Update anonymous access ACI to protect secret attributes.

Update anonymous access ACI so that no users besides Trust Admins
users can read AD Trust key attributes (ipaNTTrustAuthOutgoing,
ipaNTTrustAuthIncoming). The change is applied both for updated
IPA servers and new installations.

3 files changed, 83 insertions, 1 deletions

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index f3ed39599..3e6c10077 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
 aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index d29103a90..a0c62ca70 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -9,6 +9,7 @@ app_PYTHON = 			\
 	dns.py			\
 	updateclient.py		\
 	update_services.py	\
+	update_anonymous_aci.py	\
 	$(NULL)
 
 EXTRA_DIST =			\
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
new file mode 100644
index 000000000..2b7446ad0
--- /dev/null
+++ b/ipaserver/install/plugins/update_anonymous_aci.py
@@ -0,0 +1,81 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from copy import deepcopy
+from ipaserver.install.plugins import FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PostUpdate
+#from ipalib.frontend import Updater
+#from ipaserver.install.plugins import baseupdate
+from ipalib import api
+from ipalib.aci import ACI
+from ipalib.plugins import aci
+from ipapython.ipa_log_manager import *
+
+class update_anonymous_aci(PostUpdate):
+    """
+    Update the Anonymous ACI to ensure that all secrets are protected.
+    """
+    order = FIRST
+
+    def execute(self, **options):
+        aciname = u'Enable Anonymous access'
+        aciprefix = u'none'
+        ldap = self.obj.backend
+
+        (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci'])
+
+        acistrs = entry_attrs.get('aci', [])
+        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
+        rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
+
+        attrs = rawaci.target['targetattr']['expression']
+
+        update_attrs = deepcopy(attrs)
+
+        needed_attrs = []
+        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
+            if attr not in attrs:
+                needed_attrs.append(attr)
+
+        update_attrs.extend(needed_attrs)
+        if len(attrs) == len(update_attrs):
+            root_logger.debug("Anonymous ACI already update-to-date")
+            return (False, False, [])
+        else:
+            root_logger.debug("New Anonymous ACI attributes needed: %s",
+                needed_attrs)
+
+        for tmpaci in acistrs:
+            candidate = ACI(tmpaci)
+            if rawaci.isequal(candidate):
+                acistrs.remove(tmpaci)
+                break
+
+        rawaci.target['targetattr']['expression'] = update_attrs
+        acistrs.append(unicode(rawaci))
+        entry_attrs['aci'] = acistrs
+
+        try:
+            ldap.update_entry(dn, entry_attrs)
+        except Exception, e:
+            root_logger.error("Failed to update Anonymous ACI: %s" % e)
+
+        return (False, False, [])
+
+api.register(update_anonymous_aci)