mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 15:13:50 -06:00
cert: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP object based on the UID of the process connecting to LDAPI UNIX domain socket. This means context.principal is not set and we cannot use it. When processing certificate issuance requests a care has to be done to match operations done as LDAP auto-bind to actual principals for validation. This is a tough one as we have no principal to match for cn=Directory Manager. Use fake principal to fail validation here and rely on LDAP ACIs instead. Fixes: https://pagure.io/freeipa/issue/9583 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
parent
b6131b5737
commit
e386e22046
@ -321,7 +321,10 @@ def bind_principal_can_manage_cert(cert):
|
|||||||
A python-cryptography ``Certificate`` object.
|
A python-cryptography ``Certificate`` object.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
bind_principal = kerberos.Principal(getattr(context, 'principal'))
|
op_account = getattr(context, 'principal', None)
|
||||||
|
if op_account is None:
|
||||||
|
return False
|
||||||
|
bind_principal = kerberos.Principal(op_account)
|
||||||
if not bind_principal.is_host:
|
if not bind_principal.is_host:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@ -691,7 +694,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|||||||
principal_string = unicode(principal)
|
principal_string = unicode(principal)
|
||||||
principal_type = principal_to_principal_type(principal)
|
principal_type = principal_to_principal_type(principal)
|
||||||
|
|
||||||
bind_principal = kerberos.Principal(getattr(context, 'principal'))
|
op_account = getattr(context, 'principal', None)
|
||||||
|
if op_account is None:
|
||||||
|
# Can the bound principal request certs for another principal?
|
||||||
|
# the virtual operation check will rely on LDAP ACIs, no need
|
||||||
|
# for the Kerberos principal here.
|
||||||
|
# Force the principal that cannot be matched in normal deployments
|
||||||
|
op_account = '<unknown>@<UNKNOWN>'
|
||||||
|
|
||||||
|
bind_principal = kerberos.Principal(op_account)
|
||||||
bind_principal_string = unicode(bind_principal)
|
bind_principal_string = unicode(bind_principal)
|
||||||
bind_principal_type = principal_to_principal_type(bind_principal)
|
bind_principal_type = principal_to_principal_type(bind_principal)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user