Allow using DOMAIN COMPONENT for AD DS certificates #75
Conversation
alfonsrv
changed the title
|
Cheers – I pushed the changes for review. |
| the original list order for possible subject fields allowing for MULTIPLE_OIDS.""" | ||
| if SUBJECT_FIELDS.index(subject[0][0]) > SUBJECT_FIELDS.index(subject[-1][0]): | ||
| return sorted(subject[::-1], key=lambda k: SUBJECT_FIELDS.index(k[0])) | ||
| return sorted(subject, key=lambda k: SUBJECT_FIELDS.index(k[0])) |
There was a problem hiding this comment.
This function here: I think I understand what your updated comment means to express, but the code is far from obvious. And I'm frankly surprised that the old code does not respect sort stability.
- I think
subject[::-1]is just reversing the list. At least a simple test did that. If yes, then use the more obviousreversed()instead. - What does that
ifcheck do? - Definitely add tests for an updated version of this function.
There was a problem hiding this comment.
See comment below. I'm not sure how it does its magic exactly anymore, I just know it reliably yields the desired results.
Exemplary test cases as mentioned below:
>>> subject = [('CN', 'John Doe'), ('OU', 'Users'), ('DC', 'contoso'), ('DC', 'loc')]
>>> sort_name(subject)
[('DC', 'loc'), ('DC', 'contoso'), ('OU', 'Users'), ('CN', 'John Doe')]
>>> subject = [('CN', 'John Doe'), ('OU', 'Marketing'), ('OU', 'Users'), ('OU', 'OtherUnit'), ('DC', 'contoso'), ('DC', 'loc')]
>>> sort_name(subject)
[('DC', 'loc'), ('DC', 'contoso'), ('OU', 'OtherUnit'), ('OU', 'Users'), ('OU', 'Marketing'), ('CN', 'John Doe')]
>>> subject = [('DC', 'loc'), ('DC', 'contoso'), ('DC', 'ad'), ('OU', 'Users'), ('CN', 'John Doe')]
>>> sort_name(subject)
[('DC', 'loc'), ('DC', 'contoso'), ('DC', 'ad'), ('OU', 'Users'), ('CN', 'John Doe')]Let me know if you feel comfortable with the sort function so we can move forward. Halting any further effort until then.
There was a problem hiding this comment.
Now that's behavior that I don't understand: In testcase two, loc is the last DC in the input and ends up as first element.
In the third test case, loc is the first DC, and still ends up as last. Is that supposed to be?
There was a problem hiding this comment.
Yes. In the first and second test case, the user input the subject with CN being the first element – this is a classic case of assuming the hierarchy goes from left-to-right with CN being the lowest weighted element.
In test case three, we're looking at the opposite. The user's hierarchical input is correct as per X509 with CN being the last element.
In all three test cases the user respect the general hierarchical-structure, albeit in a reversed manner.
|
By the way, the test suite in the main branch is now (finally) fixed again. That means you're runs should pass as well before being merged. Update: Tipp: Be sure to merge the latest master into your branch. |
After thinking a little bit about this, I'm currently uncomfortable with that particular change. Can you please explain what exactly it is you're trying to achieve with this change? Do you just want to reverse the order when printing a subject with a |
|
Currently on mobile, but try sorting Should be This also affects CLI; so I'd argue that the previous sorting algorithm wasn't designed to yield the desired results when e.g. multiple If you have a more elegant way to do it, I'm not emotionally attached to the new sorting algorithm. :) |
|
Huh? What happened with that migration? Where is that coming from? I don't see any models changed! |
|
What do you think of this change to It passes your first two test cases, but not the third one, where it's arguably more consistent. |
|
The issue is that you don't know how a user is going to input the subject into the form/certificate request/cli. It may either be the expected In fact being a system administrator I have seen many inexperienced sysadmins make this "mistake" assuming A sorting algorithm should be able to expect both assumptions and abstract that knowledge and level of detail from the user, being able to order it the right way in any case, to produce a valid X509 certificate. |
That seems like an impossible assumption to me. I think we should do the following: the |
|
I had to create the migration after the latest merge, otherwise it refused to run. Could have something to do with As for the others – I have pushed the minor adjustments I'm aware of that needed to be changed – not sure how we have remained on proceeding with the sorting algorithm. If there's something I am missing, let me know, so I can adjust it accordingly. |
I don't see any change in recent Django minor versions that would require that. It doesn't ask me to do that migration locally either. Please remove it - or show precisely when Django asks you to create it.
Please remove it from this PR and create a new issue describing your problem. TBH, I'm not really sure there even is an issue - sort order seems stable from changes I made in 24324de.
The rest should be fine IMHO. But note that you'll have to get GitHub CI to pass. Right now master passes as well, so merging it to your branch should show any remaining issues iin your PR. |
|
closed by accident? I can re-open of course? |
|
No, I decided contributing is too cumbersome. |
|
I'm very sorry to hear that. I hope you don't mind me picking up the fixes that you made. |
Adding support to use
DCdirective in certificates.An AD DS-bound certificate's subject used for Windows Smart Card authentication is composed of the absolute path of the user object in AD DS – this path is also reflected in the user's distinguishedName attribute and used for authentication, e.g.
[('CN', 'John Doe'), ('OU', 'Users'), ('DC', 'contoso'), ('DC', 'loc')].As per RFC2253, the formatting is reversed to x509 and the
DCandOUdirective can occur multiple times. Because the order is important when authenticating users, I extended thesort_namefunction a bit (with some online help of @kiwwisk)