Check that IPA configuration has MS-PAC generation enabled

FreeIPA uses S4U extensions to operate on behalf of the user requesting IPA API access. S4U2Proxy extension requires presence of MS-PAC record in the Kerberos evidence ticket presented by the proxy service. This is mandatory since ~2023 to address Bronze bit CVE. Check that 'ipa config-show' output includes 'MS-PAC' in the list of values for ipakrbauthzdata attribute. Signed-off-by: Alexander Bokovoy <[email protected]> Signed-off-by: Rob Crittenden <[email protected]>
freeipa · Jul 17, 2024 · 366b49f · 366b49f
1 parent b6346fe
commit 366b49f
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 1 deletion.
diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
@@ -684,3 +684,23 @@ def check(self):
                          key='adtrustpackage',
                          msg='trust-ad sub-package is not installed. '
                          'Administration will be limited.')
+
+
+@registry
+class IPAauthzdatapacCheck(IPAPlugin):
+    """
+    Verify that the MS-PAC generation is not disabled
+    """
+    @duration
+    def check(self):
+        ipaconfig = api.Command.config_show(raw=True)
+        krbauthzdata = ipaconfig['result'].get('ipakrbauthzdata', tuple())
+        authzdata = 'MS-PAC'
+        if authzdata not in krbauthzdata:
+            yield Result(self, constants.ERROR,
+                         key=authzdata,
+                         error='access to IPA API will not work',
+                         msg='MS-PAC generation is not enabled '
+                         'in IPA configuration {key}: {error}')
+        else:
+            yield Result(self, constants.SUCCESS, key='MS-PAC')
diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
@@ -23,7 +23,8 @@
                                       IPATrustControllerGroupSIDCheck,
                                       IPATrustControllerAdminSIDCheck,
                                       IPATrustControllerConfCheck,
-                                      IPATrustPackageCheck)
+                                      IPATrustPackageCheck,
+                                      IPAauthzdatapacCheck)
 
 from ipalib import errors
 from ipapython.dn import DN
@@ -1287,3 +1288,44 @@ def test_agent_without_package(self):
         assert result.source == 'ipahealthcheck.ipa.trust'
         assert result.check == 'IPATrustPackageCheck'
         sys.modules['ipaserver.install'] = save
+
+
+class TestConfiguration(BaseTest):
+
+    def test_ipakrbauthzdata_positive(self):
+        framework = object()
+        registry.initialize(framework, config.Config)
+        f = IPAauthzdatapacCheck(registry)
+
+        m_api.Command.config_show.side_effect = [{
+            'result': {
+                'ipakrbauthzdata': ['MS-PAC', 'nfs:NONE',]
+            }
+        }]
+        self.results = capture_results(f)
+
+        assert len(self.results) == 1
+
+        result = self.results.results[0]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPAauthzdatapacCheck'
+
+    def test_ipakrbauthzdata_negative(self):
+        framework = object()
+        registry.initialize(framework, config.Config)
+        f = IPAauthzdatapacCheck(registry)
+
+        m_api.Command.config_show.side_effect = [{
+            'result': {
+                'ipakrbauthzdata': ['nfs:NONE',]
+            }
+        }]
+        self.results = capture_results(f)
+
+        assert len(self.results) == 1
+
+        result = self.results.results[0]
+        assert result.result == constants.ERROR
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPAauthzdatapacCheck'