freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

ipahealthcheck.ipa.proxy test fails when secret contains non-alphanumeric characters #275

Closed eashleyfl closed 1 year ago

eashleyfl commented 2 years ago

Issue

If the AJP secret contains any special characters, the regex expression at freeipa-healthcheck/src/ipahealthcheck/ipa/proxy.py:89 fails to recognize the secret correctly. If the first character is a special character, it reports no secret is specified.

```python
PROXY_RE = r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\w+)$'
```

Actual behavior

ipa-healthcheck reports like the following, even though the secret exists and is properly configured everywhere:

```json
{
  "source": "ipahealthcheck.ipa.proxy",
  "check": "IPAProxySecretCheck",
  "result": "CRITICAL",
  "uuid": "6820b5b3-08a9-4632-a834-a71d1ae0d84b",
  "when": "20220708144958Z",
  "duration": "0.000894",
  "kw": {
    "key": "proxy_secrets",
    "proxy_conf": "/etc/httpd/conf.d/ipa-pki-proxy.conf",
    "msg": "No ProxyPassMatch secrets found in {proxy_conf}"
  }
},
```

The word match expression for 'secret=(\w+)$' will stop at any special character. If the first character is a special character, it reads as no secret specified. This needs to use a better regex expression since special characters are likely to be in any modern secret.

Expected behavior

It should not report any error

Version/Release/Distribution

```
freeipa-healthcheck.noarch 0.11-2.fc36 @updates
freeipa-healthcheck-core.noarch 0.11-2.fc36 @updates
```

rcritten commented 1 year ago

The secret as generated by IPA cannot include special characters because of the way the password generator is called.

https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L409

Was this secret set manually?

eashleyfl commented 1 year ago

I have a vague recollection of being prompted for a password but don't seem to have relevant logs for it. I always use a password generator when prompted for a password. So yes, I believe it was set manually.


rcritten commented 1 year ago

This password is not prompted for.

As far as I can tell even if the CA generates the secret it is all characters & numbers:

The charset is defined at https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/pkiparser.py#L275 and used at https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/pkiparser.py#L288, which is a subset of `\w` (which is `[a-zA-Z0-9_]`).

Is the length of yours 44 characters? That's the length IPA generates.
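
To make the behaviour in the report and in the reply above concrete, here is an added example (not freeipa-healthcheck or Dogtag code) that runs the regex quoted in the issue and a hypothetical relaxed pattern over a constructed `ipa-pki-proxy.conf` fragment, then checks each recovered secret against the shape rcritten describes for an IPA-generated value (44 characters, letters and digits only). The `find_secrets` and `looks_ipa_generated` helpers, the relaxed `\S+` pattern, the sample secrets and file contents, and the line-by-line `re.match` are all assumptions made for this example.

```python
import re

# Pattern quoted in the issue report (from freeipa-healthcheck proxy.py); \w+ only
# accepts [A-Za-z0-9_], so a secret with any other character never matches.
PROXY_RE_ORIGINAL = r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\w+)$'

# Hypothetical relaxed pattern (an assumption for this example, not the project's fix):
# any run of non-whitespace characters up to end of line counts as the secret.
PROXY_RE_RELAXED = r'\s+ProxyPassMatch ajp://localhost:8009 secret=(\S+)$'

# Constructed sample secrets: a 44-character letters-and-digits value shaped like the
# one IPA generates, and a manually set value containing punctuation.
ALNUM_SECRET = "abcDEF0123456789abcDEF0123456789abcDEF012345"
SPECIAL_SECRET = "!Qz9$#rT@8kL%"

# Constructed fragment in the style of /etc/httpd/conf.d/ipa-pki-proxy.conf (not a real file).
SAMPLE_CONF = (
    '<LocationMatch "^/ca/ee/ca/checkRequest">\n'
    f'    ProxyPassMatch ajp://localhost:8009 secret={ALNUM_SECRET}\n'
    '</LocationMatch>\n'
    '<LocationMatch "^/kra/agent/kra/connector">\n'
    f'    ProxyPassMatch ajp://localhost:8009 secret={SPECIAL_SECRET}\n'
    '</LocationMatch>\n'
)


def find_secrets(conf_text, pattern):
    """Return every secret the given pattern recognises, scanning one line at a time.

    Matching each line from its start with re.match is an assumption about how the
    check walks the file; the regex itself begins with \\s+, so the leading
    indentation of the ProxyPassMatch line is required for a match.
    """
    found = []
    for line in conf_text.splitlines():
        m = re.match(pattern, line)
        if m:
            found.append(m.group(1))
    return found


def looks_ipa_generated(secret):
    """True when the secret has the shape described for an IPA-generated value:
    exactly 44 characters drawn from letters and digits only."""
    return re.fullmatch(r'[A-Za-z0-9]{44}', secret) is not None


if __name__ == "__main__":
    for name, pattern in (("original", PROXY_RE_ORIGINAL), ("relaxed", PROXY_RE_RELAXED)):
        secrets = find_secrets(SAMPLE_CONF, pattern)
        print(f"{name}: {len(secrets)} secret(s) found")
        for s in secrets:
            print(f"  {s!r} ipa-generated shape: {looks_ipa_generated(s)}")
```

With the original pattern only the alphanumeric secret is found, so a manually set secret with punctuation produces exactly the "No ProxyPassMatch secrets found" outcome from the report; the relaxed pattern finds both, and the shape check separates the IPA-generated value from the manually set one.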

eashleyfl commented 1 year ago

I must have changed it when I first installed the KRA server.