On Fri, Apr 08, 2016 at 10:47:19AM -0400, Simo Sorce wrote:
> On Sat, 2016-04-09 at 00:23 +1000, Fraser Tweedale wrote:
> > -        name = gssapi.Name('host@%s' % (self.client,),
> > 
> > -                           gssapi.NameType.hostbased_service)
> 
> If you remove this then on a serve that has nfs keys in the keytab you
> may end up acquiring the wrong credentials.
> You need to pass down what credentials you want to use to initialize the
> cred store, we canot rely on ordering in the system keytab case.
> 
> Simo.
> 
Thanks Simo; updated patch attached.
From cfa2d1d95508c5ea9bb9bf59df6ae0c165f8fbde Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 8 Apr 2016 15:21:19 +1000
Subject: [PATCH] Allow CustodiaClient to be used by arbitrary principals

Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to allow specifying the keytab and Custodia
keyfile to use.  Avoid hard-coding the service name to find in the
keytab.  Also add an ACI to allow authenticated users to read and
search for Custodia server public keys.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 install/updates/20-aci.update |  3 +++
 ipapython/secrets/client.py   | 17 ++++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 
4802ae0458e8b870bf3127764ebabac1a48f7cf2..16e3b7ab9d6cdcc1de0490f42447a17f8b769524
 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -136,3 +136,6 @@ add:aci: (target = 
"ldap:///cn=replication,cn=etc,$SUFFIX";)(targetattr = "nsDS5R
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = 
"ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA 
server hosts can create own Custodia secrets"; allow(add) groupdn = 
"ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"; and userdn = 
"ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = 
"ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = 
"ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia 
secrets"; allow(write) groupdn = 
"ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"; and userdn = 
"ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+
+# Anyone can search Custodia public keys
+add:aci: (target = 
"ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = 
"ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Anyone can 
search Custodia public keys"; allow(read, search, compare) userdn = 
"ldap:///all";;)
diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 
5b671988ddc66eedd9ae1cd4ddec0e1308bc5a93..a15057ae67c377a782db3642d14384e0bf11b5a2
 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -41,16 +41,19 @@ class CustodiaClient(object):
 
         return iSecStore(config)
 
-    def __init__(self, client, server, realm, ldap_uri=None, auth_type=None):
-        self.client = client
-        self.creds = None
+    def __init__(self, client, server, realm, ldap_uri=None, auth_type=None,
+            client_servicename='host', keyfile=None, keytab=None):
+        self.client_service = '%s@%s' % (client_servicename, client)
+        self.keytab = keytab or paths.KRB5_KEYTAB
+        self.creds = self.init_creds()
 
         self.service_name = gssapi.Name('HTTP@%s' % (server,),
                                         gssapi.NameType.hostbased_service)
         self.server = server
 
-        keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
-        self.ikk = IPAKEMKeys({'server_keys': keyfile})
+        if keyfile is None:
+            keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
+        self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
 
         self.kemcli = KEMClient(self._server_keys(server, realm),
                                 self._client_keys())
@@ -61,9 +64,9 @@ class CustodiaClient(object):
         requests.packages.urllib3.disable_warnings()
 
     def init_creds(self):
-        name = gssapi.Name('host@%s' % (self.client,),
+        name = gssapi.Name(self.client_service,
                            gssapi.NameType.hostbased_service)
-        store = {'client_keytab': paths.KRB5_KEYTAB,
+        store = {'client_keytab': self.keytab,
                  'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
         return gssapi.Credentials(name=name, store=store, usage='initiate')
 
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to