URL: https://github.com/freeipa/freeipa/pull/5171
Author: tiran
 Title: #5171: [Backport][ipa-4-8] Check ca_wrapped in ipa-custodia-check
Action: opened

PR body:
"""
Manual backport of PR #5112 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5171/head:pr5171
git checkout pr5171
From bf06caa8ace05b1cfc561fce6ca397116728bd4b Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 16 Sep 2020 17:01:29 +0200
Subject: [PATCH 1/2] Check ca_wrapped in ipa-custodia-check

ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/tools/ipa-custodia-check.in                  |  2 ++
 ipaplatform/base/paths.py                            |  1 +
 ipaplatform/debian/paths.py                          |  1 +
 ipatests/test_integration/test_installation.py       |  6 ++++++
 ipatests/test_integration/test_simple_replication.py | 10 ++++++++++
 5 files changed, 20 insertions(+)

diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
index 5143dc4983..66f8f1d723 100644
--- a/install/tools/ipa-custodia-check.in
+++ b/install/tools/ipa-custodia-check.in
@@ -49,6 +49,8 @@ KEYS = [
     'dm/DMHash',
     'ra/ipaCert',
     'ca/auditSigningCert cert-pki-ca',
+    'ca_wrapped/auditSigningCert cert-pki-ca',
+    'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7',
     'ca/caSigningCert cert-pki-ca',
     'ca/ocspSigningCert cert-pki-ca',
     'ca/subsystemCert cert-pki-ca',
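Review bot: The second added key name embeds a bare OID, and nothing in the hunk says what `1.2.840.113549.3.7` selects, so a reader has to look it up to understand why that key is listed twice. That OID is des-ede3-cbc; the suffix presumably names the wrapping algorithm the ca_wrapped handler is asked to use, which the check then exercises in addition to the default form on the line above. A one-line comment above the two entries would make the intent clear, e.g. `# ca_wrapped keys: default wrapping, then an explicit algorithm OID (1.2.840.113549.3.7 = des-ede3-cbc)`. The KEYS list continues outside the hunk.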
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 2528192b4a..a1390fbfd5 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -391,6 +391,7 @@ class BasePathNamespace:
     IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
     IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
+    IPA_CUSTODIA_CHECK = "/usr/libexec/ipa/ipa-custodia-check"
     IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
     EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
     GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index ad49afd357..c97007acea 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -117,6 +117,7 @@ class DebianPathNamespace(BasePathNamespace):
     IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
     IPA_CUSTODIA_HANDLER = "/usr/lib/ipa/custodia"
+    IPA_CUSTODIA_CHECK = "/usr/lib/ipa/ipa-custodia-check"
     WSGI_PREFIX_DIR = "/run/apache2/wsgi"
 
 paths = DebianPathNamespace()
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index ec826edb73..edb7245a54 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1005,6 +1005,12 @@ def test_admin_root_alias_CVE_2020_10747(self):
         assert result.returncode != 0
         assert 'user with name "root" already exists' in result.stderr_text
 
+    def test_ipa_custodia_check(self):
+        # check local key retrieval
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )
+
 
 class TestInstallMasterKRA(IntegrationTest):
 
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 7071e6ee70..8de3851447 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -21,6 +21,7 @@
 
 import pytest
 
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
@@ -94,6 +95,15 @@ def test_replica_manage(self):
         assert msg1 not in result.stdout_text
         assert msg2 not in result.stdout_text
 
+    def test_ipa_custodia_check(self):
+        replica = self.replicas[0]
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, replica.hostname]
+        )
+        replica.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )
+
     def test_replica_removal(self):
         """Test replica removal"""
         result = self.master.run_command(['ipa-replica-manage', 'list'])
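Review bot: test_ipa_custodia_check indexes `self.replicas[0]` without a guard and carries no docstring, so if the class topology ever provides no replica the failure is an IndexError rather than a clear skip; the class header and its replica count are outside the hunk, so I cannot confirm the count here. Suggest a docstring such as `"""Check Custodia key retrieval in both directions between the master and the first replica."""` and, if the count is not guaranteed by the class config, `if not self.replicas: pytest.skip("test requires at least one replica")` before the indexing (pytest is already imported in this file). The method body otherwise relies on run_command raising on a non-zero exit, which is worth saying in the docstring as well.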

From a65cb408a5e9b498e6302af2f596bbdc14314210 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 23 Sep 2020 15:22:00 +0200
Subject: [PATCH 2/2] Verify freeipa-selinux's ipa module is loaded

ipa-custodia tests will fail if the ipa.pp override module from
freeipa-selinux is not correctly installed, loaded, and enabled.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/paths.py                     |  1 +
 .../test_integration/test_installation.py     | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a1390fbfd5..0c5494612d 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -263,6 +263,7 @@ class BasePathNamespace:
     RESTORECON = "/usr/sbin/restorecon"
     SELINUXENABLED = "/usr/sbin/selinuxenabled"
     SETSEBOOL = "/usr/sbin/setsebool"
+    SEMODULE = "/usr/sbin/semodule"
     SMBD = "/usr/sbin/smbd"
     USERADD = "/usr/sbin/useradd"
     FONTS_DIR = "/usr/share/fonts"
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index edb7245a54..5cf84385d7 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1011,6 +1011,25 @@ def test_ipa_custodia_check(self):
             [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
         )
 
+    @pytest.mark.skipif(
+        paths.SEMODULE is None, reason="test requires semodule command"
+    )
+    def test_ipa_selinux_policy(self):
+        # check that freeipa-selinux's policy module is loaded and
+        # not disabled
+        result = self.master.run_command(
+            [paths.SEMODULE, "-lfull"]
+        )
+        # prio module pp [disabled]
+        # 100: default priority
+        # 200: decentralized SELinux policy priority
+        entries = {
+            tuple(line.split())
+            for line in result.stdout_text.split('\n')
+            if line.strip()
+        }
+        assert ('200', 'ipa', 'pp') in entries
+
 
 class TestInstallMasterKRA(IntegrationTest):
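Review bot: The skipif guard `paths.SEMODULE is None` never fires with the definition added in this same patch, since BasePathNamespace sets SEMODULE to a string; unless some platform namespace overrides it with None, the guard only documents an intention and a host without semodule fails in run_command rather than skipping. The bare `assert ('200', 'ipa', 'pp') in entries` also gives no context on failure, so a disabled module (a 4-tuple with `[disabled]`, per the comment in the hunk) or a module loaded at a different priority just reports a missing tuple; `assert ('200', 'ipa', 'pp') in entries, sorted(entries)` would show what semodule actually listed. Pinning priority 200 is fine for the freeipa-selinux package but worth a sentence in a docstring so a distro that ships the module at another priority knows why the test fails. The enclosing class begins before the hunk.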
 