From: David Mulder <dmulder@suse.com>
Date: Mon, 11 Apr 2022 20:26:50 +0000 (-0600)
Subject: gpo: Certificate Auto Enroll correctly check templates
X-Git-Tag: talloc-2.3.4~272
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45d76ecad2159714af6ecc4f7d525ca39149cc07;p=thirdparty%2Fsamba.git

gpo: Certificate Auto Enroll correctly check templates

[MS-CAESO] 4.4.5.3.2.4 and 4.4.5.3.2.4.2 explain
to fetch templates via cep, then to gather attrs
for the templates after. This code was reversed.
This will matter when implementing advanced
endpoint configuration.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index b05c161fe3a..2e01853108e 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -52,11 +52,7 @@ def fetch_certification_authorities(ldb):
     if len(res) == 0:
         return result
     for es in res:
-        templates = {}
-        for template in es['certificateTemplates']:
-            templates[template] = fetch_template_attrs(ldb, template)
         data = dict(es)
-        data['certificateTemplates'] = templates
         result.append(data)
     return result
 
@@ -93,7 +89,7 @@ def get_supported_templates(server):
         return out.strip().split()
     return []
 
-def cert_enroll(ca, trust_dir, private_dir):
+def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     # Install the root certificate chain
     data = {'files': [], 'templates': []}
     sscep = which('sscep')
@@ -147,9 +143,8 @@ def cert_enroll(ca, trust_dir, private_dir):
             data = { 'Error': err.decode(), 'CA': ca['cn'][0] }
             log.error('Failed to add Certificate Authority', data)
         supported_templates = get_supported_templates(ca['dNSHostName'][0])
-        for template, attrs in ca['certificateTemplates'].items():
-            if template not in supported_templates:
-                continue
+        for template in supported_templates:
+            attrs = fetch_template_attrs(ldb, template)
             nickname = '%s.%s' % (ca['cn'][0], template.decode())
             keyfile = os.path.join(private_dir, '%s.key' % nickname)
             certfile = os.path.join(trust_dir, '%s.crt' % nickname)
@@ -229,7 +224,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext):
                                       lp=self.lp, credentials=self.creds)
                             cas = fetch_certification_authorities(ldb)
                             for ca in cas:
-                                data = cert_enroll(ca, trust_dir, private_dir)
+                                data = cert_enroll(ca, ldb, trust_dir, private_dir)
                                 self.gp_db.store(str(self),
                                      base64.b64encode(ca['cn'][0]).decode(),
                                      data)