Blame SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-10.patch

92abab
From 14e4011027214bd2c33ef4975a3ed43486e4de70 Mon Sep 17 00:00:00 2001
92abab
From: Matthew Harmsen <mharmsen@redhat.com>
92abab
Date: Sat, 23 Oct 2021 23:19:57 -0600
92abab
Subject: [PATCH 1/3] Fixes gleaned from the following DOGTAG_10_5_COMMITS:
92abab
92abab
commit 68ef0c8a4208b9deea819c41d65639edd6de8e8c
92abab
Author: Chris Kelley <ckelley@redhat.com>
92abab
Date:   Tue Aug 31 12:41:06 2021 +0100
92abab
92abab
    Fix navigation buttons in CA EE list certs page
92abab
92abab
commit 64e6acd3e035ecb0eb84d8fe47cd513eb8eaeb3b
92abab
Author: Jon Parrish <jonathon.d.parrish2.ctr@mail.mil>
92abab
Date:   Thu Oct 7 16:39:38 2021 +0000
92abab
92abab
    Close table so that top navigation is at the top
92abab
---
92abab
 base/ca/shared/webapps/ca/ee/ca/queryCert.template | 6 +++---
92abab
 1 file changed, 3 insertions(+), 3 deletions(-)
92abab
92abab
diff --git a/base/ca/shared/webapps/ca/ee/ca/queryCert.template b/base/ca/shared/webapps/ca/ee/ca/queryCert.template
92abab
index 878e3be..65718e1 100644
92abab
--- a/base/ca/shared/webapps/ca/ee/ca/queryCert.template
92abab
+++ b/base/ca/shared/webapps/ca/ee/ca/queryCert.template
92abab
@@ -336,7 +336,7 @@ if (result.recordSet.length == 0) {
92abab
 	);
92abab
 
92abab
 	document.write("\n"+
92abab
-		"\n");
92abab
+		"\n");
92abab
 	displayNextForm();
92abab
 
92abab
 	document.write(
92abab
@@ -370,7 +370,7 @@ document.write("\n");
92abab
     }
92abab
 
92abab
 	document.write("\n"+
92abab
-		"\n");
92abab
+		"\n");
92abab
 
92abab
 	if (result.header.revokeAll != null && result.header.totalRecordCount > 1) {
92abab
 		displayRevokeAllForm(result.header.totalRecordCount);
92abab
@@ -407,7 +407,7 @@ function renderNextButtonElement(name, label, disabled)
92abab
     result.innerText = label;
92abab
     result.width = 72;
92abab
     result.disabled = disabled ? true : false;
92abab
-    result.onClick = () => doNext(result);
92abab
+    result.onclick = () => doNext(result);
92abab
     return result;
92abab
 }
92abab
 
92abab
-- 
92abab
1.8.3.1
92abab
92abab
92abab
From 33fd6ff7de3c847939269ca1307d5854af258d4c Mon Sep 17 00:00:00 2001
92abab
From: Christina Fu <cfu@redhat.com>
92abab
Date: Mon, 11 Oct 2021 16:26:19 -0700
92abab
Subject: [PATCH 2/3] Bug2007405-pkispawn bails out too easily in
92abab
 validate_system_cert
92abab
92abab
For pkispawn, in def validate_system_cert, it appears some unexpected
92abab
conditions could happen that would trigger failur to
92abab
  pki-server subsystem-cert-validate
92abab
92abab
Some of these conditions probably could have been resolved manually
92abab
if installation were allowed to complete.
92abab
92abab
This patch is to print out the result as information then allow the
92abab
installation to continue. It doesn't necessarily mean that the
92abab
installation will succeed, but it will at least go further to allow
92abab
for better investigation.
92abab
92abab
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2007405
92abab
92abab
(cherry picked from commit 656d3426cc3ace5cac3624384e05c4233caae022)
92abab
---
92abab
 base/server/python/pki/server/__init__.py | 9 ++++++---
92abab
 1 file changed, 6 insertions(+), 3 deletions(-)
92abab
92abab
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
92abab
index 3512e94..3856c85 100644
92abab
--- a/base/server/python/pki/server/__init__.py
92abab
+++ b/base/server/python/pki/server/__init__.py
92abab
@@ -450,9 +450,12 @@ class PKISubsystem(object):
92abab
 
92abab
         logger.debug('Command: %s', ' '.join(cmd))
92abab
 
92abab
-        subprocess.check_output(
92abab
-            cmd,
92abab
-            stderr=subprocess.STDOUT)
92abab
+        try:
92abab
+            print(subprocess.check_output(
92abab
+                cmd,
92abab
+                stderr=subprocess.STDOUT))
92abab
+        except subprocess.CalledProcessError as v:
92abab
+            print("pki-server subsystem-cert-validate stdout output:\n", v.output)
92abab
 
92abab
     def export_system_cert(
92abab
             self,
92abab
-- 
92abab
1.8.3.1
92abab
92abab
92abab
From 82a3f261c83c33c395f4ee720b3cb09c9007580c Mon Sep 17 00:00:00 2001
92abab
From: Andrew Wnuk <92763627+ajwnuk@users.noreply.github.com>
92abab
Date: Thu, 21 Oct 2021 15:17:55 -0700
92abab
Subject: [PATCH 3/3] Authentication issue #3629 (#3787)
92abab
92abab
Co-authored-by: Andrew Wnuk <awnuk@purestorage.com>
92abab
(cherry picked from commit cf3fb92a029991da029ba81b5f68e254e44532d7)
92abab
---
92abab
 .../authentication/UserPwdDirAuthentication.java   | 150 +++++++++++++++++++++
92abab
 1 file changed, 150 insertions(+)
92abab
92abab
diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
92abab
index ead8650..faaefb6 100644
92abab
--- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
92abab
+++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
92abab
@@ -18,12 +18,21 @@
92abab
 package com.netscape.cms.authentication;
92abab
 
92abab
 // ldap java sdk
92abab
+import java.util.ArrayList;
92abab
 import java.util.Enumeration;
92abab
+import java.util.HashMap;
92abab
 import java.util.Locale;
92abab
+import java.util.Map;
92abab
 import java.util.Vector;
92abab
 
92abab
+
92abab
 import netscape.ldap.LDAPConnection;
92abab
 import netscape.ldap.LDAPException;
92abab
+import netscape.ldap.LDAPAttribute;
92abab
+import netscape.ldap.LDAPConnection;
92abab
+import netscape.ldap.LDAPEntry;
92abab
+import netscape.ldap.LDAPSearchResults;
92abab
+import netscape.ldap.LDAPv2;
92abab
 
92abab
 import com.netscape.certsrv.apps.CMS;
92abab
 import com.netscape.certsrv.authentication.AuthToken;
92abab
@@ -44,6 +53,8 @@ import com.netscape.certsrv.profile.IProfileAuthenticator;
92abab
 import com.netscape.certsrv.property.Descriptor;
92abab
 import com.netscape.certsrv.property.IDescriptor;
92abab
 import com.netscape.certsrv.request.IRequest;
92abab
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
92abab
+import com.netscape.certsrv.usrgrp.IUser;
92abab
 // cert server x509 imports
92abab
 // java sdk imports.
92abab
 
92abab
@@ -65,6 +76,12 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
92abab
 
92abab
     protected String mAttrName = null;
92abab
     protected String mAttrDesc = null;
92abab
+    protected String mMemberAttrName = null;
92abab
+    protected String mMemberAttrValue = null;
92abab
+    protected String mInternalGroup = null;
92abab
+    protected boolean mInternalUserRequired = false;
92abab
+    protected IUGSubsystem mUGS = null;
92abab
+    protected String mAttrs[] = null;
92abab
 
92abab
     /* Holds configuration parameters accepted by this implementation.
92abab
      * This list is passed to the configuration console so configuration
92abab
@@ -82,6 +99,10 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
92abab
                     "ldap.basedn",
92abab
                     "ldap.attrName",
92abab
                     "ldap.attrDesc",
92abab
+                    "ldap.memberAttrName",
92abab
+                    "ldap.memberAttrValue",
92abab
+                    "ldap.internalUserRequired",
92abab
+                    "ldap.internalGroup",
92abab
                     "ldap.minConns",
92abab
                     "ldap.maxConns",
92abab
             };
92abab
@@ -138,6 +159,36 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
92abab
         }
92abab
         CMS.debug("UserPwdDirAuthentication init  mAttr=" + mAttr +
92abab
                 "  mAttrName=" + mAttrName + "  mAttrDesc=" + mAttrDesc);
92abab
+
92abab
+        // Optional attribute, which presence and value have to be checked if included in configuration
92abab
+        mMemberAttrName = mLdapConfig.getString("memberAttrName", null);
92abab
+        mMemberAttrName = (mMemberAttrName != null)? mMemberAttrName.trim(): mMemberAttrName; 
92abab
+        if (mMemberAttrName != null && mMemberAttrName.length() > 0) {
92abab
+            mMemberAttrValue = mLdapConfig.getString("memberAttrValue", null);
92abab
+            mMemberAttrValue = (mMemberAttrValue != null)? mMemberAttrValue.trim(): mMemberAttrValue; 
92abab
+            CMS.debug("UserPwdDirAuthentication init  mMemberAttrName=" + mMemberAttrName + "  mMemberAttrValue=" + mMemberAttrValue);
92abab
+        }
92abab
+        // Optional attribute, which indicates local user entry presence that have to be checked if included in configuration
92abab
+        mInternalUserRequired = mLdapConfig.getBoolean("internalUserRequired", false);
92abab
+        CMS.debug("UserPwdDirAuthentication init  mInternalUserRequired=" + mInternalUserRequired);
92abab
+        mInternalGroup = mLdapConfig.getString("internalGroup", null);
92abab
+        mInternalGroup = (mInternalGroup != null)? mInternalGroup.trim(): mInternalGroup;
92abab
+        if (mInternalGroup != null && mInternalGroup.length() > 0) {
92abab
+            mInternalUserRequired = true;
92abab
+            CMS.debug("UserPwdDirAuthentication init  mInternalGroup=" + mInternalGroup);
92abab
+        }
92abab
+        if (mInternalUserRequired) {
92abab
+            mUGS = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
92abab
+        }
92abab
+
92abab
+        ArrayList<String> attrList = new ArrayList<>();
92abab
+        if (mInternalUserRequired) {
92abab
+            attrList.add(CRED_UID);
92abab
+        }
92abab
+        if (mMemberAttrName != null && mMemberAttrName.length() > 0 && !mMemberAttrName.equalsIgnoreCase(CRED_UID)) {
92abab
+            attrList.add(mMemberAttrName);
92abab
+        }
92abab
+        mAttrs = (String[])attrList.toArray(new String[attrList.size()]);
92abab
     }
92abab
 
92abab
     /**
92abab
@@ -182,6 +233,105 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
92abab
             // bind as user dn and pwd - authenticates user with pwd.
92abab
             conn.authenticate(userdn, pwd);
92abab
             CMS.debug("Authenticated: userdn=" + userdn);
92abab
+
92abab
+            LDAPEntry entry = null;
92abab
+            Map<String, String[]> entryAttributes = new HashMap<String, String[]>();
92abab
+            if (mAttrs != null && mAttrs.length > 0) {
92abab
+                LDAPSearchResults results = conn.search(userdn, LDAPConnection.SCOPE_BASE, null, mAttrs, false);
92abab
+                if (results != null && results.hasMoreElements()) {
92abab
+                    entry = results.next();
92abab
+                    if (entry != null) {
92abab
+                        CMS.debug("Reviewing entry: " + entry.getDN());
92abab
+                        for (int i = 0; i < mAttrs.length; i++) {
92abab
+                            LDAPAttribute memberAttribute = entry.getAttribute(mAttrs[i]);
92abab
+                            if (memberAttribute != null) {
92abab
+                                String[] values = memberAttribute.getStringValueArray();
92abab
+                                if (values != null && values.length > 0) {
92abab
+                                    entryAttributes.put(mAttrs[i], values);
92abab
+                                }
92abab
+                            }
92abab
+                        }
92abab
+                    }
92abab
+                }
92abab
+            }
92abab
+            if (mAttrs != null && mAttrs.length > 0 && (entry == null || entryAttributes.size() == 0)) {
92abab
+                CMS.debug("Failed to obtain data required for verification.");
92abab
+                throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
92abab
+            }
92abab
+
92abab
+            if (mMemberAttrName != null && mMemberAttrName.length() > 0) {
92abab
+                CMS.debug("Authenticating: memberAttribute=" + mMemberAttrName);
92abab
+                String[] values = entryAttributes.get(mMemberAttrName);
92abab
+                boolean verified = false;
92abab
+                if (values != null && values.length > 0) {
92abab
+                    if (mMemberAttrValue != null && mMemberAttrValue.length() > 0) {
92abab
+                        for (int i = 0; i < values.length; i++) {
92abab
+                            if (mMemberAttrValue.equalsIgnoreCase(values[i])) {
92abab
+                                verified = true;
92abab
+                            }
92abab
+                        }
92abab
+                    } else {
92abab
+                        verified = true;
92abab
+                    }
92abab
+                }
92abab
+                if (!verified) {
92abab
+                    CMS.debug("Failed to verify memberAttribute");
92abab
+                    throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
92abab
+                }
92abab
+
92abab
+                if (mInternalUserRequired) {
92abab
+                    values = entryAttributes.get(CRED_UID);
92abab
+                    verified = false;
92abab
+                    if (values != null && values.length > 0) {
92abab
+                        for (int i = 0; i < values.length; i++) {
92abab
+                            IUser user = mUGS.getUser(values[i]);
92abab
+                            if (user != null) {
92abab
+                                if (mInternalGroup != null && mInternalGroup.length() > 0) {
92abab
+                                    if (mUGS.isMemberOf(values[i], mInternalGroup)) {
92abab
+                                        verified = true;
92abab
+                                        CMS.debug("Authenticated: user='" + user.getUserDN() + "' is member of '" + mInternalGroup + "'");
92abab
+                                    }
92abab
+                                } else {
92abab
+                                    verified = true;
92abab
+                                    CMS.debug("Authenticated: user='" + user.getUserDN() + "'");
92abab
+                                }
92abab
+                            }
92abab
+                        }
92abab
+                    }
92abab
+                    if (!verified) {
92abab
+                        CMS.debug("Failed to verify userAttribute");
92abab
+                        throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
92abab
+                    }
92abab
+                }
92abab
+
92abab
+            } else {
92abab
+                if (mInternalUserRequired) {
92abab
+                    String userAttr = (mAttr.equalsIgnoreCase(CRED_UID))? attr: entryAttributes.get(CRED_UID)[0];
92abab
+                    if (userAttr != null  && userAttr.length() > 0) {
92abab
+                        CMS.debug("Authenticating: InternalUser: '" + CRED_UID + "=" + userAttr + "'");
92abab
+                        IUser user = mUGS.getUser(userAttr);
92abab
+                        if (user != null) {
92abab
+                            if (mInternalGroup != null && mInternalGroup.length() > 0) {
92abab
+                                if (mUGS.isMemberOf(userAttr, mInternalGroup)) {
92abab
+                                    CMS.debug("Authenticated: user='" + user.getUserDN() + "' is member of '" + mInternalGroup + "'");
92abab
+                                } else {
92abab
+                                    CMS.debug("Authenticated: user='" + user.getUserDN() + "' is NOT member of '" + mInternalGroup + "'");
92abab
+                                    throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
92abab
+                                }
92abab
+                            } else {
92abab
+                                CMS.debug("Authenticated: user='" + user.getUserDN() + "'");
92abab
+                            }
92abab
+                        } else {
92abab
+                            CMS.debug("Missing InternalUser='" + userAttr + "'");
92abab
+                            throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
92abab
+                        }
92abab
+                    } else {
92abab
+                        CMS.debug("Incorrect attribute requested: '" + mAttr + "' instead of '" + CRED_UID + "'");
92abab
+                        throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
92abab
+                    }
92abab
+                }
92abab
+            }
92abab
+
92abab
             // set attr in the token.
92abab
             token.set(mAttr, attr);
92abab
 
92abab
-- 
92abab
1.8.3.1
92abab