diff options
author | Tomas Babej <tbabej@redhat.com> | 2013-03-06 12:17:28 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-03-14 15:20:30 +0100 |
commit | 04a17f00b7a991297cc4f7441512a4f5ca436271 (patch) | |
tree | aa497d1601251b2a32f5aa274d267a0bc0f4959f /ipaserver/dcerpc.py | |
parent | 354a5db38e46aaf7ff4ecb0b6ee54a18194c376e (diff) | |
download | freeipa-04a17f00b7a991297cc4f7441512a4f5ca436271.tar.gz freeipa-04a17f00b7a991297cc4f7441512a4f5ca436271.tar.xz freeipa-04a17f00b7a991297cc4f7441512a4f5ca436271.zip |
Enforce exact SID match when adding or modifying a ID range
SID validation in idrange.py now enforces exact match on SIDs, thus
one can no longer use SID of an object in a trusted domain as a
trusted domain SID.
https://fedorahosted.org/freeipa/ticket/3432
Diffstat (limited to 'ipaserver/dcerpc.py')
-rw-r--r-- | ipaserver/dcerpc.py | 50 |
1 files changed, 37 insertions, 13 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 150f72709..5d052ea4a 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -184,37 +184,53 @@ class DomainValidator(object): except errors.NotFound, e: return [] - def get_domain_by_sid(self, sid): + def get_domain_by_sid(self, sid, exact_match=False): if not self.domain: # our domain is not configured or self.is_configured() never run # reject SIDs as we can't check correctness of them raise errors.ValidationError(name='sid', error=_('domain is not configured')) + # Parse sid string to see if it is really in a SID format try: test_sid = security.dom_sid(sid) - except TypeError, e: + except TypeError: raise errors.ValidationError(name='sid', error=_('SID is not valid')) + # At this point we have SID_NT_AUTHORITY family SID and really need to # check it against prefixes of domain SIDs we trust to if not self._domains: self._domains = self.get_trusted_domains() if len(self._domains) == 0: # Our domain is configured but no trusted domains are configured - # This means we can't check the correctness of a trusted domain SIDs + # This means we can't check the correctness of a trusted + # domain SIDs raise errors.ValidationError(name='sid', error=_('no trusted domain is configured')) - # We have non-zero list of trusted domains and have to go through them - # one by one and check their sids as prefixes - test_sid_subauths = test_sid.sub_auths - for domain in self._domains: - domsid = self._domains[domain][1] - sub_auths = domsid.sub_auths - num_auths = min(test_sid.num_auths, domsid.num_auths) - if test_sid_subauths[:num_auths] == sub_auths[:num_auths]: - return domain - raise errors.NotFound(reason=_('SID does not match any trusted domain')) + + # We have non-zero list of trusted domains and have to go through + # them one by one and check their sids as prefixes / exact match + # depending on the value of exact_match flag + if exact_match: + # check exact match of sids + for domain in self._domains: + if sid == str(self._domains[domain][1]): + return domain + + raise errors.NotFound(reason=_("SID does not match exactly" + "with any trusted domain's SID")) + else: + # check as prefixes + test_sid_subauths = test_sid.sub_auths + for domain in self._domains: + domsid = self._domains[domain][1] + sub_auths = domsid.sub_auths + num_auths = min(test_sid.num_auths, domsid.num_auths) + if test_sid_subauths[:num_auths] == sub_auths[:num_auths]: + return domain + raise errors.NotFound(reason=_('SID does not match any ' + 'trusted domain')) def is_trusted_sid_valid(self, sid): try: @@ -224,6 +240,14 @@ class DomainValidator(object): else: return True + def is_trusted_domain_sid_valid(self, sid): + try: + self.get_domain_by_sid(sid, exact_match=True) + except (errors.ValidationError, errors.NotFound): + return False + else: + return True + def get_sid_from_domain_name(self, name): """Returns binary representation of SID for the trusted domain name or None if name is not in the list of trusted domains.""" |