URL: https://github.com/freeipa/freeipa/pull/3029 Author: flo-renaud Title: #3029: [Backport][ipa-4-6] ipa-client-install: autodiscovery must refuse single-label domains Action: opened
PR body: """ Manual backport of PR #3021 to ipa-4-6. The manual backport was required because the file is `ipaclient/discovery.py` in the master branch but `ipaclient/install/ipadiscovery.py` in ipa-4-6 branch. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3029/head:pr3029 git checkout pr3029
From 523a7ffd0ca98f2ddbdc8ebb1e2fc357e726219e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 11 Apr 2019 09:10:56 +0200
Subject: [PATCH] ipa-client-install: autodiscovery must refuse single-label domains

Since commit 905ab93, ipa-server-install refuses single-label domains, but older IPA server versions could be installed with a single-label domain/realm. ipa-client-install is already refusing single-label domain/realm when provided to the CLI with --domain / --realm but does not perform the same check when the domain is discovered. This commit adds a check to domain names automatically discovered and skips single-label domains. Same check for realm names.

Fixes: https://pagure.io/freeipa/issue/7598
---
 ipaclient/install/ipadiscovery.py | 45 +++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 4800325575..94eab56b71 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -27,6 +27,7 @@ from dns import resolver, rdatatype
 from dns.exception import DNSException
 from ipalib import errors
+from ipalib.util import validate_domain_name
 from ipapython.dnsutil import query_srv
 from ipapython import ipaldap
 from ipaplatform.paths import paths
@@ -233,6 +234,13 @@ def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=
         domains = [(domain, 'domain of the hostname')] + domains
         tried = set()
         for domain, reason in domains:
+            # Domain name should not be single-label
+            try:
+                validate_domain_name(domain)
+            except ValueError as e:
+                logger.debug("Skipping invalid domain '%s' (%s)",
+                             domain, e)
+                continue
             servers, domain = self.check_domain(domain, tried, reason)
             if servers:
                 autodiscovered = True
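Review bot: The new guard validates only the candidate taken from the `domains` list, while the `domain` that `check_domain` returns on the next line is the one the rest of discovery keeps, so if `check_domain` walks up to parent domains while looking for SRV records (its body is outside the hunk) a multi-label candidate such as `sub.corp` can still end up as the single-label parent `corp` without ever being checked. Validating the returned value as well, `servers, domain = self.check_domain(domain, tried, reason)` followed by a second `validate_domain_name(domain)` in a try/except that sets `servers = None` on ValueError, would close that path. The same validate/log/skip sequence is repeated in the two later hunks of this file; a small helper such as `_is_valid_name(name, entity)` that logs the ValueError and returns a bool would keep the three sites identical. The enclosing `search` method starts and ends outside the hunk.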
@@ -300,17 +308,25 @@ def search(self, domain="", servers="", realm=None, hostname=None, ca_cert_path=
                 ldapret = self.ipacheckldap(server, self.realm,
                                             ca_cert_path=ca_cert_path)
                 if ldapret[0] == 0:
-                    self.server = ldapret[1]
-                    self.realm = ldapret[2]
-                    self.server_source = self.realm_source = (
-                        'Discovered from LDAP DNS records in %s' % self.server)
-                    valid_servers.append(server)
-                    # verified, we actually talked to the remote server and it
-                    # is definetely an IPA server
-                    if autodiscovered:
-                        # No need to keep verifying servers if we discovered them
-                        # via DNS
-                        break
+                    # Make sure that realm is not single-label
+                    try:
+                        validate_domain_name(ldapret[2], entity='realm')
+                    except ValueError as e:
+                        logger.debug("Skipping invalid realm '%s' (%s)",
+                                     ldapret[2], e)
+                        ldapret = [NOT_IPA_SERVER]
+                    else:
+                        self.server = ldapret[1]
+                        self.realm = ldapret[2]
+                        self.server_source = self.realm_source = (
+                            'Discovered from LDAP DNS records in %s' % self.server)
+                        valid_servers.append(server)
+                        # verified, we actually talked to the remote server and it
+                        # is definetely an IPA server
+                        if autodiscovered:
+                            # No need to keep verifying servers if we discovered
+                            # them via DNS
+                            break
                 elif ldapret[0] == NO_ACCESS_TO_LDAP or ldapret[0] == NO_TLS_LDAP:
                     ldapaccess = False
                     valid_servers.append(server)
@@ -548,6 +564,13 @@ def ipadnssearchkrbrealm(self, domain=None):
                     'A TXT record cannot be decoded as UTF-8: %s', e)
                 continue
             if realm:
+                # Make sure that the realm is not single-label
+                try:
+                    validate_domain_name(realm, entity='realm')
+                except ValueError as e:
+                    logger.debug("Skipping invalid realm '%s' (%s)",
+                                 realm, e)
+                    continue
                 return realm
         return None
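Review bot: The rejection path in the first hunk on this line assigns `ldapret = [NOT_IPA_SERVER]` inside the `if ldapret[0] == 0:` branch, where the sibling `elif` branches are no longer evaluated, so the only possible consumer is code after the if/elif chain, which is outside the hunk; the assignment also leaves `ldapret` with one element where the success path carried three, so any later `ldapret[1]` or `ldapret[2]` access would raise IndexError. If a post-loop check does key on `ldapret[0]`, the line deserves a comment saying so, e.g. `# Report this server as non-IPA to the post-loop handling; the elif chain below is not re-evaluated`; if nothing reads it, the assignment can be dropped. The enclosing `search` method starts and ends outside the hunk.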