7ea50ff76d
Add an upgrade script to detect when ipakra people entry has incorrect 'description' attribute and fix it. Part of: https://pagure.io/freeipa/issue/8084 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
import logging
from ipalib import Registry, Updater, x509
from ipapython.dn import DN
from ipaplatform.paths import paths
from ipaserver.install import krainstance
# Module-level logger; the updater below reports the fix it applies at DEBUG.
logger = logging.getLogger(__name__)

# Updater plugins defined in this module are registered with the API
# through this registry's decorator.
register = Registry()
@register()
class fix_kra_people_entry(Updater):
    """
    Repair the 'description' attribute of the KRA uid=ipakra agent entry.

    The entry was at one time created with a wrong 'description' value,
    which broke authentication of the RA agent against the KRA
    (https://pagure.io/freeipa/issue/8084).  The attribute is written as
    '2;<serial>;<issuer DN>;<subject DN>' for the IPA RA certificate found
    in paths.RA_AGENT_PEM; this updater rewrites it from that certificate
    whenever the issuer/subject portion of the stored value does not match.
    """

    @staticmethod
    def _issuer_subject_matches(description_values, expected_tail):
        """
        Return True when the first 'description' value ends in *expected_tail*.

        *expected_tail* is the '<issuer DN>;<subject DN>' string derived from
        the RA agent certificate.  The serial-number field is deliberately
        left out of the comparison, so a stale serial alone does not cause
        a rewrite.  An absent attribute, an empty value list, or a value with
        fewer than three ';'-separated fields all count as a mismatch.
        """
        if len(description_values) < 1:
            return False
        # Stored syntax is 'version;serial;issuer;subject'.  maxsplit=2 keeps
        # issuer and subject together in the third field, which is what we
        # compare against.
        fields = description_values[0].split(';', 2)
        if len(fields) < 3:
            return False
        return fields[2] == expected_tail

    def execute(self, **options):
        """
        Inspect the ipakra agent entry and rewrite its description if needed.

        Returns (False, []) in every case: the directory server is never
        restarted and no LDAP updates are handed back to the updater
        framework, because the fix is applied directly via update_entry().
        Does nothing when no KRA is installed on this server.
        """
        kra = krainstance.KRAInstance(self.api.env.realm)
        if not kra.is_installed():
            return False, []

        ra_cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
        ldap = self.api.Backend.ldap2
        entry = ldap.get_entry(krainstance.KRA_AGENT_DN)

        issuer = DN(ra_cert.issuer)
        subject = DN(ra_cert.subject)
        expected_tail = '{};{}'.format(issuer, subject)

        current_values = entry.get('description', [])
        if self._issuer_subject_matches(current_values, expected_tail):
            # Issuer and subject already describe this RA cert; nothing to do.
            return False, []

        # Replicas may carry different iterations of the IPA RA cert (for
        # example when renewal ran early on one master only); in that case
        # the value written here only matches THIS replica's cert.  That is
        # still an improvement: the wrong issuer value broke authentication
        # on every replica, so after the rewrite at least this one can
        # authenticate to the KRA again.
        logger.debug("Fixing KRA user entry 'description' attribute")
        entry['description'] = [
            '2;{};{};{}'.format(ra_cert.serial_number, issuer, subject)
        ]
        ldap.update_entry(entry)

        return False, []  # don't restart DS; no LDAP updates to perform