From 705e280eafb13b1b55fc0b91001e4721ce79fbdf Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 22 Oct 2018 13:57:11 +0200
Subject: [PATCH] Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
client/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
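diff --git a/client/config.c b/client/config.c
index ecc126ff47..a09564b702 100644
--- a/client/config.c
+++ b/client/config.c
@@ -123,17 +123,18 @@ get_config_entry(char * in_data, const char *section, const char *key)
 line++;
 p = strchr(line, ']');
 if (p) {
- tmp = strndup(line, p - line);
 if (in_section) {
 /* We exited the matching section without a match */
 free(data);
 return NULL;
 }
+ tmp = strndup(line, p - line);
 if (strcmp(section, tmp) == 0) {
 free(tmp);
 in_section = 1;
 continue;
 }
+ free(tmp);
 }
 } /* [ */
 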
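Review bot: The relocated `tmp = strndup(line, p - line);` is still passed straight to `strcmp(section, tmp)` with no NULL check, so an allocation failure turns into a NULL dereference in the config parser. A guard such as `if (tmp == NULL) { free(data); return NULL; }` before the comparison would close that, mirroring the cleanup the `in_section` branch already performs. The temporary copy could also be avoided by comparing in place, `strncmp(section, line, p - line) == 0 && section[p - line] == '\0'`. get_config_entry starts and ends outside this hunk, so whether `data` is the only allocation to release at that point should be confirmed against the full function.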
From ebb14ed6f57c5504dc2f44339274b108483efd16 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 22 Oct 2018 15:18:23 +0200
Subject: [PATCH] Fix ressource leak in
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 4 ++++
1 file changed, 4 insertions(+)
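diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
index 5863f667ea..460f96cd59 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
@@ -260,6 +260,10 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
 if (req->kvps.pairs[i].value.bv_val[len-1] == '.') {
 len--;
 }
+ if (domain != NULL) {
+ free(domain);
+ domain = NULL;
+ }
 domain = strndup(req->kvps.pairs[i].value.bv_val, len);
 if (!domain) {
 ret = ENOMEM;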
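Review bot: The `if (domain != NULL)` guard around `free(domain)` is redundant: free(NULL) is a no-op and `domain` is overwritten by `strndup` on the very next line, so a bare `free(domain);` does the same job. Because the value is taken from a CLDAP request, a short comment such as `/* the key may appear more than once in a request; release the earlier copy */` would record why the free is needed, if that is indeed the case being handled. The context line above reads `bv_val[len-1]`; the hunk does not show where `len` is validated, so it is worth confirming that a zero-length value cannot reach that index. ipa_cldap_netlogon continues outside the hunk.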
From 305150416429b85d46ad4162bac492db303cf9cf Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 24 Oct 2018 10:12:39 +0200
Subject: [PATCH] Fix ipadb_multires resource handling
* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL.
* ipadb_multires_free() supports NULL as no-op.
* ipadb_multibase_search() consistently frees and NULLs
struct ipadb_multires **res on error.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_common.c | 13 +++++++++----
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
2 files changed, 10 insertions(+), 5 deletions(-)
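diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 5995efe6b1..e2592cea3f 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -634,10 +634,12 @@ krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r)
 
 void ipadb_multires_free(struct ipadb_multires *r)
 {
- for (int i = 0; i < r->count; i++) {
- ldap_msgfree(r->res[i]);
+ if (r != NULL) {
+ for (int i = 0; i < r->count; i++) {
+ ldap_msgfree(r->res[i]);
+ }
+ free(r);
 }
- free(r);
 }
 
 LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r)
@@ -670,8 +672,11 @@ krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
 if (ret != 0) return ret;
 
 ret = ipadb_check_connection(ipactx);
- if (ret != 0)
+ if (ret != 0) {
+ ipadb_multires_free(*res);
+ *res = NULL;
 return ipadb_simple_ldap_to_kerr(ret);
+ }
 
 for (int b = 0; basedns[b]; b++) {
 LDAPMessage *r;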
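Review bot: In the second hunk the new cleanup covers only the `ipadb_check_connection` failure; the earlier `if (ret != 0) return ret;` still returns without touching `*res`, and the error handling of the search loop lies outside the hunk. If the intent is that `*res` is always NULL on error, as the commit message states, that first return deserves the same treatment or a comment explaining why `*res` is already NULL there. A header comment on ipadb_multibase_search along the lines of `/* On failure *res is freed and set to NULL. */` would make the ownership rule explicit for callers. In the first hunk, `if (r == NULL) return;` at the top of ipadb_multires_free would give the same behaviour with one less nesting level.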
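diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 1ec584612b..10f128700b 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -141,7 +141,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
 char *esc_name = NULL;
 char *src_filter = NULL;
 krb5_error_code kerr;
- struct ipadb_multires *res;
+ struct ipadb_multires *res = NULL;
 LDAPMessage *lentry;
 osa_policy_ent_t pentry = NULL;
 uint32_t result;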
From 4ca3120b9a09ad48866446af29b38ca7c005b0d0 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 24 Oct 2018 10:19:14 +0200
Subject: [PATCH] Don't abuse strncpy() length limitation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:
warning: ‘strncpy’ output truncated before terminating nul copying as
many bytes from a string as its length [-Wstringop-truncation]
Use memcpy() instead of strncpy() to copy data of known size.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 2 +-
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
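diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 00c732624b..20967316ed 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -110,7 +110,7 @@ static char *ipadb_realm_to_ldapi_uri(char *realm)
 /* copy path and escape '/' to '%2f' */
 for (q = LDAPIDIR; *q; q++) {
 if (*q == '/') {
- strncpy(p, "%2f", 3);
+ memcpy(p, "%2f", 3);
 p += 3;
 } else {
 *p = *q;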
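diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index db7183bf2b..61b46904ab 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -1003,7 +1003,7 @@ int ipapwd_set_extradata(const char *dn,
 xdata[5] = (unixtime & 0xff000000) >> 24;
 
 /* append the principal name */
- strncpy(&xdata[6], principal, p_len);
+ memcpy(&xdata[6], principal, p_len);
 
 xdata[xd_len -1] = 0;
 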
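Review bot: Unlike `strncpy`, `memcpy(&xdata[6], principal, p_len);` does not stop at a terminator, so exactly `p_len` bytes are read from `principal` whatever its real length. The hunk does not show how `p_len` and `xd_len` are computed; the copy is only safe if `p_len` is the actual length of `principal` and `xd_len` is at least `6 + p_len + 1`. A comment next to the copy stating that invariant, for example `/* xdata holds 6 header bytes + p_len + NUL */` once verified against the allocation, would keep later edits from breaking it. ipapwd_set_extradata starts and ends outside the hunk.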
From a06fb8d0f7b7c6aba942186b93d87823398f5337 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 1 Nov 2018 11:41:29 +0100
Subject: [PATCH] has_krbprincipalkey: avoid double free
Set keys to NULL after free in order to avoid potential double free.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
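diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 209d596255..3c3c7e8845 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -176,7 +176,11 @@ static bool has_krbprincipalkey(Slapi_Entry *entry) {
 
 if (rc || (num_keys <= 0)) {
 /* this one is not valid, ignore it */
- if (keys) ipa_krb5_free_key_data(keys, num_keys);
+ if (keys) {
+ ipa_krb5_free_key_data(keys, num_keys);
+ keys = NULL;
+ num_keys = 0;
+ }
 } else {
 /* It exists at least this one that is valid, no need to continue */
 if (keys) ipa_krb5_free_key_data(keys, num_keys);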
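Review bot: Only the "not valid" branch now resets `keys` and `num_keys` after `ipa_krb5_free_key_data`; the `else` branch just below still frees `keys` and leaves the pointer dangling. Whether that pointer can be reached again depends on code outside the hunk (the rest of the loop and any cleanup after it), but treating both branches the same removes the question: add `keys = NULL; num_keys = 0;` after the free in the `else` branch as well. The `if (keys)` test can stay unless `ipa_krb5_free_key_data` is known to accept NULL.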
From 2884ab69babfd7d40f951ba814234ce4763b0cd8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 1 Nov 2018 11:41:41 +0100
Subject: [PATCH] ipadb_mspac_get_trusted_domains: NULL ptr deref
Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains().
In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn()
does not guarantee that it returns a non-empty result.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 ++++++
1 file changed, 6 insertions(+)
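diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 11e036986a..329a5c1158 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2586,6 +2586,12 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 }
 
 /* We should have a single AVA in the domain RDN */
+ if (rdn == NULL) {
+ ldap_dnfree(dn);
+ ret = EINVAL;
+ goto done;
+ }
+
 t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len);
 
 ldap_dnfree(dn);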
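Review bot: The new guard rejects `rdn == NULL`, but the next statement dereferences `rdn[0]`, which is a separate pointer: an RDN produced by ldap_str2dn() is a NULL-terminated array of AVA pointers, so an empty RDN would have `rdn[0] == NULL`. Extending the test to `if (rdn == NULL || rdn[0] == NULL) {` covers both cases with the same cleanup. The result of `strndup` stored in `t[n].parent_name` is also not checked in the visible lines; the handling may follow outside the hunk. A malformed DN should make the lookup fail with an error rather than fault inside the KDC database plugin.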
From 28b89df5ed8a9a060227433e8eeebf7eea844bb9 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 1 Nov 2018 11:41:47 +0100
Subject: [PATCH] ipapwd_pre_mod: NULL ptr deref
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
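diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 3c3c7e8845..9aef2f7d7d 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -766,7 +766,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 /* Check this is a clear text password, or refuse operation (only if we need
 * to comput other hashes */
 if (! unhashedpw && (gen_krb_keys || is_smb || is_ipant)) {
- if ('{' == userpw[0]) {
+ if ((userpw != NULL) && ('{' == userpw[0])) {
 if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) {
 unhashedpw = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]);
 if (NULL == unhashedpw) {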
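Review bot: With `userpw == NULL` the new condition simply skips the `{CLEAR}` handling, so control continues past this `if` with `unhashedpw` still unset even though the outer condition says other hashes have to be computed. The code after the hunk is not visible; if it expects a usable password at that point, the NULL case should be refused explicitly instead of falling through, for example with a separate `if (userpw == NULL)` branch that takes the same error path as a non-clear-text value. At minimum, a comment stating when `userpw` can legitimately be NULL here would help readers of this password-change path. ipapwd_pre_mod starts and ends outside the hunk.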
From 5abe3d9feff3c0e66a43fa3799611521f83ee893 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 7 Nov 2018 11:57:53 +0200
Subject: [PATCH] ipaserver.install.adtrust: fix CID 323644
Fix Coverity finding CID 323644: logically dead code path
The code to determine whether NetBIOS name was already set or need to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.
As result, a part of the code got neglected and was never executed.
Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.
We mock up the actual execution so that no access to LDAP or Samba is
needed.
Backport to ipa-4-7 takes into account Python 2.7 differences:
- uses mock instead of unittest.mock if the latter is not available
- derives ApiMockup from object
Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 82af034023b03ae64f005c8160b9e961e7b9fd55)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
ipaserver/install/adtrust.py | 3 +-
.../test_ipaserver/test_adtrust_mockup.py | 58 +++++++++++++++++++
2 files changed, 59 insertions(+), 2 deletions(-)
create mode 100644 ipatests/test_ipaserver/test_adtrust_mockup.py
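diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index e9ae3fa3ed..75194eed8f 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -95,7 +95,6 @@ def set_and_check_netbios_name(netbios_name, unattended, api):
 cur_netbios_name = None
 gen_netbios_name = None
 reset_netbios_name = False
- entry = None
 
 if api.Backend.ldap2.isconnected():
 cur_netbios_name = retrieve_netbios_name(api)
@@ -133,7 +132,7 @@ def set_and_check_netbios_name(netbios_name, unattended, api):
 gen_netbios_name = adtrustinstance.make_netbios_name(
 api.env.domain)
 
- if entry is not None:
+ if gen_netbios_name is not None:
 # Fix existing trust configuration
 print("Trust is configured but no NetBIOS domain name found, "
 "setting it now.")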
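diff --git a/ipatests/test_ipaserver/test_adtrust_mockup.py b/ipatests/test_ipaserver/test_adtrust_mockup.py
new file mode 100644
index 0000000000..614a06f8c8
--- /dev/null
+++ b/ipatests/test_ipaserver/test_adtrust_mockup.py
@@ -0,0 +1,58 @@
+# Copyright (C) 2018 FreeIPA Project Contributors - see LICENSE file
+
+from __future__ import print_function
+import ipaserver.install.adtrust as adtr
+from ipaserver.install.adtrust import set_and_check_netbios_name
+from collections import namedtuple
+from unittest import TestCase
+try:
+ from unittest import mock
+except ImportError:
+ import mock
+from io import StringIO
+
+
+class ApiMockup(object):
+ Backend = namedtuple('Backend', 'ldap2')
+ Calls = namedtuple('Callbacks', 'retrieve_netbios_name')
+ env = namedtuple('Environment', 'domain')
+
+
+class TestNetbiosName(TestCase):
+ @classmethod
+ def setUpClass(cls):
+ api = ApiMockup()
+ ldap2 = namedtuple('LDAP', 'isconnected')
+ ldap2.isconnected = mock.MagicMock(return_value=True)
+ api.Backend.ldap2 = ldap2
+ api.Calls.retrieve_netbios_name = adtr.retrieve_netbios_name
+ adtr.retrieve_netbios_name = mock.MagicMock(return_value=None)
+ cls.api = api
+
+ @classmethod
+ def tearDownClass(cls):
+ adtr.retrieve_netbios_name = cls.api.Calls.retrieve_netbios_name
+
+ def test_NetbiosName(self):
+ """
+ Test set_and_check_netbios_name() using permutation of two inputs:
+ - predefined and not defined NetBIOS name
+ - unattended and interactive run
+ As result, the function has to return expected NetBIOS name in
+ all cases. For interactive run we override input to force what
+ we expect.
+ """
+ self.api.env.domain = 'example.com'
+ expected_nname = 'EXAMPLE'
+ # NetBIOS name, unattended, should set the name?
+ tests = ((expected_nname, True, False),
+ (None, True, True),
+ (None, False, True),
+ (expected_nname, False, False))
+ with mock.patch('sys.stdin', new_callable=StringIO) as stdin:
+ stdin.write(expected_nname + '\r')
+ for test in tests:
+ nname, setname = set_and_check_netbios_name(
+ test[0], test[1], self.api)
+ assert expected_nname == nname
+ assert setname == test[2]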
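Review bot: In test_NetbiosName, `stdin.write(expected_nname + '\r')` leaves the StringIO position at the end of the buffer, so a read from the patched `sys.stdin` sees EOF and the interactive cases probably never consume the prepared input; a `stdin.seek(0)` after the write is needed for the text to be read back. On Python 2.7, which the commit message names as a target, `io.StringIO.write()` rejects a byte `str`, so the literal would have to be `u'EXAMPLE'` if the test is run there. setUpClass also rebinds `adtr.retrieve_netbios_name` on the module itself and sets attributes on namedtuple classes rather than instances; `mock.patch.object(adtr, 'retrieve_netbios_name', ...)` would restore the original automatically and keep the state out of other tests.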
From 48a6048be2a3c6cf496a67a2732b8aaee91af620 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 8 Nov 2018 10:42:43 +0100
Subject: [PATCH] Copy-paste error in permssions plugin, CID 323649
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.
Coverity Scan issue 323649, Copy-paste error
The copied code will not have its intended effect.
In postprocess_result: A copied piece of code is inconsistent with the
original (CWE-398)
See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/permission.py | 2 +-
ipatests/test_xmlrpc/test_old_permission_plugin.py | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
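diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 2127d8234e..8ffe01bd88 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -486,7 +486,7 @@ def postprocess_result(self, entry, options):
 
 if old_client:
 for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items():
- if new_name in entry:
+ if new_name in rights:
 rights[old_name] = rights[new_name]
 del rights[new_name]
 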
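diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py
index 6d1117b6b3..600e449421 100644
--- a/ipatests/test_xmlrpc/test_old_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py
@@ -73,8 +73,8 @@
 'ipapermbindruletype': u'rscwo',
 'ipapermdefaultattr': u'rscwo',
 'ipapermexcludedattr': u'rscwo',
- 'ipapermlocation': u'rscwo',
- 'ipapermright': u'rscwo',
+ 'subtree': u'rscwo', # old
+ 'permissions': u'rscwo', # old
 'ipapermtarget': u'rscwo',
 'ipapermtargetfilter': u'rscwo',
 'ipapermtargetto': u'rscwo',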