);
@@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* OK we have something interesting here, start checking for
* pre-requisites */
-
- /* Get target DN */
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
- if (ret) {
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
tmp_sdn = slapi_sdn_dup(sdn);
if (tmp_sdn) {
/* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be
@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
const char *userpw_clear = &userpw[strlen("{CLEAR}")];
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
unhashedpw = slapi_ch_strdup(userpw_clear);
@@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
slapi_ch_free_string(&userpw);
} else if (slapi_is_encoded(userpw)) {
-
- LOG("Pre-Encoded passwords are not valid\n");
- errMesg = "Pre-Encoded passwords are not valid\n";
+ errMesg = "Pre-Encoded passwords are not valid";
+ LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn));
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
} else {
char *binddn;
Slapi_DN *bdn, *tdn;
- int i;
/* Check Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
@@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
/* if it is a passsync manager we also need to skip resets */
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
}
}
-
}
slapi_sdn_free(&bdn);
slapi_sdn_free(&tdn);
-
}
pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
@@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
(ret != 0)) {
errMesg = ipapwd_error2string(ret);
+ LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n",
+ pwdop->pwdata.dn, errMesg);
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
int num_keys;
int mkvno;
int ret;
- int i;
ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr);
if (ret == 0) {
@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
ret = LDAP_UNWILLING_TO_PERFORM;
- for (i = 0; i < num_keys; i++) {
+ for (size_t i = 0; i < num_keys; i++) {
char nthash[16];
krb5_enc_data cipher;
krb5_data plain;
@@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
} else {
rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto invalid_creds;
}
}
--
2.43.0

View File

@ -1,4 +1,4 @@
From ac44c3d0a69aa2b3f8230c3ab13dca5ab5a78dd0 Mon Sep 17 00:00:00 2001
From a8e433f7c8d844d9f337a34db09b0197f2dbc5af Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 20 Feb 2024 15:14:24 +0100
Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac()
@ -7,15 +7,16 @@ Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
(cherry picked from commit dd27d225524aa81c038a970961a4f878cf742e2a)
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index b0eb3324bf4b7d8eeb7b332c39de4023784f6337..9723103d8a77294ed7457d9b48bfc0d98b9ccef1 100644
index deed513b9..0964d112a 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3087,6 +3087,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
@@ -3084,6 +3084,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
}
free(resstr);

View File

@ -1,47 +0,0 @@
From a2fcfb9e17c4e7f2b4c57fa1eccdfe27d0c085d3 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:41:43 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa_uuid
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 87d8be2d88d9ff9bbf7d47eab57b765063f7a230..2fa84f5167341667050e3cfd4bda4c4a4991d06d 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -30,7 +30,7 @@
* Program may make changes or additions to the list of Approved
* Interfaces.
*
- * Copyright (C) 2010 Red Hat, Inc.
+ * Copyright (C) 2010-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -1185,7 +1185,7 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
* enforce is enabled. */
errstr = slapi_ch_smprintf("Only the Directory Manager "
"can set arbitrary values "
- "for %s\n", cfgentry->attr);
+ "for %s", cfgentry->attr);
ret = LDAP_INSUFFICIENT_ACCESS;
goto done;
}
@@ -1221,7 +1221,7 @@ done:
}
if (ret) {
- LOG("operation failure [%d]\n", ret);
+ LOG("operation failure [%d] - %s\n", ret, errstr);
slapi_send_ldap_result(pb, ret, NULL, errstr, 0, NULL);
slapi_ch_free((void **)&errstr);
ret = EFAIL;
--
2.43.0

View File

@ -1,8 +1,8 @@
From 8b598814d1e51466ebbe3e0a392af92370d0c93b Mon Sep 17 00:00:00 2001
From b039f3087a13de3f34b230dbe29a7cfb1965700d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 7 Feb 2024 13:09:54 +0200
Subject: [PATCH] rpcserver: validate Kerberos principal name before running
kinit
Date: Feb 23 2024 09:49:27 +0000
Subject: rpcserver: validate Kerberos principal name before running kinit
Do minimal validation of the Kerberos principal name when passing it to
kinit command line tool. Also pass it as the final argument to prevent
@ -27,18 +27,11 @@ Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipalib/install/kinit.py | 47 ++++++++++++++++++-
ipaserver/rpcserver.py | 9 ++--
ipatests/setup.py | 1 +
ipatests/test_ipalib_install/__init__.py | 0
ipatests/test_ipalib_install/test_kinit.py | 29 ++++++++++++
5 files changed, 80 insertions(+), 6 deletions(-)
create mode 100644 ipatests/test_ipalib_install/__init__.py
create mode 100644 ipatests/test_ipalib_install/test_kinit.py
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index cc839ec38d1dbcb1cf3b0334592d04baf0dba23b..4ad4eaa1c30f2fb0ab02be411917e304eb527d32 100644
index cc839ec..4ad4eaa 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -6,12 +6,16 @@ from __future__ import absolute_import
@ -152,10 +145,10 @@ index cc839ec38d1dbcb1cf3b0334592d04baf0dba23b..4ad4eaa1c30f2fb0ab02be411917e304
# this workaround enables us to capture stderr and put it
# into the raised exception in case of unsuccessful authentication
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 198fc9e7dbae281f797dcccf96d21d475ff31e8c..4f65b7e057c3d184ffadd4f28872ec3cceb73077 100644
index 3555014..60bfa61 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1135,10 +1135,6 @@ class login_password(Backend, KerberosSession):
@@ -1134,10 +1134,6 @@ class login_password(Backend, KerberosSession):
canonicalize=True,
lifetime=self.api.env.kinit_lifetime)
@ -166,7 +159,7 @@ index 198fc9e7dbae281f797dcccf96d21d475ff31e8c..4f65b7e057c3d184ffadd4f28872ec3c
except RuntimeError as e:
if ('kinit: Cannot read password while '
'getting initial credentials') in str(e):
@@ -1156,6 +1152,11 @@ class login_password(Backend, KerberosSession):
@@ -1155,6 +1151,11 @@ class login_password(Backend, KerberosSession):
raise KrbPrincipalWrongFAST(principal=principal)
raise InvalidSessionPassword(principal=principal,
message=unicode(e))
@ -178,8 +171,89 @@ index 198fc9e7dbae281f797dcccf96d21d475ff31e8c..4f65b7e057c3d184ffadd4f28872ec3c
class change_password(Backend, HTTP_Status):
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 91be057..400a248 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -310,3 +310,15 @@ jobs:
template: *ci-ipa-4-9-latest
timeout: 3600
topology: *master_1repl_1client
+
+ fedora-latest-ipa-4-9/test_ipalib_install:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 100
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_ipalib_install/test_kinit.py
+ template: *ci-ipa-4-9-latest
+ timeout: 600
+ topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index b2ab765..7c03a48 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1801,3 +1801,15 @@ jobs:
template: *ci-ipa-4-9-latest
timeout: 5000
topology: *master_2repl_1client
+
+ fedora-latest-ipa-4-9/test_ipalib_install:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_ipalib_install/test_kinit.py
+ template: *ci-ipa-4-9-latest
+ timeout: 600
+ topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index b7b3d3b..802bd2a 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1944,3 +1944,16 @@ jobs:
template: *ci-ipa-4-9-latest
timeout: 5000
topology: *master_2repl_1client
+
+ fedora-latest-ipa-4-9/test_ipalib_install:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ selinux_enforcing: True
+ test_suite: test_ipalib_install/test_kinit.py
+ template: *ci-ipa-4-9-latest
+ timeout: 600
+ topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index eb3849e..1e1adb8 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1801,3 +1801,15 @@ jobs:
template: *ci-ipa-4-9-previous
timeout: 5000
topology: *master_2repl_1client
+
+ fedora-previous-ipa-4-9/test_ipalib_install:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_ipalib_install/test_kinit.py
+ template: *ci-ipa-4-9-previous
+ timeout: 600
+ topology: *master_1repl
diff --git a/ipatests/setup.py b/ipatests/setup.py
index 6217a1ba5d82ba7fa79cc4c073270abe307cd2ed..0aec4a70dbd75d416e4288e1204130daf46bda94 100644
index 6217a1b..0aec4a7 100644
--- a/ipatests/setup.py
+++ b/ipatests/setup.py
@@ -41,6 +41,7 @@ if __name__ == '__main__':
@ -192,10 +266,12 @@ index 6217a1ba5d82ba7fa79cc4c073270abe307cd2ed..0aec4a70dbd75d416e4288e1204130da
"ipatests.test_ipaserver",
diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
index 0000000..e69de29
--- /dev/null
+++ b/ipatests/test_ipalib_install/__init__.py
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
new file mode 100644
index 0000000000000000000000000000000000000000..f89ea17d7874c28bad2524ebf456d2caeafddd1f
index 0000000..f89ea17
--- /dev/null
+++ b/ipatests/test_ipalib_install/test_kinit.py
@@ -0,0 +1,29 @@
@ -228,6 +304,89 @@ index 0000000000000000000000000000000000000000..f89ea17d7874c28bad2524ebf456d2ca
+ validate_principal(principal)
+ except Exception as e:
+ assert e.__class__ == exception
--
2.44.0
From 96a478bbedd49c31e0f078f00f2d1cb55bb952fd Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Feb 23 2024 09:49:27 +0000
Subject: validate_principal: Don't try to verify that the realm is known
The actual value is less important than whether it matches the
regular expression. A number of legal but difficult to know in
context realms could be passed in here (trust for example).
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 4ad4eaa..d5fb56b 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
from ipapython.ipautil import run
from ipalib.constants import PATTERN_GROUPUSER_NAME
from ipalib.util import validate_hostname
-from ipalib import api
logger = logging.getLogger(__name__)
@@ -39,7 +38,9 @@ def validate_principal(principal):
if ('/' in principal) and (' ' in principal):
raise RuntimeError('Invalid principal: bad spacing')
else:
- realm = None
+ # For a user match in the regex
+ # username = match[1]
+ # realm = match[2]
match = user_pattern.match(principal)
if match is None:
match = service_pattern.match(principal)
@@ -48,16 +49,11 @@ def validate_principal(principal):
else:
# service = match[1]
hostname = match[2]
- realm = match[3]
+ # realm = match[3]
try:
validate_hostname(hostname)
except ValueError as e:
raise RuntimeError(str(e))
- else: # user match, validate realm
- # username = match[1]
- realm = match[2]
- if realm and 'realm' in api.env and realm != api.env.realm:
- raise RuntimeError('Invalid principal: realm mismatch')
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
index f89ea17..8289c4b 100644
--- a/ipatests/test_ipalib_install/test_kinit.py
+++ b/ipatests/test_ipalib_install/test_kinit.py
@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
('test/ipa.example.test@EXAMPLE.TEST', None),
('test/ipa@EXAMPLE.TEST', RuntimeError),
('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
+ ('test/ipa.1example.test@EXAMPLE.TEST', None),
('test /ipa.example,test', RuntimeError),
- ('testuser@OTHER.TEST', RuntimeError),
- ('test/ipa.example.test@OTHER.TEST', RuntimeError),
+ ('testuser@OTHER.TEST', None),
+ ('test/ipa.example.test@OTHER.TEST', None)
])
def test_validate_principal(principal, exception):
try:
validate_principal(principal)
except Exception as e:
assert e.__class__ == exception
+ else:
+ if exception is not None:
+ raise RuntimeError('Test should have failed')

View File

@ -1,7 +1,8 @@
From ca561f72d05b937e727db76c42d807ba07661494 Mon Sep 17 00:00:00 2001
From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Mar 2024 15:12:33 -0500
Subject: [PATCH] Vault: add additional fallback to RSA-OAEP wrapping algo
Date: Mar 06 2024 08:34:57 +0000
Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
There is a fallback when creating the wrapping key but one was missing
when trying to use the cached transport_cert.
@ -17,15 +18,14 @@ Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/plugins/vault.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index a29bd6e5f437d9d07f2d995d7bc884e7f2419c27..96edf09a2060e7b39e1e96c6fa65ae095ec18e73 100644
index ed16c73..1523187 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -755,8 +755,12 @@ class ModVaultData(Local):
@@ -757,8 +757,12 @@ class ModVaultData(Local):
Calls the internal counterpart of the command.
"""
# try call with cached transport certificate
@ -40,6 +40,4 @@ index a29bd6e5f437d9d07f2d995d7bc884e7f2419c27..96edf09a2060e7b39e1e96c6fa65ae09
if result is not None:
return result
--
2.44.0

View File

@ -1,8 +1,8 @@
From e95201fe2f816fc5cc795793782ea71642994a94 Mon Sep 17 00:00:00 2001
From 656a11ae961f8d1afad54567cfe8ccb53e084a67 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 11 Mar 2024 11:48:01 +0200
Subject: [PATCH] dcerpc: invalidate forest trust info cache when filtering out
realm domains
Date: Mar 20 2024 10:06:07 +0000
Subject: dcerpc: invalidate forest trust info cache when filtering out realm domains
When get_realmdomains() method is called, it will filter out subdomains
of the IPA primary domain. This is required because Active Directory
@ -24,12 +24,11 @@ Fixes: https://pagure.io/freeipa/issue/9551
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/dcerpc.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273be566baf 100644
index b6139db..7ee553d 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
@ -48,6 +47,4 @@ index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273
realm_domains = self.api.Command.realmdomains_show()['result']
# Use realmdomains' modification timestamp
--
2.44.0

View File

@ -1,56 +0,0 @@
From e8810696a38b70af286a2a2aae464ba4294e1fb5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 28 Nov 2023 13:35:13 -0500
Subject: [PATCH] ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.
Fixes: https://pagure.io/freeipa/issue/9486
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_xmlrpc/test_hbactest_plugin.py | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_xmlrpc/test_hbactest_plugin.py b/ipatests/test_xmlrpc/test_hbactest_plugin.py
index 73c4ce232066dd7e45bc9a636f9fd955d50d6818..e2e66c759ab4bd1ac3e6dd2ab380c6359fc90042 100644
--- a/ipatests/test_xmlrpc/test_hbactest_plugin.py
+++ b/ipatests/test_xmlrpc/test_hbactest_plugin.py
@@ -134,6 +134,7 @@ class test_hbactest(XMLRPC_test):
assert ret['value']
assert ret['error'] is None
assert ret['matched'] is None
+ assert 'messages' not in ret
assert ret['notmatched'] is None
def test_c_hbactest_check_rules_enabled_detail(self):
@@ -200,7 +201,23 @@ class test_hbactest(XMLRPC_test):
nodetail=True
)
- def test_g_hbactest_clear_testing_data(self):
+ def test_g_hbactest_searchlimit_message(self):
+ """
+ Test running 'ipa hbactest' with limited --sizelimit
+
+ We know there are at least 6 rules, 4 created here + 2 default.
+ """
+ ret = api.Command['hbactest'](
+ user=self.test_user,
+ targethost=self.test_host,
+ service=self.test_service,
+ nodetail=True,
+ sizelimit=2,
+ )
+
+ assert ret['messages'] is not None
+
+ def test_h_hbactest_clear_testing_data(self):
"""
Clear data for HBAC test plugin testing.
"""
--
2.43.0

View File

@ -0,0 +1,335 @@
From 3bba254ccdcf9b62fdd8a6d71baecf37c97c300c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 3 Apr 2023 08:37:28 +0200
Subject: [PATCH] ipatests: mark known failures for autoprivategroup
Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_trust.py | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 0d5b71cb0..12f000c1a 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1154,11 +1154,15 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
self.gid_override
):
self.mod_idrange_auto_private_group(type)
- (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
- assert (uid == self.uid_override and gid == self.gid_override)
+ sssd_version = tasks.get_sssd_version(self.clients[0])
+ bad_version = sssd_version >= tasks.parse_version("2.8.2")
+ cond = (type == 'hybrid') and bad_version
+ with xfail_context(condition=cond,
+ reason="https://pagure.io/freeipa/issue/9295"):
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
+ assert (uid == self.uid_override and gid == self.gid_override)
test_group = self.clients[0].run_command(
["id", nonposixuser]).stdout_text
- # version = tasks.get_sssd_version(self.clients[0])
with xfail_context(type == "hybrid",
'https://github.com/SSSD/sssd/issues/5989'):
assert "domain users@{0}".format(self.ad_domain) in test_group
@@ -1232,8 +1236,11 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
posixuser = "testuser1@%s" % self.ad_domain
self.mod_idrange_auto_private_group(type)
if type == "true":
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
- assert uid == gid
+ sssd_version = tasks.get_sssd_version(self.clients[0])
+ with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
+ "https://pagure.io/freeipa/issue/9295"):
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
else:
for host in [self.master, self.clients[0]]:
result = host.run_command(['id', posixuser], raiseonerr=False)
--
2.44.0
From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Feb 12 2024 10:43:39 +0000
Subject: ipatests: add xfail for autoprivate group test with override
Because of SSSD issue 7169, secondary groups are not
retrieved when autoprivate group is set and an idoverride
replaces the user's primary group.
Mark the known issues as xfail.
Related: https://github.com/SSSD/sssd/issues/7169
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 3b9f0fb..2b94514 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
assert (uid == self.uid_override and gid == self.gid_override)
test_group = self.clients[0].run_command(
["id", nonposixuser]).stdout_text
- with xfail_context(type == "hybrid",
- 'https://github.com/SSSD/sssd/issues/5989'):
+ cond2 = ((type == 'false'
+ and sssd_version >= tasks.parse_version("2.9.4"))
+ or type == 'hybrid')
+ with xfail_context(cond2,
+ 'https://github.com/SSSD/sssd/issues/5989 '
+ 'and 7169'):
assert "domain users@{0}".format(self.ad_domain) in test_group
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
assert(uid == self.uid_override
and gid == self.gid_override)
result = self.clients[0].run_command(['id', posixuser])
- assert "10047(testgroup@{0})".format(
- self.ad_domain) in result.stdout_text
+ sssd_version = tasks.get_sssd_version(self.clients[0])
+ bad_version = sssd_version >= tasks.parse_version("2.9.4")
+ with xfail_context(bad_version and type in ('false', 'hybrid'),
+ "https://github.com/SSSD/sssd/issues/7169"):
+ assert "10047(testgroup@{0})".format(
+ self.ad_domain) in result.stdout_text
From d5392300d77170ea3202ee80690ada8bf81b60b5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Feb 12 2024 10:44:47 +0000
Subject: ipatests: remove xfail thanks to sssd 2.9.4
SSSD 2.9.4 fixes some issues related to auto-private-group
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 12f000c..3b9f0fb 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
):
self.mod_idrange_auto_private_group(type)
sssd_version = tasks.get_sssd_version(self.clients[0])
- bad_version = sssd_version >= tasks.parse_version("2.8.2")
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
+ < tasks.parse_version("2.9.4"))
cond = (type == 'hybrid') and bad_version
with xfail_context(condition=cond,
reason="https://pagure.io/freeipa/issue/9295"):
@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
self.mod_idrange_auto_private_group(type)
if type == "true":
sssd_version = tasks.get_sssd_version(self.clients[0])
- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
+ < tasks.parse_version("2.9.4"))
+ with xfail_context(bad_version,
"https://pagure.io/freeipa/issue/9295"):
(uid, gid) = self.get_user_id(self.clients[0], posixuser)
assert uid == gid
From 34d048ede0c439b3a53e02f8ace96ff91aa1609d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mar 14 2023 16:50:25 +0000
Subject: ipatests: adapt for new automembership fixup behavior
The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.
Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py
index 7acd0d7..8b27f4d 100644
--- a/ipatests/test_integration/test_automember.py
+++ b/ipatests/test_integration/test_automember.py
@@ -4,6 +4,7 @@
"""This covers tests for automemberfeature."""
from __future__ import absolute_import
+import uuid
from ipapython.dn import DN
@@ -211,11 +212,27 @@ class TestAutounmembership(IntegrationTest):
# Running automember-build so that user is part of correct group
result = self.master.run_command(['ipa', 'automember-rebuild',
'--users=%s' % user2])
+ assert msg in result.stdout_text
+
+ # The additional --cleanup argument is required
+ cleanup_ldif = (
+ "dn: cn={cn},cn=automember rebuild membership,"
+ "cn=tasks,cn=config\n"
+ "changetype: add\n"
+ "objectclass: top\n"
+ "objectclass: extensibleObject\n"
+ "basedn: cn=users,cn=accounts,{suffix}\n"
+ "filter: (uid={user})\n"
+ "cleanup: yes\n"
+ "scope: sub"
+ ).format(cn=str(uuid.uuid4()),
+ suffix=str(self.master.domain.basedn),
+ user=user2)
+ tasks.ldapmodify_dm(self.master, cleanup_ldif)
+
assert self.is_user_member_of_group(user2, group2)
assert not self.is_user_member_of_group(user2, group1)
- assert msg in result.stdout_text
-
finally:
# testcase cleanup
self.remove_user_automember(user2, raiseonerr=False)
@@ -248,11 +265,27 @@ class TestAutounmembership(IntegrationTest):
result = self.master.run_command(
['ipa', 'automember-rebuild', '--hosts=%s' % host2]
)
+ assert msg in result.stdout_text
+
+ # The additional --cleanup argument is required
+ cleanup_ldif = (
+ "dn: cn={cn},cn=automember rebuild membership,"
+ "cn=tasks,cn=config\n"
+ "changetype: add\n"
+ "objectclass: top\n"
+ "objectclass: extensibleObject\n"
+ "basedn: cn=computers,cn=accounts,{suffix}\n"
+ "filter: (fqdn={fqdn})\n"
+ "cleanup: yes\n"
+ "scope: sub"
+ ).format(cn=str(uuid.uuid4()),
+ suffix=str(self.master.domain.basedn),
+ fqdn=host2)
+ tasks.ldapmodify_dm(self.master, cleanup_ldif)
+
assert self.is_host_member_of_hostgroup(host2, hostgroup2)
assert not self.is_host_member_of_hostgroup(host2, hostgroup1)
- assert msg in result.stdout_text
-
finally:
# testcase cleanup
self.remove_host_automember(host2, raiseonerr=False)
From 9b777390fbb6d4c683bf7d3e5f74d5443209b1d5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Mar 2023 08:15:00 +0200
Subject: [PATCH] test_xmlrpc: adopt to automember plugin message changes in
389-ds
Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_xmlrpc/xmlrpc_test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index cf11721bfca..5fe1245dc65 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -64,7 +64,7 @@ def test(xs):
# Matches an automember task finish message
fuzzy_automember_message = Fuzzy(
- r'^Automember rebuild task finished\. Processed \(\d+\) entries\.$'
+ r'^Automember rebuild task finished\. Processed \(\d+\) entries'
)
# Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb'
From 8e8b97a2251329aec9633a5c7c644bc5034bc8c2 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 20 Mar 2024 14:29:46 +0530
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 8aae9fad776..a96de7088aa 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -2731,17 +2731,18 @@ def remove_server_cert(self):
Fixture to remove Server cert and revert the change.
"""
instance = realm_to_serverid(self.master.domain.realm)
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
self.master.run_command(
[
"certutil",
"-L",
"-d",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
+ instance_dir,
"-n",
"Server-Cert",
"-a",
"-o",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ instance_dir
+ "/Server-Cert.pem",
]
)
@@ -2760,15 +2761,15 @@ def remove_server_cert(self):
[
"certutil",
"-d",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
+ instance_dir,
"-A",
"-i",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ instance_dir
+ "/Server-Cert.pem",
"-t",
"u,u,u",
"-f",
- paths.IPA_NSSDB_PWDFILE_TXT,
+ "%s/pwdfile.txt" % instance_dir,
"-n",
"Server-Cert",
]

View File

@ -1,126 +0,0 @@
From c90ba9478b663bd5bcac9bb3af4272ee1406816b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:46:19 +0200
Subject: [PATCH] ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.
Add detection of special principals to avoid these situations and always
allow password or hardened for services.
Special handling is needed for the following principals:
- krbtgt/.. -- TGT service principals
- K/M -- master key principal
- kadmin/changepw -- service for changing passwords
- kadmin/kadmin -- kadmin service principal
- kadmin/history -- key used to encrypt history
Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++-----
1 file changed, 54 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 06d511c762006f6a1e6e7a0ec663bc059489cf64..dbb98dba6d6d273e86e39e8ca8b8877d13f4299b 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -26,6 +26,7 @@
#include "ipa_kdb.h"
#include "ipa_krb5.h"
#include "ipa_hostname.h"
+#include <kadm5/admin.h>
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
@@ -207,6 +208,19 @@ static const struct {
{ "idp", IPADB_USER_AUTH_IDP },
{ "passkey", IPADB_USER_AUTH_PASSKEY },
{ }
+},
+ objclass_table[] = {
+ { "ipaservice", IPADB_USER_AUTH_PASSWORD },
+ { "ipahost", IPADB_USER_AUTH_PASSWORD },
+ { }
+},
+ princname_table[] = {
+ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD },
+ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD },
+ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD },
+ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD },
+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD },
+ { }
};
void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
*userauth = IPADB_USER_AUTH_NONE;
vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
- if (!vals)
- return;
-
- for (i = 0; vals[i]; i++) {
- for (j = 0; userauth_table[j].name; j++) {
- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
- *userauth |= userauth_table[j].flag;
- break;
+ if (!vals) {
+ /* if there is no explicit ipaUserAuthType set, use objectclass */
+ vals = ldap_get_values_len(lcontext, le, "objectclass");
+ if (!vals)
+ return;
+
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; objclass_table[j].name; j++) {
+ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) {
+ *userauth |= objclass_table[j].flag;
+ break;
+ }
+ }
+ }
+ } else {
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; userauth_table[j].name; j++) {
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
+ *userauth |= userauth_table[j].flag;
+ break;
+ }
}
}
}
+
+ /* If neither ipaUserAuthType nor objectClass were definitive,
+ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */
+ if (*userauth == IPADB_USER_AUTH_NONE) {
+ ldap_value_free_len(vals);
+ vals = ldap_get_values_len(lcontext, le, "krbprincipalname");
+ if (!vals)
+ return;
+ for (i = 0; vals[i]; i++) {
+ for (j = 0; princname_table[j].name; j++) {
+ if (strncmp(vals[i]->bv_val, princname_table[j].name,
+ strlen(princname_table[j].name)) == 0) {
+ *userauth |= princname_table[j].flag;
+ break;
+ }
+ }
+ }
+
+ }
/* If password auth is enabled, enable hardened policy too. */
if (*userauth & IPADB_USER_AUTH_PASSWORD) {
*userauth |= IPADB_USER_AUTH_HARDENED;
--
2.43.0

View File

@ -1,41 +0,0 @@
From 1fb026105ef397612a504722b2bcac29fbc69676 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:54:04 +0200
Subject: [PATCH] ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched indepedently of the user authentication types via certmap
plugin in KDC.
Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 436ee0e62665594062e7be37e5b7925f76e921a0..2802221c79fe63ab4bd33bfbe4859517f3d91ec5 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
- if (!(ua & IPADB_USER_AUTH_PKINIT)) {
- *status = "PKINIT pre-authentication not allowed for this user.";
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
- }
+ /* allow PKINIT unconditionally -- it has passed already at this
+ * point so some certificate was useful, only apply the limits */
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
--
2.43.0

View File

@ -1,11 +1,11 @@
From 3b58080f67eb940023d612aabd30533f1dc9387f Mon Sep 17 00:00:00 2001
From 0a48726e104282fb40d8f471ebb306bc9134cb0c Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 19 Mar 2024 12:24:40 +0100
Subject: [PATCH] kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding special case for the
The initial implementation of MS-SFU by MIT Kerberos was missing some
a condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required to add a special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.
@ -26,11 +26,10 @@ Signed-off-by: Julien Rische <jrische@redhat.com>
---
daemons/ipa-kdb/README.s4u2proxy.txt | 19 ++-
daemons/ipa-kdb/ipa_kdb_delegation.c | 191 +++++++++++++++------------
doc/designs/rbcd.md | 18 +++
3 files changed, 136 insertions(+), 92 deletions(-)
2 files changed, 118 insertions(+), 92 deletions(-)
diff --git a/daemons/ipa-kdb/README.s4u2proxy.txt b/daemons/ipa-kdb/README.s4u2proxy.txt
index 254fcc4d1c6..ab34aff369a 100644
index 254fcc4d1..ab34aff36 100644
--- a/daemons/ipa-kdb/README.s4u2proxy.txt
+++ b/daemons/ipa-kdb/README.s4u2proxy.txt
@@ -12,9 +12,7 @@ much more easily managed.
@ -74,10 +73,10 @@ index 254fcc4d1c6..ab34aff369a 100644
Note that here I use the term proxy in a different way than it is used in
the krb interfaces. It may seem a bit confusing but I think people will
diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
index ce5409d2bae..fbeeaaa84cb 100644
index de82174ad..3581f3c79 100644
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
@@ -99,120 +99,110 @@ static bool ipadb_match_member(char *princ, LDAPDerefRes *dres)
@@ -91,120 +91,110 @@ static bool ipadb_match_member(char *princ, LDAPDerefRes *dres)
return false;
}
@ -266,7 +265,7 @@ index ce5409d2bae..fbeeaaa84cb 100644
krb5_free_unparsed_name(kcontext, client_princ);
krb5_free_unparsed_name(kcontext, target_princ);
return kerr;
@@ -231,7 +221,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
@@ -223,7 +213,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
char *srv_principal = NULL;
krb5_db_entry *proxy_entry = NULL;
struct ipadb_e_data *ied_server, *ied_proxy;
@ -275,7 +274,7 @@ index ce5409d2bae..fbeeaaa84cb 100644
if (proxy != NULL) {
/* Handle the case where server == proxy, this is allowed in S4U */
@@ -269,27 +259,54 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
@@ -261,26 +251,53 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
goto done;
}
@ -337,40 +336,6 @@ index ce5409d2bae..fbeeaaa84cb 100644
+ ldap_msgfree(ldap_gcd_acl);
return kerr;
}
diff --git a/doc/designs/rbcd.md b/doc/designs/rbcd.md
index c3665ed8f70..fa41c57ee8e 100644
--- a/doc/designs/rbcd.md
+++ b/doc/designs/rbcd.md
@@ -173,6 +173,7 @@ any user. However, to make it usable for S4U2Proxy (constrained delegation),
the service ticket must be forwardable. In such case the Kerberos service would
be able to impersonate user and requires an explicit administrative permission.
+
IPA API provides a way to record this permission in both host and service
command families. The following commands have option
`--ok-to-auth-as-delegate=BOOL`:
@@ -183,6 +184,23 @@ command families. The following commands have option
This flag is equivalent to MS-SFU's `TrustedToAuthenticationForDelegation`
boolean setting.
+The behavior of FreeIPA regarding S4U2Self-granted tickets differs depending of
+the krb5 version that was used to compile:
+
+* **krb5 1.20+**: KDC will always respond to S4U2Self TGS-REQ with forwardable
+ tickets, except if the requester principal is set as impersonator service in
+ at least one general constrained delegation rule (even if the rule has no
+ target set)
+* **krb5 1.19-**: KDC will respond to all S4U2Self TGS-REQs with non-forwardable
+ tickets
+
+In both cases, granting the `ok-to-auth-as-delegate` permission to a principal
+will override this default behavior and allow it to obtain forwardable tickets
+to itself. In practice, it means the `ok-to-auth-as-delegate` permission is
+required if you want to grant a service the special privilege to impersonate
+any user against services configured as targets in a general constrained
+delegation rule.
+
### General constrained delegation design
General constrained delegation uses two objects: a rule and a target.
--
2.44.0

View File

@ -1,31 +0,0 @@
From fab08337dac0eb6322dc5ebe730b2541f4bb6111 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 12:20:55 +0200
Subject: [PATCH] ipa-kdb: clarify user auth table mapping use of
_AUTH_PASSWORD
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index dbb98dba6d6d273e86e39e8ca8b8877d13f4299b..4e6cacf24e27b05538db2c95ab85400bb83e3d58 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -195,6 +195,9 @@ done:
return base;
}
+/* In this table all _AUTH_PASSWORD entries will be
+ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth()
+ * which means there is no need to explicitly add it here */
static const struct {
const char *name;
enum ipadb_user_auth flag;
--
2.43.0

View File

@ -1,4 +1,4 @@
From dfd4492efd47d45bcac4ee1d32d21cae91142df8 Mon Sep 17 00:00:00 2001
From 542e12325afc2f64298f90296760235bfdcef04a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 25 Mar 2024 18:25:52 +0200
Subject: [PATCH] kdb: apply combinatorial logic for ticket flags
@ -61,7 +61,7 @@ Signed-off-by: Julien Rische <jrische@redhat.com>
4 files changed, 365 insertions(+), 53 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8459ab8e0bb..58a0339fc98 100644
index 7baf4697f..85cabe142 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -94,6 +94,34 @@
@ -99,7 +99,7 @@ index 8459ab8e0bb..58a0339fc98 100644
struct ipadb_mspac;
struct dom_sid;
@@ -187,6 +215,21 @@ struct ipadb_e_data {
@@ -178,6 +206,21 @@ struct ipadb_e_data {
struct dom_sid *sid;
};
@ -122,10 +122,10 @@ index 8459ab8e0bb..58a0339fc98 100644
int ipadb_get_connection(struct ipadb_context *ipactx);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 16a15748fb9..6a26849860c 100644
index 07cc87746..6eb542d4f 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -765,9 +765,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
@@ -706,9 +706,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
"krbTicketFlags", &result);
if (ret == 0) {
entry->attributes = result;
@ -140,7 +140,7 @@ index 16a15748fb9..6a26849860c 100644
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
"krbMaxTicketLife", &result);
@@ -971,7 +974,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
@@ -912,7 +915,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
if (ret == 0) {
@ -154,7 +154,7 @@ index 16a15748fb9..6a26849860c 100644
ret = ipadb_ldap_attr_to_str(lcontext, lentry,
"uid", &uidstring);
if (ret != 0 && ret != ENOENT) {
@@ -1339,23 +1347,150 @@ done:
@@ -1251,23 +1259,150 @@ done:
return ret;
}
@ -184,8 +184,10 @@ index 16a15748fb9..6a26849860c 100644
+ if (!ied->ipa_user) {
+ kerr = 0;
+ goto end;
+ }
+
}
- /* By default require preauth for all principals */
- return KRB5_KDB_REQUIRES_PRE_AUTH;
+ kerr = krb5_dbe_get_string(ipactx->kcontext, entry,
+ IPA_KDB_STRATTR_FINAL_USER_TKTFLAGS, &str);
+ if (kerr)
@ -278,10 +280,8 @@ index 16a15748fb9..6a26849860c 100644
+ if (-1 == ec) {
+ kerr = ENOMEM;
+ goto end;
}
- /* By default require preauth for all principals */
- return KRB5_KDB_REQUIRES_PRE_AUTH;
+ }
+
+ kerr = ipadb_simple_search(ipactx, policy_dn, LDAP_SCOPE_BASE,
+ "(objectclass=krbticketpolicyaux)",
+ tktflags_attr, &res);
@ -317,7 +317,7 @@ index 16a15748fb9..6a26849860c 100644
}
static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
@@ -1368,6 +1503,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
@@ -1280,6 +1415,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
char *policy_dn = NULL;
LDAPMessage *res = NULL;
LDAPMessage *first;
@ -325,7 +325,7 @@ index 16a15748fb9..6a26849860c 100644
int result;
int ret;
@@ -1376,12 +1512,18 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
@@ -1288,12 +1424,18 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
return KRB5_KDB_DBNOTINITED;
}
@ -344,7 +344,7 @@ index 16a15748fb9..6a26849860c 100644
ret = asprintf(&policy_dn, "cn=%s,cn=kerberos,%s",
ipactx->realm, ipactx->base);
if (ret == -1) {
@@ -1425,12 +1567,13 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
@@ -1337,12 +1479,13 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
}
}
if (polmask & TKTFLAGS_BIT) {
@ -364,7 +364,7 @@ index 16a15748fb9..6a26849860c 100644
}
}
@@ -1454,13 +1597,27 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
@@ -1366,13 +1509,27 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
if (polmask & MAXRENEWABLEAGE_BIT) {
entry->max_renewable_life = 604800;
}
@ -395,7 +395,7 @@ index 16a15748fb9..6a26849860c 100644
done:
ldap_msgfree(res);
free(policy_dn);
@@ -2048,6 +2205,36 @@ static void ipadb_mods_free_tip(struct ipadb_mods *imods)
@@ -1864,6 +2021,36 @@ static void ipadb_mods_free_tip(struct ipadb_mods *imods)
imods->tip--;
}
@ -432,7 +432,7 @@ index 16a15748fb9..6a26849860c 100644
static krb5_error_code ipadb_get_ldap_mod_str(struct ipadb_mods *imods,
char *attribute, char *value,
int mod_op)
@@ -2464,6 +2651,93 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
@@ -2275,6 +2462,93 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
return ret;
}
@ -526,7 +526,7 @@ index 16a15748fb9..6a26849860c 100644
static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
struct ipadb_mods *imods,
krb5_db_entry *entry,
@@ -2539,36 +2813,9 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
@@ -2350,36 +2624,9 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
/* KADM5_ATTRIBUTES */
if (entry->mask & KMASK_ATTRIBUTES) {
@ -566,7 +566,7 @@ index 16a15748fb9..6a26849860c 100644
/* KADM5_MAX_LIFE */
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 1ba6d25eecb..2e663c506da 100644
index 1ba6d25ee..2e663c506 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -38,6 +38,12 @@ const char *ipapwd_password_max_len_errmsg = \
@ -599,7 +599,7 @@ index 1ba6d25eecb..2e663c506da 100644
+ return false;
+}
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
index 7d2ebae9840..d0280940a93 100644
index 7d2ebae98..d0280940a 100644
--- a/util/ipa_krb5.h
+++ b/util/ipa_krb5.h
@@ -174,3 +174,7 @@ static inline bool
@ -610,3 +610,6 @@ index 7d2ebae9840..d0280940a93 100644
+/* Implement boolean string parsing function from MIT krb5:
+ * src/lib/krb5/krb/libdef_parse.c:_krb5_conf_boolean() */
+bool ipa_krb5_parse_bool(const char *str);
--
2.45.1

View File

@ -0,0 +1,127 @@
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6f5e349..febc22f 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -144,8 +144,7 @@ PROTECTED_USERS = ('admin',)
def check_protected_member(user, protected_group_name=u'admins'):
'''
Ensure admin and the last enabled member of a protected group cannot
- be deleted or disabled by raising ProtectedEntryError or
- LastMemberError as appropriate.
+ be deleted.
'''
if user in PROTECTED_USERS:
@@ -155,6 +154,12 @@ def check_protected_member(user, protected_group_name=u'admins'):
reason=_("privileged user"),
)
+
+def check_last_member(user, protected_group_name=u'admins'):
+ '''
+ Ensure the last enabled member of a protected group cannot
+ be disabled.
+ '''
# Get all users in the protected group
result = api.Command.user_find(in_group=protected_group_name)
@@ -796,6 +801,7 @@ class user_del(baseuser_del):
# If the target entry is a Delete entry, skip the orphaning/removal
# of OTP tokens.
check_protected_member(keys[-1])
+ check_last_member(keys[-1])
preserve = options.get('preserve', False)
@@ -1128,7 +1134,7 @@ class user_disable(LDAPQuery):
def execute(self, *keys, **options):
ldap = self.obj.backend
- check_protected_member(keys[-1])
+ check_last_member(keys[-1])
dn, _oc = self.obj.get_either_dn(*keys, **options)
ldap.deactivate_entry(dn)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index c0cb4d0..c2a55b8 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1530,6 +1530,30 @@ class TestIPACommand(IntegrationTest):
assert 'Discovered server %s' % self.master.hostname in result
+ def test_delete_last_enabled_admin(self):
+ """
+ The admin user may be disabled. Don't allow all other
+ members of admins to be removed if the admin user is
+ disabled which would leave the install with no
+ usable admins users
+ """
+ user = 'adminuser2'
+ passwd = 'Secret123'
+ tasks.create_active_user(self.master, user, passwd)
+ tasks.kinit_admin(self.master)
+ self.master.run_command(['ipa', 'group-add-member', 'admins',
+ '--users', user])
+ tasks.kinit_user(self.master, user, passwd)
+ self.master.run_command(['ipa', 'user-disable', 'admin'])
+ result = self.master.run_command(
+ ['ipa', 'user-del', user],
+ raiseonerr=False
+ )
+ self.master.run_command(['ipa', 'user-enable', 'admin'])
+ tasks.kdestroy_all(self.master)
+ assert result.returncode == 1
+ assert 'cannot be deleted or disabled' in result.stderr_text
+
class TestIPACommandWithoutReplica(IntegrationTest):
"""
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 3c58845..68c6c48 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -1045,8 +1045,8 @@ class TestAdmins(XMLRPC_test):
tracker = Tracker()
command = tracker.make_command('user_disable', admin1)
- with raises_exact(errors.ProtectedEntryError(label=u'user',
- key=admin1, reason='privileged user')):
+ with raises_exact(errors.LastMemberError(label=u'group',
+ key=admin1, container=admin_group)):
command()
def test_create_admin2(self, admin2):
@@ -1064,8 +1064,8 @@ class TestAdmins(XMLRPC_test):
admin2.disable()
tracker = Tracker()
- with raises_exact(errors.ProtectedEntryError(label=u'user',
- key=admin1, reason='privileged user')):
+ with raises_exact(errors.LastMemberError(label=u'group',
+ key=admin1, container=admin_group)):
tracker.run_command('user_disable', admin1)
admin2.delete()
diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py
index a8a92d0..9083e50 100644
--- a/ipatests/test_webui/test_user.py
+++ b/ipatests/test_webui/test_user.py
@@ -50,6 +50,8 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are "
FIELD_REQ = 'Required field'
ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $'
ERR_MISMATCH = 'Passwords must match'
+ERR_ADMIN_DISABLE = ('admin cannot be deleted or disabled because '
+ 'it is the last member of group admins')
ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user')
USR_EXIST = 'user with name "{}" already exists'
ENTRY_EXIST = 'This entry already exists'
@@ -546,7 +548,7 @@ class test_user(user_tasks):
self.select_record('admin')
self.facet_button_click('disable')
self.dialog_button_click('ok')
- self.assert_last_error_dialog(ERR_ADMIN_DEL, details=True)
+ self.assert_last_error_dialog(ERR_ADMIN_DISABLE, details=True)
self.dialog_button_click('ok')
self.assert_record('admin')

View File

@ -1,71 +0,0 @@
From 02b17c8560a6aabb4be1109a3a794412f527c83c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 13:00:48 +0200
Subject: [PATCH] ipatests: make sure PKINIT enrollment works with a strict
policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.
We set admin user authentication type to PASSWORD to simplify
configuration in the test.
What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
.../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py
index caa0e6a34dc7e50359a41314e419a0d5be0c3aa8..5c2e7af0231677d4653ea2f82fa3dffed711a10d 100644
--- a/ipatests/test_integration/test_pkinit_install.py
+++ b/ipatests/test_integration/test_pkinit_install.py
@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
def install(cls, mh):
tasks.install_master(cls.master)
+ def enforce_password_and_otp(self):
+ """enforce otp by default and password for admin """
+ self.master.run_command(
+ [
+ "ipa",
+ "config-mod",
+ "--user-auth-type=otp",
+ ]
+ )
+ self.master.run_command(
+ [
+ "ipa",
+ "user-mod",
+ "admin",
+ "--user-auth-type=password",
+ ]
+ )
+
def add_certmaperule(self):
"""add certmap rule to map SAN dNSName to host entry"""
self.master.run_command(
@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
client.put_file_contents(self.tmpbundle, cabundle)
+ def test_restart_krb5kdc(self):
+ tasks.kinit_admin(self.master)
+ self.enforce_password_and_otp()
+ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
+ self.master.run_command(['systemctl', 'start', 'kadmin.service'])
+
def test_client_install_pkinit(self):
tasks.kinit_admin(self.master)
self.add_certmaperule()
--
2.43.0

View File

@ -0,0 +1,13 @@
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index b3f9347..75e8680 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -539,7 +539,7 @@ class OTPTokenImport(admintool.AdminTool):
# Load the keyfile.
keyfile = self.safe_options.keyfile
- with open(keyfile) as f:
+ with open(keyfile, "rb") as f:
self.doc.setKey(f.read())
def run(self):

View File

@ -0,0 +1,114 @@
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 38693c9..35cec89 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1327,6 +1327,8 @@ class CAInstance(DogtagInstance):
generation master:
- in CS.cfg ca.crl.MasterCRL.enableCRLCache=true
- in CS.cfg ca.crl.MasterCRL.enableCRLUpdates=true
+ - in CS.cfg ca.listenToCloneModifications=true
+ - in CS.cfg ca.certStatusUpdateInterval != 0
- in /etc/httpd/conf.d/ipa-pki-proxy.conf the RewriteRule
^/ipa/crl/MasterCRL.bin is disabled (commented or removed)
@@ -1342,15 +1344,30 @@ class CAInstance(DogtagInstance):
updates = directivesetter.get_directive(
self.config, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
enableCRLUpdates = updates.lower() == 'true'
+ listen = directivesetter.get_directive(
+ self.config, 'ca.listenToCloneModifications', '=')
+ enableToClone = listen.lower() == 'true'
+ updateinterval = directivesetter.get_directive(
+ self.config, 'ca.certStatusUpdateInterval', '=')
# If the values are different, the config is inconsistent
- if enableCRLCache != enableCRLUpdates:
+ if not (enableCRLCache == enableCRLUpdates == enableToClone):
raise InconsistentCRLGenConfigException(
"Configuration is inconsistent, please check "
- "ca.crl.MasterCRL.enableCRLCache and "
- "ca.crl.MasterCRL.enableCRLUpdates in {} and "
+ "ca.crl.MasterCRL.enableCRLCache, "
+ "ca.crl.MasterCRL.enableCRLUpdates and "
+ "ca.listenToCloneModifications in {} and "
"run ipa-crlgen-manage [enable|disable] to repair".format(
self.config))
+ # If they are the same then we are the CRL renewal master. Ensure
+ # the update task is configured.
+ if enableCRLCache and updateinterval == '0':
+ raise InconsistentCRLGenConfigException(
+ "Configuration is inconsistent, please check "
+ "ca.certStatusUpdateInterval in {}. It should "
+ "be either not present or not zero. Run "
+ "ipa-crlgen-manage [enable|disable] to repair".format(
+ self.config))
except IOError:
raise RuntimeError(
"Unable to read {}".format(self.config))
@@ -1407,6 +1424,11 @@ class CAInstance(DogtagInstance):
str_value = str(setup_crlgen).lower()
ds.set('ca.crl.MasterCRL.enableCRLCache', str_value)
ds.set('ca.crl.MasterCRL.enableCRLUpdates', str_value)
+ ds.set('ca.listenToCloneModifications', str_value)
+ if setup_crlgen:
+ ds.set('ca.certStatusUpdateInterval', None)
+ else:
+ ds.set('ca.certStatusUpdateInterval', '0')
# Start pki-tomcat
logger.info("Starting %s", self.service_name)
diff --git a/ipatests/test_integration/test_crlgen_manage.py b/ipatests/test_integration/test_crlgen_manage.py
index 2a733bd..c6f41eb 100644
--- a/ipatests/test_integration/test_crlgen_manage.py
+++ b/ipatests/test_integration/test_crlgen_manage.py
@@ -61,6 +61,16 @@ def check_crlgen_status(host, rc=0, msg=None, enabled=True, check_crl=False):
ext.value.crl_number)
assert number_msg in result.stdout_text
+ try:
+ value = get_CS_cfg_value(host, 'ca.certStatusUpdateInterval')
+ except IOError:
+ return
+
+ if enabled:
+ assert value is None
+ else:
+ assert value == '0'
+
def check_crlgen_enable(host, rc=0, msg=None, check_crl=False):
"""Check ipa-crlgen-manage enable command
@@ -125,6 +135,23 @@ def break_crlgen_with_CS_cfg(host):
check_crlgen_status(host, rc=1, msg="Configuration is inconsistent")
+def get_CS_cfg_value(host, directive):
+ """Retrieve and return the a directive from the CA CS.cfg
+
+ This returns None if the directives is not found.
+ """
+ content = host.get_file_contents(paths.CA_CS_CFG_PATH,
+ encoding='utf-8')
+ value = None
+ for line in content.split('\n'):
+ l = line.lower()
+
+ if l.startswith(directive.lower()):
+ value = line.split('=', 1)[1]
+
+ return value
+
+
class TestCRLGenManage(IntegrationTest):
"""Tests the ipa-crlgen-manage command.
@@ -196,6 +223,9 @@ class TestCRLGenManage(IntegrationTest):
Install a CA clone and enable CRLgen"""
tasks.install_ca(self.replicas[0])
+ value = get_CS_cfg_value(self.replicas[0],
+ 'ca.certStatusUpdateInterval')
+ assert value == '0'
check_crlgen_enable(
self.replicas[0], rc=0,
msg="make sure to have only a single CRL generation master",

View File

@ -0,0 +1,337 @@
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index d5b184f..b38ea73 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -549,6 +549,12 @@ class idrange_add(LDAPCreate):
self.obj.handle_ipabaserid(entry_attrs, options)
self.obj.handle_iparangetype(entry_attrs, options,
keep_objectclass=True)
+ self.add_message(
+ messages.ServiceRestartRequired(
+ service=services.knownservices.dirsrv.service_instance(""),
+ server=_('<all IPA servers>')
+ )
+ )
return dn
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index f912e04..e3f4c23 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -372,6 +372,8 @@ IPA_LOCAL_RANGE_MOD_ERR = (
"domain. Run `ipa help idrange` for more information"
)
+dirsrv_instance = services.knownservices.dirsrv.service_instance("")
+
@pytest.mark.tier1
class test_range(Declarative):
@@ -464,6 +466,11 @@ class test_range(Declarative):
),
value=testrange1,
summary=u'Added ID range "%s"' % (testrange1),
+ messages=(
+ messages.ServiceRestartRequired(
+ service=dirsrv_instance,
+ server='<all IPA servers>').to_dict(),
+ ),
),
),
@@ -633,6 +640,11 @@ class test_range(Declarative):
),
value=testrange2,
summary=u'Added ID range "%s"' % (testrange2),
+ messages=(
+ messages.ServiceRestartRequired(
+ service=dirsrv_instance,
+ server='<all IPA servers>').to_dict(),
+ ),
),
),
@@ -792,6 +804,11 @@ class test_range(Declarative):
),
value=unicode(domain7range1),
summary=u'Added ID range "%s"' % (domain7range1),
+ messages=(
+ messages.ServiceRestartRequired(
+ service=dirsrv_instance,
+ server='<all IPA servers>').to_dict(),
+ ),
),
),
@@ -1079,6 +1096,11 @@ class test_range(Declarative):
),
value=testrange9,
summary=u'Added ID range "%s"' % (testrange9),
+ messages=(
+ messages.ServiceRestartRequired(
+ service=dirsrv_instance,
+ server='<all IPA servers>').to_dict(),
+ ),
),
),
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index b38ea73..b12e1b8 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -549,12 +549,15 @@ class idrange_add(LDAPCreate):
self.obj.handle_ipabaserid(entry_attrs, options)
self.obj.handle_iparangetype(entry_attrs, options,
keep_objectclass=True)
- self.add_message(
- messages.ServiceRestartRequired(
- service=services.knownservices.dirsrv.service_instance(""),
- server=_('<all IPA servers>')
+
+ if entry_attrs.single_value.get('iparangetype') in (
+ 'ipa-local', self.obj.range_types.get('ipa-local', None)):
+ self.add_message(
+ messages.ServiceRestartRequired(
+ service=services.knownservices.dirsrv.service_instance(""),
+ server=_('<all IPA servers>')
+ )
)
- )
return dn
@@ -568,7 +571,8 @@ class idrange_del(LDAPDelete):
try:
old_attrs = ldap.get_entry(dn, ['ipabaseid',
'ipaidrangesize',
- 'ipanttrusteddomainsid'])
+ 'ipanttrusteddomainsid',
+ 'iparangetype'])
except errors.NotFound:
raise self.obj.handle_not_found(*keys)
@@ -602,6 +606,20 @@ class idrange_del(LDAPDelete):
key=keys[0],
dependent=trust_domains[0].dn[0].value)
+ self.add_message(
+ messages.ServiceRestartRequired(
+ service=services.knownservices['sssd'].systemd_name,
+ server=_('<all IPA servers>')
+ )
+ )
+
+ if old_attrs.single_value.get('iparangetype') == 'ipa-local':
+ self.add_message(
+ messages.ServiceRestartRequired(
+ service=services.knownservices.dirsrv.service_instance(""),
+ server=_('<all IPA servers>')
+ )
+ )
return dn
@@ -804,10 +822,20 @@ class idrange_mod(LDAPUpdate):
assert isinstance(dn, DN)
self.obj.handle_ipabaserid(entry_attrs, options)
self.obj.handle_iparangetype(entry_attrs, options)
+
+ if entry_attrs.single_value.get('iparangetype') in (
+ 'ipa-local', self.obj.range_types.get('ipa-local', None)):
+ self.add_message(
+ messages.ServiceRestartRequired(
+ service=services.knownservices.dirsrv.service_instance(""),
+ server=_('<all IPA servers>')
+ )
+ )
+
self.add_message(
messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
- server=keys[0]
+ server=_('<all IPA servers>')
)
)
return dn
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index e3f4c23..531fe4a 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -26,7 +26,8 @@ import six
from ipalib import api, errors, messages
from ipalib import constants
from ipaplatform import services
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
+from ipatests.test_xmlrpc.xmlrpc_test import (
+ Declarative, fuzzy_uuid, Fuzzy, fuzzy_sequence_of)
from ipatests.test_xmlrpc import objectclasses
from ipatests.util import MockLDAP
from ipapython.dn import DN
@@ -374,6 +375,8 @@ IPA_LOCAL_RANGE_MOD_ERR = (
dirsrv_instance = services.knownservices.dirsrv.service_instance("")
+fuzzy_restart_messages = fuzzy_sequence_of(Fuzzy(type=dict))
+
@pytest.mark.tier1
class test_range(Declarative):
@@ -610,7 +613,8 @@ class test_range(Declarative):
desc='Delete ID range %r' % testrange1,
command=('idrange_del', [testrange1], {}),
expected=dict(
- result=dict(failed=[]),
+ result=dict(failed=[],
+ messages=fuzzy_restart_messages),
value=[testrange1],
summary=u'Deleted ID range "%s"' % testrange1,
),
@@ -714,7 +718,8 @@ class test_range(Declarative):
desc='Delete ID range %r' % testrange2,
command=('idrange_del', [testrange2], {}),
expected=dict(
- result=dict(failed=[]),
+ result=dict(failed=[],
+ messages=fuzzy_restart_messages),
value=[testrange2],
summary=u'Deleted ID range "%s"' % testrange2,
),
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index 531fe4a..3646952 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -613,8 +613,8 @@ class test_range(Declarative):
desc='Delete ID range %r' % testrange1,
command=('idrange_del', [testrange1], {}),
expected=dict(
- result=dict(failed=[],
- messages=fuzzy_restart_messages),
+ result=dict(failed=[]),
+ messages=fuzzy_restart_messages,
value=[testrange1],
summary=u'Deleted ID range "%s"' % testrange1,
),
@@ -718,8 +718,8 @@ class test_range(Declarative):
desc='Delete ID range %r' % testrange2,
command=('idrange_del', [testrange2], {}),
expected=dict(
- result=dict(failed=[],
- messages=fuzzy_restart_messages),
+ result=dict(failed=[]),
+ messages=fuzzy_restart_messages,
value=[testrange2],
summary=u'Deleted ID range "%s"' % testrange2,
),
@@ -809,11 +809,6 @@ class test_range(Declarative):
),
value=unicode(domain7range1),
summary=u'Added ID range "%s"' % (domain7range1),
- messages=(
- messages.ServiceRestartRequired(
- service=dirsrv_instance,
- server='<all IPA servers>').to_dict(),
- ),
),
),
@@ -836,6 +831,7 @@ class test_range(Declarative):
result=dict(failed=[]),
value=[domain1range1],
summary=u'Deleted ID range "%s"' % domain1range1,
+ messages=fuzzy_restart_messages,
),
),
@@ -862,12 +858,7 @@ class test_range(Declarative):
command=('idrange_mod', [domain3range2],
dict(ipabaseid=domain3range1_base_id)),
expected=dict(
- messages=(
- messages.ServiceRestartRequired(
- service=services.knownservices['sssd'].systemd_name,
- server=domain3range2
- ).to_dict(),
- ),
+ messages=fuzzy_restart_messages,
result=dict(
cn=[domain3range2],
ipabaseid=[unicode(domain3range1_base_id)],
@@ -933,12 +924,7 @@ class test_range(Declarative):
command=('idrange_mod', [domain2range1],
dict(ipabaserid=domain5range1_base_rid)),
expected=dict(
- messages=(
- messages.ServiceRestartRequired(
- service=services.knownservices['sssd'].systemd_name,
- server=domain2range1
- ).to_dict(),
- ),
+ messages=fuzzy_restart_messages,
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
@@ -973,12 +959,7 @@ class test_range(Declarative):
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='true')),
expected=dict(
- messages=(
- messages.ServiceRestartRequired(
- service=services.knownservices['sssd'].systemd_name,
- server=domain2range1
- ).to_dict(),
- ),
+ messages=fuzzy_restart_messages,
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
@@ -1000,12 +981,7 @@ class test_range(Declarative):
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='false')),
expected=dict(
- messages=(
- messages.ServiceRestartRequired(
- service=services.knownservices['sssd'].systemd_name,
- server=domain2range1
- ).to_dict(),
- ),
+ messages=fuzzy_restart_messages,
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
@@ -1027,12 +1003,7 @@ class test_range(Declarative):
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='hybrid')),
expected=dict(
- messages=(
- messages.ServiceRestartRequired(
- service=services.knownservices['sssd'].systemd_name,
- server=domain2range1
- ).to_dict(),
- ),
+ messages=fuzzy_restart_messages,
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
@@ -1054,12 +1025,7 @@ class test_range(Declarative):
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='')),
expected=dict(
- messages=(
- messages.ServiceRestartRequired(
- service=services.knownservices['sssd'].systemd_name,
- server=domain2range1
- ).to_dict(),
- ),
+ messages=fuzzy_restart_messages,
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
@@ -1116,6 +1082,7 @@ class test_range(Declarative):
result=dict(failed=[]),
value=[testrange9],
summary=u'Deleted ID range "%s"' % testrange9,
+ messages=fuzzy_restart_messages,
),
),

View File

@ -1,46 +0,0 @@
From 8bdfbe8d2b203c64444390985011b2372f3bc08e Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 20 Dec 2023 18:42:25 +0530
Subject: [PATCH] ipatests: Skip ds_encryption tests on RHEL9 SUT.
test_ipahealthcheck_ds_encryption tests are failing
in RHEL9 SUT because in this test tls protocol version
is set to TLS1.0 using the below command, but its
reset to TLS1.2 causing the test to fail.
'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0'
Hence the test is skipped to be run on RHEL9.0 SUT.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 785e9abbae3b807f100a3d875e0c0b23f868be83..40c84898894681d8daf386b522118a6a7f793227 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -158,7 +158,6 @@ TOMCAT_CONFIG_FILES = (
paths.CA_CS_CFG_PATH,
)
-
def run_healthcheck(host, source=None, check=None, output_type="json",
failures_only=False, config=None):
"""
@@ -1262,6 +1261,10 @@ class TestIpaHealthCheck(IntegrationTest):
)
self.master.run_command(cmd)
+ @pytest.mark.skipif((osinfo.id == 'rhel'
+ and osinfo.version_number >= (9,0)),
+ reason=" TLS versions below 1.2 are not "
+ "supported anymore in RHEL9.0 and above.")
def test_ipahealthcheck_ds_encryption(self, modify_tls):
"""
This testcase modifies the default TLS version of
--
2.43.0

View File

@ -1,61 +0,0 @@
From b465cf6ea596907a2845c38df9c2446efe8e65ae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Jan 2024 17:32:45 -0500
Subject: [PATCH] ACME: Don't treat pki-server ca-config-show failures as fatal
Up to PKI 11.5.0 even when a pki-server call failed it had a
return value of 0. This was fixed in 11.5.0 which breaks
ipa-acme-manage pruning. If a configuration value is not set
then the call fails and the tool gives up with an error like:
ERROR: No such parameter: jobsScheduler.job.pruning.certRetentionUnit
In previous versions this resulted in an empty string so the tool
displayed the default value.
So now upon failure look in the stderr output for "No such parameter"
and return an empty string so the behavior is consistent between
both old and new PKI server versions.
Fixes: https://pagure.io/freeipa/issue/9503
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ipa_acme_manage.py | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/ipa_acme_manage.py b/ipaserver/install/ipa_acme_manage.py
index e7c35ff6fb5b7a30ac9e2c0c18f8db805cf06ee9..dc2359f49dfdd5c8f44ab96ee11a7240f8937e11 100644
--- a/ipaserver/install/ipa_acme_manage.py
+++ b/ipaserver/install/ipa_acme_manage.py
@@ -261,8 +261,13 @@ class IPAACMEManage(AdminTool):
result = run(args, raiseonerr=False, capture_output=True,
capture_error=True)
if result.returncode != 0:
+ # See if the parameter doesn't exist. If not then no
+ # user-specified value has been set.
+ # ERROR: No such parameter: jobsScheduler...
+ if 'No such parameter' in result.error_output:
+ return ''
raise RuntimeError(result.error_output)
- return result
+ return result.output.strip()
def ca_config_set(directive, value,
prefix='jobsScheduler.job.pruning'):
@@ -274,9 +279,8 @@ class IPAACMEManage(AdminTool):
raise RuntimeError('Updating %s failed' % directive)
def ca_config_show(directive):
- result = run_pki_server('ca-config-show', directive,
- prefix='jobsScheduler.job.pruning')
- return result.output.strip()
+ return run_pki_server('ca-config-show', directive,
+ prefix='jobsScheduler.job.pruning')
def config_show():
status = ca_config_show('enabled')
--
2.43.0

View File

@ -0,0 +1,58 @@
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 619be83..9be1b67 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -55,7 +55,7 @@ from ipapython.dn import DN
from ipapython.ipautil import datetime_from_utctimestamp
from ipaserver.plugins.service import normalize_principal, validate_realm
from ipaserver.masters import (
- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
)
try:
@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
def ca_kdc_check(api_instance, hostname):
master_dn = api_instance.Object.server.get_dn(unicode(hostname))
kdc_dn = DN(('cn', 'KDC'), master_dn)
- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
try:
kdc_entry = api_instance.Backend.ldap2.get_entry(
kdc_dn, ['ipaConfigString'])
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index b71f2d5..7ef44c5 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -26,6 +26,7 @@ from ipalib.constants import (
)
from ipaplatform.paths import paths
from ipapython import certdb
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
from ipatests.test_integration.test_dns_locations import (
resolve_records_from_server, IPA_DEFAULT_MASTER_SRV_REC
)
@@ -1241,6 +1242,23 @@ class TestHiddenReplicaPromotion(IntegrationTest):
'ipa-crlgen-manage', 'status'])
assert "CRL generation: enabled" in result.stdout_text
+ def test_hidden_replica_renew_pkinit_cert(self):
+ """Renew the PKINIT cert on a hidden replica.
+
+ Test for https://pagure.io/freeipa/issue/9611
+ """
+ # Get Request ID
+ cmd = ['getcert', 'list', '-f', paths.KDC_CERT]
+ result = self.replicas[0].run_command(cmd)
+ req_id = get_certmonger_fs_id(result.stdout_text)
+
+ self.replicas[0].run_command([
+ 'getcert', 'resubmit', '-f', paths.KDC_CERT
+ ])
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+
class TestHiddenReplicaKRA(IntegrationTest):
"""Test KRA & hidden replica features.

View File

@ -1,125 +0,0 @@
From 6340e88341b09b06391b35e50e8c4d7619b12dab Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Dec 2023 08:51:05 -0500
Subject: [PATCH] Fix ipa-client-automount install/uninstall with new install
states
Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().
The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".
Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.
This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.
Fixes: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/client.py | 14 ++++++++++++--
ipaclient/install/ipa_client_automount.py | 14 ++++++++------
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 7e3adee351ae31ed9fcbba422fcc03a1f904e1f9..976d3821dd6d66b5b7653298c628a2bc267fa8c6 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1273,7 +1273,7 @@ def create_sshd_ipa_config(options):
logger.info('Configured %s', paths.SSHD_IPA_CONFIG)
-def configure_automount(options):
+def configure_automount(options, statestore):
logger.info('\nConfiguring automount:')
args = [
@@ -1286,12 +1286,15 @@ def configure_automount(options):
if not options.sssd:
args.append('--no-sssd')
+ statestore.backup_state('installation', 'automount', True)
try:
result = run(args)
except Exception as e:
logger.error('Automount configuration failed: %s', str(e))
else:
logger.info('%s', result.output_log)
+ finally:
+ statestore.delete_state('installation', 'automount')
def configure_nisdomain(options, domain, statestore):
@@ -3305,7 +3308,11 @@ def _install(options, tdict):
configure_sshd_config(fstore, options)
if options.location:
- configure_automount(options)
+ configure_automount(options, statestore)
+
+ # Reload the state as automount install may have modified it
+ fstore._load()
+ statestore._load()
if options.configure_firefox:
configure_firefox(options, statestore, cli_domain)
@@ -3368,12 +3375,15 @@ def uninstall(options):
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
+ statestore.backup_state('installation', 'automount', True)
try:
run([paths.IPA_CLIENT_AUTOMOUNT, "--uninstall", "--debug"])
except CalledProcessError as e:
if e.returncode != CLIENT_NOT_CONFIGURED:
logger.error(
"Unconfigured automount client failed: %s", str(e))
+ finally:
+ statestore.delete_state('installation', 'automount')
# Reload the state as automount unconfigure may have modified it
fstore._load()
diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py
index b4b3387530afa9e80d13dd69e9d80080702f9e07..ee27872868b9ceaffdc58a9cf3fa89938e045526 100644
--- a/ipaclient/install/ipa_client_automount.py
+++ b/ipaclient/install/ipa_client_automount.py
@@ -340,14 +340,16 @@ def configure_nfs(fstore, statestore, options):
def configure_automount():
- try:
- check_client_configuration()
- except ScriptError as e:
- print(e.msg)
- sys.exit(e.rval)
+ statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
+ if not statestore.get_state('installation', 'automount'):
+ # not called from ipa-client-install
+ try:
+ check_client_configuration()
+ except ScriptError as e:
+ print(e.msg)
+ sys.exit(e.rval)
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
- statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
options, _args = parse_options()
--
2.43.0

View File

@ -1,73 +0,0 @@
From 18764964b72ba237eba5f7b1078185b2f0393d72 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Dec 2023 10:47:24 -0500
Subject: [PATCH] ipatests: Test client install/uninstall with automount
enabled
The automount installation was failing. Confirm that it is fixed.
The uninstall was not restoring all files/configuration. Verify
that the index and state files are gone which means that all state
and files were restored.
Fixes: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../test_installation_client.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index 56e1593bfcfa3eb7f9918fc6f2993d836884ea38..f8567b39eead4dffd522aad504fa72a086969257 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -8,12 +8,14 @@ Module provides tests for various options of ipa-client-install.
from __future__ import absolute_import
+import os
import pytest
import re
import shlex
import textwrap
from ipaplatform.paths import paths
+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.firewall import Firewall
@@ -90,6 +92,29 @@ class TestInstallClient(IntegrationTest):
assert 'includedir {dir}'.format(
dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
).encode() not in krb5_cfg
+ tasks.uninstall_client(self.clients[0])
+
+ def test_install_with_automount(self):
+ """Test that installation with automount is successful"""
+ tasks.install_client(self.master, self.clients[0],
+ extra_args=['--automount-location', 'default'])
+
+ def test_uninstall_with_automount(self):
+ """Test that uninstall with automount is successful and complete"""
+ tasks.uninstall_client(self.clients[0])
+ index = os.path.join(
+ paths.IPA_CLIENT_SYSRESTORE, SYSRESTORE_INDEXFILE
+ )
+ state = os.path.join(
+ paths.IPA_CLIENT_SYSRESTORE, SYSRESTORE_STATEFILE
+ )
+ for filepath in (index, state):
+ try:
+ self.clients[0].get_file_contents(filepath)
+ except IOError:
+ pass
+ else:
+ pytest.fail("The client file %s was not removed" % filepath)
class TestClientInstallBind(IntegrationTest):
--
2.43.0

View File

@ -1,66 +0,0 @@
From 526147ec9362124191a54c9ae8debd0234af3d49 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 1 Dec 2023 09:08:48 -0500
Subject: [PATCH] ipa-client-automount: Don't use deprecated
ipadiscovery.IPADiscovery
This class was moved to ipaclient/discovery.py in e6d560af66 to make
it available to PyPI.
Related: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/ipa_client_automount.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py
index ee27872868b9ceaffdc58a9cf3fa89938e045526..297a784c4e1b6f1d29d51b6d3fd4b91d05672b9c 100644
--- a/ipaclient/install/ipa_client_automount.py
+++ b/ipaclient/install/ipa_client_automount.py
@@ -36,7 +36,7 @@ from six.moves.urllib.parse import urlsplit
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipachangeconf
-from ipaclient.install import ipadiscovery
+from ipaclient import discovery
from ipaclient.install.client import (
CLIENT_NOT_CONFIGURED,
CLIENT_ALREADY_CONFIGURED,
@@ -384,12 +384,12 @@ def configure_automount():
sys.exit(CLIENT_ALREADY_CONFIGURED)
autodiscover = False
- ds = ipadiscovery.IPADiscovery()
+ ds = discovery.IPADiscovery()
if not options.server:
print("Searching for IPA server...")
ret = ds.search(ca_cert_path=ca_cert_path)
logger.debug('Executing DNS discovery')
- if ret == ipadiscovery.NO_LDAP_SERVER:
+ if ret == discovery.NO_LDAP_SERVER:
logger.debug('Autodiscovery did not find LDAP server')
s = urlsplit(api.env.xmlrpc_uri)
server = [s.netloc]
@@ -409,14 +409,14 @@ def configure_automount():
server = options.server
logger.debug("Verifying that %s is an IPA server", server)
ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
- if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
+ if ldapret[0] == discovery.NO_ACCESS_TO_LDAP:
print("Anonymous access to the LDAP server is disabled.")
print("Proceeding without strict verification.")
print(
"Note: This is not an error if anonymous access has been "
"explicitly restricted."
)
- elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
+ elif ldapret[0] == discovery.NO_TLS_LDAP:
logger.warning("Unencrypted access to LDAP is not supported.")
elif ldapret[0] != 0:
sys.exit('Unable to confirm that %s is an IPA server' % server)
--
2.43.0

View File

@ -1,98 +0,0 @@
From d2ffa10df62bba45aa63232d3ad9a5ebf7158eea Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 5 Dec 2023 14:34:31 -0500
Subject: [PATCH] Server affinity: Retain user-requested remote server
We want to avoid splitting a replica server installation between
two hosts where possible so if a CA or KRA is requested then
we only try to install against a remote server that also provides
those capabilities. This avoids race conditions.
If a CA or KRA is not requested and the user has provided a
server to install against then use that instead of overriding it.
Extend the logic of picking the remote Custodia mode
(KRA, CA, *MASTER*) to include considering whether the
CA and KRA services are requested. If the service(s) are
not requested the the associated hostname may not be
reliable.
Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/server/replicainstall.py | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 27fbdef8ec9aa5ae343352ebf3c61d74d65c8958..8096b6accb4c94fefdfcc06f19584c63c24d7baf 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
def remote_connection(config):
+ logger.debug("Creating LDAP connection to %s", config.master_host_name)
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
xmlrpc_uri = 'https://{}/ipa/xml'.format(
ipautil.format_netloc(config.master_host_name))
@@ -1087,7 +1088,7 @@ def promote_check(installer):
'CA', conn, preferred_cas
)
if ca_host is not None:
- if config.master_host_name != ca_host:
+ if options.setup_ca and config.master_host_name != ca_host:
conn.disconnect()
del remote_api
config.master_host_name = ca_host
@@ -1096,8 +1097,7 @@ def promote_check(installer):
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
config.ca_host_name = ca_host
- config.master_host_name = ca_host
- ca_enabled = True
+ ca_enabled = True # There is a CA somewhere in the topology
if options.dirsrv_cert_files:
logger.error("Certificates could not be provided when "
"CA is present on some master.")
@@ -1135,7 +1135,7 @@ def promote_check(installer):
'KRA', conn, preferred_kras
)
if kra_host is not None:
- if config.master_host_name != kra_host:
+ if options.setup_kra and config.master_host_name != kra_host:
conn.disconnect()
del remote_api
config.master_host_name = kra_host
@@ -1143,10 +1143,9 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
- config.ca_host_name = kra_host
- config.master_host_name = kra_host
- kra_enabled = True
+ config.kra_host_name = kra_host
+ config.ca_host_name = kra_host
+ kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
kra_host != options.server:
# Installer was provided with a specific master
@@ -1372,10 +1371,10 @@ def install(installer):
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
- elif ca_enabled:
+ elif options.setup_ca and ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
--
2.43.0

View File

@ -1,120 +0,0 @@
From 95b066d629de935bfb52e732ce52026e18e9c64d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 10 Jan 2024 16:45:12 -0500
Subject: [PATCH] get_directive: don't error out on substring mismatch
This function is designed to retrieve a value from an
ini-like file. In particular PKI CS.cfg.
In an attempt to be more efficient a substring search,
using startswith(), is used before calling a regular
expression match.
The problem is that if the requested directive is a
substring of a different one then it will pass the
startswith() and fail the regular expression match
with a ValueError, assuming it is malformed.
There is no need for this. The caller must be able to
handle None as a response anyway. So continue if
no match is found.
This was seen when PKI dropped storing certificate blobs
in CS.cfg. The CA certificate is stored in ca.signing.cert.
If it isn't present then ca.signing.certnickname will match
the substring but not the directive. This should not be
treated as an error.
Fixes: https://pagure.io/freeipa/issue/9506
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipapython/directivesetter.py | 5 ++-
.../test_ipapython/test_directivesetter.py | 33 +++++++++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/ipapython/directivesetter.py b/ipapython/directivesetter.py
index f4e496c7f0f785a909bfb5b8196582fb5dd865ea..732e1c239ca375e6ec08882e4731f97cb1ff58a9 100644
--- a/ipapython/directivesetter.py
+++ b/ipapython/directivesetter.py
@@ -182,6 +182,9 @@ def get_directive(filename, directive, separator=' '):
if separator == ' ':
separator = '[ \t]+'
+ if directive is None:
+ return None
+
result = None
with open(filename, "r") as fd:
for line in fd:
@@ -193,7 +196,7 @@ def get_directive(filename, directive, separator=' '):
if match:
value = match.group(1)
else:
- raise ValueError("Malformed directive: {}".format(line))
+ continue
result = unquote_directive_value(value.strip(), '"')
result = result.strip(' ')
diff --git a/ipatests/test_ipapython/test_directivesetter.py b/ipatests/test_ipapython/test_directivesetter.py
index 08a30124b12c3bd8edf8fa7930377faf7b181f5d..ff86559e0a3eb018e4a26a489c190a0da380ce1f 100644
--- a/ipatests/test_ipapython/test_directivesetter.py
+++ b/ipatests/test_ipapython/test_directivesetter.py
@@ -18,6 +18,10 @@ WHITESPACE_CONFIG = [
'foobar\t2\n',
]
+SUBSTRING_CONFIG = [
+ 'foobar=2\n',
+]
+
class test_set_directive_lines:
def test_remove_directive(self):
@@ -88,6 +92,7 @@ class test_set_directive:
class test_get_directive:
def test_get_directive(self, tmpdir):
+ """Test retrieving known values from a config file"""
configfile = tmpdir.join('config')
configfile.write(''.join(EXAMPLE_CONFIG))
@@ -97,6 +102,34 @@ class test_get_directive:
assert '2' == directivesetter.get_directive(str(configfile),
'foobar',
separator='=')
+ assert None is directivesetter.get_directive(str(configfile),
+ 'notfound',
+ separator='=')
+
+ def test_get_directive_substring(self, tmpdir):
+ """Test retrieving values from a config file where there is
+ a similar substring that is not present.
+ """
+ configfile = tmpdir.join('config')
+ configfile.write(''.join(SUBSTRING_CONFIG))
+
+ assert None is directivesetter.get_directive(str(configfile),
+ 'foo',
+ separator='=')
+ assert '2' == directivesetter.get_directive(str(configfile),
+ 'foobar',
+ separator='=')
+
+ def test_get_directive_none(self, tmpdir):
+ """Test retrieving a value from a config file where the
+ directive is None. i.e. don't fail.
+ """
+ configfile = tmpdir.join('config')
+ configfile.write(''.join(EXAMPLE_CONFIG))
+
+ assert None is directivesetter.get_directive(str(configfile),
+ None,
+ separator='=')
class test_get_directive_whitespace:
--
2.43.0

View File

@ -1,54 +0,0 @@
From 851ce93ac07044172a7db56d54ab9e1d7c7ec79f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Jan 2024 09:05:58 -0500
Subject: [PATCH] Server affinity: Don't rely just on [ca|kra]_enabled for
installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/server/replicainstall.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8096b6accb4c94fefdfcc06f19584c63c24d7baf..191913ddb973b94bcd8ad920570edcee27349ffd 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1143,7 +1143,8 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
+ config.kra_host_name = kra_host
+ if options.setup_kra: # only reset ca_host if KRA is requested
config.ca_host_name = kra_host
kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
@@ -1381,7 +1382,7 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if ca_enabled:
+ if options.setup_ca and ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
@@ -1397,7 +1398,7 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
--
2.43.0

View File

@ -1,69 +0,0 @@
From 5dbb3101cee7a96ec8eef40be8e802d456c0d06c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 22 Jan 2024 08:36:27 -0500
Subject: [PATCH] Server affinity: call ca.install() if there is a CA in the
topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ca.py | 7 ++++---
ipaserver/install/server/replicainstall.py | 7 +++++--
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index c93ae1fce4c8848d493677eafee7952740e51631..187f8032b6190799027135d5d3932dbdee4dea8a 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia):
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
- custodia.get_ca_keys(
- cafile,
- replica_config.dirman_password)
+ if replica_config.setup_ca:
+ custodia.get_ca_keys(
+ cafile,
+ replica_config.dirman_password)
ca_signing_algorithm = None
ca_type = None
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 191913ddb973b94bcd8ad920570edcee27349ffd..b3fd27e6a15db298f9a97d514d24662c83141013 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1382,11 +1382,13 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if options.setup_ca and ca_enabled:
+ if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
+ # Always call ca.install() if there is a CA in the topology
+ # to ensure the RA agent is present.
ca.install(False, config, options, custodia=custodia)
# configure PKINIT now that all required services are in place
@@ -1398,7 +1400,8 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if options.setup_kra and kra_enabled:
+ if kra_enabled:
+ # The KRA installer checks for itself the status of setup_kra
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
--
2.43.0

View File

@ -1,47 +0,0 @@
From f8a616dc6196324145372713da772fe9b2352e53 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Tue, 23 Jan 2024 19:19:43 +0300
Subject: [PATCH] ipapython: Correct return type of krb5_free_cred_contents
According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
>
> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
> param:
> [in] context - Library context
>
> [in] val - Credential structure to free contents of
>
> This function frees the contents of val , but not the structure itself.
https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
This leads to undefined behavior and `krb5_free_cred_contents` can
raise KRB5Error (because of garbage data) while actually its foreign
function doesn't.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipapython/session_storage.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 371cf152472d54c9a59b60bece9559323ede78b7..dc36f54939a838bcb933dfb0089410d9b00f9e4d 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck
krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))
-krb5_free_cred_contents.restype = krb5_error
-krb5_free_cred_contents.errcheck = krb5_errcheck
+krb5_free_cred_contents.restype = None
krb5_principal_compare = LIBKRB5.krb5_principal_compare
krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
--
2.43.0

View File

@ -1,53 +0,0 @@
From 59b8a9fb7169561c7ba9168fe84f47ae94e5ce23 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Tue, 23 Jan 2024 19:52:34 +0300
Subject: [PATCH] ipapython: Propagate KRB5Error exceptions on iterating ccache
`ipapython.session_storage.get_data` iterates over
credentials in a credential cache till `krb5_cc_next_cred` returns
an error. This function doesn't expect any error on calling
other kerberos foreign functions during iteration. But that can
actually happen and KRB5Error exceptions stop an iteration while
they should be propagated.
With this change iteration will exactly stop on `krb5_cc_next_cred`
error as it was supposed to be.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipapython/session_storage.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index dc36f54939a838bcb933dfb0089410d9b00f9e4d..e890dc9b11475cc26d212ccbe040df3cfbfba6e8 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -312,8 +312,12 @@ def get_data(princ_name, key):
checkcreds = krb5_creds()
# the next function will throw an error and break out of the
# while loop when we try to access past the last cred
- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
- ctypes.byref(checkcreds))
+ try:
+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
+ ctypes.byref(checkcreds))
+ except KRB5Error:
+ break
+
if (krb5_principal_compare(context, principal,
checkcreds.client) == 1 and
krb5_principal_compare(context, srv_princ,
@@ -328,8 +332,6 @@ def get_data(princ_name, key):
else:
krb5_free_cred_contents(context,
ctypes.byref(checkcreds))
- except KRB5Error:
- pass
finally:
krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
--
2.43.0

View File

@ -1,26 +0,0 @@
From a1f42f0258d9e84928a112e4c39419aad0cebb3b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Jan 2024 14:53:39 +0200
Subject: [PATCH] sidgen: fix missing prototypes
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
index bd46982d06b3272874f256a8b0c2293fa4829f5b..aec862796a8364de84e26fbca96a270a8fb508fc 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
const char *base_dn,
const char *dom_sid,
struct range_info **ranges);
+
+int sidgen_task_init(Slapi_PBlock *pb);
+int ipa_sidgen_init(Slapi_PBlock *pb);
--
2.43.0

View File

@ -1,65 +0,0 @@
From 8c1f56dbab5de1c06fc424f3c58d366274d70688 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Mon, 29 Jan 2024 22:07:43 +0530
Subject: [PATCH] ipatests: Skip tests for ipahealtcheck tests for specific pki
version
CADogtagCertsConfigCheck is no more available on RHEL9, hence the
respective tests are skipped.
Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig'
Ref: https://issues.redhat.com/browse/RHEL-21367
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 28200e0961a23996935c7b1c2b76f2b4b127e066..7323b073273bd95d7b62d19fd5afe03edb2a21da 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -507,6 +507,11 @@ class TestIpaHealthCheck(IntegrationTest):
Testcase checks behaviour of check DogtagCertsConfigCheck in
ipahealthcheck.dogtag.ca when tomcat config file is removed
"""
+ version = tasks.get_pki_version(self.master)
+ if version >= parse_version("11.5"):
+ pytest.skip("Skipping test for 11.5 pki version, since the "
+ "check CADogtagCertsConfigCheck itself is skipped "
+ "See ipa-healthcheck ticket 317")
returncode, data = run_healthcheck(
self.master,
"ipahealthcheck.dogtag.ca",
@@ -1453,13 +1458,21 @@ class TestIpaHealthCheck(IntegrationTest):
This testcase checks that CADogtagCertsConfigCheck can handle
cert renewal, when there can be two certs with the same nickname
"""
- if (tasks.get_pki_version(self.master) < tasks.parse_version('11.4.0')):
+ if (tasks.get_pki_version(
+ self.master) < tasks.parse_version('11.4.0')):
raise pytest.skip("PKI known issue #2022561")
- self.master.run_command(['ipa-cacert-manage', 'renew', '--self-signed'])
+ elif (tasks.get_pki_version(
+ self.master) >= tasks.parse_version('11.5.0')):
+ raise pytest.skip("Skipping test for 11.5 pki version, since "
+ "check CADogtagCertsConfigCheck is "
+ "not present in source "
+ "pki.server.healthcheck.meta.csconfig")
+ self.master.run_command(
+ ['ipa-cacert-manage', 'renew', '--self-signed']
+ )
returncode, data = run_healthcheck(
- self.master,
- "pki.server.healthcheck.meta.csconfig",
- "CADogtagCertsConfigCheck",
+ self.master, "pki.server.healthcheck.meta.csconfig",
+ "CADogtagCertsConfigCheck"
)
assert returncode == 0
for check in data:
--
2.43.0

View File

@ -1,42 +0,0 @@
From b00fd308831428400b96442290ec7bc90bde348f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 30 Jan 2024 10:43:00 +0100
Subject: [PATCH] ipatests: remove xfail thanks to sssd 2.9.4
SSSD 2.9.4 fixes some issues related to auto-private-group
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 12f000c1ad1cbce2710900b0e364a501ed6b8e52..3b9f0fbd51f11ff2c97fed50f7bb61a67326b183 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
):
self.mod_idrange_auto_private_group(type)
sssd_version = tasks.get_sssd_version(self.clients[0])
- bad_version = sssd_version >= tasks.parse_version("2.8.2")
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
+ < tasks.parse_version("2.9.4"))
cond = (type == 'hybrid') and bad_version
with xfail_context(condition=cond,
reason="https://pagure.io/freeipa/issue/9295"):
@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
self.mod_idrange_auto_private_group(type)
if type == "true":
sssd_version = tasks.get_sssd_version(self.clients[0])
- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
+ < tasks.parse_version("2.9.4"))
+ with xfail_context(bad_version,
"https://pagure.io/freeipa/issue/9295"):
(uid, gid) = self.get_user_id(self.clients[0], posixuser)
assert uid == gid
--
2.43.0

View File

@ -1,52 +0,0 @@
From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 9 Feb 2024 10:42:59 +0100
Subject: [PATCH] ipatests: add xfail for autoprivate group test with override
Because of SSSD issue 7169, secondary groups are not
retrieved when autoprivate group is set and an idoverride
replaces the user's primary group.
Mark the known issues as xfail.
Related: https://github.com/SSSD/sssd/issues/7169
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 3b9f0fbd51f11ff2c97fed50f7bb61a67326b183..2b945140dbc477f8bcd0d3b26513000d2006fa82 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
assert (uid == self.uid_override and gid == self.gid_override)
test_group = self.clients[0].run_command(
["id", nonposixuser]).stdout_text
- with xfail_context(type == "hybrid",
- 'https://github.com/SSSD/sssd/issues/5989'):
+ cond2 = ((type == 'false'
+ and sssd_version >= tasks.parse_version("2.9.4"))
+ or type == 'hybrid')
+ with xfail_context(cond2,
+ 'https://github.com/SSSD/sssd/issues/5989 '
+ 'and 7169'):
assert "domain users@{0}".format(self.ad_domain) in test_group
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
assert(uid == self.uid_override
and gid == self.gid_override)
result = self.clients[0].run_command(['id', posixuser])
- assert "10047(testgroup@{0})".format(
- self.ad_domain) in result.stdout_text
+ sssd_version = tasks.get_sssd_version(self.clients[0])
+ bad_version = sssd_version >= tasks.parse_version("2.9.4")
+ with xfail_context(bad_version and type in ('false', 'hybrid'),
+ "https://github.com/SSSD/sssd/issues/7169"):
+ assert "10047(testgroup@{0})".format(
+ self.ad_domain) in result.stdout_text
--
2.43.0

View File

@ -1,89 +0,0 @@
From 5781369e78fd83cee64a4d306198423c7a126ba0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 22 Feb 2024 08:29:31 -0500
Subject: [PATCH] validate_principal: Don't try to verify that the realm is
known
The actual value is less important than whether it matches the
regular expression. A number of legal but difficult to know in
context realms could be passed in here (trust for example).
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipalib/install/kinit.py | 12 ++++--------
ipatests/test_ipalib_install/test_kinit.py | 9 ++++++---
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 4ad4eaa1c30f2fb0ab02be411917e304eb527d32..d5fb56bf041c6f61515fc3ce4cc1ca1cfbcdbab7 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
from ipapython.ipautil import run
from ipalib.constants import PATTERN_GROUPUSER_NAME
from ipalib.util import validate_hostname
-from ipalib import api
logger = logging.getLogger(__name__)
@@ -39,7 +38,9 @@ def validate_principal(principal):
if ('/' in principal) and (' ' in principal):
raise RuntimeError('Invalid principal: bad spacing')
else:
- realm = None
+ # For a user match in the regex
+ # username = match[1]
+ # realm = match[2]
match = user_pattern.match(principal)
if match is None:
match = service_pattern.match(principal)
@@ -48,16 +49,11 @@ def validate_principal(principal):
else:
# service = match[1]
hostname = match[2]
- realm = match[3]
+ # realm = match[3]
try:
validate_hostname(hostname)
except ValueError as e:
raise RuntimeError(str(e))
- else: # user match, validate realm
- # username = match[1]
- realm = match[2]
- if realm and 'realm' in api.env and realm != api.env.realm:
- raise RuntimeError('Invalid principal: realm mismatch')
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
index f89ea17d7874c28bad2524ebf456d2caeafddd1f..8289c4b75c9de3b17748a6abffe0538d08f2698f 100644
--- a/ipatests/test_ipalib_install/test_kinit.py
+++ b/ipatests/test_ipalib_install/test_kinit.py
@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
('test/ipa.example.test@EXAMPLE.TEST', None),
('test/ipa@EXAMPLE.TEST', RuntimeError),
('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
+ ('test/ipa.1example.test@EXAMPLE.TEST', None),
('test /ipa.example,test', RuntimeError),
- ('testuser@OTHER.TEST', RuntimeError),
- ('test/ipa.example.test@OTHER.TEST', RuntimeError),
+ ('testuser@OTHER.TEST', None),
+ ('test/ipa.example.test@OTHER.TEST', None)
])
def test_validate_principal(principal, exception):
try:
validate_principal(principal)
except Exception as e:
assert e.__class__ == exception
+ else:
+ if exception is not None:
+ raise RuntimeError('Test should have failed')
--
2.44.0

View File

@ -1,294 +0,0 @@
From 82eca6c0a994c4db8f85ea0d5c012cd4d80edefe Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 30 Jan 2024 11:17:27 +0200
Subject: [PATCH] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).
This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.
Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
API.txt | 2 +-
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 47 +++++++++++++------
.../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 +
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 14 ++++++
doc/api/config_mod.md | 2 +-
ipaserver/plugins/config.py | 3 +-
ipatests/test_integration/test_otp.py | 46 ++++++++++++++++++
7 files changed, 98 insertions(+), 18 deletions(-)
diff --git a/API.txt b/API.txt
index 7d91077fc340ababee5c9a4b8a695290728b9135..5ed1f5327d9154bf2b301a781b723213c7677ed9 100644
--- a/API.txt
+++ b/API.txt
@@ -1082,7 +1082,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('ca_renewal_master_server?', autofill=False)
option: Str('delattr*', cli_name='delattr')
option: Flag('enable_sid?', autofill=True, default=False)
-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'])
+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP'])
option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup')
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index d30764bb2a05c7ca4a33ea114a2dc19af39e216f..1355f20d3ab990c81b5b41875d659a9bc9f97085 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -83,6 +83,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
char *tmpstr;
int ret;
size_t i;
+ bool fips_enabled = false;
config = calloc(1, sizeof(struct ipapwd_krbcfg));
if (!config) {
@@ -241,28 +242,35 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
config->allow_nt_hash = false;
if (ipapwd_fips_enabled()) {
LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
+ fips_enabled = true;
+ }
+
+ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
+ ret = ipapwd_getEntry(sdn, &config_entry, NULL);
+ slapi_sdn_free(&sdn);
+ if (ret != LDAP_SUCCESS) {
+ LOG_FATAL("No config Entry?\n");
+ goto free_and_error;
} else {
- sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
- ret = ipapwd_getEntry(sdn, &config_entry, NULL);
- slapi_sdn_free(&sdn);
- if (ret != LDAP_SUCCESS) {
- LOG_FATAL("No config Entry?\n");
- goto free_and_error;
- } else {
- tmparray = slapi_entry_attr_get_charray(config_entry,
- "ipaConfigString");
- for (i = 0; tmparray && tmparray[i]; i++) {
+ tmparray = slapi_entry_attr_get_charray(config_entry,
+ "ipaConfigString");
+ for (i = 0; tmparray && tmparray[i]; i++) {
+ if (strcasecmp(tmparray[i], "EnforceLDAPOTP") == 0) {
+ config->enforce_ldap_otp = true;
+ continue;
+ }
+ if (!fips_enabled) {
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
}
}
- if (tmparray) slapi_ch_array_free(tmparray);
}
-
- slapi_entry_free(config_entry);
+ if (tmparray) slapi_ch_array_free(tmparray);
}
+ slapi_entry_free(config_entry);
+
return config;
free_and_error:
@@ -571,6 +579,13 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
rc = LDAP_OPERATIONS_ERROR;
}
+ /* do not return the master key if asked */
+ if (check_flags & IPAPWD_CHECK_ONLY_CONFIG) {
+ free((*config)->kmkey->contents);
+ free((*config)->kmkey);
+ (*config)->kmkey = NULL;
+ }
+
done:
return rc;
}
@@ -1103,8 +1118,10 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
krb5_free_default_realm(c->krbctx, c->realm);
krb5_free_context(c->krbctx);
- free(c->kmkey->contents);
- free(c->kmkey);
+ if (c->kmkey) {
+ free(c->kmkey->contents);
+ free(c->kmkey);
+ }
free(c->supp_encsalts);
free(c->pref_encsalts);
slapi_ch_array_free(c->passsync_mgrs);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 79606a8c795d166590c4655f9021aa414c3684d9..97697000674d8fbbe3a924af63261482db173852 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -70,6 +70,7 @@
#define IPAPWD_CHECK_CONN_SECURE 0x00000001
#define IPAPWD_CHECK_DN 0x00000002
+#define IPAPWD_CHECK_ONLY_CONFIG 0x00000004
#define IPA_CHANGETYPE_NORMAL 0
#define IPA_CHANGETYPE_ADMIN 1
@@ -109,6 +110,7 @@ struct ipapwd_krbcfg {
char **passsync_mgrs;
int num_passsync_mgrs;
bool allow_nt_hash;
+ bool enforce_ldap_otp;
};
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 6898e6596e1cbbb2cc69ba592401619ce86899d8..69023515018d522651bccb984ddd8e9174c22f59 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1431,6 +1431,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
"krbPasswordExpiration", "krblastpwchange",
NULL
};
+ struct ipapwd_krbcfg *krbcfg = NULL;
struct berval *credentials = NULL;
Slapi_Entry *entry = NULL;
Slapi_DN *target_sdn = NULL;
@@ -1505,6 +1506,18 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Try to do OTP first. */
syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID);
otpreq = otpctrl_present(pb, OTP_REQUIRED_OID);
+ if (!syncreq && !otpreq) {
+ ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG);
+ if (ret != 0) {
+ LOG_FATAL("ipapwd_gen_checks failed!?\n");
+ slapi_entry_free(entry);
+ slapi_sdn_free(&sdn);
+ return 0;
+ }
+ if (krbcfg->enforce_ldap_otp) {
+ otpreq = true;
+ }
+ }
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))
goto invalid_creds;
@@ -1543,6 +1556,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
return 0;
invalid_creds:
+ free_ipapwd_krbcfg(&krbcfg);
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md
index c479a034416068c72c0d70deabb149acf8002e44..b3203c350605af5a386544c858a9a5f7f724342f 100644
--- a/doc/api/config_mod.md
+++ b/doc/api/config_mod.md
@@ -27,7 +27,7 @@ No arguments.
* ipauserobjectclasses : :ref:`Str<Str>`
* ipapwdexpadvnotify : :ref:`Int<Int>`
* ipaconfigstring : :ref:`StrEnum<StrEnum>`
- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs')
+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
* ipaselinuxusermaporder : :ref:`Str<Str>`
* ipaselinuxusermapdefault : :ref:`Str<Str>`
* ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index eface545def441d1a6fe9bdb054ab62eaa6589d3..45bd0c108dc958e3e141055901ea3872bc30d511 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -247,7 +247,8 @@ class config(LDAPObject):
doc=_('Extra hashes to generate in password plug-in'),
values=(u'AllowNThash',
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
- u'KDC:Disable Default Preauth for SPNs'),
+ u'KDC:Disable Default Preauth for SPNs',
+ u'EnforceLDAPOTP'),
),
Str('ipaselinuxusermaporder',
label=_('SELinux user map order'),
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index 8e2ea563f1190e39fab0cab2f54da1f382c29356..d2dfca4cbf8c60955e888b6f92bd88a2608bb265 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -21,6 +21,9 @@ from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipapython.dn import DN
+from ldap.controls.simple import BooleanControl
+
+from ipalib import errors
PASSWORD = "DummyPassword123"
USER = "opttestuser"
@@ -450,3 +453,46 @@ class TestOTPToken(IntegrationTest):
assert "ipa-otpd" not in failed_services.stdout_text
finally:
del_otptoken(self.master, otpuid)
+
+ def test_totp_ldap(self):
+ master = self.master
+ basedn = master.domain.basedn
+ USER1 = 'user-forced-otp'
+ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}")
+
+ tasks.create_active_user(master, USER1, PASSWORD)
+ tasks.kinit_admin(master)
+ # Enforce use of OTP token for this user
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type=otp'])
+ try:
+ conn = master.ldap_connect()
+ # First, attempt authenticating with a password but without LDAP
+ # control to enforce OTP presence and without server-side
+ # enforcement of the OTP presence check.
+ conn.simple_bind(binddn, f"{PASSWORD}")
+ # Add an OTP token now
+ otpuid, totp = add_otptoken(master, USER1, otptype="totp")
+ # Next, enforce Password+OTP for a user with OTP token
+ master.run_command(['ipa', 'config-mod', '--addattr',
+ 'ipaconfigstring=EnforceLDAPOTP'])
+ # Next, authenticate with Password+OTP and with the LDAP control
+ # this operation should succeed
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}",
+ client_controls=[
+ BooleanControl(
+ controlType="2.16.840.1.113730.3.8.10.7",
+ booleanValue=True)])
+ # Remove token
+ del_otptoken(self.master, otpuid)
+ # Now, try to authenticate without otp and without control
+ # this operation should fail
+ try:
+ conn.simple_bind(binddn, f"{PASSWORD}")
+ except errors.ACIError:
+ pass
+ master.run_command(['ipa', 'config-mod', '--delattr',
+ 'ipaconfigstring=EnforceLDAPOTP'])
+ finally:
+ master.run_command(['ipa', 'user-del', USER1])
--
2.44.0

View File

@ -1,63 +0,0 @@
From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 2 Mar 2024 09:31:46 +0200
Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind
with OTP
In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++
server.m4 | 8 ++++++++
2 files changed, 18 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Attempt to write out kerberos keys for the user. */
ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
+#ifdef USE_OP_NOTE_MFA_AUTH
+ /* If it was a successful authentication with OTP required, mark it
+ * for access log to notice multi-factor authentication has happened
+ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
+ */
+ if (!syncreq && otpreq) {
+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
+ }
+#endif
+
slapi_entry_free(entry);
slapi_sdn_free(&sdn);
return 0;
diff --git a/server.m4 b/server.m4
index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644
--- a/server.m4
+++ b/server.m4
@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
# slapi-plugin.h includes nspr.h
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
+bck_cflags="$CFLAGS"
+CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
+ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
+ [Use LDAP operation note for multi-factor LDAP BIND])],
+ [], [[#include <dirsrv/slapi-plugin.h>]])
+CFLAGS="$bck_cflags"
+
dnl -- sss_idmap is needed by the extdom exop --
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
--
2.44.0

View File

@ -1,42 +0,0 @@
From db804280eff7ab7dea50c797c3c951ae790af2e2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 14 Mar 2024 12:19:12 +0200
Subject: [PATCH] ipa-pwd-extop: declare operation notes support from 389-ds
locally
The function slapi_pblock_set_flag_operation_notes(); is defined in
ldap/servers/slapd/pblock.c in 389-ds but is only available through
slapi-private.h header, not through slapi-plugin.h public API.
It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
Since we only use it with an MFA note, all versions of the 389-ds that
will support MFA note will have this function.
Fixes: https://pagure.io/freeipa/issue/9554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 43a7f54778382edd66da8f18c20de443ed98ab3d..cc170fc4b81f8ecad88f4ff4401b5651c43aaf55 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1414,6 +1414,11 @@ done:
}
+#ifdef USE_OP_NOTE_MFA_AUTH
+/* defined in ldap/servers/slapd/pblock.c in 389-ds but not exposed via slapi-plugin.h */
+extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
+#endif
+
/* PRE BIND Operation
*
* Used for:
--
2.44.0

View File

@ -1,68 +0,0 @@
From a1aa66dc59b55fef641dcf0539de0d3602f6a8a0 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 20 Mar 2024 14:29:46 +0530
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 7323b073273bd95d7b62d19fd5afe03edb2a21da..7e8f7da3664a88f927ff80ae222780156676c40b 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -2766,17 +2766,18 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
Fixture to remove Server cert and revert the change.
"""
instance = realm_to_serverid(self.master.domain.realm)
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
self.master.run_command(
[
"certutil",
"-L",
"-d",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
+ instance_dir,
"-n",
"Server-Cert",
"-a",
"-o",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ instance_dir
+ "/Server-Cert.pem",
]
)
@@ -2795,15 +2796,15 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
[
"certutil",
"-d",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
+ instance_dir,
"-A",
"-i",
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ instance_dir
+ "/Server-Cert.pem",
"-t",
"u,u,u",
"-f",
- paths.IPA_NSSDB_PWDFILE_TXT,
+ "%s/pwdfile.txt" % instance_dir,
"-n",
"Server-Cert",
]
--
2.44.0

View File

@ -0,0 +1,69 @@
From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 10 Dec 2021 12:15:36 -0300
Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
---
freeipa.spec.in | 4 +---
ipaplatform/base/paths.py | 2 +-
ipaplatform/fedora/paths.py | 1 +
ipaserver/dnssec/bindmgr.py | 1 -
4 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8f5c370e5..e20edb7bc 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
-# bind-dnssec-utils is required by the OpenDNSSec integration
-# https://pagure.io/freeipa/issue/9026
-Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 7d21367ec..42a47f1df 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,6 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..92a948966 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 0c79cc03d..a15c0e601 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -127,7 +127,6 @@ class BINDMgr:
)
cmd = [
paths.DNSSEC_KEYFROMLABEL,
- '-E', 'pkcs11',
'-K', workdir,
'-a', attrs['idnsSecAlgorithm'][0],
'-l', uri
--
2.31.1

View File

@ -0,0 +1,60 @@
From 7807bcc55b4927fc327830d2237200772d2e1106 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 17 Jun 2022 15:40:04 -0300
Subject: [PATCH] webui IdP: Remove arrow notation due to uglify-js limitation.
uglify-js 2.x series do not support ECMAScript 6 arrow notation ('=>')
for callback definition.
This patch changes the arrow definition callbacks for regular anonymous
function definitions.
---
install/ui/src/freeipa/idp.js | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js
index ada09c075..be3c4f0e6 100644
--- a/install/ui/src/freeipa/idp.js
+++ b/install/ui/src/freeipa/idp.js
@@ -227,7 +227,7 @@ IPA.add_idp_policy = function() {
// For custom template we show custom fields
// and mark all of them required and passed to the RPC
// If show_custom is false, the opposite happens
- custom_fields.forEach(fname => {
+ custom_fields.forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.set_required(show_custom);
widget_f.set_enabled(show_custom);
@@ -235,7 +235,7 @@ IPA.add_idp_policy = function() {
});
// For template fields we show them if custom aren't shown
- template_fields.forEach(fname => {
+ template_fields.forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.set_enabled(!show_custom);
widget_f.widget.set_visible(!show_custom);
@@ -252,7 +252,7 @@ IPA.add_idp_policy = function() {
var value = prov_f.get_value()[0];
// First, clear template fields from the previous provider choice
- template_fields.forEach(fname => {
+ template_fields.forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.widget.set_visible(false);
widget_f.set_required(false);
@@ -260,9 +260,9 @@ IPA.add_idp_policy = function() {
});
// Second, enable and get required template-specific fields
- idp.templates.forEach(idp_v => {
+ idp.templates.forEach(function(idp_v) {
if (idp_v['value'] == value) {
- idp_v['fields'].forEach(fname => {
+ idp_v['fields'].forEach(function(fname) {
widget_f = that.container.fields.get_field(fname);
widget_f.set_required(true);
widget_f.set_enabled(true);
--
2.36.1

View File

@ -0,0 +1,120 @@
From 9a33838407f244e481523fe643bc0626874e8b1a Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 19 Dec 2022 14:57:03 -0300
Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 58de365ab..4baeaf8cc 100644
--- a/ipapython/dnsutil.py 2023-05-19 05:12:52.471239297 -0300
+++ b/ipapython/dnsutil.py 2023-05-24 12:20:13.588867053 -0300
@@ -145,55 +145,6 @@
nameservers.remove(ipv4_loopback)
self.nameservers = nameservers
- @property
- def nameservers(self):
- return self._nameservers
-
- @nameservers.setter
- def nameservers(self, nameservers):
- """
- *nameservers*, a ``list`` of nameservers with optional ports:
- "SERVER_IP port PORT_NUMBER".
-
- Overloads dns.resolver.Resolver.nameservers setter to split off ports
- into nameserver_ports after setting nameservers successfully with the
- setter in dns.resolver.Resolver.
- """
- # Get nameserver_ports if it is already set
- if hasattr(self, "nameserver_ports"):
- nameserver_ports = self.nameserver_ports
- else:
- nameserver_ports = {}
-
- # Check nameserver items in list and split out converted port number
- # into nameserver_ports: { nameserver: port }
- if isinstance(nameservers, list):
- _nameservers = []
- for nameserver in nameservers:
- splits = nameserver.split()
- if len(splits) == 3 and splits[1] == "port":
- nameserver = splits[0]
- try:
- port = int(splits[2])
- if port < 0 or port > 65535:
- raise ValueError()
- except ValueError:
- raise ValueError(
- "invalid nameserver: %s is not a valid port" %
- splits[2])
- nameserver_ports[nameserver] = port
- _nameservers.append(nameserver)
- nameservers = _nameservers
-
- # Call dns.resolver.Resolver.nameservers setter
- if hasattr(dns.resolver.Resolver, "nameservers"):
- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
- else:
- # old dnspython (<2) doesn't have 'nameservers' property
- self._nameservers = nameservers
- # Set nameserver_ports after successfull call to setter
- self.nameserver_ports = nameserver_ports
-
class DNSZoneAlreadyExists(dns.exception.DNSException):
supp_kwargs = {'zone', 'ns'}
diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
index 9070d89ad..5e7a46197 100644
--- a/ipatests/test_ipapython/test_dnsutil.py
+++ b/ipatests/test_ipapython/test_dnsutil.py
@@ -101,48 +101,3 @@ class TestSortURI:
assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
-
-
-class TestDNSResolver:
- @pytest.fixture(name="res")
- def resolver(self):
- """Resolver that doesn't read /etc/resolv.conf
-
- /etc/resolv.conf is not mandatory on systems
- """
- return dnsutil.DNSResolver(configure=False)
-
- def test_nameservers(self, res):
- res.nameservers = ["4.4.4.4", "8.8.8.8"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
-
- def test_nameservers_with_ports(self, res):
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
-
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
-
- def test_nameservers_with_bad_ports(self, res):
- try:
- res.nameservers = ["4.4.4.4 port a"]
- except ValueError:
- pass
- else:
- pytest.fail("No fail on bad port a")
-
- try:
- res.nameservers = ["4.4.4.4 port -1"]
- except ValueError:
- pass
- else:
- pytest.fail("No fail on bad port -1")
-
- try:
- res.nameservers = ["4.4.4.4 port 65536"]
- except ValueError:
- pass
- else:
- pytest.fail("No fail on bad port 65536")

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmUcDfoACgkQaYdvcqbi
00+tSA/8DjMUZ1P21qxTpPzybT6tx54X1wzAK+mSB+pC2gSLcv932lVERUvNmTC6
vXtTiI2xWlkcw0VQdtmN0ncdPYuFsC9EeClnWXSH3ayDXP/EguF9uWZDO6zsK4yP
pLVgJKvCX1O5EUN+l9pKtPAnyphSEkcd5rWqzEmfQV6+mILdVS3W8BVOuq8oY4xq
J/1HmbV6b78rrsH9CW9TjFVKlNsOYKTS2dDCYSbidjE69hsvdS8yD8eH9WgVPR2z
X2zidVLIRv7D9Ayy59+rfEfuehhG2FD4lL54DWqUqlw87prN7a1aH7jgs6o+1XCK
2pBDcC6oac+mtCTAGNaMnormzbR55RLgYKpwoyv/OvspuRzsHDfgQy91+YvIBqFV
EW0oB5TG4GeDn3jUPPyehtpRm+TUTeCQiBTcbeksEYDol4xxePKqIC3X313zm/fc
IKYQ2XwZTyrxGOtVmvAncHzwkyVgyDA6aJNApxsu0EdcpFBm/qhuAeadxrLR1v4+
j90yAaUlKduviX5XE1XGCHqvwHXttLmB1npxPmzSPe6MYlmzXRcen8SFPK/dquyC
Vi+CykIR1jelqBvHObIbU4Q8ss0irQhSbHGpHxkup1cmO2b/YILzVrOkE3TIUbps
g1zb4lryzWkXU1q8qPHsS3Fh1HEfuZCWk6Eg6xmmhxENdAsTCeo=
=iHBW
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmVbZU0ACgkQaYdvcqbi
009Fgw/+PzHGNOJPs67TtoYITV/3ZCzMyrYTcazVACjD61Zw7JBgbZzZpQXxBSbj
7QWpNJa3P2JFtv2qOUXJto40mOGpMynyYpuYs4CtyJ86eHTUJyYTFppBmCzzozhT
2C2BeKKjzV8OOWQ7yO/2BTEZ7KtOcIr4ZI7iZCnLJF9Yt8x7TURjGRqxsHwT62Ip
vcrtm0LkkYv/fQ6pFZZfinKU1OBrZphwHMCU4Mlv411iQg4+NOxLSsVU/kegeKIO
adp4Y9g5dfAfdXEXb2Zt7gkmLaWMgf+XNSFDL/wkzRYt74HKwvbIPJQlTZ6pqLxQ
yTtiHGuMb7xNDWolpoueo1/lbxaHRRGJaSPs7zUht3IBxb7hiF65Gm3UaJhoeAXc
gVleZf/+0titOdkRfTD2N0P0hli7gaiRrbpw8K4joxMFpYrQGUxD8SI376gkOj6o
5RWSioPoG9txNM7Co+lVpci7WHhL+Tmhf1SlHyVJGKoNe/z4VHnjHeYlFWRVdDEI
OOupZzJQoLnso3lTwR5VEN8xGURnhbGV4MdUfD/6FhwmyHiPlYkytdZIsGsNDOab
978PPaKcIpbsZ4gUhshcbn7qaY809lNSpMtg8saYOP4J/5Nu+i9X5bJqOmoX0rKa
gAJDY5har+lExRnTEdYEGVB8qen5lqi8r1oYjnDpkSpq6BRoAHA=
=uQom
-----END PGP SIGNATURE-----

File diff suppressed because it is too large Load Diff

5401
SPECS/ipa.spec Normal file

File diff suppressed because it is too large Load Diff