The branch, v4-19-test has been updated via df025598884 python:gp: Print a nice message if cepces-submit can't be found via de32d94ca87 gp: Send list of keys instead of dict to remove via 93735e8a9b0 gp: Test disabled enrollment unapplies policy via 28b1fe5eac4 gp: Template changes should invalidate cache via dfbe7494683 gp: Test adding new cert templates enforces changes via 6dba94a3ab0 gp: Convert CA certificates to base64 via 9db01a2c729 gp: Test with binary content for certificate data via 0dd51b02e8f gp: Change root cert extension suffix via f9975df8414 gp: Support update-ca-trust helper via 9ab2eb21141 gp: Support more global trust directories from cfbaab5654c smbd: move access override for previous versions to the SMB layer
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log ----------------------------------------------------------------- commit df025598884d28bdf2fc436cd46cbd04395ea4c7 Author: Andreas Schneider <a...@samba.org> Date: Tue Jan 9 08:50:01 2024 +0100 python:gp: Print a nice message if cepces-submit can't be found BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit 8eb42425a8eb1b30ca0e94dfc01d8175ae5cde4b) Autobuild-User(v4-19-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-19-test): Mon Jan 15 11:11:31 UTC 2024 on atb-devel-224 commit de32d94ca87f39c3227c7e997f55bb707fb4fffd Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Wed Aug 16 12:33:59 2023 +0300 gp: Send list of keys instead of dict to remove `cache_get_all_attribute_values` returns a dict whereas we need to pass a list of keys to `remove`. These will be interpolated in the gpdb search. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224 (cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a) commit 93735e8a9b018209abbe16721ad9d37b3bf74bde Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Fri Aug 18 17:26:59 2023 +0300 gp: Test disabled enrollment unapplies policy For this we need to stage a Registry.pol file with certificate autoenrollment enabled, but with checkboxes unticked. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3) commit 28b1fe5eac4a42e478ea7eb81a755de206ecbda4 Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Wed Aug 16 12:37:17 2023 +0300 gp: Template changes should invalidate cache If certificate templates are added or removed, the autoenroll extension should react to this and reapply the policy. Previously this wasn't taken into account. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1) commit dfbe7494683974b839b2c8083b7eb45cba0a6829 Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Fri Aug 18 17:16:23 2023 +0300 gp: Test adding new cert templates enforces changes Ensure that cepces-submit reporting additional templates and re-applying will enforce the updated policy. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0) commit 6dba94a3ab0e1e5bebeaaac0a9f9498146414a75 Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Wed Aug 16 12:20:11 2023 +0300 gp: Convert CA certificates to base64 I don't know whether this applies universally, but in our case the contents of `es['cACertificate'][0]` are binary, so cleanly converting to a string fails with the following: 'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte We found a fix to be encoding the certificate to base64 when constructing the CA list. Section 4.4.5.2 of MS-CAESO also suggests that the content of `cACertificate` is binary (OCTET string). Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5) commit 9db01a2c7291493a3f20987e53b1e688123a246a Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Fri Aug 18 17:06:43 2023 +0300 gp: Test with binary content for certificate data This fails all GPO-related tests that call `gpupdate --rsop`. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70) commit 0dd51b02e8f2e44ce8bb41feda9bc83c7214f972 Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Fri Aug 11 18:46:42 2023 +0300 gp: Change root cert extension suffix On Ubuntu, certificates must end in '.crt' in order to be considered by the `update-ca-certificates` helper. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b) commit f9975df8414cab23c486e5e1c299f49879b8b65e Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Thu Aug 17 01:09:28 2023 +0300 gp: Support update-ca-trust helper This is used on RHEL/Fedora instead of update-ca-certificates. They behave similarly so it's enough to change the command name. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268) commit 9ab2eb21141aa23ef5a28b497bf8241db7565788 Author: Gabriel Nagy <gabriel.n...@canonical.com> Date: Thu Aug 17 01:05:54 2023 +0300 gp: Support more global trust directories In addition to the SUSE global trust directory, add support for RHEL and Debian-based distributions (including Ubuntu). To determine the correct directory to use, we iterate over the variants and stop at the first which is a directory. In case none is found, fallback to the first option which will produce a warning as it did previously. Signed-off-by: Gabriel Nagy <gabriel.n...@canonical.com> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: David Mulder <dmul...@samba.org> (cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f) ----------------------------------------------------------------------- Summary of changes: python/samba/gp/gp_cert_auto_enroll_ext.py | 67 ++++++++++++------ python/samba/tests/bin/cepces-submit | 3 +- python/samba/tests/gpo.py | 110 +++++++++++++++++++++++++++-- 3 files changed, 152 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py index 312c8ddf467..08d1a7348cd 100644 --- a/python/samba/gp/gp_cert_auto_enroll_ext.py +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py @@ -45,10 +45,12 @@ cert_wrap = b""" -----BEGIN CERTIFICATE----- %s -----END CERTIFICATE-----""" -global_trust_dir = '/etc/pki/trust/anchors' endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \ '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP' +global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE + '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora + '/usr/local/share/ca-certificates'] # Debian/Ubuntu def octet_string_to_objectGUID(data): """Convert an octet string to an objectGUID.""" @@ -156,7 +158,7 @@ def fetch_certification_authorities(ldb): for es in res: data = { 'name': get_string(es['cn'][0]), 'hostname': get_string(es['dNSHostName'][0]), - 'cACertificate': get_string(es['cACertificate'][0]) + 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0])) } result.append(data) return result @@ -174,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None): return {'msPKI-Minimal-Key-Size': ['2048']} def format_root_cert(cert): - cert = base64.b64encode(cert.encode()) - return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL) + return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL) def find_cepces_submit(): certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', @@ -184,17 +185,19 @@ def find_cepces_submit(): def get_supported_templates(server): cepces_submit = find_cepces_submit() - if os.path.exists(cepces_submit): - env = os.environ - env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' - p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], - env=env, stdout=PIPE, stderr=PIPE) - out, err = p.communicate() - if p.returncode != 0: - data = { 'Error': err.decode() } - log.error('Failed to fetch the list of supported templates.', data) - return out.strip().split() - return [] + if not cepces_submit or not os.path.exists(cepces_submit): + log.error('Failed to find cepces-submit') + return [] + + env = os.environ + env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' + p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], + env=env, stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + if p.returncode != 0: + data = {'Error': err.decode()} + log.error('Failed to fetch the list of supported templates.', data) + return out.strip().split() def getca(ca, url, trust_dir): @@ -239,7 +242,8 @@ def getca(ca, url, trust_dir): certs = load_der_pkcs7_certificates(r.content) for i in range(0, len(certs)): cert = certs[i].public_bytes(Encoding.PEM) - dest = '%s.%d' % (root_cert, i) + filename, extension = root_cert.rsplit('.', 1) + dest = '%s.%d.%s' % (filename, i, extension) with open(dest, 'wb') as w: w.write(cert) root_certs.append(dest) @@ -249,12 +253,29 @@ def getca(ca, url, trust_dir): return root_certs +def find_global_trust_dir(): + """Return the global trust dir using known paths from various Linux distros.""" + for trust_dir in global_trust_dirs: + if os.path.isdir(trust_dir): + return trust_dir + return global_trust_dirs[0] + +def update_ca_command(): + """Return the command to update the CA trust store.""" + return which('update-ca-certificates') or which('update-ca-trust') + +def changed(new_data, old_data): + """Return True if any key present in both dicts has changed.""" + return any((new_data[k] != old_data[k] if k in old_data else False) \ + for k in new_data.keys()) + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): """Install the root certificate chain.""" data = dict({'files': [], 'templates': []}, **ca) url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] root_certs = getca(ca, url, trust_dir) data['files'].extend(root_certs) + global_trust_dir = find_global_trust_dir() for src in root_certs: # Symlink the certs to global trust dir dst = os.path.join(global_trust_dir, os.path.basename(src)) @@ -273,7 +294,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): # already exists. Ignore the FileExistsError. Preserve the # existing symlink in the unapply data. data['files'].append(dst) - update = which('update-ca-certificates') + update = update_ca_command() if update is not None: Popen([update]).wait() # Setup Certificate Auto Enrollment @@ -337,12 +358,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): # If the policy has changed, unapply, then apply new policy old_val = self.cache_get_attribute_value(guid, attribute) old_data = json.loads(old_val) if old_val is not None else {} - if all([(ca[k] == old_data[k] if k in old_data else False) \ - for k in ca.keys()]) or \ - self.cache_get_apply_state() == GPOSTATE.ENFORCE: + templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] + new_data = { 'templates': templates, **ca } + if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: self.unapply(guid, attribute, old_val) - # If policy is already applied, skip application - if old_val is not None and \ + # If policy is already applied and unchanged, skip application + if old_val is not None and not changed(new_data, old_data) and \ self.cache_get_apply_state() != GPOSTATE.ENFORCE: return @@ -396,7 +417,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): # remove any existing policy ca_attrs = \ self.cache_get_all_attribute_values(gpo.name) - self.clean(gpo.name, remove=ca_attrs) + self.clean(gpo.name, remove=list(ca_attrs.keys())) def __read_cep_data(self, guid, ldb, end_point_information, trust_dir, private_dir): diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit index 668682a9f58..de63164692b 100755 --- a/python/samba/tests/bin/cepces-submit +++ b/python/samba/tests/bin/cepces-submit @@ -14,4 +14,5 @@ if __name__ == "__main__": assert opts.auth == 'Kerberos' if 'CERTMONGER_OPERATION' in os.environ and \ os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES': - print('Machine') # Report a Machine template + templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',') + print('\n'.join(templates)) # Report the requested templates diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py index e4b75cc62a4..580f3568de8 100644 --- a/python/samba/tests/gpo.py +++ b/python/samba/tests/gpo.py @@ -281,6 +281,28 @@ b""" </PolFile> """ +auto_enroll_unchecked_reg_pol = \ +b""" +<?xml version="1.0" encoding="utf-8"?> +<PolFile num_entries="3" signature="PReg" version="1"> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key> + <ValueName>AEPolicy</ValueName> + <Value>0</Value> + </Entry> + <Entry type="4" type_name="REG_DWORD"> + <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key> + <ValueName>OfflineExpirationPercent</ValueName> + <Value>10</Value> + </Entry> + <Entry type="1" type_name="REG_SZ"> + <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key> + <ValueName>OfflineExpirationStoreNames</ValueName> + <Value>MY</Value> + </Entry> +</PolFile> +""" + advanced_enroll_reg_pol = \ b""" <?xml version="1.0" encoding="utf-8"?> @@ -6783,14 +6805,14 @@ class GPOTests(tests.TestCase): ldb.add({'dn': certa_dn, 'objectClass': 'certificationAuthority', 'authorityRevocationList': ['XXX'], - 'cACertificate': 'XXX', + 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', 'certificateRevocationList': ['XXX'], }) # Write the dummy pKIEnrollmentService enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) ldb.add({'dn': enroll_dn, 'objectClass': 'pKIEnrollmentService', - 'cACertificate': 'XXXX', + 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', 'certificateTemplates': ['Machine'], 'dNSHostName': hostname, }) @@ -6812,6 +6834,23 @@ class GPOTests(tests.TestCase): self.assertTrue(os.path.exists(machine_crt), 'Machine key was not generated') + # Subsequent apply should react to new certificate templates + os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' + self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') + ext.process_group_policy([], gpos, dname, dname) + self.assertTrue(os.path.exists(ca_crt), + 'Root CA certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation certificate was not requested') + workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation key was not generated') + # Verify RSOP does not fail ext.rsop([g for g in gpos if g.name == guid][0]) @@ -6819,6 +6858,38 @@ class GPOTests(tests.TestCase): ret = rsop(self.lp) self.assertEqual(ret, 0, 'gpupdate --rsop failed!') + # Remove policy by staging pol file with auto-enroll unchecked + parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip())) + ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) + self.assertTrue(ret, 'Could not create the target %s' % reg_pol) + ext.process_group_policy([], gpos, dname, dname) + self.assertFalse(os.path.exists(ca_crt), + 'Root CA certificate was not removed') + self.assertFalse(os.path.exists(machine_crt), + 'Machine certificate was not removed') + self.assertFalse(os.path.exists(machine_crt), + 'Machine key was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation certificate was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation key was not removed') + + # Reapply policy by staging the enabled pol file + parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) + ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) + self.assertTrue(ret, 'Could not create the target %s' % reg_pol) + ext.process_group_policy([], gpos, dname, dname) + self.assertTrue(os.path.exists(ca_crt), + 'Root CA certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation certificate was not requested') + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation key was not generated') + # Remove policy gp_db = store.get_gplog(machine_creds.get_username()) del_gpos = get_deleted_gpos_list(gp_db, []) @@ -6829,11 +6900,17 @@ class GPOTests(tests.TestCase): 'Machine certificate was not removed') self.assertFalse(os.path.exists(machine_crt), 'Machine key was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation certificate was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation key was not removed') out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() self.assertNotIn(b'Machine', out, 'Machine certificate not removed') + self.assertNotIn(b'Workstation', out, + 'Workstation certificate not removed') # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate ldb.delete(certa_dn) @@ -7201,14 +7278,14 @@ class GPOTests(tests.TestCase): ldb.add({'dn': certa_dn, 'objectClass': 'certificationAuthority', 'authorityRevocationList': ['XXX'], - 'cACertificate': 'XXX', + 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', 'certificateRevocationList': ['XXX'], }) # Write the dummy pKIEnrollmentService enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) ldb.add({'dn': enroll_dn, 'objectClass': 'pKIEnrollmentService', - 'cACertificate': 'XXXX', + 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', 'certificateTemplates': ['Machine'], 'dNSHostName': hostname, }) @@ -7233,6 +7310,25 @@ class GPOTests(tests.TestCase): self.assertTrue(os.path.exists(machine_crt), 'Machine key was not generated') + # Subsequent apply should react to new certificate templates + os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' + self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') + ext.process_group_policy([], gpos, dname, dname) + for ca in ca_list: + self.assertTrue(os.path.exists(ca_crt), + 'Root CA certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine certificate was not requested') + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + + workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation certificate was not requested') + workstation_key = os.path.join(dname, '%s.Workstation.key' % ca) + self.assertTrue(os.path.exists(workstation_crt), + 'Workstation key was not generated') + # Verify RSOP does not fail ext.rsop([g for g in gpos if g.name == guid][0]) @@ -7250,12 +7346,18 @@ class GPOTests(tests.TestCase): 'Machine certificate was not removed') self.assertFalse(os.path.exists(machine_crt), 'Machine key was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation certificate was not removed') + self.assertFalse(os.path.exists(workstation_crt), + 'Workstation key was not removed') out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() for ca in ca_list: self.assertNotIn(get_bytes(ca), out, 'CA was not removed') out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() self.assertNotIn(b'Machine', out, 'Machine certificate not removed') + self.assertNotIn(b'Workstation', out, + 'Workstation certificate not removed') # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate ldb.delete(certa_dn) -- Samba Shared Repository