From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Aug 2022 16:58:07 +0300
Subject: [PATCH] fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
the RPC layer of the Web UI code and causes an infinite page-reload loop.
Fix it by doing two things:
 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;
 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
 install/ui/src/freeipa/ipa.js | 8 +++++++-
 ipaserver/rpcserver.py        | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 758db1b00..a08d632e9 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -271,7 +271,13 @@ var IPA = function () {
                             var cn = that.whoami.data.krbcanonicalname;
                             if (cn) that.principal = cn[0];
                             if (!that.principal) {
-                                that.principal = that.whoami.data.krbprincipalname[0];
+                                var principal = data.principal;
+                                var idx = that.whoami.data.krbprincipalname.indexOf(principal);
+                                if (idx > -1) {
+                                    that.principal = principal;
+                                } else {
+                                    that.principal = that.whoami.data.krbprincipalname[0];
+                                }
                             }
                         } else if (entity === 'idoverrideuser') {
                             that.principal = that.whoami.data.ipaoriginaluid[0];
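Review bot: The alias lookup on the `indexOf` line is an exact, case-sensitive string match between `data.principal` and the entry's `krbprincipalname` values, so a name that differs only in case silently takes the `krbprincipalname[0]` fallback — the same ticket/metadata disagreement this commit sets out to fix; whether the server normalizes case before this point is not visible here, so either confirm that or compare both sides with `toLowerCase()`. The new branch also needs a why-comment, since nothing in the code says where `data.principal` comes from or why it is preferred: `// the session may have been authenticated as one of this entry's aliases; use that name so the RPC layer and the ticket agree`. Note the branch only runs when the entry has no `krbcanonicalname`; when one exists the canonical name still wins, which is consistent with the server-side canonicalize change in this commit. The enclosing function and the `data` variable are defined outside the hunk.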
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1f85e9898..4e8a08b66 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
                 ccache_name,
                 armor_ccache_name=armor_path,
                 enterprise=True,
+                canonicalize=True,
                 lifetime=self.api.env.kinit_lifetime)
 
             if armor_path:
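Review bot: The added `canonicalize=True` needs a comment next to `enterprise=True`, because the two keywords look redundant and a later cleanup could drop one and silently reintroduce the alias/canonical mismatch: `# enterprise=True only tags the name as an enterprise principal; canonicalize=True makes the KDC return the canonical name so the ticket, the session principal and the user entry agree (issue 9226)`. Since the credential cache will now hold the canonical principal rather than the name typed at login, any code in `login_password` that records the session principal or derives anything from the typed name should read it back from the ccache instead — that code is outside the hunk, so this is an inference to confirm rather than a defect seen here. `login_password` starts and ends outside the hunk.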
-- 
2.37.3