4c20458190
- Resolves: RHEL-70760 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges' - Resolves: RHEL-70481 ipa-server-upgrade fails after established trust with ad - Resolves: RHEL-69927 add support for python cryptography 44.0.0 - Resolves: RHEL-69908 All user groups are not being included during HSM token validation - Resolves: RHEL-69900 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Mon, 2 Dec 2024 10:27:15 -0500
|
|
Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an
|
|
HSM
|
|
|
|
We were doing a "best effort" when validating the HSM token is
|
|
visible with a valid PIN when it came to groups. A specific
|
|
workaround was added for softhsm2 but this didn't carry over
|
|
to other HSMs that may have group-specific read/write access.
|
|
|
|
Use the new capability in ipaplatform.constants.py::Group to be
|
|
able to generate a valid entry from a group GID. Pair this
|
|
with os.getgrouplist() and all groups will be passed correctly
|
|
via ipautil.run().
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9709
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
ipaserver/install/ca.py | 12 ++++--------
|
|
1 file changed, 4 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
|
index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644
|
|
--- a/ipaserver/install/ca.py
|
|
+++ b/ipaserver/install/ca.py
|
|
@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password):
|
|
)
|
|
pkiuser = constants.PKI_USER
|
|
pkigroup = constants.PKI_GROUP
|
|
- if 'libsofthsm' in token_library:
|
|
- import grp
|
|
- group = grp.getgrnam(constants.ODS_GROUP)
|
|
- if str(constants.PKI_USER) in group.gr_mem:
|
|
- pkigroup = constants.ODS_GROUP
|
|
+ group_list = os.getgrouplist(pkiuser, pkigroup.gid)
|
|
with certdb.NSSDatabase() as tempnssdb:
|
|
tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
|
|
# Try adding the token library to the temporary database in
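Review bot: The new `os.getgrouplist(pkiuser, pkigroup.gid)` needs a `str` user name and raises `KeyError` when that account is absent, while the neighbouring `create_db(user=str(pkiuser), ...)` line suggests `constants.PKI_USER` is not plain `str`; unless it is a `str` subclass the call should be `os.getgrouplist(str(pkiuser), pkigroup.gid)`, and note that a missing pkiuser now aborts validation for every HSM, not only libsofthsm as the removed branch did. The result is a list of integer GIDs, so this relies on `ipautil.run` accepting numeric entries in `suplementary_groups` — the commit message says the Group constant can be built from a GID, but that conversion is not visible here and is worth confirming on the `ipautil.run` side. Passing the full supplementary set also widens what the probe can read compared with `[pkigroup]`, which is the intent, but it only proves the token is reachable if the CA service itself starts with the same initgroups set; a comment such as `# use the full group set pki-tomcatd runs with so group-gated HSM paths are visible` would record that assumption. `hsm_validator` begins before this hunk and continues past it.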
|
|
@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password):
|
|
# It may fail if p11-kit has already registered the library, that's
|
|
# ok.
|
|
ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
|
|
- runas=pkiuser, suplementary_groups=[pkigroup],
|
|
+ runas=pkiuser, suplementary_groups=group_list,
|
|
raiseonerr=False)
|
|
|
|
command = [
|
|
@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password):
|
|
]
|
|
lines = ipautil.run(
|
|
command, cwd=tempnssdb.secdir, capture_output=True,
|
|
- runas=pkiuser, suplementary_groups=[pkigroup]).output
|
|
+ runas=pkiuser, suplementary_groups=group_list).output
|
|
found = False
|
|
token_line = f'token: {token_name}'
|
|
for line in lines.split('\n'):
|
|
@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password):
|
|
]
|
|
result = ipautil.run(args, cwd=tempnssdb.secdir,
|
|
runas=pkiuser,
|
|
- suplementary_groups=[pkigroup],
|
|
+ suplementary_groups=group_list,
|
|
capture_error=True, raiseonerr=False)
|
|
if result.returncode != 0 and len(result.error_output):
|
|
if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
|
|
--
|
|
2.47.1
|
|
|