cert: use context.principal only when it is defined

In a server-like context we use an LDAPI connection with auto-binding to
an LDAP object based on the UID of the process connecting to the LDAPI
UNIX domain socket. This means context.principal is not set and we cannot
use it.

When processing certificate issuance requests, care has to be taken to
match operations done as LDAP auto-bind to actual principals for
validation. This is a tough one as we have no principal to match for
cn=Directory Manager. Use a fake principal to fail validation here and
rely on LDAP ACIs instead.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Alexander Bokovoy 2024-05-02 08:43:20 +03:00 committed by Antonio Torres
parent b6131b5737
commit e386e22046
No known key found for this signature in database
GPG Key ID: 359FAF777296F653


@ -321,7 +321,10 @@ def bind_principal_can_manage_cert(cert):
A python-cryptography ``Certificate`` object. A python-cryptography ``Certificate`` object.
""" """
bind_principal = kerberos.Principal(getattr(context, 'principal')) op_account = getattr(context, 'principal', None)
if op_account is None:
return False
bind_principal = kerberos.Principal(op_account)
if not bind_principal.is_host: if not bind_principal.is_host:
return False return False
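Review bot: The new early `return False` for `op_account is None` in bind_principal_can_manage_cert has no comment, while the matching branch in cert_request explains itself. A one-line comment that this is the LDAPI auto-bind case (no Kerberos principal in context, so the caller is treated as unable to manage the cert and the decision falls to other checks) would keep a later reader from taking it for an error path or "fixing" it. Since `getattr(context, 'principal', None)` followed by a None check now appears in both hunks, a small shared helper would also keep the two call sites from drifting apart.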
@ -691,7 +694,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
principal_string = unicode(principal) principal_string = unicode(principal)
principal_type = principal_to_principal_type(principal) principal_type = principal_to_principal_type(principal)
bind_principal = kerberos.Principal(getattr(context, 'principal')) op_account = getattr(context, 'principal', None)
if op_account is None:
# Can the bound principal request certs for another principal?
# the virtual operation check will rely on LDAP ACIs, no need
# for the Kerberos principal here.
# Force the principal that cannot be matched in normal deployments
op_account = '<unknown>@<UNKNOWN>'
bind_principal = kerberos.Principal(op_account)
bind_principal_string = unicode(bind_principal) bind_principal_string = unicode(bind_principal)
bind_principal_type = principal_to_principal_type(bind_principal) bind_principal_type = principal_to_principal_type(bind_principal)
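Review bot: The sentinel `'<unknown>@<UNKNOWN>'` is an inline magic string in cert_request, and the fail-closed behaviour depends on it never equalling a real principal ("cannot be matched in normal deployments" per the comment). Consider a named module-level constant so it is greppable and reusable, and an explicit flag (for example, remembering that `op_account` was None) for the later validation to test instead of relying on string non-match. The value also flows into `bind_principal_string` and `bind_principal_type` on the following lines, so anything that logs or compares those will see the placeholder; it is worth confirming that `kerberos.Principal` accepts this string and that `principal_to_principal_type` returns a sensible type for it, ideally with a test covering the auto-bind path. The first comment line, "Can the bound principal request certs for another principal?", reads as if it describes a later check rather than this branch and could be moved or reworded.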