From 14e4011027214bd2c33ef4975a3ed43486e4de70 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Sat, 23 Oct 2021 23:19:57 -0600
Subject: [PATCH 1/3] Fixes gleaned from the following DOGTAG_10_5_COMMITS:
commit 68ef0c8a4208b9deea819c41d65639edd6de8e8c
Author: Chris Kelley <ckelley@redhat.com>
Date: Tue Aug 31 12:41:06 2021 +0100
Fix navigation buttons in CA EE list certs page
commit 64e6acd3e035ecb0eb84d8fe47cd513eb8eaeb3b
Author: Jon Parrish <jonathon.d.parrish2.ctr@mail.mil>
Date: Thu Oct 7 16:39:38 2021 +0000
Close table so that top navigation is at the top
---
base/ca/shared/webapps/ca/ee/ca/queryCert.template | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/base/ca/shared/webapps/ca/ee/ca/queryCert.template b/base/ca/shared/webapps/ca/ee/ca/queryCert.template
index 878e3be..65718e1 100644
--- a/base/ca/shared/webapps/ca/ee/ca/queryCert.template
+++ b/base/ca/shared/webapps/ca/ee/ca/queryCert.template
@@ -336,7 +336,7 @@ if (result.recordSet.length == 0) {
);
document.write("\n"+
- "\n");
+ "\n");
displayNextForm();
document.write(
@@ -370,7 +370,7 @@ document.write("\n");
}
document.write("\n"+
- "\n");
+ "\n");
if (result.header.revokeAll != null && result.header.totalRecordCount > 1) {
displayRevokeAllForm(result.header.totalRecordCount);
@@ -407,7 +407,7 @@ function renderNextButtonElement(name, label, disabled)
result.innerText = label;
result.width = 72;
result.disabled = disabled ? true : false;
- result.onClick = () => doNext(result);
+ result.onclick = () => doNext(result);
return result;
}
--
1.8.3.1
From 33fd6ff7de3c847939269ca1307d5854af258d4c Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 11 Oct 2021 16:26:19 -0700
Subject: [PATCH 2/3] Bug2007405-pkispawn bails out too easily in
validate_system_cert
For pkispawn, in def validate_system_cert, it appears some unexpected
conditions could happen that would trigger failure to
pki-server subsystem-cert-validate
Some of these conditions probably could have been resolved manually
if installation were allowed to complete.
This patch is to print out the result as information then allow the
installation to continue. It doesn't necessarily mean that the
installation will succeed, but it will at least go further to allow
for better investigation.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2007405
(cherry picked from commit 656d3426cc3ace5cac3624384e05c4233caae022)
---
base/server/python/pki/server/__init__.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 3512e94..3856c85 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -450,9 +450,12 @@ class PKISubsystem(object):
logger.debug('Command: %s', ' '.join(cmd))
- subprocess.check_output(
- cmd,
- stderr=subprocess.STDOUT)
+ try:
+ print(subprocess.check_output(
+ cmd,
+ stderr=subprocess.STDOUT))
+ except subprocess.CalledProcessError as v:
+ print("pki-server subsystem-cert-validate stdout output:\n", v.output)
def export_system_cert(
self,
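Review bot: The new `except` at the end of the hunk turns a failed `pki-server subsystem-cert-validate` into a bare `print`, so the exit code and the fact that validation failed are not recorded anywhere, and because `check_output` returns bytes both prints emit a `b'...'` repr instead of the tool's text. The method already has a `logger`, so report it at warning level with the return code, e.g. `except subprocess.CalledProcessError as e:` / `logger.warning('pki-server subsystem-cert-validate failed (exit %d), continuing:\n%s', e.returncode, e.output.decode('utf-8', 'replace'))`, and decode the success output the same way. The captured stream is stdout and stderr merged (`stderr=subprocess.STDOUT`), so the "stdout output" label is also misleading. The enclosing method starts before the hunk; per the commit message it is presumably `validate_system_cert`.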
--
1.8.3.1
From 82a3f261c83c33c395f4ee720b3cb09c9007580c Mon Sep 17 00:00:00 2001
From: Andrew Wnuk <92763627+ajwnuk@users.noreply.github.com>
Date: Thu, 21 Oct 2021 15:17:55 -0700
Subject: [PATCH 3/3] Authentication issue #3629 (#3787)
Co-authored-by: Andrew Wnuk <awnuk@purestorage.com>
(cherry picked from commit cf3fb92a029991da029ba81b5f68e254e44532d7)
---
.../authentication/UserPwdDirAuthentication.java | 150 +++++++++++++++++++++
1 file changed, 150 insertions(+)
diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
index ead8650..faaefb6 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
@@ -18,12 +18,21 @@
package com.netscape.cms.authentication;
// ldap java sdk
+import java.util.ArrayList;
import java.util.Enumeration;
+import java.util.HashMap;
import java.util.Locale;
+import java.util.Map;
import java.util.Vector;
+
import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv2;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
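Review bot: `import netscape.ldap.LDAPConnection;` is added on the new side although the same import already exists three lines above it; the JLS tolerates a duplicate single-type import of the same type, but it reads as a merge slip and should be dropped. `LDAPv2` is imported as well, yet none of the hunks in this patch reference it (the new search uses `LDAPConnection.SCOPE_BASE`); if nothing else in the file needs it, remove that line too. The new `java.util` imports are all used by the later hunks.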
@@ -44,6 +53,8 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
import com.netscape.certsrv.property.Descriptor;
import com.netscape.certsrv.property.IDescriptor;
import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
// cert server x509 imports
// java sdk imports.
@@ -65,6 +76,12 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
protected String mAttrName = null;
protected String mAttrDesc = null;
+ protected String mMemberAttrName = null;
+ protected String mMemberAttrValue = null;
+ protected String mInternalGroup = null;
+ protected boolean mInternalUserRequired = false;
+ protected IUGSubsystem mUGS = null;
+ protected String mAttrs[] = null;
/* Holds configuration parameters accepted by this implementation.
* This list is passed to the configuration console so configuration
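Review bot: `protected String mAttrs[] = null;` uses the C-style array declarator while the surrounding fields are written Java style; make it `protected String[] mAttrs = null;`. None of the six new fields carries a comment although they decide what the post-bind checks do; a one-liner each, e.g. `// attributes fetched from the user entry after bind; built once in init()` on `mAttrs` and `// user/group subsystem, only looked up when mInternalUserRequired` on `mUGS`, would spare the next reader a trip through init and authenticate. The class body continues outside the hunk.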
@@ -82,6 +99,10 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
"ldap.basedn",
"ldap.attrName",
"ldap.attrDesc",
+ "ldap.memberAttrName",
+ "ldap.memberAttrValue",
+ "ldap.internalUserRequired",
+ "ldap.internalGroup",
"ldap.minConns",
"ldap.maxConns",
};
@@ -138,6 +159,36 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
}
CMS.debug("UserPwdDirAuthentication init mAttr=" + mAttr +
" mAttrName=" + mAttrName + " mAttrDesc=" + mAttrDesc);
+
+ // Optional attribute, which presence and value have to be checked if included in configuration
+ mMemberAttrName = mLdapConfig.getString("memberAttrName", null);
+ mMemberAttrName = (mMemberAttrName != null)? mMemberAttrName.trim(): mMemberAttrName;
+ if (mMemberAttrName != null && mMemberAttrName.length() > 0) {
+ mMemberAttrValue = mLdapConfig.getString("memberAttrValue", null);
+ mMemberAttrValue = (mMemberAttrValue != null)? mMemberAttrValue.trim(): mMemberAttrValue;
+ CMS.debug("UserPwdDirAuthentication init mMemberAttrName=" + mMemberAttrName + " mMemberAttrValue=" + mMemberAttrValue);
+ }
+ // Optional attribute, which indicates local user entry presence that have to be checked if included in configuration
+ mInternalUserRequired = mLdapConfig.getBoolean("internalUserRequired", false);
+ CMS.debug("UserPwdDirAuthentication init mInternalUserRequired=" + mInternalUserRequired);
+ mInternalGroup = mLdapConfig.getString("internalGroup", null);
+ mInternalGroup = (mInternalGroup != null)? mInternalGroup.trim(): mInternalGroup;
+ if (mInternalGroup != null && mInternalGroup.length() > 0) {
+ mInternalUserRequired = true;
+ CMS.debug("UserPwdDirAuthentication init mInternalGroup=" + mInternalGroup);
+ }
+ if (mInternalUserRequired) {
+ mUGS = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ }
+
+ ArrayList<String> attrList = new ArrayList<>();
+ if (mInternalUserRequired) {
+ attrList.add(CRED_UID);
+ }
+ if (mMemberAttrName != null && mMemberAttrName.length() > 0 && !mMemberAttrName.equalsIgnoreCase(CRED_UID)) {
+ attrList.add(mMemberAttrName);
+ }
+ mAttrs = (String[])attrList.toArray(new String[attrList.size()]);
}
/**
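Review bot: The attribute-list construction at the end of the hunk does not agree with the lookups in the `authenticate` hunk further down: `mMemberAttrName` is left out of `attrList` whenever it `equalsIgnoreCase(CRED_UID)`, but `entryAttributes` is later keyed by the exact strings in `mAttrs` and read with `entryAttributes.get(mMemberAttrName)`, so an `ldap.memberAttrName` that differs from `CRED_UID` only in case is never found, and with `internalUserRequired` false a `memberAttrName` equal to `CRED_UID` leaves `mAttrs` empty and every login is rejected. Normalise the configured name to `CRED_UID` once and add it when absent instead of skipping it, which also makes the redundant cast in `(String[])attrList.toArray(new String[attrList.size()])` unnecessary. Both outcomes fail closed, so this is a configuration trap rather than a bypass. The enclosing `init` starts before the hunk.
```java
        // … unchanged: reading memberAttrName / memberAttrValue / internalUserRequired / internalGroup …
        if (mMemberAttrName != null && mMemberAttrName.length() > 0
                && mMemberAttrName.equalsIgnoreCase(CRED_UID)) {
            // canonical spelling, so the map lookups in authenticate() hit the same key
            mMemberAttrName = CRED_UID;
        }
        ArrayList<String> attrList = new ArrayList<>();
        if (mInternalUserRequired) {
            attrList.add(CRED_UID);
        }
        if (mMemberAttrName != null && mMemberAttrName.length() > 0 && !attrList.contains(mMemberAttrName)) {
            attrList.add(mMemberAttrName);
        }
        mAttrs = attrList.toArray(new String[0]);
```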
@@ -182,6 +233,105 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
// bind as user dn and pwd - authenticates user with pwd.
conn.authenticate(userdn, pwd);
CMS.debug("Authenticated: userdn=" + userdn);
+
+ LDAPEntry entry = null;
+ Map<String, String[]> entryAttributes = new HashMap<String, String[]>();
+ if (mAttrs != null && mAttrs.length > 0) {
+ LDAPSearchResults results = conn.search(userdn, LDAPConnection.SCOPE_BASE, null, mAttrs, false);
+ if (results != null && results.hasMoreElements()) {
+ entry = results.next();
+ if (entry != null) {
+ CMS.debug("Reviewing entry: " + entry.getDN());
+ for (int i = 0; i < mAttrs.length; i++) {
+ LDAPAttribute memberAttribute = entry.getAttribute(mAttrs[i]);
+ if (memberAttribute != null) {
+ String[] values = memberAttribute.getStringValueArray();
+ if (values != null && values.length > 0) {
+ entryAttributes.put(mAttrs[i], values);
+ }
+ }
+ }
+ }
+ }
+ }
+ if (mAttrs != null && mAttrs.length > 0 && (entry == null || entryAttributes.size() == 0)) {
+ CMS.debug("Failed to obtain data required for verification.");
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ if (mMemberAttrName != null && mMemberAttrName.length() > 0) {
+ CMS.debug("Authenticating: memberAttribute=" + mMemberAttrName);
+ String[] values = entryAttributes.get(mMemberAttrName);
+ boolean verified = false;
+ if (values != null && values.length > 0) {
+ if (mMemberAttrValue != null && mMemberAttrValue.length() > 0) {
+ for (int i = 0; i < values.length; i++) {
+ if (mMemberAttrValue.equalsIgnoreCase(values[i])) {
+ verified = true;
+ }
+ }
+ } else {
+ verified = true;
+ }
+ }
+ if (!verified) {
+ CMS.debug("Failed to verify memberAttribute");
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+
+ if (mInternalUserRequired) {
+ values = entryAttributes.get(CRED_UID);
+ verified = false;
+ if (values != null && values.length > 0) {
+ for (int i = 0; i < values.length; i++) {
+ IUser user = mUGS.getUser(values[i]);
+ if (user != null) {
+ if (mInternalGroup != null && mInternalGroup.length() > 0) {
+ if (mUGS.isMemberOf(values[i], mInternalGroup)) {
+ verified = true;
+ CMS.debug("Authenticated: user='" + user.getUserDN() + "' is member of '" + mInternalGroup + "'");
+ }
+ } else {
+ verified = true;
+ CMS.debug("Authenticated: user='" + user.getUserDN() + "'");
+ }
+ }
+ }
+ }
+ if (!verified) {
+ CMS.debug("Failed to verify userAttribute");
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ }
+
+ } else {
+ if (mInternalUserRequired) {
+ String userAttr = (mAttr.equalsIgnoreCase(CRED_UID))? attr: entryAttributes.get(CRED_UID)[0];
+ if (userAttr != null && userAttr.length() > 0) {
+ CMS.debug("Authenticating: InternalUser: '" + CRED_UID + "=" + userAttr + "'");
+ IUser user = mUGS.getUser(userAttr);
+ if (user != null) {
+ if (mInternalGroup != null && mInternalGroup.length() > 0) {
+ if (mUGS.isMemberOf(userAttr, mInternalGroup)) {
+ CMS.debug("Authenticated: user='" + user.getUserDN() + "' is member of '" + mInternalGroup + "'");
+ } else {
+ CMS.debug("Authenticated: user='" + user.getUserDN() + "' is NOT member of '" + mInternalGroup + "'");
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ } else {
+ CMS.debug("Authenticated: user='" + user.getUserDN() + "'");
+ }
+ } else {
+ CMS.debug("Missing InternalUser='" + userAttr + "'");
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ } else {
+ CMS.debug("Incorrect attribute requested: '" + mAttr + "' instead of '" + CRED_UID + "'");
+ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ }
+ }
+ }
+
// set attr in the token.
token.set(mAttr, attr);
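Review bot: The internal-user check is written twice with diverging behaviour: inside the `mMemberAttrName` branch it iterates over the entry's `CRED_UID` values and calls `mUGS.getUser` on each, while the `else` branch uses the typed credential `attr` when `mAttr` is `CRED_UID`, and its group-failure path logs `Authenticated: user=... is NOT member` just before throwing. Factor the per-uid lookup into one private helper so both paths apply the same rule and log consistently; the selection of candidate uids can stay where it is. The `null` filter handed to `conn.search` would also be clearer as an explicit `"(objectClass=*)"` if that is what the SDK substitutes for null — I could not confirm that from here. `authenticate` starts before and ends after this hunk.
```java
    /** True when uid names an internal user that is also in mInternalGroup, when a group is configured. */
    private boolean isVerifiedInternalUser(String uid) /* same throws clause as authenticate() */ {
        IUser user = mUGS.getUser(uid);
        if (user == null) {
            CMS.debug("Missing InternalUser='" + uid + "'");
            return false;
        }
        if (mInternalGroup != null && mInternalGroup.length() > 0) {
            boolean member = mUGS.isMemberOf(uid, mInternalGroup);
            CMS.debug("InternalUser: user='" + user.getUserDN() + "' is " + (member ? "" : "NOT ")
                    + "member of '" + mInternalGroup + "'");
            return member;
        }
        CMS.debug("InternalUser: user='" + user.getUserDN() + "'");
        return true;
    }

    // in authenticate(), replacing both inline internal-user blocks:
    if (mInternalUserRequired) {
        // … unchanged: build String[] candidates (entry CRED_UID values, or attr when mAttr is CRED_UID) …
        boolean verified = false;
        for (String uid : candidates) {
            if (isVerifiedInternalUser(uid)) {
                verified = true;
                break;
            }
        }
        if (!verified) {
            CMS.debug("Failed to verify userAttribute");
            throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
        }
    }
```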
--
1.8.3.1