[Freeipa-devel] [PATCH] Password vault

Jan Cholasta jcholast at redhat.com
Fri Jun 5 12:13:20 UTC 2015 

Dne 3.6.2015 v 14:17 Jan Cholasta napsal(a):
> Dne 2.6.2015 v 02:00 Endi Sukma Dewata napsal(a):
>> Please take a look at the updated patch.
>>
>> On 5/27/2015 12:39 AM, Jan Cholasta wrote:
>>>>>>>>> 21) vault_archive is not a retrieve operation, it should be
>>>>>>>>> based on
>>>>>>>>> LDAPUpdate instead of LDAPRetrieve. Or Command actually, since it
>>>>>>>>> does
>>>>>>>>> not do anything with LDAP. The same applies to vault_retrieve.
>>>>>>>>
>>>>>>>> The vault_archive does not actually modify the LDAP entry
>>>>>>>> because it
>>>>>>>> stores the data in KRA. It is actually an LDAPRetrieve operation
>>>>>>>> because
>>>>>>>> it needs to get the vault info before it can perform the archival
>>>>>>>> operation. Same thing with vault_retrieve.
>>>>>>>
>>>>>>> It is not a LDAPRetrieve operation, because it has different
>>>>>>> semantics.
>>>>>>> Please use Command as base class and either use ldap2 for direct
>>>>>>> LDAP or
>>>>>>> call vault_show instead of hacking around LDAPRetrieve.
>>>>>>
>>>>>> It's been changed to inherit from LDAPQuery instead.
>>>>>
>>>>> NACK, it's not a LDAPQuery operation, because it has different
>>>>> semantics. There is more to a command than executing code, so you
>>>>> should
>>>>> use a correct base class.
>>>>
>>>> Changed to inherit from Command as requested. Now these commands no
>>>> longer have a direct access to the vault object (self.obj) although
>>>> they
>>>> are accessing vault objects like other vault commands. Also now the
>>>> vault name argument has to be added explicitly on each command.
>>>
>>> You can inherit from crud.Retrieve and crud.Update to get self.obj and
>>> the argument back.
>>
>> I tried this:
>>
>>    class vault_retrieve(Command, crud.Retrieve):
>>
>> and it gave me an error:
>>
>>    TypeError: Error when calling the metaclass bases
>>        Cannot create a consistent method resolution
>>    order (MRO) for bases Retrieve, Command
>>
>> I'm sticking with the original code since it works fine although not
>> ideal. I'm not a Python expert, so if you know how to fix this properly
>> please feel free to post a patch on top of this.
>
> The class hierarchy is as follows:
>
>     frontend.Command
>         frontend.Method
>             crud.PKQuery
>                 crud.Retrieve
>                 cdur.Update
>
> So removing Command from the list of base classes should fix it.
>
>>
>>> If KRA is not installed, vault-archive and vault-retrieve fail with
>>> internal error.
>>
>> Added a code to check KRA installation in all vault commands. If you
>> know a way not to load the vault plugin if the KRA is not installed
>> please let me know, that's probably even better. Not sure how that will
>> work on the client side though.
>
> I see this has been already resolved in the other thread.
>
>>
>>> The commands still behave differently based on whether they were called
>>> from API which was initialized with in_server set to True or False.
>>
>> That is unfortunately a restriction imposed by the framework. In order
>> to guarantee the security, the vault is designed to have separate client
>> and server code. The client code encrypts the secret, the server code
>> forwards the encrypted secret to KRA. To archive a secret into a vault
>> properly, you are supposed to call the client code. If you're calling
>> the server code directly, you are responsible to do your own encryption
>> (i.e. generating session key, nonce, and vault data).
>
> I understand why the code has to be separated, what I don't understand
> is why it is in fact *not* separated and crammed into a single command,
> making weird and undefined behavior possible.
>
>>
>> If another plugin wants to use vault, it should implement a client code
>> which calls the vault client code to perform the archival from the
>> client side.
>>
>> What is the use case for calling the vault API from the server side
>> anyway? Wouldn't that defeat the purpose of having a vault? If a secret
>> exists on the server side in an unencrypted form doesn't it mean the
>> secret may already have been compromised?
>
> Server API is used not only by the server itself, but also by installers
> for example. Anyway the point is that there *can't* be a broken API like
> this, you should at least raise an error if the command is called from
> server API, although actually separating it into client and server parts
> would be preferable.
>
>>
>>> There is no point in exposing the session_key, nonce and vault_data
>>> options in CLI when their value is always overwritten in forward().
>>
>> I agree there is no need to expose them in CLI, but in this framework
>> the API also defines the CLI. If there's a way to keep them in the
>> server API but not expose them in the CLI please let me know. Or, if
>> there's a way to define completely separate server API (without a
>> matching client CLI) and client CLI (without a matching server API) that
>> will work too.
>
> As I suggested above, you can split the commands into separate client
> and server commands. The client command should inherit from
> frontend.Local so that it is always executed locally and the server
> command should have a "NO_CLI = True" attribute so that it is not
> available in the CLI.
>
>>
>>> Will this always succeed?
>>>
>>> +        # deactivate vault record in KRA
>>> +        response = kra_client.keys.list_keys(
>>> +            client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE)
>>
>> Yes. If there's no active keys it will return an empty collection.
>>
>>> +        for key_info in response.key_infos:
>>> +            kra_client.keys.modify_key_status(
>>> +                key_info.get_key_id(),
>>> +                pki.key.KeyClient.KEY_STATUS_INACTIVE)
>>
>> This loop will do nothing given an empty collection.
>>
>>> If not, we might get into an inconsistent state, where the vault is
>>> deleted in LDAP but still active in KRA. (I'm not sure if this is
>>> actually a problem or not.)
>>
>> That can only happen if the server crashes after deleting the vault but
>> before deactivating the key. Regardless, it will not be a problem
>> because the key is identified by vault ID/path so it will not conflict
>> with other vaults, and it will get overwritten if the same vault is
>> recreated again.
>
> OK.
>

Attached is a patch including the requested changes.

I have also changed vault_config to vaultconfig_show, for consistency 
with {,dns}config_show (it also makes the transport certificate 
retrieval code in vault_{archive,retrieve} simpler).

I have noticed that triple-length DES is used for the session key. 
Wouldn't AES be better?

         # generate session key
         mechanism = nss.CKM_DES3_CBC_PAD

BTW, ipa-kra-install is broken with pki-core-10.2.4-1, but it works with 
pki-core-10.2.1-3.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-vault-archive-and-vault-retrieve-commands.patch
Type: text/x-patch
Size: 26262 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150605/c1ab1853/attachment.bin>

More information about the Freeipa-devel mailing list