rpms / ipa

Clone
Source Code
GIT

Files

  1.   177dc68814364064fa3f929a235eef1acb4130ae
  2.   SOURCES
  3.   0002-krbtktpolicy-reset.patch
Blob Blame History Raw 
From a8b52eaf3cf56c90e3d94fdef0b9e426052634ea Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 18 Dec 2019 12:08:59 +0200
Subject: [PATCH] Reset per-indicator Kerberos policy

When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.

Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.

Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.

Fixes: https://pagure.io/freeipa/issue/8153

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/krbtpolicy.py              | 21 +++++++++++++++++++-
 ipatests/test_integration/test_krbtpolicy.py | 13 ++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/krbtpolicy.py b/ipaserver/plugins/krbtpolicy.py
index 997fe7e81..b01c44e93 100644
--- a/ipaserver/plugins/krbtpolicy.py
+++ b/ipaserver/plugins/krbtpolicy.py
@@ -68,6 +68,8 @@ register = Registry()
 _default_values = {
     'krbmaxticketlife': 86400,
     'krbmaxrenewableage': 604800,
+    'krbauthindmaxticketlife': 86400,
+    'krbauthindmaxrenewableage': 604800,
 }
 
 # These attributes never have non-optional values, so they should be
@@ -311,9 +313,26 @@ class krbtpolicy_reset(baseldap.LDAPQuery):
                 def_values[a] = None
         # if reseting global policy - set values to default
         else:
-            def_values = _default_values
+            def_values = _default_values.copy()
 
         entry = ldap.get_entry(dn, list(def_values))
+
+        # For per-indicator policies, drop them to defaults
+        for subtype in _supported_options:
+            for attr in _option_based_attrs:
+                name = '{};{}'.format(attr, subtype)
+                if name in entry:
+                    if uid is not None:
+                        def_values[name] = None
+                    else:
+                        def_values[name] = _default_values[attr]
+
+        # Remove non-subtyped attrs variants,
+        # they should never be used directly.
+        for attr in _option_based_attrs:
+            if attr in def_values:
+                del def_values[attr]
+
         entry.update(def_values)
         try:
             ldap.update_entry(entry)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index b2264de7a..08e332096 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -112,3 +112,16 @@ class TestPWPolicy(IntegrationTest):
         assert maxlife_within_policy(result.stdout_text, 1200) is True
 
         tasks.kdestroy_all(master)
+
+    def test_krbtpolicy_reset(self):
+        """Test a hardened kerberos ticket policy reset"""
+        master = self.master
+
+        tasks.kinit_admin(master)
+        master.run_command(['ipa', 'krbtpolicy-reset', USER2])
+        master.run_command(['kinit', USER2],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
+        tasks.kdestroy_all(master)
-- 
2.24.1

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation