diff --git a/API.txt b/API.txt
index fdcbf1733..7607b6230 100644
--- a/API.txt
+++ b/API.txt
@@ -1097,7 +1097,7 @@ option: Int('ipasearchrecordslimit?', autofill=False, cli_name='searchrecordslim
 option: Int('ipasearchtimelimit?', autofill=False, cli_name='searchtimelimit')
 option: Str('ipaselinuxusermapdefault?', autofill=False)
 option: Str('ipaselinuxusermaporder?', autofill=False)
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'disabled'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened', u'disabled'])
 option: Str('ipauserobjectclasses*', autofill=False, cli_name='userobjectclasses')
 option: IA5Str('ipausersearchfields?', autofill=False, cli_name='usersearch')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -2442,7 +2442,7 @@ option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
-option: Str('krbprincipalauthind*', cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Str('l?', cli_name='locality')
 option: Str('macaddress*')
 option: Flag('no_members', autofill=True, default=False)
@@ -2578,7 +2578,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('ipaassignedidview?', autofill=False)
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
 option: Str('man_by_host*', cli_name='man_by_hosts')
@@ -2619,7 +2619,7 @@ option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Principal('krbprincipalname*', autofill=False)
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
@@ -4494,7 +4494,7 @@ option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PA
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
-option: Str('krbprincipalauthind*', cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
@@ -4630,7 +4630,7 @@ arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Principal('krbcanonicalname?', autofill=False, cli_name='canonical_principal')
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Str('man_by_host*', cli_name='man_by_hosts')
 option: Flag('no_members', autofill=True, default=True)
@@ -4654,7 +4654,7 @@ option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
-option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
+option: StrEnum('krbprincipalauthind*', autofill=False, cli_name='auth_ind', values=[u'radius', u'otp', u'pkinit', u'hardened'])
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -4902,7 +4902,7 @@ option: Str('initials?', autofill=True)
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
@@ -5014,7 +5014,7 @@ option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -5077,7 +5077,7 @@ option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -5977,7 +5977,7 @@ option: Str('initials?', autofill=True)
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=True, cli_name='principal')
@@ -6106,7 +6106,7 @@ option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
@@ -6172,7 +6172,7 @@ option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
-option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp'])
+option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
 option: DateTime('krbpasswordexpiration?', autofill=False, cli_name='password_expiration')
 option: DateTime('krbprincipalexpiration?', autofill=False, cli_name='principal_expiration')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
diff --git a/VERSION.m4 b/VERSION.m4
index 4e717f88c..ba9d8ed44 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,9 +86,9 @@ define(IPA_DATA_VERSION, 20100614120000) # # ######################################################## define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 233) -# Last change: Added service_add_smb command - +define(IPA_API_VERSION_MINOR, 234) +# Last change: Added new auth indicators to ipauserauthtype and krbprincipalauthind. +# Converted krbprincipalauthind from Str() to StrEnum() ######################################################## # Following values are auto-generated from values above diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index e19505821..612857b38 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c @@ -194,6 +194,8 @@ static const struct { { "password", IPADB_USER_AUTH_PASSWORD }, { "radius", IPADB_USER_AUTH_RADIUS }, { "otp", IPADB_USER_AUTH_OTP }, + { "pkinit", IPADB_USER_AUTH_PKINIT }, + { "hardened", IPADB_USER_AUTH_HARDENED }, { } }; diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index d187d969f..f2f21c6e0 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -90,6 +90,8 @@ enum ipadb_user_auth { IPADB_USER_AUTH_PASSWORD = 1 << 1, IPADB_USER_AUTH_RADIUS = 1 << 2, IPADB_USER_AUTH_OTP = 1 << 3, + IPADB_USER_AUTH_PKINIT = 1 << 4, + IPADB_USER_AUTH_HARDENED = 1 << 5, }; struct ipadb_global_config { diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 1103e5531..49bad9de3 100644 --- a/ipaserver/plugins/baseuser.py +++ b/ipaserver/plugins/baseuser.py 
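Review bot: Adding `{ "pkinit", IPADB_USER_AUTH_PKINIT }` and `{ "hardened", IPADB_USER_AUTH_HARDENED }` only teaches the KDB to parse the two new ipauserauthtype strings; the code that consults the IPADB_USER_AUTH_* bits when deciding which pre-authentication mechanisms a principal may use is not in this diff, so nothing here shows whether a user whose only type is `hardened` or `pkinit` is actually restricted to that mechanism or ends up handled as if no type were set. A KDB-side test that stores each new value alone and checks the mechanisms the KDC offers would pin that down. The string table this hunk extends starts outside the hunk.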
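Review bot: The new enumerators `IPADB_USER_AUTH_PKINIT = 1 << 4` and `IPADB_USER_AUTH_HARDENED = 1 << 5` carry no comment, and because the enum is a bit mask whose names must match the string table in daemons/ipa-kdb/ipa_kdb.c and the `ipauserauthtype` StrEnum values in ipaserver/plugins/baseuser.py and ipaserver/plugins/config.py, a maintainer adding the next value has no cue here that three places move together. A comment above the enum such as `/* Bit flags. Keep in sync with the ipauserauthtype string table in ipa_kdb.c and the StrEnum values in the baseuser and config plugins. */` would close that gap. The `enum ipadb_user_auth {` header is outside the hunk.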
@@ -353,11 +353,12 @@ class baseuser(LDAPObject): label=_('SSH public key fingerprint'), flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'}, ), - StrEnum('ipauserauthtype*', + StrEnum( + 'ipauserauthtype*', cli_name='user_auth_type', label=_('User authentication types'), doc=_('Types of supported user authentication'), - values=(u'password', u'radius', u'otp'), + values=(u'password', u'radius', u'otp', u'pkinit', u'hardened'), ), Str('userclass*', cli_name='class', diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py index 77a9f2c80..ba39d45d6 100644 --- a/ipaserver/plugins/config.py +++ b/ipaserver/plugins/config.py @@ -253,11 +253,13 @@ class config(LDAPObject): doc=_('Default types of PAC supported for services'), values=(u'MS-PAC', u'PAD', u'nfs:NONE'), ), - StrEnum('ipauserauthtype*', + StrEnum( + 'ipauserauthtype*', cli_name='user_auth_type', label=_('Default user authentication types'), doc=_('Default types of supported user authentication'), - values=(u'password', u'radius', u'otp', u'disabled'), + values=(u'password', u'radius', u'otp', + u'pkinit', u'hardened', u'disabled'), ), Str( 'ipa_master_server*', diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index c0c4f7060..065eb3152 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -28,7 +28,7 @@ import six from ipalib import api, errors, util from ipalib import messages -from ipalib import Str, Flag +from ipalib import Str, StrEnum, Flag from ipalib.parameters import Principal, Certificate from ipalib.plugable import Registry from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, 
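Review bot: The StrEnum gains `u'pkinit'` and `u'hardened'` while its doc stays at `doc=_('Types of supported user authentication')`, so the CLI help for `--user-auth-type` gives no hint that 'hardened' limits a user to brute-force hardened password authentication (SPAKE or FAST) or that 'pkinit' means PKINIT-based authentication, whereas the host.py and service.py hunks in this diff spell out each indicator. Extending the doc to list the values with the same wording used in host.py would keep user, host and service help consistent; the config.py hunk (`'Default types of supported user authentication'`) has the same gap. The enclosing `class baseuser(LDAPObject)` starts and ends outside the hunk.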
@@ -567,13 +567,19 @@ class host(LDAPObject): label=_('Assigned ID View'), flags=['no_option'], ), - Str('krbprincipalauthind*', + StrEnum( + 'krbprincipalauthind*', cli_name='auth_ind', label=_('Authentication Indicators'), doc=_("Defines a whitelist for Authentication Indicators." " Use 'otp' to allow OTP-based 2FA authentications." " Use 'radius' to allow RADIUS-based 2FA authentications." - " Other values may be used for custom configurations."), + " Use 'pkinit' to allow PKINIT-based 2FA authentications." + " Use 'hardened' to allow brute-force hardened password" + " authentication by SPAKE or FAST." + " With no indicator specified," + " all authentication mechanisms are allowed."), + values=(u'radius', u'otp', u'pkinit', u'hardened'), ), ) + ticket_flags_params diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index c118b80a4..d64e0460a 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -534,13 +534,19 @@ class service(LDAPObject): " e.g. this might be necessary for NFS services."), values=(u'MS-PAC', u'PAD', u'NONE'), ), - Str('krbprincipalauthind*', + StrEnum( + 'krbprincipalauthind*', cli_name='auth_ind', label=_('Authentication Indicators'), doc=_("Defines a whitelist for Authentication Indicators." " Use 'otp' to allow OTP-based 2FA authentications." " Use 'radius' to allow RADIUS-based 2FA authentications." - " Other values may be used for custom configurations."), + " Use 'pkinit' to allow PKINIT-based 2FA authentications." + " Use 'hardened' to allow brute-force hardened password" + " authentication by SPAKE or FAST." + " With no indicator specified," + " all authentication mechanisms are allowed."), + values=(u'radius', u'otp', u'pkinit', u'hardened'), ), ) + ticket_flags_params diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index 262fae17d..878868009 100644 --- a/ipatests/test_xmlrpc/test_service_plugin.py 
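Review bot: Converting `krbprincipalauthind` from `Str` to `StrEnum` closes the value set, yet the removed doc line `" Other values may be used for custom configurations."` shows that custom indicator strings were a supported input; a host entry that already carries such a value may presumably fail validation the next time the attribute is modified, and the KDC-side configuration that issues custom indicators is not touched by this diff. If the break is intended, the new doc or the VERSION.m4 "Last change" note should say so explicitly; otherwise keep the parameter a `Str` and validate the four known names separately. The service.py hunk in this diff makes the identical change and carries the same concern. Both parameter lists start outside their hunks.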
+++ b/ipatests/test_xmlrpc/test_service_plugin.py @@ -1481,17 +1481,20 @@ def indicators_service(request): class TestAuthenticationIndicators(XMLRPC_test): def test_create_service_with_otp_indicator( self, indicators_host, indicators_service): - """ Since range of authentication indicator values is not limited, - only 'otp' option is tested """ indicators_host.create() indicators_service.create() - def test_adding_second_indicator( + def test_adding_all_indicators( self, indicators_host, indicators_service): indicators_host.create() indicators_service.create() indicators_service.update( - updates={u'krbprincipalauthind': [u'otp', u'radius']}) + updates={ + u'krbprincipalauthind': [ + u'otp', u'radius', u'pkinit', u'hardened' + ] + } + ) def test_update_indicator(self, indicators_host, indicators_service): indicators_host.create() diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 329947f68..f867b042d 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -460,9 +460,11 @@ class TestUpdate(XMLRPC_test): command() def test_set_ipauserauthtype(self, user): - """ Set ipauserauthtype to 'password' and than back to None """ + """ Set ipauserauthtype to all valid types and than back to None """ user.ensure_exists() - user.update(dict(ipauserauthtype=u'password')) + user.update(dict(ipauserauthtype=[ + u'password', u'radius', u'otp', u'pkinit', u'hardened' + ])) user.retrieve() user.update(dict(ipauserauthtype=None))
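Review bot: Now that `krbprincipalauthind` is a closed StrEnum, `test_adding_all_indicators` only exercises the accepted values; there is no negative case pinning that an unlisted indicator is rejected, which is exactly the behaviour the removed docstring (`Since range of authentication indicator values is not limited`) said did not hold before. A test that calls `indicators_service.update(updates={u'krbprincipalauthind': [u'custom']})` (example value) and asserts a ValidationError is raised would lock the new validation in. The `class TestAuthenticationIndicators` body continues past the hunk.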
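Review bot: The new docstring `""" Set ipauserauthtype to all valid types and than back to None """` keeps the typo from the line it replaces; it should read `""" Set ipauserauthtype to all valid types and then back to None """`. The update with all five values followed by `user.retrieve()` pins acceptance of the list, and whether the stored list round-trips depends on what `retrieve()` compares, which is outside this hunk. The enclosing `class TestUpdate(XMLRPC_test)` starts outside the hunk.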