ubuntu · GabrielNagy · Aug 21, 2023 · Aug 14, 2023 · Aug 14, 2023
@@ -0,0 +1,114 @@
+From 10c33ec5da7e19e5710f44eaa91be6906dc59e2a Mon Sep 17 00:00:00 2001
+From: Gabriel Nagy <[email protected]>
+Date: Fri, 11 Aug 2023 18:39:13 +0300
+Subject: [PATCH 2/5] gp: Make global trust dir configurable
+
+The global trust directory differs between Linux distributions, e.g. on
+Debian-based systems the directory performing a similar function is
+`/usr/local/share/ca-certificates`.
+
+Make the path configurable similar to the other certificate directories,
+while defaulting to the previous one to maintain backwards
+compatibility.
+
+Signed-off-by: Gabriel Nagy <[email protected]>
+---
+ python/samba/gp/gp_cert_auto_enroll_ext.py | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index 312c8ddf467..bf6dcc4a98d 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -45,7 +45,6 @@ cert_wrap = b"""
+ -----BEGIN CERTIFICATE-----
+ %s
+ -----END CERTIFICATE-----"""
+-global_trust_dir = '/etc/pki/trust/anchors'
+ endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
+               '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
+
+@@ -249,7 +248,7 @@ def getca(ca, url, trust_dir):
+     return root_certs
+
+
+-def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
++def cert_enroll(ca, ldb, trust_dir, private_dir, global_trust_dir, auth='Kerberos'):
+     """Install the root certificate chain."""
+     data = dict({'files': [], 'templates': []}, **ca)
+     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
+@@ -351,11 +350,13 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+         self.cache_add_attribute(guid, attribute, data)
+
+     def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
+-                             trust_dir=None, private_dir=None):
++                             trust_dir=None, private_dir=None, global_trust_dir=None):
+         if trust_dir is None:
+             trust_dir = self.lp.cache_path('certs')
+         if private_dir is None:
+             private_dir = self.lp.private_path('certs')
++        if global_trust_dir is None:
++            global_trust_dir = '/etc/pki/trust/anchors'
+         if not os.path.exists(trust_dir):
+             os.mkdir(trust_dir, mode=0o755)
+         if not os.path.exists(private_dir):
+@@ -385,7 +386,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+                         if enroll:
+                             ca_names = self.__enroll(gpo.name,
+                                                      pol_conf.entries,
+-                                                     trust_dir, private_dir)
++                                                     trust_dir, private_dir,
++                                                     global_trust_dir)
+
+                             # Cleanup any old CAs that have been removed
+                             ca_attrs = [base64.b64encode(n.encode()).decode() \
+@@ -399,7 +401,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+                             self.clean(gpo.name, remove=ca_attrs)
+
+     def __read_cep_data(self, guid, ldb, end_point_information,
+-                        trust_dir, private_dir):
++                        trust_dir, private_dir, global_trust_dir):
+         """Read CEP Data.
+
+         [MS-CAESO] 4.4.5.3.2.4
+@@ -454,19 +456,19 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+                     cas = fetch_certification_authorities(ldb)
+                     for _ca in cas:
+                         self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir,
+-                                   private_dir)
++                                   private_dir, global_trust_dir)
+                         ca_names.append(_ca['name'])
+                 # If EndPoint.URI starts with "HTTPS//":
+                 elif ca['URL'].lower().startswith('https://'):
+                     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
+-                               private_dir, auth=ca['auth'])
++                               private_dir, global_trust_dir, auth=ca['auth'])
+                     ca_names.append(ca['name'])
+                 else:
+                     edata = { 'endpoint': ca['URL'] }
+                     log.error('Unrecognized endpoint', edata)
+             return ca_names
+
+-    def __enroll(self, guid, entries, trust_dir, private_dir):
++    def __enroll(self, guid, entries, trust_dir, private_dir, global_trust_dir):
+         url = 'ldap://%s' % get_dc_hostname(self.creds, self.lp)
+         ldb = Ldb(url=url, session_info=system_session(),
+                   lp=self.lp, credentials=self.creds)
+@@ -476,12 +478,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+         if len(end_point_information) > 0:
+             ca_names.extend(self.__read_cep_data(guid, ldb,
+                                                  end_point_information,
+-                                                 trust_dir, private_dir))
++                                                 trust_dir, private_dir, global_trust_dir))
+         else:
+             cas = fetch_certification_authorities(ldb)
+             for ca in cas:
+                 self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
+-                           private_dir)
++                           private_dir, global_trust_dir)
+                 ca_names.append(ca['name'])
+         return ca_names
+
+-- 
+2.41.0
+
@@ -0,0 +1,30 @@
+From f3096f35f4fe62eec5589c1bbe0a1ff576005a85 Mon Sep 17 00:00:00 2001
+From: Gabriel Nagy <[email protected]>
+Date: Fri, 11 Aug 2023 18:46:42 +0300
+Subject: [PATCH 3/5] gp: Change root cert extension suffix
+
+On Ubuntu, certificates must end in '.crt' in order to be considered by
+the `update-ca-certificates` helper.
+
+Signed-off-by: Gabriel Nagy <[email protected]>
+---
+ python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index bf6dcc4a98d..e428737ba50 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -238,7 +238,8 @@ def getca(ca, url, trust_dir):
+         certs = load_der_pkcs7_certificates(r.content)
+         for i in range(0, len(certs)):
+             cert = certs[i].public_bytes(Encoding.PEM)
+-            dest = '%s.%d' % (root_cert, i)
++            filename, extension = root_cert.rsplit('.', 1)
++            dest = '%s.%d.%s' % (filename, i, extension)
+             with open(dest, 'wb') as w:
+                 w.write(cert)
+             root_certs.append(dest)
+-- 
+2.41.0
+
@@ -0,0 +1,57 @@
+From fe018c46b3515f43d1bcb392622fc97223e279d1 Mon Sep 17 00:00:00 2001
+From: Gabriel Nagy <[email protected]>
+Date: Fri, 11 Aug 2023 18:58:07 +0300
+Subject: [PATCH 4/5] gp: wip
+
+---
+ python/samba/gp/gp_cert_auto_enroll_ext.py | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index e428737ba50..30ff07ba433 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -155,7 +155,7 @@ def fetch_certification_authorities(ldb):
+     for es in res:
+         data = { 'name': get_string(es['cn'][0]),
+                  'hostname': get_string(es['dNSHostName'][0]),
+-                 'cACertificate': get_string(es['cACertificate'][0])
++                 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0]))
+                }
+         result.append(data)
+     return result
+@@ -173,8 +173,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
+         return {'msPKI-Minimal-Key-Size': ['2048']}
+
+ def format_root_cert(cert):
+-    cert = base64.b64encode(cert.encode())
+-    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
++    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL)
+
+ def find_cepces_submit():
+     certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',
+@@ -337,8 +336,10 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+         # If the policy has changed, unapply, then apply new policy
+         old_val = self.cache_get_attribute_value(guid, attribute)
+         old_data = json.loads(old_val) if old_val is not None else {}
+-        if all([(ca[k] == old_data[k] if k in old_data else False) \
+-                    for k in ca.keys()]) or \
++        templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])]
++        new_data = { 'templates': templates, **ca }
++        if any((new_data[k] != old_data[k] if k in old_data else False) \
++                    for k in new_data.keys()) or \
+                 self.cache_get_apply_state() == GPOSTATE.ENFORCE:
+             self.unapply(guid, attribute, old_val)
+         # If policy is already applied, skip application
+@@ -399,7 +400,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+                             # remove any existing policy
+                             ca_attrs = \
+                                 self.cache_get_all_attribute_values(gpo.name)
+-                            self.clean(gpo.name, remove=ca_attrs)
++                            self.clean(gpo.name, remove=list(ca_attrs.keys()))
+
+     def __read_cep_data(self, guid, ldb, end_point_information,
+                         trust_dir, private_dir, global_trust_dir):
+-- 
+2.41.0
+
@@ -0,0 +1,52 @@
+From acf2d7e0cd96e03c5d8edadce7736f3e4d6922f0 Mon Sep 17 00:00:00 2001
+From: Gabriel Nagy <[email protected]>
+Date: Mon, 14 Aug 2023 13:34:32 +0300
+Subject: [PATCH 5/5] gp: update samba imports to vendored
+
+Signed-off-by: Gabriel Nagy <[email protected]>
+---
+ python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +++---
+ python/samba/gp/gpclass.py                 | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index 30ff07ba433..54be3bc2823 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -17,17 +17,17 @@
+ import os
+ import operator
+ import requests
+-from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
++from vendor_samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
+ from samba import Ldb
+ from ldb import SCOPE_SUBTREE, SCOPE_BASE
+ from samba.auth import system_session
+-from samba.gp.gpclass import get_dc_hostname
++from vendor_samba.gp.gpclass import get_dc_hostname
+ import base64
+ from shutil import which
+ from subprocess import Popen, PIPE
+ import re
+ import json
+-from samba.gp.util.logging import log
++from vendor_samba.gp.util.logging import log
+ import struct
+ try:
+     from cryptography.hazmat.primitives.serialization.pkcs7 import \
+diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
+index 605f94f3317..0ef86576de2 100644
+--- a/python/samba/gp/gpclass.py
++++ b/python/samba/gp/gpclass.py
+@@ -40,7 +40,7 @@ from samba.dcerpc import preg
+ from samba.dcerpc import misc
+ from samba.ndr import ndr_pack, ndr_unpack
+ from samba.credentials import SMB_SIGNING_REQUIRED
+-from samba.gp.util.logging import log
++from vendor_samba.gp.util.logging import log
+ from hashlib import blake2b
+ import numbers
+ from samba.common import get_string
+-- 
+2.41.0
+