|
 |
86baa9 |
From 931c7fc1ada309a2d0fe832c95e5a5bf4a89edac Mon Sep 17 00:00:00 2001
|
|
|
86baa9 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
86baa9 |
Date: Mon, 8 Apr 2019 11:43:59 +0300
|
|
|
86baa9 |
Subject: [PATCH] Bypass D-BUS interface definition deficiences for
|
|
|
86baa9 |
trust-fetch-domains
|
|
|
86baa9 |
|
|
|
86baa9 |
In oddjobd it is possible to pass arguments as command line or on the
|
|
|
86baa9 |
stdin. We use command line to pass them but the way oddjobd registers
|
|
|
86baa9 |
the D-BUS method signatures is by specifying all arguments as mandatory.
|
|
|
86baa9 |
|
|
|
86baa9 |
Internally, oddjobd simply ignores if you passed less arguments than
|
|
|
86baa9 |
specified in the D-BUS defition. Unfortunately, it is not possible to
|
|
|
86baa9 |
specify less than maximum due to D-BUS seeing all arguments in the
|
|
|
86baa9 |
list (30 is defined for the trust-fetch-domains).
|
|
|
86baa9 |
|
|
|
86baa9 |
To pass options, have to pad a list of arguments to maximum with empty
|
|
|
86baa9 |
strings and then filter out unneeded ones in the script. Option parser
|
|
|
86baa9 |
already removes all options from the list of arguments so all we need to
|
|
|
86baa9 |
do is to take our actual arguments. In case of trust-fetch-domains, it
|
|
|
86baa9 |
is the name of the domain so we can only care about args[0].
|
|
|
86baa9 |
|
|
|
86baa9 |
Fixes: https://pagure.io/freeipa/issue/7903
|
|
|
86baa9 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
86baa9 |
(cherry picked from commit add6180ae5c5771b0b0f1c743df069ece4256512)
|
|
|
86baa9 |
|
|
|
86baa9 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
86baa9 |
---
|
|
|
86baa9 |
.../oddjob/com.redhat.idm.trust-fetch-domains | 21 ++++++++++++-------
|
|
|
86baa9 |
ipaserver/plugins/trust.py | 11 ++++++++--
|
|
|
86baa9 |
2 files changed, 22 insertions(+), 10 deletions(-)
|
|
|
86baa9 |
|
|
|
86baa9 |
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
|
|
|
86baa9 |
index 1e90759e0e6e7be36745ec12f4478bfec0f0358e..029de781b2a1f94b1fd281b79aa69a1e9422dede 100755
|
|
|
86baa9 |
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
|
|
|
86baa9 |
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
|
|
|
86baa9 |
@@ -5,6 +5,7 @@ from ipaserver.install.installutils import is_ipa_configured, ScriptError
|
|
|
86baa9 |
from ipapython import config, ipautil
|
|
|
86baa9 |
from ipalib import api
|
|
|
86baa9 |
from ipapython.dn import DN
|
|
|
86baa9 |
+from ipapython.dnsutil import DNSName
|
|
|
86baa9 |
from ipaplatform.constants import constants
|
|
|
86baa9 |
from ipaplatform.paths import paths
|
|
|
86baa9 |
import sys
|
|
|
86baa9 |
@@ -37,7 +38,17 @@ def parse_options():
|
|
|
86baa9 |
options, args = parser.parse_args()
|
|
|
86baa9 |
safe_options = parser.get_safe_opts(options)
|
|
|
86baa9 |
|
|
|
86baa9 |
- return safe_options, options, args
|
|
|
86baa9 |
+ # We only use first argument of the passed args but as D-BUS interface
|
|
|
86baa9 |
+ # in oddjobd cannot expose optional, we fill in empty slots from IPA side
|
|
|
86baa9 |
+ # and filter them here.
|
|
|
86baa9 |
+ trusted_domain = ipautil.fsdecode(args[0]).lower()
|
|
|
86baa9 |
+
|
|
|
86baa9 |
+ # Accept domain names that at least have two labels. We do not support
|
|
|
86baa9 |
+ # single label Active Directory domains. This also catches empty args.
|
|
|
86baa9 |
+ if len(DNSName(trusted_domain).labels) < 2:
|
|
|
86baa9 |
+ # LSB status code 2: invalid or excess argument(s)
|
|
|
86baa9 |
+ raise ScriptError("You must specify a valid trusted domain name", 2)
|
|
|
86baa9 |
+ return safe_options, options, trusted_domain
|
|
|
86baa9 |
|
|
|
86baa9 |
def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
|
|
|
86baa9 |
getkeytab_args = ["/usr/sbin/ipa-getkeytab",
|
|
|
86baa9 |
@@ -87,13 +98,7 @@ if not os.getegid() == 0:
|
|
|
86baa9 |
# LSB status code 4: user had insufficient privilege
|
|
|
86baa9 |
raise ScriptError("You must be root to run ipactl.", 4)
|
|
|
86baa9 |
|
|
|
86baa9 |
-safe_options, options, args = parse_options()
|
|
|
86baa9 |
-
|
|
|
86baa9 |
-if len(args) != 1:
|
|
|
86baa9 |
- # LSB status code 2: invalid or excess argument(s)
|
|
|
86baa9 |
- raise ScriptError("You must specify trusted domain name", 2)
|
|
|
86baa9 |
-
|
|
|
86baa9 |
-trusted_domain = ipautil.fsdecode(args[0]).lower()
|
|
|
86baa9 |
+safe_options, options, trusted_domain = parse_options()
|
|
|
86baa9 |
|
|
|
86baa9 |
api.bootstrap(in_server=True, log=None,
|
|
|
86baa9 |
context='server', confdir=paths.ETC_IPA)
|
|
|
86baa9 |
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
|
|
|
86baa9 |
index bb9e0fe3303989c49cf339df6e5aeeb4ce1435cf..5de363bda6fdee081d3e4c98e731cecfa9585d21 100644
|
|
|
86baa9 |
--- a/ipaserver/plugins/trust.py
|
|
|
86baa9 |
+++ b/ipaserver/plugins/trust.py
|
|
|
86baa9 |
@@ -446,8 +446,15 @@ def fetch_trusted_domains_over_dbus(myapi, *keys, **options):
|
|
|
86baa9 |
fetch_domains_method = intf.get_dbus_method(
|
|
|
86baa9 |
'fetch_domains',
|
|
|
86baa9 |
dbus_interface=DBUS_IFACE_TRUST)
|
|
|
86baa9 |
- (_ret, _stdout, _stderr) = fetch_domains_method(
|
|
|
86baa9 |
- [forest_name] + method_options)
|
|
|
86baa9 |
+ # Oddjobd D-BUS method definition only accepts fixed number
|
|
|
86baa9 |
+ # of arguments on the command line. Thus, we need to pass
|
|
|
86baa9 |
+ # remaining ones as ''. There are 30 slots to allow for extension
|
|
|
86baa9 |
+ # and the number comes from the 'arguments' definition in
|
|
|
86baa9 |
+ # install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
|
|
|
86baa9 |
+ method_arguments = [forest_name]
|
|
|
86baa9 |
+ method_arguments.extend(method_options)
|
|
|
86baa9 |
+ method_arguments.extend([''] * (30 - len(method_arguments)))
|
|
|
86baa9 |
+ (_ret, _stdout, _stderr) = fetch_domains_method(*method_arguments)
|
|
|
86baa9 |
except dbus.DBusException as e:
|
|
|
86baa9 |
logger.error('Failed to call %s.fetch_domains helper.'
|
|
|
86baa9 |
'DBus exception is %s.', DBUS_IFACE_TRUST, str(e))
|
|
|
86baa9 |
--
|
|
|
86baa9 |
2.20.1
|
|
|
86baa9 |
|