cert-request: match names against principal aliases #227
Conversation
frasertweedale
force-pushed
the
feature/6432-cert-request-san-princ-alias
branch
2 times, most recently
from
8fb85f2
to
6156cf7
Compare
frasertweedale
changed the title
|
@frasertweedale What is the intended semantics of the checks against principal aliases in SAN? If the requestor can use only the aliases belonging to the entry of the recieving principal, then it should be enough to retrieve the entry by searching for the 'krbprincipalname' from --principal option, retrieve it, and then checking whether all values of dnsName/KRB5PrincipalName are a subset of Kerberos principal aliases. |
|
Also, the current execution flow of the command is very confusing (retrieving objects based on intended principal types etc.). As a part of the ticket I was planning to do a sneaky refactoring of the flow which IMHO should look like this: 1.) you search entries by krbprincipalname extracted from 'principal' option (or from bind principal) 2.) If not found, you error out that such entry could not be found 3.) due to syntax overrides in ipaldap, all returned principals will be converted to Principal objects so after you retrieve the entry and ensure that it exists you can test whether it is service, user, etc. 4.) for values in SAN, you check whether the value is already container in the entries principals (as you do in this PR). If the principal is not there, you can try to retrieve the entry from ldap and either error out if not found, or check CA ACLs against it when present. 5.) if all is OK, forward the request to RA backend and issue the certificate. Do you think that this would extend the scope of the ticket too much? If yes, I can open a separate ticket for this cleanup and do it on top of your work. |
|
Also one of the tests in caacl_profile_enforcement suite fails: |
|
@martbab thanks for review; I will revisit this some time in next week (hopefully) |
|
Semantics:
match[dns]: iterate principal aliases. Matches if: alias has same realm as w.r.t. test failure, I cannot reproduce with this patch rebased on latest master. |
|
@martbab I agree with doing the refactor you propose, but I deem it out of scope for this ticket. Doing that refactor entails a cleanup of how we handle the LDAP So... do we want to look at getting this merged soon? |
|
I agree that it is out of scope of this work and will open a separate ticket for the |
|
|
||
| # ignore aliases with different realm or service name from | ||
| # subject principal | ||
| if alias.realm != principal.realm: |
There was a problem hiding this comment.
Nitpick: we (currently) do not support aliases w/ realm that is different than IPA realm (*-add-principal will error out loudly) so I am not sure whether we require this check.
There was a problem hiding this comment.
I'm going to leave it in anyway. It does no harm and is one less potential bug if we do ever support aliases with different realms, somehow.
|
|
||
| """ | ||
| aliases = set(principal_obj.get('krbprincipalname', [])) | ||
| for alias in principal_obj.get('krbcanonicalname', []): |
There was a problem hiding this comment.
As per http://www.freeipa.org/page/V4/Kerberos_principal_aliases the canonical name MUST be listed among the values of 'krbprincipalname' attribute so there is no need to explicitly add it here (results in a no-op all the time).
There was a problem hiding this comment.
OK, thanks. I've removed function _collect_princpial_aliases() and just replaced with principal_obj.get('krbprincipalname', []) at call sites.
|
|
||
| @pytest.mark.tier1 | ||
| class TestPrincipalAliasForSubjectAltNameDnsName(SubjectAltNameOneServiceBase): | ||
| """Sign certificate request with an invalid SAN dnsName. |
There was a problem hiding this comment.
Copy-paste error in the docstring here?
There was a problem hiding this comment.
Yep, thanks. Corrected in updated patch.
| self, santest_service_host_1): | ||
| api.Command.service_add_principal( | ||
| santest_service_host_1.name, | ||
| 'srv/santest-host-2.ipa.local') |
There was a problem hiding this comment.
Please use santest_host_2 fixture here and use santest_1_host_2.attrs['krbcanonicalname'][0] to construct the alias instead of hard-coding the alias name as string. This test fails due to adding principal name for srv/santest-host-2.ipa.local while the service name in fixture is srv/santest-host-2.ipa.*test*
There was a problem hiding this comment.
Thanks for clarifying. I was wonder how the test was failing. It is obvious now thanks to your explanation :)
|
There are small issues I found in the patch. Please address those. @apophys can quickly you review the new test cases? they pass (except for one pointed out in review) so they should be valid and OK. |
frasertweedale
force-pushed
the
feature/6432-cert-request-san-princ-alias
branch
from
6156cf7
to
b84e266
Compare
| except ValueError: | ||
| return False | ||
|
|
||
| return principal in principal_obj.get('krbprincpialname', []) |
There was a problem hiding this comment.
Please fix typo in attribute name.
There was a problem hiding this comment.
hah, silly fat fingers. push incoming
Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295
frasertweedale
force-pushed
the
feature/6432-cert-request-san-princ-alias
branch
from
b84e266
to
c347ff8
Compare
|
The tests look good to me. |
|
Fixed upstream |
Currently we do not check Kerberos principal aliases when validating
a CSR. Enhance cert-request to accept the following scenarios:
for hosts and services: CN and SAN dnsNames match a principal
alias (realm and service name must be same as nominated principal)
for all principal types: UPN or KRB5PrincipalName othername match
any principal alias.
Fixes: https://fedorahosted.org/freeipa/ticket/6295