
List:       fedora-directory-commits
Subject:    =?utf-8?q?=5B389-commits=5D?= [389-ds-base] branch master updated: Issue 50716 - CVE-2019-14824 (BZ#
From:       pagure () pagure ! io
Date:       2019-11-14 13:26:11
Message-ID: 20191114132611.31996.78984 () pagure01 ! fedoraproject ! org

This is an automated email from the git hooks/post-receive script.

vashirov pushed a commit to branch master
in repository 389-ds-base.

The following commit(s) were added to refs/heads/master by this push:
     new 334ba3f  Issue 50716 - CVE-2019-14824 (BZ#1748199) - deref plugin displays \
restricted attributes 334ba3f is described below

commit 334ba3fb918ad645d0b4ebb6dc3ec16eed89e522
Author: Viktor Ashirov <vashirov@redhat.com>
AuthorDate: Thu Nov 14 12:39:20 2019 +0100

    Issue 50716 - CVE-2019-14824 (BZ#1748199) - deref plugin displays restricted \
attributes  
    Description:
    Add test case
    
    Author: Mark Reynolds
    
    Relates: https://pagure.io/389-ds-base/issue/50716
---
 dirsrvtests/tests/suites/plugins/deref_aci_test.py | 141 +++++++++++++++++++++
 src/lib389/lib389/_controls.py                     |   2 +-
 2 files changed, 142 insertions(+), 1 deletion(-)

diff --git a/dirsrvtests/tests/suites/plugins/deref_aci_test.py b/dirsrvtests/tests/suites/plugins/deref_aci_test.py
new file mode 100644
index 0000000..ee64ff1
--- /dev/null
+++ b/dirsrvtests/tests/suites/plugins/deref_aci_test.py
@@ -0,0 +1,141 @@
+import os
+import logging
+import pytest
+import ldap
+from lib389._constants import DEFAULT_SUFFIX, PASSWORD
+from lib389.idm.organizationalunit import OrganizationalUnits
+from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
+from lib389.idm.group import Groups
+from lib389.topologies import topology_st as topo
+
+pytestmark = pytest.mark.tier1
+
+DEBUGGING = os.getenv("DEBUGGING", default=None)
+if DEBUGGING:
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+    logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+ACCTS_DN = "ou=accounts,dc=example,dc=com"
+USERS_DN = "ou=users,ou=accounts,dc=example,dc=com"
+GROUPS_DN = "ou=groups,ou=accounts,dc=example,dc=com"
+ADMIN_GROUP_DN = "cn=admins,ou=groups,ou=accounts,dc=example,dc=com"
+ADMIN_DN = "uid=admin,ou=users,ou=accounts,dc=example,dc=com"
+
+ACCTS_ACI = ('(targetattr="userPassword")(version 3.0; acl "allow password ' +
+             'search"; allow(search) userdn = "ldap:///all";)')
+USERS_ACI = ('(targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos ' +
+             '|| gidnumber || givenname || homedirectory || initials || ' +
+             'loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")' +
+             '(targetfilter = "(objectclass=posixaccount)")' +
+             '(version 3.0;acl "Read Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)')
+GROUPS_ACIS = [
+    (
+        '(targetattr = "businesscategory || cn || createtimestamp || description |' +
+        '| entryusn || gidnumber || mepmanagedby || modifytimestamp || o || objectclass || ou || own' +
+        'er || seealso")(targetfilter = "(objectclass=posixgroup)")(version 3.0;acl' +
+        '"permission:System: Read Groups";allow (compare,re' +
+        'ad,search) userdn = "ldap:///anyone";)'
+    ),
+    (
+        '(targetattr = "member || memberof || memberuid")(targetfilter = '+
+        '"(objectclass=posixgroup)")(version 3.0;acl' +
+        '"permission:System: Read Group Membership";allow (compare,read' +
+        ',search) userdn = "ldap:///all";)'
+    )
+]
+
+
+def test_deref_and_access_control(topo):
+    """Test that the deref plugin honors access control rules correctly
+
+    The setup mimics a generic IPA DIT with its ACI's.  The userpassword
+    attribute should not be returned
+
+    :id: bedb6af2-b765-479d-808c-df0348e0ec95
+    :setup: Standalone Instance
+    :steps:
+        1. Create container entries with aci's
+        2. Perform deref search and make sure userpassword is not returned
+    :expectedresults:
+        1. Success
+        2. Success
+    """
+
+    topo.standalone.config.set('nsslapd-schemacheck', 'off')
+    if DEBUGGING:
+        topo.standalone.config.enable_log('audit')
+        topo.standalone.config.set('nsslapd-errorlog-level', '128')
+
+    # Accounts
+    ou1 = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
+    ou1.create(properties={
+        'ou': 'accounts',
+        'aci': ACCTS_ACI
+    })
+
+    # Users
+    ou2 = OrganizationalUnits(topo.standalone, ACCTS_DN)
+    ou2.create(properties={
+        'ou': 'users',
+        'aci': USERS_ACI
+    })
+
+    # Groups
+    ou3 = OrganizationalUnits(topo.standalone, ACCTS_DN)
+    ou3.create(properties={
+        'ou': 'groups',
+        'aci': GROUPS_ACIS
+    })
+
+    # Create User
+    users = UserAccounts(topo.standalone, USERS_DN, rdn=None)
+    user_props = TEST_USER_PROPERTIES.copy()
+    user_props.update(
+        {
+            'uid': 'user',
+            'objectclass': ['posixAccount', 'extensibleObject'],
+            'userpassword': PASSWORD
+        }
+    )
+    user = users.create(properties=user_props)
+
+    # Create Admin user
+    user_props = TEST_USER_PROPERTIES.copy()
+    user_props.update(
+        {
+            'uid': 'admin',
+            'objectclass': ['posixAccount', 'extensibleObject', 'inetuser'],
+            'userpassword': PASSWORD,
+            'memberOf': ADMIN_GROUP_DN
+        }
+    )
+    users.create(properties=user_props)
+
+    # Create Admin group
+    groups = Groups(topo.standalone, GROUPS_DN, rdn=None)
+    group_props = {
+        'cn': 'admins',
+        'gidNumber': '123',
+        'objectclass': ['posixGroup', 'extensibleObject'],
+        'member': ADMIN_DN
+    }
+    groups.create(properties=group_props)
+
+    # Bind as user, then perform deref search on admin user
+    user.rebind(PASSWORD)
+    result, control_response = topo.standalone.dereference(
+        'member:cn,userpassword',
+        base=ADMIN_GROUP_DN,
+        scope=ldap.SCOPE_BASE)
+
+    log.info('Check, that the dereference search result does not have userpassword')
+    assert result[0][2][0].entry[0]['attrVals'][0]['type'] != 'userpassword'
+
+
+if __name__ == '__main__':
+    # Run isolated
+    # -s for DEBUG mode
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main(["-s", CURRENT_FILE])
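Review bot: The final assertion in test_deref_and_access_control only inspects `attrVals[0]['type']` of the first dereferenced entry, so it passes whenever `cn` happens to be returned first and would not notice `userpassword` leaking as a later attribute; it also never confirms that the deref returned the permitted attribute at all. Checking the whole list is stronger and pins the positive case too: `returned = [av['type'] for av in result[0][2][0].entry[0]['attrVals']]`, `assert 'userpassword' not in returned`, `assert 'cn' in returned`. The attribute type names in the control response may not be normalized to lowercase by the decoder in _controls.py; if they are echoed with other casing, compare on `.lower()` — worth confirming before relying on the exact string. A short comment above the assertion, such as `# The bound user has no read access to userPassword, so deref must not return it`, would make the security intent of the check explicit.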
diff --git a/src/lib389/lib389/_controls.py b/src/lib389/lib389/_controls.py
index 7cbe78c..2f8d9ac 100644
--- a/src/lib389/lib389/_controls.py
+++ b/src/lib389/lib389/_controls.py
@@ -101,7 +101,7 @@ class DereferenceControl(LDAPControl):
     def encodeControlValue(self):
         cv = DerefControlValue()
         cvi = 0
-        for derefSpec in self.deref.split(';'):
+        for derefSpec in self.deref.decode('utf-8').split(';'):
             derefAttr, attributes = derefSpec.split(':')
             attributes = attributes.split(',')
             al = AttributeList()
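Review bot: `self.deref.decode('utf-8')` on the changed line assumes `self.deref` is always bytes; if the constructor (outside this hunk) still stores the spec as a str, `.decode` raises AttributeError at control-encoding time. The new test passes `'member:cn,userpassword'` as a str through `dereference()`, so the conversion presumably happens on that path — worth confirming rather than relying on it. Accepting both forms avoids the trap: `spec = self.deref.decode('utf-8') if isinstance(self.deref, bytes) else self.deref` followed by `for derefSpec in spec.split(';'):`. The remainder of encodeControlValue continues outside the hunk.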

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.



