[Backport ipa-4-6] Bypass D-BUS interface definition deficiences for trust-fetch-domains #3008

Closed
wants to merge 1 commit into from
Closed
21 changes: 13 additions & 8 deletions install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -5,6 +5,7 @@ from ipaserver.install.installutils import is_ipa_configured, ScriptError
from ipapython import config, ipautil
from ipalib import api
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
from ipaplatform.constants import constants
from ipaplatform.paths import paths
import sys
@@ -37,7 +38,17 @@ def parse_options():
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)

return safe_options, options, args
# We only use first argument of the passed args but as D-BUS interface
# in oddjobd cannot expose optional, we fill in empty slots from IPA side
# and filter them here.
trusted_domain = ipautil.fsdecode(args[0]).lower()

# Accept domain names that at least have two labels. We do not support
# single label Active Directory domains. This also catches empty args.
if len(DNSName(trusted_domain).labels) < 2:
# LSB status code 2: invalid or excess argument(s)
raise ScriptError("You must specify a valid trusted domain name", 2)
return safe_options, options, trusted_domain

def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
getkeytab_args = ["/usr/sbin/ipa-getkeytab",
@@ -87,13 +98,7 @@ if not os.getegid() == 0:
# LSB status code 4: user had insufficient privilege
raise ScriptError("You must be root to run ipactl.", 4)

safe_options, options, args = parse_options()

if len(args) != 1:
# LSB status code 2: invalid or excess argument(s)
raise ScriptError("You must specify trusted domain name", 2)

trusted_domain = ipautil.fsdecode(args[0]).lower()
safe_options, options, trusted_domain = parse_options()

api.bootstrap(in_server=True, log=None,
context='server', confdir=paths.ETC_IPA)
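Review bot: In parse_options, `args[0]` is now read before any length check, so running the helper with no positional arguments ends in an IndexError instead of the ScriptError with LSB code 2 that the removed `if len(args) != 1` block produced; the comment "This also catches empty args" holds only for an empty string, not for an empty argument list. Because this script runs as root and receives its argument from a D-Bus caller, I would keep an explicit guard ahead of the decode: `if not args: raise ScriptError("You must specify a valid trusted domain name", 2)`. The label-count test may also accept a single label written with a trailing dot if DNSName counts the root label, and a malformed name may raise from the DNSName constructor rather than as a ScriptError; both are worth confirming. parse_options begins above this hunk.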
11 changes: 9 additions & 2 deletions ipaserver/plugins/trust.py
@@ -446,8 +446,15 @@ def fetch_trusted_domains_over_dbus(myapi, *keys, **options):
fetch_domains_method = intf.get_dbus_method(
'fetch_domains',
dbus_interface=DBUS_IFACE_TRUST)
(_ret, _stdout, _stderr) = fetch_domains_method(
[forest_name] + method_options)
# Oddjobd D-BUS method definition only accepts fixed number
# of arguments on the command line. Thus, we need to pass
# remaining ones as ''. There are 30 slots to allow for extension
# and the number comes from the 'arguments' definition in
# install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
method_arguments = [forest_name]
method_arguments.extend(method_options)
method_arguments.extend([''] * (30 - len(method_arguments)))
(_ret, _stdout, _stderr) = fetch_domains_method(*method_arguments)
except dbus.DBusException as e:
logger.error('Failed to call %s.fetch_domains helper.'
'DBus exception is %s.', DBUS_IFACE_TRUST, str(e))
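Review bot: The padding `[''] * (30 - len(method_arguments))` produces nothing when forest_name plus method_options already exceed 30 entries, so the call goes out with more arguments than the oddjobd definition accepts and the only symptom is the generic DBusException log below. The literal 30 is tied to oddjobd-ipa-trust.conf only by the comment. A named module-level constant, plus an explicit length check before padding that reports the overflow, would make any drift between the two visible. The enclosing try block and function start and end outside this hunk.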