To prevent cyclic imports, move JSON handling code to a separate file.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Do minimal validation of the Kerberos principal name when passing it to
kinit command line tool. Also pass it as the final argument to prevent
option injection.
Accepted Kerberos principals are:
- user names, using the following regexp
(username with optional @realm, no spaces or slashes in the name):
"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
- service names (with slash in the name but no spaces). Validation of
the hostname is done. There is no validation of the service name.
The regular expression above also covers cases where a principal name
starts with '-'. This prevents option injection as well.
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The referer was only checked in WSGIExecutioner classes:
- jsonserver
- KerberosWSGIExecutioner
- xmlserver
- jsonserver_kerb
This left /i18n_messages, /session/login_kerberos,
/session/login_x509, /session/login_password,
/session/change_password and /session/sync_token unprotected
against CSRF attacks.
CVE-2023-5455
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME
The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.
--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.
This command can be run multiple times.
Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.
Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.
With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.
Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.
Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.
FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.
[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.
[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.
Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.
In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.
Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when LDAP server is not available or broken.
Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.
Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process. This endpoint serves i18n requests
only.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:
- `useless-return` (R1711):
Useless return at end of function or method Emitted when a single
"return" or "return None" statement is found at the end of function
or method definition. This statement can safely be removed because
Python will implicitly return None
- `inconsistent-return-statements` (R1710):
Either all return statements in a function should return an
expression, or none of them should. According to PEP8, if any return
statement returns an expression, any return statements where no value
is returned should explicitly state this as return None, and an
explicit return statement should be present at the end of the
function (if reachable)
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
xmlserver.Command does not have to be called so don't.
Fixes pylint: not-callable error.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
We have only one debug log level and it causes issues with py3.
...
File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
base64 encoding returns bytes but these can't be added together with
a string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
python3-mod_wsgi expects that the application() method returns
bytes otherwise it breaks.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
We need to verify the ccache is avcailable in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.
Ticket #7037
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.
https://pagure.io/freeipa/issue/7001
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.
This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.
Ticket: #6972
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Make sure `cacert.pem` is exported in all installation code paths.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Http request performed in finalize_kerberos_acquisition doesn't use
CA certificate/certificate store with full certificate chain of IPA server.
So it might happen that in case that IPA is installed with externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.
If it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.
https://pagure.io/freeipa/issue/6876
Reviewed-By: Martin Basti <mbasti@redhat.com>
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
__call__ didn't return causing internal error in wsgi application. Previously
this bug was hidden by some other error and the code worked even though it
shouldn't.
https://pagure.io/freeipa/issue/6819
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Do not set or delete attributes directly on KerberosWSGIExecutioner, ldap2
and ra_lightweight_ca instances, as that raises an AttributeError in
development mode because of ReadOnly locking.
Use the usual workaround of `object.__setattr__` and `object.__delattr__`
to fix the issue.
https://pagure.io/freeipa/issue/6625
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will
be done by KDC during kinit. This also allows principals from trusted
domains to login via rpcserver.
https://fedorahosted.org/freeipa/ticket/6343
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.
Fixes https://fedorahosted.org/freeipa/ticket/6685
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Improve performance of FreeIPA's JSON serializer and deserializer.
* Don't indent and sort keys. Both options trigger a slow path in
Python's json package. Without indention and sorting, encoding
mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
to eliminate calls to isinstance().
Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
variable 'e' is valid only in except block in py3, so it must be
assigned to different variable for further usage
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
WSGI prints TypeError into error log when IPA doesn't return bytes in
list as result
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
kinit_password() depends on ipaplatform.
Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
