URL: https://github.com/freeipa/freeipa/pull/4974 Author: flo-renaud Title: #4974: CAless installation: set the perms on KDC cert file Action: opened
PR body: """ ### CAless installation: set the perms on KDC cert file In CA less installation, the KDC certificate file does not have the expected 644 permissions. As a consequence, WebUI login fails. The fix makes sure that the KDC cert file is saved with 644 perms. Fixes: https://pagure.io/freeipa/issue/8440 ### ipatests: check KDC cert permissions in CA less install The KDC certificate file must be stored with 644 permissions. Add a test checking the file permissions on server + replica. Related: https://pagure.io/freeipa/issue/8440 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4974/head:pr4974 git checkout pr4974
From 2b3c1f9902a56c8977dcfd0ebcc6a306237e6279 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Mon, 3 Aug 2020 18:52:07 +0200
Subject: [PATCH 1/3] CAless installation: set the perms on KDC cert file
In CA less installation, the KDC certificate file does not have the expected 644 permissions. As a consequence, WebUI login fails. The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 09d14693ce..1910ff3740 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -536,6 +536,8 @@ def install_external_pkinit_certs(self):
 certs.install_pem_from_p12(self.pkcs12_info[0],
 self.pkcs12_info[1],
 paths.KDC_CERT)
+ # The KDC cert needs to be readable by everyone
+ os.chmod(paths.KDC_CERT, 0o644)
 certs.install_key_from_p12(self.pkcs12_info[0],
 self.pkcs12_info[1],
 paths.KDC_KEY)
From 9cd90edc52d5c24389e916a78de019dbd5be2b21 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Mon, 3 Aug 2020 18:53:47 +0200
Subject: [PATCH 2/3] ipatests: check KDC cert permissions in CA less install
The KDC certificate file must be stored with 644 permissions. Add a test checking the file permissions on server + replica.
Related: https://pagure.io/freeipa/issue/8440
---
 ipatests/test_integration/test_caless.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index a7b2cbbbc9..1ea7d9896f 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
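Review bot: The comment added above `os.chmod(paths.KDC_CERT, 0o644)` says only that the file must be readable by everyone, not why or what must not be widened; since `certs.install_key_from_p12(..., paths.KDC_KEY)` follows on the very next lines, a later reader could be tempted to "fix" the key file the same way. Suggest `# The KDC cert is public: make it 0644 so the web UI login path can read it in a CA-less install. Never widen KDC_KEY, written below.` This presumes `os` is already imported in krbinstance.py, which the hunk does not show. The enclosing install_external_pkinit_certs starts and ends outside the hunk.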
@@ -1527,6 +1527,13 @@ def test_anon_pkinit_with_external_CA(self):
 assert result.returncode == 0
+def verify_kdc_cert_perms(host):
+ """Verify that the KDC cert pem file has 0644 perms"""
+ cmd = host.run_command(['stat', '-c',
+ '"%a %G:%U"', paths.KDC_CERT])
+ assert "644 root:root" in cmd.stdout_text
+
+
 class TestPKINIT(CALessBase):
 """Install master and replica with PKINIT"""
 num_replicas = 1
@@ -1540,6 +1547,7 @@ def install(cls, mh):
 result = cls.install_server(pkinit_pkcs12_exists=True,
 pkinit_pin=_DEFAULT)
 assert result.returncode == 0
+ verify_kdc_cert_perms(cls.master)
 @replica_install_teardown
 def test_server_replica_install_pkinit(self):
@@ -1549,6 +1557,7 @@ def test_server_replica_install_pkinit(self):
 pkinit_pin=_DEFAULT)
 assert result.returncode == 0
 self.verify_installation()
+ verify_kdc_cert_perms(self.replicas[0])
 class TestServerReplicaCALessToCAFull(CALessBase):
From a47c0afcd4bd79ee05b48a574f2b3317e9b1f9c3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Mon, 3 Aug 2020 18:59:47 +0200
Subject: [PATCH 3/3] Temp commit
---
 ipatests/prci_definitions/temp_commit.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..84612703e8 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
 timeout: 1800
 topology: *build
- fedora-latest/temp_commit:
+ fedora-latest/test_caless_TestPKINIT:
 requires: [fedora-latest/build]
 priority: 50
 job:
 class: RunPytest
 args:
 build_url: '{fedora-latest/build_url}'
- test_suite: test_integration/test_REPLACEME.py
+ test_suite: test_integration/test_caless.py::TestPKINIT
 template: *ci-master-latest
- timeout: 3600
- topology: *master_1repl_1client
+ timeout: 5400
+ topology: *master_1repl
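Review bot: In `verify_kdc_cert_perms` the stat format `'"%a %G:%U"'` prints group before user, so the expected string `"644 root:root"` reads as user:group but is actually checked as group:user; it only passes because both happen to be root, and the embedded double quotes plus the substring `in` check would also accept a wider mode such as `2644`. Use `cmd = host.run_command(['stat', '-c', '%a %U:%G', paths.KDC_CERT])` and `assert cmd.stdout_text.strip() == "644 root:root"` for an exact check. Since the companion fix deliberately loosens the cert but not the key, a second assertion that `paths.KDC_KEY` keeps its restrictive mode (expected value not shown on this page) would guard against the opposite regression. This presumes `paths` is imported in test_caless.py, which is not visible here; the two later hunks only call the helper and need no change.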