diff --git a/SOURCES/0054-add-default-access-control-when-migrating-trust-obje.patch b/SOURCES/0054-add-default-access-control-when-migrating-trust-obje.patch
new file mode 100644
index 0000000..d4428ee
--- /dev/null
+++ b/SOURCES/0054-add-default-access-control-when-migrating-trust-obje.patch
@@ -0,0 +1,55 @@ +From b1cefe64e4e91966e59d81c778abc8057af4cd6f Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 10 Sep 2019 13:39:39 +0300 +Subject: [PATCH] add default access control when migrating trust objects + +It looks like for some cases we do not have proper set up keytab +retrieval configuration in the old trusted domain object. This mostly +affects two-way trust cases. In such cases, create default configuration +as ipasam would have created when trust was established. + +Resolves: https://pagure.io/freeipa/issue/8067 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/plugins/adtrust.py | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__) + register = Registry() + + DEFAULT_ID_RANGE_SIZE = 200000 ++trust_read_keys_template = \ ++ ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}", ++ "cn=trust admins,cn=groups,cn=accounts,{basedn}"] + + + @register() +@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater): + 'krbprincipalkey') + entry_data['krbextradata'] = en.single_value.get( + 'krbextradata') +- entry_data['ipaAllowedToPerform;read_keys'] = en.get( +- 'ipaAllowedToPerform;read_keys', []) ++ read_keys = en.get('ipaAllowedToPerform;read_keys', []) ++ if not read_keys: ++ # Old style, no ipaAllowedToPerform;read_keys in the entry, ++ # use defaults that ipasam should have set when creating a ++ # trust ++ read_keys = list(map( ++ lambda x: x.format(basedn=self.api.env.basedn), ++ trust_read_keys_template)) ++ entry_data['ipaAllowedToPerform;read_keys'] = read_keys + + 
entry.update(entry_data) + try: +-- +2.20.1 + diff --git a/SOURCES/0055-adtrust-add-default-read_keys-permission-for-TDO-obj.patch b/SOURCES/0055-adtrust-add-default-read_keys-permission-for-TDO-obj.patch new file mode 100644 index 0000000..baf9ee0 --- /dev/null +++ b/SOURCES/0055-adtrust-add-default-read_keys-permission-for-TDO-obj.patch 
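Review bot: The fallback in `update_tdo_to_new_layout` silently grants `read_keys` on the trusted-domain object (which carries `krbprincipalkey`) to `cn=adtrust agents` and `cn=trust admins` whenever the old entry had no `ipaAllowedToPerform;read_keys`, and nothing records that the upgrade widened access. That matches what the commit says ipasam sets at trust creation, but an operator auditing who may read trust keys should be able to find it in the upgrade log; add `logger.info("TDO %s had no ipaAllowedToPerform;read_keys, granting defaults: %s", en.dn, read_keys)` next to the assignment (`en.dn` assumes `en` is an LDAPEntry, which the `en.single_value` calls suggest — confirm). `trust_read_keys_template` is a module-level constant and would conventionally be `TRUST_READ_KEYS_TEMPLATE`, matching `DEFAULT_ID_RANGE_SIZE` directly above it. The enclosing method starts and ends outside this hunk.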
@@ -0,0 +1,105 @@ +From d45545807106958d924d0b92b3e275ac75c3a6fd Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 12 Sep 2019 11:21:51 +0300 +Subject: [PATCH] adtrust: add default read_keys permission for TDO objects + +If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys +attribute values, it cannot be used by SSSD to retrieve TDO keys and the +whole communication with Active Directory domain controllers will not be +possible. + +This seems to affect trusts which were created before +ipaAllowedToPerform;read_keys permission granting was introduced +(FreeIPA 4.2). Add back the default setting for the permissions which +grants access to trust agents and trust admins. + +Resolves: https://pagure.io/freeipa/issue/8067 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../updates/90-post_upgrade_plugins.update | 1 + + ipaserver/install/plugins/adtrust.py | 56 +++++++++++++++++++ + 2 files changed, 57 insertions(+) + +diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update +index a9f5f6a924d330b924d9adb8b7eee728258f27c6..77b910fc26858611e44a5ba3f4f4c18f4895c95e 100644 +--- a/install/updates/90-post_upgrade_plugins.update ++++ b/install/updates/90-post_upgrade_plugins.update +@@ -12,6 +12,7 @@ plugin: update_default_range + plugin: update_default_trust_view + plugin: update_tdo_gidnumber + plugin: update_tdo_to_new_layout ++plugin: update_tdo_default_read_keys_permissions + plugin: update_ca_renewal_master + plugin: update_idrange_type + plugin: update_pacs +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index 0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b..fca83aa6df2cc3fafca91f2ed55339dba016a1fa 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -727,3 +727,59 @@ class update_tdo_to_new_layout(Updater): + 
self.KRB_PRINC_CREATE_DISABLED) + + return False, [] ++ ++ ++@register() ++class update_tdo_default_read_keys_permissions(Updater): ++ trust_filter = \ ++ "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))" ++ ++ def execute(self, **options): ++ ldap = self.api.Backend.ldap2 ++ ++ # First, see if trusts are enabled on the server ++ if not self.api.Command.adtrust_is_enabled()['result']: ++ logger.debug('AD Trusts are not enabled on this server') ++ return False, [] ++ ++ result = self.api.Command.trustconfig_show()['result'] ++ our_nbt_name = result.get('ipantflatname', [None])[0] ++ if not our_nbt_name: ++ return False, [] ++ ++ trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn ++ trust_filter = self.trust_filter.format(nbt=our_nbt_name) ++ ++ # We might be in a situation when no trusts exist yet ++ # In such case there is nothing to upgrade but we have to catch ++ # an exception or it will abort the whole upgrade process ++ try: ++ tdos = ldap.get_entries( ++ base_dn=trusts_dn, ++ scope=ldap.SCOPE_SUBTREE, ++ filter=trust_filter, ++ attrs_list=['*']) ++ except errors.EmptyResult: ++ tdos = [] ++ ++ for tdo in tdos: ++ updates = dict() ++ oc = tdo.get('objectClass', []) ++ if 'ipaAllowedOperations' not in oc: ++ updates['objectClass'] = oc + ['ipaAllowedOperations'] ++ ++ read_keys = tdo.get('ipaAllowedToPerform;read_keys', []) ++ if not read_keys: ++ read_keys_values = list(map( ++ lambda x: x.format(basedn=self.api.env.basedn), ++ trust_read_keys_template)) ++ updates['ipaAllowedToPerform;read_keys'] = read_keys_values ++ ++ tdo.update(updates) ++ try: ++ ldap.update_entry(tdo) ++ except errors.EmptyModlist: ++ logger.debug("No update was required for TDO %s", ++ tdo.single_value.get('krbCanonicalName')) ++ ++ return False, [] +-- +2.20.1 + 
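Review bot: `update_tdo_default_read_keys_permissions` searches the TDOs with `attrs_list=['*']`, so every trust's full entry — including the `krbPrincipalKey` trust key material — is pulled into the upgrade process just to inspect `objectClass` and `ipaAllowedToPerform;read_keys`. Request only what is used, `attrs_list=['objectClass', 'ipaAllowedToPerform;read_keys', 'krbCanonicalName']` (the last one feeds the debug message), which keeps key blobs out of memory and out of any debug logging of the entry. The `'ipaAllowedOperations' not in oc` test is case-sensitive while objectClass values are case-insensitive in LDAP; if a TDO stores a differently-cased value the update would try to add a duplicate and that error is not caught (only `errors.EmptyModlist` is), aborting the whole upgrade — worth a case-insensitive comparison unless the backend is known to normalise case. The NetBIOS name is interpolated into `trust_filter` unescaped; it comes from `trustconfig_show` so the risk is low, but escaping it through the ldap2 backend's filter helpers, if available, would make that explicit.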
diff --git a/SOURCES/0056-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch b/SOURCES/0056-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch new file mode 100644 index 0000000..5fc808c --- /dev/null +++ b/SOURCES/0056-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch @@ -0,0 +1,38 @@ +From a2056fe04b9667c4c86925051b9b71c741eb9cd1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 16 Sep 2019 09:38:19 -0400 +Subject: [PATCH] Disable deprecated-lambda check in adtrust upgrade code + +It is interesting that we don't have this problem with newer +Python and pylint versions. Ignoring to try to keep the code +more in line with newer releases. + +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/plugins/adtrust.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index fca83aa6df2cc3fafca91f2ed55339dba016a1fa..950b7b9c82f1b0e115675ff8093d1bd02e913ae2 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -583,6 +583,7 @@ class update_tdo_to_new_layout(Updater): + # Old style, no ipaAllowedToPerform;read_keys in the entry, + # use defaults that ipasam should have set when creating a + # trust ++ # pylint: disable=deprecated-lambda + read_keys = list(map( + lambda x: x.format(basedn=self.api.env.basedn), + trust_read_keys_template)) +@@ -770,6 +771,7 @@ class update_tdo_default_read_keys_permissions(Updater): + + read_keys = tdo.get('ipaAllowedToPerform;read_keys', []) + if not read_keys: ++ # pylint: disable=deprecated-lambda + read_keys_values = list(map( + lambda x: x.format(basedn=self.api.env.basedn), + trust_read_keys_template)) +-- +2.20.1 + diff --git a/SOURCES/0057-Handle-missing-LWCA-certificate-or-chain.patch b/SOURCES/0057-Handle-missing-LWCA-certificate-or-chain.patch new file mode 100644 index 0000000..dccf25c --- /dev/null 
+++ b/SOURCES/0057-Handle-missing-LWCA-certificate-or-chain.patch 
@@ -0,0 +1,196 @@ +From dc90e83e77f63384f072ca31d79705e26dc5d656 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 30 May 2019 20:57:10 +1000 +Subject: [PATCH] Handle missing LWCA certificate or chain + +If lightweight CA key replication has not completed, requests for +the certificate or chain will return 404**. This can occur in +normal operation, and should be a temporary condition. Detect this +case and handle it by simply omitting the 'certificate' and/or +'certificate_out' fields in the response, and add a warning message +to the response. + +Also update the client-side plugin that handles the +--certificate-out option. Because the CLI will automatically print +the warning message, if the expected field is missing from the +response, just ignore it and continue processing. + +** after the Dogtag NullPointerException gets fixed! + +Part of: https://pagure.io/freeipa/issue/7964 + +Reviewed-By: Christian Heimes +Reviewed-By: Fraser Tweedale +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + ipaclient/plugins/ca.py | 19 +++++++++++--- + ipalib/messages.py | 9 +++++++ + ipaserver/plugins/ca.py | 57 +++++++++++++++++++++++++++++++---------- + 3 files changed, 68 insertions(+), 17 deletions(-) + +diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py +index f0e7d5ced0d3d9318e34aba84cbc37cf42b9410d..ab47ae85df398e1dc40191691a26639eb3772493 100644 +--- a/ipaclient/plugins/ca.py ++++ b/ipaclient/plugins/ca.py +@@ -33,13 +33,24 @@ class WithCertOutArgs(MethodOverride): + error=str(e)) + + result = super(WithCertOutArgs, self).forward(*keys, **options) ++ + if filename: ++ # if result certificate / certificate_chain not present in result, ++ # it means Dogtag did not provide it (probably due to LWCA key ++ # replication lag or failure. The server transmits a warning ++ # message in this case, which the client automatically prints. ++ # So in this section we just ignore it and move on. 
++ certs = None + if options.get('chain', False): +- certs = result['result']['certificate_chain'] ++ if 'certificate_chain' in result['result']: ++ certs = result['result']['certificate_chain'] + else: +- certs = [base64.b64decode(result['result']['certificate'])] +- certs = (x509.load_der_x509_certificate(cert) for cert in certs) +- x509.write_certificate_list(certs, filename) ++ if 'certificate' in result['result']: ++ certs = [base64.b64decode(result['result']['certificate'])] ++ if certs: ++ x509.write_certificate_list( ++ (x509.load_der_x509_certificate(cert) for cert in certs), ++ filename) + + return result + +diff --git a/ipalib/messages.py b/ipalib/messages.py +index 9e2c990d6db8ee41daf3fba6085eed8355dccbe7..646662795648b5a44a5ce25b7610982d5500cfac 100644 +--- a/ipalib/messages.py ++++ b/ipalib/messages.py +@@ -487,6 +487,15 @@ class FailedToAddHostDNSRecords(PublicMessage): + "%(reason)s") + + ++class LightweightCACertificateNotAvailable(PublicMessage): ++ """ ++ **13031** Certificate is not available ++ """ ++ errno = 13031 ++ type = "error" ++ format = _("The certificate for %(ca)s is not available on this server.") ++ ++ + def iter_messages(variables, base): + """Return a tuple with all subclasses + """ +diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py +index 88e7ec2a9f50a3c4f90947c8e3d38e327627a878..c8f1630c65d55ee9e820ea50ef34e08f92c66f4a 100644 +--- a/ipaserver/plugins/ca.py ++++ b/ipaserver/plugins/ca.py +@@ -6,7 +6,7 @@ import base64 + + import six + +-from ipalib import api, errors, output, Bytes, DNParam, Flag, Str ++from ipalib import api, errors, messages, output, Bytes, DNParam, Flag, Str + from ipalib.constants import IPA_CA_CN + from ipalib.plugable import Registry + from ipapython.dn import ATTR_NAME_BY_OID +@@ -163,28 +163,53 @@ class ca(LDAPObject): + + + def set_certificate_attrs(entry, options, want_cert=True): ++ """ ++ Set certificate attributes into the entry. 
Depending on ++ options, this may contact Dogtag to retrieve certificate or ++ chain. If the retrieval fails with 404 (which can occur under ++ normal operation due to lightweight CA key replication delay), ++ return a message object that should be set in the response. ++ ++ """ + try: + ca_id = entry['ipacaid'][0] + except KeyError: +- return ++ return None + full = options.get('all', False) + want_chain = options.get('chain', False) + + want_data = want_cert or want_chain or full + if not want_data: +- return ++ return None ++ ++ msg = None + + with api.Backend.ra_lightweight_ca as ca_api: + if want_cert or full: +- der = ca_api.read_ca_cert(ca_id) +- entry['certificate'] = base64.b64encode(der).decode('ascii') ++ try: ++ der = ca_api.read_ca_cert(ca_id) ++ entry['certificate'] = base64.b64encode(der).decode('ascii') ++ except errors.HTTPRequestError as e: ++ if e.status == 404: # pylint: disable=no-member ++ msg = messages.LightweightCACertificateNotAvailable( ++ ca=entry['cn'][0]) ++ else: ++ raise e + + if want_chain or full: +- pkcs7_der = ca_api.read_ca_chain(ca_id) +- certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER) +- ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs] +- entry['certificate_chain'] = ders +- ++ try: ++ pkcs7_der = ca_api.read_ca_chain(ca_id) ++ certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER) ++ ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs] ++ entry['certificate_chain'] = ders ++ except errors.HTTPRequestError as e: ++ if e.status == 404: # pylint: disable=no-member ++ msg = messages.LightweightCACertificateNotAvailable( ++ ca=entry['cn'][0]) ++ else: ++ raise e ++ ++ return msg + + @register() + class ca_find(LDAPSearch): +@@ -198,7 +223,9 @@ class ca_find(LDAPSearch): + result = super(ca_find, self).execute(*keys, **options) + if not options.get('pkey_only', False): + for entry in result['result']: +- set_certificate_attrs(entry, options, want_cert=False) ++ msg = set_certificate_attrs(entry, options, 
want_cert=False) ++ if msg: ++ self.add_message(msg) + return result + + +@@ -220,7 +247,9 @@ class ca_show(LDAPRetrieve): + def execute(self, *keys, **options): + ca_enabled_check(self.api) + result = super(ca_show, self).execute(*keys, **options) +- set_certificate_attrs(result['result'], options) ++ msg = set_certificate_attrs(result['result'], options) ++ if msg: ++ self.add_message(msg) + return result + + +@@ -284,7 +313,9 @@ class ca_add(LDAPCreate): + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +- set_certificate_attrs(entry_attrs, options) ++ msg = set_certificate_attrs(entry_attrs, options) ++ if msg: ++ self.add_message(msg) + return dn + + +-- +2.20.1 + diff --git a/SOURCES/0058-Fix-CustodiaClient-ccache-handling.patch b/SOURCES/0058-Fix-CustodiaClient-ccache-handling.patch new file mode 100644 index 0000000..1d60244 --- /dev/null +++ b/SOURCES/0058-Fix-CustodiaClient-ccache-handling.patch 
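Review bot: On the client side, `--certificate-out` now returns success without writing `filename` when the server omits `certificate`/`certificate_chain`, and any file already at that path is left as it was, so a script that runs `ipa ca-show --certificate-out FILE` and then loads FILE can quietly continue with a stale or absent CA certificate; the warning the CLI prints is invisible to a non-interactive caller that only checks the exit status. I would fail explicitly when a file was requested but nothing usable came back, e.g. `if certs is None: raise errors.RemoteRetrieveError(reason=...)` — whether `errors` is imported in ipaclient/plugins/ca.py is outside this hunk (the existing `error=str(e)` suggests some error class is in scope). On the server side `LightweightCACertificateNotAvailable` is declared with `type = "error"` yet is attached as a non-fatal message; if the intent is a warning, `type = "warning"` keeps the message type honest for API consumers. Also `raise e` inside the two `except errors.HTTPRequestError as e:` blocks should be a bare `raise` so the original traceback survives on Python 2.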
@@ -0,0 +1,275 @@ +From 240617674f83305b2a27899aa83f6af0caa69c9c Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 12 Jun 2019 22:02:52 +0200 +Subject: [PATCH] Fix CustodiaClient ccache handling + +A CustodiaClient object has to the process environment a bit, e.g. set +up GSSAPI credentials. To reuse the credentials in libldap connections, +it is also necessary to set up a custom ccache store and to set the +environment variable KRBCCNAME temporarily. + +Fixes: https://pagure.io/freeipa/issue/7964 +Co-Authored-By: Fraser Tweedale +Signed-off-by: Christian Heimes +Reviewed-By: Christian Heimes +Reviewed-By: Fraser Tweedale +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + install/tools/ipa-pki-retrieve-key | 33 ++++--- + ipaserver/secrets/client.py | 143 ++++++++++++++++------------- + 2 files changed, 100 insertions(+), 76 deletions(-) + +diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key +index 5056682c3cdaa734be2dadcffd7de0b2d80afaf9..192022b9b40f076e88fd95d5cc8cf8305901dcf5 100755 +--- a/install/tools/ipa-pki-retrieve-key ++++ b/install/tools/ipa-pki-retrieve-key +@@ -2,9 +2,8 @@ + + from __future__ import print_function + ++import argparse + import os +-import sys +-import traceback + + from ipalib import constants + from ipalib.config import Env +@@ -16,27 +15,37 @@ def main(): + env = Env() + env._finalize() + +- keyname = "ca_wrapped/" + sys.argv[1] +- servername = sys.argv[2] ++ parser = argparse.ArgumentParser("ipa-pki-retrieve-key") ++ parser.add_argument("keyname", type=str) ++ parser.add_argument("servername", type=str) ++ ++ args = parser.parse_args() ++ keyname = "ca_wrapped/{}".format(args.keyname) + + service = constants.PKI_GSSAPI_SERVICE_NAME + client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') + client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + ++ for filename in [client_keyfile, client_keytab]: ++ if not os.access(filename, os.R_OK): ++ 
parser.error( ++ "File '{}' missing or not readable.\n".format(filename) ++ ) ++ + # pylint: disable=no-member + client = CustodiaClient( +- client_service='%s@%s' % (service, env.host), server=servername, +- realm=env.realm, ldap_uri="ldaps://" + env.host, +- keyfile=client_keyfile, keytab=client_keytab, +- ) ++ client_service="{}@{}".format(service, env.host), ++ server=args.servername, ++ realm=env.realm, ++ ldap_uri="ldaps://" + env.host, ++ keyfile=client_keyfile, ++ keytab=client_keytab, ++ ) + + # Print the response JSON to stdout; it is already in the format + # that Dogtag's ExternalProcessKeyRetriever expects + print(client.fetch_key(keyname, store=False)) + + +-try: ++if __name__ == '__main__': + main() +-except BaseException: +- traceback.print_exc() +- sys.exit(1) +diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py +index 16e7856185aa9786007d3b7f8be0652f70fb4518..40df6c4e69cd673dd8e3c36fbf33f2cda8544a67 100644 +--- a/ipaserver/secrets/client.py ++++ b/ipaserver/secrets/client.py +@@ -1,93 +1,106 @@ + # Copyright (C) 2015 IPA Project Contributors, see COPYING for license + + from __future__ import print_function, absolute_import ++ ++import contextlib ++import os ++from base64 import b64encode ++ ++ + # pylint: disable=relative-import + from custodia.message.kem import KEMClient, KEY_USAGE_SIG, KEY_USAGE_ENC + # pylint: enable=relative-import + from jwcrypto.common import json_decode + from jwcrypto.jwk import JWK ++from ipalib.krb_utils import krb5_format_service_principal_name + from ipaserver.secrets.kem import IPAKEMKeys +-from ipaserver.secrets.store import iSecStore ++from ipaserver.secrets.store import IPASecStore + from ipaplatform.paths import paths +-from base64 import b64encode +-import ldapurl + import gssapi +-import os +-import urllib3 + import requests + + +-class CustodiaClient(object): +- +- def _client_keys(self): +- return self.ikk.server_keys +- +- def _server_keys(self, server, realm): +- principal = 'host/%s@%s' 
% (server, realm) +- sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG))) +- ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC))) +- return (sk, ek) +- +- def _ldap_uri(self, realm): +- dashrealm = '-'.join(realm.split('.')) +- socketpath = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % (dashrealm,) +- return 'ldapi://' + ldapurl.ldapUrlEscape(socketpath) +- +- def _keystore(self, realm, ldap_uri, auth_type): +- config = dict() +- if ldap_uri is None: +- config['ldap_uri'] = self._ldap_uri(realm) +- else: +- config['ldap_uri'] = ldap_uri +- if auth_type is not None: +- config['auth_type'] = auth_type ++@contextlib.contextmanager ++def ccache_env(ccache): ++ """Temporarily set KRB5CCNAME environment variable ++ """ ++ orig_ccache = os.environ.get('KRB5CCNAME') ++ os.environ['KRB5CCNAME'] = ccache ++ try: ++ yield ++ finally: ++ os.environ.pop('KRB5CCNAME', None) ++ if orig_ccache is not None: ++ os.environ['KRB5CCNAME'] = orig_ccache + +- return iSecStore(config) + +- def __init__( +- self, client_service, keyfile, keytab, server, realm, +- ldap_uri=None, auth_type=None): ++class CustodiaClient(object): ++ def __init__(self, client_service, keyfile, keytab, server, realm, ++ ldap_uri=None, auth_type=None): ++ if client_service.endswith(realm) or "@" not in client_service: ++ raise ValueError( ++ "Client service name must be a GSS name (service@host), " ++ "not '{}'.".format(client_service) ++ ) + self.client_service = client_service + self.keytab = keytab +- +- # Init creds immediately to make sure they are valid. Creds +- # can also be re-inited by _auth_header to avoid expiry. 
+- # +- self.creds = self.init_creds() +- +- self.service_name = gssapi.Name('HTTP@%s' % (server,), +- gssapi.NameType.hostbased_service) + self.server = server ++ self.realm = realm ++ self.ldap_uri = ldap_uri ++ self.auth_type = auth_type ++ self.service_name = gssapi.Name( ++ 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service ++ ) ++ self.keystore = IPASecStore() ++ # use in-process MEMORY ccache. Handler process don't need a TGT. ++ token = b64encode(os.urandom(8)).decode('ascii') ++ self.ccache = 'MEMORY:Custodia_{}'.format(token) ++ ++ with ccache_env(self.ccache): ++ # Init creds immediately to make sure they are valid. Creds ++ # can also be re-inited by _auth_header to avoid expiry. ++ self.creds = self._init_creds() ++ ++ self.ikk = IPAKEMKeys( ++ {'server_keys': keyfile, 'ldap_uri': ldap_uri} ++ ) ++ self.kemcli = KEMClient( ++ self._server_keys(), self._client_keys() ++ ) + +- self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri}) +- +- self.kemcli = KEMClient(self._server_keys(server, realm), +- self._client_keys()) +- +- self.keystore = self._keystore(realm, ldap_uri, auth_type) +- +- # FIXME: Remove warnings about missing subjAltName for the +- # requests module +- urllib3.disable_warnings() ++ def _client_keys(self): ++ return self.ikk.server_keys + +- def init_creds(self): +- name = gssapi.Name(self.client_service, +- gssapi.NameType.hostbased_service) +- store = {'client_keytab': self.keytab, +- 'ccache': 'MEMORY:Custodia_%s' % b64encode( +- os.urandom(8)).decode('ascii')} ++ def _server_keys(self): ++ principal = krb5_format_service_principal_name( ++ 'host', self.server, self.realm ++ ) ++ sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG))) ++ ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC))) ++ return sk, ek ++ ++ def _init_creds(self): ++ name = gssapi.Name( ++ self.client_service, gssapi.NameType.hostbased_service ++ ) ++ store = { ++ 'client_keytab': self.keytab, ++ 'ccache': 
self.ccache ++ } + return gssapi.Credentials(name=name, store=store, usage='initiate') + + def _auth_header(self): +- if not self.creds or self.creds.lifetime < 300: +- self.creds = self.init_creds() +- ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds) ++ if self.creds.lifetime < 300: ++ self.creds = self._init_creds() ++ ctx = gssapi.SecurityContext( ++ name=self.service_name, ++ creds=self.creds ++ ) + authtok = ctx.step() + return {'Authorization': 'Negotiate %s' % b64encode( + authtok).decode('ascii')} + + def fetch_key(self, keyname, store=True): +- + # Prepare URL + url = 'https://%s/ipa/keys/%s' % (self.server, keyname) + +@@ -99,9 +112,11 @@ class CustodiaClient(object): + headers = self._auth_header() + + # Perform request +- r = requests.get(url, headers=headers, +- verify=paths.IPA_CA_CRT, +- params={'type': 'kem', 'value': request}) ++ r = requests.get( ++ url, headers=headers, ++ verify=paths.IPA_CA_CRT, ++ params={'type': 'kem', 'value': request} ++ ) + r.raise_for_status() + reply = r.json() + +-- +2.20.1 + diff --git a/SOURCES/0059-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch b/SOURCES/0059-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch new file mode 100644 index 0000000..cceae12 --- /dev/null +++ b/SOURCES/0059-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch 
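Review bot: `ccache_env` only wraps `__init__`, so any GSSAPI-backed LDAP access after construction — the credential re-initialisation in `_auth_header` when `lifetime < 300`, and whatever `fetch_key(..., store=True)` does with `self.keystore` after the HTTP request (that tail of `fetch_key` is outside the hunk) — runs with `KRB5CCNAME` restored to the caller's value rather than pointing at the MEMORY ccache. If the store path performs a SASL/GSSAPI bind, `store=True` callers would hit the original ccache problem again; wrapping the body of `fetch_key` in `with ccache_env(self.ccache):` (or stating in its docstring that only `store=False` is supported from a handler process) would settle it. `ccache_env` also mutates process-global state; a docstring line such as `Not thread-safe: temporarily rewrites os.environ for the whole process.` is worth adding. Dropping `urllib3.disable_warnings()` is the right call — TLS warnings from `requests` are no longer silenced while `verify=paths.IPA_CA_CRT` stays in place.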
@@ -0,0 +1,43 @@
+From 8b315055de462005b6b3a5893f7131eb8ddd2640 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Wed, 19 Jun 2019 19:11:39 +1000
+Subject: [PATCH] CustodiaClient: use ldapi when ldap_uri not specified
+
+Reinstate ldap_uri selection behaviour that was lost during the
+refactor in the previous commit. This is required because, on the
+ipa-4-7 branch at least, the IPASecStore needs to use LDAPI to set
+the Directory Manager passphrase digest. Use LDAPI when the
+ldap_uri has not been explicity specified.
+
+Part of: https://pagure.io/freeipa/issue/7964
+
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/secrets/client.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
+index 40df6c4e69cd673dd8e3c36fbf33f2cda8544a67..4c03ef8e4140dd507156d88941600a234b71184e 100644
+--- a/ipaserver/secrets/client.py
++++ b/ipaserver/secrets/client.py
+@@ -13,6 +13,7 @@ from custodia.message.kem import KEMClient, KEY_USAGE_SIG, KEY_USAGE_ENC
+ from jwcrypto.common import json_decode
+ from jwcrypto.jwk import JWK
+ from ipalib.krb_utils import krb5_format_service_principal_name
++from ipaserver.install.installutils import realm_to_ldapi_uri
+ from ipaserver.secrets.kem import IPAKEMKeys
+ from ipaserver.secrets.store import IPASecStore
+ from ipaplatform.paths import paths
+@@ -46,7 +47,7 @@ class CustodiaClient(object):
+ self.keytab = keytab
+ self.server = server
+ self.realm = realm
+- self.ldap_uri = ldap_uri
++ self.ldap_uri = ldap_uri or realm_to_ldapi_uri(realm)
+ self.auth_type = auth_type
+ self.service_name = gssapi.Name(
+ 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service
+--
+2.20.1
+
diff --git a/SOURCES/0060-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch b/SOURCES/0060-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch
new file mode 100644
index 0000000..4096617
--- /dev/null
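Review bot: The ldapi fallback is applied to `self.ldap_uri` only, while `IPAKEMKeys` — constructed a few lines later in the same `__init__`, outside this hunk but visible in the preceding 0058 patch as `IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})` — still receives the raw `ldap_uri` argument, so when a caller passes `None` the KEM key lookup and the secret store can end up pointed at different directory endpoints. Passing the resolved value there, `IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': self.ldap_uri})`, keeps both on the same URI — unless `IPAKEMKeys` has its own `None` handling, which is not visible here. Importing `realm_to_ldapi_uri` from `ipaserver.install.installutils` also pulls an installer module into the runtime secrets client; if that helper has a lighter home it would be the better import.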
+++ b/SOURCES/0060-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch @@ -0,0 +1,41 @@ +From a42c4c1be12f64228f196b42f30fb57019e3943e Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 30 Jul 2019 16:21:35 +1000 +Subject: [PATCH] CustodiaClient: fix IPASecStore config on ipa-4-7 + +The backport of a Custodia client fix for f30 and related refactors +and improvements, to the ipa-4-7 branch, had no conflicts. But +there is a change on newer branches that broke the backport. The +running of Custodia handlers in separate processes simplified the +configuration of the ISecStore. For ipa-4-7 we need to continue to +explicitly configure it, so restore the old configuration behaviour. + +Part of: https://pagure.io/freeipa/issue/7964 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + ipaserver/secrets/client.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py +index 4c03ef8e4140dd507156d88941600a234b71184e..2363b081dbbf3671e8147497bb52811825bdf1a4 100644 +--- a/ipaserver/secrets/client.py ++++ b/ipaserver/secrets/client.py +@@ -52,7 +52,12 @@ class CustodiaClient(object): + self.service_name = gssapi.Name( + 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service + ) +- self.keystore = IPASecStore() ++ ++ config = {'ldap_uri': self.ldap_uri} ++ if auth_type is not None: ++ config['auth_type'] = auth_type ++ self.keystore = IPASecStore(config) ++ + # use in-process MEMORY ccache. Handler process don't need a TGT. + token = b64encode(os.urandom(8)).decode('ascii') + self.ccache = 'MEMORY:Custodia_{}'.format(token) +-- +2.20.1 + diff --git a/SOURCES/0061-Bump-krb5-min-version.patch b/SOURCES/0061-Bump-krb5-min-version.patch new file mode 100644 index 0000000..fca1a71 --- /dev/null +++ b/SOURCES/0061-Bump-krb5-min-version.patch 
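Review bot: `IPASecStore(config)` is now built before the `with ccache_env(self.ccache):` block that the same `__init__` uses to make libldap pick up the MEMORY ccache, so if the store opens a GSSAPI-bound LDAP connection at construction time it does so under the caller's `KRB5CCNAME`, not the one prepared for it. Whether `IPASecStore.__init__` connects eagerly, or whether `auth_type` can select GSSAPI, is not visible here; if either holds, moving these lines inside the `with` block after `self._init_creds()` is the safer ordering. A one-line comment on the `config` dict naming what `auth_type` falls back to when `None` would also help the next reader, since that default is decided inside `IPASecStore`.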
@@ -0,0 +1,34 @@ +From b62a0a59b3a1b07d5b5868ca0061b4af9b97e203 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 25 Sep 2019 16:43:25 +1000 +Subject: [PATCH] Bump krb5 min version + +krb5-1.15.1-36 introduced a ccache behavioural change that broke +lightweight CA key replication. The preceding commits (backported +from the ipa-4-7 branch) fix this issue but this commit ensure that +the correct version of krb5 is used with the updated FreeIPA code. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1755223 +Reviewed-By: Rob Crittenden +--- + freeipa.spec.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index a18a5b4aab335ad104f1263fa3ae8b26659c3095..72b328a723dd86c3f84a7c86ec68f224e8880af8 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -49,8 +49,8 @@ + + %global alt_name ipa + %if 0%{?rhel} +-# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +-%global krb5_version 1.15.1-4 ++# 1.15.1-36: https://bugzilla.redhat.com/show_bug.cgi?id=1755223 ++%global krb5_version 1.15.1-36 + # 0.7.16: https://github.com/drkjam/netaddr/issues/71 + %global python_netaddr_version 0.7.5-8 + # Require 4.7.0 which brings Python 3 bindings +-- +2.20.1 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index 1868627..2aaf85a 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From c70d8d9db7cdfd0ccea8970318effc433a705ece Mon Sep 17 00:00:00 2001 +From 6a6ce48f49a66edaead21c491cc1b09ae137e63f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management 
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index 5965d23..c6e1baf 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From bf981a8e9c5149aedeb1a7b5195aa52b8daf9f79 Mon Sep 17 00:00:00 2001 +From 13af793c9216b956b8fb6e398727f6c24a8865cc Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -10,7 +10,7 @@ This reverts commit f4c7f1dd8a9ce530a8291219a904686ee47e59c7. 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in -index a18a5b4aab335ad104f1263fa3ae8b26659c3095..093df7e2bb3d11381e37a6d150858c1f1680b61d 100644 +index 72b328a723dd86c3f84a7c86ec68f224e8880af8..488cf9c02be3e96ffde7ab2f2c3d80b9c82d428a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1489,6 +1489,7 @@ fi diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 215dd4d..857ed39 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From 2eb2979487c55b542f8c3af1a3bf3ac00fec7a57 Mon Sep 17 00:00:00 2001 +From 6c381a943b76f56b3785b0288c6d8e6d6a3a43ff Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index 37574cd..e1b6be8 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From 1c884659987140a34ce70e1fb55eb82e8f91b70a Mon Sep 17 00:00:00 2001 +From 9c081314d0d6bd4d06b8982e575808cc31dcf81e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen 
@@ -39,7 +39,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl diff --git a/freeipa.spec.in b/freeipa.spec.in -index 093df7e2bb3d11381e37a6d150858c1f1680b61d..60da86b27fe603488b5172e591d4478c76c5181d 100644 +index 488cf9c02be3e96ffde7ab2f2c3d80b9c82d428a..6636b9474564ab48d2f804c3854d33a1b071f2c8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -248,7 +248,6 @@ BuildRequires: python2-sssdconfig diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 68b5f03..805a6b3 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From 86f46e3669503e47c95bbe4aab8ba121a9cb5a17 Mon Sep 17 00:00:00 2001 +From dbb765507f3c691e437cf6284fb388d91ab630dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index de633cf..e4ee136 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -42,8 +42,8 @@ %global alt_name freeipa %if 0%{?rhel} -# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) -%global krb5_version 1.15.1-4 +# 1.15.1-36: https://bugzilla.redhat.com/show_bug.cgi?id=1755223 +%global krb5_version 1.15.1-36 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 4.7.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 
@@ -102,7 +102,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 11%{?dist} +Release: 11%{?dist}.3 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -110,9 +110,9 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -170,6 +170,14 @@ Patch0050: 0050-ipa-cert-fix-fix-spurious-renewal-master-change.patch Patch0051: 0051-adtrust-upgrade-fix-wrong-primary-principal-name.patch Patch0052: 0052-adtrust-upgrade-fix-wrong-primary-principal-name-par.patch Patch0053: 0053-trust-fetch-domains-make-sure-we-use-right-KDC-when-.patch +Patch0054: 0054-add-default-access-control-when-migrating-trust-obje.patch +Patch0055: 0055-adtrust-add-default-read_keys-permission-for-TDO-obj.patch +Patch0056: 0056-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch +Patch0057: 0057-Handle-missing-LWCA-certificate-or-chain.patch +Patch0058: 0058-Fix-CustodiaClient-ccache-handling.patch +Patch0059: 0059-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch +Patch0060: 0060-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch +Patch0061: 0061-Bump-krb5-min-version.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch 
@@ -423,10 +431,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 - -%if 0%{?centos} == 0 Requires: system-logos >= 70.7.0 -%endif Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -976,9 +981,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1002,8 +1007,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} %make_build @@ -1024,8 +1028,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} popd %endif # with_python3 @@ -1104,11 +1107,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; -%if 0%{?centos} == 0 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png # RHEL spec file only: END: Replace login-screen-logo.png with a symlink -%endif %find_lang %{gettext_domain} 
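Review bot: Nothing in the spec pins which ipaplatform module a CentOS build gets once `--with-ipaplatform=rhel` is removed from the `%configure` call in the `@@ -1002,8 +1007,7 @@` hunk (and its python3 twin in the following hunk), since the same diff also drops every `0%{?centos}` guard and leaves platform selection to configure's autodetection. The platform module decides service names, file paths and the SELinux/firewall handling the installer relies on, so a silent fallback to a different module, or a configure failure if the detected OS ID has no module, is a functional and security-relevant difference rather than a branding one. If the intent is to keep building the RHEL platform on CentOS, I would keep the explicit selection in both `%configure` invocations: `%{linter_options} \` followed by `--with-ipaplatform=rhel`, or record in the changelog why autodetection is now sufficient. configure.ac is not visible here, so whether autodetect maps ID=centos to the rhel module is an assumption to confirm before merging.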
@@ -1751,8 +1752,19 @@ fi %changelog -* Tue Aug 06 2019 CentOS Sources - 4.6.5-11.el7.centos -- Roll in CentOS Branding +* Mon Sep 30 2019 Florence Blanc-Renaud - 4.6.5-11.el7_7.3 +- Resolves: #1756914 - Sub-CA key replication failure + - Handle missing LWCA certificate or chain + - Fix CustodiaClient ccache handling + - CustodiaClient: use ldapi when ldap_uri not specified + - CustodiaClient: fix IPASecStore config on ipa-4-7 + - Bump krb5 min version + +* Tue Sep 17 2019 Florence Blanc-Renaud - 4.6.5-11.el7_7.2 +- Resolves: #1752740 - when migrating trusted domain object structure, add default access control definitions, if they were missing in old trust objects + - add default access control when migrating trust objects + - adtrust: add default read_keys permission for TDO objects + - Disable deprecated-lambda check in adtrust upgrade code * Fri Jun 28 2019 Florence Blanc-Renaud - 4.6.5-11.el7 - Resolves: 1723473 - ipa upgrade fails with trust entry already exists