From a8a923033bf764b744496199d8f86ff7a7fe183e Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 17 Oct 2023 14:59:53 -0400 Subject: [PATCH 1/6] ipa-client: correct directory location by using constants instead If something in the client sysrestore.state wasn't removed by the installer a warning message was printed with an incorrect location. Fix this by using constants instead. Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- ipaclient/install/client.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 01a5f2339c8..7e3adee351a 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -3697,9 +3697,12 @@ def uninstall(options): logger.warning( 'Some installation state has not been restored.\n' 'This may cause re-installation to fail.\n' - 'It should be safe to remove /var/lib/ipa-client/sysrestore.state ' + 'It should be safe to remove %s ' 'but it may\n mean your system hasn\'t been restored ' - 'to its pre-installation state.') + 'to its pre-installation state.', + os.path.join(paths.IPA_CLIENT_SYSRESTORE, + sysrestore.SYSRESTORE_STATEFILE) + ) # Remove the IPA configuration file remove_file(paths.IPA_DEFAULT_CONF) From 5270d58a049560458be62e1c6a17bbc8163926d5 Mon Sep 17 00:00:00 2001 
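Review bot: The warning now formats a path recomputed on the spot with `os.path.join(paths.IPA_CLIENT_SYSRESTORE, sysrestore.SYSRESTORE_STATEFILE)`, which duplicates whatever path the state store that was just checked already knows; if the surrounding uninstall code holds a `sysrestore.StateFile`-style object, reading its path attribute would keep the message and the check from drifting apart, but the object is not visible since uninstall's body continues outside the hunk on both sides. Passing the path as a lazy `%s` argument also turns the message into a format template, so any future literal percent sign in this text has to be written as `%%`. Both `os` and `sysrestore` must already be imported at module level in client.py for the new lines to run; the hunk does not show the imports.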
From: "Endi S. Dewata" Date: Thu, 28 Sep 2023 09:45:15 -0500 Subject: [PATCH 2/6] Enable LWCA monitor explicitly Currently LWCA is only supported in IPA since the key replication depends on Custodia, so LWCA is not actually supported in regular PKI installation. However, currently the AuthorityMonitor is enabled by default and it executes a persistent search to monitor LWCA replication so it is wasting resources in non-IPA environment. To reduce unnecessary resource consumption the LWCA monitor will be disabled by default in PKI, so IPA will need to enable it explicitly for new and existing installations. Reviewed-By: Florence Blanc-Renaud --- ipaserver/install/cainstance.py | 24 ++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 11 +++++++++++ 2 files changed, 35 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index cd7b6902447..389b2e18862 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -435,6 +435,8 @@ def configure_instance(self, host_name, dm_password, admin_password, configure_lightweight_ca_acls) self.step("Ensure lightweight CAs container exists", ensure_lightweight_cas_container) + self.step("Enable lightweight CA monitor", + enable_lightweight_ca_monitor) self.step( "Ensuring backward compatibility", self.__dogtag10_migration) @@ -1783,6 +1785,28 @@ def ensure_lightweight_cas_container(): ) +def enable_lightweight_ca_monitor(): + + # Check LWCA monitor + value = directivesetter.get_directive( + paths.CA_CS_CFG_PATH, + 'ca.authorityMonitor.enable', + separator='=') + + if value == 'true': + return False # already enabled; restart not needed + + # Enable LWCA monitor + directivesetter.set_directive( + paths.CA_CS_CFG_PATH, + 'ca.authorityMonitor.enable', + 'true', + quotes=False, + separator='=') + + return True # restart needed + + def minimum_acme_support(data=None): """ ACME with global enable/disable is required. 
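Review bot: `enable_lightweight_ca_monitor` has no docstring even though its boolean return is a protocol shared with the other CA steps (True meaning CS.cfg was changed and the CA needs a restart); I would add `"""Set ca.authorityMonitor.enable=true in CS.cfg. Returns True if the value was changed and a restart is needed, False if it was already enabled."""`. The comparison `value == 'true'` is case-sensitive, so a pre-existing `True` or `TRUE` would be rewritten on every run; harmless, but worth either a comment or a `.lower()` if PKI accepts other spellings, which I cannot tell from the hunk. The first hunk in this file registers the step in `configure_instance` and discards the return value, which is fine only if the installer restarts the CA after this step anyway (outside the hunk).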
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index d208379d01d..f42faea049c 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -482,6 +482,16 @@ def ca_ensure_lightweight_cas_container(ca): return cainstance.ensure_lightweight_cas_container() +def ca_enable_lightweight_ca_monitor(ca): + logger.info('[Enabling LWCA monitor]') + + if not ca.is_configured(): + logger.info('CA is not configured') + return False + + return cainstance.enable_lightweight_ca_monitor() + + def ca_add_default_ocsp_uri(ca): logger.info('[Adding default OCSP URI configuration]') if not ca.is_configured(): @@ -1904,6 +1914,7 @@ def upgrade_configuration(): ca_configure_profiles_acl(ca), ca_configure_lightweight_ca_acls(ca), ca_ensure_lightweight_cas_container(ca), + ca_enable_lightweight_ca_monitor(ca), ca_add_default_ocsp_uri(ca), ca_disable_publish_cert(ca), ]) From 44349cfa76a860314292120b00fe3814a6fed892 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 14 Aug 2023 09:41:03 -0500 Subject: [PATCH 3/6] Remove unused hierarchy.select The hierarchy.select param has been removed in PKI 11.5 so it doesn't need to be updated in renew_ca_cert.in. Signed-off-by: Endi Sukma Dewata Reviewed-By: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- install/restart_scripts/renew_ca_cert.in | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in index d8119738634..7b7b9b30d4d 100644 --- a/install/restart_scripts/renew_ca_cert.in +++ b/install/restart_scripts/renew_ca_cert.in @@ -28,7 +28,6 @@ import shutil import traceback from ipalib.install import certstore -from ipapython import directivesetter from ipapython import ipautil from ipalib import api, errors from ipalib import x509 
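Review bot: `ca_enable_lightweight_ca_monitor` lacks a docstring while taking part in the restart-flag convention of its siblings; `"""Enable the LWCA monitor in CS.cfg; returns True when a CA restart is required."""` would make the bool collected in the second hunk self-explanatory. Its `if not ca.is_configured()` branch logs and returns False exactly like `ca_add_default_ocsp_uri` below it, so the style is consistent with the file. When `cainstance.enable_lightweight_ca_monitor()` returns False because the directive was already set, nothing at all is logged, so an upgrade log gives no evidence the step completed; a `logger.debug('LWCA monitor already enabled')` on that path would help when triaging upgrades. The list in the second hunk presumably feeds a restart decision, but its consumer is outside the hunk.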
@@ -105,23 +104,6 @@ def _main(): "Updating trust on certificate %s failed in %s" % (nickname, db.secdir)) elif nickname == 'caSigningCert cert-pki-ca': - # Update CS.cfg - cfg_path = paths.CA_CS_CFG_PATH - config = directivesetter.get_directive( - cfg_path, 'subsystem.select', '=') - if config == 'New': - syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg") - if cert.is_self_signed(): - directivesetter.set_directive( - cfg_path, 'hierarchy.select', 'Root', - quotes=False, separator='=') - else: - directivesetter.set_directive( - cfg_path, 'hierarchy.select', 'Subordinate', - quotes=False, separator='=') - else: - syslog.syslog(syslog.LOG_NOTICE, "Not updating CS.cfg") - # Remove old external CA certificates for ca_nick, ca_flags in db.list_certs(): if ca_flags.has_key: From 1202d0149bbf82c2183896c86764d818e8b2f02c Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 14 Aug 2023 10:05:14 -0500 Subject: [PATCH 4/6] Replace subsystem.select with CAInstance.is_crlgen_enabled() The subsystem.select is not a reliable indicator to determine whether the CA is a renewal master since there is no process in PKI to update the param when the role of the instance changes (from master to clone and vice versa) so the param has been removed in PKI 11.5. Instead, it's better to use CAInstance.is_crlgen_enabled() since CRL generation is only enabled in a renewal master. Signed-off-by: Endi Sukma Dewata Reviewed-By: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- ipaserver/install/plugins/ca_renewal_master.py | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 7267b5613d7..fcbfb854853 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py 
@@ -28,7 +28,6 @@ from ipalib.plugable import Registry from ipaplatform.paths import paths from ipapython.dn import DN -from ipapython import directivesetter logger = logging.getLogger(__name__) @@ -108,18 +107,9 @@ def execute(self, **options): else: logger.debug("certmonger request for RA cert not found") - config = directivesetter.get_directive( - paths.CA_CS_CFG_PATH, 'subsystem.select', '=') - - if config == 'New': - pass - elif config == 'Clone': + if not ca.is_crlgen_enabled(): + # CA is not a renewal master return False, [] - else: - logger.warning( - "CS.cfg has unknown subsystem.select value '%s', " - "assuming local CA is not a renewal master", config) - return (False, False, []) update = { 'dn': dn, From 9d49f403c2f23e13991d1cd5f109f4f0e056d96f Mon Sep 17 00:00:00 2001 From: Sudhir Menon Date: Tue, 10 Oct 2023 15:22:27 +0530 Subject: [PATCH 5/6] ipatests: Skip the test failing due to FIPS policy 1. test_certmonger_reads_token_HSM test in test_installaton.py is failing in FIPS/STIG mode with the below error. SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key in STIG mode 2. Adding the posfix config change, because there was a crash seen in smtpd in FIPS mode. ie. postconf -e smtpd_tls_fingerprint_digest=sha256 KCS: https://access.redhat.com/solutions/6958957 Signed-off-by: Sudhir Menon Reviewed-By: Florence Blanc-Renaud --- ipatests/test_integration/test_epn.py | 4 +++- ipatests/test_integration/test_installation.py | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py index 8ea79cefbdd..b391e32219b 100644 --- a/ipatests/test_integration/test_epn.py +++ b/ipatests/test_integration/test_epn.py 
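Review bot: The new early return drops the diagnostic the removed `else` branch used to emit, so when a replica skips the update there is no longer any trace in the log of why; `logger.debug("CRL generation is disabled, assuming local CA is not a renewal master")` before `return False, []` would keep that visible. The inline comment states the conclusion but not the assumption behind it; I would write `# CRL generation is enabled only on the renewal master, so use it as the indicator`, which is the rationale given in the commit message. As a side effect the change also removes the inconsistent three-tuple `(False, False, [])` the old unknown-value branch returned. `ca` must be bound earlier in `execute`, which continues outside the hunk on both sides.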
@@ -180,7 +180,6 @@ def configure_starttls(host): postconf(host, 'smtpd_tls_session_cache_timeout = 3600s') # announce STARTTLS support to remote SMTP clients, not require postconf(host, 'smtpd_tls_security_level = may') - host.run_command(["systemctl", "restart", "postfix"]) @@ -208,6 +207,9 @@ def configure_ssl_client_cert(host): # CA certificates of root CAs trusted to sign remote SMTP client cert postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}") + if host.is_fips_mode: + postconf(host, 'smtpd_tls_fingerprint_digest = sha256') + host.run_command(["systemctl", "restart", "postfix"]) diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 68a442a9cd7..bf4163abc0f 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py @@ -35,6 +35,7 @@ from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup from ipatests.test_integration.test_cert import get_certmonger_fs_id +from ipatests.pytest_ipa.integration import skip_if_fips from ipaplatform import services @@ -298,6 +299,7 @@ def test_replica_ca_install_with_skip_schema_check(self): tasks.install_replica(self.master, self.replicas[1], setup_ca=False) tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"]) + @skip_if_fips() def test_certmonger_reads_token_HSM(self): """Test if certmonger reads the token in HSM From d50624dce932d02ea03a00d3ac2ec1be69e8d3b6 Mon Sep 17 00:00:00 2001 
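Review bot: The `postfix` restart is removed from `configure_starttls` and now survives only at the end of `configure_ssl_client_cert`, so the STARTTLS settings take effect only if the second helper is always called after the first; if `configure_starttls` is ever used on its own (its call sites are outside the hunk), its changes would sit unapplied until something else restarts the service. The FIPS branch deserves a why-comment, e.g. `# postfix's default fingerprint digest is not usable under FIPS and crashed smtpd; pin a FIPS-approved one`, since the bare `postconf` line does not convey the reason recorded in the commit message. `host.is_fips_mode` is read as an attribute here; I cannot confirm from the hunk whether it is a property or a method on the host object.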
From: Florence Blanc-Renaud Date: Thu, 19 Oct 2023 12:47:03 +0200 Subject: [PATCH 6/6] group-add-member fails with an external member The command ipa group-add-member --external aduser@addomain.test fails with an internal error when used with samba 4.19. The command internally calls samba.security.dom_sid(sid) which used to raise a TypeError but now raises a ValueError (commit 9abdd67 on https://github.com/samba-team/samba). IPA source code needs to handle properly both exception types. Fixes: https://pagure.io/freeipa/issue/9466 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Rob Crittenden --- ipaserver/dcerpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 741f0608f93..7e585c87639 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -303,7 +303,7 @@ def get_domain_by_sid(self, sid, exact_match=False): # Parse sid string to see if it is really in a SID format try: test_sid = security.dom_sid(sid) - except TypeError: + except (TypeError, ValueError): raise errors.ValidationError(name='sid', error=_('SID is not valid'))
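Review bot: The widened `except (TypeError, ValueError):` carries no hint of why two unrelated exception types are caught, and the reason lives only in the commit message; a short comment keeps the next maintainer from "simplifying" it back: `# samba < 4.19 raises TypeError for a malformed SID, 4.19+ raises ValueError`. Both are mapped to the same ValidationError, so callers see no behaviour change beyond the internal error going away. The `try` body covers only `security.dom_sid(sid)`, so the broader catch cannot mask an unrelated ValueError from other code. `get_domain_by_sid` continues outside the hunk.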