mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
404fe1018e
Do minimal validation of the Kerberos principal name when passing it to kinit command line tool. Also pass it as the final argument to prevent option injection. Accepted Kerberos principals are: - user names, using the following regexp (username with optional @realm, no spaces or slashes in the name): "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$" - service names (with slash in the name but no spaces). Validation of the hostname is done. There is no validation of the service name. The regular expression above also covers cases where a principal name starts with '-'. This prevents option injection as well. This fixes CVE-2024-1481 Fixes: https://pagure.io/freeipa/issue/9541 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
325 lines
8.9 KiB
YAML
325 lines
8.9 KiB
YAML
topologies:
|
|
build: &build
|
|
name: build
|
|
cpu: 2
|
|
memory: 3800
|
|
master_1repl: &master_1repl
|
|
name: master_1repl
|
|
cpu: 4
|
|
memory: 6750
|
|
master_1repl_1client: &master_1repl_1client
|
|
name: master_1repl_1client
|
|
cpu: 4
|
|
memory: 8000
|
|
ad_master_2client: &ad_master_2client
|
|
name: ad_master_2client
|
|
cpu: 4
|
|
memory: 10596
|
|
ipaserver: &ipaserver
|
|
name: ipaserver
|
|
cpu: 2
|
|
memory: 2750
|
|
|
|
jobs:
|
|
fedora-latest/build:
|
|
requires: []
|
|
priority: 150
|
|
job:
|
|
class: Build
|
|
args:
|
|
git_repo: '{git_repo}'
|
|
git_refspec: '{git_refspec}'
|
|
template: &ci-master-latest
|
|
name: freeipa/ci-master-f39
|
|
version: 0.0.1
|
|
timeout: 1800
|
|
topology: *build
|
|
|
|
fedora-latest/test_installation_TestInstallMaster:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_installation.py::TestInstallMaster
|
|
template: *ci-master-latest
|
|
timeout: 7200
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/simple_replication:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_simple_replication.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_caless_TestServerReplicaCALessToCAFull:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_external_ca_TestExternalCA:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints
|
|
template: *ci-master-latest
|
|
timeout: 4800
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_external_ca_TestSelfExternalSelf:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/external_ca_templates:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_topologies:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_topologies.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_sudo:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_sudo.py
|
|
template: *ci-master-latest
|
|
timeout: 4800
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_commands:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_commands.py
|
|
template: *ci-master-latest
|
|
timeout: 5400
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_kerberos_flags:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_kerberos_flags.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_forced_client_enrolment:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_forced_client_reenrollment.py
|
|
template: *ci-master-latest
|
|
timeout: 4800
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_advise:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_advise.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_testconfig:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_testconfig.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_service_permissions:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_service_permissions.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_netgroup:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_netgroup.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_authconfig:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_authselect.py
|
|
template: *ci-master-latest
|
|
timeout: 4800
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_replica_promotion_TestSubCAkeyReplication:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_dnssec_TestInstallDNSSECFirst:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_membermanager:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_membermanager.py
|
|
template: *ci-master-latest
|
|
timeout: 1800
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_adtrust_install:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_adtrust_install.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_cert:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_cert.py
|
|
template: *ci-master-latest
|
|
timeout: 5400
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_upgrade:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_upgrade.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl
|
|
|
|
fedora-latest/test_subids:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_integration/test_subids.py
|
|
template: *ci-master-latest
|
|
timeout: 3600
|
|
topology: *master_1repl_1client
|
|
|
|
fedora-latest/test_ipalib_install:
|
|
requires: [fedora-latest/build]
|
|
priority: 100
|
|
job:
|
|
class: RunPytest
|
|
args:
|
|
build_url: '{fedora-latest/build_url}'
|
|
test_suite: test_ipalib_install/test_kinit.py
|
|
template: *ci-master-latest
|
|
timeout: 600
|
|
topology: *master_1repl
|