freeipa/ipaserver/install/plugins/fix_kra_people_entry.py

77 lines
2.8 KiB
Python
Raw Normal View History

#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
import logging
from ipalib import Registry, Updater, x509
from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaserver.install import krainstance
logger = logging.getLogger(__name__)
register = Registry()
@register()
class fix_kra_people_entry(Updater):
"""
Update the KRA uid=ipakra agent user entry.
There was a bug where this was created with an incorrect
'description' attribute, breaking authentication:
https://pagure.io/freeipa/issue/8084.
"""
def execute(self, **options):
kra = krainstance.KRAInstance(self.api.env.realm)
if not kra.is_installed():
return False, []
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)
# check description attribute
description_values = entry.get('description', [])
if len(description_values) < 1:
# missing 'description' attribute is unexpected, but we can
# add it
do_fix = True
else:
# There should only be one value, so we will take the first value.
# But ignore the serial number when comparing, just in case.
description = description_values[0]
parts = description.split(';', 2) # see below for syntax
if len(parts) < 3:
do_fix = True # syntax error (not expected)
elif parts[2] != '{};{}'.format(DN(cert.issuer), DN(cert.subject)):
# issuer/subject does not match cert. THIS is the condition
# caused by issue 8084, which we want to fix.
do_fix = True
else:
do_fix = False # everything is fine
if do_fix:
# If other replicas have a different iteration of the IPA RA
# cert (e.g. renewal was triggered prematurely on some master
# and not on others) then authentication on those replicas will
# fail. But the 'description' attribute needed fixing because
# the issuer value was wrong, meaning authentication was broken
# on ALL replicas. So even for the corner case where different
# replicas have different IPA RA certs, updating the attribute
# will at least mean THIS replica can authenticate to the KRA.
logger.debug("Fixing KRA user entry 'description' attribute")
entry['description'] = [
'2;{};{};{}'.format(
cert.serial_number,
DN(cert.issuer),
DN(cert.subject)
)
]
self.api.Backend.ldap2.update_entry(entry)
return False, [] # don't restart DS; no LDAP updates to perform