areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0012-add-default-access-control-configuration-to-trusted-domain-objects_rhbz#1751707.patch

544061
From 0deea83e93665404bb536d181ae54ad7cff45336 Mon Sep 17 00:00:00 2001
544061
From: Alexander Bokovoy <abokovoy@redhat.com>
544061
Date: Sep 13 2019 07:34:35 +0000
544061
Subject: add default access control when migrating trust objects
544061
544061
544061
It looks like for some cases we do not have proper set up keytab
544061
retrieval configuration in the old trusted domain object. This mostly
544061
affects two-way trust cases. In such cases, create default configuration
544061
as ipasam would have created when trust was established.
544061
544061
Resolves: https://pagure.io/freeipa/issue/8067
544061
544061
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
544061
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
544061
544061
---
544061
544061
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
544061
index 3b2e49b..7e6b5c3 100644
544061
--- a/ipaserver/install/plugins/adtrust.py
544061
+++ b/ipaserver/install/plugins/adtrust.py
544061
@@ -29,6 +29,9 @@ logger = logging.getLogger(__name__)
544061
 register = Registry()
544061
 
544061
 DEFAULT_ID_RANGE_SIZE = 200000
544061
+trust_read_keys_template = \
544061
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
544061
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
544061
 
544061
 
544061
 @register()
544061
@@ -576,8 +579,15 @@ class update_tdo_to_new_layout(Updater):
544061
                     'krbprincipalkey')
544061
                 entry_data['krbextradata'] = en.single_value.get(
544061
                     'krbextradata')
544061
-                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
544061
-                    'ipaAllowedToPerform;read_keys', [])
544061
+                read_keys = en.get('ipaAllowedToPerform;read_keys', [])
544061
+                if not read_keys:
544061
+                    # Old style, no ipaAllowedToPerform;read_keys in the entry,
544061
+                    # use defaults that ipasam should have set when creating a
544061
+                    # trust
544061
+                    read_keys = list(map(
544061
+                        lambda x: x.format(basedn=self.api.env.basedn),
544061
+                        trust_read_keys_template))
544061
+                entry_data['ipaAllowedToPerform;read_keys'] = read_keys
544061
 
544061
         entry.update(entry_data)
544061
         try:
544061
544061
From b32510d67d2bd64e77659c6766d3f9647629acec Mon Sep 17 00:00:00 2001
544061
From: Alexander Bokovoy <abokovoy@redhat.com>
544061
Date: Sep 13 2019 07:34:35 +0000
544061
Subject: adtrust: add default read_keys permission for TDO objects
544061
544061
544061
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
544061
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
544061
whole communication with Active Directory domain controllers will not be
544061
possible.
544061
544061
This seems to affect trusts which were created before
544061
ipaAllowedToPerform;read_keys permission granting was introduced
544061
(FreeIPA 4.2). Add back the default setting for the permissions which
544061
grants access to trust agents and trust admins.
544061
544061
Resolves: https://pagure.io/freeipa/issue/8067
544061
544061
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
544061
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
544061
544061
---
544061
544061
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
544061
index f5f428d..8eb1977 100644
544061
--- a/install/updates/90-post_upgrade_plugins.update
544061
+++ b/install/updates/90-post_upgrade_plugins.update
544061
@@ -13,6 +13,7 @@ plugin: update_default_trust_view
544061
 plugin: update_tdo_gidnumber
544061
 plugin: update_tdo_to_new_layout
544061
 plugin: update_host_cifs_keytabs
544061
+plugin: update_tdo_default_read_keys_permissions
544061
 plugin: update_ca_renewal_master
544061
 plugin: update_idrange_type
544061
 plugin: update_pacs
544061
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
544061
index 7e6b5c3..386fe53 100644
544061
--- a/ipaserver/install/plugins/adtrust.py
544061
+++ b/ipaserver/install/plugins/adtrust.py
544061
@@ -821,3 +821,59 @@ class update_host_cifs_keytabs(Updater):
544061
                 self.copy_key(paths.SAMBA_KEYTAB, hostkey)
544061
 
544061
         return False, []
544061
+
544061
+
544061
+@register()
544061
+class update_tdo_default_read_keys_permissions(Updater):
544061
+    trust_filter = \
544061
+        "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))"
544061
+
544061
+    def execute(self, **options):
544061
+        ldap = self.api.Backend.ldap2
544061
+
544061
+        # First, see if trusts are enabled on the server
544061
+        if not self.api.Command.adtrust_is_enabled()['result']:
544061
+            logger.debug('AD Trusts are not enabled on this server')
544061
+            return False, []
544061
+
544061
+        result = self.api.Command.trustconfig_show()['result']
544061
+        our_nbt_name = result.get('ipantflatname', [None])[0]
544061
+        if not our_nbt_name:
544061
+            return False, []
544061
+
544061
+        trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
544061
+        trust_filter = self.trust_filter.format(nbt=our_nbt_name)
544061
+
544061
+        # We might be in a situation when no trusts exist yet
544061
+        # In such case there is nothing to upgrade but we have to catch
544061
+        # an exception or it will abort the whole upgrade process
544061
+        try:
544061
+            tdos = ldap.get_entries(
544061
+                base_dn=trusts_dn,
544061
+                scope=ldap.SCOPE_SUBTREE,
544061
+                filter=trust_filter,
544061
+                attrs_list=['*'])
544061
+        except errors.EmptyResult:
544061
+            tdos = []
544061
+
544061
+        for tdo in tdos:
544061
+            updates = dict()
544061
+            oc = tdo.get('objectClass', [])
544061
+            if 'ipaAllowedOperations' not in oc:
544061
+                updates['objectClass'] = oc + ['ipaAllowedOperations']
544061
+
544061
+            read_keys = tdo.get('ipaAllowedToPerform;read_keys', [])
544061
+            if not read_keys:
544061
+                read_keys_values = list(map(
544061
+                    lambda x: x.format(basedn=self.api.env.basedn),
544061
+                    trust_read_keys_template))
544061
+                updates['ipaAllowedToPerform;read_keys'] = read_keys_values
544061
+
544061
+            tdo.update(updates)
544061
+            try:
544061
+                ldap.update_entry(tdo)
544061
+            except errors.EmptyModlist:
544061
+                logger.debug("No update was required for TDO %s",
544061
+                             tdo.single_value.get('krbCanonicalName'))
544061
+
544061
+        return False, []
544061