From 06eb54e3e8e645a64d915602a64834cc26bc8924 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 10 Sep 2019 13:39:39 +0300
Subject: [PATCH] add default access control when migrating trust objects
It looks like in some cases the old trusted domain object does not have a properly
set up keytab retrieval configuration. This mostly
affects two-way trust cases. In such cases, create the default configuration
that ipasam would have created when the trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipaserver/install/plugins/adtrust.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__)
 register = Registry()
 
 DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
 
 
 @register()
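Review bot: `trust_read_keys_template` is a module-level constant but is named in lower case, whereas the neighbouring `DEFAULT_ID_RANGE_SIZE` two lines above follows the upper-case constant convention; renaming it `TRUST_READ_KEYS_TEMPLATE` (and its single use in the second hunk) would keep the module consistent. A short comment stating what the list is for would also help a later reader, e.g. `# Default holders of ipaAllowedToPerform;read_keys on a trusted domain object, as ipasam sets them when a trust is created`.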
@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater):
                     'krbprincipalkey')
                 entry_data['krbextradata'] = en.single_value.get(
                     'krbextradata')
-                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-                    'ipaAllowedToPerform;read_keys', [])
+                read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+                if not read_keys:
+                    # Old style, no ipaAllowedToPerform;read_keys in the entry,
+                    # use defaults that ipasam should have set when creating a
+                    # trust
+                    read_keys = list(map(
+                        lambda x: x.format(basedn=self.api.env.basedn),
+                        trust_read_keys_template))
+                entry_data['ipaAllowedToPerform;read_keys'] = read_keys
 
         entry.update(entry_data)
         try:
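Review bot: The fallback in the `if not read_keys:` branch grants key-retrieval permission to the two default principals during an upgrade without leaving any record of it, so an administrator cannot later tell which trust objects were migrated with defaults and which carried their own configuration; since `logger` is already defined in this module, a line such as `logger.debug("No ipaAllowedToPerform;read_keys on %s, applying defaults", en.dn)` inside that branch (assuming `en` exposes its DN as `.dn`) would make this auditable. The `list(map(lambda ...))` construction reads more naturally as a comprehension, `read_keys = [t.format(basedn=self.api.env.basedn) for t in trust_read_keys_template]`. The enclosing method of update_tdo_to_new_layout starts before this hunk and continues past the `try:` at its end.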
-- 
2.20.1