From 1b6180a5e1372a3599b34290e47207df63fda97f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 5 Feb 2025 12:46:05 +0300 Subject: [PATCH] Import OL ipa-4.12.2-1.0.1.el9_5.4 --- ...pass-OIDC-client-secret-if-there-is-.patch | 67 +++++++ ...loak-tests-to-JDK-21-and-Keycloak-26.patch | 165 ++++++++++++++++++ SPECS/freeipa.spec | 15 +- 3 files changed, 245 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch create mode 100644 SOURCES/0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch diff --git a/SOURCES/0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch b/SOURCES/0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch new file mode 100644 index 0000000..02c2253 --- /dev/null +++ b/SOURCES/0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch @@ -0,0 +1,67 @@ +From d86db9d2c107c66372f422f1d628624b1a55ad45 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 17 Jan 2025 09:44:22 +0200 +Subject: [PATCH] ipa-otpd: do not pass OIDC client secret if there is none to + pass + +If there is no client secret specified for the OIDC client, don't push +it to oidc_child via stdin. oidc_child does only expect client secret if +--client-secret-stdin option was specified and we already specify it +only if client secret is not empty. + +In addition, if client secret is empty (it is a public OIDC client), +then strlen(NULL) would crash in glibc internals. Avoid that! + +Fixes: https://pagure.io/freeipa/issue/9734 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + daemons/ipa-otpd/oauth2.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c +index 52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69..0eb43b2372701d47b9ef62cbbdb32b97a5f7a0ba 100644 +--- a/daemons/ipa-otpd/oauth2.c ++++ b/daemons/ipa-otpd/oauth2.c +@@ -104,17 +104,26 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev) + } + + if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) { +- io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret, +- strlen(child_ctx->item->idp.ipaidpClientSecret)); ++ if (child_ctx->item->idp.ipaidpClientSecret != NULL) { ++ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret, ++ strlen(child_ctx->item->idp.ipaidpClientSecret)); ++ } else { ++ io = 0; ++ } + } else { +- iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret; +- iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret); +- iov[1].iov_base = "\n"; +- iov[1].iov_len = 1; +- iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply; +- iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply); +- +- io = writev(verto_get_fd(ev), iov, 3); ++ int idx = 0; ++ if (child_ctx->item->idp.ipaidpClientSecret != NULL) { ++ iov[idx].iov_base = child_ctx->item->idp.ipaidpClientSecret; ++ iov[idx].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret); ++ idx++; ++ iov[idx].iov_base = "\n"; ++ iov[idx].iov_len = 1; ++ idx++; ++ } ++ iov[idx].iov_base = child_ctx->saved_item->oauth2.device_code_reply; ++ iov[idx].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply); ++ idx++; ++ io = writev(verto_get_fd(ev), iov, idx); + } + otpd_queue_item_free(child_ctx->saved_item); + +-- +2.48.1 + diff --git a/SOURCES/0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch b/SOURCES/0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch new file mode 100644 index 0000000..82dcebc --- /dev/null +++ b/SOURCES/0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch @@ -0,0 +1,165 @@ +From 431a5804949417257b204125ff0a898b98dd2a90 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 17 Jan 2025 12:33:54 +0200 +Subject: [PATCH] Migrate Keycloak tests to JDK 21 and Keycloak 26 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + .../pytest_ipa/integration/create_bridge.py | 2 +- + .../pytest_ipa/integration/create_keycloak.py | 28 +++++++++---------- + ipatests/test_integration/test_idp.py | 4 +-- + ipatests/test_integration/test_sso.py | 4 +-- + 4 files changed, 18 insertions(+), 20 deletions(-) + +diff --git a/ipatests/pytest_ipa/integration/create_bridge.py b/ipatests/pytest_ipa/integration/create_bridge.py +index 618c645feef86f846a60e5727e7777defc67624c..5dd2f305c2ba6f707ee40be12581ff62c951805b 100644 +--- a/ipatests/pytest_ipa/integration/create_bridge.py ++++ b/ipatests/pytest_ipa/integration/create_bridge.py +@@ -147,7 +147,7 @@ def setup_keycloak_scim_plugin(host, bridge_server): + # Login to keycloak as admin + kcadmin_sh = "/opt/keycloak/bin/kcadm.sh" + kcadmin = [kcadmin_sh, "config", "credentials", "--server", +- f"https://{host.hostname}:8443/auth/", ++ f"https://{host.hostname}:8443", + "--realm", "master", "--user", "admin", + "--password", password] + tasks.run_repeatedly(host, kcadmin, timeout=60) +diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py +index 1340b95715c25f1bf1cbbf2e3c6e60731f3af08e..addade7594d7a1b8edefdb8c67ec4bc7abe70ef4 100644 +--- a/ipatests/pytest_ipa/integration/create_keycloak.py ++++ b/ipatests/pytest_ipa/integration/create_keycloak.py +@@ -6,10 +6,10 @@ from ipaplatform.paths import paths + from ipatests.pytest_ipa.integration import tasks + + +-def setup_keycloakserver(host, version='17.0.0'): ++def setup_keycloakserver(host, version='26.1.0'): + dir = "/opt/keycloak" + password = host.config.admin_password +- tasks.install_packages(host, ["unzip", "java-11-openjdk-headless", ++ tasks.install_packages(host, ["unzip", "java-21-openjdk-headless", + "openssl", "maven", "wget", + "firefox", "xorg-x11-server-Xvfb"]) + # add keycloak system user/group and folder +@@ -33,7 +33,7 @@ def setup_keycloakserver(host, version='17.0.0'): + + key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key") + crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt") +- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store") ++ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks") + + host.run_command(["ipa-getcert", "request", "-K", + "HTTP/{0}".format(host.hostname), +@@ -49,14 +49,13 @@ def setup_keycloakserver(host, version='17.0.0'): + + # Setup keycloak service and config files + contents = textwrap.dedent(""" +- KEYCLOAK_ADMIN=admin +- KEYCLOAK_ADMIN_PASSWORD={admin_pswd} +- KC_HOSTNAME={host}:8443 ++ KC_BOOTSTRAP_ADMIN_USERNAME=admin ++ KC_BOOTSTRAP_ADMIN_PASSWORD={admin_pswd} ++ KC_HOSTNAME=https://{host}:8443/ + KC_HTTPS_CERTIFICATE_FILE={crt} + KC_HTTPS_CERTIFICATE_KEY_FILE={key} + KC_HTTPS_TRUST_STORE_FILE={store} + KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd} +- KC_HTTP_RELATIVE_PATH=/auth + """).format(admin_pswd=password, host=host.hostname, crt=crt, key=key, + store=keystore, store_pswd=password) + host.put_file_contents("/etc/sysconfig/keycloak", contents) +@@ -84,14 +83,13 @@ def setup_keycloakserver(host, version='17.0.0'): + + # Run build stage first + env_vars = textwrap.dedent(""" +- export KEYCLOAK_ADMIN=admin +- export KC_HOSTNAME={hostname}:8443 ++ export KC_BOOTSTRAP_ADMIN_USERNAME=admin ++ export KC_HOSTNAME=https://{hostname}:8443/ + export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt + export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key +- export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store ++ export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.jks + export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS} +- export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS} +- export KC_HTTP_RELATIVE_PATH=/auth ++ export KC_BOOTSTRAP_ADMIN_PASSWORD={ADMIN_PASS} + """).format(hostname=host.hostname, STORE_PASS=password, + ADMIN_PASS=password) + +@@ -112,7 +110,7 @@ def setup_keycloakserver(host, version='17.0.0'): + host.run_command([kcadmin_sh, "config", "truststore", + "--trustpass", password, keystore]) + kcadmin = [kcadmin_sh, "config", "credentials", "--server", +- "https://{0}:8443/auth/".format(host.hostname), ++ "https://{0}:8443/".format(host.hostname), + "--realm", "master", "--user", "admin", + "--password", password + ] +@@ -133,7 +131,7 @@ def setup_keycloak_client(host): + password = host.config.admin_password + host.run_command(["/opt/keycloak/bin/kcreg.sh", + "config", "credentials", "--server", +- "https://{0}:8443/auth/".format(host.hostname), ++ "https://{0}:8443/".format(host.hostname), + "--realm", "master", "--user", "admin", + "--password", password] + ) +@@ -163,7 +161,7 @@ def setup_keycloak_client(host): + def uninstall_keycloak(host): + key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key") + crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt") +- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store") ++ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks") + + host.run_command(["systemctl", "stop", "keycloak"], raiseonerr=False) + host.run_command(["getcert", "stop-tracking", "-k", key, "-f", crt], +diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py +index ca2fcecb22459685450f2ed6c3ac1b9b215170f6..76edc9458e4448e05362ff040b8dab7a53cd3054 100644 +--- a/ipatests/test_integration/test_idp.py ++++ b/ipatests/test_integration/test_idp.py +@@ -122,7 +122,7 @@ class TestIDPKeycloak(IntegrationTest): + tasks.kinit_admin(self.master) + cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak", + "--client-id=ipa_oidc_client", "--org=master", +- "--base-url={0}:8443/auth".format(self.client.hostname)] ++ "--base-url={0}:8443".format(self.client.hostname)] + self.master.run_command(cmd, stdin_text="{0}\n{0}".format( + self.client.config.admin_password)) + tasks.user_add(self.master, 'keycloakuser', +@@ -282,7 +282,7 @@ class TestIDPKeycloak(IntegrationTest): + user = "backupuser" + cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak", + "--client-id=ipa_oidc_client", "--org=master", +- "--base-url={0}:8443/auth".format(self.client.hostname)] ++ "--base-url={0}:8443".format(self.client.hostname)] + self.master.run_command(cmd, stdin_text="{0}\n{0}".format( + self.client.config.admin_password)) + +diff --git a/ipatests/test_integration/test_sso.py b/ipatests/test_integration/test_sso.py +index 9708e9fa05a75cb2657c657b39b015249f3fd208..57c5a96bae986ee9721fc540d2be2cdc443e78fb 100644 +--- a/ipatests/test_integration/test_sso.py ++++ b/ipatests/test_integration/test_sso.py +@@ -18,7 +18,7 @@ from selenium.webdriver.support import expected_conditions as EC + options = Options() + options.headless = True + driver = webdriver.Firefox(executable_path="/opt/geckodriver", options=options) +-verification_uri = "https://{hostname}:8443/auth/realms/master/account/#/" ++verification_uri = "https://{hostname}:8443/realms/master/account/#/" + driver.get(verification_uri) + + try: +@@ -60,7 +60,7 @@ def keycloak_add_user(host, kcadm_pass, username, password=None): + domain = host.domain.name + kcadmin_sh = "/opt/keycloak/bin/kcadm.sh" + kcadmin = [kcadmin_sh, "config", "credentials", "--server", +- f"https://{host.hostname}:8443/auth/", ++ f"https://{host.hostname}:8443", + "--realm", "master", "--user", "admin", + "--password", kcadm_pass] + +-- +2.48.1 + diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec index 5a4b976..ed00bed 100644 --- a/SPECS/freeipa.spec +++ b/SPECS/freeipa.spec @@ -224,7 +224,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist}.3 +Release: 1%{?rc_version:.%rc_version}.0.1%{?dist}.4 Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later @@ -259,6 +259,8 @@ Patch0008: 0008-pyca-adapt-import-paths-for-TripleDES-cipher.patch Patch0009: 0009-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch Patch0010: 0010-adtrust-add-missing-ipaAllowedOperations-objectclass.patch Patch0011: 0011-CVE-2024-11029.patch +Patch0012: 0012-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch +Patch0013: 0013-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -587,6 +589,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= %{httpd_version} Requires: systemd-units >= %{systemd_version} +Requires: bind >= %{bind_version} %if 0%{?rhel} >= 8 && ! 0%{?eln} Requires: system-logos-ipa >= 80.4 %endif @@ -1038,7 +1041,8 @@ autoreconf -ivf %{enable_server_option} \ %{with_ipatests_option} \ %{with_ipa_join_xml_option} \ - %{linter_options} + %{linter_options} \ + --with-ipaplatform=rhel # run build in default dir # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 @@ -1874,6 +1878,13 @@ fi %endif %changelog +* Tue Feb 04 2025 Akshata Konala - 4.12.2-1.0.1.4 +- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674] +- Add bind to ipa-server-common Requires [Orabug: 36518596] + +* Thu Jan 23 2025 Florence Blanc-Renaud - 4.12.2-1.4 +- Resolves: RHEL-76011 kinit with external idp user is failing + * Tue Dec 17 2024 Florence Blanc-Renaud - 4.12.2-1.3 - Resolves: RHEL-69928 add support for python cryptography 44.0.0 - Resolves: RHEL-70258 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken