From e386e22046fec4de062116245a3cd9e79c457499 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: May 22 2024 08:03:38 +0000
Subject: cert: use context.principal only when it is defined

In server-like context we use LDAPI connection with auto-binding to LDAP object based on the UID of the process connecting to LDAPI UNIX domain socket. This means context.principal is not set and we cannot use it.

When processing certificate issuance requests a care has to be done to match operations done as LDAP auto-bind to actual principals for validation. This is a tough one as we have no principal to match for cn=Directory Manager. Use fake principal to fail validation here and rely on LDAP ACIs instead.

Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy
Reviewed-By: Thomas Woerner
Reviewed-By: Rob Crittenden
Reviewed-By: Rafael Guterres Jeffman
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index d52cdc1..007357b 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -321,7 +321,10 @@ def bind_principal_can_manage_cert(cert):
 A python-cryptography ``Certificate`` object.
 """
- bind_principal = kerberos.Principal(getattr(context, 'principal'))
+ op_account = getattr(context, 'principal', None)
+ if op_account is None:
+ return False
+ bind_principal = kerberos.Principal(op_account)
 if not bind_principal.is_host:
 return False
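Review bot: The new early `return False` after `if op_account is None:` makes the LDAPI auto-bind case fail closed, but the docstring immediately above it (only its last lines are visible in the hunk) still describes the check purely in terms of the bound host principal, so a caller cannot distinguish a "no Kerberos principal in the request context" False from a "host principal lacks rights" False. I would extend the docstring with a return note such as `Returns False when no Kerberos principal is bound to the request context (e.g. LDAPI auto-bind); authorization then rests on the LDAP ACIs rather than on this check.` What the remaining checks decide is inferred only from the visible `is_host` test, since the function body continues past the end of the hunk.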
@@ -691,7 +694,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 principal_string = unicode(principal)
 principal_type = principal_to_principal_type(principal)
- bind_principal = kerberos.Principal(getattr(context, 'principal'))
+ op_account = getattr(context, 'principal', None)
+ if op_account is None:
+ # Can the bound principal request certs for another principal?
+ # the virtual operation check will rely on LDAP ACIs, no need
+ # for the Kerberos principal here.
+ # Force the principal that cannot be matched in normal deployments
+ op_account = '@'
+
+ bind_principal = kerberos.Principal(op_account)
 bind_principal_string = unicode(bind_principal)
 bind_principal_type = principal_to_principal_type(bind_principal)
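Review bot: The sentinel on the new `op_account = '@'` line is still parsed into a real `kerberos.Principal`, and its string form and type flow into `bind_principal_string` and `bind_principal_type`, which the rest of `execute` (outside this hunk) presumably compares against the caller-supplied `principal_string`; the "cannot be matched" guarantee therefore rests on the `principal` parameter never accepting or normalizing to the same empty-name/empty-realm form, and nothing in the hunk enforces that. A more explicitly fail-closed shape keeps the missing-principal case as a flag rather than a look-alike principal, e.g. `bind_principal = kerberos.Principal(op_account) if op_account is not None else None`, with the downstream self-service comparisons guarded by `bind_principal is not None`. At minimum the comment block should name the invariant being relied on, e.g. `# '@' parses to an empty name/realm that the 'principal' parameter validation must never admit; authorization for this path falls through to LDAP ACIs`. How `kerberos.Principal('@')` actually parses is inferred rather than visible here, and the enclosing method both starts and ends outside the hunk.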