[Freeipa-devel] [freeipa PR#766][opened] ipa-kra-install: fix check_host_keys
URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: opened PR body: """ ipa-kra-install on a replica checks that the keys are available before going further to avoid a race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exists (not exactly one key). https://pagure.io/freeipa/issue/6934 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766 From 3acd6f06396bf7596f3af53724b3f345bdf562b5 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 5 May 2017 17:06:09 +0200 Subject: [PATCH] ipa-kra-install: fix check_host_keys ipa-kra-install on a replica checks that the keys are available before going further to avoid a race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exists (not exactly one key). https://pagure.io/freeipa/issue/6934 --- ipaserver/secrets/kem.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index c1991c6..f876b9e 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -72,7 +72,7 @@ def get_key(self, usage, principal): 'princ': principal}) r = conn.search_s(self.keysbase, scope, ldap_filter) if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), principal)) ipa_public_key = r[0][1]['ipaPublicKey'][0] jwk = self._parse_public_key(ipa_public_key) 
@@ -85,8 +85,8 @@ def check_host_keys(self, host): ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) r = conn.search_s(self.keysbase, scope, ldap_filter) -if len(r) != 1: -raise ValueError("Incorrect number of results (%d) searching for" +if len(r) < 1: +raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), host)) return True -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
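Review bot: the get_key hunk (@@ -72,7 +72,7 @@) only restores the missing space in the concatenated message, and `if len(r) != 1:` there still rejects more than one result. The PR body says two entries can exist for the same host, one under cn=custodia and one under cn=dogtag,cn=custodia, so it is worth confirming that get_key's usage/principal filter can never match both; if it can, the same duplicate that broke check_host_keys will surface here as "Incorrect number of results (2)".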
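Review bot: in the check_host_keys hunk (@@ -85,8 +85,8 @@), `if len(r) < 1:` reads more naturally as `if not r:`, and the retained message "Incorrect number of results (%d) searching for public key for %s" no longer describes the condition, since any count of one or more is now accepted; suggest `raise ValueError("No public key found for %s" % host)`. A one-line comment explaining why more than one entry is expected (keys below cn=custodia and below cn=dogtag,cn=custodia, as the commit message says) would stop the next reader from tightening the check back to `!= 1`.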
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA rcritten commented: """ What do you mean half-effective? Did you try it? There already IS a unified framework for component uninstallation: each service provides it. There are edge cases when trying to uninstall one particular piece but that is relatively straightforward to handle and as outlined in the PR this is not intended or expected to clean up every last element, just enough to be able to cleanly attempt the installation again. Forcing users to uninstall an entire master just to (try to) re-install the CA is a major pain point. Other services not having uninstall options is not relevant to this case IMHO. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-299524085
[Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy MartinBasti commented: """ master: * 999706fcdfa7fd4206a2399aa578fb00753d9978 python2-ipalib: add missing python dependency * 4b8ab77dd4800bd9c6b822502462ee649c88c663 installer service: fix typo in service entry * ebefb281775d5bd5f32459ac597af78781d7dbf5 upgrade: add missing suffix to http instance """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299518616
[Freeipa-devel] [freeipa PR#752][closed] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Author: tomaskrizek Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/752/head:pr752 git checkout pr752
[Freeipa-devel] [freeipa PR#752][+pushed] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Label: +pushed
[Freeipa-devel] [freeipa PR#763][+pushed] Dogtag: fail if instance cannot be (re)started
URL: https://github.com/freeipa/freeipa/pull/763 Title: #763: Dogtag: fail if instance cannot be (re)started Label: +pushed
[Freeipa-devel] [freeipa PR#763][comment] Dogtag: fail if instance cannot be (re)started
URL: https://github.com/freeipa/freeipa/pull/763 Title: #763: Dogtag: fail if instance cannot be (re)started MartinBasti commented: """ master: * 1a7a1f955e327bf1a06faa53c517bdb22eba Make CA/KRA fail when they don't start * aba384ddb535e81f81a518fa468a8ed095250ca1 Fix wrong message on Dogtag instances stop ipa-4-5: * 81f97cb89e17e63b3dcb8925a373970ac61764c2 Make CA/KRA fail when they don't start * 1b44c4caa1e7a1f90b3b3537de9cc1529f0891e8 Fix wrong message on Dogtag instances stop """ See the full comment at https://github.com/freeipa/freeipa/pull/763#issuecomment-299517511
[Freeipa-devel] [freeipa PR#763][closed] Dogtag: fail if instance cannot be (re)started
URL: https://github.com/freeipa/freeipa/pull/763 Author: stlaz Title: #763: Dogtag: fail if instance cannot be (re)started Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/763/head:pr763 git checkout pr763
[Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy martbab commented: """ A separate PR will be needed for ipa-4-5 branch. """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299514588
[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA
URL: https://github.com/freeipa/freeipa/pull/764 Title: #764: Basic uninstaller for the CA martbab commented: """ I would avoid having half-effective CA uninstaller given that other components like Samba, DNS(Sec), and now also KRA (given the amount of bugs the uninstaller caused) do not support their uninstallation. Either we have to design some unified framework for proper optional component uninstallation, or we can go in the vein of AD trust and DNS installers which are idempotent to a degree. I have an impression that this PR will cause users more problems than it aims to solve. """ See the full comment at https://github.com/freeipa/freeipa/pull/764#issuecomment-299513197
[Freeipa-devel] [freeipa PR#752][+ack] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy Label: +ack
[Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299511962
[Freeipa-devel] [freeipa PR#752][comment] upgrade: add missing DN suffix when enabling KDC proxy
URL: https://github.com/freeipa/freeipa/pull/752 Title: #752: upgrade: add missing DN suffix when enabling KDC proxy martbab commented: """ This makes me wonder why we don't just use `self.api.env.basedn` in the ldap_enable/enable_kdcproxy/enable_pkinit methods but instead rely on 3 ways of constructing the root DN. LGTM as a quick fix, but we need to overhaul this part of the service installers in the future. """ See the full comment at https://github.com/freeipa/freeipa/pull/752#issuecomment-299511559
[Freeipa-devel] [freeipa PR#765][opened] [4.5 backport] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/765 Author: MartinBasti Title: #765: [4.5 backport] spec file: bump python-netaddr Requires Action: opened PR body: """ Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges. This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder. Backport from: 0784e53f7f8a323acafbbff26a9d1c0276a229b0 https://pagure.io/freeipa/issue/6894 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/765/head:pr765 git checkout pr765 From 1abd7689eeb4ebb1685da0dc8a647bc2957ffc43 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 25 Apr 2017 12:13:00 + Subject: [PATCH] spec file: bump python-netaddr Requires Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges. This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder. Backport from: 0784e53f7f8a323acafbbff26a9d1c0276a229b0 https://pagure.io/freeipa/issue/6894 --- freeipa.spec.in | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 3b7410b..1214de7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -38,6 +38,8 @@ %if 0%{?rhel} # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) %global krb5_version 1.15.1-4 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.5-8 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 4.6.0-4 %global selinux_policy_version 3.12.1-153 
@@ -45,6 +47,8 @@ %else # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) %global krb5_version 1.15.1-7 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.16 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 2:4.6.0-4 %global selinux_policy_version 3.13.1-158.4 @@ -641,7 +645,7 @@ Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 Requires: python-cryptography >= 1.4 -Requires: python-netaddr +Requires: python-netaddr >= %{python_netaddr_version} Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 Requires: python-pyasn1 @@ -690,7 +694,7 @@ Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-nss >= 0.16 Requires: python3-cryptography >= 1.4 -Requires: python3-netaddr +Requires: python3-netaddr >= %{python_netaddr_version} Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 Requires: python3-pyasn1
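Review bot: in the first hunk (@@ -38,6 +38,8 @@, the `%if 0%{?rhel}` block) the added comment `# 0.7.16: https://github.com/drkjam/netaddr/issues/71` sits above `%global python_netaddr_version 0.7.5-8`, while the identical comment in the `%else` block sits above `0.7.16`. If 0.7.5-8 is the RHEL build that carries the upstream 0.7.16 fix as a backport, the comment should say so (e.g. "0.7.5-8 backports the 0.7.16 fix for ..."); as written it reads like a typo in the version. The two `Requires:` hunks that consume `%{python_netaddr_version}` look correct.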
[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From 97725d8185e1d9431395ffa1aa39ceaf38090c8e Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Fri, 5 May 2017 11:25:08 -0300 Subject: [PATCH 1/2] Fixing the cert-request comparing whole email address case-sensitively. Now, the cert-request command compares the domain part of the email case-insensitively. https://pagure.io/freeipa/issue/5919 --- ipaserver/plugins/cert.py| 29 ++--- ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++ 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..f43f1f0 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0: +csr_emails = [attr.value for attr in email_addrs] +if not _emails_are_valid(csr_emails, + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( @@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): "match requested principal") % gn.name) elif isinstance(gn, cryptography.x509.general_name.RFC822Name): if principal_type == USER: -if principal_obj and gn.value not in principal_obj.get( -'mail', []): +if not _emails_are_valid([gn.value], + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( 
@@ -953,6 +955,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): ) +def _emails_are_valid(csr_emails, principal_emails): +""" +Checks if any email address from certificate does not +appear in ldap entry, comparing the domain part case-insensitively. +""" + +if not any(principal_emails): +return False + +def lower_domain(email): +email_splited = email.split('@', 1) +email_splited[1] = email_splited[1].lower() + +return '@'.join(email_splited) + +principal_emails_lower = set(map(lower_domain, principal_emails)) +csr_emails_lower = set(map(lower_domain, csr_emails)) + +return csr_emails_lower.issubset(principal_emails_lower) + + def principal_to_principal_type(principal): if principal.is_user: return USER diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 51c20b6..3bdb60e 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py @@ -251,6 +251,29 @@ def test_00010_cleanup(self): res = api.Command['service_find'](self.service_princ) assert res['count'] == 0 +def test_00011_email_are_valid(self): +""" +Verify the different scenarios when checking if any email addr +from DN or SAN extension does not appear in ldap entry. +""" + +from ipaserver.plugins.cert import _emails_are_valid +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com']) +assert True == result, result + +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com', + u'anot...@email.com']) +assert True == result, result + +result = _emails_are_valid([], [u'a...@email.com']) +assert False == result, result + +email_addrs = [u'invalidEmailAddress'] +result = _emails_are_valid(email_addrs, []) +assert False == result, result + @pytest.mark.tier1 class test_cert_find(XMLRPC_test): From ecc44fa5c4e317da96abf48fc440e1a9ad0c482d Mon Sep 17 00:00:00 2001 
From: Felipe Volpone Date: Fri, 5 May 2017 12:17:15 -0300 Subject: [PATCH 2/2] Fixing tests --- ipaserver/plugins/cert.py| 2 +- ipatests/test_xmlrpc/test_cert_plugin.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index f43f1f0..9d1fe49 100644 --- a/ipaserver/plugins/cert.py +++ b/ipas
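Review bot: the early return `if not any(principal_emails): return False` in the `_emails_are_valid` hunk (@@ -953,6 +955,27 @@) changes behaviour on the subject-DN path. The replaced check `len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0` accepted a CSR that carried no emailAddress attribute whatever the entry's mail values were, whereas `_emails_are_valid([], [])` now returns False and the caller raises ValidationError for a user without a mail attribute even though the CSR asks for no address. Since an empty set is a subset of every set, the closing `issubset` already handles an empty principal list correctly; suggest dropping the early return (or returning `not csr_emails` there). The docstring also describes the inverse of the return value: it says the function checks whether any address does not appear, but True means every CSR address appears.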
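Review bot: the third case in the `test_00011_email_are_valid` hunk (@@ -251,6 +251,29 @@), `_emails_are_valid([], [u'a...@email.com'])` asserted to be False, contradicts the implementation in the same patch: with a non-empty principal list the early return is skipped and `set().issubset(...)` is True, so this assertion fails. Either an empty CSR list is meant to be invalid, in which case the function and its docstring should say so explicitly, or the expected value here should be True. Minor: `assert True == result, result` is just `assert result, result`, and the False cases `assert not result, result`.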
[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From 97725d8185e1d9431395ffa1aa39ceaf38090c8e Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Fri, 5 May 2017 11:25:08 -0300 Subject: [PATCH] Fixing the cert-request comparing whole email address case-sensitively. Now, the cert-request command compares the domain part of the email case-insensitively. https://pagure.io/freeipa/issue/5919 --- ipaserver/plugins/cert.py| 29 ++--- ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++ 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..f43f1f0 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0: +csr_emails = [attr.value for attr in email_addrs] +if not _emails_are_valid(csr_emails, + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( @@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): "match requested principal") % gn.name) elif isinstance(gn, cryptography.x509.general_name.RFC822Name): if principal_type == USER: -if principal_obj and gn.value not in principal_obj.get( -'mail', []): +if not _emails_are_valid([gn.value], + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( 
@@ -953,6 +955,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): ) +def _emails_are_valid(csr_emails, principal_emails): +""" +Checks if any email address from certificate does not +appear in ldap entry, comparing the domain part case-insensitively. +""" + +if not any(principal_emails): +return False + +def lower_domain(email): +email_splited = email.split('@', 1) +email_splited[1] = email_splited[1].lower() + +return '@'.join(email_splited) + +principal_emails_lower = set(map(lower_domain, principal_emails)) +csr_emails_lower = set(map(lower_domain, csr_emails)) + +return csr_emails_lower.issubset(principal_emails_lower) + + def principal_to_principal_type(principal): if principal.is_user: return USER diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 51c20b6..3bdb60e 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py 
@@ -251,6 +251,29 @@ def test_00010_cleanup(self): res = api.Command['service_find'](self.service_princ) assert res['count'] == 0 +def test_00011_email_are_valid(self): +""" +Verify the different scenarios when checking if any email addr +from DN or SAN extension does not appear in ldap entry. +""" + +from ipaserver.plugins.cert import _emails_are_valid +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com']) +assert True == result, result + +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com', + u'anot...@email.com']) +assert True == result, result + +result = _emails_are_valid([], [u'a...@email.com']) +assert False == result, result + +email_addrs = [u'invalidEmailAddress'] +result = _emails_are_valid(email_addrs, []) +assert False == result, result + @pytest.mark.tier1 class test_cert_find(XMLRPC_test):
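Review bot: `lower_domain` in the `_emails_are_valid` hunk (@@ -953,6 +955,27 @@) indexes `email_splited[1]` unconditionally, so any value without an `@` raises IndexError instead of failing validation; a malformed emailAddress in the CSR, or a malformed mail value on the LDAP entry, would surface to the caller as an unhandled exception rather than the ValidationError the surrounding code raises. The `invalidEmailAddress` case in the test only avoids this because the empty principal list hits the early return first. Suggest `local, sep, domain = email.partition('@')` and `return local + sep + domain.lower()`, which leaves values without `@` unchanged and lets the `issubset` comparison reject them.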
[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.
URL: https://github.com/freeipa/freeipa/pull/736 Author: felipevolpone Title: #736: Fixing the cert-request command comparing whole email address case-sensitively. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/736/head:pr736 git checkout pr736 From 85e931f2b5fb1c30227264e98e317c374b96b9ef Mon Sep 17 00:00:00 2001 From: Felipe Volpone Date: Fri, 5 May 2017 10:52:40 -0300 Subject: [PATCH] Fixing the cert-request comparing whole email address case-sensitively. Now, the cert-request command compares the domain part of the email case-insensitively. https://pagure.io/freeipa/issue/5919 --- ipaserver/plugins/cert.py| 29 ++--- ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++ 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..f43f1f0 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): # fail if any email addr from DN does not appear in ldap entry email_addrs = csr_obj.subject.get_attributes_for_oid( cryptography.x509.oid.NameOID.EMAIL_ADDRESS) -if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0: +csr_emails = [attr.value for attr in email_addrs] +if not _emails_are_valid(csr_emails, + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( @@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): "match requested principal") % gn.name) elif isinstance(gn, cryptography.x509.general_name.RFC822Name): if principal_type == USER: -if principal_obj and gn.value not in principal_obj.get( -'mail', []): +if not _emails_are_valid([gn.value], + principal_obj.get('mail', [])): raise errors.ValidationError( name='csr', error=_( 
@@ -953,6 +955,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): ) +def _emails_are_valid(csr_emails, principal_emails): +""" +Checks if any email address from certificate does not +appear in ldap entry, comparing the domain part case-insensitively. +""" + +if not any(principal_emails): +return False + +def lower_domain(email): +email_splited = email.split('@', 1) +email_splited[1] = email_splited[1].lower() + +return '@'.join(email_splited) + +principal_emails_lower = set(map(lower_domain, principal_emails)) +csr_emails_lower = set(map(lower_domain, csr_emails)) + +return csr_emails_lower.issubset(principal_emails_lower) + + def principal_to_principal_type(principal): if principal.is_user: return USER diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 51c20b6..6615c3c 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py 
@@ -251,6 +251,29 @@ def test_00010_cleanup(self): res = api.Command['service_find'](self.service_princ) assert res['count'] == 0 +def test_00011_email_are_valid(self): +""" +Verify the different scenarios when checking if any email addr +from DN or SAN extension does not appear in ldap entry. +""" + +from ipaserver.plugins.cert import _emails_are_valid +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com']) +assert True == result, result + +email_addrs = [u'a...@email.com'] +result = _emails_are_valid(email_addrs, [u'a...@email.com', + u'anot...@email.com']) +assert True == result, result + +result = _emails_are_valid([], [u'a...@email.com']) +assert False == result, result + +email_addrs = [u'invalidEmailAddress'] +result = _emails_are_valid(subject_addrs, []) +assert False == result, result + @pytest.mark.tier1 class test_cert_find(XMLRPC_test):
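Review bot: the last case in the `test_00011_email_are_valid` hunk (@@ -251,6 +251,29 @@) calls `_emails_are_valid(subject_addrs, [])`, but the list two lines above is assigned to `email_addrs`; `subject_addrs` is never defined, so the test dies with NameError before reaching its assertion. Rename the argument to `email_addrs` (the later revision of this PR does exactly that).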
[Freeipa-devel] [freeipa PR#763][+ack] Dogtag: fail if instance cannot be (re)started
URL: https://github.com/freeipa/freeipa/pull/763 Title: #763: Dogtag: fail if instance cannot be (re)started Label: +ack
[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Title: #757: ca, kra install: validate DM password tomaskrizek commented: """ Thanks for the feedback, hopefully I addressed all the issues. """ See the full comment at https://github.com/freeipa/freeipa/pull/757#issuecomment-299469642
[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password
URL: https://github.com/freeipa/freeipa/pull/757 Author: tomaskrizek Title: #757: ca, kra install: validate DM password Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/757/head:pr757 git checkout pr757 From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:05:25 +0200 Subject: [PATCH 1/3] ca install: merge duplicated code for DM password Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- install/tools/ipa-ca-install | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 60261aa..da6e5c3 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -116,9 +116,19 @@ def parse_options(): return safe_options, options, filename -def get_dirman_password(): -return installutils.read_password( -"Directory Manager (existing master)", confirm=False, validate=False) +def _get_dirman_password(password=None, unattended=False): +if not password: +if unattended: +sys.exit('Directory Manager password required') +try: +password = installutils.read_password( +"Directory Manager (existing master)", confirm=False, +validate=False) +except KeyboardInterrupt: +sys.exit(0) +if password is None: +sys.exit("Directory Manager password required") +return password def install_replica(safe_options, options, filename): 
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename): check_creds(options, api.env.realm) # get the directory manager password -dirman_password = options.password -if not dirman_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dirman_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dirman_password is None: -sys.exit("Directory Manager password required") +dirman_password = _get_dirman_password( +options.password, options.unattended) if (not options.promote and not options.admin_password and not options.skip_conncheck and options.unattended): @@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename): def install_master(safe_options, options): -dm_password = options.password -if not dm_password: -if options.unattended: -sys.exit('Directory Manager password required') -try: -dm_password = get_dirman_password() -except KeyboardInterrupt: -sys.exit(0) -if dm_password is None: -sys.exit("Directory Manager password required") +dm_password = _get_dirman_password( +options.password, options.unattended) options.realm_name = api.env.realm options.domain_name = api.env.domain From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 3 May 2017 10:01:09 +0200 Subject: [PATCH 2/3] installutils: add DM password validator Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek --- ipaserver/install/installutils.py | 16 1 file changed, 16 insertions(+) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9230e70..b6f0148 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -50,6 +50,7 @@ from ipapython import ipautil, admintool, version from ipapython.admintool import ScriptError from ipapython.ipa_log_manager import root_logger +from ipapython.ipaldap import DIRMAN_DN, LDAPClient from ipalib.util import validate_hostname from ipalib import api, errors, x509 from ipapython.dn import DN @@ -329,6 +330,21 @@ def _read_password_default_validator(password): if len(password) < 8: raise ValueError("Password must be at least 8 characters long") + +def validate_dm_password_ldap(password): +""" +Validate DM password by attempting to connect to LDAP. api.env has to +contain valid ldap_uri. +""" +client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT) +try: +client.simple_bind(DIRMAN_DN, password) +except errors.ACIError: +raise ValueError("Invalid Directory Manager password") +else: +client.unbind() + + def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = None From 6f3e29374054563d2d3f12e9565778dbabe3859e Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date
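Review bot: in the `_get_dirman_password` hunk of PATCH 1/3 (@@ -116,9 +116,19 @@) the two failure paths exit with the same text under different quoting, `sys.exit('Directory Manager password required')` and `sys.exit("Directory Manager password required")`; hoist the string into one constant, and give the function a docstring now that it replaces two copies. Also note that a password passed in via `options.password` is returned without ever going through `installutils.read_password`, so whatever validation the prompt path gets will not apply to the command-line path unless the caller validates separately.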
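Review bot: `validate_dm_password_ldap` in the PATCH 2/3 hunk (@@ -329,6 +330,21 @@) catches only `errors.ACIError`; if the directory server is unreachable or the TLS handshake against `paths.IPA_CA_CRT` fails, `simple_bind` raises a different exception that escapes the validator (and thus `read_password`'s retry loop) as an unhandled traceback rather than a "could not connect" message. Suggest catching the connection-level errors separately with a distinct `ValueError` text, and moving `client.unbind()` into a `finally` so a failed bind does not leave the connection open. The hunk also uses `paths` while the import block only adds `DIRMAN_DN, LDAPClient`; fine if installutils already imports `paths`, but worth confirming.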