-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Workflow to auto-patch vendored Samba code (#768)
- Loading branch information
Showing
10 changed files
with
2,619 additions
and
0 deletions.
There are no files selected for viewing
415 changes: 415 additions & 0 deletions
415
.github/samba/_patches/0001-Revert-gpclass.py-to-65ab33dffab2.patch
Large diffs are not rendered by default.
Oops, something went wrong.
114 changes: 114 additions & 0 deletions
114
.github/samba/_patches/0002-gp-Make-global-trust-dir-configurable.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| From 10c33ec5da7e19e5710f44eaa91be6906dc59e2a Mon Sep 17 00:00:00 2001 | ||
| From: Gabriel Nagy <[email protected]> | ||
| Date: Fri, 11 Aug 2023 18:39:13 +0300 | ||
| Subject: [PATCH 2/5] gp: Make global trust dir configurable | ||
|
|
||
| The global trust directory differs between Linux distributions, e.g. on | ||
| Debian-based systems the directory performing a similar function is | ||
| `/usr/local/share/ca-certificates`. | ||
|
|
||
| Make the path configurable similar to the other certificate directories, | ||
| while defaulting to the previous one to maintain backwards | ||
| compatibility. | ||
|
|
||
| Signed-off-by: Gabriel Nagy <[email protected]> | ||
| --- | ||
| python/samba/gp/gp_cert_auto_enroll_ext.py | 22 ++++++++++++---------- | ||
| 1 file changed, 12 insertions(+), 10 deletions(-) | ||
|
|
||
| diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| index 312c8ddf467..bf6dcc4a98d 100644 | ||
| --- a/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| @@ -45,7 +45,6 @@ cert_wrap = b""" | ||
| -----BEGIN CERTIFICATE----- | ||
| %s | ||
| -----END CERTIFICATE-----""" | ||
| -global_trust_dir = '/etc/pki/trust/anchors' | ||
| endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \ | ||
| '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP' | ||
|
|
||
| @@ -249,7 +248,7 @@ def getca(ca, url, trust_dir): | ||
| return root_certs | ||
|
|
||
|
|
||
| -def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): | ||
| +def cert_enroll(ca, ldb, trust_dir, private_dir, global_trust_dir, auth='Kerberos'): | ||
| """Install the root certificate chain.""" | ||
| data = dict({'files': [], 'templates': []}, **ca) | ||
| url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] | ||
| @@ -351,11 +350,13 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| self.cache_add_attribute(guid, attribute, data) | ||
|
|
||
| def process_group_policy(self, deleted_gpo_list, changed_gpo_list, | ||
| - trust_dir=None, private_dir=None): | ||
| + trust_dir=None, private_dir=None, global_trust_dir=None): | ||
| if trust_dir is None: | ||
| trust_dir = self.lp.cache_path('certs') | ||
| if private_dir is None: | ||
| private_dir = self.lp.private_path('certs') | ||
| + if global_trust_dir is None: | ||
| + global_trust_dir = '/etc/pki/trust/anchors' | ||
| if not os.path.exists(trust_dir): | ||
| os.mkdir(trust_dir, mode=0o755) | ||
| if not os.path.exists(private_dir): | ||
| @@ -385,7 +386,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| if enroll: | ||
| ca_names = self.__enroll(gpo.name, | ||
| pol_conf.entries, | ||
| - trust_dir, private_dir) | ||
| + trust_dir, private_dir, | ||
| + global_trust_dir) | ||
|
|
||
| # Cleanup any old CAs that have been removed | ||
| ca_attrs = [base64.b64encode(n.encode()).decode() \ | ||
| @@ -399,7 +401,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| self.clean(gpo.name, remove=ca_attrs) | ||
|
|
||
| def __read_cep_data(self, guid, ldb, end_point_information, | ||
| - trust_dir, private_dir): | ||
| + trust_dir, private_dir, global_trust_dir): | ||
| """Read CEP Data. | ||
|
|
||
| [MS-CAESO] 4.4.5.3.2.4 | ||
| @@ -454,19 +456,19 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| cas = fetch_certification_authorities(ldb) | ||
| for _ca in cas: | ||
| self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir, | ||
| - private_dir) | ||
| + private_dir, global_trust_dir) | ||
| ca_names.append(_ca['name']) | ||
| # If EndPoint.URI starts with "HTTPS//": | ||
| elif ca['URL'].lower().startswith('https://'): | ||
| self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir, | ||
| - private_dir, auth=ca['auth']) | ||
| + private_dir, global_trust_dir, auth=ca['auth']) | ||
| ca_names.append(ca['name']) | ||
| else: | ||
| edata = { 'endpoint': ca['URL'] } | ||
| log.error('Unrecognized endpoint', edata) | ||
| return ca_names | ||
|
|
||
| - def __enroll(self, guid, entries, trust_dir, private_dir): | ||
| + def __enroll(self, guid, entries, trust_dir, private_dir, global_trust_dir): | ||
| url = 'ldap://%s' % get_dc_hostname(self.creds, self.lp) | ||
| ldb = Ldb(url=url, session_info=system_session(), | ||
| lp=self.lp, credentials=self.creds) | ||
| @@ -476,12 +478,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| if len(end_point_information) > 0: | ||
| ca_names.extend(self.__read_cep_data(guid, ldb, | ||
| end_point_information, | ||
| - trust_dir, private_dir)) | ||
| + trust_dir, private_dir, global_trust_dir)) | ||
| else: | ||
| cas = fetch_certification_authorities(ldb) | ||
| for ca in cas: | ||
| self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir, | ||
| - private_dir) | ||
| + private_dir, global_trust_dir) | ||
| ca_names.append(ca['name']) | ||
| return ca_names | ||
|
|
||
| -- | ||
| 2.41.0 | ||
|
|
30 changes: 30 additions & 0 deletions
30
.github/samba/_patches/0003-gp-Change-root-cert-extension-suffix.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| From f3096f35f4fe62eec5589c1bbe0a1ff576005a85 Mon Sep 17 00:00:00 2001 | ||
| From: Gabriel Nagy <[email protected]> | ||
| Date: Fri, 11 Aug 2023 18:46:42 +0300 | ||
| Subject: [PATCH 3/5] gp: Change root cert extension suffix | ||
|
|
||
| On Ubuntu, certificates must end in '.crt' in order to be considered by | ||
| the `update-ca-certificates` helper. | ||
|
|
||
| Signed-off-by: Gabriel Nagy <[email protected]> | ||
| --- | ||
| python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- | ||
| 1 file changed, 2 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| index bf6dcc4a98d..e428737ba50 100644 | ||
| --- a/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| @@ -238,7 +238,8 @@ def getca(ca, url, trust_dir): | ||
| certs = load_der_pkcs7_certificates(r.content) | ||
| for i in range(0, len(certs)): | ||
| cert = certs[i].public_bytes(Encoding.PEM) | ||
| - dest = '%s.%d' % (root_cert, i) | ||
| + filename, extension = root_cert.rsplit('.', 1) | ||
| + dest = '%s.%d.%s' % (filename, i, extension) | ||
| with open(dest, 'wb') as w: | ||
| w.write(cert) | ||
| root_certs.append(dest) | ||
| -- | ||
| 2.41.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| From fe018c46b3515f43d1bcb392622fc97223e279d1 Mon Sep 17 00:00:00 2001 | ||
| From: Gabriel Nagy <[email protected]> | ||
| Date: Fri, 11 Aug 2023 18:58:07 +0300 | ||
| Subject: [PATCH 4/5] gp: wip | ||
|
|
||
| --- | ||
| python/samba/gp/gp_cert_auto_enroll_ext.py | 13 +++++++------ | ||
| 1 file changed, 7 insertions(+), 6 deletions(-) | ||
|
|
||
| diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| index e428737ba50..30ff07ba433 100644 | ||
| --- a/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| @@ -155,7 +155,7 @@ def fetch_certification_authorities(ldb): | ||
| for es in res: | ||
| data = { 'name': get_string(es['cn'][0]), | ||
| 'hostname': get_string(es['dNSHostName'][0]), | ||
| - 'cACertificate': get_string(es['cACertificate'][0]) | ||
| + 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0])) | ||
| } | ||
| result.append(data) | ||
| return result | ||
| @@ -173,8 +173,7 @@ def fetch_template_attrs(ldb, name, attrs=None): | ||
| return {'msPKI-Minimal-Key-Size': ['2048']} | ||
|
|
||
| def format_root_cert(cert): | ||
| - cert = base64.b64encode(cert.encode()) | ||
| - return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL) | ||
| + return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL) | ||
|
|
||
| def find_cepces_submit(): | ||
| certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', | ||
| @@ -337,8 +336,10 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| # If the policy has changed, unapply, then apply new policy | ||
| old_val = self.cache_get_attribute_value(guid, attribute) | ||
| old_data = json.loads(old_val) if old_val is not None else {} | ||
| - if all([(ca[k] == old_data[k] if k in old_data else False) \ | ||
| - for k in ca.keys()]) or \ | ||
| + templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] | ||
| + new_data = { 'templates': templates, **ca } | ||
| + if any((new_data[k] != old_data[k] if k in old_data else False) \ | ||
| + for k in new_data.keys()) or \ | ||
| self.cache_get_apply_state() == GPOSTATE.ENFORCE: | ||
| self.unapply(guid, attribute, old_val) | ||
| # If policy is already applied, skip application | ||
| @@ -399,7 +400,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): | ||
| # remove any existing policy | ||
| ca_attrs = \ | ||
| self.cache_get_all_attribute_values(gpo.name) | ||
| - self.clean(gpo.name, remove=ca_attrs) | ||
| + self.clean(gpo.name, remove=list(ca_attrs.keys())) | ||
|
|
||
| def __read_cep_data(self, guid, ldb, end_point_information, | ||
| trust_dir, private_dir, global_trust_dir): | ||
| -- | ||
| 2.41.0 | ||
|
|
52 changes: 52 additions & 0 deletions
52
.github/samba/_patches/0005-gp-update-samba-imports-to-vendored.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| From acf2d7e0cd96e03c5d8edadce7736f3e4d6922f0 Mon Sep 17 00:00:00 2001 | ||
| From: Gabriel Nagy <[email protected]> | ||
| Date: Mon, 14 Aug 2023 13:34:32 +0300 | ||
| Subject: [PATCH 5/5] gp: update samba imports to vendored | ||
|
|
||
| Signed-off-by: Gabriel Nagy <[email protected]> | ||
| --- | ||
| python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +++--- | ||
| python/samba/gp/gpclass.py | 2 +- | ||
| 2 files changed, 4 insertions(+), 4 deletions(-) | ||
|
|
||
| diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| index 30ff07ba433..54be3bc2823 100644 | ||
| --- a/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py | ||
| @@ -17,17 +17,17 @@ | ||
| import os | ||
| import operator | ||
| import requests | ||
| -from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE | ||
| +from vendor_samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE | ||
| from samba import Ldb | ||
| from ldb import SCOPE_SUBTREE, SCOPE_BASE | ||
| from samba.auth import system_session | ||
| -from samba.gp.gpclass import get_dc_hostname | ||
| +from vendor_samba.gp.gpclass import get_dc_hostname | ||
| import base64 | ||
| from shutil import which | ||
| from subprocess import Popen, PIPE | ||
| import re | ||
| import json | ||
| -from samba.gp.util.logging import log | ||
| +from vendor_samba.gp.util.logging import log | ||
| import struct | ||
| try: | ||
| from cryptography.hazmat.primitives.serialization.pkcs7 import \ | ||
| diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py | ||
| index 605f94f3317..0ef86576de2 100644 | ||
| --- a/python/samba/gp/gpclass.py | ||
| +++ b/python/samba/gp/gpclass.py | ||
| @@ -40,7 +40,7 @@ from samba.dcerpc import preg | ||
| from samba.dcerpc import misc | ||
| from samba.ndr import ndr_pack, ndr_unpack | ||
| from samba.credentials import SMB_SIGNING_REQUIRED | ||
| -from samba.gp.util.logging import log | ||
| +from vendor_samba.gp.util.logging import log | ||
| from hashlib import blake2b | ||
| import numbers | ||
| from samba.common import get_string | ||
| -- | ||
| 2.41.0 | ||
|
|
Oops, something went wrong.