[Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

Fraser Tweedale ftweedal at redhat.com
Fri Apr 8 14:23:39 UTC 2016


Hi all,

The attached patch (first of many for the long-awaited sub-CAs feature)
makes it possible to use CustodiaClient without root privileges, as
an arbitrary principal.

Cheers,
Fraser
-------------- next part --------------
From 8e6cab0e47dd4e3152d8bbd84c8675353aa2cb4a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 8 Apr 2016 15:21:19 +1000
Subject: [PATCH] Allow CustodiaClient to be used by arbitrary principals

Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to allow specifying the keytab and Custodia
keyfile to use.  Avoid hard-coding the GSS-API name; use the name
read from the keytab during credential acquisition.  Also add an ACI
to allow authenticated users to read and search for Custodia server
public keys.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 install/updates/20-aci.update |  3 +++
 ipapython/secrets/client.py   | 17 +++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 4802ae0458e8b870bf3127764ebabac1a48f7cf2..16e3b7ab9d6cdcc1de0490f42447a17f8b769524 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -136,3 +136,6 @@ add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5R
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+
+# Anyone can search Custodia public keys
+add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Anyone can search Custodia public keys"; allow(read, search, compare) userdn = "ldap:///all";)
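Review bot: the ACI name and its comment say "Anyone", but the subject `userdn = "ldap:///all"` matches authenticated binds only (anonymous access would be `ldap:///anyone`), and the commit message itself says "authenticated users"; rename the ACI to something like "Authenticated users can read Custodia public keys" so the policy reads as intended. It is also worth stating in the commit message that `memberPrincipal`, the principal bound to each key, becomes readable by every authenticated user alongside `ipaPublicKey` and `ipaKeyUsage`, since that is more than the "public keys" wording suggests.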
diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 5b671988ddc66eedd9ae1cd4ddec0e1308bc5a93..33172e58095fcfd2469c0ea5ea597fd1a01c2907 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -41,16 +41,19 @@ class CustodiaClient(object):
 
         return iSecStore(config)
 
-    def __init__(self, client, server, realm, ldap_uri=None, auth_type=None):
+    def __init__(self, client, server, realm, ldap_uri=None, auth_type=None,
+            keyfile=None, keytab=None):
         self.client = client
-        self.creds = None
+        self.keytab = keytab or paths.KRB5_KEYTAB
+        self.creds = self.init_creds()
 
         self.service_name = gssapi.Name('HTTP@%s' % (server,),
                                         gssapi.NameType.hostbased_service)
         self.server = server
 
-        keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
-        self.ikk = IPAKEMKeys({'server_keys': keyfile})
+        if keyfile is None:
+            keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
+        self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
 
         self.kemcli = KEMClient(self._server_keys(server, realm),
                                 self._client_keys())
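Review bot: `self.creds = self.init_creds()` acquires GSSAPI credentials in the constructor, whereas the removed `self.creds = None` deferred acquisition until `_auth_header` needed them, so a missing or unreadable keytab now raises from `CustodiaClient(...)` rather than from the first request; either note this behaviour change in the commit message or keep the lazy path and only record `self.keytab` here. Minor style point: the continuation line `keyfile=None, keytab=None):` is indented to the same level as the method body; align it with the opening parenthesis, as the `gssapi.Name(...)` call below does, so the signature is visually distinct from the first statement.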
@@ -61,11 +64,9 @@ class CustodiaClient(object):
         requests.packages.urllib3.disable_warnings()
 
     def init_creds(self):
-        name = gssapi.Name('host@%s' % (self.client,),
-                           gssapi.NameType.hostbased_service)
-        store = {'client_keytab': paths.KRB5_KEYTAB,
+        store = {'client_keytab': self.keytab,
                  'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
-        return gssapi.Credentials(name=name, store=store, usage='initiate')
+        return gssapi.Credentials(store=store, usage='initiate')
 
     def _auth_header(self):
         if not self.creds or self.creds.lifetime < 300:
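Review bot: with `name=` dropped from `gssapi.Credentials(store=store, usage='initiate')`, the identity acquired is whatever libkrb5 selects from `self.keytab`, and `self.client`, which `__init__` still stores, no longer influences it; for a keytab holding several principals, as a host keytab can, the outcome depends on entry order rather than on the caller's intent. Suggest accepting an optional principal name alongside `keytab` and passing it as `name=` when given, or at least documenting in `__init__` which principal a multi-entry keytab yields, so that the `lifetime < 300` refresh in `_auth_header` re-acquires the same identity the caller expects.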
-- 
2.5.5
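Because the patch stops naming the principal and lets the keytab decide, it helps to see exactly what a keytab contains before handing it to CustodiaClient. The following is an added example, not FreeIPA code and not part of the patch: it builds a constructed MIT v2 keytab in memory (a host entry, a deleted slot, and a service entry, with dummy keys) and parses it back, listing the live principals and the one a caller would get by default. It assumes, as MIT krb5 does, that the default initiator is the first live entry; the principal names, realm and keys are invented sample data.

```python
"""Added example (not FreeIPA code): parse an MIT-format keytab to see which
principals it holds and which one libkrb5 would use as the default initiator.
The patch drops the hard-coded host name from gssapi.Credentials(), so the
keytab's contents decide the identity; this shows what that decision sees."""
import struct

# --- building a constructed sample keytab (MIT v2 on-disk layout) ---

def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_entry(principal, realm, enctype, key, kvno, deleted=False):
    """One keytab entry; principal is 'service/host', realm is 'REALM'."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                       # 32-bit kvno extension
    size = -len(body) if deleted else len(body)           # negative size = deleted slot
    return struct.pack(">i", size) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

# Constructed sample (invented names, dummy keys); enctype 18 is aes256-cts-hmac-sha1-96.
SAMPLE_KEYTAB = build_keytab([
    build_entry("host/ipa.example.test", "EXAMPLE.TEST", 18, b"\x11" * 32, 2),
    build_entry("ldap/ipa.example.test", "EXAMPLE.TEST", 18, b"\x22" * 32, 1, deleted=True),
    build_entry("dogtag/ipa.example.test", "EXAMPLE.TEST", 18, b"\x33" * 32, 3),
])

# --- parsing ---

def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n

def parse_keytab(data):
    """Return the live entries as dicts; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                      # deleted slot: skip abs(size) bytes
            off += -size
            continue
        buf, pos = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", buf, pos); pos += 2
        realm, pos = _read_counted(buf, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(buf, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", buf, pos); pos += 4
        key = buf[pos:pos + klen]; pos += klen
        kvno = vno8
        if pos + 4 <= len(buf):           # 32-bit kvno present after the keyblock
            (kvno,) = struct.unpack_from(">I", buf, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "key": key})
        off += size
    return entries

def principals(data):
    return [e["principal"] for e in parse_keytab(data)]

def default_initiator(data):
    """Assumption: with no name given, MIT krb5 takes the first live entry."""
    entries = parse_keytab(data)
    if not entries:
        raise ValueError("keytab holds no live entries")
    return entries[0]["principal"]

def has_principal(data, principal):
    """The check a caller should make before passing a keytab to CustodiaClient."""
    return principal in principals(data)

if __name__ == "__main__":
    print(principals(SAMPLE_KEYTAB))
    print("default initiator:", default_initiator(SAMPLE_KEYTAB))
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; if `default_initiator` is not the principal you meant the client to authenticate as, pass an explicit name or use a keytab that holds only that principal.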


