#6146 caacl: error when instantiating rules with service principals
Closed: Fixed None Opened 2 years ago by ftweedal.

Due to a regression in the Principal refactor, when a CA ACL includes individual
service principals a TypeError is thrown: a kerberos.Principal object is received
where a string is expected.

Traceback: http://pastebin.test.redhat.com/396397
Steps to reproduce: http://pastebin.test.redhat.com/396446
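As an added example (not FreeIPA's or pyhbac's code), the Python below models the failure described above: CA ACL members are handed to an HBAC-style rule, and a Principal object where the rule engine wants a string makes evaluation fail, while coercing members to strings at the boundary lets the rule evaluate. The classes and functions (Principal, HbacRule, make_rule, check), the dict shape of the ACL, and the mapping of principal, CA and profile onto HBAC user, target host and service are assumptions made here.

```python
class Principal:
    """Stand-in for kerberos.Principal: a structured object, not a str."""
    def __init__(self, name, realm):
        self.name, self.realm = name, realm

    def __str__(self):
        return f"{self.name}@{self.realm}"

ALL = object()  # wildcard category, like pyhbac.HBAC_CATEGORY_ALL

class HbacRule:
    """Minimal HBAC-style rule: each element is ALL or a list of member names."""
    def __init__(self, users, targethosts, services):
        self.users, self.targethosts, self.services = users, targethosts, services

    def evaluate(self, user, targethost, service):
        """ALLOW when every element is ALL or contains the request value.
        As in pyhbac, member names must be text; anything else fails evaluation."""
        for allowed, value in ((self.users, user), (self.targethosts, targethost),
                               (self.services, service)):
            if allowed is ALL:
                continue
            if not all(isinstance(n, str) for n in allowed):
                raise TypeError("names must be a string")
            if value not in allowed:
                return "DENY"
        return "ALLOW"

def make_rule(acl, stringify_members):
    """Instantiate a rule from a CA ACL (hypothetical dict shape): the requesting
    principal is the HBAC "user", the CA the "target host", the profile the "service".
    stringify_members=False passes service members through as Principal objects,
    reproducing the ticket's TypeError; True coerces them to str at the boundary."""
    members = acl.get("services", [])
    if stringify_members:
        members = [str(p) for p in members]
    return HbacRule(users=members, targethosts=acl.get("cas", ALL),
                    services=acl.get("profiles", ALL))

def check(acl, principal, ca, profile_id, fixed=True):
    """True when the ACL lets principal request a cert from ca with profile_id."""
    rule = make_rule(acl, stringify_members=fixed)
    return rule.evaluate(str(principal), ca, profile_id) == "ALLOW"

# Constructed sample ACL modelled on the ticket's reproducer (not real LDAP output).
TEST_CAACL = {"cn": "test_caacl", "profiles": ["caIPAtest"],
              "services": [Principal("svc/master1.ipa.test", "IPA.TEST"),
                           Principal("svc/master2.ipa.test", "IPA.TEST")]}
```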


Making steps to reproduce public:

[root@master1 ~]# ipa certprofile-import caIPAtest --file=caIPAtest.txt --desc="Test profile"

[root@master1 ~]# ipa host-add master2.ipa.test --force

[root@master1 ~]# ipa service-add svc/`hostname`

[root@master1 ~]# ipa service-add svc/master1.ipa.test

[root@master1 ~]# ipa service-add-host svc/master1.ipa.test --hosts master2.ipa.test

[root@master1 ~]# ipa-getkeytab -p host/master2.ipa.test@IPA.TEST -k /root/master2.keytab

[root@master1 ~]# ipa caacl-add test_caacl --desc "test caacl"

[root@master1 ~]# ipa caacl-add-host test_caacl --hosts master2.ipa.test

[root@master1 ~]# ipa caacl-add-services test_caacl --services svc/master2.ipa.test --services svc/master1.ipa.test

[root@master1 ~]# cat master2-san.cnf
[req]
req_extensions = v3_req
distinguished_name =req_distinguished_name

[req_distinguished_name]
commonName = master2.ipa.test

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = master2.ipa.test
DNS.2 = master1.ipa.test

[root@master1 ~]# kinit -kt /root/master2.keytab host/master2.ipa.test

[root@master1 ~]# ipa cert-request master2_ipa_test.csr --principal 'srv/master2.ipa.test@IPA.TEST' --profile-id caIPAtest
ipa: ERROR: an internal error has occurred

[root@master1 ~]# vim /var/log/httpd/error_log
[Wed Jul 27 08:54:34.782146 2016] [wsgi:error] [pid 23715] ipa: INFO: [jsonserver_kerb] admin@IPA.TEST: service_find/1(None, version=u'2.211'): SUCCESS
[Wed Jul 27 10:19:56.445714 2016] [wsgi:error] [pid 23716] ipa: INFO: [jsonserver_kerb] host/master2.ipa.test@IPA.TEST: schema(known_fingerprints=(u'6ce3ecd5',), version=u'2.170'): SchemaUpToDate
[Wed Jul 27 10:19:57.044888 2016] [wsgi:error] [pid 23715] ipa: ERROR: non-public: TypeError: names must be a string
[Wed Jul 27 10:19:57.044909 2016] [wsgi:error] [pid 23715] Traceback (most recent call last):
[Wed Jul 27 10:19:57.044912 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 352, in wsgi_execute
[Wed Jul 27 10:19:57.044913 2016] [wsgi:error] [pid 23715]     result = self.Command[name](*args, **options)
[Wed Jul 27 10:19:57.044915 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Jul 27 10:19:57.044916 2016] [wsgi:error] [pid 23715]     return self.__do_call(*args, **options)
[Wed Jul 27 10:19:57.044917 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Jul 27 10:19:57.044919 2016] [wsgi:error] [pid 23715]     ret = self.run(*args, **options)
[Wed Jul 27 10:19:57.044920 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Jul 27 10:19:57.044921 2016] [wsgi:error] [pid 23715]     return self.execute(*args, **options)
[Wed Jul 27 10:19:57.044923 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 456, in execute
[Wed Jul 27 10:19:57.044924 2016] [wsgi:error] [pid 23715]     caacl_check(principal_type, principal, ca, profile_id)
[Wed Jul 27 10:19:57.044925 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 227, in caacl_check
[Wed Jul 27 10:19:57.044927 2016] [wsgi:error] [pid 23715]     principal, ca, profile_id):
[Wed Jul 27 10:19:57.044928 2016] [wsgi:error] [pid 23715]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/caacl.py", line 153, in acl_evaluate
[Wed Jul 27 10:19:57.044929 2016] [wsgi:error] [pid 23715]     return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW
[Wed Jul 27 10:19:57.044931 2016] [wsgi:error] [pid 23715] TypeError: names must be a string
[Wed Jul 27 10:19:57.045097 2016] [wsgi:error] [pid 23715] ipa: INFO: [jsonserver_session] host/master2.ipa.test@IPA.TEST: cert_request/1(u'-----BEGIN CERTIFICATE REQUEST-----\\nMIIEuDCCAqACAQAwGzEZMBcGA1UEAwwQbWFzdGVyMi5pcGEudGVzdDCCAiIwDQYJ\\nKoZIhvcNAQEBBQADggIPADCCAgoCggIBANlVwAkop4nztaOPLgEDUv+rd01A6/l6\\nfD4OV9OXfJ4A55GeazS+VnlwaMNDnTP2x2a/2SKpRhn9EGghSkqfmXFMXirtW9e3\\nmvXxVaH06FCewNQVW0PgomhH1w6cJYtISOvsCTOFMCShFqeRYTXZTj5Uc+RIM1FD\\nyrKwVwRynHWSaoq7PJ1pNqcfNUUZu+wMjssyTQNQItlYMkVKZRZKdiGZZkW3ZgiI\\nSLZNwyzf27cXp3ZIaoVmlb6qSVgs6kYVV2gqBbprub78L+2EFEtos9uO+3SRYg8r\\nGLSP/tL96u/Q6mnk0nSorSpRKkZCK12W25r6O1F+/mcVKUa+uGFe+Bq8EdggTakw\\nPVPvSF0VHSCKG7gMGEQd8S+HFb0B195+WGF1bwwB/NEh1/S41Vd1Z4R+V4/bvxnc\\n78axeMTlTf/zCmImuYQia+nQDMlaFfsyrNqtzjI6KbgQo8xF00tgL3q88HD/lmkq\\nnNlMxG8LeVHefDG3VTaAFZ1imgj0lA/mClxgE2TnNxuNG0vbGZ8iEyOkd+hNXKTk\\ngvEM7l+2wZBMu4zvCmbFv/2g469s2FvzMHU3fF8ccx41RACzGUEqVghSzM9muSd5\\nUY6m3QlHzM+7GJ2NT/nWGnCXhcKPYhyhTYvn2ygbrb3hMp0offWt0tfF17MzJQCX\\nIv0plr78RLqPAgMBAAGgWDBWBgkqhkiG9w0BCQ4xSTBHMAkGA1UdEwQCMAAwCwYD\\nVR0PBAQDAgXgMC0GA1UdEQQmMCSCEG1hc3RlcjIuaXBhLnRlc3SCEG1hc3RlcjEu\\naXBhLnRlc3QwDQYJKoZIhvcNAQELBQADggIBALJlc2zLGFfZ78N+XK4rUvlmKsz9\\naaupJ9j2s1Ty0bjSLHFHYRyhOhlRD+H2DRX3f3YpKI3VaZ7PuKrS8D2G/PVjPPMS\\nhz8IVF6+ngIFivvnweQff2m+Du3B1RsU4F2o/b4KW3rJxahBdqy0O3ogamYjJswZ\\nopUnT8SiTX2GumS9By/H4lehU1o8WAJI3PI1hWoer/q1dJI5QZr85c1bdoD1CyAF\\nFH/clVECqZkXuFLBsbJ4B4z5XAZHjan0Cpn8B6aA4X/8LnjCVdXsEnHdY3hdWiqA\\n2AVZnNTGVtDUqgG1LDJwpJ7DngCzR1Bh1qNtUbz5WlbJ+FtNbSTU4TDZnUO2eyEU\\nqFKzeMDXCNIpPqorp93D4DIxrL2HBjY/vFkrAmFxlKdMt1t5a61oH5I1Pmh3MDko\\ncGwAKGYyoj829jAVMMMcrrTHIulLDjEoEL5sl2UGysQj6nk527LJg0sf7+/CYy7f\\nzGZz3x3HzRdinW4khVv3RIq8LR5POELjjSgjjxAAZmTVBFqUfVtVr9WN0S8nFRFg\\nSG3yGIDF0Zk3Ntg0siRY6EtpDCHX5ye6qWFCmsVYgO0FzNkOje0oUwUnQBJhQ5Dq\\nGLhv7DlcqHZrYGZo3DuKCpekWUInidZKQcVsGo1StJq77c82A7vf9mdnSDRoRUkv\\ntMpT/myL5yPceHvZ\\n-----END CERTIFICATE REQUEST-----\\n', profile_id=u'caIPAtest', principal=u'srv/master2.ipa.test@IPA.TEST', version=u'2.211'): 
TypeError

There are a few missing steps in the reproducer; this may help:

$ ipa service-add svc/master2.ipa.test
$ openssl req -config master2-san.cnf -new -out master2_ipa_test.csr

master:

  • 9dac0a1 caacl: fix regression in rule instantiation

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4.1

2 years ago

