Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't store entries with a usercertificate in the LDAP cache #6015

Closed
wants to merge 2 commits into from
Closed

Don't store entries with a usercertificate in the LDAP cache #6015

wants to merge 2 commits into from

Conversation

rcritten
Copy link
Contributor

Don't store entries with a usercertificate in the LDAP cache

usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden rcritten@redhat.com

@rcritten rcritten added the ipa-4-9 Mark for backport to ipa 4.9 label Sep 10, 2021
@rcritten
Copy link
Contributor Author

Fixed linter issue.

fcami
fcami approved these changes Sep 10, 2021
View reviewed changes
Copy link
Contributor

@fcami fcami left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Not Acking formally yet.

@frasertweedale
Copy link
Contributor

Well... actually how 389DS treats the ;binary option is not correct. It treats it as a subtype, when
in fact it should not. See https://datatracker.ietf.org/doc/html/rfc4522. I vaguely recall other FreeIPA
and/or Dogtag issues due to this quirk.

The workaround in this PR looks fine to me.

@tbordaz
Copy link
Contributor

tbordaz commented Sep 13, 2021

Well... actually how 389DS treats the ;binary option is not correct. It treats it as a subtype, when
in fact it should not. See https://datatracker.ietf.org/doc/html/rfc4522. I vaguely recall other FreeIPA
and/or Dogtag issues due to this quirk.

The workaround in this PR looks fine to me.

Hi @frasertweedale, 389-ds transfers all returned attributes following BER encoding form. Do you mean 389ds should transfert certificates attributes (https://datatracker.ietf.org/doc/html/rfc4523) in DER encoding from ?

@frasertweedale
Copy link
Contributor

frasertweedale commented Sep 13, 2021
edited

G'day @tbordaz. What I mean is that 389 treats ;binary as an attribute subtype, rather than a transport option. That is, it happily accepts and stores a userCertificate attribute (without the ;binary transfer option), and returns it in the same way. This violates https://datatracker.ietf.org/doc/html/rfc4523 which says that attributes having the various certificate-related syntaxes MUST only be transfered using the ;binary transfer option.

Furthermore, RFC 4522 states:

 The binary option is not a tagging option [RFC4512], so the presence
 of the binary option does not specify an attribute subtype.  An
 attribute description containing the binary option references exactly
 the same attribute as the attribute description without the binary
 option.  The supertype/subtype relationships of attributes with
 tagging options are not altered in any way by the presence or absence
 of the binary option.

But 389DS treats ;binary as an attribute subtype tag. It leads to
bugs like this one this PR addresses.

@tbordaz
Copy link
Contributor

tbordaz commented Sep 13, 2021

G'day @tbordaz. What I mean is that 389 treats ;binary as an attribute subtype, rather than a transport option. That is, it happily accepts and stores a userCertificate attribute (without the ;binary transfer option), and returns it in the same way. This violates https://datatracker.ietf.org/doc/html/rfc4523 which says that attributes having the various certificate-related syntaxes MUST only be transfered using the ;binary transfer option.

Furthermore, RFC 4522 states:

 The binary option is not a tagging option [RFC4512], so the presence
 of the binary option does not specify an attribute subtype.  An
 attribute description containing the binary option references exactly
 the same attribute as the attribute description without the binary
 option.  The supertype/subtype relationships of attributes with
 tagging options are not altered in any way by the presence or absence
 of the binary option.

But 389DS treats ;binary as an attribute subtype tag. It leads to
bugs like this one this PR addresses.

I agree, the handling ';binary' is not conform. it is a transfer syntax not a subtype.

@rcritten
Copy link
Contributor Author

@frasertweedale so is that an ack? :-)

@frasertweedale
Copy link
Contributor

@fcami what do you think? I am not familiar with this new LDAP cache feature, but the patch makes sense to me.

@fcami
Copy link
Contributor

fcami commented Sep 16, 2021

ACK

@fcami fcami added the ack Pull Request approved, can be merged label Sep 16, 2021
@rcritten
Don't store entries with a usercertificate in the LDAP cache
72730e8 
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
@rcritten
ipatests: Test that a user can be issued multiple certificates
d0f2cde 
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
@rcritten
Copy link
Contributor Author

temp commit removed

@rcritten rcritten added the pushed Pull Request has already been pushed label Sep 16, 2021
@rcritten
Copy link
Contributor Author

master:

  • ba526c5 Don't store entries with a usercertificate in the LDAP cache
  • 540b01b ipatests: Test that a user can be issued multiple certificates

@rcritten rcritten closed this Sep 16, 2021
@rcritten rcritten mentioned this pull request Sep 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fcami fcami fcami approved these changes

Assignees
No one assigned
Labels
ack Pull Request approved, can be merged ipa-4-9 Mark for backport to ipa 4.9 pushed Pull Request has already been pushed
Projects
None yet
Milestone
No milestone
4 participants
@rcritten @frasertweedale @tbordaz @fcami