add default access control when migrating trust objects

It looks like for some cases we do not have proper set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, create default configuration as ipasam would have created when trust was established. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
freeipa · Sep 16, 2019 · 5741e03 · 5741e03
1 parent a016ed7
commit 5741e03
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
@@ -28,6 +28,9 @@ def ndr_unpack(x):
 register = Registry()
 
 DEFAULT_ID_RANGE_SIZE = 200000
+trust_read_keys_template = \
+    ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}",
+     "cn=trust admins,cn=groups,cn=accounts,{basedn}"]
 
 
 @register()
@@ -575,8 +578,15 @@ def set_krb_principal(self, principals, password, trustdn, flags=None):
                     'krbprincipalkey')
                 entry_data['krbextradata'] = en.single_value.get(
                     'krbextradata')
-                entry_data['ipaAllowedToPerform;read_keys'] = en.get(
-                    'ipaAllowedToPerform;read_keys', [])
+                read_keys = en.get('ipaAllowedToPerform;read_keys', [])
+                if not read_keys:
+                    # Old style, no ipaAllowedToPerform;read_keys in the entry,
+                    # use defaults that ipasam should have set when creating a
+                    # trust
+                    read_keys = list(map(
+                        lambda x: x.format(basedn=self.api.env.basedn),
+                        trust_read_keys_template))
+                entry_data['ipaAllowedToPerform;read_keys'] = read_keys
 
         entry.update(entry_data)
         try: