From 0be98884991ff14720dfce428e4f23ebc4a42311 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sep 12 2019 14:17:53 +0000
Subject: adtrust: add default read_keys permission for TDO objects


If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index f5f428d..8eb1977 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -13,6 +13,7 @@ plugin: update_default_trust_view
 plugin: update_tdo_gidnumber
 plugin: update_tdo_to_new_layout
 plugin: update_host_cifs_keytabs
+plugin: update_tdo_default_read_keys_permissions
 plugin: update_ca_renewal_master
 plugin: update_idrange_type
 plugin: update_pacs
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 7e6b5c3..386fe53 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -821,3 +821,59 @@ class update_host_cifs_keytabs(Updater):
                 self.copy_key(paths.SAMBA_KEYTAB, hostkey)
 
         return False, []
+
+
+@register()
+class update_tdo_default_read_keys_permissions(Updater):
+    trust_filter = \
+        "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))"
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        # First, see if trusts are enabled on the server
+        if not self.api.Command.adtrust_is_enabled()['result']:
+            logger.debug('AD Trusts are not enabled on this server')
+            return False, []
+
+        result = self.api.Command.trustconfig_show()['result']
+        our_nbt_name = result.get('ipantflatname', [None])[0]
+        if not our_nbt_name:
+            return False, []
+
+        trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
+        trust_filter = self.trust_filter.format(nbt=our_nbt_name)
+
+        # We might be in a situation when no trusts exist yet
+        # In such case there is nothing to upgrade but we have to catch
+        # an exception or it will abort the whole upgrade process
+        try:
+            tdos = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_SUBTREE,
+                filter=trust_filter,
+                attrs_list=['*'])
+        except errors.EmptyResult:
+            tdos = []
+
+        for tdo in tdos:
+            updates = dict()
+            oc = tdo.get('objectClass', [])
+            if 'ipaAllowedOperations' not in oc:
+                updates['objectClass'] = oc + ['ipaAllowedOperations']
+
+            read_keys = tdo.get('ipaAllowedToPerform;read_keys', [])
+            if not read_keys:
+                read_keys_values = list(map(
+                    lambda x: x.format(basedn=self.api.env.basedn),
+                    trust_read_keys_template))
+                updates['ipaAllowedToPerform;read_keys'] = read_keys_values
+
+            tdo.update(updates)
+            try:
+                ldap.update_entry(tdo)
+            except errors.EmptyModlist:
+                logger.debug("No update was required for TDO %s",
+                             tdo.single_value.get('krbCanonicalName'))
+
+        return False, []