rpms/ipa
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Import OL ipa-4.12.2-1.0.1.el9_5.4

Browse Source
This commit is contained in:
eabdullin 2025-02-05 12:46:05 +03:00
parent 2609b6f540
commit 1b6180a5e1
3 changed files with 245 additions and 2 deletions

67
SOURCES/0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch Normal file
View File

@ -0,0 +1,67 @@
From d86db9d2c107c66372f422f1d628624b1a55ad45 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 17 Jan 2025 09:44:22 +0200
Subject: [PATCH] ipa-otpd: do not pass OIDC client secret if there is none to
pass
If there is no client secret specified for the OIDC client, don't push
it to oidc_child via stdin. oidc_child does only expect client secret if
--client-secret-stdin option was specified and we already specify it
only if client secret is not empty.
In addition, if client secret is empty (it is a public OIDC client),
then strlen(NULL) would crash in glibc internals. Avoid that!
Fixes: https://pagure.io/freeipa/issue/9734
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-otpd/oauth2.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
index 52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69..0eb43b2372701d47b9ef62cbbdb32b97a5f7a0ba 100644
--- a/daemons/ipa-otpd/oauth2.c
+++ b/daemons/ipa-otpd/oauth2.c
@@ -104,17 +104,26 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
}
if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
- io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
- strlen(child_ctx->item->idp.ipaidpClientSecret));
+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
+ strlen(child_ctx->item->idp.ipaidpClientSecret));
+ } else {
+ io = 0;
+ }
} else {
- iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret;
- iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
- iov[1].iov_base = "\n";
- iov[1].iov_len = 1;
- iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
- iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
-
- io = writev(verto_get_fd(ev), iov, 3);
+ int idx = 0;
+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+ iov[idx].iov_base = child_ctx->item->idp.ipaidpClientSecret;
+ iov[idx].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
+ idx++;
+ iov[idx].iov_base = "\n";
+ iov[idx].iov_len = 1;
+ idx++;
+ }
+ iov[idx].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
+ iov[idx].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
+ idx++;
+ io = writev(verto_get_fd(ev), iov, idx);
}
otpd_queue_item_free(child_ctx->saved_item);
--
2.48.1

165
SOURCES/0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch Normal file
View File

@ -0,0 +1,165 @@
From 431a5804949417257b204125ff0a898b98dd2a90 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 17 Jan 2025 12:33:54 +0200
Subject: [PATCH] Migrate Keycloak tests to JDK 21 and Keycloak 26
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../pytest_ipa/integration/create_bridge.py | 2 +-
.../pytest_ipa/integration/create_keycloak.py | 28 +++++++++----------
ipatests/test_integration/test_idp.py | 4 +--
ipatests/test_integration/test_sso.py | 4 +--
4 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/create_bridge.py b/ipatests/pytest_ipa/integration/create_bridge.py
index 618c645feef86f846a60e5727e7777defc67624c..5dd2f305c2ba6f707ee40be12581ff62c951805b 100644
--- a/ipatests/pytest_ipa/integration/create_bridge.py
+++ b/ipatests/pytest_ipa/integration/create_bridge.py
@@ -147,7 +147,7 @@ def setup_keycloak_scim_plugin(host, bridge_server):
# Login to keycloak as admin
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
- f"https://{host.hostname}:8443/auth/",
+ f"https://{host.hostname}:8443",
"--realm", "master", "--user", "admin",
"--password", password]
tasks.run_repeatedly(host, kcadmin, timeout=60)
diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py
index 1340b95715c25f1bf1cbbf2e3c6e60731f3af08e..addade7594d7a1b8edefdb8c67ec4bc7abe70ef4 100644
--- a/ipatests/pytest_ipa/integration/create_keycloak.py
+++ b/ipatests/pytest_ipa/integration/create_keycloak.py
@@ -6,10 +6,10 @@ from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
-def setup_keycloakserver(host, version='17.0.0'):
+def setup_keycloakserver(host, version='26.1.0'):
dir = "/opt/keycloak"
password = host.config.admin_password
- tasks.install_packages(host, ["unzip", "java-11-openjdk-headless",
+ tasks.install_packages(host, ["unzip", "java-21-openjdk-headless",
"openssl", "maven", "wget",
"firefox", "xorg-x11-server-Xvfb"])
# add keycloak system user/group and folder
@@ -33,7 +33,7 @@ def setup_keycloakserver(host, version='17.0.0'):
key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key")
crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt")
- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store")
+ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks")
host.run_command(["ipa-getcert", "request", "-K",
"HTTP/{0}".format(host.hostname),
@@ -49,14 +49,13 @@ def setup_keycloakserver(host, version='17.0.0'):
# Setup keycloak service and config files
contents = textwrap.dedent("""
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD={admin_pswd}
- KC_HOSTNAME={host}:8443
+ KC_BOOTSTRAP_ADMIN_USERNAME=admin
+ KC_BOOTSTRAP_ADMIN_PASSWORD={admin_pswd}
+ KC_HOSTNAME=https://{host}:8443/
KC_HTTPS_CERTIFICATE_FILE={crt}
KC_HTTPS_CERTIFICATE_KEY_FILE={key}
KC_HTTPS_TRUST_STORE_FILE={store}
KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd}
- KC_HTTP_RELATIVE_PATH=/auth
""").format(admin_pswd=password, host=host.hostname, crt=crt, key=key,
store=keystore, store_pswd=password)
host.put_file_contents("/etc/sysconfig/keycloak", contents)
@@ -84,14 +83,13 @@ def setup_keycloakserver(host, version='17.0.0'):
# Run build stage first
env_vars = textwrap.dedent("""
- export KEYCLOAK_ADMIN=admin
- export KC_HOSTNAME={hostname}:8443
+ export KC_BOOTSTRAP_ADMIN_USERNAME=admin
+ export KC_HOSTNAME=https://{hostname}:8443/
export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt
export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key
- export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store
+ export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.jks
export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS}
- export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS}
- export KC_HTTP_RELATIVE_PATH=/auth
+ export KC_BOOTSTRAP_ADMIN_PASSWORD={ADMIN_PASS}
""").format(hostname=host.hostname, STORE_PASS=password,
ADMIN_PASS=password)
@@ -112,7 +110,7 @@ def setup_keycloakserver(host, version='17.0.0'):
host.run_command([kcadmin_sh, "config", "truststore",
"--trustpass", password, keystore])
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
- "https://{0}:8443/auth/".format(host.hostname),
+ "https://{0}:8443/".format(host.hostname),
"--realm", "master", "--user", "admin",
"--password", password
]
@@ -133,7 +131,7 @@ def setup_keycloak_client(host):
password = host.config.admin_password
host.run_command(["/opt/keycloak/bin/kcreg.sh",
"config", "credentials", "--server",
- "https://{0}:8443/auth/".format(host.hostname),
+ "https://{0}:8443/".format(host.hostname),
"--realm", "master", "--user", "admin",
"--password", password]
)
@@ -163,7 +161,7 @@ def setup_keycloak_client(host):
def uninstall_keycloak(host):
key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key")
crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt")
- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store")
+ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks")
host.run_command(["systemctl", "stop", "keycloak"], raiseonerr=False)
host.run_command(["getcert", "stop-tracking", "-k", key, "-f", crt],
diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py
index ca2fcecb22459685450f2ed6c3ac1b9b215170f6..76edc9458e4448e05362ff040b8dab7a53cd3054 100644
--- a/ipatests/test_integration/test_idp.py
+++ b/ipatests/test_integration/test_idp.py
@@ -122,7 +122,7 @@ class TestIDPKeycloak(IntegrationTest):
tasks.kinit_admin(self.master)
cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
- "--base-url={0}:8443/auth".format(self.client.hostname)]
+ "--base-url={0}:8443".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, 'keycloakuser',
@@ -282,7 +282,7 @@ class TestIDPKeycloak(IntegrationTest):
user = "backupuser"
cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
- "--base-url={0}:8443/auth".format(self.client.hostname)]
+ "--base-url={0}:8443".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
diff --git a/ipatests/test_integration/test_sso.py b/ipatests/test_integration/test_sso.py
index 9708e9fa05a75cb2657c657b39b015249f3fd208..57c5a96bae986ee9721fc540d2be2cdc443e78fb 100644
--- a/ipatests/test_integration/test_sso.py
+++ b/ipatests/test_integration/test_sso.py
@@ -18,7 +18,7 @@ from selenium.webdriver.support import expected_conditions as EC
options = Options()
options.headless = True
driver = webdriver.Firefox(executable_path="/opt/geckodriver", options=options)
-verification_uri = "https://{hostname}:8443/auth/realms/master/account/#/"
+verification_uri = "https://{hostname}:8443/realms/master/account/#/"
driver.get(verification_uri)
try:
@@ -60,7 +60,7 @@ def keycloak_add_user(host, kcadm_pass, username, password=None):
domain = host.domain.name
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
- f"https://{host.hostname}:8443/auth/",
+ f"https://{host.hostname}:8443",
"--realm", "master", "--user", "admin",
"--password", kcadm_pass]
--
2.48.1

15
SPECS/freeipa.spec
View File

@ -224,7 +224,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 1%{?rc_version:.%rc_version}%{?dist}.3
Release: 1%{?rc_version:.%rc_version}.0.1%{?dist}.4
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -259,6 +259,8 @@ Patch0008: 0008-pyca-adapt-import-paths-for-TripleDES-cipher.patch
Patch0009: 0009-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
Patch0010: 0010-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
Patch0011: 0011-CVE-2024-11029.patch
Patch0012: 0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch
Patch0013: 0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -587,6 +589,7 @@ BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= %{systemd_version}
Requires: bind >= %{bind_version}
%if 0%{?rhel} >= 8 && ! 0%{?eln}
Requires: system-logos-ipa >= 80.4
%endif
@ -1038,7 +1041,8 @@ autoreconf -ivf
%{enable_server_option} \
%{with_ipatests_option} \
%{with_ipa_join_xml_option} \
%{linter_options}
%{linter_options} \
--with-ipaplatform=rhel
# run build in default dir
# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
@ -1874,6 +1878,13 @@ fi
%endif
%changelog
* Tue Feb 04 2025 Akshata Konala <akshata.konala@oracle.com> - 4.12.2-1.0.1.4
- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674]
- Add bind to ipa-server-common Requires [Orabug: 36518596]
* Thu Jan 23 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-1.4
- Resolves: RHEL-76011 kinit with external idp user is failing
* Tue Dec 17 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-1.3
- Resolves: RHEL-69928 add support for python cryptography 44.0.0
- Resolves: RHEL-70258 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken