IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Reset per-indicator Kerberos policy

Browse Source 
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.

Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.

Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.

Fixes: https://pagure.io/freeipa/issue/8153

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Alexander Bokovoy 2019-12-18 12:08:59 +02:00 committed by Christian Heimes
parent 775bbb919a
commit 2ed5eca762
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
ipaserver/plugins/krbtpolicy.py
View File

@ -68,6 +68,8 @@ register = Registry()
_default_values = { _default_values = {
'krbmaxticketlife': 86400, 'krbmaxticketlife': 86400,
'krbmaxrenewableage': 604800, 'krbmaxrenewableage': 604800,
'krbauthindmaxticketlife': 86400,
'krbauthindmaxrenewableage': 604800,
} }
# These attributes never have non-optional values, so they should be # These attributes never have non-optional values, so they should be
@ -311,9 +313,26 @@ class krbtpolicy_reset(baseldap.LDAPQuery):
def_values[a] = None def_values[a] = None
# if reseting global policy - set values to default # if reseting global policy - set values to default
else: else:
def_values = _default_values def_values = _default_values.copy()
entry = ldap.get_entry(dn, list(def_values)) entry = ldap.get_entry(dn, list(def_values))
# For per-indicator policies, drop them to defaults
for subtype in _supported_options:
for attr in _option_based_attrs:
name = '{};{}'.format(attr, subtype)
if name in entry:
if uid is not None:
def_values[name] = None
else:
def_values[name] = _default_values[attr]
# Remove non-subtyped attrs variants,
# they should never be used directly.
for attr in _option_based_attrs:
if attr in def_values:
del def_values[attr]
entry.update(def_values) entry.update(def_values)
try: try:
ldap.update_entry(entry) ldap.update_entry(entry)

13
ipatests/test_integration/test_krbtpolicy.py
View File

@ -112,3 +112,16 @@ class TestPWPolicy(IntegrationTest):
assert maxlife_within_policy(result.stdout_text, 1200) is True assert maxlife_within_policy(result.stdout_text, 1200) is True
tasks.kdestroy_all(master) tasks.kdestroy_all(master)
def test_krbtpolicy_reset(self):
"""Test a hardened kerberos ticket policy reset"""
master = self.master
tasks.kinit_admin(master)
master.run_command(['ipa', 'krbtpolicy-reset', USER2])
master.run_command(['kinit', USER2],
stdin_text=PASSWORD + '\n')
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
tasks.kdestroy_all(master)