diff --git a/.gitignore b/.gitignore index 8b5115a..1bb7e47 100644 --- a/.gitignore +++ b/.gitignore @@ -138,3 +138,5 @@ /freeipa-4.12.1.tar.gz /freeipa-4.12.2.tar.gz /freeipa-4.12.2.tar.gz.asc +/freeipa-4.13.0.tar.gz +/freeipa-4.13.0.tar.gz.asc diff --git a/0001-Trust-fix-tdo-with-WITH_FOREST.patch b/0001-Trust-fix-tdo-with-WITH_FOREST.patch new file mode 100644 index 0000000..61b4850 --- /dev/null +++ b/0001-Trust-fix-tdo-with-WITH_FOREST.patch @@ -0,0 +1,51 @@ +From f274df651ff8c352527c78f837cdff02e8eaa8f6 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 4 Dec 2025 13:13:21 +0100 +Subject: [PATCH] Trust: fix tdo with WITH_FOREST + +When a trust was established pre samba 4.23, the trust domain object +could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) +This value prevents winbind restart. + +The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE +but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST. +In this case we should drop the bit and replace it by FOREST_TRANSITIVE +one because otherwise Samba will skip the domain. Do not change the LDAP +representation to allow older replicas to continue operations. + +Fixes: https://pagure.io/freeipa/issue/9892 +Signed-off-by: Alexander Bokovoy +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-sam/ipa_sam.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c +index c43ffddbbdd69123b5d568a937fbc12d138243d1..ea25934d569f378f41b386bbb57d33eaf2bb19c0 100644 +--- a/daemons/ipa-sam/ipa_sam.c ++++ b/daemons/ipa-sam/ipa_sam.c +@@ -2545,10 +2545,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, + if (!res) { + goto done; + } +- if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) { +- /* attribute wasn't present and this is not a subdomain within +- * the parent forest */ +- td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; ++ if (td->domain_name != dns_domain) { ++ if ((td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) != 0 || ++ (td->trust_attributes == 0)) { ++ /* when trust attribute is not present or contains WITHIN_FOREST, ++ * we should drop the bit and replace it by FOREST_TRANSITIVE ++ * one because otherwise Samba will skip the domain. ++ * Do not change the LDAP representation to allow older replicas ++ * to continue operations. */ ++ td->trust_attributes &= ~LSA_TRUST_ATTRIBUTE_WITHIN_FOREST; ++ td->trust_attributes |= LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; ++ } + } + + res = get_uint32_t_from_ldap_msg(ipasam_state, entry, +-- +2.52.0 + diff --git a/0002-freeipa-disable-nis.patch b/0002-freeipa-disable-nis.patch deleted file mode 100644 index bd4e270..0000000 --- a/0002-freeipa-disable-nis.patch +++ /dev/null @@ -1,900 +0,0 @@ -From da1ec155fb5d5afc29b70ff4d68f0d774aa7f245 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mon, 29 Apr 2024 10:10:08 +0300 -Subject: [PATCH] Remove NIS server support - - RHEL 8.3+ already deprecated support for NIS protocol. - RHEL 9 does not ship NIS client side - RHEL 10 removes NIS server emulator support - -Remove NIS server integration from the migration and -management tools. - -Fixes: https://pagure.io/freeipa/issue/9363 - -Signed-off-by: Alexander Bokovoy ---- - freeipa.spec.in | 2 - - install/share/Makefile.am | 2 - - install/share/nis-update.uldif | 38 ---- - install/share/nis.uldif | 96 ---------- - install/tools/Makefile.am | 2 - - install/tools/ipa-compat-manage.in | 17 +- - install/tools/ipa-nis-manage.in | 205 --------------------- - install/tools/man/Makefile.am | 1 - - install/tools/man/ipa-nis-manage.1 | 51 ----- - install/updates/10-enable-betxn.update | 3 - - install/updates/50-nis.update | 3 - - install/updates/Makefile.am | 1 - - ipaplatform/base/paths.py | 2 - - ipaserver/install/ipa_migrate.py | 27 +-- - ipaserver/install/ipa_migrate_constants.py | 24 --- - ipaserver/install/plugins/update_nis.py | 92 --------- - ipatests/test_cmdline/test_cli.py | 1 - - ipatests/test_integration/test_commands.py | 87 --------- - 18 files changed, 16 insertions(+), 638 deletions(-) - delete mode 100644 install/share/nis-update.uldif - delete mode 100644 install/share/nis.uldif - delete mode 100644 install/tools/ipa-nis-manage.in - delete mode 100644 install/tools/man/ipa-nis-manage.1 - delete mode 100644 install/updates/50-nis.update - delete mode 100644 ipaserver/install/plugins/update_nis.py - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index e370290bc..b5e33a6ac 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -1508,7 +1508,6 @@ fi - %{_sbindir}/ipa-ldap-updater - %{_sbindir}/ipa-otptoken-import - %{_sbindir}/ipa-compat-manage --%{_sbindir}/ipa-nis-manage - %{_sbindir}/ipa-managed-entries - %{_sbindir}/ipactl - %{_sbindir}/ipa-advise -@@ -1583,7 +1582,6 @@ fi - %{_mandir}/man1/ipa-ca-install.1* - %{_mandir}/man1/ipa-kra-install.1* - %{_mandir}/man1/ipa-compat-manage.1* --%{_mandir}/man1/ipa-nis-manage.1* - %{_mandir}/man1/ipa-managed-entries.1* - %{_mandir}/man1/ipa-ldap-updater.1* - %{_mandir}/man8/ipactl.8* -diff --git a/install/share/Makefile.am b/install/share/Makefile.am -index 4029297b7..24664ca3b 100644 ---- a/install/share/Makefile.am -+++ b/install/share/Makefile.am -@@ -67,8 +67,6 @@ dist_app_DATA = \ - master-entry.ldif \ - memberof-task.ldif \ - memberof-conf.ldif \ -- nis.uldif \ -- nis-update.uldif \ - opendnssec_conf.template \ - opendnssec_kasp.template \ - unique-attributes.ldif \ -diff --git a/install/share/nis-update.uldif b/install/share/nis-update.uldif -deleted file mode 100644 -index e602c1de0..000000000 ---- a/install/share/nis-update.uldif -+++ /dev/null -@@ -1,38 +0,0 @@ --# Updates for NIS -- --# Correct syntax error that caused users to not appear --dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config --replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") -- --# Correct syntax error that caused nested netgroups to not work --# https://bugzilla.redhat.com/show_bug.cgi?id=788625 --dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config --replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") -- --# Make the padding an expression so usercat and hostcat always gets --# evaluated when displaying entries. --# https://bugzilla.redhat.com/show_bug.cgi?id=767372 --dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config --replace:nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") -- --dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: ethers.byaddr --default:nis-base: cn=computers, cn=accounts, $SUFFIX --default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) --default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") --default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: ethers.byname --default:nis-base: cn=computers, cn=accounts, $SUFFIX --default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) --default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") --default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") --default:nis-secure: no -diff --git a/install/share/nis.uldif b/install/share/nis.uldif -deleted file mode 100644 -index 1735fb552..000000000 ---- a/install/share/nis.uldif -+++ /dev/null -@@ -1,96 +0,0 @@ --dn: cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: nsSlapdPlugin --default:objectclass: extensibleObject --default:cn: NIS Server --default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so --default:nsslapd-plugininitfunc: nis_plugin_init --default:nsslapd-plugintype: object --default:nsslapd-pluginbetxn: on --default:nsslapd-pluginenabled: on --default:nsslapd-pluginid: nis-server --default:nsslapd-pluginversion: 0.10 --default:nsslapd-pluginvendor: redhat.com --default:nsslapd-plugindescription: NIS Server Plugin --default:nis-tcp-wrappers-name: nis-server -- --dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: passwd.byname --default:nis-base: cn=users, cn=accounts, $SUFFIX --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: passwd.byuid --default:nis-base: cn=users, cn=accounts, $SUFFIX --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: group.byname --default:nis-base: cn=groups, cn=accounts, $SUFFIX --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: group.bygid --default:nis-base: cn=groups, cn=accounts, $SUFFIX --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: netid.byname --default:nis-base: cn=users, cn=accounts, $SUFFIX --default:nis-secure: no -- --# Note that the escapes in this entry can be quite confusing. The trick --# is that each level of nesting requires (2^n) - 1 escapes. So the --# first level is \", the second is \\\", the third is \\\\\\\", etc. --# (1, 3, 7, 15, more than that and you'll go insane) -- --# Note that this configuration mirrors the Schema Compat configuration for --# triples. --dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: netgroup --default:nis-base: cn=ng, cn=alt, $SUFFIX --default:nis-filter: (objectClass=ipanisNetgroup) --default:nis-key-format: %{cn} --default:nis-value-format:%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: ethers.byaddr --default:nis-base: cn=computers, cn=accounts, $SUFFIX --default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) --default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") --default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") --default:nis-secure: no -- --dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config --default:objectclass: top --default:objectclass: extensibleObject --default:nis-domain: $DOMAIN --default:nis-map: ethers.byname --default:nis-base: cn=computers, cn=accounts, $SUFFIX --default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) --default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") --default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") --default:nis-secure: no -- -diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am -index c454fad97..a5306ffe9 100644 ---- a/install/tools/Makefile.am -+++ b/install/tools/Makefile.am -@@ -19,7 +19,6 @@ dist_noinst_DATA = \ - ipa-server-upgrade.in \ - ipactl.in \ - ipa-compat-manage.in \ -- ipa-nis-manage.in \ - ipa-managed-entries.in \ - ipa-ldap-updater.in \ - ipa-otptoken-import.in \ -@@ -56,7 +55,6 @@ nodist_sbin_SCRIPTS = \ - ipa-server-upgrade \ - ipactl \ - ipa-compat-manage \ -- ipa-nis-manage \ - ipa-managed-entries \ - ipa-ldap-updater \ - ipa-otptoken-import \ -diff --git a/install/tools/ipa-compat-manage.in b/install/tools/ipa-compat-manage.in -index 459f39fc8..70dd7c451 100644 ---- a/install/tools/ipa-compat-manage.in -+++ b/install/tools/ipa-compat-manage.in -@@ -26,6 +26,7 @@ from ipaplatform.paths import paths - try: - from optparse import OptionParser # pylint: disable=deprecated-module - from ipapython import ipautil, config -+ from ipapython.ipaldap import realm_to_serverid - from ipaserver.install import installutils - from ipaserver.install.ldapupdate import LDAPUpdate - from ipalib import api, errors -@@ -150,9 +151,19 @@ def main(): - try: - entry = get_entry(nis_config_dn) - # We can't disable schema compat if the NIS plugin is enabled -- if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': -- print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr) -- print("Run 'ipa-nis-manage disable' first.", file=sys.stderr) -+ if ( -+ entry is not None -+ and entry.get("nsslapd-pluginenabled", [""])[0].lower() == "on" -+ ): -+ instance = realm_to_serverid(api.env.realm) -+ print( -+ "The NIS plugin is configured, cannot " -+ "disable compatibility.", file=sys.stderr, -+ ) -+ print( -+ f"Run \"dsconf {instance} plugin set --enabled off " -+ "'NIS Server'\" first.", file=sys.stderr, -+ ) - retval = 2 - except errors.ExecutionError as lde: - print("An error occurred while talking to the server.") -diff --git a/install/tools/ipa-nis-manage.in b/install/tools/ipa-nis-manage.in -deleted file mode 100644 -index 6b156ce6a..000000000 ---- a/install/tools/ipa-nis-manage.in -+++ /dev/null -@@ -1,205 +0,0 @@ --#!/usr/bin/python3 --# Authors: Rob Crittenden --# Authors: Simo Sorce --# --# Copyright (C) 2009 Red Hat --# see file 'COPYING' for use and warranty information --# --# This program is free software; you can redistribute it and/or modify --# it under the terms of the GNU General Public License as published by --# the Free Software Foundation, either version 3 of the License, or --# (at your option) any later version. --# --# This program is distributed in the hope that it will be useful, --# but WITHOUT ANY WARRANTY; without even the implied warranty of --# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --# GNU General Public License for more details. --# --# You should have received a copy of the GNU General Public License --# along with this program. If not, see . --# -- --from __future__ import print_function -- --import sys --import os --from ipaplatform.paths import paths --try: -- from optparse import OptionParser # pylint: disable=deprecated-module -- from ipapython import ipautil, config -- from ipaserver.install import installutils -- from ipaserver.install.ldapupdate import LDAPUpdate -- from ipalib import api, errors -- from ipapython.ipa_log_manager import standard_logging_setup -- from ipapython.dn import DN -- from ipaplatform import services --except ImportError as e: -- print("""\ --There was a problem importing one of the required Python modules. The --error was: -- -- %s --""" % e, file=sys.stderr) -- sys.exit(1) -- --nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) --compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config')) -- --def parse_options(): -- usage = "%prog [options] \n" -- usage += "%prog [options]\n" -- parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) -- -- parser.add_option("-d", "--debug", action="store_true", dest="debug", -- help="Display debugging information about the update(s)") -- parser.add_option("-y", dest="password", -- help="File containing the Directory Manager password") -- -- config.add_standard_options(parser) -- options, args = parser.parse_args() -- -- return options, args -- --def get_dirman_password(): -- """Prompt the user for the Directory Manager password and verify its -- correctness. -- """ -- password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False) -- -- return password -- --def get_entry(dn): -- """ -- Return the entry for the given DN. If the entry is not found return -- None. -- """ -- entry = None -- try: -- entry = api.Backend.ldap2.get_entry(dn) -- except errors.NotFound: -- pass -- return entry -- --def main(): -- retval = 0 -- files = [paths.NIS_ULDIF] -- servicemsg = "" -- -- if os.getegid() != 0: -- sys.exit('Must be root to use this tool.') -- -- installutils.check_server_configuration() -- -- options, args = parse_options() -- -- if len(args) != 1: -- sys.exit("You must specify one action: enable | disable | status") -- elif args[0] not in {"enable", "disable", "status"}: -- sys.exit("Unrecognized action [" + args[0] + "]") -- -- standard_logging_setup(None, debug=options.debug) -- dirman_password = "" -- if options.password: -- try: -- pw = ipautil.template_file(options.password, []) -- except IOError: -- sys.exit("File \"%s\" not found or not readable" % options.password) -- dirman_password = pw.strip() -- else: -- dirman_password = get_dirman_password() -- if dirman_password is None: -- sys.exit("Directory Manager password required") -- -- if not dirman_password: -- sys.exit("No password supplied") -- -- api.bootstrap( -- context='cli', confdir=paths.ETC_IPA, -- debug=options.debug, in_server=True) -- api.finalize() -- api.Backend.ldap2.connect(bind_pw=dirman_password) -- -- if args[0] == "enable": -- compat = get_entry(compat_dn) -- if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': -- sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable") -- entry = None -- try: -- entry = get_entry(nis_config_dn) -- except errors.ExecutionError as lde: -- print("An error occurred while talking to the server.") -- print(lde) -- retval = 1 -- -- # Enable either the portmap or rpcbind service -- portmap = services.knownservices.portmap -- rpcbind = services.knownservices.rpcbind -- -- if portmap.is_installed(): -- portmap.enable() -- servicemsg = portmap.service_name -- elif rpcbind.is_installed(): -- rpcbind.enable() -- servicemsg = rpcbind.service_name -- else: -- print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) -- retval = 3 -- -- # The cn=config entry for the plugin may already exist but it -- # could be turned off, handle both cases. -- if entry is None: -- print("Enabling plugin") -- ld = LDAPUpdate() -- if ld.update(files) != True: -- retval = 1 -- elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': -- print("Enabling plugin") -- # Already configured, just enable the plugin -- entry['nsslapd-pluginenabled'] = ['on'] -- api.Backend.ldap2.update_entry(entry) -- else: -- print("Plugin already Enabled") -- retval = 2 -- -- elif args[0] == "disable": -- try: -- entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled']) -- entry['nsslapd-pluginenabled'] = ['off'] -- api.Backend.ldap2.update_entry(entry) -- except (errors.NotFound, errors.EmptyModlist): -- print("Plugin is already disabled") -- retval = 2 -- except errors.LDAPError as lde: -- print("An error occurred while talking to the server.") -- print(lde) -- retval = 1 -- -- elif args[0] == "status": -- nis_entry = get_entry(nis_config_dn) -- enabled = (nis_entry and -- nis_entry.get( -- 'nsslapd-pluginenabled', '')[0].lower() == "on") -- if enabled: -- print("Plugin is enabled") -- retval = 0 -- else: -- print("Plugin is not enabled") -- retval = 4 -- -- else: -- retval = 1 -- -- if retval == 0: -- if args[0] in {"enable", "disable"}: -- print("This setting will not take effect until you restart " -- "Directory Server.") -- -- if args[0] == "enable": -- print("The %s service may need to be started." % servicemsg) -- -- api.Backend.ldap2.disconnect() -- -- return retval -- --if __name__ == '__main__': -- installutils.run_script(main, operation_name='ipa-nis-manage') -diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am -index 34f359863..282407602 100644 ---- a/install/tools/man/Makefile.am -+++ b/install/tools/man/Makefile.am -@@ -18,7 +18,6 @@ dist_man1_MANS = \ - ipa-kra-install.1 \ - ipa-ldap-updater.1 \ - ipa-compat-manage.1 \ -- ipa-nis-manage.1 \ - ipa-managed-entries.1 \ - ipa-backup.1 \ - ipa-restore.1 \ -diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 -deleted file mode 100644 -index 1107b7790..000000000 ---- a/install/tools/man/ipa-nis-manage.1 -+++ /dev/null -@@ -1,51 +0,0 @@ --.\" A man page for ipa-nis-manage --.\" Copyright (C) 2009 Red Hat, Inc. --.\" --.\" This program is free software; you can redistribute it and/or modify --.\" it under the terms of the GNU General Public License as published by --.\" the Free Software Foundation, either version 3 of the License, or --.\" (at your option) any later version. --.\" --.\" This program is distributed in the hope that it will be useful, but --.\" WITHOUT ANY WARRANTY; without even the implied warranty of --.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU --.\" General Public License for more details. --.\" --.\" You should have received a copy of the GNU General Public License --.\" along with this program. If not, see . --.\" --.\" Author: Rob Crittenden --.\" --.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages" --.SH "NAME" --ipa\-nis\-manage \- Enables or disables the NIS listener plugin --.SH "SYNOPSIS" --ipa\-nis\-manage [options] --.SH "DESCRIPTION" --Run the command with the \fBenable\fR option to enable the NIS plugin. -- --Run the command with the \fBdisable\fR option to disable the NIS plugin. -- --Run the command with the \fBstatus\fR option to read status of the NIS plugin. Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin. -- --In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used. -- --Directory Server will need to be restarted after the NIS listener plugin has been enabled. -- --.SH "OPTIONS" --.TP --\fB\-d\fR, \fB\-\-debug\fR --Enable debug logging when more verbose output is needed --.TP --\fB\-y\fR \fIfile\fR --File containing the Directory Manager password --.SH "EXIT STATUS" --0 if the command was successful -- --1 if an error occurred -- --2 if the plugin is already in the required status (enabled or disabled) -- --3 if RPC services cannot be enabled. -- --4 if status command detected plugin in disabled state. -diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update -index 1f89341c7..9525292cb 100644 ---- a/install/updates/10-enable-betxn.update -+++ b/install/updates/10-enable-betxn.update -@@ -44,6 +44,3 @@ only: nsslapd-pluginbetxn: on - - dn: cn=Schema Compatibility, cn=plugins, cn=config - onlyifexist: nsslapd-pluginbetxn: on -- --dn: cn=NIS Server, cn=plugins, cn=config --onlyifexist: nsslapd-pluginbetxn: on -diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update -deleted file mode 100644 -index 05a166f00..000000000 ---- a/install/updates/50-nis.update -+++ /dev/null -@@ -1,3 +0,0 @@ --# Updates are applied only if NIS plugin has been configured --# update definitions are located in install/share/nis-update.uldif --plugin: update_nis_configuration -diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am -index fd96831d8..cce2670a6 100644 ---- a/install/updates/Makefile.am -+++ b/install/updates/Makefile.am -@@ -52,7 +52,6 @@ app_DATA = \ - 50-groupuuid.update \ - 50-hbacservice.update \ - 50-krbenctypes.update \ -- 50-nis.update \ - 50-ipaconfig.update \ - 55-pbacmemberof.update \ - 59-trusts-sysacount.update \ -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index b339d2202..aed293845 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -295,8 +295,6 @@ class BasePathNamespace: - KRB_CON = "/usr/share/ipa/html/krb.con" - HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini" - HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con" -- NIS_ULDIF = "/usr/share/ipa/nis.uldif" -- NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif" - SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update" - SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif" - IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" -diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py -index e21937401..a889143ec 100644 ---- a/ipaserver/install/ipa_migrate.py -+++ b/ipaserver/install/ipa_migrate.py -@@ -31,7 +31,7 @@ from ipapython.ipa_log_manager import standard_logging_setup - from ipaserver.install.ipa_migrate_constants import ( - DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME, - STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS, -- DNA_REGEN_VAL, DNA_REGEN_ATTRS, NIS_PLUGIN, IGNORE_ATTRS, -+ DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS, - DB_EXCLUDE_TREES - ) - -@@ -718,8 +718,7 @@ class IPAMigrate(): - self.log_info(title) - self.log_info('-' * (len(title) - 1)) - logged_something = self.log_stats(DS_CONFIG) -- if self.args.verbose or NIS_PLUGIN['count'] > 0: -- self.log_info(f" - NIS Server Plugin: {NIS_PLUGIN['count']}") -+ if self.args.verbose: - logged_something = True - if not self.log_stats(DS_INDEXES) and not logged_something: - self.log_info(" - No updates") -@@ -1847,28 +1846,6 @@ class IPAMigrate(): - add_missing=True) - stats['config_processed'] += 1 - -- # Slapi NIS Plugin -- if DN(NIS_PLUGIN['dn']) == DN(entry['dn']): -- # Parent plugin entry -- self.process_config_entry( -- entry['dn'], entry['attrs'], NIS_PLUGIN, -- add_missing=True) -- stats['config_processed'] += 1 -- elif DN(NIS_PLUGIN['dn']) in DN(entry['dn']): -- # Child NIS plugin entry -- nis_dn = entry['dn'] -- lc_remote_realm = self.remote_realm.lower() -- lc_realm = self.realm.lower() -- nis_dn = nis_dn.replace(lc_remote_realm, lc_realm) -- if 'nis-domain' in entry['attrs']: -- value = entry['attrs']['nis-domain'][0] -- value = value.replace(lc_remote_realm, lc_realm) -- entry['attrs']['nis-domain'][0] = value -- # Process the entry -- self.process_config_entry(nis_dn, entry['attrs'], NIS_PLUGIN, -- add_missing=True) -- stats['config_processed'] += 1 -- - # - # Migration - # -diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py -index 0e26c7549..e0e504741 100644 ---- a/ipaserver/install/ipa_migrate_constants.py -+++ b/ipaserver/install/ipa_migrate_constants.py -@@ -502,30 +502,6 @@ DS_CONFIG = { - }, - } - --# --# Slpai NIS is an optional plugin. It requires special handling --# --NIS_PLUGIN = { -- 'dn': 'cn=NIS Server,cn=plugins,cn=config', -- 'attrs': [ -- 'nis-domain', -- 'nis-base', -- 'nis-map', -- 'nis-filter', -- 'nis-key-format:', -- 'nis-values-format:', -- 'nis-secure', -- 'nis-disallowed-chars', -- # Parent plugin entry -- 'nsslapd-pluginarg0', -- 'nsslapd-pluginenabled' -- ], -- 'multivalued': [], -- 'label': 'NIS Server Plugin', -- 'mode': 'all', -- 'count': 0, --} -- - # - # This mapping is simliar to above but it handles container entries - # This could be built into the above mapping using the "comma" approach -diff --git a/ipaserver/install/plugins/update_nis.py b/ipaserver/install/plugins/update_nis.py -deleted file mode 100644 -index c02eb5f83..000000000 ---- a/ipaserver/install/plugins/update_nis.py -+++ /dev/null -@@ -1,92 +0,0 @@ --# --# Copyright (C) 2015 FreeIPA Contributors see COPYING for license --# -- --from __future__ import absolute_import -- --import logging -- --from ipalib.plugable import Registry --from ipalib import errors --from ipalib import Updater --from ipaplatform.paths import paths --from ipapython.dn import DN --from ipaserver.install import sysupgrade --from ipaserver.install.ldapupdate import LDAPUpdate -- --logger = logging.getLogger(__name__) -- --register = Registry() -- -- --@register() --class update_nis_configuration(Updater): -- """Update NIS configuration -- -- NIS configuration can be updated only if NIS Server was configured via -- ipa-nis-manage command. -- """ -- -- def __recover_from_missing_maps(self, ldap): -- # https://fedorahosted.org/freeipa/ticket/5507 -- # if all following DNs are missing, but 'NIS Server' container exists -- # we are experiencig bug and maps should be fixed -- -- if sysupgrade.get_upgrade_state('nis', -- 'done_recover_from_missing_maps'): -- # this recover must be done only once, a user may deleted some -- # maps, we do not want to restore them again -- return -- -- logger.debug("Recovering from missing NIS maps bug") -- -- suffix = "cn=NIS Server,cn=plugins,cn=config" -- domain = self.api.env.domain -- missing_dn_list = [ -- DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [ -- "nis-domain={domain}+nis-map=passwd.byname,{suffix}", -- "nis-domain={domain}+nis-map=passwd.byuid,{suffix}", -- "nis-domain={domain}+nis-map=group.byname,{suffix}", -- "nis-domain={domain}+nis-map=group.bygid,{suffix}", -- "nis-domain={domain}+nis-map=netid.byname,{suffix}", -- "nis-domain={domain}+nis-map=netgroup,{suffix}", -- ] -- ] -- -- for dn in missing_dn_list: -- try: -- ldap.get_entry(dn, attrs_list=['cn']) -- except errors.NotFound: -- pass -- else: -- # bug is not effective, at least one of 'possible missing' -- # maps was detected -- return -- -- sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps', -- True) -- -- # bug is effective run update to recreate missing maps -- ld = LDAPUpdate(api=self.api) -- ld.update([paths.NIS_ULDIF]) -- -- def execute(self, **options): -- ldap = self.api.Backend.ldap2 -- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) -- try: -- ldap.get_entry(dn, attrs_list=['cn']) -- except errors.NotFound: -- # NIS is not configured on system, do not execute update -- logger.debug("Skipping NIS update, NIS Server is not configured") -- -- # container does not exist, bug #5507 is not effective -- sysupgrade.set_upgrade_state( -- 'nis', 'done_recover_from_missing_maps', True) -- else: -- self.__recover_from_missing_maps(ldap) -- -- logger.debug("Executing NIS Server update") -- ld = LDAPUpdate(api=self.api) -- ld.update([paths.NIS_UPDATE_ULDIF]) -- -- return False, () -diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py -index ae0d059ce..718798d68 100644 ---- a/ipatests/test_cmdline/test_cli.py -+++ b/ipatests/test_cmdline/test_cli.py -@@ -385,7 +385,6 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' - '/usr/share/ipa/updates/05-pre_upgrade_plugins.update'], - 2, None, IPA_NOT_CONFIGURED), - (['ipa-managed-entries'], 2, None, IPA_NOT_CONFIGURED), -- (['ipa-nis-manage'], 2, None, IPA_NOT_CONFIGURED), - (['ipa-pkinit-manage'], 2, None, IPA_NOT_CONFIGURED), - (['ipa-replica-manage', 'list'], 1, IPA_NOT_CONFIGURED, None), - (['ipa-server-certinstall'], 2, None, IPA_NOT_CONFIGURED), -diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py -index fd34defe5..e00b0f3bb 100644 ---- a/ipatests/test_integration/test_commands.py -+++ b/ipatests/test_integration/test_commands.py -@@ -1269,93 +1269,6 @@ class TestIPACommand(IntegrationTest): - serverid = realm_to_serverid(self.master.domain.realm) - return ("dirsrv@%s.service" % serverid) - -- def test_ipa_nis_manage_enable(self): -- """ -- This testcase checks if ipa-nis-manage enable -- command enables plugin on an IPA master -- """ -- dirsrv_service = self.get_dirsrv_id() -- console_msg = ( -- "Enabling plugin\n" -- "This setting will not take effect until " -- "you restart Directory Server.\n" -- "The rpcbind service may need to be started" -- ) -- status_msg = "Plugin is enabled" -- tasks.kinit_admin(self.master) -- result = self.master.run_command( -- ["ipa-nis-manage", "enable"], -- stdin_text=self.master.config.admin_password, -- ) -- assert console_msg in result.stdout_text -- # verify using backend -- conn = self.master.ldap_connect() -- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) -- entry = conn.get_entry(dn) -- nispluginstring = entry.get('nsslapd-pluginEnabled') -- assert 'on' in nispluginstring -- # restart for changes to take effect -- self.master.run_command(["systemctl", "restart", dirsrv_service]) -- self.master.run_command(["systemctl", "restart", "rpcbind"]) -- time.sleep(DIRSRV_SLEEP) -- # check status msg on the console -- result = self.master.run_command( -- ["ipa-nis-manage", "status"], -- stdin_text=self.master.config.admin_password, -- ) -- assert status_msg in result.stdout_text -- -- def test_ipa_nis_manage_disable(self): -- """ -- This testcase checks if ipa-nis-manage disable -- command disable plugin on an IPA Master -- """ -- dirsrv_service = self.get_dirsrv_id() -- msg = ( -- "This setting will not take effect " -- "until you restart Directory Server." -- ) -- status_msg = "Plugin is not enabled" -- tasks.kinit_admin(self.master) -- result = self.master.run_command( -- ["ipa-nis-manage", "disable"], -- stdin_text=self.master.config.admin_password, -- ) -- assert msg in result.stdout_text -- # verify using backend -- conn = self.master.ldap_connect() -- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) -- entry = conn.get_entry(dn) -- nispluginstring = entry.get('nsslapd-pluginEnabled') -- assert 'off' in nispluginstring -- # restart dirsrv for changes to take effect -- self.master.run_command(["systemctl", "restart", dirsrv_service]) -- time.sleep(DIRSRV_SLEEP) -- # check status msg on the console -- result = self.master.run_command( -- ["ipa-nis-manage", "status"], -- stdin_text=self.master.config.admin_password, -- raiseonerr=False, -- ) -- assert result.returncode == 4 -- assert status_msg in result.stdout_text -- -- def test_ipa_nis_manage_enable_incorrect_password(self): -- """ -- This testcase checks if ipa-nis-manage enable -- command throws error on console for invalid DS admin password -- """ -- msg1 = "Insufficient access: " -- msg2 = "Invalid credentials" -- result = self.master.run_command( -- ["ipa-nis-manage", "enable"], -- stdin_text='Invalid_pwd', -- raiseonerr=False, -- ) -- assert result.returncode == 1 -- assert msg1 in result.stderr_text -- assert msg2 in result.stderr_text -- - def test_pkispawn_log_is_present(self): - """ - This testcase checks if pkispawn logged properly. --- -2.45.2 - - diff --git a/0002-ipatest-add-an-integration-test-for-samba-upgrade.patch b/0002-ipatest-add-an-integration-test-for-samba-upgrade.patch new file mode 100644 index 0000000..d953605 --- /dev/null +++ b/0002-ipatest-add-an-integration-test-for-samba-upgrade.patch @@ -0,0 +1,65 @@ +From 41067f9506e8548a4f5ef11dca675fee741a4436 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 4 Dec 2025 12:58:38 +0100 +Subject: [PATCH] ipatest: add an integration test for samba upgrade + +When a trust was establish pre samba 4.23, the trust domain object +could contain ipanttrustattributes = 40 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) +and winbind would fail to restart after an upgrade to samba 4.23. + +Add a test simulating the situation and calling ipa-server-upgrade + +Related: https://pagure.io/freeipa/issue/9892 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_integration/test_trust.py | 33 +++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index 7bb74e2f5821719ffe2ceaf2bdcd8e7d46a6cd1f..13ad0afa4c1fb032d50f40cf7cb9b79283203225 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -1009,6 +1009,39 @@ class TestTrust(BaseTestTrust): + tasks.unconfigure_windows_dns_for_trust(self.ad, self.master) + tasks.unconfigure_dns_for_trust(self.master, self.ad) + ++ def test_upgrade_within_forest(self): ++ """ ++ Simulate an upgrade from a trust established with samba pre 4.23 ++ ++ With older samba version, the trust domain object had ++ ipanttrustattributes: 8 ++ corresponding to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST ++ and this breaks ipa-upgrade (winbind fails to restart) ++ """ ++ ++ tasks.configure_dns_for_trust(self.master, self.ad) ++ tasks.configure_windows_dns_for_trust(self.ad, self.master) ++ tasks.establish_trust_with_ad( ++ self.master, self.ad_domain, ++ extra_args=['--range-type', 'ipa-ad-trust']) ++ ++ conn = self.master.ldap_connect() ++ trust_dn = DN("cn={},cn=ad,cn=trusts,{}".format( ++ self.ad.domain.name, self.master.domain.basedn ++ )) ++ entry = conn.get_entry(trust_dn) ++ ++ # set the trust attributes to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST ++ entry.single_value['ipanttrustattributes'] = '40' ++ conn.update_entry(entry) ++ self.master.run_command(['ipa-server-upgrade']) ++ self.master.run_command(['ipactl', 'restart']) ++ ++ # cleanup for next test ++ self.remove_trust(self.ad) ++ tasks.unconfigure_windows_dns_for_trust(self.ad, self.master) ++ tasks.unconfigure_dns_for_trust(self.master, self.ad) ++ + def test_server_option_with_unreachable_ad(self): + """ + Check trust can be established with partially unreachable AD topology +-- +2.52.0 + diff --git a/0003-ipatests-Check-Default-PAC-type-is-added-to-config.patch b/0003-ipatests-Check-Default-PAC-type-is-added-to-config.patch deleted file mode 100644 index c8f898e..0000000 --- a/0003-ipatests-Check-Default-PAC-type-is-added-to-config.patch +++ /dev/null @@ -1,92 +0,0 @@ -From ad4b7f6cedaed54acf279033b650010c65face10 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Tue, 20 Aug 2024 14:52:03 +0530 -Subject: [PATCH] ipatests: Check Default PAC type is added to config - -This patch checks that the default PAC type -is added to configuration i.e ipaKrbAuthzData: MS-PAC -during ipa-server-installation - -The patch also checks that if 'ipaKrbAuthzData: MS-PAC' -attribute is deleted and then when we run 'ipa-server-upgrade' -command the attribute is added back. - -Related: https://pagure.io/freeipa/issue/9632 - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud ---- - .../test_integration/test_installation.py | 15 +++++++++++ - ipatests/test_integration/test_upgrade.py | 26 ++++++++++++++++++- - 2 files changed, 40 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index ada43e33fe173ea3c315178c37e2a664b05b905b..c5565c452010f23f038ddf329454b591ef09f6af 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1190,6 +1190,21 @@ class TestInstallMaster(IntegrationTest): - expected_stdout=f'href="https://{self.master.hostname}/' - ) - -+ def test_pac_configuration_enabled(self): -+ """ -+ This testcase checks that the default PAC type -+ is added to configuration. -+ """ -+ base_dn = str(self.master.domain.basedn) -+ dn = DN( -+ ("cn", "ipaConfig"), -+ ("cn", "etc"), -+ base_dn -+ ) -+ result = tasks.ldapsearch_dm(self.master, str(dn), -+ ["ipaKrbAuthzData"]) -+ assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text -+ - def test_hostname_parameter(self, server_cleanup): - """ - Test that --hostname parameter is respected in interactive mode. -diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py -index 011de939e92790734d63da2f85be1c25349116a8..a0f393780ccc25774466992976532c876aa876da 100644 ---- a/ipatests/test_integration/test_upgrade.py -+++ b/ipatests/test_integration/test_upgrade.py -@@ -165,7 +165,6 @@ class TestUpgrade(IntegrationTest): - ldap.update_entry(location_krb_rec) - - yield _setup_locations -- - ldap = self.master.ldap_connect() - - modified = False -@@ -491,3 +490,28 @@ class TestUpgrade(IntegrationTest): - tasks.reinstall_packages(self.master, ['*ipa-client']) - assert not self.master.transport.file_exists( - paths.SSH_CONFIG + ".orig") -+ -+ def test_mspac_attribute_set(self): -+ """ -+ This testcase deletes the already existing attribute -+ 'ipaKrbAuthzData: MS-PAC'. -+ The test then runs ipa-server-upgrade and checks that -+ the attribute 'ipaKrbAuthzData: MS-PAC' is added again. -+ """ -+ base_dn = str(self.master.domain.basedn) -+ dn = DN( -+ ("cn", "ipaConfig"), -+ ("cn", "etc"), -+ base_dn -+ ) -+ ldif = textwrap.dedent(""" -+ dn: cn=ipaConfig,cn=etc,{} -+ changetype: modify -+ delete: ipaKrbAuthzData -+ """).format(base_dn) -+ tasks.ldapmodify_dm(self.master, ldif) -+ tasks.kinit_admin(self.master) -+ self.master.run_command(['ipa-server-upgrade']) -+ result = tasks.ldapsearch_dm(self.master, str(dn), -+ ["ipaKrbAuthzData"]) -+ assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text --- -2.46.0 - diff --git a/0004-selinux-add-all-IPA-log-files-to-ipa_log_t-file-cont.patch b/0004-selinux-add-all-IPA-log-files-to-ipa_log_t-file-cont.patch deleted file mode 100644 index 2972dc1..0000000 --- a/0004-selinux-add-all-IPA-log-files-to-ipa_log_t-file-cont.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 42eb97ee6bd8011b590aef321d4386ea9352933d Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 28 Aug 2024 10:02:19 +0300 -Subject: [PATCH] selinux: add all IPA log files to ipa_log_t file context - -We have multiple log files that produced by IPA components. Some of them -are written by the tools that run as root and inherit their file context -from /var/log -> var_log_t. However, increasingly we get tools that were -run through oddjob helpers. These supposed to be run within ipa_helper_t -SELinux context which has write permissions for ipa_log_t file context. - -Add all known log files from the base platform. The following script was -used to generate them: -$ git grep '_LOG = .*ipa.*\.log' ipaplatform/base/paths.py | cut -d= -f2 | \ - xargs -I% echo -e "%\t--\tgen_context(system_u:object_r:ipa_log_t,s0)" - -/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_log_t,s0) -/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0) - -ipa-custodia.audit.log was already in the present list. - -Additionally, ipa-migrate-conflict.ldif is used by the ipa-migrate tool -but is not provided through the ipaplatform mechanism. It is added -explicitly. - -Fixes: https://pagure.io/freeipa/issue/9654 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - selinux/ipa.fc | 21 ++++++++++++++++++++- - 1 file changed, 20 insertions(+), 1 deletion(-) - -diff --git a/selinux/ipa.fc b/selinux/ipa.fc -index 700e3a14a11fcd403a2e6f57ec781c58dae77660..47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2 100644 ---- a/selinux/ipa.fc -+++ b/selinux/ipa.fc -@@ -24,7 +24,26 @@ - - /var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0) - --/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0) -+/var/log/ipa-migrate-conflict.ldif -- gen_context(system_u:object_r:ipa_log_t,s0) - - /var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) - --- -2.46.0 - diff --git a/0005-Add-ipa-idrange-fix.patch b/0005-Add-ipa-idrange-fix.patch deleted file mode 100644 index 9948fa9..0000000 --- a/0005-Add-ipa-idrange-fix.patch +++ /dev/null @@ -1,1501 +0,0 @@ -From aa4651526e6697e15ce4960bf1d15d1389889c7f Mon Sep 17 00:00:00 2001 -From: "asharov@redhat.com" -Date: Mon, 24 Jun 2024 15:33:34 +0200 -Subject: [PATCH] Add ipa-idrange-fix - -ipa-idrange-fix is a tool for analysis of existing IPA ranges, users -and groups outside of those ranges, and functionality to propose -and apply remediations to make sure as much users and groups as -possible end up in the IPA-managed ranges. - -Fixes: https://pagure.io/freeipa/issue/9612 - -Signed-off-by: Aleksandr Sharov -Reviewed-By: Rob Crittenden -Reviewed-By: Rob Crittenden ---- - freeipa.spec.in | 2 + - install/tools/Makefile.am | 2 + - install/tools/ipa-idrange-fix.in | 8 + - install/tools/man/Makefile.am | 1 + - install/tools/man/ipa-idrange-fix.1 | 111 ++ - ipaserver/install/ipa_idrange_fix.py | 1085 +++++++++++++++++ - .../test_integration/test_ipa_idrange_fix.py | 189 +++ - 7 files changed, 1398 insertions(+) - create mode 100644 install/tools/ipa-idrange-fix.in - create mode 100644 install/tools/man/ipa-idrange-fix.1 - create mode 100644 ipaserver/install/ipa_idrange_fix.py - create mode 100644 ipatests/test_integration/test_ipa_idrange_fix.py - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index e370290bc74d92ab239bf11e88b3fa7e4faef415..171b6ad27b57553fdd46c7d041715949bb00b163 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -1517,6 +1517,7 @@ fi - %{_sbindir}/ipa-pkinit-manage - %{_sbindir}/ipa-crlgen-manage - %{_sbindir}/ipa-cert-fix -+%{_sbindir}/ipa-idrange-fix - %{_sbindir}/ipa-acme-manage - %{_sbindir}/ipa-migrate - %if 0%{?fedora} >= 38 -@@ -1596,6 +1597,7 @@ fi - %{_mandir}/man1/ipa-pkinit-manage.1* - %{_mandir}/man1/ipa-crlgen-manage.1* - %{_mandir}/man1/ipa-cert-fix.1* -+%{_mandir}/man1/ipa-idrange-fix.1* - %{_mandir}/man1/ipa-acme-manage.1* - %{_mandir}/man1/ipa-migrate.1* - -diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am -index c454fad9795c79f88e1d72688f1d15c5234cc113..ca484ec37969c9c06ae7b408b55fa30cd4e8e4fe 100644 ---- a/install/tools/Makefile.am -+++ b/install/tools/Makefile.am -@@ -31,6 +31,7 @@ dist_noinst_DATA = \ - ipa-pkinit-manage.in \ - ipa-crlgen-manage.in \ - ipa-cert-fix.in \ -+ ipa-idrange-fix.in \ - ipa-custodia.in \ - ipa-custodia-check.in \ - ipa-httpd-kdcproxy.in \ -@@ -68,6 +69,7 @@ nodist_sbin_SCRIPTS = \ - ipa-pkinit-manage \ - ipa-crlgen-manage \ - ipa-cert-fix \ -+ ipa-idrange-fix \ - ipa-acme-manage \ - ipa-migrate \ - $(NULL) -diff --git a/install/tools/ipa-idrange-fix.in b/install/tools/ipa-idrange-fix.in -new file mode 100644 -index 0000000000000000000000000000000000000000..5994bd28b15e247c5a086238f36b16cc75ff24c3 ---- /dev/null -+++ b/install/tools/ipa-idrange-fix.in -@@ -0,0 +1,8 @@ -+#!/usr/bin/python3 -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaserver.install.ipa_idrange_fix import IPAIDRangeFix -+ -+IPAIDRangeFix.run_cli() -diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am -index 34f359863afca7b6c1e792a53afc25bb8eb41fd3..e9542a77bbbb88054eae1e64311d6e9ec5bee499 100644 ---- a/install/tools/man/Makefile.am -+++ b/install/tools/man/Makefile.am -@@ -29,6 +29,7 @@ dist_man1_MANS = \ - ipa-pkinit-manage.1 \ - ipa-crlgen-manage.1 \ - ipa-cert-fix.1 \ -+ ipa-idrange-fix.1 \ - ipa-acme-manage.1 \ - ipa-migrate.1 \ - $(NULL) -diff --git a/install/tools/man/ipa-idrange-fix.1 b/install/tools/man/ipa-idrange-fix.1 -new file mode 100644 -index 0000000000000000000000000000000000000000..178d2e88779e135a65f3285de62d2dc3b19c175a ---- /dev/null -+++ b/install/tools/man/ipa-idrange-fix.1 -@@ -0,0 +1,111 @@ -+.\" -+.\" Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+.\" -+.TH "ipa-idrange-fix" "1" "May 26 2024" "IPA" "IPA Manual Pages" -+.SH "NAME" -+ipa\-idrange\-fix \- Analyse and fix IPA ID ranges -+.SH "SYNOPSIS" -+ipa\-idrange\-fix [options] -+.SH "DESCRIPTION" -+ -+\fIipa-idrange-fix\fR is a tool for analysis of existing IPA ranges, users and -+groups outside of those ranges, and functionality to propose and apply -+remediations to make sure as many users and groups as possible end up in the -+IPA-managed ranges. Before any changes are applied, a full backup of the system -+is \fBSTRONGLY RECOMMENDED\fR. -+ -+Do not use this program in unattended mode unless you are absolutely sure -+you are consenting to the tool's proposals. -+ -+You can apply the proposals manually via \fIipa idrange(1)\fR commands. -+ -+This tool requires it to be run as \fBroot\fR and does not require a kerberos -+ticket. The directory server needs to be running. -+ -+\fIipa-idrange-fix\fR will read current ranges from LDAP, then check their -+basic constraints, RID bases, etc. If it finds critical issues with ranges, -+manual adjustment will be required. -+ -+After analyzing existing ranges, the tool will search for users and groups that -+are outside of ipa-local ranges. Then it will attempt to propose new ipa-local -+ranges in order to cover users and groups found. -+ -+Finally, the tool will summarize the analysis, and, if there are proposed -+changes, will ask if the user wants to apply those. Please read the -+proposals carefully before proceeding with changes! -+ -+Important note: By default, \fIipa-idrange-fix\fR will not cover the users and -+groups that have IDs under 1000 as these IDs are reserved for system and -+service users and groups. We \fBdon't recommend\fR using IDs under 1000 for -+IPA users and groups as they can possibly overlap with local ones. Please -+consider moving those users out of the range 1..1000, unless they are -+absolutely needed. -+ -+.SH "OPTIONS" -+.TP -+\fB\-\-version\fR -+Show the program's version and exit. -+.TP -+\fB\-h\fR, \fB\-\-help\fR -+Show the help for this program. -+.TP -+\fB\-\-ridoffset \fIINT\fR -+An offset for newly proposed base RIDs for ranges. We introduce offset in order -+to have an ability to increase ranges in the future, increase to more than -+offset will result in RID bases overlapping, and will be denied. If set to 0, -+there will be no offset, proposed RID ranges will start directly one after -+another. -+ -+Default - \fI100000\fR, allowed values - from \fI0\fR to \fI2^31\fR. -+.TP -+\fB\-\-rangegap \fIINT\fR -+A number of IDs between out of ranges IDs to be considered too big to be inside -+a proposed range. If the gap is bigger than this attribute, a new range will be -+started. If set to 0, every entity will get its own range, if allowed by -+\fI--minrange\fR. -+ -+Default - \fI200000\fR, allowed values - from \fI0\fR to \fI2^31\fR. -+.TP -+\fB\-\-minrange \fIINT\fR -+A minimal amount of IDs the tool considers to be a valid range. All IDs that -+would form a range with less than this number will be considered outliers, not -+worth creating an IDrange for, and will be listed explicitly to be moved -+manually. If set to 1, a range will be proposed for every entity, even if the -+entity is single in the middle of an empty space. -+ -+Default - \fI10\fR, allowed values - from \fI1\fR to \fI2^31\fR. -+.TP -+\fB\-\-allowunder1000\fR -+A flag to allow proposing ranges that start with IDs lower than \fI1000\fR. -+Remember, this is not recommended - IDs under 1000 are reserved for system and -+service users and groups. IDranges with these low IDs may result with -+overlapping of IPA and system local users and groups, which can be a serious -+security issue and generally produce a lot of issues around these entities' -+resolution. -+.TP -+\fB\-\-norounding\fR -+A flag to turn off idrange starting id and size rounding - e.g. if we find -+ID 1234, and the size 567, it will stay that way, the proposed range will -+start at ID 1234, and have a 567 size. If not specified, basic rounding to -+outer margins will be applied. Rounding will be 10^size of the proposed range. -+.TP -+\fB\-\-unattended\fR -+Run the tool in unattended mode, if any changes would be proposed, they will -+be applied automatically. -+.TP -+\fB\-v\fR, \fB\-\-verbose\fR -+Print debugging information. -+.TP -+\fB\-q\fR, \fB\-\-quiet\fR -+Output only errors (output from child processes may still be shown). -+.TP -+\fB\-\-log\-file\fR=\fIFILE\fR -+Log to the given file. -+.SH "EXIT STATUS" -+0 if the command was successful -+ -+1 if an error occurred -+ -+.SH "SEE ALSO" -+.BR ipa\ idrange-mod(1) -+.BR ipa\ idrange-add(1) -diff --git a/ipaserver/install/ipa_idrange_fix.py b/ipaserver/install/ipa_idrange_fix.py -new file mode 100644 -index 0000000000000000000000000000000000000000..c6c67ae9330e2d0184efc09d09a84216ef0772a6 ---- /dev/null -+++ b/ipaserver/install/ipa_idrange_fix.py -@@ -0,0 +1,1085 @@ -+"""Tool to analyze and fix IPA ID ranges""" -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+ -+import logging -+import ldap -+ -+from ipalib import api, errors -+from ipapython.admintool import AdminTool -+from ipapython.dn import DN -+from ipapython import ipautil -+from typing import List, Tuple -+ -+logger = logging.getLogger(__name__) -+ -+ -+class IDRange: -+ """Class for ID range entity""" -+ -+ def __init__(self): -+ self.last_id: int = None -+ self.last_base_rid: int = None -+ self.last_secondary_rid: int = None -+ self.name: str = None -+ self.size: int = None -+ self.first_id: int = None -+ self.base_rid: int = None -+ self.secondary_base_rid: int = None -+ self.type: str = None -+ self.suffix: str = None -+ self.dn: str = None -+ -+ def _count(self) -> None: -+ """Function to calculate last IDs for the range""" -+ self.last_id = self.first_id + self.size - 1 -+ if self.type == "ipa-local": -+ self.last_base_rid = ( -+ self.base_rid + self.size -+ if self.base_rid is not None -+ else None -+ ) -+ self.last_secondary_rid = ( -+ self.secondary_base_rid + self.size -+ if self.secondary_base_rid is not None -+ else None -+ ) -+ -+ def __repr__(self): -+ return ( -+ f"IDRange(name='{self.name}', " -+ f"type={self.type}, " -+ f"size={self.size}, " -+ f"first_id={self.first_id}, " -+ f"base_rid={self.base_rid}, " -+ f"secondary_base_rid={self.secondary_base_rid})" -+ ) -+ -+ def __eq__(self, other): -+ return self.first_id == other.first_id -+ -+ -+class IDentity: -+ """A generic class for ID entity - users or groups""" -+ -+ def __init__(self, **kwargs): -+ self.dn: str = kwargs.get('dn') -+ self.name: str = kwargs.get('name') -+ self.user: str = kwargs.get('user') -+ self.number: int = kwargs.get('number') -+ -+ def __str__(self): -+ if self.user: -+ return (f"user '{self.name}', uid={self.number}") -+ return (f"group '{self.name}', gid={self.number}") -+ -+ def debug(self): -+ if self.user: -+ return ( -+ f"user(username='{self.name}', " -+ f"uid={self.number}, " -+ f"{self.dn})" -+ ) -+ return ( -+ f"group(groupname='{self.name}', " -+ f"gid={self.number}, " -+ f"{self.dn})" -+ ) -+ -+ def __eq__(self, other): -+ return self.number == other.number and self.user == other.user -+ -+ -+class IPAIDRangeFix(AdminTool): -+ """Tool to analyze and fix IPA ID ranges""" -+ -+ command_name = "ipa-idrange-fix" -+ log_file_name = "/var/log/ipa-idrange-fix.log" -+ usage = "%prog" -+ description = "Analyze and fix IPA ID ranges" -+ -+ @classmethod -+ def add_options(cls, parser, debug_option=False): -+ super(IPAIDRangeFix, cls).add_options(parser) -+ parser.add_option( -+ "--ridoffset", -+ dest="ridoffset", -+ type=int, -+ default=100000, -+ metavar=100000, -+ help="Offset for a next base RID from previous RID range. \ -+Needed for future range size expansions. Has to be > 0", -+ ) -+ parser.add_option( -+ "--rangegap", -+ dest="rangegap", -+ type=int, -+ default=200000, -+ metavar=200000, -+ help="Threshold for a gap between out-of-range IDs to be \ -+considered a different range. Has to be > 0", -+ ) -+ parser.add_option( -+ "--minrange", -+ dest="minrange", -+ type=int, -+ default=10, -+ metavar=10, -+ help="Minimal considered range size for out-of-range IDs.\ -+All ranges with amount of IDs lower than this number will be discarded and \ -+IDs will be listed to be moved manually. Has to be > 1", -+ ) -+ parser.add_option( -+ "--allowunder1000", -+ dest="allowunder1000", -+ action="store_true", -+ default=False, -+ help="Allow idranges to start below 1000. Be careful to not \ -+overlap IPA users/groups with existing system-local ones!", -+ ) -+ parser.add_option( -+ "--norounding", -+ dest="norounding", -+ action="store_true", -+ default=False, -+ help="Disable IDrange rounding attempt in order to get ranges \ -+exactly covering just IDs provided", -+ ) -+ parser.add_option( -+ "--unattended", -+ dest="unattended", -+ action="store_true", -+ default=False, -+ help="Automatically fix all range issues found without asking \ -+for confirmation", -+ ) -+ -+ def __init__(self, *args, **kwargs): -+ super().__init__(*args, **kwargs) -+ self.realm: str = None -+ self.suffix: DN = None -+ self.proposals_rid: List[IDRange] = [] -+ self.proposals_new: List[IDRange] = [] -+ self.outliers: List[IDentity] = [] -+ self.under1000: List[IDentity] = [] -+ self.id_ranges: List[IDRange] = [] -+ -+ def validate_options(self, needs_root=True): -+ super().validate_options(needs_root) -+ -+ def run(self): -+ api.bootstrap(in_server=True) -+ api.finalize() -+ -+ self.realm = api.env.realm -+ self.suffix = ipautil.realm_to_suffix(self.realm) -+ try: -+ api.Backend.ldap2.connect() -+ -+ # Reading range data -+ self.id_ranges = read_ranges(self.suffix) -+ -+ # Evaluating existing ranges, if something is off, exit -+ if self.evaluate_ranges() != 0: -+ return 1 -+ -+ # reading out of range IDs -+ ids_out_of_range = read_outofrange_identities( -+ self.suffix, self.id_ranges -+ ) -+ -+ # Evaluating out of range IDs -+ self.evaluate_identities(ids_out_of_range) -+ -+ # Print the proposals -+ self.print_intentions() -+ -+ # If there are no proposals, we have nothing to do, exiting -+ if (len(self.proposals_rid) == 0 -+ and len(self.proposals_new) == 0): -+ logger.info("\nNo changes proposed, nothing to do.") -+ return 0 -+ -+ logger.info("\nID ranges table after proposed changes:") -+ draw_ascii_table(self.id_ranges) -+ -+ if self.options.unattended: -+ logger.info( -+ "Unattended mode, proceeding with applying changes!" -+ ) -+ else: -+ response = ipautil.user_input('Enter "yes" to proceed') -+ if response.lower() != "yes": -+ logger.info("Not proceeding.") -+ return 0 -+ logger.info("Proceeding.") -+ -+ # Applying changes -+ for id_range in self.proposals_rid: -+ apply_ridbases(id_range) -+ -+ for id_range in self.proposals_new: -+ create_range(id_range) -+ -+ logger.info("All changes applied successfully!") -+ -+ finally: -+ if api.Backend.ldap2.isconnected(): -+ api.Backend.ldap2.disconnect() -+ -+ return 0 -+ -+ def evaluate_ranges(self) -> int: -+ """Function to evaluate existing ID ranges""" -+ if len(self.id_ranges) == 0: -+ logger.error("No ID ranges found!") -+ return 1 -+ -+ draw_ascii_table(self.id_ranges) -+ -+ if not ranges_overlap_check(self.id_ranges): -+ logger.error( -+ "Ranges overlap detected, cannot proceed! Please adjust \ -+existing ranges manually." -+ ) -+ return 1 -+ -+ # Checking RID bases for existing ranges -+ id_ranges_nobase = get_ranges_no_base(self.id_ranges) -+ -+ if len(id_ranges_nobase) > 0: -+ logger.info( -+ "Found %s ranges without base RIDs", len(id_ranges_nobase) -+ ) -+ for id_range in id_ranges_nobase: -+ logger.debug( -+ "Range '%s' has RID base %s and secondary RID base %s", -+ id_range.name, -+ id_range.base_rid, -+ id_range.secondary_base_rid, -+ ) -+ propose_rid_ranges( -+ self.id_ranges, -+ self.options.ridoffset, -+ self.proposals_rid -+ ) -+ else: -+ logger.info( -+ "All ID ranges have base RIDs set, RID adjustments are \ -+not needed." -+ ) -+ return 0 -+ -+ def evaluate_identities(self, ids_out_of_range: List[IDentity]) -> None: -+ """Function to evaluate out of range IDs""" -+ if len(ids_out_of_range) == 0: -+ logger.info("No out of range IDs found!") -+ else: -+ logger.info( -+ "Found overall %s IDs out of existing ID ranges.\n", -+ len(ids_out_of_range), -+ ) -+ # ruling out IDs under 1000 if flag is not set -+ if not self.options.allowunder1000: -+ self.under1000, ids_out_of_range = separate_under1000( -+ ids_out_of_range -+ ) -+ if len(self.under1000) > 0: -+ logger.info( -+ "Found IDs under 1000, which is not recommeneded \ -+(if you definitely need ranges proposed for those, use --allowunder1000):" -+ ) -+ for identity in self.under1000: -+ logger.info("%s", identity) -+ -+ # Get initial divide of IDs into groups -+ groups = group_identities_by_threshold( -+ ids_out_of_range, self.options.rangegap -+ ) -+ -+ # Get outliers from too small groups and clean groups for -+ # further processing -+ self.outliers, cleangroups = separate_ranges_and_outliers( -+ groups, self.options.minrange -+ ) -+ -+ # Print the outliers, they have to be moved manually -+ if len(self.outliers) > 0: -+ logger.info( -+ "\nIdentities that don't fit the criteria to get a new " -+ "range found! Current attributes:\n" -+ "Minimal range size: %s\n" -+ "Maximum gap between IDs: %s\n" -+ "Try adjusting --minrange, --rangegap or move the " -+ "following identities into already existing ranges:", -+ self.options.minrange, -+ self.options.rangegap -+ ) -+ for identity in self.outliers: -+ logger.info("%s", identity) -+ -+ if len(cleangroups) > 0: -+ # Get IDrange name base -+ basename = get_rangename_base(self.id_ranges) -+ -+ # Create proposals for new ranges from groups -+ for group in cleangroups: -+ newrange = propose_range( -+ group, -+ self.id_ranges, -+ self.options.ridoffset, -+ basename, -+ self.options.norounding, -+ self.options.allowunder1000 -+ ) -+ if newrange is not None: -+ self.proposals_new.append(newrange) -+ self.id_ranges.append(newrange) -+ self.id_ranges.sort(key=lambda x: x.first_id) -+ else: -+ logger.info( -+ "\nNo IDs fit the criteria for a new ID range to propose!" -+ ) -+ -+ def print_intentions(self) -> None: -+ """Function to print out the summary of the proposed changes""" -+ logger.info("\nSummary:") -+ -+ if len(self.outliers) > 0: -+ logger.info("Outlier IDs that are too far away to get a range:") -+ for identity in self.outliers: -+ logger.info("%s", identity) -+ -+ if len(self.under1000) > 0: -+ if self.options.allowunder1000: -+ logger.info("IDs under 1000 were treated like normal IDs.") -+ else: -+ logger.info("IDs under 1000:") -+ for identity in self.under1000: -+ logger.info("%s", identity) -+ else: -+ logger.info("No IDs under 1000 found.") -+ -+ if len(self.proposals_rid) > 0: -+ logger.info("Proposed changes to existing ranges:") -+ for id_range in self.proposals_rid: -+ logger.info( -+ "Range '%s' - base RID: %s, secondary base RID: %s", -+ id_range.name, -+ id_range.base_rid, -+ id_range.secondary_base_rid, -+ ) -+ else: -+ logger.info("No changes proposed for existing ranges.") -+ -+ if len(self.proposals_new) > 0: -+ logger.info("Proposed new ranges:") -+ for id_range in self.proposals_new: -+ logger.info("%s", id_range) -+ else: -+ logger.info("No new ranges proposed.") -+ -+# Working with output -+# region -+ -+ -+def draw_ascii_table(id_ranges: List[IDRange], stdout: bool = False) -> None: -+ """Function to draw a table with ID ranges in ASCII""" -+ table: str = "\n" -+ # Calculate the maximum width required for each column using column names -+ max_widths = { -+ column: max( -+ len(str(column)), -+ max( -+ ( -+ len(str(getattr(id_range, column))) -+ if getattr(id_range, column) is not None -+ else 0 -+ ) -+ for id_range in id_ranges -+ ), -+ ) -+ for column in [ -+ "name", -+ "type", -+ "size", -+ "first_id", -+ "last_id", -+ "base_rid", -+ "last_base_rid", -+ "secondary_base_rid", -+ "last_secondary_rid", -+ ] -+ } -+ -+ # Draw the table header -+ header = "| " -+ for column, width in max_widths.items(): -+ header += f"{column.ljust(width)} | " -+ horizontal_line = "-" * (len(header) - 1) -+ table += horizontal_line + "\n" -+ table += header + "\n" -+ table += horizontal_line + "\n" -+ -+ # Draw the table rows -+ for id_range in id_ranges: -+ row = "| " -+ for column, width in max_widths.items(): -+ value = getattr(id_range, column) -+ if value is not None: -+ row += f"{str(value).rjust(width)} | " -+ else: -+ # Adding the separator -+ row += " " * (width + 1) + "| " -+ table += row + "\n" -+ table += horizontal_line + "\n" -+ if stdout: -+ print(table) -+ else: -+ logger.info(table) -+# endregion -+# Reading from LDAP -+# region -+ -+ -+def read_ranges(suffix) -> List[IDRange]: -+ """Function to read ID ranges from LDAP""" -+ id_ranges: IDRange = [] -+ try: -+ ranges = api.Backend.ldap2.get_entries( -+ DN(api.env.container_ranges, suffix), -+ ldap.SCOPE_ONELEVEL, -+ "(objectclass=ipaIDRange)", -+ ) -+ except errors.NotFound: -+ logger.error("LDAPError: No ranges found!") -+ except errors.ExecutionError as e: -+ logger.error("Exception while reading users: %s", e) -+ else: -+ for entry in ranges: -+ sv = entry.single_value -+ id_range = IDRange() -+ id_range.name = sv.get("cn") -+ id_range.size = int(sv.get("ipaidrangesize")) -+ id_range.first_id = int(sv.get("ipabaseid")) -+ id_range.base_rid = ( -+ int(sv.get("ipabaserid")) if sv.get("ipabaserid") else None -+ ) -+ id_range.secondary_base_rid = ( -+ int(sv.get("ipasecondarybaserid")) -+ if sv.get("ipasecondarybaserid") -+ else None -+ ) -+ id_range.suffix = suffix -+ id_range.type = sv.get("iparangetype") -+ id_range.dn = entry.dn -+ -+ id_range._count() -+ logger.debug("ID range found: %s", id_range) -+ -+ id_ranges.append(id_range) -+ -+ id_ranges.sort(key=lambda x: x.first_id) -+ return id_ranges -+ -+ -+def read_outofrange_identities(suffix, id_ranges) -> List[IDentity]: -+ """Function to read out of range users and groups from LDAP""" -+ users_outofrange = read_ldap_ids( -+ DN(api.env.container_user, suffix), -+ True, -+ id_ranges -+ ) -+ logger.info("Users out of range found: %s", len(users_outofrange)) -+ del_outofrange = read_ldap_ids( -+ DN(api.env.container_deleteuser, suffix), -+ True, -+ id_ranges -+ ) -+ logger.info("Preserved users out of range found: %s", len(del_outofrange)) -+ groups_outofrange = read_ldap_ids( -+ DN(api.env.container_group, suffix), -+ False, -+ id_ranges -+ ) -+ logger.info("Groups out of range found: %s", len(groups_outofrange)) -+ outofrange = users_outofrange + del_outofrange + groups_outofrange -+ outofrange.sort(key=lambda x: x.number) -+ return outofrange -+ -+ -+def read_ldap_ids(container_dn, user: bool, id_ranges) -> List[IDentity]: -+ """Function to read IDs from containter in LDAP""" -+ id_entities = [] -+ if user: -+ id_name = "user" -+ ldap_filter = get_outofrange_filter( -+ id_ranges, -+ "posixaccount", -+ "uidNumber" -+ ) -+ else: -+ id_name = "group" -+ ldap_filter = get_outofrange_filter( -+ id_ranges, -+ "posixgroup", -+ "gidNumber" -+ ) -+ -+ logger.debug("Searching %ss in %s with filter: %s", id_name, container_dn, -+ ldap_filter) -+ try: -+ identities = api.Backend.ldap2.get_entries( -+ container_dn, -+ ldap.SCOPE_ONELEVEL, -+ ldap_filter, -+ ) -+ for entry in identities: -+ id_entities.append(read_identity(entry, user)) -+ except errors.NotFound: -+ logger.debug("No out of range %ss found in %s!", id_name, container_dn) -+ except errors.ExecutionError as e: -+ logger.error("Exception while reading %s: %s", container_dn, e) -+ return id_entities -+ -+ -+def read_identity(ldapentry, user: bool = True) -> IDentity: -+ """Function to convert LDAP entry to IDentity object""" -+ sv = ldapentry.single_value -+ id_entity = IDentity() -+ id_entity.dn = ldapentry.dn -+ id_entity.name = sv.get("cn") -+ id_entity.number = ( -+ int(sv.get("uidNumber")) if user else int(sv.get("gidNumber")) -+ ) -+ id_entity.user = user -+ logger.debug("Out of range found: %s", id_entity.debug()) -+ return id_entity -+ -+ -+def get_outofrange_filter( -+ id_ranges_all: List[IDRange], object_class: str, posix_id: str -+) -> str: -+ """Function to create LDAP filter for out of range users and groups""" -+ # we need to look only for ipa-local ranges -+ id_ranges = get_ipa_local_ranges(id_ranges_all) -+ -+ ldap_filter = f"(&(objectClass={object_class})(|" -+ -+ # adding gaps in ranges to the filter -+ for i in range(len(id_ranges) + 1): -+ if i == 0: -+ start_condition = f"({posix_id}>=1)" -+ else: -+ start_condition = f"({posix_id}>={id_ranges[i - 1].last_id + 1})" -+ -+ if i < len(id_ranges): -+ end_condition = f"({posix_id}<={id_ranges[i].first_id - 1})" -+ else: -+ end_condition = f"({posix_id}<=2147483647)" -+ -+ ldap_filter += f"(&{start_condition}{end_condition})" -+ -+ ldap_filter += "))" -+ -+ return ldap_filter -+# endregion -+# Writing to LDAP -+# region -+ -+ -+def apply_ridbases(id_range: IDRange) -> None: -+ """Funtion to apply RID bases to the range in LDAP""" -+ try: -+ api.Backend.ldap2.modify_s( -+ id_range.dn, -+ [ -+ (ldap.MOD_ADD, "ipaBaseRID", str(id_range.base_rid)), -+ ( -+ ldap.MOD_ADD, -+ "ipaSecondaryBaseRID", -+ str(id_range.secondary_base_rid), -+ ), -+ ], -+ ) -+ logger.info("RID bases updated for range '%s'", id_range.name) -+ -+ except ldap.CONSTRAINT_VIOLATION as e: -+ logger.error( -+ "Failed to add RID bases to the range '%s': %s", -+ id_range.name, -+ e -+ ) -+ raise RuntimeError("Constraint violation.\n") from e -+ -+ except Exception as e: -+ logger.error( -+ "Exception while updating RID bases for range '%s': %s", -+ id_range.name, -+ e, -+ ) -+ raise RuntimeError("Failed to update RID bases.\n") from e -+ -+ -+def create_range(id_range: IDRange) -> None: -+ """Function to create a new range in LDAP""" -+ try: -+ logger.info("Creating range '%s'...", id_range.name) -+ -+ entry = api.Backend.ldap2.make_entry( -+ DN(id_range.dn), -+ objectclass=["ipaIDRange", "ipaDomainIDRange"], -+ ipaidrangesize=[str(id_range.size)], -+ ipabaseid=[str(id_range.first_id)], -+ ipabaserid=[str(id_range.base_rid)], -+ ipasecondarybaserid=[str(id_range.secondary_base_rid)], -+ iparangetype=[id_range.type], -+ ) -+ -+ api.Backend.ldap2.add_entry(entry) -+ logger.info("Range '%s' created successfully", id_range.name) -+ except Exception as e: -+ logger.error( -+ "Exception while creating range '%s': %s", -+ id_range.name, -+ e -+ ) -+ raise RuntimeError("Failed to create range.\n") from e -+# endregion -+# Working with ranges -+# region -+ -+ -+def get_ipa_local_ranges(id_ranges: List[IDRange]) -> List[IDRange]: -+ """Function to get only ipa-local ranges from the list of ranges""" -+ ipa_local_ranges = [] -+ -+ for id_range in id_ranges: -+ if id_range.type == "ipa-local": -+ ipa_local_ranges.append(id_range) -+ -+ return ipa_local_ranges -+ -+ -+def range_overlap_check( -+ range1_start: int, range1_end: int, range2_start: int, range2_end: int -+) -> bool: -+ """Function to check if two ranges overlap""" -+ # False when overlapping -+ return not (range1_start <= range2_end and range2_start <= range1_end) -+ -+ -+def range_overlap_check_idrange(range1: IDRange, range2: IDRange) -> bool: -+ """Function to check if two ranges overlap""" -+ # False when overlapping -+ return range_overlap_check( -+ range1.first_id, range1.last_id, range2.first_id, range2.last_id) -+ -+ -+def newrange_overlap_check( -+ id_ranges: List[IDRange], newrange: IDRange -+) -> bool: -+ """Function to check if proposed range overlaps with existing ones""" -+ for id_range in id_ranges: -+ if not range_overlap_check_idrange(id_range, newrange): -+ return False -+ return True -+ -+ -+def ranges_overlap_check(id_ranges: List[IDRange]) -> bool: -+ """Function to check if any of the existing ranges overlap""" -+ if len(id_ranges) < 2: -+ return True -+ for i in range(len(id_ranges) - 1): -+ for j in range(i + 1, len(id_ranges)): -+ if not range_overlap_check_idrange(id_ranges[i], id_ranges[j]): -+ logger.error( -+ "Ranges '%s' and '%s' overlap!", -+ id_ranges[i].name, -+ id_ranges[j].name, -+ ) -+ return False -+ return True -+# endregion -+# Working with RID bases -+# region -+ -+ -+def propose_rid_ranges( -+ id_ranges: List[IDRange], delta: int, proposals: List[IDRange] -+) -> None: -+ """ -+ Function to propose RID bases for ranges that don't have them set. -+ -+ - delta represents how far we start new base off existing range, -+ used in order to allow for future expansion of existing ranges up -+ to [delta] IDs. -+ """ -+ ipa_local_ranges = get_ipa_local_ranges(id_ranges) -+ -+ for id_range in ipa_local_ranges: -+ proposed_base_rid = 0 -+ proposed_secondary_base_rid = 0 -+ -+ # Calculate proposed base RID and secondary base RID -+ if id_range.base_rid is None: -+ result, proposed_base_rid = propose_rid_base( -+ id_range, ipa_local_ranges, delta, True -+ ) -+ if result: -+ id_range.base_rid = proposed_base_rid -+ id_range.last_base_rid = proposed_base_rid + id_range.size -+ else: -+ # if this fails too, we print the warning and abandon the idea -+ logger.warning( -+ "Warning: Proposed base RIDs %s for '%s' both failed, \ -+please adjust manually", -+ proposed_base_rid, -+ id_range.name, -+ ) -+ continue -+ -+ if id_range.secondary_base_rid is None: -+ result, proposed_secondary_base_rid = propose_rid_base( -+ id_range, ipa_local_ranges, delta, False, proposed_base_rid -+ ) -+ if result: -+ id_range.secondary_base_rid = proposed_secondary_base_rid -+ id_range.last_secondary_rid = ( -+ proposed_secondary_base_rid + id_range.size -+ ) -+ else: -+ # if this fails too, we print the warning and abandon the idea -+ logger.warning( -+ "Warning: Proposed secondary base RIDs %s for '%s' \ -+both failed, please adjust manually", -+ proposed_secondary_base_rid, -+ id_range.name, -+ ) -+ continue -+ -+ # Add range to the proposals if we changed something successfully -+ if proposed_base_rid > 0 or proposed_secondary_base_rid > 0: -+ logger.debug( -+ "Proposed RIDs for range '%s': pri %s, sec %s", -+ id_range.name, -+ proposed_base_rid, -+ proposed_secondary_base_rid, -+ ) -+ proposals.append(id_range) -+ -+ -+def propose_rid_base( -+ idrange: IDRange, -+ ipa_local_ranges: List[IDRange], -+ delta: int, -+ primary: bool = True, -+ previous_base_rid: int = -1 -+) -> Tuple[bool, str]: -+ """ -+ Function to propose a base RID for a range, primary or secondary. -+ We are getting the biggest base RID + size + delta and try -+ if it's a viable option, check same kind first, then the other. -+ """ -+ proposed_base_rid = max_rid(ipa_local_ranges, primary) + delta -+ if proposed_base_rid == previous_base_rid: -+ proposed_base_rid += idrange.size + delta -+ if check_rid_base(ipa_local_ranges, proposed_base_rid, idrange.size): -+ return True, proposed_base_rid -+ -+ # if we fail, we try the same with biggest of a different kind -+ proposed_base_rid_orig = proposed_base_rid -+ proposed_base_rid = max_rid(ipa_local_ranges, not primary) + delta -+ if proposed_base_rid == previous_base_rid: -+ proposed_base_rid += idrange.size + delta -+ if check_rid_base(ipa_local_ranges, proposed_base_rid, idrange.size): -+ return True, proposed_base_rid -+ -+ # if it fails, we return both RID proposals for the range -+ return False, f"{proposed_base_rid_orig} and {proposed_base_rid}" -+ -+ -+def max_rid(id_ranges: List[IDRange], primary: bool = True) -> int: -+ """Function to get maximum RID of primary or secondary RIDs""" -+ maximum_rid = 0 -+ for id_range in id_ranges: -+ -+ # looking only for primary RIDs -+ if primary: -+ if id_range.last_base_rid is not None: -+ maximum_rid = max(maximum_rid, id_range.last_base_rid) -+ # looking only for secondary RIDs -+ else: -+ if id_range.last_secondary_rid is not None: -+ maximum_rid = max(maximum_rid, id_range.last_secondary_rid) -+ -+ return maximum_rid -+ -+ -+def check_rid_base(id_ranges: List[IDRange], base: int, size: int) -> bool: -+ """Function to check if proposed RID base is viable""" -+ end = base + size + 1 -+ -+ # Checking sanity of RID range -+ if base + size > 2147483647: -+ return False -+ if base < 1000: -+ return False -+ -+ # Checking RID range overlaps -+ for id_range in id_ranges: -+ # we are interested only in ipa-local ranges -+ if id_range.type != "ipa-local": -+ continue -+ -+ # if there is no base rid set, there is no secondary base rid set, -+ # so nothing to overlap with -+ if id_range.base_rid is None: -+ continue -+ -+ # checking for an overlap -+ if not range_overlap_check( -+ base, end, id_range.base_rid, id_range.last_base_rid -+ ): -+ logger.debug( -+ "RID check failure: proposed Primary %s + %s, \ -+intersects with %s-%s from range '%s'", -+ base, -+ size, -+ id_range.base_rid, -+ id_range.last_base_rid, -+ id_range.name, -+ ) -+ return False -+ -+ # if there is no secondary base rid set, nothing to overlap with -+ if id_range.secondary_base_rid is None: -+ continue -+ -+ # if either start of end of the range fails inside existing range, -+ # or existing range is inside proposed one, we have an overlap -+ if not range_overlap_check( -+ base, end, id_range.secondary_base_rid, id_range.last_secondary_rid -+ ): -+ logger.debug( -+ "RID check failure: proposed Secondary %s + %s, \ -+intersects with %s-%s from range '%s'", -+ base, -+ size, -+ id_range.secondary_base_rid, -+ id_range.last_secondary_rid, -+ id_range.name, -+ ) -+ return False -+ -+ return True -+ -+ -+def get_ranges_no_base(id_ranges: List[IDRange]) -> List[IDRange]: -+ """Function to get ranges without either of base RIDs set""" -+ ipa_local_ranges = get_ipa_local_ranges(id_ranges) -+ ranges_no_base = [] -+ for id_range in ipa_local_ranges: -+ if id_range.base_rid is None or id_range.secondary_base_rid is None: -+ ranges_no_base.append(id_range) -+ -+ return ranges_no_base -+# endregion -+# Working with IDentities out of range -+# region -+ -+ -+def group_identities_by_threshold( -+ identities: List[IDentity], threshold: int -+) -> List[List[IDentity]]: -+ """Function to group out of range IDs by threshold""" -+ groups: List[List[IDentity]] = [] -+ currentgroup: List[IDentity] = [] -+ if len(identities) == 0: -+ return groups -+ -+ for i in range(len(identities) - 1): -+ # add id to current group -+ currentgroup.append(identities[i]) -+ -+ # If the difference with the next one is greater than the threshold, -+ # start a new group -+ if identities[i + 1].number - identities[i].number > threshold: -+ groups.append(currentgroup) -+ currentgroup = [] -+ -+ # Add the last ID number to the last group -+ currentgroup.append(identities[-1]) -+ groups.append(currentgroup) -+ -+ return groups -+ -+ -+def separate_under1000( -+ identities: List[IDentity], -+) -> Tuple[List[IDentity], List[IDentity]]: -+ """Function to separate IDs under 1000, expects sorted list""" -+ for i, identity in enumerate(identities): -+ if identity.number >= 1000: -+ return identities[:i], identities[i:] -+ return identities, [] -+ -+ -+def separate_ranges_and_outliers( -+ groups: List[List[IDentity]], minrangesize=int -+) -> Tuple[List[List[IDentity]], List[List[IDentity]]]: -+ """Function to separate IDs into outliers and IDs that can get ranges""" -+ outliers = [] -+ cleangroups = [] -+ for group in groups: -+ # if group is smaller than minrangesize, add it's memebers to ourliers -+ if group[-1].number - group[0].number + 1 < minrangesize: -+ for identity in group: -+ outliers.append(identity) -+ # if the group is OK, add it to cleaned groups -+ else: -+ cleangroups.append(group) -+ -+ return outliers, cleangroups -+ -+ -+def round_idrange(start: int, end: int, under1000: bool) -> Tuple[int, int]: -+ """Function to round up range margins to look pretty""" -+ # calculating power of the size -+ sizepower = len(str(end - start + 1)) -+ # multiplier for the nearest rounded number -+ multiplier = 10 ** (sizepower - 1) -+ # getting rounded range margins -+ rounded_start = (start // multiplier) * multiplier -+ if not under1000: -+ rounded_start = max(rounded_start, 1000) -+ else: -+ rounded_start = max(rounded_start, 1) -+ rounded_end = ((end + multiplier) // multiplier) * multiplier - 1 -+ -+ return rounded_start, rounded_end -+ -+ -+def get_rangename_base(id_ranges: List[IDRange]) -> str: -+ """Function to get a base name for new range proposals""" -+ base_name = "" -+ # we want to use default range name as a base for new ranges -+ for id_range in id_ranges: -+ if id_range.base_rid == 1000: -+ base_name = id_range.name -+ -+ # if we didn't find it, propose generic name -+ if base_name == "": -+ base_name = "Auto_added_range" -+ -+ return base_name -+ -+ -+def get_rangename(id_ranges: List[IDRange], basename: str) -> str: -+ """ -+ Function to get a new range name, we add the counter as 3-digit number -+ extension and make sure it's unique -+ """ -+ counter = 1 -+ full_name = f"{basename}_{counter:03}" -+ while any(id_range.name == full_name for id_range in id_ranges): -+ counter += 1 -+ full_name = f"{basename}_{counter:03}" -+ return full_name -+ -+ -+def propose_range( -+ group: List[IDentity], -+ id_ranges: List[IDRange], -+ delta: int, -+ basename: str, -+ norounding: bool, -+ allowunder1000: bool -+) -> IDRange: -+ """Function to propose a new range for group of IDs out of ranges""" -+ startid = group[0].number -+ endid = group[-1].number -+ -+ logger.debug( -+ "Proposing a range for existing IDs out of ranges with start id %s \ -+and end id %s...", -+ startid, -+ endid, -+ ) -+ -+ # creating new range -+ newrange = IDRange() -+ newrange.type = "ipa-local" -+ newrange.name = get_rangename(id_ranges, basename) -+ newrange.suffix = id_ranges[0].suffix -+ newrange.dn = f"cn={newrange.name},cn=ranges,cn=etc,{newrange.suffix}" -+ -+ if norounding: -+ newrange.first_id = startid -+ newrange.last_id = endid -+ newrange.size = newrange.last_id - newrange.first_id + 1 -+ else: -+ # first trying to round up ranges to look pretty -+ newrange.first_id, newrange.last_id = round_idrange( -+ startid, -+ endid, -+ allowunder1000 -+ ) -+ newrange.size = newrange.last_id - newrange.first_id + 1 -+ -+ # if this creates an overlap, try without rounding -+ if not newrange_overlap_check(id_ranges, newrange): -+ newrange.first_id = startid -+ newrange.last_id = endid -+ newrange.size = newrange.last_id - newrange.first_id + 1 -+ # if we still failed, abandon idea -+ if not newrange_overlap_check(id_ranges, newrange): -+ logger.error( -+ "ERROR! Failed to create idrange for existing IDs out of \ -+ranges with start id %s and end id %s, it overlaps with existing range!", -+ startid, -+ endid, -+ ) -+ return None -+ -+ # creating RID bases -+ ipa_local_ranges = get_ipa_local_ranges(id_ranges) -+ -+ result, proposed_base_rid = propose_rid_base( -+ newrange, ipa_local_ranges, delta, True -+ ) -+ if result: -+ newrange.base_rid = proposed_base_rid -+ newrange.last_base_rid = proposed_base_rid + newrange.size -+ else: -+ # if this fails we print the warning -+ logger.warning( -+ "Warning! Proposed base RIDs %s for new range start id %s and \ -+end id %s both failed, please adjust manually", -+ proposed_base_rid, -+ newrange.first_id, -+ newrange.last_id, -+ ) -+ -+ result, proposed_secondary_base_rid = propose_rid_base( -+ newrange, ipa_local_ranges, delta, False, proposed_base_rid -+ ) -+ if result: -+ newrange.secondary_base_rid = proposed_secondary_base_rid -+ newrange.last_secondary_rid = ( -+ proposed_secondary_base_rid + newrange.size -+ ) -+ else: -+ # if this fails we print the warning -+ logger.warning( -+ "Warning! Proposed secondary base RIDs %s for new range start id \ -+%s and end id %s both failed, please adjust manually", -+ proposed_secondary_base_rid, -+ newrange.first_id, -+ newrange.last_id, -+ ) -+ -+ logger.debug("Proposed range: %s", newrange) -+ return newrange -+# endregion -diff --git a/ipatests/test_integration/test_ipa_idrange_fix.py b/ipatests/test_integration/test_ipa_idrange_fix.py -new file mode 100644 -index 0000000000000000000000000000000000000000..de3da9bfd221ce74f1d1bbb0dbe12e4db08b8daa ---- /dev/null -+++ b/ipatests/test_integration/test_ipa_idrange_fix.py -@@ -0,0 +1,189 @@ -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+ -+""" -+Module provides tests for ipa-idrange-fix CLI. -+""" -+ -+import logging -+import re -+ -+from ipatests.pytest_ipa.integration import tasks -+from ipatests.test_integration.base import IntegrationTest -+ -+ -+logger = logging.getLogger(__name__) -+ -+ -+class TestIpaIdrangeFix(IntegrationTest): -+ @classmethod -+ def install(cls, mh): -+ super(TestIpaIdrangeFix, cls).install(mh) -+ tasks.kinit_admin(cls.master) -+ -+ def test_no_issues(self): -+ """Test ipa-idrange-fix command with no issues.""" -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ -+ expected_under1000 = "No IDs under 1000 found" -+ expected_nochanges = "No changes proposed for existing ranges" -+ expected_newrange = "No new ranges proposed" -+ expected_noissues = "No changes proposed, nothing to do." -+ assert expected_under1000 in result.stderr_text -+ assert expected_nochanges in result.stderr_text -+ assert expected_newrange in result.stderr_text -+ assert expected_noissues in result.stderr_text -+ -+ def test_idrange_no_rid_bases(self): -+ """Test ipa-idrange-fix command with IDrange with no RID bases.""" -+ self.master.run_command([ -+ "ipa", -+ "idrange-add", -+ "idrange_no_rid_bases", -+ "--base-id", '10000', -+ "--range-size", '20000', -+ ]) -+ -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ expected_text = "RID bases updated for range 'idrange_no_rid_bases'" -+ -+ # Remove IDrange with no rid bases -+ self.master.run_command(["ipa", "idrange-del", "idrange_no_rid_bases"]) -+ -+ assert expected_text in result.stderr_text -+ -+ def test_idrange_no_rid_bases_reversed(self): -+ """ -+ Test ipa-idrange-fix command with IDrange with no RID bases, but we -+ previously had a range with RID bases reversed - secondary lower than -+ primary. It is a valid configuration, so we should fix no-RID range. -+ """ -+ self.master.run_command([ -+ "ipa", -+ "idrange-add", -+ "idrange_no_rid_bases", -+ "--base-id", '10000', -+ "--range-size", '20000', -+ ]) -+ self.master.run_command([ -+ "ipa", -+ "idrange-add", -+ "idrange_reversed", -+ "--base-id", '50000', -+ "--range-size", '20000', -+ "--rid-base", '100300000' -+ "--secondary-rid-base", '301000' -+ ]) -+ -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ expected_text = "RID bases updated for range 'idrange_no_rid_bases'" -+ -+ # Remove test IDranges -+ self.master.run_command(["ipa", "idrange-del", "idrange_no_rid_bases"]) -+ self.master.run_command(["ipa", "idrange-del", "idrange_reversed"]) -+ -+ assert expected_text in result.stderr_text -+ -+ def test_users_outofrange(self): -+ """Test ipa-idrange-fix command with users out of range.""" -+ for i in range(1, 20): -+ self.master.run_command([ -+ "ipa", -+ "user-add", -+ "testuser{}".format(i), -+ "--first", "Test", -+ "--last", "User {}".format(i), -+ "--uid", str(100000 + i * 10), -+ ]) -+ -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ expected_text = r"Range '[\w\.]+_id_range_\d{3}' created successfully" -+ match = re.search(expected_text, result.stderr_text) -+ -+ # Remove users out of range and created IDrange -+ for i in range(1, 20): -+ self.master.run_command([ -+ "ipa", -+ "user-del", -+ "testuser{}".format(i) -+ ]) -+ if match is not None: -+ self.master.run_command([ -+ "ipa", -+ "idrange-del", -+ match.group(0).split(" ")[1].replace("'", "") -+ ]) -+ -+ assert match is not None -+ -+ def test_user_outlier(self): -+ """Test ipa-idrange-fix command with outlier user.""" -+ self.master.run_command([ -+ "ipa", -+ "user-add", -+ "testuser_outlier", -+ "--first", "Outlier", -+ "--last", "User", -+ "--uid", '500000', -+ ]) -+ -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ expected_text = "Identities that don't fit the criteria to get a new \ -+range found!" -+ expected_user = "user 'Outlier User', uid=500000" -+ -+ # Remove outlier user -+ self.master.run_command(["ipa", "user-del", "testuser_outlier"]) -+ -+ assert expected_text in result.stderr_text -+ assert expected_user in result.stderr_text -+ -+ def test_user_under1000(self): -+ """Test ipa-idrange-fix command with user under 1000.""" -+ self.master.run_command([ -+ "ipa", -+ "user-add", -+ "testuser_under1000", -+ "--first", "Under", -+ "--last", "1000", -+ "--uid", '999', -+ ]) -+ -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ expected_text = "IDs under 1000:" -+ expected_user = "user 'Under 1000', uid=999" -+ -+ # Remove user under 1000 -+ self.master.run_command(["ipa", "user-del", "testuser_under1000"]) -+ -+ assert expected_text in result.stderr_text -+ assert expected_user in result.stderr_text -+ -+ def test_user_preserved(self): -+ """Test ipa-idrange-fix command with preserved user.""" -+ self.master.run_command([ -+ "ipa", -+ "user-add", -+ "testuser_preserved", -+ "--first", "Preserved", -+ "--last", "User", -+ "--uid", '9999', -+ ]) -+ self.master.run_command([ -+ "ipa", -+ "user-del", -+ "testuser_preserved", -+ "--preserve" -+ ]) -+ -+ result = self.master.run_command(["ipa-idrange-fix", "--unattended"]) -+ expected_text = "Identities that don't fit the criteria to get a new \ -+range found!" -+ expected_user = "user 'Preserved User', uid=9999" -+ -+ # Remove preserved user -+ self.master.run_command(["ipa", "user-del", "testuser_preserved"]) -+ -+ assert expected_text in result.stderr_text -+ assert expected_user in result.stderr_text --- -2.46.0 - diff --git a/0006-ipatests-Add-missing-comma-in-test_idrange_no_rid_ba.patch b/0006-ipatests-Add-missing-comma-in-test_idrange_no_rid_ba.patch deleted file mode 100644 index 882df86..0000000 --- a/0006-ipatests-Add-missing-comma-in-test_idrange_no_rid_ba.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 4fef80aeaaf017b286bd12ebfc30529f6a65a80e Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 2 Sep 2024 18:28:27 +0200 -Subject: [PATCH] ipatests: Add missing comma in - test_idrange_no_rid_bases_reversed - -The test is calling ipa idrange-add but is missing a comma in -the arguments list. -The resulting call is using "--rid-base 100300000--secondary-rid-base". -Add the missing comma to build the command with -"--rid-base 100300000 --secondary-rid-base" - -Fixes: https://pagure.io/freeipa/issue/9656 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_integration/test_ipa_idrange_fix.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipa_idrange_fix.py b/ipatests/test_integration/test_ipa_idrange_fix.py -index de3da9bfd221ce74f1d1bbb0dbe12e4db08b8daa..ff8fbdac9d028d26fc55f5e357f89af879a61723 100644 ---- a/ipatests/test_integration/test_ipa_idrange_fix.py -+++ b/ipatests/test_integration/test_ipa_idrange_fix.py -@@ -72,7 +72,7 @@ class TestIpaIdrangeFix(IntegrationTest): - "idrange_reversed", - "--base-id", '50000', - "--range-size", '20000', -- "--rid-base", '100300000' -+ "--rid-base", '100300000', - "--secondary-rid-base", '301000' - ]) - --- -2.46.0 - diff --git a/0007-ipatests-Update-ipa-adtrust-install-test.patch b/0007-ipatests-Update-ipa-adtrust-install-test.patch deleted file mode 100644 index 465b89a..0000000 --- a/0007-ipatests-Update-ipa-adtrust-install-test.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a18eb8358675b3697ccf8f8d8dc230cc62df6a4d Mon Sep 17 00:00:00 2001 -From: Erik Belko -Date: Thu, 29 Aug 2024 16:47:21 +0200 -Subject: [PATCH] ipatests: Update ipa-adtrust-install test - -update test_user_connects_smb_share_if_locked_specific_group with wait -for SSSD to be online after ipa-adtrust-install command - -Related: https://pagure.io/freeipa/issue/9655 - -Signed-off-by: Erik Belko -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_integration/test_adtrust_install.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py -index 72e8d874fb17adadc556ba55b825a88a3ac21a67..de252db1705ad940c3b5ee4df967d7c17a4203a7 100644 ---- a/ipatests/test_integration/test_adtrust_install.py -+++ b/ipatests/test_integration/test_adtrust_install.py -@@ -853,6 +853,8 @@ class TestIpaAdTrustInstall(IntegrationTest): - self.master.config.admin_password, - "-U"] - ) -+ # Wait for SSSD to become online before doing any other check -+ tasks.wait_for_sssd_domain_status_online(self.master) - self.master.run_command(["mkdir", "/freeipa4234"]) - self.master.run_command( - ["chcon", "-t", "samba_share_t", --- -2.46.0 - diff --git a/0008-Installer-activate-ssh-service-in-sssd.conf.patch b/0008-Installer-activate-ssh-service-in-sssd.conf.patch deleted file mode 100644 index 9484727..0000000 --- a/0008-Installer-activate-ssh-service-in-sssd.conf.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 373d41f211c1a04dc432a068bc7d2ba825ff554c Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Tue, 13 Aug 2024 12:44:21 +0200 -Subject: [PATCH] Installer: activate ssh service in sssd.conf - -This commit enables SSSD's ssh service in ipa-client-install to ensure -sss_ssh_knownhosts and sss_ssh_knownhostsproxy functions properly. - -Fixes: https://pagure.io/freeipa/issue/9649 -Related: https://pagure.io/freeipa/issue/9536 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden ---- - ipaclient/install/client.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 802db9614b24553b2b49259f3aebb366093560ac..47a371f629f6ddfb1cd5e9fff9faad737aa01f54 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -974,6 +974,8 @@ def configure_sssd_conf( - - sssd_enable_service(sssdconfig, 'nss') - sssd_enable_service(sssdconfig, 'pam') -+ if options.conf_ssh: -+ sssd_enable_service(sssdconfig, 'ssh') - - domain.set_option('ipa_domain', cli_domain) - domain.set_option('ipa_hostname', client_hostname) --- -2.46.0 - diff --git a/0009-ipa-migrate-fix-migration-issues-with-entries-using-.patch b/0009-ipa-migrate-fix-migration-issues-with-entries-using-.patch deleted file mode 100644 index c0dc80b..0000000 --- a/0009-ipa-migrate-fix-migration-issues-with-entries-using-.patch +++ /dev/null @@ -1,404 +0,0 @@ -From 8d242ba741ec22b258d5e70a530cefd0940783c7 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 23 Jul 2024 17:07:06 -0400 -Subject: [PATCH] ipa-migrate - fix migration issues with entries using - ipaUniqueId in the RDN - -We need to handle these entries differently and specify what attribute -and search base to use to find the entry on the local server. Most -entries can use the "cn" attribute but for selinux usermaps we need to -search using the ipaOwner attribute which is a DN, and in turn requires -additional handling/converting in order to properly check if the usermap -exists or not. - -Also fixed an issue where an attribute should be removed from the local -entry if it does not exist on the remote entry. - -And fixed the handling od "sudoOrder" which is defined as multi-valued -in the schema, but we really need to treat it as single-valued - -Fixes: https://pagure.io/freeipa/issue/9640 - -Signed-off-by: Mark Reynolds -Reviewed-By: Rob Crittenden -Reviewed-By: Rob Crittenden ---- - ipaserver/install/ipa_migrate.py | 119 +++++++++++++++++++-- - ipaserver/install/ipa_migrate_constants.py | 82 +++++++++++++-- - 2 files changed, 187 insertions(+), 14 deletions(-) - -diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py -index e21937401b3463335d8297b41a403405071d3795..78c530f24fe5d8c9f5de0f816df9904bf30c7b94 100644 ---- a/ipaserver/install/ipa_migrate.py -+++ b/ipaserver/install/ipa_migrate.py -@@ -32,7 +32,7 @@ from ipaserver.install.ipa_migrate_constants import ( - DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME, - STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS, - DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS, -- DB_EXCLUDE_TREES -+ DB_EXCLUDE_TREES, POLICY_OP_ATTRS - ) - - """ -@@ -529,6 +529,14 @@ class IPAMigrate(): - # - # Helper functions - # -+ def attr_is_operational(self, attr): -+ schema = self.local_conn.schema -+ attr_obj = schema.get_obj(ldap.schema.AttributeType, attr) -+ if attr_obj is not None: -+ if attr_obj.usage == 1: -+ return True -+ return False -+ - def replace_suffix(self, entry_dn): - """ - Replace the base DN in an entry DN -@@ -1122,6 +1130,18 @@ class IPAMigrate(): - stats['reset_range'] += 1 - return entry - -+ def attr_is_required(self, attr, entry): -+ """ -+ Check if an attribute is required in this entry -+ """ -+ entry_oc = entry['objectClass'] -+ for oc in entry_oc: -+ required_attrs = self.local_conn.get_allowed_attributes( -+ [oc], raise_on_unknown=False, attributes="must") -+ if attr.lower() in required_attrs: -+ return True -+ return False -+ - def clean_entry(self, entry_dn, entry_type, entry_attrs): - """ - Clean up the entry from the remote server -@@ -1311,7 +1331,17 @@ class IPAMigrate(): - f"'{old_value}' " - "new value " - f"'{local_entry[attr][0]}'") -- -+ elif 'single' == sp_attr[1]: -+ # The attribute is defined as multivalued, but -+ # we really need to treat it as single valued -+ self.log_debug("Entry is different and will " -+ f"be updated: '{local_dn}' " -+ f"attribute '{attr}' replaced " -+ "with val " -+ f"'{remote_attrs[attr][0]}' " -+ "old value: " -+ f"{local_entry[attr][0]}") -+ local_entry[attr][0] = remote_attrs[attr][0] - goto_next_attr = True - break - -@@ -1358,6 +1388,31 @@ class IPAMigrate(): - local_entry[attr] = remote_attrs[attr] - entry_updated = True - -+ # Remove attributes in the local entry that do not exist in the -+ # remote entry -+ remove_attrs = [] -+ for attr in local_entry: -+ if (self.attr_is_operational(attr) -+ and attr.lower() not in POLICY_OP_ATTRS) or \ -+ attr.lower() in IGNORE_ATTRS or \ -+ attr.lower() in STRIP_ATTRS or \ -+ attr.lower() == "usercertificate": -+ # This is an attribute that we do not want to remove -+ continue -+ -+ if attr not in remote_attrs and \ -+ not self.attr_is_required(attr, local_entry): -+ # Mark this attribute for deletion -+ remove_attrs.append(attr) -+ entry_updated = True -+ -+ # Remove attributes -+ for remove_attr in remove_attrs: -+ self.log_debug("Entry is different and will be updated: " -+ f"'{local_dn}' attribute '{remove_attr}' " -+ "is being removed") -+ del local_entry[remove_attr] -+ - if range_reset: - stats['reset_range'] += 1 - -@@ -1371,6 +1426,9 @@ class IPAMigrate(): - """ - Process chunks of remote entries from a paged results search - -+ entry_dn = the remote entry DN -+ entry_attrs = the remote entry's attributes stored in a dict -+ - Identify entry type - Process entry (removing/change attr/val/schema) - Compare processed remote entry with local entry, merge/overwrite? -@@ -1426,6 +1484,47 @@ class IPAMigrate(): - # Based on the entry type do additional work - # - -+ # For entries with alternate identifying needs we need to rebuild the -+ # local dn. Typically this is for entries that use ipaUniqueId as the -+ # RDN attr -+ if entry_type != "custom" and 'alt_id' in DB_OBJECTS[entry_type]: -+ attr = DB_OBJECTS[entry_type]['alt_id']['attr'] -+ base = DB_OBJECTS[entry_type]['alt_id']['base'] -+ srch_filter = f'{attr}={entry_attrs[attr][0]}' -+ if DB_OBJECTS[entry_type]['alt_id']['isDN'] is True: -+ # Convert the filter to match the local suffix -+ srch_filter = self.replace_suffix(srch_filter) -+ srch_base = base + str(self.local_suffix) -+ -+ try: -+ entries = self.local_conn.get_entries(DN(srch_base), -+ filter=srch_filter) -+ if len(entries) == 1: -+ local_dn = entries[0].dn -+ elif len(entries) == 0: -+ # Not found, no problem just proceed and we will add it -+ pass -+ else: -+ # Found too many entries - should not happen -+ self.log_error('Found too many local matching entries ' -+ f'for "{local_dn}"') -+ if self.args.force: -+ stats['ignored_errors'] += 1 -+ return -+ else: -+ sys.exit(1) -+ except errors.EmptyResult: -+ # Not found, no problem just proceed and we will add it later -+ pass -+ except (errors.NetworkError, errors.DatabaseError) as e: -+ self.log_error('Failed to find a local matching entry for ' -+ f'"{local_dn}" error: {str(e)}') -+ if self.args.force: -+ stats['ignored_errors'] += 1 -+ return -+ else: -+ sys.exit(1) -+ - # See if the entry exists on the local server - try: - local_entry = self.local_conn.get_entry(DN(local_dn), -@@ -1441,14 +1540,20 @@ class IPAMigrate(): - - if self.dryrun: - self.write_update_to_ldif(local_entry) -- DB_OBJECTS[entry_type]['count'] += 1 -+ if entry_type == "custom": -+ stats['custom'] += 1 -+ else: -+ DB_OBJECTS[entry_type]['count'] += 1 - stats['total_db_migrated'] += 1 - return - - # Update the local entry - try: - self.local_conn.update_entry(local_entry) -- DB_OBJECTS[entry_type]['count'] += 1 -+ if entry_type == "custom": -+ stats['custom'] += 1 -+ else: -+ DB_OBJECTS[entry_type]['count'] += 1 - except errors.ExecutionError as e: - self.log_error(f'Failed to update "{local_dn}" error: ' - f'{str(e)}') -@@ -1567,7 +1672,7 @@ class IPAMigrate(): - """ - Used paged search for online method to avoid large memory footprint - """ -- self.log_info("Migrating database ... (this make take a while)") -+ self.log_info("Migrating database ... (this may take a while)") - if self.args.db_ldif is not None: - self.processDBOffline() - else: -@@ -1608,7 +1713,7 @@ class IPAMigrate(): - f"{len(objectclasses)} objectClasses") - - # Loop over attributes and objectclasses and count them -- schema = self.local_conn._get_schema() -+ schema = self.local_conn.schema - local_schema = schema.ldap_entry() - for schema_type in [(attributes, "attributeTypes"), - (objectclasses, "objectClasses")]: -@@ -1967,7 +2072,7 @@ class IPAMigrate(): - - # Run ipa-server-upgrade - self.log_info("Running ipa-server-upgrade ... " -- "(this make take a while)") -+ "(this may take a while)") - if self.dryrun: - self.log_info("Skipping ipa-server-upgrade in dryrun mode.") - else: -diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py -index 0e26c75497b216f09ed450aa25a09c2102582326..250f1b5b01bf066d316a98489ab6153b89615173 100644 ---- a/ipaserver/install/ipa_migrate_constants.py -+++ b/ipaserver/install/ipa_migrate_constants.py -@@ -19,6 +19,28 @@ STRIP_OP_ATTRS = [ - 'nsuniqueid', - 'dsentrydn', - 'entryuuid', -+ 'entrydn', -+ 'entryid', -+ 'entryusn', -+ 'numsubordinates', -+ 'parentid', -+ 'tombstonenumsubordinates' -+] -+ -+# Operational attributes that we would want to remove from the local entry if -+# they don't exist in the remote entry -+POLICY_OP_ATTRS = [ -+ 'nsaccountlock', -+ 'passwordexpiratontime', -+ 'passwordgraceusertime', -+ 'pwdpolicysubentry', -+ 'passwordexpwarned', -+ 'passwordretrycount', -+ 'retrycountresettime', -+ 'accountunlocktime', -+ 'passwordhistory', -+ 'passwordallowchangetime', -+ 'pwdreset' - ] - - # Atributes to strip from users/groups -@@ -110,7 +132,7 @@ STRIP_OC = [ - # - # The DS_CONFIG mapping breaks each config entry (or type of entry) into its - # own catagory. Each catagory, or type, as DN list "dn", the attributes# we --# are intrested in. These attributes are broken into singel valued "attrs", -+# are intrested in. These attributes are broken into single valued "attrs", - # or multi-valued attributes "multivalued". If the attributes is single - # valued then the value is replaced, if it's multivalued then it is "appended" - # -@@ -565,6 +587,12 @@ DS_INDEXES = { - # identify the entry. - # The "label" and "count" attributes are used for the Summary Report - # -+# Some entries use ipaUniqueId as the RDN attribute, this makes comparing -+# entries between the remote and local servers problematic. So we need special -+# identifying information to find the local entry. In this case we use the -+# "alt_id" key which is a dict of an attribute 'attr' and partial base DN -+# 'base' - which is expected to end in a comma. -+# - DB_OBJECTS = { - # Plugins - 'automember_def': { -@@ -640,8 +668,8 @@ DB_OBJECTS = { - 'oc': ['ipaconfigobject', 'ipaguiconfig'], - 'subtree': 'cn=ipaconfig,cn=etc,$SUFFIX', - 'special_attrs': [ -- # needs special handling, but -- # ipa-server-upgrade rewrites this attribute anyway! -+ # needs special handling, but ipa-server-upgrade rewrites this -+ # attribute anyway! - ('ipausersearchfields', 'list'), - ], - 'label': 'IPA Config', -@@ -772,11 +800,16 @@ DB_OBJECTS = { - 'mode': 'all', - 'count': 0, - }, -- 'subids': { # unknown what these entries look like TODO -+ 'subids': { - 'oc': [], - 'subtree': ',cn=subids,cn=accounts,$SUFFIX', - 'label': 'Sub IDs', -- 'mode': 'all', # TODO Maybe production only? -+ 'mode': 'production', -+ 'alt_id': { -+ 'attr': 'ipaOwner', -+ 'isDN': True, -+ 'base': 'cn=subids,cn=accounts,', -+ }, - 'count': 0, - }, - -@@ -884,6 +917,11 @@ DB_OBJECTS = { - 'oc': ['ipahbacrule'], - 'subtree': ',cn=hbac,$SUFFIX', - 'label': 'HBAC Rules', -+ 'alt_id': { -+ 'attr': 'cn', -+ 'base': 'cn=hbac,', -+ 'isDN': False, -+ }, - 'mode': 'all', - 'count': 0, - }, -@@ -892,6 +930,11 @@ DB_OBJECTS = { - 'selinux_usermap': { # Not sure if this is needed, entry is empty TODO - 'oc': [], - 'subtree': ',cn=usermap,cn=selinux,$SUFFIX', -+ 'alt_id': { -+ 'attr': 'cn', -+ 'base': 'cn=usermap,cn=selinux,', -+ 'isDN': False, -+ }, - 'label': 'Selinux Usermaps', - 'mode': 'all', - 'count': 0, -@@ -902,12 +945,27 @@ DB_OBJECTS = { - 'oc': ['ipasudorule'], - 'subtree': ',cn=sudorules,cn=sudo,$SUFFIX', - 'label': 'Sudo Rules', -+ 'alt_id': { -+ 'attr': 'cn', -+ 'base': 'cn=sudorules,cn=sudo,', -+ 'isDN': False, -+ }, -+ 'special_attrs': [ -+ # schema defines sudoOrder as mutlivalued, but we need to treat -+ # it as single valued -+ ('sudoorder', 'single'), -+ ], - 'mode': 'all', - 'count': 0, - }, - 'sudo_cmds': { - 'oc': ['ipasudocmd'], - 'subtree': ',cn=sudocmds,cn=sudo,$SUFFIX', -+ 'alt_id': { -+ 'attr': 'sudoCmd', -+ 'base': 'cn=sudocmds,cn=sudo,', -+ 'isDN': False, -+ }, - 'label': 'Sudo Commands', - 'mode': 'all', - 'count': 0, -@@ -991,6 +1049,11 @@ DB_OBJECTS = { - 'oc': ['ipanisnetgroup'], - 'not_oc': ['mepmanagedentry'], - 'subtree': ',cn=ng,cn=alt,$SUFFIX', -+ 'alt_id': { -+ 'attr': 'cn', -+ 'base': 'cn=ng,cn=alt,', -+ 'isDN': False, -+ }, - 'label': 'Network Groups', - 'mode': 'all', - 'count': 0, -@@ -1006,9 +1069,14 @@ DB_OBJECTS = { - 'count': 0, - }, - 'caacls': { -- 'oc': ['top'], -+ 'oc': ['ipacaacl'], - 'subtree': ',cn=caacls,cn=ca,$SUFFIX', -- 'label': 'CA Certificates', -+ 'alt_id': { -+ 'attr': 'cn', -+ 'base': 'cn=caacls,cn=ca,', -+ 'isDN': False, -+ }, -+ 'label': 'CA Certificate ACLs', - 'mode': 'all', - 'count': 0, - }, --- -2.46.0 - diff --git a/0010-ipa-migrate-fix-alternate-entry-search-filter.patch b/0010-ipa-migrate-fix-alternate-entry-search-filter.patch deleted file mode 100644 index 512384a..0000000 --- a/0010-ipa-migrate-fix-alternate-entry-search-filter.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 3b5a980f5b65b03b9fd7ad0cfbb6c87874d3ff24 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 3 Sep 2024 13:42:05 -0400 -Subject: [PATCH] ipa-migrate - fix alternate entry search filter - -Processing a filter like a DN can cause normalization issues that result -in an invalid filter. Make sure the filter is encapsulated with -parenthesis and we call replace_suffix_value() instead of -replace_suffix() - -Fixes: https://pagure.io/freeipa/issue/9658 - -Signed-off-by: Mark Reynolds - -Fix typo in test - -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ipa_migrate.py | 4 ++-- - ipatests/test_integration/test_ipa_ipa_migration.py | 6 +++--- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py -index 78c530f24fe5d8c9f5de0f816df9904bf30c7b94..38356aa23ea435e2a616f48356feaea7b50dd1e4 100644 ---- a/ipaserver/install/ipa_migrate.py -+++ b/ipaserver/install/ipa_migrate.py -@@ -1490,10 +1490,10 @@ class IPAMigrate(): - if entry_type != "custom" and 'alt_id' in DB_OBJECTS[entry_type]: - attr = DB_OBJECTS[entry_type]['alt_id']['attr'] - base = DB_OBJECTS[entry_type]['alt_id']['base'] -- srch_filter = f'{attr}={entry_attrs[attr][0]}' -+ srch_filter = f'({attr}={entry_attrs[attr][0]})' - if DB_OBJECTS[entry_type]['alt_id']['isDN'] is True: - # Convert the filter to match the local suffix -- srch_filter = self.replace_suffix(srch_filter) -+ srch_filter = self.replace_suffix_value(srch_filter) - srch_base = base + str(self.local_suffix) - - try: -diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py -index f697bbfbfc6169309274db689501c99fe148cc70..288165e8a83a96e6f6bd4e52866f98617f497c56 100644 ---- a/ipatests/test_integration/test_ipa_ipa_migration.py -+++ b/ipatests/test_integration/test_ipa_ipa_migration.py -@@ -610,7 +610,7 @@ class TestIPAMigrateScenario1(IntegrationTest): - MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n" - MIGRATION_CONFIG_LOG_MSG = "Migrating configuration ...\n" - IPA_UPGRADE_LOG_MSG = ( -- "Running ipa-server-upgrade ... (this make take a while)\n" -+ "Running ipa-server-upgrade ... (this may take a while)\n" - ) - SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n" - MIGRATION_COMPLETE_LOG_MSG = "Migration complete!\n" -@@ -641,10 +641,10 @@ class TestIPAMigrateScenario1(IntegrationTest): - tasks.kinit_admin(self.replicas[0]) - MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n" - MIGRATION_DATABASE_LOG_MSG = ( -- "Migrating database ... (this make take a while)\n" -+ "Migrating database ... (this may take a while)\n" - ) - IPA_UPGRADE_LOG_MSG = ( -- "Running ipa-server-upgrade ... (this make take a while)\n" -+ "Running ipa-server-upgrade ... (this may take a while)\n" - ) - SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n" - result = run_migrate( --- -2.46.0 - diff --git a/0011-Custodia-in-fips-mode-add-nomac-or-nomacver-to-opens.patch b/0011-Custodia-in-fips-mode-add-nomac-or-nomacver-to-opens.patch deleted file mode 100644 index 1db95cb..0000000 --- a/0011-Custodia-in-fips-mode-add-nomac-or-nomacver-to-opens.patch +++ /dev/null @@ -1,82 +0,0 @@ -From c96d172d7d2e87513d9bd51a98591858e1f88def Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 5 Sep 2024 14:52:26 +0200 -Subject: [PATCH] Custodia: in fips mode add -nomac or -nomacver to openssl - pkcs12 - -In FIPS mode the command openssl pkcs12 fails unless the -export is called with -nomac and import with -nomacver - -The command is used by custodia to export private keys from the -master and import them in the replica. - -Fixes: https://pagure.io/freeipa/issue/9577 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipaserver/secrets/handlers/pemfile.py | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py -index ad36bd02008ff068fa7e237dd9653e31f7ac7d85..006d351699f3086653c2e461fdcb8afb53eea281 100644 ---- a/ipaserver/secrets/handlers/pemfile.py -+++ b/ipaserver/secrets/handlers/pemfile.py -@@ -8,6 +8,7 @@ import json - import os - - from ipaplatform.paths import paths -+from ipaplatform.tasks import tasks - from ipapython import ipautil - from . import common - -@@ -25,7 +26,7 @@ def export_key(args, tmpdir): - f.write(password) - - # OpenSSL does not support pkcs12 export of a cert without key -- ipautil.run([ -+ cmd = [ - paths.OPENSSL, 'pkcs12', '-export', - '-in', args.certfile, - '-out', pk12file, -@@ -34,7 +35,13 @@ def export_key(args, tmpdir): - '-keypbe', 'AES-256-CBC', - '-certpbe', 'AES-256-CBC', - '-macalg', 'sha384', -- ]) -+ ] -+ -+ fips_enabled = tasks.is_fips_enabled() -+ if fips_enabled: -+ cmd.append('-nomac') -+ -+ ipautil.run(cmd) - - with open(pk12file, 'rb') as f: - p12data = f.read() -@@ -69,6 +76,11 @@ def import_key(args, tmpdir): - '-out', args.certfile, - '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile), - ] -+ -+ fips_enabled = tasks.is_fips_enabled() -+ if fips_enabled: -+ cmd.append('-nomacver') -+ - ipautil.run(cmd, umask=0o027) - - # get the private key from the file -@@ -79,6 +91,10 @@ def import_key(args, tmpdir): - '-out', args.keyfile, - '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile), - ] -+ -+ if fips_enabled: -+ cmd.append('-nomacver') -+ - ipautil.run(cmd, umask=0o027) - - --- -2.46.0 - diff --git a/0012-ipatests-make-TestDuplicates-teardowns-order-agnosti.patch b/0012-ipatests-make-TestDuplicates-teardowns-order-agnosti.patch deleted file mode 100644 index 3c8b719..0000000 --- a/0012-ipatests-make-TestDuplicates-teardowns-order-agnosti.patch +++ /dev/null @@ -1,139 +0,0 @@ -From d102773ce24481c6797f71557b75e77921164285 Mon Sep 17 00:00:00 2001 -From: Stanislav Levin -Date: Thu, 12 Sep 2024 12:38:52 +0300 -Subject: [PATCH] ipatests: make TestDuplicates teardowns order agnostic - -Fixtures 'user4' and 'user5' track the same actual user 'tuser'. -If used together their teardowns can fail depending on the -order of execution. - -With this change fixtures of TestDuplicates are simplified and -method-scoped. - -Related: https://pagure.io/freeipa/issue/9571 -Signed-off-by: Stanislav Levin -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_xmlrpc/test_stageuser_plugin.py | 76 +++++++------------ - 1 file changed, 28 insertions(+), 48 deletions(-) - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index 9ae5561dfa4e0d54fe1231501bfea3c0ba261849..6ed593fbf24dd2e8ce087625b9cb4c21c9a3c145 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -120,12 +120,6 @@ def stageduser3(request, xmlrpc_setup): - return tracker.make_fixture_activate(request) - - --@pytest.fixture(scope='class') --def stageduser4(request, xmlrpc_setup): -- tracker = StageUserTracker(u'tuser', u'test', u'user') -- return tracker.make_fixture(request) -- -- - @pytest.fixture(scope='class') - def stageduser_notposix(request, xmlrpc_setup): - tracker = StageUserTracker(u'notposix', u'notposix', u'notposix') -@@ -161,18 +155,6 @@ def user3(request, xmlrpc_setup): - return tracker.make_fixture(request) - - --@pytest.fixture(scope='class') --def user4(request, xmlrpc_setup): -- tracker = UserTracker(u'tuser', u'test', u'user') -- return tracker.make_fixture(request) -- -- --@pytest.fixture(scope='class') --def user5(request, xmlrpc_setup): -- tracker = UserTracker(u'tuser', u'test', u'user') -- return tracker.make_fixture(request) -- -- - @pytest.fixture(scope='class') - def user6(request, xmlrpc_setup): - tracker = UserTracker(u'suser2', u'staged', u'user') -@@ -724,52 +706,50 @@ class TestManagers(XMLRPC_test): - - @pytest.mark.tier1 - class TestDuplicates(XMLRPC_test): -- def test_active_same_as_preserved(self, user4, user5): -- user4.ensure_missing() -- user5.make_preserved_user() -- command = user4.make_create_command() -+ @pytest.fixture -+ def user(self, request, xmlrpc_setup): -+ tracker = UserTracker("tuser", "test", "user") -+ return tracker.make_fixture(request) -+ -+ @pytest.fixture -+ def stageduser(self, request, xmlrpc_setup): -+ tracker = StageUserTracker("tuser", "test", "user") -+ return tracker.make_fixture(request) -+ -+ def test_active_same_as_preserved(self, user): -+ user.make_preserved_user() -+ command = user.make_create_command() - with raises_exact(errors.DuplicateEntry( -- message=u'user with name "%s" already exists' % user4.uid)): -+ message=u'user with name "%s" already exists' % user.uid)): - command() -- user5.delete() - -- def test_staged_same_as_active(self, user4, stageduser4): -- user4.ensure_exists() -- stageduser4.create() # can be created -+ def test_staged_same_as_active(self, user, stageduser): -+ user.create() -+ stageduser.create() # can be created - -- command = stageduser4.make_activate_command() -+ command = stageduser.make_activate_command() - with raises_exact(errors.DuplicateEntry( - message=u'active user with name "%s" already exists' % -- user4.uid)): -+ user.uid)): - command() # cannot be activated - -- user4.delete() -- stageduser4.delete() -- -- def test_staged_same_as_preserved(self, user5, stageduser4): -- user5.make_preserved_user() -- stageduser4.create() # can be created -+ def test_staged_same_as_preserved(self, user, stageduser): -+ user.make_preserved_user() -+ stageduser.create() # can be created - -- command = stageduser4.make_activate_command() -+ command = stageduser.make_activate_command() - with raises_exact(errors.DuplicateEntry( - message=u'This entry already exists')): - command() # cannot be activated - -- user5.delete() -- stageduser4.delete() -+ def test_active_same_as_staged(self, user, stageduser): -+ stageduser.create() -+ user.create() # can be created - -- def test_active_same_as_staged(self, user4, stageduser4): -- user4.ensure_missing() -- stageduser4.ensure_exists() -- command = user4.make_create_command() -- result = command() -- user4.track_create() -- user4.check_create(result) # can be created -- -- command = stageduser4.make_activate_command() -+ command = stageduser.make_activate_command() - with raises_exact(errors.DuplicateEntry( - message=u'active user with name "%s" already exists' % -- user4.uid)): -+ user.uid)): - command() # cannot be activated - - --- -2.46.0 - diff --git a/0013-UnsafeIPAddress-pass-flag-0-to-IPNetwork.patch b/0013-UnsafeIPAddress-pass-flag-0-to-IPNetwork.patch deleted file mode 100644 index 1d6fab3..0000000 --- a/0013-UnsafeIPAddress-pass-flag-0-to-IPNetwork.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a9e653ca36a0829ae59cd204e7388d7a6c91e082 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 13 Sep 2024 09:58:36 +0200 -Subject: [PATCH] UnsafeIPAddress: pass flag=0 to IPNetwork - -When parsing a string, the constructor tries to parse the value -as an IP Address first, or falls back to an IPNetwork with the -flags INET_PTON. - -Use the flag 0 instead for an IPNetwork. - -Fixes: https://pagure.io/freeipa/issue/9645 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipapython/ipautil.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index 3e98bfd6a66f24933e7e4de8efb79f4f5bf8bd0e..c237d59fb4b8be4187fb0efb04b097ff4df6c182 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -119,7 +119,7 @@ class UnsafeIPAddress(netaddr.IPAddress): - if addr.version != 6: - raise - except ValueError: -- self._net = netaddr.IPNetwork(addr, flags=self.netaddr_ip_flags) -+ self._net = netaddr.IPNetwork(addr, flags=0) - addr = self._net.ip - super(UnsafeIPAddress, self).__init__(addr, - flags=self.netaddr_ip_flags) --- -2.46.2 - diff --git a/0014-ipatests-provide-a-ccache-to-rpcclient-deletetrustdo.patch b/0014-ipatests-provide-a-ccache-to-rpcclient-deletetrustdo.patch deleted file mode 100644 index 127b1f7..0000000 --- a/0014-ipatests-provide-a-ccache-to-rpcclient-deletetrustdo.patch +++ /dev/null @@ -1,67 +0,0 @@ -From a343c149838a3058794f33c75c58b75bc1748f7f Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 17 Sep 2024 17:00:49 +0200 -Subject: [PATCH] ipatests: provide a ccache to rpcclient deletetrustdom - -With samba update to samba-4.20.4, rpcclient now needs a -ccache otherwise it prompts for a password. - -Fixes: https://pagure.io/freeipa/issue/9667 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipatests/pytest_ipa/integration/tasks.py | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py -index 9d6b5f67a311a28c335801d59e0ff0f0c7faccdd..677fb7534256a65940fb5280fa6412789dcba54f 100755 ---- a/ipatests/pytest_ipa/integration/tasks.py -+++ b/ipatests/pytest_ipa/integration/tasks.py -@@ -795,15 +795,22 @@ def remove_trust_info_from_ad(master, ad_domain, ad_hostname): - kinit_as_user(master, - 'Administrator@{}'.format(ad_domain.upper()), - master.config.ad_admin_password) -+ # Find cache for the user -+ cache_args = [] -+ cache = get_credential_cache(master) -+ if cache: -+ cache_args = ["--use-krb5-ccache", cache] -+ - # Detect whether rpcclient supports -k or --use-kerberos option - res = master.run_command(['rpcclient', '-h'], raiseonerr=False) - if "--use-kerberos" in res.stderr_text: - rpcclient_krb5_knob = "--use-kerberos=desired" - else: - rpcclient_krb5_knob = "-k" -- master.run_command(['rpcclient', rpcclient_krb5_knob, ad_hostname, -- '-c', 'deletetrustdom {}'.format(master.domain.name)], -- raiseonerr=False) -+ cmd_args = ['rpcclient', rpcclient_krb5_knob, ad_hostname] -+ cmd_args.extend(cache_args) -+ cmd_args.extend(['-c', 'deletetrustdom {}'.format(master.domain.name)]) -+ master.run_command(cmd_args, raiseonerr=False) - - - def configure_auth_to_local_rule(master, ad): -@@ -1086,6 +1093,16 @@ def kinit_admin(host, raiseonerr=True): - raiseonerr=raiseonerr) - - -+def get_credential_cache(host): -+ # Return the credential cache currently in use on host or None -+ result = host.run_command(["klist"]).stdout_text -+ pattern = re.compile(r'Ticket cache: (?P.*)\n') -+ res = pattern.search(result) -+ if res: -+ return res['cache'] -+ return None -+ -+ - def uninstall_master(host, ignore_topology_disconnect=True, - ignore_last_of_role=True, clean=True, verbose=False): - uninstall_cmd = ['ipa-server-install', '--uninstall', '-U'] --- -2.46.2 - diff --git a/0015-test_adtrust_install-add-use-krb5-ccache-to-smbclien.patch b/0015-test_adtrust_install-add-use-krb5-ccache-to-smbclien.patch deleted file mode 100644 index 79600fd..0000000 --- a/0015-test_adtrust_install-add-use-krb5-ccache-to-smbclien.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 743c7b46e463bef666dc84e9f513eb7dee7f59f6 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 17 Sep 2024 14:48:58 +0200 -Subject: [PATCH] test_adtrust_install: add --use-krb5-ccache to smbclient - command - -With samba 4.20.4 the smbclient commands needs a ccache otherwise it -prompts for a password. - -Fixes: https://pagure.io/freeipa/issue/9666 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - .../test_integration/test_adtrust_install.py | 28 ++++++++++++------- - 1 file changed, 18 insertions(+), 10 deletions(-) - -diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py -index de252db1705ad940c3b5ee4df967d7c17a4203a7..79a91dfaa61276de74b10777c6d44b5942ed1be0 100644 ---- a/ipatests/test_integration/test_adtrust_install.py -+++ b/ipatests/test_integration/test_adtrust_install.py -@@ -873,17 +873,25 @@ class TestIpaAdTrustInstall(IntegrationTest): - "path", "/freeipa4234"]) - self.master.run_command(["touch", "before"]) - self.master.run_command(["touch", "after"]) -- self.master.run_command( -- ["smbclient", "--use-kerberos=desired", -- "-c=put before", "//{}/share".format( -- self.master.hostname)] -- ) -+ # Find cache for the admin user -+ cache_args = [] -+ cache = tasks.get_credential_cache(self.master) -+ if cache: -+ cache_args = ["--use-krb5-ccache", cache] -+ -+ cmd_args = ["smbclient", "--use-kerberos=desired"] -+ cmd_args.extend(cache_args) -+ cmd_args.extend([ -+ "-c=put before", "//{}/share".format(self.master.hostname) -+ ]) -+ self.master.run_command(cmd_args) - self.master.run_command( - ["net", "conf", "setparm", "share", - "valid users", "@admins"]) -- result = self.master.run_command( -- ["smbclient", "--use-kerberos=desired", -- "-c=put after", "//{}/share".format( -- self.master.hostname)] -- ) -+ cmd_args = ["smbclient", "--use-kerberos=desired"] -+ cmd_args.extend(cache_args) -+ cmd_args.extend([ -+ "-c=put after", "//{}/share".format(self.master.hostname) -+ ]) -+ result = self.master.run_command(cmd_args) - assert msg not in result.stdout_text --- -2.46.2 - diff --git a/0016-Don-t-rely-on-removing-the-CA-to-uninstall-the-ACME-.patch b/0016-Don-t-rely-on-removing-the-CA-to-uninstall-the-ACME-.patch deleted file mode 100644 index 19498d0..0000000 --- a/0016-Don-t-rely-on-removing-the-CA-to-uninstall-the-ACME-.patch +++ /dev/null @@ -1,209 +0,0 @@ -From a785d0c561b8e22bd9d56739481095e07e0a7eb7 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 30 Sep 2024 13:30:46 -0400 -Subject: [PATCH] Don't rely on removing the CA to uninstall the ACME depoyment - -There has always been a pki-server commnd acme-remove. We were -not aware that it should be called prior to removing a CA. In -11.5.0 this is strongly encouraged by the PKI team. In 11.6.0 -ACME is treated as a full subsystem so will be removed in the -future using pkidestroy -s ACME - -The new class acmeinstance.ACMEInstance is introduced so its -uninstallation can be handled in a similar way as the other -PKI services via DogtagInstance. It is, right now, a pretty -thin wrapper. - -We can discuss moving the ACME installation routines here at -some point. It would be ok as long as we don't have to introduce -another PKI restart as part of it. - -In PKI 11.6.0 pkidestroy has new options to ensure a clean -uninstall: --remove-conf --remove-logs. Pass those options -into pkidestroy calls for 11.6.0+. - -Clean up an additional IPA-generated file that needs to be -cleaned up during uninstall: /root/kracert.p12. 11.6.0 is -more sensitive to leftover files than previous versions. - -Fixes: https://pagure.io/freeipa/issue/9673 -Fixes: https://pagure.io/freeipa/issue/9674 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipaserver/install/acmeinstance.py | 31 +++++++++++++ - ipaserver/install/ca.py | 5 ++- - ipaserver/install/cainstance.py | 1 + - ipaserver/install/dogtaginstance.py | 44 +++++++++++++------ - .../test_integration/test_uninstallation.py | 21 +++++++++ - 5 files changed, 87 insertions(+), 15 deletions(-) - create mode 100644 ipaserver/install/acmeinstance.py - -diff --git a/ipaserver/install/acmeinstance.py b/ipaserver/install/acmeinstance.py -new file mode 100644 -index 0000000000000000000000000000000000000000..0027c314545f384d9b6ee24b279479e5360d8bef ---- /dev/null -+++ b/ipaserver/install/acmeinstance.py -@@ -0,0 +1,31 @@ -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+ -+import logging -+ -+from ipaserver.install.dogtaginstance import DogtagInstance -+ -+logger = logging.getLogger(__name__) -+ -+ -+class ACMEInstance(DogtagInstance): -+ """ -+ ACME is deployed automatically with a CA subsystem but it is the -+ responsibility of IPA to uninstall the service. -+ -+ This is mostly a placeholder for the uninstaller. We can -+ eventually move the ACME installation routines into this class -+ if we want but it might result in an extra PKI restart which -+ would be slow. -+ """ -+ def __init__(self, realm=None, host_name=None): -+ super(ACMEInstance, self).__init__( -+ realm=realm, -+ subsystem="ACME", -+ service_desc="ACME server", -+ host_name=host_name -+ ) -+ -+ def uninstall(self): -+ DogtagInstance.uninstall(self) -diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py -index ffcb5268399ce71128fc8de5f54d433d35e99dd2..520e3fc5de1084e7c22c0cf7eaa86e1d3c421373 100644 ---- a/ipaserver/install/ca.py -+++ b/ipaserver/install/ca.py -@@ -22,7 +22,7 @@ from ipaplatform.constants import constants - from ipaserver.install import sysupgrade - from ipapython.install import typing - from ipapython.install.core import group, knob, extend_knob --from ipaserver.install import cainstance, bindinstance, dsinstance -+from ipaserver.install import acmeinstance, cainstance, bindinstance, dsinstance - from ipapython import ipautil, certdb - from ipapython import ipaldap - from ipapython.admintool import ScriptError -@@ -715,6 +715,9 @@ def install_step_1(standalone, replica_config, options, custodia): - - - def uninstall(): -+ acme = acmeinstance.ACMEInstance(api.env.realm) -+ acme.uninstall() -+ - ca_instance = cainstance.CAInstance(api.env.realm) - ca_instance.stop_tracking_certificates() - ipautil.remove_file(paths.RA_AGENT_PEM) -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 5dac2c0441752e7bb569cde1fc93bc17c3128cdf..5c2c9f8b981cf5d587865f7680e2b231eae655e2 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -1118,6 +1118,7 @@ class CAInstance(DogtagInstance): - - ipautil.remove_file(paths.DOGTAG_ADMIN_P12) - ipautil.remove_file(paths.CACERT_P12) -+ ipautil.remove_file(paths.ADMIN_CERT_PATH) - - def unconfigure_certmonger_renewal_guard(self): - if not self.is_configured(): -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index e89492312deb8ca20668a62fd7a2a20e2866a3fb..4b0f4d274b0c33140ed6f939f1a3fd8b75930ff9 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -304,21 +304,37 @@ class DogtagInstance(service.Service): - if self.is_installed(): - self.print_msg("Unconfiguring %s" % self.subsystem) - -- args = [paths.PKIDESTROY, -- "-i", "pki-tomcat", "--force", -- "-s", self.subsystem] -- -- # specify --log-file on PKI 11.0.0 or later -- -+ args = [] - pki_version = pki.util.Version(pki.specification_version()) -- if pki_version >= pki.util.Version("11.0.0"): -- timestamp = time.strftime( -- "%Y%m%d%H%M%S", -- time.localtime(time.time())) -- log_file = os.path.join( -- paths.VAR_LOG_PKI_DIR, -- "pki-%s-destroy.%s.log" % (self.subsystem.lower(), timestamp)) -- args.extend(["--log-file", log_file]) -+ if self.subsystem == "ACME": -+ if pki_version < pki.util.Version("11.0.0"): -+ return -+ elif ( -+ pki.util.Version("11.0.0") <= pki_version -+ <= pki.util.Version("11.5.0") -+ ): -+ args = ['pki-server', 'acme-remove'] -+ else: -+ # fall through for PKI >= 11.6.0 -+ pass -+ if not args: -+ args = [paths.PKIDESTROY, -+ "-i", "pki-tomcat", "--force", -+ "-s", self.subsystem] -+ -+ # specify --log-file on PKI 11.0.0 or later -+ -+ if pki_version >= pki.util.Version("11.0.0"): -+ timestamp = time.strftime( -+ "%Y%m%d%H%M%S", -+ time.localtime(time.time())) -+ log_file = os.path.join( -+ paths.VAR_LOG_PKI_DIR, -+ "pki-%s-destroy.%s.log" % -+ (self.subsystem.lower(), timestamp)) -+ args.extend(["--log-file", log_file]) -+ if pki_version >= pki.util.Version("11.6.0"): -+ args.extend(["--remove-conf", "--remove-logs"]) - - try: - ipautil.run(args) -diff --git a/ipatests/test_integration/test_uninstallation.py b/ipatests/test_integration/test_uninstallation.py -index 4f8f17ce3ad8d5376ecba11442f379e5691de7f7..049c50db536ae1070f5f958e76b12a1518da0aba 100644 ---- a/ipatests/test_integration/test_uninstallation.py -+++ b/ipatests/test_integration/test_uninstallation.py -@@ -197,6 +197,7 @@ class TestUninstallCleanup(IntegrationTest): - '/var/lib/sss/pubconf/krb5.include.d/localauth_plugin', - '/var/named/dynamic/managed-keys.bind', - '/var/named/dynamic/managed-keys.bind.jnl', -+ '/var/lib/systemd/coredump/', - ] - - leftovers = [] -@@ -217,3 +218,23 @@ class TestUninstallCleanup(IntegrationTest): - leftovers.append(line) - - assert len(leftovers) == 0 -+ -+ -+class TestUninstallReinstall(IntegrationTest): -+ """Test install, uninstall, re-install. -+ -+ Reinstall with PKI 11.6.0 was failing -+ https://pagure.io/freeipa/issue/9673 -+ """ -+ -+ num_replicas = 0 -+ -+ @classmethod -+ def install(cls, mh): -+ tasks.install_master(cls.master, setup_dns=False) -+ -+ def test_uninstall_server(self): -+ tasks.uninstall_master(self.master) -+ -+ def test_reinstall_server(self): -+ tasks.install_master(self.master, setup_dns=False) --- -2.46.2 - diff --git a/0017-ipatests-Fixes-for-ipa-idrange-fix-testsuite.patch b/0017-ipatests-Fixes-for-ipa-idrange-fix-testsuite.patch deleted file mode 100644 index 910e631..0000000 --- a/0017-ipatests-Fixes-for-ipa-idrange-fix-testsuite.patch +++ /dev/null @@ -1,35 +0,0 @@ -From ae4c2ad6cd966d48c063814f494dcc16cf0ccd4c Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Tue, 24 Sep 2024 13:46:48 +0530 -Subject: [PATCH] ipatests: Fixes for ipa-idrange-fix testsuite - -This patch adds the line tasks.install_master(cls.master). -The kinit admin command fails with the below error as the -IPA is not configured on the test system - -'ipa: ERROR: stderr: kinit: Configuration file does not specify default -realm when parsing name admin' - -Signed-off-by: Sudhir Menon -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipa_idrange_fix.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipatests/test_integration/test_ipa_idrange_fix.py b/ipatests/test_integration/test_ipa_idrange_fix.py -index ff8fbdac9d028d26fc55f5e357f89af879a61723..0c915bd0931ed11a3aa86c533ee8748aa8a7ec07 100644 ---- a/ipatests/test_integration/test_ipa_idrange_fix.py -+++ b/ipatests/test_integration/test_ipa_idrange_fix.py -@@ -17,6 +17,9 @@ logger = logging.getLogger(__name__) - - - class TestIpaIdrangeFix(IntegrationTest): -+ -+ topology = 'line' -+ - @classmethod - def install(cls, mh): - super(TestIpaIdrangeFix, cls).install(mh) --- -2.46.2 - diff --git a/0018-spec-Use-nodejs22-on-RHEL-10-and-ELN.patch b/0018-spec-Use-nodejs22-on-RHEL-10-and-ELN.patch deleted file mode 100644 index 9586e86..0000000 --- a/0018-spec-Use-nodejs22-on-RHEL-10-and-ELN.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 642af014d9e7de8e53934af4ca3970977957cba7 Mon Sep 17 00:00:00 2001 -From: Yaakov Selkowitz -Date: Tue, 8 Oct 2024 02:13:00 -0400 -Subject: [PATCH] spec: Use nodejs22 on RHEL 10 and ELN - -nodejs22 is now the default nodejs version in RHEL 10 as well as ELN. - -Signed-off-by: Yaakov Selkowitz -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - freeipa.spec.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 171b6ad27b57553fdd46c7d041715949bb00b163..9b3d916f34c10a00070855578a593e299187bc44 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -308,10 +308,10 @@ BuildRequires: libpwquality-devel - BuildRequires: libsss_idmap-devel - BuildRequires: libsss_certmap-devel - BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} --%if 0%{?fedora} >= 41 -+%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10 - # Do not use nodejs22 on fedora < 41, https://pagure.io/freeipa/issue/9643 - BuildRequires: nodejs(abi) --%elif 0%{?fedora} >= 39 || 0%{?rhel} >= 10 -+%elif 0%{?fedora} >= 39 - # Do not use nodejs20 on fedora < 39, https://pagure.io/freeipa/issue/9374 - BuildRequires: nodejs(abi) < 127 - %else --- -2.46.2 - diff --git a/0019-Do-not-let-user-with-an-expired-OTP-token-to-log-in-.patch b/0019-Do-not-let-user-with-an-expired-OTP-token-to-log-in-.patch deleted file mode 100644 index ca6e6da..0000000 --- a/0019-Do-not-let-user-with-an-expired-OTP-token-to-log-in-.patch +++ /dev/null @@ -1,265 +0,0 @@ -From 18303b94bea4e08a0c889fc357df6ba2f308fa0d Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 2 Oct 2024 21:26:34 -0400 -Subject: [PATCH] Do not let user with an expired OTP token to log in if only - OTP is allowed - -If only OTP authentication is allowed, and a user tries to login with an -expired token, do not let them log in with their password. Forcing the -admin to intervene. If the user does not have an OTP token then allow -them to log in with a password until an OTP token is configured - -Fixes: https://pagure.io/freeipa/issue/9387 - -Signed-off-by: Mark Reynolds -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Julien Rische ---- - daemons/ipa-kdb/ipa_kdb_principals.c | 63 +++++++++++-- - .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 +- - ipatests/test_integration/test_otp.py | 94 ++++++++++++++++++- - 3 files changed, 151 insertions(+), 9 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 14603e528b43acb29234c425e97ad297ac6724a7..114957b884786dd3ca3b01c47f6bb82e8a040beb 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -107,7 +107,6 @@ static char *std_principal_obj_classes[] = { - "krbprincipal", - "krbprincipalaux", - "krbTicketPolicyAux", -- - NULL - }; - -@@ -338,14 +337,16 @@ static void ipadb_validate_otp(struct ipadb_context *ipactx, - if (dn == NULL) - return; - count = asprintf(&filter, ftmpl, dn, datetime, datetime); -- ldap_memfree(dn); -- if (count < 0) -+ if (count < 0) { -+ ldap_memfree(dn); - return; -+ } - - /* Fetch the active token list. */ - kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, - filter, (char**) attrs, &res); - free(filter); -+ filter = NULL; - if (kerr != 0 || res == NULL) - return; - -@@ -353,10 +354,60 @@ static void ipadb_validate_otp(struct ipadb_context *ipactx, - count = ldap_count_entries(ipactx->lcontext, res); - ldap_msgfree(res); - -- /* If the user is configured for OTP, but has no active tokens, remove -- * OTP from the list since the user obviously can't log in this way. */ -- if (count == 0) -+ /* -+ * If there are no valid tokens then we need to remove the OTP flag, -+ * unless OTP is the only auth type allowed... -+ */ -+ if (count == 0) { -+ /* Remove the OTP flag for now */ - *ua &= ~IPADB_USER_AUTH_OTP; -+ -+ if (*ua == 0) { -+ /* -+ * Ok, we "only" allow OTP, so if there is an expired/disabled -+ * token then add back the OTP flag as the server will double -+ * check the validity and reject the entire bind. Otherwise, this -+ * is the first time the user is authenticating and the user -+ * should be allowed to bind using its password -+ */ -+ static const char *expired_ftmpl = "(&" -+ "(objectClass=ipaToken)(ipatokenOwner=%s)" -+ "(|(ipatokenNotAfter<=%s)(!(ipatokenNotAfter=*))" -+ "(ipatokenDisabled=True))" -+ ")"; -+ if (asprintf(&filter, expired_ftmpl, dn, datetime) < 0) { -+ ldap_memfree(dn); -+ return; -+ } -+ -+ krb5_klog_syslog(LOG_INFO, -+ "Entry (%s) does not have a valid token and only OTP " -+ "authentication is supported, checking for expired tokens...", -+ dn); -+ -+ kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, -+ filter, (char**) attrs, &res); -+ free(filter); -+ if (kerr != 0 || res == NULL) { -+ ldap_memfree(dn); -+ return; -+ } -+ -+ if (ldap_count_entries(ipactx->lcontext, res) > 0) { -+ /* -+ * Ok we only allow OTP, and there are expired/disabled tokens -+ * so add the OTP flag back, and the server will reject the -+ * bind -+ */ -+ krb5_klog_syslog(LOG_INFO, -+ "Entry (%s) does have an expired/disabled token so this " -+ "user can not fall through to password auth", dn); -+ *ua |= IPADB_USER_AUTH_OTP; -+ } -+ ldap_msgfree(res); -+ } -+ } -+ ldap_memfree(dn); - } - - static void ipadb_validate_radius(struct ipadb_context *ipactx, -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index c967e2cfffbd920280639f3188783ec150523b47..1c1340e31ac30cb01412a7065ea339cb5461e839 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -1528,7 +1528,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - if (!syncreq && (otpreq == OTP_IS_NOT_REQUIRED)) { - ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG); - if (ret != 0) { -- LOG_FATAL("ipapwd_gen_checks failed!?\n"); -+ LOG_FATAL("ipapwd_gen_checks failed for '%s': %s\n", -+ slapi_sdn_get_dn(sdn), errMesg); - slapi_entry_free(entry); - slapi_sdn_free(&sdn); - return 0; -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index 350371bfe1e4c1cc6dcc89f6584f813fcb0d32a0..878b4fb560ba8d7768ead54b065656462545babd 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -10,6 +10,7 @@ import re - import time - import textwrap - from urllib.parse import urlparse, parse_qs -+from paramiko import AuthenticationException - - from cryptography.hazmat.backends import default_backend - from cryptography.hazmat.primitives import hashes -@@ -83,7 +84,7 @@ def kinit_otp(host, user, *, password, otp, success=True): - ) - - --def ssh_2f(hostname, username, answers_dict, port=22): -+def ssh_2f(hostname, username, answers_dict, port=22, unwanted_prompt=""): - """ - :param hostname: hostname - :param username: username -@@ -103,6 +104,10 @@ def ssh_2f(hostname, username, answers_dict, port=22): - logger.info("Prompt is: '%s'", prmpt_str) - logger.info( - "Answer to ssh prompt is: '%s'", answers_dict[prmpt_str]) -+ if unwanted_prompt and prmpt_str == unwanted_prompt: -+ # We should not see this prompt -+ raise ValueError("We got an unwanted prompt: " -+ + answers_dict[prmpt_str]) - return resp - - import paramiko -@@ -193,7 +198,8 @@ class TestOTPToken(IntegrationTest): - - # skipping too many OTP fails - otp1 = hotp.generate(10).decode("ascii") -- kinit_otp(self.master, USER, password=PASSWORD, otp=otp1, success=False) -+ kinit_otp(self.master, USER, password=PASSWORD, otp=otp1, -+ success=False) - # Now the token is desynchronized - yield (otpuid, hotp) - -@@ -536,3 +542,87 @@ class TestOTPToken(IntegrationTest): - finally: - master.run_command(['ipa', 'pwpolicy-mod', '--minlife', '1']) - master.run_command(['ipa', 'user-del', USER1]) -+ -+ def test_totp_expired_ldap(self): -+ master = self.master -+ basedn = master.domain.basedn -+ USER1 = 'user-expired-otp' -+ TMP_PASSWORD = 'Secret1234509' -+ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}") -+ controls = [ -+ BooleanControl( -+ controlType="2.16.840.1.113730.3.8.10.7", -+ booleanValue=True) -+ ] -+ -+ tasks.kinit_admin(master) -+ master.run_command(['ipa', 'pwpolicy-mod', '--minlife', '0']) -+ tasks.user_add(master, USER1, password=TMP_PASSWORD) -+ # Enforce use of OTP token for this user -+ master.run_command(['ipa', 'user-mod', USER1, -+ '--user-auth-type=otp']) -+ try: -+ # Change initial password through the IPA endpoint -+ url = f'https://{master.hostname}/ipa/session/change_password' -+ master.run_command(['curl', '-d', f'user={USER1}', -+ '-d', f'old_password={TMP_PASSWORD}', -+ '-d', f'new_password={PASSWORD}', -+ '--referer', f'https://{master.hostname}/ipa', -+ url]) -+ conn = master.ldap_connect() -+ # First, attempt authenticating with a password but without LDAP -+ # control to enforce OTP presence and without server-side -+ # enforcement of the OTP presence check. -+ conn.simple_bind(binddn, f"{PASSWORD}") -+ -+ # Add an OTP token and then modify it to be expired -+ otpuid, totp = add_otptoken(master, USER1, otptype="totp") -+ -+ # Make sure OTP auth is working -+ otpvalue = totp.generate(int(time.time())).decode("ascii") -+ conn = master.ldap_connect() -+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}", -+ client_controls=controls) -+ conn.unbind() -+ -+ # Modfy token so that is now expired -+ args = [ -+ "ipa", -+ "otptoken-mod", -+ otpuid, -+ "--not-after", -+ "20241001010000Z", -+ ] -+ master.run_command(args) -+ -+ # Next, authenticate with Password+OTP again and with the LDAP -+ # control this operation should now fail -+ time.sleep(45) -+ otpvalue = totp.generate(int(time.time())).decode("ascii") -+ -+ conn = master.ldap_connect() -+ with pytest.raises(errors.ACIError): -+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}", -+ client_controls=controls) -+ -+ # Sleep to make sure we are going to use a different token value -+ time.sleep(45) -+ -+ # Use OTP token again but authenticate over ssh and make sure it -+ # doesn't fallthrough to asking for a password -+ otpvalue = totp.generate(int(time.time())).decode("ascii") -+ answers = { -+ 'Enter first factor:': PASSWORD, -+ 'Enter second factor:': otpvalue -+ } -+ with pytest.raises(AuthenticationException): -+ # ssh should fail and NOT ask for a password -+ ssh_2f(master.hostname, USER1, answers, -+ unwanted_prompt="Password:") -+ -+ # Remove token -+ del_otptoken(self.master, otpuid) -+ -+ finally: -+ master.run_command(['ipa', 'pwpolicy-mod', '--minlife', '1']) -+ master.run_command(['ipa', 'user-del', USER1]) --- -2.46.2 - diff --git a/0020-ipatests-Activate-ssh-in-sssd.conf.patch b/0020-ipatests-Activate-ssh-in-sssd.conf.patch deleted file mode 100644 index 9e24025..0000000 --- a/0020-ipatests-Activate-ssh-in-sssd.conf.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 761647f842567713032709753b6d63467d9871a6 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Mon, 23 Sep 2024 14:05:43 +0530 -Subject: [PATCH] ipatests: Activate ssh in sssd.conf - -This testcase checks that services: ssh -is included in the sssd.conf file when -ipa-client-install is successful. - -Ref: https://pagure.io/freeipa/issue/9649 - -Signed-off-by: Sudhir Menon -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_installation_client.py | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py -index f8567b39eead4dffd522aad504fa72a086969257..884bff2f2f3e49f66da391424e128d8e31b82a8a 100644 ---- a/ipatests/test_integration/test_installation_client.py -+++ b/ipatests/test_integration/test_installation_client.py -@@ -94,6 +94,16 @@ class TestInstallClient(IntegrationTest): - ).encode() not in krb5_cfg - tasks.uninstall_client(self.clients[0]) - -+ def test_check_ssh_service_is_activated(self): -+ """ -+ This test checks all default services are activated -+ in sssd.conf including ssh -+ """ -+ tasks.install_client(self.master, self.clients[0]) -+ sssd_cfg = self.clients[0].get_file_contents(paths.SSSD_CONF) -+ assert 'services = nss, pam, ssh, sudo' in sssd_cfg.decode() -+ tasks.uninstall_client(self.clients[0]) -+ - def test_install_with_automount(self): - """Test that installation with automount is successful""" - tasks.install_client(self.master, self.clients[0], --- -2.46.2 - diff --git a/0021-ipa-migrate-man-page-fix-typos-and-errors.patch b/0021-ipa-migrate-man-page-fix-typos-and-errors.patch deleted file mode 100644 index a48b5d4..0000000 --- a/0021-ipa-migrate-man-page-fix-typos-and-errors.patch +++ /dev/null @@ -1,131 +0,0 @@ -From f978fa05e3ed9d4ad9d20493c05c77fb9b4976a7 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 15 Oct 2024 17:04:55 +0200 -Subject: [PATCH] ipa-migrate man page: fix typos and errors - -ipa-migrate man page mentions non-existing option --hostname. -Fix the SYNOPSIS and various typos. - -Fixes: https://pagure.io/freeipa/issue/9681 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Mark Reynolds ---- - install/tools/man/ipa-migrate.1 | 38 +++++++++++++++------------------ - 1 file changed, 17 insertions(+), 21 deletions(-) - -diff --git a/install/tools/man/ipa-migrate.1 b/install/tools/man/ipa-migrate.1 -index 47ae47ea4afa3a5a6fe25dd9bbd14c27ab5f1fdb..5106f4f0f5b5928909ccd5abcef3bb6d1586f5df 100644 ---- a/install/tools/man/ipa-migrate.1 -+++ b/install/tools/man/ipa-migrate.1 -@@ -5,11 +5,11 @@ - .SH "NAME" - ipa\-migrate \- Migrate an IPA server from one machine to another - .SH "SYNOPSIS" --ipa\-migrate -+\fBipa\-migrate\fR [OPTIONS] \fBprod\-mode\fR|\fBstage\-mode\fR \fIhostname\fR - .SH "DESCRIPTION" - - Use the \fIipa-migrate\fR command to migrate one --IPA server to an existing local IPA server installation. -+IPA server \fIhostname\fR to an existing local IPA server installation. - - Migrate IPA schema, configuration, and database to a local IPA server. This - migration can be done online, where the tool will query the remote server. Or, -@@ -19,7 +19,6 @@ and then use an exported LDIF file for the database migration portion (this - might be more useful for very large databases as you don't need to worry about - network interruptions) - --.SH POSITIONAL ARGUMENTS - .TP - \fBprod\-mode\fR - In this mode everything will be migrated including the current user SIDs and -@@ -28,13 +27,10 @@ DNA ranges - \fBstage\-mode\fR - In this mode, SIDs & DNA ranges are not migrated, and DNA attributes are reset - --.SH "COMMANDS" -+.SH "OPTIONS" - .TP - \fB\-v\fR, \fB\-\-verbose\fR --Use verbose output while running the migration tool. --.TP --\fB\-e\fR, \fB\-\-hostname=HOSTNAME\fR --The host name of the remote IPA server that is being migrated from. -+Use verbose output while running the migration tool - .TP - \fB\-D\fR, \fB\-\-bind\-dn=BIND_DN\fR - The Bind DN (Distinguished Name) or an LDAP entry to bind to the remote IPA server with. -@@ -43,10 +39,10 @@ access to read the userPassword attribute. If ommitted the default is "cn=direc - .TP - \fB\-w\fR, \fB\-\-bind\-pw=PASSWORD\fR - The password for the Bind DN that is authenticating against the remote IPA server. If --a password is not provided then the tool with prompt for the password if needed. -+a password is not provided then the tool with prompt for the password if needed - .TP --\fB\-Just\fR, \fB\-\-bind\-pw\-file=FILE_PATH\fR --Path to a file containing the password for the Bind DN. -+\fB\-j\fR, \fB\-\-bind\-pw\-file=FILE_PATH\fR -+Path to a file containing the password for the Bind DN - .TP - \fB\-Z\fR, \fB\-\-cacertfile=FILE_PATH\fR - Path to a file containing a CA Certificate that the remote server trusts -@@ -55,23 +51,23 @@ Path to a file containing a CA Certificate that the remote server trusts - Path to a file containing the migration log. By default the tool will use \fI/var/log/ipa-migrate.log\fR - .TP - \fB\-x\fR, \fB\-\-dryrun\fR --Go through the migration process but do not write and data to the new IPA server. -+Go through the migration process but do not write any data to the new IPA server - .TP - \fB\-o\fR, \fB\-\-dryrun\-record=FILE_PATH\fR - Go through the migration process but do not write any data to the new IPA server. However, write the --migration operations to an LDIF file which can be applied later or reused for multiple migrations. -+migration operations to an LDIF file which can be applied later or reused for multiple migrations - .TP - \fB\-r\fR, \fB\-\-reset\-range\fR - Reset the ID range for migrated users/groups. In "stage-mode" this is done automatically - .TP - \fB\-F\fR, \fB\-\-force\fR --Ignore any errors and continue to proceed with migration effort. -+Ignore any errors and continue to proceed with migration effort - .TP - \fB\-q\fR, \fB\-\-quiet\fR --Only log errors during the migration process. -+Only log errors during the migration process - .TP - \fB\-B\fR, \fB\-\-migrate\-dns\fR --Migrate thr DNS records -+Migrate the DNS records - .TP - \fB\-S\fR, \fB\-\-skip\-schema\fR - Do not migrate the database schema -@@ -80,21 +76,21 @@ Do not migrate the database schema - Do not migrate the database configuration (dse.ldif/cn=config) - .TP - \fB\-O\fR, \fB\-\-schema\-overwrite\fR --Overwrite existing schema definitions. By default duplicate schema is skipped. -+Overwrite existing schema definitions. By default duplicate schema is skipped - .TP - \fB\-s\fR, \fB\-\-subtree=DN\fR - Specifies a custom database subtree that should be included in the migration. - This is only needed if non-default subtrees/branches were added to the database --outside of IPA. -+outside of IPA - .TP - \fB\-f\fR, \fB\-\-db\-ldif=FILE_PATH\fR --LDIF file containing the entire backend. If omitted the tool will query the remote IPA server. -+LDIF file containing the entire backend. If omitted the tool will query the remote IPA server - .TP - \fB\-m\fR, \fB\-\-schema\-ldif=FILE_PATH\fR --LDIF file containing the schema. If omitted the tool will query the remote IPA server. -+LDIF file containing the schema. If omitted the tool will query the remote IPA server - .TP - \fB\-g\fR, \fB\-\-config\-ldif=FILE_PATH\fR --LDIF file containing the entire "cn=config" DIT. If omitted the tool will query the remote IPA server. -+LDIF file containing the entire "cn=config" DIT. If omitted the tool will query the remote IPA server - .TP - \fB\-n\fR, \fB\-\-no\-prompt\fR - Do not prompt for confirmation before starting migration. Use at your own risk! --- -2.46.2 - diff --git a/0022-ipatests-Test-for-ipa-hbac-rule-duplication.patch b/0022-ipatests-Test-for-ipa-hbac-rule-duplication.patch deleted file mode 100644 index 7660ce0..0000000 --- a/0022-ipatests-Test-for-ipa-hbac-rule-duplication.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 7f4e7e1d6a2ae9d05a2dfcf620f4df07d09d9d2b Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Thu, 3 Oct 2024 18:45:31 +0530 -Subject: [PATCH] ipatests: Test for ipa hbac rule duplication - -This test checks that ipa-migrate is not creating duplicate default hbac rules -for allow_all and allow_systemd-user rules. - -Related: https://pagure.io/freeipa/issue/9640 - -Signed-off-by: Sudhir Menon -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../test_ipa_ipa_migration.py | 26 +++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py -index 288165e8a83a96e6f6bd4e52866f98617f497c56..70c268951a0d7e40806742b16e62b764b2bae37b 100644 ---- a/ipatests/test_integration/test_ipa_ipa_migration.py -+++ b/ipatests/test_integration/test_ipa_ipa_migration.py -@@ -9,6 +9,7 @@ from __future__ import absolute_import - from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks - from ipaplatform.paths import paths -+from collections import Counter - - import pytest - import textwrap -@@ -920,3 +921,28 @@ class TestIPAMigrateScenario1(IntegrationTest): - ) - assert result.returncode == 1 - assert ERR_MSG in result.stderr_text -+ -+ def test_ipa_hbac_rule_duplication(self): -+ """ -+ This testcase checks that default hbac rules -+ are not duplicated on the local server when -+ ipa-migrate command is run. -+ """ -+ run_migrate( -+ self.replicas[0], -+ "prod-mode", -+ self.master.hostname, -+ "cn=Directory Manager", -+ self.master.config.admin_password, -+ extra_args=['-n'] -+ ) -+ result = self.replicas[0].run_command( -+ ['ipa', 'hbacrule-find'] -+ ) -+ lines = result.stdout_text.splitlines() -+ line = [] -+ for i in lines: -+ line.append(i.strip()) -+ count = Counter(line) -+ assert count.get('Rule name: allow_all') < 2 -+ assert count.get('Rule name: allow_systemd-user') < 2 --- -2.46.2 - diff --git a/0023-ipatests-refactor-password-file-handling-in-TestHSMI.patch b/0023-ipatests-refactor-password-file-handling-in-TestHSMI.patch deleted file mode 100644 index 0d8eacd..0000000 --- a/0023-ipatests-refactor-password-file-handling-in-TestHSMI.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 142f52fc981fe9f1d693b79a7b49506af2e98829 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Mon, 19 Aug 2024 16:08:53 +0530 -Subject: [PATCH] ipatests: refactor password file handling in TestHSMInstall - -When token and associated certs are not being cleaned -up properly, the subsequent installation fails. Hence -Password file related scenarios moved out to new test class -so that it have fresh installation. - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../nightly_ipa-4-12_latest.yaml | 12 ++++++++ - .../nightly_ipa-4-12_latest_selinux.yaml | 13 ++++++++ - ipatests/test_integration/test_hsm.py | 30 ++++++++++--------- - 3 files changed, 41 insertions(+), 14 deletions(-) - -diff --git a/ipatests/prci_definitions/nightly_ipa-4-12_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-12_latest.yaml -index 6d18e708fb0512ce21d8db68d4f1ab26849f40b7..07e2a8399ae4cc953adb415b975101ed20c67fd2 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-12_latest.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-12_latest.yaml -@@ -1950,6 +1950,18 @@ jobs: - timeout: 6300 - topology: *master_3repl_1client - -+ fedora-latest-ipa-4-12/test_hsm_TestHSMInstallPasswordFile: -+ requires: [fedora-latest-ipa-4-12/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-12/build_url}' -+ test_suite: test_integration/test_hsm.py::TestHSMInstallPasswordFile -+ template: *ci-ipa-4-12-latest -+ timeout: 6300 -+ topology: *master_1repl -+ - fedora-latest-ipa-4-12/test_hsm_TestHSMInstallADTrustBase: - requires: [fedora-latest-ipa-4-12/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_ipa-4-12_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-12_latest_selinux.yaml -index 52686df9713975c9590b8a99edb7c3442531fecc..11046be13fca1e7403d0fd74329a66ded3927a6c 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-12_latest_selinux.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-12_latest_selinux.yaml -@@ -2105,6 +2105,19 @@ jobs: - timeout: 6300 - topology: *master_3repl_1client - -+ fedora-latest-ipa-4-12/test_hsm_TestHSMInstallPasswordFile: -+ requires: [fedora-latest-ipa-4-12/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-12/build_url}' -+ selinux_enforcing: True -+ test_suite: test_integration/test_hsm.py::TestHSMInstallPasswordFile -+ template: *ci-ipa-4-12-latest -+ timeout: 6300 -+ topology: *master_1repl -+ - fedora-latest-ipa-4-12/test_hsm_TestHSMInstallADTrustBase: - requires: [fedora-latest-ipa-4-12/build] - priority: 50 -diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py -index 374f5c25fd3453cd45a15d2b0f20cee424282595..42895fcd60a7c02d3b6103c2f6751a367da30b2f 100644 ---- a/ipatests/test_integration/test_hsm.py -+++ b/ipatests/test_integration/test_hsm.py -@@ -312,24 +312,26 @@ class TestHSMInstall(BaseHSMTest): - assert returncode == 0 - assert output == "No issues found." - -- def test_hsm_install_server_password_file(self): -- check_version(self.master) -- # cleanup before fresh install with password file -- for client in self.clients: -- tasks.uninstall_client(client) - -- for replica in self.replicas: -- tasks.uninstall_master(replica) -+class TestHSMInstallPasswordFile(BaseHSMTest): - -- tasks.uninstall_master(self.master) -+ num_replicas = 1 - -- delete_hsm_token([self.master] + self.replicas, self.token_name) -- self.token_name, self.token_password = get_hsm_token(self.master) -- self.master.put_file_contents(self.token_password_file, -- self.token_password) -- self.replicas[0].put_file_contents(self.token_password_file, -- self.token_password) -+ @classmethod -+ def install(cls, mh): -+ check_version(cls.master) -+ # Enable pkiuser to read softhsm tokens -+ cls.master.run_command(['usermod', 'pkiuser', '-a', '-G', 'ods']) -+ cls.token_name, cls.token_password = get_hsm_token(cls.master) -+ cls.master.put_file_contents( -+ cls.token_password_file, cls.token_password -+ ) -+ cls.replicas[0].put_file_contents( -+ cls.token_password_file, cls.token_password -+ ) - -+ def test_hsm_install_server_password_file(self): -+ check_version(self.master) - tasks.install_master( - self.master, setup_dns=self.master_with_dns, - setup_kra=self.master_with_kra, --- -2.46.2 - diff --git a/0024-ipatests-2FA-test-cases.patch b/0024-ipatests-2FA-test-cases.patch deleted file mode 100644 index 398202f..0000000 --- a/0024-ipatests-2FA-test-cases.patch +++ /dev/null @@ -1,276 +0,0 @@ -From 6ac11ae003740faf19f3c75bf542ec44f717114f Mon Sep 17 00:00:00 2001 -From: Madhuri Upadhye -Date: Tue, 23 Jul 2024 18:14:36 +0530 -Subject: [PATCH] ipatests: 2FA test cases - -Added following: - -Added 'ssh_2fa_with_cmd' method for authentication, -as for '\n' with paramiko did not work. In a test case -need to just press `Enter` for `second factor`. -Advantage of above function is no having paramiko -dependancy. -We can run the any command in same session after -authentication of user. - -Test cases: -1. Authenticate the user only with password, -just press enter at `Second factor` and check tgt after auth. -when User authentication types: otp, password -2. Authenticate the user with password and otpvalues and -check tgt of user after auth when -User authentication types: otp, password - -related: https://github.com/SSSD/sssd/pull/7500 - -Signed-off-by: Madhuri Upadhye -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_otp.py | 192 ++++++++++++++++++++++++-- - 1 file changed, 181 insertions(+), 11 deletions(-) - -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index 878b4fb560ba8d7768ead54b065656462545babd..0babb45897c6107bf354477dbb0d3a805a3116f5 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -5,26 +5,27 @@ - """ - import base64 - import logging --import pytest - import re --import time -+import tempfile - import textwrap --from urllib.parse import urlparse, parse_qs --from paramiko import AuthenticationException -+import time -+from urllib.parse import parse_qs, urlparse - -+import pytest - from cryptography.hazmat.backends import default_backend - from cryptography.hazmat.primitives import hashes - from cryptography.hazmat.primitives.twofactor.hotp import HOTP - from cryptography.hazmat.primitives.twofactor.totp import TOTP -- --from ipatests.test_integration.base import IntegrationTest --from ipaplatform.paths import paths --from ipatests.pytest_ipa.integration import tasks --from ipapython.dn import DN -- - from ldap.controls.simple import BooleanControl -+from paramiko import AuthenticationException - - from ipalib import errors -+from ipaplatform.osinfo import osinfo -+from ipaplatform.paths import paths -+from ipapython.dn import DN -+from ipatests.pytest_ipa.integration import tasks -+from ipatests.test_integration.base import IntegrationTest -+from ipatests.util import xfail_context - - PASSWORD = "DummyPassword123" - USER = "opttestuser" -@@ -84,6 +85,65 @@ def kinit_otp(host, user, *, password, otp, success=True): - ) - - -+def ssh_2fa_with_cmd(host, hostname, username, password, otpvalue, -+ command="exit 0"): -+ """ ssh to user and in same session pass the command to check tgt of user -+ :param host: host to ssh -+ :param hostname: hostname to ssh -+ :param str username: The name of user -+ :param str password: password, usually the first factor -+ :param str otpvalue: generated pin of user -+ :param str command: command to execute in same session, -+ by deafult set to "exit 0" -+ :return: object class of expect command run -+ """ -+ temp_conf = tempfile.NamedTemporaryFile(suffix='.exp', delete=False) -+ with open(temp_conf.name, 'w') as tfile: -+ tfile.write('proc exitmsg { msg code } {\n') -+ tfile.write('\t# Close spawned program, if we are in the prompt\n') -+ tfile.write('\tcatch close\n\n') -+ tfile.write('\t# Wait for the exit code\n') -+ tfile.write('\tlassign [wait] pid spawnid os_error_flag rc\n\n') -+ tfile.write('\tputs ""\n') -+ tfile.write('\tputs "expect result: $msg"\n') -+ tfile.write('\tputs "expect exit code: $code"\n') -+ tfile.write('\tputs "expect spawn exit code: $rc"\n') -+ tfile.write('\texit $code\n') -+ tfile.write('}\n') -+ tfile.write('set timeout 60\n') -+ tfile.write('set prompt ".*\\[#\\$>\\] $"\n') -+ tfile.write(f'set password "{password}"\n') -+ tfile.write(f'set otpvalue "{otpvalue}"\n') -+ tfile.write(f'spawn ssh -o NumberOfPasswordPrompts=1 -o ' -+ f'StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' -+ f' -l {username} {hostname} {command}\n') -+ tfile.write('expect {\n') -+ tfile.write('"Enter first factor:*" {send -- "$password\r"}\n') -+ tfile.write('timeout {exitmsg "Unexpected output" 201}\n') -+ tfile.write('eof {exitmsg "Unexpected end of file" 202}\n') -+ tfile.write('}\n') -+ tfile.write('expect {\n') -+ tfile.write('"Enter second factor:*" {send -- "$otpvalue\r"}\n') -+ tfile.write('timeout {exitmsg "Unexpected output" 201}\n') -+ tfile.write('eof {exitmsg "Unexpected end of file" 202}\n') -+ tfile.write('}\n') -+ tfile.write('expect {\n') -+ tfile.write('"Authentication failure" ' -+ '{exitmsg "Authentication failure" 1}\n') -+ tfile.write('eof {exitmsg "Authentication successful" 0}\n') -+ tfile.write('timeout {exitmsg "Unexpected output" 201}\n') -+ tfile.write('}\n') -+ tfile.write('expect {\n') -+ tfile.write('exitmsg "Unexpected code path" 203\n') -+ tfile.write('EOF\n') -+ tfile.write('}') -+ host.transport.put_file(temp_conf.name, '/tmp/ssh.exp') -+ tasks.clear_sssd_cache(host) -+ expect_cmd = 'expect -f /tmp/ssh.exp' -+ cmd = host.run_command(expect_cmd, raiseonerr=False) -+ return cmd -+ -+ - def ssh_2f(hostname, username, answers_dict, port=22, unwanted_prompt=""): - """ - :param hostname: hostname -@@ -91,6 +151,7 @@ def ssh_2f(hostname, username, answers_dict, port=22, unwanted_prompt=""): - :param answers_dict: dictionary of options with prompt_message and value. - :param port: port for ssh - """ -+ - # Handler for server questions - def answer_handler(title, instructions, prompt_list): - resp = [] -@@ -131,8 +192,9 @@ class TestOTPToken(IntegrationTest): - - @classmethod - def install(cls, mh): -- super(TestOTPToken, cls).install(mh) - master = cls.master -+ tasks.install_packages(master, ['expect']) -+ super(TestOTPToken, cls).install(mh) - - tasks.kinit_admin(master) - # create service with OTP auth indicator -@@ -398,6 +460,114 @@ class TestOTPToken(IntegrationTest): - self.master.run_command(['semanage', 'login', '-D']) - sssd_conf_backup.restore() - -+ def test_2fa_only_with_password(self): -+ """Test ssh with 2FA only with the password(first factor) when -+ user-auth-type is opt and password. -+ -+ Test for : https://github.com/SSSD/sssd/pull/7500 -+ -+ Add the IPA user and user-auth-type set to opt and password. -+ Authenticate the user only with password, just press enter -+ at `Second factor` -+ """ -+ master = self.master -+ USER3 = 'sshuser3' -+ sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF) -+ first_prompt = 'Enter first factor:' -+ second_prompt = 'Enter second factor:' -+ add_contents = textwrap.dedent(''' -+ [prompting/2fa/sshd] -+ single_prompt = False -+ first_prompt = {0} -+ second_prompt = {1} -+ ''').format(first_prompt, second_prompt) -+ set_sssd_conf(master, add_contents) -+ tasks.create_active_user(master, USER3, PASSWORD) -+ tasks.kinit_admin(master) -+ master.run_command(['ipa', 'user-mod', USER3, '--user-auth-type=otp', -+ '--user-auth-type=password']) -+ try: -+ otpuid, totp = add_otptoken(master, USER3, otptype='totp') -+ master.run_command(['ipa', 'otptoken-show', otpuid]) -+ totp.generate(int(time.time())).decode('ascii') -+ otpvalue = "\n" -+ tasks.clear_sssd_cache(self.master) -+ github_ticket = "https://github.com/SSSD/sssd/pull/7500" -+ sssd_version = tasks.get_sssd_version(master) -+ rhel_fail = ( -+ osinfo.id == 'rhel' -+ and sssd_version < tasks.parse_version("2.9.5") -+ ) -+ fedora_fail = ( -+ osinfo.id == 'fedora' -+ and sssd_version == tasks.parse_version("2.9.5") -+ ) -+ with xfail_context(rhel_fail or fedora_fail, reason=github_ticket): -+ result = ssh_2fa_with_cmd(master, -+ self.master.external_hostname, -+ USER3, PASSWORD, otpvalue=otpvalue, -+ command="klist") -+ print(result.stdout_text) -+ assert ('Authentication successful') in result.stdout_text -+ assert USER3 in result.stdout_text -+ assert (f'Default principal: ' -+ f'{USER3}@{self.master.domain.realm}' in -+ result.stdout_text) -+ cmd = self.master.run_command(['semanage', 'login', '-l']) -+ assert USER3 in cmd.stdout_text -+ finally: -+ master.run_command(['ipa', 'user-del', USER3]) -+ self.master.run_command(['semanage', 'login', '-D']) -+ sssd_conf_backup.restore() -+ -+ def test_2fa_with_otp_password(self): -+ """Test ssh with 2FA only with password and otpvalue when -+ user-auth-type is opt and password. -+ -+ Test for : https://github.com/SSSD/sssd/pull/7500 -+ -+ Add the IPA user and user-auth-type set to opt and password. -+ Authenticate the user only with password and otpvalue. -+ """ -+ master = self.master -+ USER4 = 'sshuser4' -+ sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF) -+ first_prompt = 'Enter first factor:' -+ second_prompt = 'Enter second factor:' -+ add_contents = textwrap.dedent(''' -+ [prompting/2fa/sshd] -+ single_prompt = False -+ first_prompt = {0} -+ second_prompt = {1} -+ ''').format(first_prompt, second_prompt) -+ set_sssd_conf(master, add_contents) -+ tasks.create_active_user(master, USER4, PASSWORD) -+ tasks.kinit_admin(master) -+ -+ master.run_command(['ipa', 'user-mod', USER4, '--user-auth-type=otp', -+ '--user-auth-type=password']) -+ try: -+ otpuid, totp = add_otptoken(master, USER4, otptype='totp') -+ master.run_command(['ipa', 'otptoken-show', otpuid]) -+ otpvalue = totp.generate(int(time.time())).decode('ascii') -+ tasks.clear_sssd_cache(self.master) -+ result = ssh_2fa_with_cmd(master, -+ self.master.external_hostname, -+ USER4, PASSWORD, otpvalue=otpvalue, -+ command="klist") -+ print(result.stdout_text) -+ cmd = self.master.run_command(['semanage', 'login', '-l']) -+ # check the output -+ assert ('Authentication successful') in result.stdout_text -+ assert USER4 in result.stdout_text -+ assert (f'Default principal: {USER4}@' -+ f'{self.master.domain.realm}' in result.stdout_text) -+ assert USER4 in cmd.stdout_text -+ finally: -+ master.run_command(['ipa', 'user-del', USER4]) -+ self.master.run_command(['semanage', 'login', '-D']) -+ sssd_conf_backup.restore() -+ - @pytest.fixture - def setup_otp_nsslapd(self): - check_services = self.master.run_command( --- -2.46.2 - diff --git a/0025-Small-fixup-to-determine-which-ACME-uninstaller-to-u.patch b/0025-Small-fixup-to-determine-which-ACME-uninstaller-to-u.patch deleted file mode 100644 index e96338f..0000000 --- a/0025-Small-fixup-to-determine-which-ACME-uninstaller-to-u.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 9a2de23eb5e00efa72189c4a86d9db1fab52c2ca Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 24 Oct 2024 11:49:17 -0400 -Subject: [PATCH] Small fixup to determine which ACME uninstaller to use - -The conditional was <= 11.5.0 which it should have been -< 11.6.0 to allow for small updates to the 11.5.0 branch. - -Fixes: https://pagure.io/freeipa/issue/9673 -Fixes: https://pagure.io/freeipa/issue/9674 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/dogtaginstance.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index 4b0f4d274b0c33140ed6f939f1a3fd8b75930ff9..58421a1d8859e5dd1357e07fd605e84e49048951 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -311,7 +311,7 @@ class DogtagInstance(service.Service): - return - elif ( - pki.util.Version("11.0.0") <= pki_version -- <= pki.util.Version("11.5.0") -+ < pki.util.Version("11.6.0") - ): - args = ['pki-server', 'acme-remove'] - else: --- -2.47.0 - diff --git a/0026-Fix-a-couple-of-instances-of-the-no-break-control-ch.patch b/0026-Fix-a-couple-of-instances-of-the-no-break-control-ch.patch deleted file mode 100644 index 5a1caf0..0000000 --- a/0026-Fix-a-couple-of-instances-of-the-no-break-control-ch.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 993f792f2e26f8a14a5e3691c06a6b15d57072e7 Mon Sep 17 00:00:00 2001 -From: Sam Morris -Date: Tue, 17 Sep 2024 12:43:08 +0100 -Subject: [PATCH] Fix a couple of instances of the "no-break control character" - being used inadvertently - -Fixes https://pagure.io/freeipa/issue/9665 - -Signed-off-by: Sam Morris -Reviewed-By: Alexander Bokovoy ---- - client/man/ipa-client-install.1 | 4 ++-- - client/man/ipa.1 | 6 +++--- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 -index 4a755ac33d35246304303b847a62cb3fc97680b7..725b114224781e2f7ec7c71eaf5b7be807008655 100644 ---- a/client/man/ipa-client-install.1 -+++ b/client/man/ipa-client-install.1 -@@ -240,8 +240,8 @@ for more information. The option is mutually exclusive with - \fB\-\-pkinit\-anchor\fR=\fIFILEDIR\fR - Trust anchors (root and intermediate CA certs) for PKINIT. \fIFILEDIR\fR is - either the absolute path to a PEM bundle (for example --'FILE:/etc/pki/tls/cert.pem') or to an OpenSSL hash directory (for example --'DIR:/etc/ssl/certs/'). The option can be used multiple times. PKINIT -+\fIFILE:/etc/pki/tls/cert.pem\fR) or to an OpenSSL hash directory (for example -+\fIDIR:/etc/ssl/certs/\fR). The option can be used multiple times. PKINIT - requires the full trust chain of the Kerberos KDC server as well as the full - trust chain of the identity certificate. - -diff --git a/client/man/ipa.1 b/client/man/ipa.1 -index 172c50d8a1f2ba137ea10d93343fb54efbdb765d..c404c5be36da78ebb4d08cd0e4b2b9ea27d9e71b 100644 ---- a/client/man/ipa.1 -+++ b/client/man/ipa.1 -@@ -176,11 +176,11 @@ journal as journald records execution context. See systemd.journal\-fields(7) - for details. - - The details of the individual logged messages can be explained with the help of --'\fBjournalctl -x\fR' command, while full set of logged properties can be --retrieved with '\fBjournalctl -o json-pretty\fR'. See journalctl(1) for details -+\fBjournalctl -x\fR command, while full set of logged properties can be -+retrieved with \fBjournalctl -o json-pretty\fR. See journalctl(1) for details - on the systemd journal viewer. - --For the sample message above, an explanation could be requested with '\fBjournalctl -x -g ldap2_140328582446688\fR' where LDAP backend connection instance identifier can be used to uniquely fetch that individual message. -+For the sample message above, an explanation could be requested with \fBjournalctl -x -g ldap2_140328582446688\fR where LDAP backend connection instance identifier can be used to uniquely fetch that individual message. - - .SH "EXAMPLES" - .TP --- -2.47.0 - diff --git a/0027-ipa-migrate-dryrun-write-updates-crashes-when-removi.patch b/0027-ipa-migrate-dryrun-write-updates-crashes-when-removi.patch deleted file mode 100644 index 2ed299e..0000000 --- a/0027-ipa-migrate-dryrun-write-updates-crashes-when-removi.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3d0962014adda39b754c4274ccb5ca5d70963c33 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 21 Oct 2024 13:51:13 -0400 -Subject: [PATCH] ipa-migrate - dryrun write updates crashes when removing - values - -When removing values the mod value list is None and that leads to a -crash when trying to iterate it. Instead check that the vals are not -None before looping. - -Fixes: https://pagure.io/freeipa/issue/9682 - -Signed-off-by: MArk Reynolds -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipaserver/install/ipa_migrate.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py -index 38356aa23ea435e2a616f48356feaea7b50dd1e4..f35629378490d3d45ca97f2aa5b4390c67d660ed 100644 ---- a/ipaserver/install/ipa_migrate.py -+++ b/ipaserver/install/ipa_migrate.py -@@ -622,7 +622,7 @@ class IPAMigrate(): - else: - action = "replace" - ldif_entry += f"{action}: {attr}\n" -- for val in vals: -+ for val in list(vals or []): - ldif_entry += get_ldif_attr_val(attr, val) - ldif_entry += "-\n" - ldif_entry += "\n" --- -2.47.0 - diff --git a/0028-ipa-migrate-should-migrate-dns-forward-zones.patch b/0028-ipa-migrate-should-migrate-dns-forward-zones.patch deleted file mode 100644 index ac75a1c..0000000 --- a/0028-ipa-migrate-should-migrate-dns-forward-zones.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 6bdb8603054fc60e9479f6aaf8b6315dfe508891 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 22 Oct 2024 13:00:03 -0400 -Subject: [PATCH] ipa-migrate should migrate dns forward zones - -Fixes: https://pagure.io/freeipa/issue/9686 - -Signed-off-by: Mark Reynolds -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipaserver/install/ipa_migrate_constants.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py -index 250f1b5b01bf066d316a98489ab6153b89615173..c140414ea6c607a93e35ef0705480d1002b7945e 100644 ---- a/ipaserver/install/ipa_migrate_constants.py -+++ b/ipaserver/install/ipa_migrate_constants.py -@@ -993,7 +993,7 @@ DB_OBJECTS = { - 'count': 0, - }, - 'dns_records': { -- 'oc': ['idnsrecord', 'idnszone'], -+ 'oc': ['idnsrecord', 'idnszone', 'idnsforwardzone'], - 'subtree': ',cn=dns,$SUFFIX', - 'label': 'DNS Records', - 'mode': 'all', --- -2.47.0 - diff --git a/0029-vault-handle-pyca-InternalError-exception-for-PKCS-1.patch b/0029-vault-handle-pyca-InternalError-exception-for-PKCS-1.patch deleted file mode 100644 index 3f4ff73..0000000 --- a/0029-vault-handle-pyca-InternalError-exception-for-PKCS-1.patch +++ /dev/null @@ -1,44 +0,0 @@ -From dad2f06ed6854abbd81b747c26de6c13dfea327b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 30 Oct 2024 10:48:50 +0200 -Subject: [PATCH] vault: handle pyca InternalError exception for PKCS#1 v1.5 - padding - -In FIPS mode one cannot use PKCS#1 v1.5 padding. OpenSSL did remove it -from the FIPS provider and will report an error that PyCA cannot -process, so it will raise its own InternalException. - -Handle it the same way as ValueError. - -Fixes: https://pagure.io/freeipa/issue/9689 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - ipaclient/plugins/vault.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py -index 96edf09a2060e7b39e1e96c6fa65ae095ec18e73..75415c03a57242ae674636fa31a72db2fa56d6ea 100644 ---- a/ipaclient/plugins/vault.py -+++ b/ipaclient/plugins/vault.py -@@ -37,6 +37,7 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes - from cryptography.hazmat.primitives.padding import PKCS7 - from cryptography.hazmat.primitives.serialization import ( - load_pem_public_key, load_pem_private_key) -+from cryptography.exceptions import InternalError as CryptographyInternalError - - from ipaclient.frontend import MethodOverride - from ipalib import x509 -@@ -717,7 +718,7 @@ class ModVaultData(Local): - algo.key, - padding.PKCS1v15() - ) -- except ValueError: -+ except (ValueError, CryptographyInternalError): - wrapped_session_key = public_key.encrypt( - algo.key, - padding.OAEP( --- -2.47.0 - diff --git a/0030-ipatests-Tests-for-ipa-migrate-tool.patch b/0030-ipatests-Tests-for-ipa-migrate-tool.patch deleted file mode 100644 index 3b3c85f..0000000 --- a/0030-ipatests-Tests-for-ipa-migrate-tool.patch +++ /dev/null @@ -1,784 +0,0 @@ -From 9da927c8eec7db6d1c75c296eef45beb93797e58 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Thu, 1 Aug 2024 16:30:16 +0530 -Subject: [PATCH] ipatests: Tests for ipa-migrate tool - -This patch includes test to covers below scenarios - -1. hbac and sudo rules are migrated to local server -2. uid for user migrated varies in stage/prod mode. -3. subids are migrated to local server -4. idranges are migrated to local server -5. vaults are not migrated to local server. -6. Ensure trust related data is also migrated to local server -7. Added paths.IPA_MIGRATE_LOG in ipatests/pytest_ipa/integration/__init__.py - -Signed-off-by: Sudhir Menon -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/pytest_ipa/integration/__init__.py | 2 + - .../test_ipa_ipa_migration.py | 596 ++++++++++++++---- - 2 files changed, 460 insertions(+), 138 deletions(-) - -diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py -index 34b6ef0fb1e49fbb9c86e7496de50cf5cda5e91e..eb032cd72d2aa2a5ed4c476e3cb04dc77f607eaa 100644 ---- a/ipatests/pytest_ipa/integration/__init__.py -+++ b/ipatests/pytest_ipa/integration/__init__.py -@@ -88,6 +88,8 @@ CLASS_LOGFILES = [ - paths.VAR_LOG_AUDIT, - # sssd - paths.VAR_LOG_SSSD_DIR, -+ # ipa-ipa-migration logs -+ paths.IPA_MIGRATE_LOG, - # system - paths.RESOLV_CONF, - paths.HOSTS, -diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py -index 70c268951a0d7e40806742b16e62b764b2bae37b..d852ca63a6b3a7e7118d66ce1cd9bb98e56f1a73 100644 ---- a/ipatests/test_integration/test_ipa_ipa_migration.py -+++ b/ipatests/test_integration/test_ipa_ipa_migration.py -@@ -12,6 +12,7 @@ from ipaplatform.paths import paths - from collections import Counter - - import pytest -+import re - import textwrap - - -@@ -65,29 +66,7 @@ def prepare_ipa_server(master): - "--secondary-rid-base=400000", - ] - ) -- -- # Add Automount locations and maps -- master.run_command(["ipa", "automountlocation-add", "baltimore"]) -- master.run_command(["ipa", "automountmap-add", "baltimore", "auto.share"]) -- master.run_command( -- [ -- "ipa", -- "automountmap-add-indirect", -- "baltimore", -- "--parentmap=auto.share", -- "--mount=sub auto.man", -- ] -- ) -- master.run_command( -- [ -- "ipa", -- "automountkey-add", -- "baltimore", -- "auto.master", -- "--key=/share", -- "--info=auto.share", -- ] -- ) -+ master.run_command(["ipactl", "restart"]) - - # Run ipa-adtrust-install - master.run_command(["dnf", "install", "-y", "ipa-server-trust-ad"]) -@@ -235,6 +214,17 @@ def prepare_ipa_server(master): - ["ipa", "hbacrule-add-service", "--hbacsvcs=sshd", "testuser_sshd"] - ) - -+ # Add DNSForwardzone -+ master.run_command( -+ [ -+ "ipa", -+ "dnsforwardzone-add", -+ "forwardzone.test", -+ "--forwarder", -+ "10.11.12.13", -+ ] -+ ) -+ - # Vault addition - master.run_command( - [ -@@ -244,6 +234,7 @@ def prepare_ipa_server(master): - "vault1234", - "--type", - "symmetric", -+ "testvault", - ] - ) - -@@ -260,7 +251,46 @@ def prepare_ipa_server(master): - - # Modify passkeyconfig - master.run_command( -- ["ipa", "passkeyconfig-mod", "--require-user-verification=FALSE"] -+ [ -+ "ipa", "passkeyconfig-mod", -+ "--require-user-verification=FALSE" -+ ] -+ ) -+ -+ # Adding automountlocation, maps, keys -+ master.run_command( -+ [ -+ "ipa", "automountlocation-add", -+ "baltimore" -+ ] -+ ) -+ -+ master.run_command( -+ [ -+ "ipa", "automountmap-add", -+ "baltimore", -+ "auto.share" -+ ] -+ ) -+ -+ master.run_command( -+ [ -+ "ipa", "automountmap-add-indirect", -+ "baltimore", -+ "--parentmap=auto.share", -+ "--mount=sub", -+ "auto.man", -+ ] -+ ) -+ -+ master.run_command( -+ [ -+ "ipa", "automountkey-add", -+ "baltimore", -+ "auto.master", -+ "--key=/share", -+ "--info=auto.share", -+ ] - ) - - -@@ -288,12 +318,24 @@ def run_migrate( - return result - - --class TestIPAMigrateScenario1(IntegrationTest): -+@pytest.fixture() -+def empty_log_file(request): - """ -- Tier-1 tests for ipa-migrate tool with DNS enabled on -- local and remote server -+ This fixture empties the log file before ipa-migrate tool -+ is run since the log is appended everytime the tool is run. - """ -+ request.cls.replicas[0].run_command( -+ ["truncate", "-s", "0", paths.IPA_MIGRATE_LOG] -+ ) -+ yield - -+ -+class MigrationTest(IntegrationTest): -+ """ -+ This class will help setup remote IPA server(cls.master) -+ and local IPA server(cls.replicas[0]) and it will -+ also prepare the remote IPA before migration actually begins. -+ """ - num_replicas = 1 - num_clients = 1 - topology = "line" -@@ -303,14 +345,14 @@ class TestIPAMigrateScenario1(IntegrationTest): - tasks.install_master(cls.master, setup_dns=True, setup_kra=True) - prepare_ipa_server(cls.master) - tasks.install_client(cls.master, cls.clients[0], nameservers=None) -+ tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True) - -- def test_remote_server(self): -- """ -- This test installs IPA server instead of replica on -- system under test with the same realm and domain name. -- """ -- tasks.install_master(self.replicas[0], setup_dns=True, setup_kra=True) - -+class TestIPAMigrateCLIOptions(MigrationTest): -+ """ -+ Tests to check CLI options for ipa-migrate tool with -+ DNS enabled on local and remote server. -+ """ - def test_ipa_migrate_without_kinit_as_admin(self): - """ - This test checks that ipa-migrate tool displays -@@ -417,7 +459,7 @@ class TestIPAMigrateScenario1(IntegrationTest): - """ - ldif_file = "/tmp/test.ldif" - param = ['-x', '-o', ldif_file] -- run_migrate( -+ result = run_migrate( - self.replicas[0], - "stage-mode", - self.master.hostname, -@@ -426,45 +468,21 @@ class TestIPAMigrateScenario1(IntegrationTest): - extra_args=param, - ) - assert self.replicas[0].transport.file_exists("/tmp/test.ldif") -+ assert result.returncode == 0 - -- @pytest.fixture() -- def empty_log_file(self): -- """ -- This fixture empties the log file before ipa-migrate tool -- is run since the log is appended everytime the tool is run. -- """ -- self.replicas[0].run_command( -- ["truncate", "-s", "0", paths.IPA_MIGRATE_LOG] -- ) -- yield -- -- def test_ipa_sigden_plugin_fail_error(self, empty_log_file): -- """ -- This testcase checks that sidgen plugin fail error is -- not seen during migrate prod-mode -- """ -- SIDGEN_ERR_MSG = "SIDGEN task failed: \n" -- run_migrate( -- self.replicas[0], -- "stage-mode", -- self.master.hostname, -- "cn=Directory Manager", -- self.master.config.admin_password, -- extra_args=['-x'], -- ) -- error_msg = self.replicas[0].get_file_contents( -- paths.IPA_MIGRATE_LOG, encoding="utf-8" -- ) -- assert SIDGEN_ERR_MSG not in error_msg -- -- def test_ipa_migrate_stage_mode_dry_run(self, empty_log_file): -+ def test_ipa_migrate_stage_mode_dry_run(self): - """ - Test ipa-migrate stage mode with dry-run option -+ This test also checks SIDGEN task failure is -+ not seen in ipa migrate log. - """ - tasks.kinit_admin(self.master) - tasks.kinit_admin(self.replicas[0]) -+ SIDGEN_ERR_MSG = "SIDGEN task failed: \n" - IPA_MIGRATE_STAGE_DRY_RUN_LOG = "--dryrun=True\n" -- IPA_SERVER_UPRGADE_LOG = "Skipping ipa-server-upgrade in dryrun mode.\n" -+ IPA_SERVER_UPRGADE_LOG = ( -+ "Skipping ipa-server-upgrade in dryrun mode.\n" -+ ) - IPA_SKIP_SIDGEN_LOG = "Skipping SIDGEN task in dryrun mode." - result = run_migrate( - self.replicas[0], -@@ -481,6 +499,7 @@ class TestIPAMigrateScenario1(IntegrationTest): - assert IPA_MIGRATE_STAGE_DRY_RUN_LOG in install_msg - assert IPA_SERVER_UPRGADE_LOG in install_msg - assert IPA_SKIP_SIDGEN_LOG in install_msg -+ assert SIDGEN_ERR_MSG not in install_msg - - def test_ipa_migrate_prod_mode_dry_run(self, empty_log_file): - """ -@@ -509,7 +528,7 @@ class TestIPAMigrateScenario1(IntegrationTest): - assert IPA_SERVER_UPRGADE_LOG in install_msg - assert IPA_SIDGEN_LOG in install_msg - -- def test_ipa_migrate_with_skip_schema_option_dry_run(self, empty_log_file): -+ def test_ipa_migrate_skip_schema_dry_run(self, empty_log_file): - """ - This test checks that ipa-migrate tool works - with -S(schema) options in stage mode -@@ -532,7 +551,7 @@ class TestIPAMigrateScenario1(IntegrationTest): - ) - assert SKIP_SCHEMA_MSG_LOG in install_msg - -- def test_ipa_migrate_with_skip_config_option_dry_run(self, empty_log_file): -+ def test_ipa_migrate_skip_config_dry_run(self, empty_log_file): - """ - This test checks that ipa-migrate tool works - with -C(config) options in stage mode -@@ -579,7 +598,7 @@ class TestIPAMigrateScenario1(IntegrationTest): - ) - assert RESET_RANGE_LOG in install_msg - -- def test_ipa_migrate_stage_mode_dry_override_schema(self, empty_log_file): -+ def test_ipa_migrate_stage_mode_override_schema(self, empty_log_file): - """ - This test checks that -O option (override schema) works - in dry mode -@@ -601,70 +620,6 @@ class TestIPAMigrateScenario1(IntegrationTest): - ) - assert SCHEMA_OVERRIDE_LOG in install_msg - -- def test_ipa_migrate_stage_mode(self, empty_log_file): -- """ -- This test checks that ipa-migrate is successful -- in dry run mode -- """ -- tasks.kinit_admin(self.master) -- tasks.kinit_admin(self.replicas[0]) -- MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n" -- MIGRATION_CONFIG_LOG_MSG = "Migrating configuration ...\n" -- IPA_UPGRADE_LOG_MSG = ( -- "Running ipa-server-upgrade ... (this may take a while)\n" -- ) -- SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n" -- MIGRATION_COMPLETE_LOG_MSG = "Migration complete!\n" -- result = run_migrate( -- self.replicas[0], -- "stage-mode", -- self.master.hostname, -- "cn=Directory Manager", -- self.master.config.admin_password, -- extra_args=['-n'], -- ) -- install_msg = self.replicas[0].get_file_contents( -- paths.IPA_MIGRATE_LOG, encoding="utf-8" -- ) -- assert result.returncode == 0 -- assert MIGRATION_SCHEMA_LOG_MSG in install_msg -- assert MIGRATION_CONFIG_LOG_MSG in install_msg -- assert IPA_UPGRADE_LOG_MSG in install_msg -- assert SIDGEN_TASK_LOG_MSG in install_msg -- assert MIGRATION_COMPLETE_LOG_MSG in install_msg -- -- def test_ipa_migrate_prod_mode(self, empty_log_file): -- """ -- This test checks that ipa-migrate is successful -- in prod run mode -- """ -- tasks.kinit_admin(self.master) -- tasks.kinit_admin(self.replicas[0]) -- MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n" -- MIGRATION_DATABASE_LOG_MSG = ( -- "Migrating database ... (this may take a while)\n" -- ) -- IPA_UPGRADE_LOG_MSG = ( -- "Running ipa-server-upgrade ... (this may take a while)\n" -- ) -- SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n" -- result = run_migrate( -- self.replicas[0], -- "prod-mode", -- self.master.hostname, -- "cn=Directory Manager", -- self.master.config.admin_password, -- extra_args=['-n'], -- ) -- install_msg = self.replicas[0].get_file_contents( -- paths.IPA_MIGRATE_LOG, encoding="utf-8" -- ) -- assert result.returncode == 0 -- assert MIGRATION_SCHEMA_LOG_MSG in install_msg -- assert MIGRATION_DATABASE_LOG_MSG in install_msg -- assert IPA_UPGRADE_LOG_MSG in install_msg -- assert SIDGEN_TASK_LOG_MSG in install_msg -- - def test_ipa_migrate_with_bind_pwd_file_option(self, empty_log_file): - """ - This testcase checks that ipa-migrate tool -@@ -801,6 +756,9 @@ class TestIPAMigrateScenario1(IntegrationTest): - - @pytest.fixture() - def modify_dns_zone(self): -+ """ -+ This fixture adds dnszone and then removes the zone. -+ """ - zone_name = 'ipatest.test' - self.master.run_command( - ["ipa", "dnszone-add", zone_name, "--force"] -@@ -844,6 +802,20 @@ class TestIPAMigrateScenario1(IntegrationTest): - assert DNS_LOG2 in install_msg - assert DNS_LOG3 in install_msg - -+ def test_ipa_migrate_dns_forwardzone(self): -+ """ -+ This testcase checks that DNS forwardzone is -+ also migrated in prod-mode -+ """ -+ zone_name = "forwardzone.test" -+ result = self.replicas[0].run_command( -+ ["ipa", "dnsforwardzone-show", zone_name] -+ ) -+ assert 'Zone name: {}'.format(zone_name) in result.stdout_text -+ assert 'Active zone: True' in result.stdout_text -+ assert 'Zone forwarders: 10.11.12.13' in result.stdout_text -+ assert 'Forward policy: first' in result.stdout_text -+ - def test_ipa_migrate_version_option(self): - """ - The -V option has been removed. -@@ -922,20 +894,179 @@ class TestIPAMigrateScenario1(IntegrationTest): - assert result.returncode == 1 - assert ERR_MSG in result.stderr_text - -- def test_ipa_hbac_rule_duplication(self): -+ -+class TestIPAMigrationStageMode(MigrationTest): -+ """ -+ Tests for ipa-migrate tool in stage mode -+ """ -+ def test_ipa_migrate_stage_mode(self, empty_log_file): - """ -- This testcase checks that default hbac rules -- are not duplicated on the local server when -- ipa-migrate command is run. -+ This test checks that ipa-migrate is successful -+ in dry run mode - """ -+ tasks.kinit_admin(self.master) -+ tasks.kinit_admin(self.replicas[0]) -+ MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n" -+ MIGRATION_CONFIG_LOG_MSG = "Migrating configuration ...\n" -+ IPA_UPGRADE_LOG_MSG = ( -+ "Running ipa-server-upgrade ... (this may take a while)\n" -+ ) -+ SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n" -+ MIGRATION_COMPLETE_LOG_MSG = "Migration complete!\n" - run_migrate( -+ self.replicas[0], -+ "stage-mode", -+ self.master.hostname, -+ "cn=Directory Manager", -+ self.master.config.admin_password, -+ extra_args=['-n'], -+ ) -+ install_msg = self.replicas[0].get_file_contents( -+ paths.IPA_MIGRATE_LOG, encoding="utf-8" -+ ) -+ assert MIGRATION_SCHEMA_LOG_MSG in install_msg -+ assert MIGRATION_CONFIG_LOG_MSG in install_msg -+ assert IPA_UPGRADE_LOG_MSG in install_msg -+ assert SIDGEN_TASK_LOG_MSG in install_msg -+ assert MIGRATION_COMPLETE_LOG_MSG in install_msg -+ -+ def test_ipa_migrate_stage_mode_new_user(self): -+ """ -+ This testcase checks that when a new user is added and -+ ipa-migrate is run in stage-mode, uid/gid of the -+ migrated user is not preserved i.e we have different -+ uid/gid for user on remote and local IPA server. -+ """ -+ username = 'testuser4' -+ base_dn = str(self.master.domain.basedn) -+ LOG_MSG1 = ( -+ "DEBUG Resetting the DNA range for new entry: " -+ "uid={},cn=users,cn=accounts,{}\n" -+ ).format(username, base_dn) -+ install_msg = self.replicas[0].get_file_contents( -+ paths.IPA_MIGRATE_LOG, encoding="utf-8" -+ ) -+ assert LOG_MSG1 not in install_msg -+ tasks.clear_sssd_cache(self.master) -+ self.master.run_command(['ipa', 'user-show', username]) -+ cmd1 = self.master.run_command(['id', username]) -+ tasks.clear_sssd_cache(self.replicas[0]) -+ self.replicas[0].run_command(['ipa', 'user-show', username]) -+ cmd2 = self.replicas[0].run_command(['id', username]) -+ assert cmd1.stdout_text != cmd2.stdout_text -+ -+ -+class TestIPAMigrationProdMode(MigrationTest): -+ """ -+ Tests for ipa-migrate tool in prod mode -+ """ -+ def test_ipa_migrate_prod_mode(self, empty_log_file): -+ """ -+ This test checks that ipa-migrate is successful -+ in prod run mode -+ """ -+ tasks.kinit_admin(self.master) -+ tasks.kinit_admin(self.replicas[0]) -+ MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n" -+ MIGRATION_DATABASE_LOG_MSG = ( -+ "Migrating database ... (this may take a while)\n" -+ ) -+ IPA_UPGRADE_LOG_MSG = ( -+ "Running ipa-server-upgrade ... (this may take a while)\n" -+ ) -+ SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n" -+ result = run_migrate( - self.replicas[0], - "prod-mode", - self.master.hostname, - "cn=Directory Manager", - self.master.config.admin_password, -- extra_args=['-n'] -+ extra_args=['-n'], - ) -+ install_msg = self.replicas[0].get_file_contents( -+ paths.IPA_MIGRATE_LOG, encoding="utf-8" -+ ) -+ assert result.returncode == 0 -+ assert MIGRATION_SCHEMA_LOG_MSG in install_msg -+ assert MIGRATION_DATABASE_LOG_MSG in install_msg -+ assert IPA_UPGRADE_LOG_MSG in install_msg -+ assert SIDGEN_TASK_LOG_MSG in install_msg -+ -+ def test_ipa_migrate_prod_mode_hbac_rule(self): -+ """ -+ This testcase checks that hbac rule is migrated from -+ remote server to local server in prod mode. -+ """ -+ hbac_rule_name1 = 'test1' -+ hbac_rule_name2 = 'testuser_sshd' -+ tasks.kinit_admin(self.replicas[0]) -+ cmd1 = self.replicas[0].run_command( -+ ["ipa", "hbacrule-find", hbac_rule_name1]) -+ cmd2 = self.replicas[0].run_command( -+ ["ipa", "hbacrule-find", hbac_rule_name2]) -+ assert hbac_rule_name1 in cmd1.stdout_text -+ assert hbac_rule_name2 in cmd2.stdout_text -+ -+ def test_ipa_migrate_prod_mode_sudo_rule(self): -+ """ -+ This testcase checks that sudo cmd and rules are -+ migrated from remote server to local server in prod mode. -+ """ -+ sudorule = 'readfiles' -+ sudocmd = '/usr/bin/less' -+ tasks.kinit_admin(self.replicas[0]) -+ cmd1 = self.replicas[0].run_command( -+ ["ipa", "sudorule-find", sudorule]) -+ cmd2 = self.replicas[0].run_command( -+ ["ipa", "sudocmd-find", sudocmd]) -+ assert 'Rule name: readfiles\n' in cmd1.stdout_text -+ assert 'Sudo Command: /usr/bin/less\n' in cmd2.stdout_text -+ -+ def test_ipa_migrate_prod_mode_new_user_sid(self): -+ """ -+ This testcase checks that in prod-mode uid/gid of the -+ migrated user is preserved i.e we have same -+ uid/gid for user on remote and local IPA server. -+ """ -+ username = 'testuser4' -+ tasks.clear_sssd_cache(self.master) -+ result1 = self.master.run_command(['id', username]) -+ tasks.clear_sssd_cache(self.replicas[0]) -+ result2 = self.replicas[0].run_command(['id', username]) -+ assert result1.stdout_text == result2.stdout_text -+ -+ def test_check_vault_is_not_migrated(self): -+ """ -+ This testcase checks that vault is -+ not migrated -+ """ -+ vault_name = "testvault" -+ CMD_OUTPUT = "Number of entries returned 0" -+ cmd = self.replicas[0].run_command( -+ ["ipa", "vault-find", vault_name], raiseonerr=False) -+ assert cmd.returncode != 0 -+ assert CMD_OUTPUT in cmd.stdout_text -+ -+ def test_ipa_migrate_subids(self): -+ """ -+ This testcase checks that subids for users are migrated -+ to the local server from the remote server -+ """ -+ user_name = 'admin' -+ CMD_MSG = "1 subordinate id matched" -+ cmd = self.replicas[0].run_command( -+ ['ipa', 'subid-find', -+ '--owner', user_name] -+ ) -+ assert cmd.returncode == 0 -+ assert CMD_MSG in cmd.stdout_text -+ -+ def test_ipa_hbac_rule_duplication(self): -+ """ -+ This testcase checks that default hbac rules -+ are not duplicated on the local server when -+ ipa-migrate command is run. -+ """ - result = self.replicas[0].run_command( - ['ipa', 'hbacrule-find'] - ) -@@ -946,3 +1077,192 @@ class TestIPAMigrateScenario1(IntegrationTest): - count = Counter(line) - assert count.get('Rule name: allow_all') < 2 - assert count.get('Rule name: allow_systemd-user') < 2 -+ -+ def test_ipa_migrate_otptoken(self): -+ """ -+ This testcase checks that the otptoken -+ is migrated for the user. -+ """ -+ owner = "testuser1" -+ CMD_OUTPUT = "1 OTP token matched" -+ result = self.replicas[0].run_command([ -+ "ipa", "otptoken-find" -+ ]) -+ assert CMD_OUTPUT in result.stdout_text -+ assert 'Type: TOTP' in result.stdout_text -+ assert 'Owner: {}'.format(owner) in result.stdout_text -+ -+ def test_ipa_migrate_check_passkey_config(self): -+ """ -+ This testcase checks that passkey config -+ is migrated -+ """ -+ CMD_OUTPUT = "Require user verification: False" -+ result = self.replicas[0].run_command([ -+ "ipa", "passkeyconfig-show" -+ ]) -+ assert CMD_OUTPUT in result.stdout_text -+ -+ def test_ipa_migrate_check_service_status(self): -+ """ -+ This testcase checks that ipactl and sssd -+ services are running post ipa-migrate tool -+ successful runs completed -+ """ -+ cmd1 = self.replicas[0].run_command([ -+ "ipactl", "status" -+ ]) -+ assert cmd1.returncode == 0 -+ cmd2 = self.replicas[0].run_command([ -+ "systemctl", "status", "sssd" -+ ]) -+ assert cmd2.returncode == 0 -+ -+ def test_custom_idrange_is_migrated(self): -+ """ -+ This testcase checks that custom idrange is migrated -+ from remote server to local server in production -+ mode. -+ """ -+ range_name = "testrange" -+ CMD_OUTPUT = ( -+ "---------------\n" -+ "1 range matched\n" -+ "---------------\n" -+ " Range name: testrange\n" -+ " First Posix ID of the range: 10000\n" -+ " Number of IDs in the range: 10000\n" -+ " First RID of the corresponding RID range: 300000\n" -+ " First RID of the secondary RID range: 400000\n" -+ " Range type: local domain range\n" -+ "----------------------------\n" -+ "Number of entries returned 1\n" -+ "----------------------------\n" -+ ) -+ cmd = self.replicas[0].run_command( -+ ["ipa", "idrange-find", range_name]) -+ assert CMD_OUTPUT in cmd.stdout_text -+ -+ def test_automountlocation_is_migrated(self): -+ """ -+ This testcase checks that automount location/maps -+ and keys are migrated. -+ """ -+ base_dn = str(self.master.domain.basedn) -+ automount_cn = "automount" -+ loc_name = "baltimore" -+ auto_map_name = "auto.share" -+ DEBUG_LOG = ( -+ "Added entry: cn={},cn={},{}\n" -+ ).format(loc_name, automount_cn, base_dn) -+ CMD1_OUTPUT = ( -+ " Location: baltimore\n" -+ ) -+ CMD2_OUTPUT = ( -+ " Map: auto.share\n" -+ ) -+ CMD3_OUTPUT = ( -+ "-----------------------\n" -+ "1 automount key matched\n" -+ "-----------------------\n" -+ " Key: sub\n" -+ " Mount information: -fstype=autofs ldap:auto.man\n" -+ ) -+ cmd1 = self.replicas[0].run_command( -+ ["ipa", "automountlocation-show", loc_name]) -+ cmd2 = self.replicas[0].run_command( -+ ["ipa", "automountmap-find", loc_name]) -+ cmd3 = self.replicas[0].run_command( -+ ["ipa", "automountkey-find", loc_name, auto_map_name] -+ ) -+ install_msg = self.replicas[0].get_file_contents( -+ paths.IPA_MIGRATE_LOG, encoding="utf-8" -+ ) -+ assert CMD1_OUTPUT in cmd1.stdout_text -+ assert CMD2_OUTPUT in cmd2.stdout_text -+ assert CMD3_OUTPUT in cmd3.stdout_text -+ assert DEBUG_LOG in install_msg -+ -+ -+class TestIPAMigrationWithADtrust(IntegrationTest): -+ """ -+ Test for ipa-migrate tool with IPA Master having trust setup -+ with Windows AD. -+ """ -+ topology = "line" -+ num_ad_domains = 1 -+ num_replicas = 1 -+ -+ @classmethod -+ def install(cls, mh): -+ tasks.install_master( -+ cls.master, setup_dns=True, extra_args=['--no-dnssec-validation'] -+ ) -+ cls.ad = cls.ads[0] -+ cls.ad_domain = cls.ad.domain.name -+ tasks.install_adtrust(cls.master) -+ tasks.configure_dns_for_trust(cls.master, cls.ad) -+ tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) -+ -+ def test_install_local_server(self): -+ """ -+ This test installs local IPA Server() i.e new IPA server with -+ the same realm and domain name that will receive the migration data. -+ """ -+ tasks.install_master( -+ self.replicas[0], setup_dns=True, -+ extra_args=['--no-dnssec-validation'] -+ ) -+ tasks.install_adtrust(self.replicas[0]) -+ -+ def test_check_ad_attributes_migrate_prod_mode(self): -+ """ -+ This test checks that IPA-AD trust related attributes -+ are migrated to local server. -+ """ -+ result = run_migrate( -+ self.replicas[0], -+ "prod-mode", -+ self.master.hostname, -+ "cn=Directory Manager", -+ self.master.config.admin_password, -+ extra_args=['-n'] -+ ) -+ assert result.returncode == 0 -+ trust1 = self.master.run_command( -+ ['ipa', 'trust-show', self.ad_domain] -+ ).stdout_text -+ trust2 = self.replicas[0].run_command( -+ ['ipa', 'trust-show', self.ad_domain]).stdout_text -+ assert trust1 == trust2 -+ -+ def test_check_domain_sid_is_migrated(self): -+ """ -+ This testcase checks that domain sid is -+ migrated from a remote server having trust with AD -+ to local server and is displayed in the -+ ipa trustconfig-show command -+ """ -+ regexp = (r'Security Identifier: (.*)$') -+ cmd1 = self.master.run_command(["ipa", "trustconfig-show"]) -+ sid1 = re.findall(regexp, cmd1.stdout_text, re.MULTILINE) -+ cmd2 = self.replicas[0].run_command( -+ ["ipa", "trustconfig-show"] -+ ) -+ sid2 = re.findall(regexp, cmd2.stdout_text, re.MULTILINE) -+ assert sid1 == sid2 -+ -+ def test_check_ad_idrange_is_migrated(self): -+ """ -+ This testcase checks AD idrange is migrated -+ from remote IPA server having trust with AD -+ to local IPA server -+ """ -+ ad_domain_name = self.ad.domain.name.upper() -+ cmd1 = self.master.run_command( -+ ["ipa", "idrange-show", ad_domain_name + "_id_range"] -+ ) -+ cmd2 = self.replicas[0].run_command( -+ ["ipa", "idrange-show", ad_domain_name + "_id_range"] -+ ) -+ assert cmd1.stdout_text == cmd2.stdout_text --- -2.47.0 - diff --git a/0031-Fix-Organization-field-in-Okta-not-required.patch b/0031-Fix-Organization-field-in-Okta-not-required.patch deleted file mode 100644 index 10f6abb..0000000 --- a/0031-Fix-Organization-field-in-Okta-not-required.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c64c098e1d0ae492499caa83a1b73532da511f84 Mon Sep 17 00:00:00 2001 -From: Carla Martinez -Date: Tue, 29 Oct 2024 15:23:55 +0100 -Subject: [PATCH] Fix: 'Organization' field in Okta not required - -Although the 'Organization' field is not required -when using the Okta template, the WebUI requires it -in order to create a new IDP. If this is not provided, -an error is shown. - -Fixes: https://pagure.io/freeipa/issue/9687 -Signed-off-by: Carla Martinez -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - install/ui/src/freeipa/idp.js | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js -index ada09c0754f5a51575831e127deb81d1f27f44d1..04daad591a8e94ea9b8c146c12e0c84aaad6cee4 100644 ---- a/install/ui/src/freeipa/idp.js -+++ b/install/ui/src/freeipa/idp.js -@@ -41,7 +41,7 @@ idp.templates = [ - fields: ['ipaidporg']}, - { value: 'okta', - label: text.get('@i18n:objects.idp.template_okta'), -- fields: ['ipaidporg', 'ipaidpbaseurl']} -+ fields: ['ipaidpbaseurl']} - ]; - - --- -2.47.0 - diff --git a/0033-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch b/0033-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch deleted file mode 100644 index a432535..0000000 --- a/0033-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch +++ /dev/null @@ -1,148 +0,0 @@ -From c71e12e902b3912c31245d46ad6f2c2ddee01126 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 1 Oct 2024 11:28:28 +0300 -Subject: [PATCH] selinux: allow Cockpit to use HTTP keytab on IPA servers - -Cockpit can use GSSAPI authentication and has pretty good definition of -how to enable it: https://cockpit-project.org/guide/latest/sso.html. -These instructions work on IPA clients but they cannot be used on IPA -servers because IPA framework already owns HTTP/.. Kerberos service and -its keytab. - -Luckily, there are two changes that need to be done to enable Cockpit -single sign-on with GSSAPI on IPA servers: - - - create a symlink /etc/cockpit/krb5.keytab to - /var/lib/ipa/gssproxy/http.keytab - - - add SELinux policy to allow cockpit_session_t to operate on - /var/lib/ipa/gssproxy/http.keytab file - -For existing installation an upgrade process would restore SELinux -context of the http.keytab file to the new value. - -Note that Cockpit documentation above also talks about Kerberos service -modifications to enable delegation. These modifications should not be -done for IPA servers' HTTP services, as these services are already -enabled to handle delegation. - -Fixes: https://pagure.io/freeipa/issue/9675 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden -Reviewed-By: Rob Crittenden ---- - ipaserver/install/server/upgrade.py | 1 + - selinux/ipa.fc | 2 ++ - selinux/ipa.if | 24 ++++++++++++++++++++++++ - selinux/ipa.te | 19 +++++++++++++++++++ - 4 files changed, 46 insertions(+) - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index 31d4f8398cfb0251cc59ada909eb55635b83e960..d5c466ee2f905eafd15663fef46d052ade30d742 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1124,6 +1124,7 @@ def update_http_keytab(http): - paths.OLD_IPA_KEYTAB, e - ) - http.keytab_user.chown(http.keytab) -+ tasks.restore_context(http.keytab) - - - def ds_enable_sidgen_extdom_plugins(ds): -diff --git a/selinux/ipa.fc b/selinux/ipa.fc -index 47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2..15e8e41aa50228ff560e338044240b46bc24cc40 100644 ---- a/selinux/ipa.fc -+++ b/selinux/ipa.fc -@@ -22,6 +22,8 @@ - - /var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) - -+/var/lib/ipa/gssproxy/http.keytab -- gen_context(system_u:object_r:ipa_http_keytab_t,s0) -+ - /var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0) - - /var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0) -diff --git a/selinux/ipa.if b/selinux/ipa.if -index 8c47e7963af92b1ddcd59d92aa45d6b8e9c0c6cc..8f3147e10bd294665dd41e1c1f99c993d9699d20 100644 ---- a/selinux/ipa.if -+++ b/selinux/ipa.if -@@ -155,6 +155,7 @@ interface(`ipa_manage_log',` - ######################################## - ## - ## Allow domain to manage ipa lib files/dirs. -+## This includes reading ipa_http_keytab_t files. - ## - ## - ## -@@ -164,10 +165,33 @@ interface(`ipa_manage_log',` - # - interface(`ipa_read_lib',` - gen_require(` -+ type ipa_http_keytab_t; - type ipa_var_lib_t; - ') - - read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t) -+ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t) -+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) -+') -+ -+######################################## -+## -+## Allow domain to manage ipa HTTP keytab file. -+## This includes reading ipa_var_lib_t directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ipa_read_http_keytab',` -+ gen_require(` -+ type ipa_http_keytab_t; -+ type ipa_var_lib_t; -+ ') -+ -+ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t) - list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) - ') - -diff --git a/selinux/ipa.te b/selinux/ipa.te -index 2546a9bd9468200185c484974a9e71f16f89de71..e4ce66687a48b27e85591cdd8352f7cac94d3151 100644 ---- a/selinux/ipa.te -+++ b/selinux/ipa.te -@@ -43,6 +43,9 @@ logging_log_file(ipa_log_t) - type ipa_var_lib_t; - files_type(ipa_var_lib_t) - -+type ipa_http_keytab_t; -+files_type(ipa_http_keytab_t) -+ - type ipa_var_run_t; - files_pid_file(ipa_var_run_t) - -@@ -516,3 +519,19 @@ optional_policy(` - ') - allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read }; - ') -+ -+# gssproxy needs to read http keytab -+optional_policy(` -+ gen_require(` -+ type gssproxy_t; -+ ') -+ ipa_read_http_keytab(gssproxy_t) -+') -+ -+# Allow Cockpit to use HTTP keytab on IPA servers for GSSAPI authentication -+optional_policy(` -+ gen_require(` -+ type cockpit_session_t; -+ ') -+ ipa_read_http_keytab(cockpit_session_t) -+') --- -2.47.0 - diff --git a/0034-Minimal-test-for-Cockpit-integration-on-IPA-master.patch b/0034-Minimal-test-for-Cockpit-integration-on-IPA-master.patch deleted file mode 100644 index d079f16..0000000 --- a/0034-Minimal-test-for-Cockpit-integration-on-IPA-master.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 0dadcbb4ac9f6142b5130f025f64d918d6f208a9 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 8 Oct 2024 10:25:08 +0300 -Subject: [PATCH] Minimal test for Cockpit integration on IPA master - -Add a test to share HTTP service keytab on IPA master between IPA and -Cockpit. The test configures Cockpit with IPA CA-issued certificate and -allows Cockpit to access IPA HTTP service keytab for authentication. - -The test then attempts to authenticate with GSSAPI as admin user. A -successful result is when we receive CSRF token from the Cockpit as -the result of this authentication. This means we have logged in -successfully with Kerberos. - -Fixes: https://pagure.io/freeipa/issue/9675 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_cockpit.py | 61 +++++++++++++++++++++++ - 1 file changed, 61 insertions(+) - create mode 100644 ipatests/test_integration/test_cockpit.py - -diff --git a/ipatests/test_integration/test_cockpit.py b/ipatests/test_integration/test_cockpit.py -new file mode 100644 -index 0000000000000000000000000000000000000000..cdc96170a116536c7aa00be78cc4e0225804e21c ---- /dev/null -+++ b/ipatests/test_integration/test_cockpit.py -@@ -0,0 +1,61 @@ -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+ -+from __future__ import absolute_import -+ -+import time -+from ipatests.pytest_ipa.integration import tasks -+from ipatests.test_integration.base import IntegrationTest -+from ipaplatform.paths import paths -+ -+ -+class TestCockpitIntegration(IntegrationTest): -+ topology = "line" -+ reqcert = '/etc/cockpit/ws-certs.d/99-cockpit.cert' -+ reqkey = '/etc/cockpit/ws-certs.d/99-cockpit.key' -+ symlink = '/etc/cockpit/krb5.keytab' -+ -+ @classmethod -+ def uninstall(cls, mh): -+ cls.master.run_command(['ipa-getcert', 'stop-tracking', '-f', -+ cls.reqcert], raiseonerr=False) -+ cls.master.run_command(['rm', '-f', cls.symlink], raiseonerr=False) -+ cls.master.run_command(['systemctl', 'disable', '--now', -+ 'cockpit.socket']) -+ super(TestCockpitIntegration, cls).uninstall(mh) -+ -+ @classmethod -+ def install(cls, mh): -+ master = cls.master -+ -+ # Install Cockpit and configure it to use IPA certificate and keytab -+ master.run_command(['dnf', 'install', '-y', 'cockpit', 'curl'], -+ raiseonerr=False) -+ -+ super(TestCockpitIntegration, cls).install(mh) -+ -+ master.run_command(['ipa-getcert', 'request', '-f', cls.reqcert, '-k', -+ cls.reqkey, '-D', cls.master.hostname, '-K', -+ 'host/' + cls.master.hostname, '-m', '0640', '-o', -+ 'root:cockpit-ws', '-O', 'root:root', '-M', -+ '0644'], raiseonerr=False) -+ -+ master.run_command(['ln', '-s', paths.HTTP_KEYTAB, cls.symlink], -+ raiseonerr=False) -+ -+ time.sleep(5) -+ master.run_command(['systemctl', 'enable', '--now', 'cockpit.socket']) -+ -+ def test_login_with_kerberos(self): -+ """ -+ Login to Cockpit using GSSAPI authentication -+ """ -+ master = self.master -+ tasks.kinit_admin(master) -+ -+ cockpit_login = f'https://{master.hostname}:9090/cockpit/login' -+ result = master.run_command([paths.BIN_CURL, '-u:', '--negotiate', -+ '--cacert', paths.IPA_CA_CRT, -+ cockpit_login]) -+ assert ("csrf-token" in result.stdout_text) --- -2.47.0 - diff --git a/0035-ipatests-install-master-with-allow-zone-overlap.patch b/0035-ipatests-install-master-with-allow-zone-overlap.patch deleted file mode 100644 index 04aabe6..0000000 --- a/0035-ipatests-install-master-with-allow-zone-overlap.patch +++ /dev/null @@ -1,42 +0,0 @@ -From baa9fc3e3e2f6b39db5ec465c92dc597cd5399b9 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 12 Nov 2024 16:44:46 +0100 -Subject: [PATCH] ipatests: install master with allow-zone-overlap - -In the IPA to IPA migration tests, install the destination master -with --setup-dns --allow-zone-overlap to allow installation -even if the zone is already served by the source master. - -Fixes: https://pagure.io/freeipa/issue/9697 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Sudhir Menon ---- - ipatests/test_integration/test_ipa_ipa_migration.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py -index d852ca63a6b3a7e7118d66ce1cd9bb98e56f1a73..0c637a0141d95f34f951c60a9648adf8e87eaa63 100644 ---- a/ipatests/test_integration/test_ipa_ipa_migration.py -+++ b/ipatests/test_integration/test_ipa_ipa_migration.py -@@ -345,7 +345,8 @@ class MigrationTest(IntegrationTest): - tasks.install_master(cls.master, setup_dns=True, setup_kra=True) - prepare_ipa_server(cls.master) - tasks.install_client(cls.master, cls.clients[0], nameservers=None) -- tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True) -+ tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True, -+ extra_args=['--allow-zone-overlap']) - - - class TestIPAMigrateCLIOptions(MigrationTest): -@@ -1211,7 +1212,7 @@ class TestIPAMigrationWithADtrust(IntegrationTest): - """ - tasks.install_master( - self.replicas[0], setup_dns=True, -- extra_args=['--no-dnssec-validation'] -+ extra_args=['--no-dnssec-validation', '--allow-zone-overlap'] - ) - tasks.install_adtrust(self.replicas[0]) - --- -2.47.0 - diff --git a/0036-ipaserver-dcerpc-support-Samba-4.21.patch b/0036-ipaserver-dcerpc-support-Samba-4.21.patch deleted file mode 100644 index 241d410..0000000 --- a/0036-ipaserver-dcerpc-support-Samba-4.21.patch +++ /dev/null @@ -1,38 +0,0 @@ -From c306c613399cdd9a2c716b83ce0d47d320aec2a8 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 19 Nov 2024 12:57:46 +0200 -Subject: [PATCH] ipaserver/dcerpc: support Samba 4.21 - -Samba 4.21 moved samba.trust_utils module to samba.lsa_utils. - -Fixes: https://pagure.io/freeipa/issue/9702 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/dcerpc.py | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index a28c72361276f12a1a02cd126425ac3c62eddd4f..3344ea226e3cba61912e717f9c375612bb4707e0 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -55,9 +55,13 @@ from samba import ntstatus - import samba - - try: -- from samba.trust_utils import CreateTrustedDomainRelax -+ from samba.lsa_utils import CreateTrustedDomainRelax - except ImportError: -- CreateTrustedDomainRelax = None -+ try: -+ from samba.trust_utils import CreateTrustedDomainRelax -+ except ImportError: -+ CreateTrustedDomainRelax = None -+ - try: - from samba import arcfour_encrypt - except ImportError: --- -2.47.0 - diff --git a/0037-Change-default-to-RSN-when-389-ds-uses-the-mdb-backe.patch b/0037-Change-default-to-RSN-when-389-ds-uses-the-mdb-backe.patch deleted file mode 100644 index f2636a1..0000000 --- a/0037-Change-default-to-RSN-when-389-ds-uses-the-mdb-backe.patch +++ /dev/null @@ -1,161 +0,0 @@ -From 3777d2b06299454766ab70ee479a829d5f6b7fc0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 11 Sep 2024 16:32:07 -0400 -Subject: [PATCH] Change default to RSN when 389-ds uses the mdb backend - -The lmdb performance for VLV indexes is not great so the PKI -team recommended we switch from sequential serial numbers to -Random Serial Numbers (RSN). - -The first time a non-bdb backend (future-proofing) is installed -then the replication RSN configuration value is stored. All future -replica installs will use RSN. - -We have no way of enforcing ONLY to have RSN across a topology -so it will be up to administrators to retire any sequential CAs. - -Fixes: https://pagure.io/freeipa/issue/9661 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rafael Guterres Jeffman ---- - install/tools/ipa-ca-install.in | 6 ++++- - install/tools/man/ipa-ca-install.1 | 2 +- - install/tools/man/ipa-server-install.1 | 2 +- - ipaserver/install/cainstance.py | 29 +++++++++++++++++++++++ - ipatests/test_xmlrpc/tracker/ca_plugin.py | 6 ++++- - 5 files changed, 41 insertions(+), 4 deletions(-) - -diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in -index 9f3d16669679a245b73e044622ff52321524fcde..3c27a6b27715786fb0d3614a9d5689a145037ad7 100644 ---- a/install/tools/ipa-ca-install.in -+++ b/install/tools/ipa-ca-install.in -@@ -301,7 +301,11 @@ def install(safe_options, options): - install_master(safe_options, options) - else: - if options.random_serial_numbers: -- if ca.lookup_random_serial_number_version(api) == 0: -+ ldap_backend = cainstance.lookup_ldap_backend(api) -+ if ( -+ ca.lookup_random_serial_number_version(api) == 0 -+ and ldap_backend == "bdb" -+ ): - sys.exit( - "\nRandom serial numbers cannot be enabled in an " - "existing CA installation.\n") -diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 -index 5745d39de440886af3147496eb1ed44edc010621..bbd3ba85d9849eaa50b39273a6e1f6ac089a0d6a 100644 ---- a/install/tools/man/ipa-ca-install.1 -+++ b/install/tools/man/ipa-ca-install.1 -@@ -83,7 +83,7 @@ Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SH - Do not use DNS for hostname lookup during installation - .TP - \fB\-\-random\-serial\-numbers\fR --Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do. -+Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible. - .TP - \fB\-\-token\-name\fR=\fITOKEN_NAME\fR - The PKCS#11 token name if using an HSM to store and generate private keys. -diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 -index 215a77d6b54bcf5c44f304a80fc76e1137c66beb..d226cf8d6513ab95ed274d861a1c6ee4b0dfca53 100644 ---- a/install/tools/man/ipa-server-install.1 -+++ b/install/tools/man/ipa-server-install.1 -@@ -126,7 +126,7 @@ If no template is specified, the template name "SubCA" is used. - File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. - .TP - \fB\-\-random\-serial\-numbers\fR --Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do. -+Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible. - .TP - \fB\-\-no\-pkinit\fR - Disables pkinit setup steps. -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 5c2c9f8b981cf5d587865f7680e2b231eae655e2..d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -259,6 +259,18 @@ def is_ca_installed_locally(): - return os.path.exists(paths.CA_CS_CFG_PATH) - - -+def lookup_ldap_backend(api): -+ """Look up the LDAP backend database value and return it""" -+ dn = DN("cn=config,cn=ldbm database,cn=plugins,cn=config") -+ try: -+ entry = api.Backend.ldap2.get_entry(dn) -+ except errors.NotFound: -+ ldap_backend = 'bdb' -+ else: -+ ldap_backend = entry.get('nsslapd-backend-implement', ['bdb'])[0] -+ return ldap_backend -+ -+ - class InconsistentCRLGenConfigException(Exception): - pass - -@@ -388,6 +400,15 @@ class CAInstance(DogtagInstance): - self.ca_type = x509.ExternalCAType.GENERIC.value - self.external_ca_profile = external_ca_profile - self.random_serial_numbers = random_serial_numbers -+ ldap_backend = lookup_ldap_backend(api) -+ -+ if ldap_backend != 'bdb' and not random_serial_numbers: -+ # override selection for lmdb due to VLV performance issues. -+ logger.info( -+ 'Forcing random serial numbers to be enabled for the %s ' -+ 'backend', ldap_backend -+ ) -+ self.random_serial_numbers = True - - self.no_db_setup = promote - self.use_ldaps = use_ldaps -@@ -507,6 +528,9 @@ class CAInstance(DogtagInstance): - - self.step("configuring certmonger renewal for lightweight CAs", - self.add_lightweight_ca_tracking_requests) -+ if self.clone and self.random_serial_numbers: -+ self.step("Recording random serial number state", -+ self.__store_random_serial_number_state) - if minimum_acme_support(): - self.step("deploying ACME service", self.setup_acme) - -@@ -1650,6 +1674,11 @@ class CAInstance(DogtagInstance): - dn = DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, - api.env.basedn) - entry_attrs = api.Backend.ldap2.get_entry(dn) -+ version = entry_attrs.single_value.get( -+ "ipaCaRandomSerialNumberVersion", "0" -+ ) -+ if str(version) == str(value): -+ return - entry_attrs['ipaCaRandomSerialNumberVersion'] = value - api.Backend.ldap2.update_entry(entry_attrs) - -diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py -index 59fb60037d0e2be98f55c85f52fa690b359ada30..f949b5707a38b5524cb543528ad4144e89527568 100644 ---- a/ipatests/test_xmlrpc/tracker/ca_plugin.py -+++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py -@@ -4,6 +4,7 @@ - from __future__ import absolute_import - - import six -+from lib389.utils import get_default_db_lib - - from ipapython.dn import DN - from ipatests.test_xmlrpc.tracker.base import Tracker, EnableTracker -@@ -83,7 +84,10 @@ class CATracker(Tracker, EnableTracker): - objectclass=objectclasses.ca - ) - if self.description == 'IPA CA': -- self.attrs['ipacarandomserialnumberversion'] = ('0',) -+ if get_default_db_lib() == 'bdb': -+ self.attrs['ipacarandomserialnumberversion'] = ('0',) -+ else: -+ self.attrs['ipacarandomserialnumberversion'] = ('3',) - self.exists = True - - def make_disable_command(self): --- -2.47.0 - diff --git a/0038-ipatests-Test-that-when-lmdb-is-available-enable-RSN.patch b/0038-ipatests-Test-that-when-lmdb-is-available-enable-RSN.patch deleted file mode 100644 index c93a3dd..0000000 --- a/0038-ipatests-Test-that-when-lmdb-is-available-enable-RSN.patch +++ /dev/null @@ -1,108 +0,0 @@ -From ed70380cbb97a355a4d84ca61fd27120cda902b9 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 12 Sep 2024 13:52:55 -0400 -Subject: [PATCH] ipatests: Test that when lmdb is available, enable RSN - -Related: https://pagure.io/freeipa/issue/9661 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rafael Guterres Jeffman ---- - .../test_random_serial_numbers.py | 71 +++++++++++++++++++ - 1 file changed, 71 insertions(+) - -diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py -index ab58b1c622b010994ed93a17dd80cfd02095508d..c45d15b583bac0faec80780edd00b60b47e334a9 100644 ---- a/ipatests/test_integration/test_random_serial_numbers.py -+++ b/ipatests/test_integration/test_random_serial_numbers.py -@@ -3,10 +3,12 @@ - # - - import pytest -+import textwrap - - from ipaplatform.paths import paths - - from ipatests.pytest_ipa.integration import tasks -+from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_installation import ( - TestInstallWithCA_DNS1, - TestInstallWithCA_KRA1, -@@ -119,3 +121,72 @@ class TestRSNVault(TestInstallKRA): - if not pki_supports_RSNv3(mh.master): - raise pytest.skip("RSNv3 not supported") - super(TestRSNVault, cls).install(mh) -+ -+ -+class TestInstall_RSN_MDB(IntegrationTest): -+ """ -+ Test installation when the 389-ds mdb backend is used. This has -+ poor performance for VLV compared to the older bdb backend so -+ RSN will be required. -+ """ -+ num_replicas = 1 -+ -+ def disable_rsn(self): -+ """Mark RSN as disabled in the topology by setting -+ ipaCaRandomSerialNumberVersion to 0. -+ """ -+ entry_ldif = textwrap.dedent(""" -+ dn: cn=ipa,cn=cas,cn=ca,{base_dn} -+ changetype: modify -+ replace: ipaCaRandomSerialNumberVersion -+ ipaCaRandomSerialNumberVersion: 0 -+ """).format(base_dn=str(self.master.domain.basedn)) -+ tasks.ldapmodify_dm(self.master, entry_ldif) -+ -+ def check_rsn_status(self, host): -+ """Verify that RSN is enabled on a host""" -+ base_dn = str(host.domain.basedn) -+ result = tasks.ldapsearch_dm( -+ host, -+ 'cn=ipa,cn=cas,cn=ca,{base_dn}'.format( -+ base_dn=base_dn), -+ ['ipacarandomserialnumberversion',], -+ scope='base' -+ ) -+ output = result.stdout_text.lower() -+ assert 'ipacarandomserialnumberversion: 3' in output -+ -+ cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH) -+ assert "dbs.cert.id.generator=random".encode() in cs_cfg -+ -+ @classmethod -+ def install(cls, mh): -+ if not pki_supports_RSNv3(mh.master): -+ raise pytest.skip("RNSv3 not supported") -+ result = cls.replicas[0].run_command( -+ "python -c 'from lib389.utils import get_default_db_lib; " -+ "print(get_default_db_lib())'" -+ ) -+ if 'mdb' not in result.stdout_text: -+ raise pytest.skip("MDB not supported") -+ tasks.install_master(cls.master, setup_dns=True) -+ -+ def test_replica_install(self): -+ self.disable_rsn() -+ tasks.install_replica( -+ self.master, self.replicas[0], setup_ca=True) -+ self.check_rsn_status(self.replicas[0]) -+ tasks.run_server_del( -+ self.master, self.replicas[0].hostname, force=True, -+ ignore_topology_disconnect=True, ignore_last_of_role=True) -+ tasks.uninstall_replica( -+ master=self.master, -+ replica=self.replicas[0] -+ ) -+ -+ def test_replica_install_noca(self): -+ self.disable_rsn() -+ tasks.install_replica( -+ self.master, self.replicas[0], setup_ca=False) -+ tasks.install_ca(self.replicas[0]) -+ self.check_rsn_status(self.replicas[0]) --- -2.47.0 - diff --git a/0039-Set-required-version-of-389-ds-for-VLV-fix-on-F40-41.patch b/0039-Set-required-version-of-389-ds-for-VLV-fix-on-F40-41.patch deleted file mode 100644 index 282898c..0000000 --- a/0039-Set-required-version-of-389-ds-for-VLV-fix-on-F40-41.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 2cd2b8fe43036a97f1051c5aa76fd5ed28e7ed6c Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 16 Oct 2024 15:39:31 -0400 -Subject: [PATCH] Set required version of 389-ds for VLV fix on F40/41 - -Require builds that contain the fixes for VLV handling in -https://bugzilla.redhat.com/show_bug.cgi?id=2317851 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rafael Guterres Jeffman ---- - freeipa.spec.in | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 72d7013a6c49873f4a59734c684c6c5510e669d0..1283ba847f60cd335851d7e846536a4a6c14b071 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -127,6 +127,10 @@ - # version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility - %if 0%{?fedora} < 34 - %global ds_version 1.4.4.16-1 -+%elif 0%{?fedora} == 40 -+%global ds_version 3.0.4-3 -+%elif 0%{?fedora} >= 41 -+%global ds_version 3.1.1-3 - %else - %global ds_version 2.1.0 - %endif --- -2.47.0 - diff --git a/0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch b/0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch deleted file mode 100644 index b7433cd..0000000 --- a/0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 6f304bac61eadbacf4f176421c6927b92b74685e Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 11 Sep 2024 16:33:00 -0400 -Subject: [PATCH] Enable pruning when Random Serial Numbers are enabled - -When using short-lived certs (ACME) along with normal certificate -issuance the expired certs can build over time in the PKI database. -This can cause issues with replication, performance and overall -database size. - -Random Serial Numbers v3 (RSNv3) is mandatory to enable pruning -so if we have it enabled then enable pruning to avoid future issues. - -Related: https://pagure.io/freeipa/issue/9661 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rafael Guterres Jeffman ---- - ipaserver/install/cainstance.py | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12..f3ed9fff8510072f0ad210beaaea151a3099082b 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -471,6 +471,8 @@ class CAInstance(DogtagInstance): - self.step( - "Ensuring backward compatibility", - self.__dogtag10_migration) -+ if self.random_serial_numbers: -+ self.step("enable certificate pruning", self.enable_pruning) - if promote: - self.step("destroying installation admin user", - self.teardown_admin) -@@ -790,6 +792,17 @@ class CAInstance(DogtagInstance): - 'NSS_ENABLE_PKIX_VERIFY', '1', - quotes=False, separator='=') - -+ def enable_pruning(self): -+ directivesetter.set_directive(paths.CA_CS_CFG_PATH, -+ 'jobsScheduler.enabled', 'true', -+ quotes=False, separator='=') -+ directivesetter.set_directive(paths.CA_CS_CFG_PATH, -+ 'jobsScheduler.job.pruning.enabled', -+ 'true', quotes=False, separator='=') -+ directivesetter.set_directive(paths.CA_CS_CFG_PATH, -+ 'jobsScheduler.job.pruning.owner', -+ 'ipara', quotes=False, separator='=') -+ - def __import_ra_cert(self): - """ - Helper method for IPA domain level 0 replica install --- -2.47.0 - diff --git a/0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch b/0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch deleted file mode 100644 index ec1aaee..0000000 --- a/0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 0eafb03110b6ae4c80680e5c451661e1cf41db77 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 21 Nov 2024 11:39:12 -0500 -Subject: [PATCH] Don't drop certificates in cert-find if the LWCA was removed - -The cert-find command wants to return the IPA CA name of the -issued certificates. If the CA was removed then the certificate -is skipped in the output. This basically black holes any certificates -issued by the LWCA. - -It is also breaking the cert_find tests with RSNv3 enabled at -times depending on the certificate order returned. Some of them -may be certificates issued by a now-deleted CA. - -This was discovered in test_xmlrpc/test_cert.py with the -cert-find tests where the expected number of certificates wasn't -returned. This is because ra.find() retrieved exactly 10 certificates -and then some were removed when trying to identify the CA. - -Related: https://pagure.io/freeipa/issue/9661 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rafael Guterres Jeffman ---- - ipaserver/plugins/cert.py | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py -index 6249c6d6f24acdca4fc3e9dd989f58344192b567..b8012c62a7809a85faec9cbb710f187fa16d90f4 100644 ---- a/ipaserver/plugins/cert.py -+++ b/ipaserver/plugins/cert.py -@@ -1721,7 +1721,8 @@ class cert_find(Search, CertMethod): - try: - ca_obj = ca_objs[issuer] - except KeyError: -- continue -+ # A deleted LWCA? Return the issuer DN as a string -+ ca_obj = {'cn': [str(issuer)]} - - if pkey_only: - obj = {'serial_number': serial_number} -@@ -1905,8 +1906,16 @@ class cert_find(Search, CertMethod): - try: - ca_obj = ca_objs[cacn] - except KeyError: -- ca_obj = ca_objs[cacn] = ( -- self.api.Command.ca_show(cacn, all=True)['result']) -+ try: -+ ca_obj = ca_objs[cacn] = ( -+ self.api.Command.ca_show( -+ cacn, all=True)['result']) -+ except errors.NotFound: -+ # If we have inserted a CA DN because the -+ # LWCA was deleted then ca-show of it will -+ # fail as NotFound. There is no chain to -+ # retrieve. -+ ca_obj = [] - - obj.update( - ra.get_certificate(serial_number) --- -2.47.0 - diff --git a/0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch b/0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch deleted file mode 100644 index 4ef6181..0000000 --- a/0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch +++ /dev/null @@ -1,99 +0,0 @@ -From fd222273a544f9e8c7a1749ff797880db7edbf25 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 25 Nov 2024 13:14:50 +0100 -Subject: [PATCH] ipatests: pruning is enabled by default with LMDB - -The test test_acme.py::TestACMEPrune::test_enable_pruning expects -certificate pruning to be disabled by default. That assumption -is valid only if the backend is BDB (if the backend is LMDB, -RSNv3 + cert pruning are enabled by default). - -Update the test to be consistent with the new defaults. - -Fixes: https://pagure.io/freeipa/issue/9706 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_acme.py | 37 +++++++++++++++++--------- - 1 file changed, 25 insertions(+), 12 deletions(-) - -diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py -index 4032d266a8dc72fae6ee11857c306aa3a21e51bc..709d90715823672a3d85a1ef7896fb10ee63fdc5 100644 ---- a/ipatests/test_integration/test_acme.py -+++ b/ipatests/test_integration/test_acme.py -@@ -17,6 +17,7 @@ from ipatests.test_integration.test_random_serial_numbers import ( - ) - from ipaplatform.osinfo import osinfo - from ipaplatform.paths import paths -+from ipapython.dn import DN - from ipatests.test_integration.test_external_ca import ( - install_server_external_ca_step1, - install_server_external_ca_step2, -@@ -144,6 +145,15 @@ def certbot_standalone_cert(host, acme_server, no_of_cert=1): - ) - - -+def get_389ds_backend(host): -+ """ Return the backend type used by 389ds (either 'bdb' or 'lmdb')""" -+ conn = host.ldap_connect() -+ entry = conn.get_entry( -+ DN('cn=config,cn=ldbm database,cn=plugins,cn=config')) -+ backend = entry.single_value.get('nsslapd-backend-implement') -+ return backend -+ -+ - class TestACME(CALessBase): - """ - Test the FreeIPA ACME service by using ACME clients on a FreeIPA client. -@@ -397,21 +407,22 @@ class TestACME(CALessBase): - assert status == 'disabled' - - def test_acme_pruning_no_random_serial(self): -- """This ACME install is configured without random serial -+ """BDB install is configured without random serial - numbers. Verify that we can't enable pruning on it. -- -- This test is located here because by default installs -- don't enable RSNv3. - """ - if (tasks.get_pki_version(self.master) - < tasks.parse_version('11.3.0')): - raise pytest.skip("Certificate pruning is not available") - self.master.run_command(['ipa-acme-manage', 'enable']) -- result = self.master.run_command( -- ['ipa-acme-manage', 'pruning', '--enable'], -- raiseonerr=False) -- assert result.returncode == 1 -- assert "requires random serial numbers" in result.stderr_text -+ -+ # This test is only relevant with BDB backend -+ # as with LMDB, the installer now enable RSNv3 and cert pruning -+ if get_389ds_backend(self.master) == 'bdb': -+ result = self.master.run_command( -+ ['ipa-acme-manage', 'pruning', '--enable'], -+ raiseonerr=False) -+ assert result.returncode == 1 -+ assert "requires random serial numbers" in result.stderr_text - - @server_install_teardown - def test_third_party_certs(self): -@@ -707,10 +718,12 @@ class TestACMEPrune(IntegrationTest): - if (tasks.get_pki_version(self.master) - < tasks.parse_version('11.3.0')): - raise pytest.skip("Certificate pruning is not available") -- cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH) -- assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg - -- self.master.run_command(['ipa-acme-manage', 'pruning', '--enable']) -+ # Pruning is enabled by default when the host supports lmdb -+ if get_389ds_backend(self.master) == 'bdb': -+ cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH) -+ assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg -+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable']) - - cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH) - assert "jobsScheduler.enabled=true".encode() in cs_cfg --- -2.47.0 - diff --git a/0043-webuitests-adapt-to-Random-Serial-Numbers.patch b/0043-webuitests-adapt-to-Random-Serial-Numbers.patch deleted file mode 100644 index e001977..0000000 --- a/0043-webuitests-adapt-to-Random-Serial-Numbers.patch +++ /dev/null @@ -1,95 +0,0 @@ -From c8befc9f46b43aec748ede33236ca4f77b2356c6 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 26 Nov 2024 09:40:53 +0100 -Subject: [PATCH] webuitests: adapt to Random Serial Numbers - -The webui tests were written for sequential serial numbers -and expect the certs to be issued with low serial numbers. -Adapt to Random Serial Numbers. - -Fixes:https://pagure.io/freeipa/issue/9707 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_webui/test_cert.py | 39 +++++++++++++++++++++++++++++--- - 1 file changed, 36 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py -index 7a8ffde917c75f4578b1d8f9a1cdcdbb4ba4a1ae..0dc276555b26a2ac4a0d79695f3cd74a3ccd55ec 100644 ---- a/ipatests/test_webui/test_cert.py -+++ b/ipatests/test_webui/test_cert.py -@@ -93,6 +93,14 @@ class test_cert(UI_driver): - csr = generate_csr(hostname) - - self.navigate_to_entity(ENTITY) -+ -+ # Save the existing cert serials before the new one is added -+ # the test will compare before/after in order to find the serial -+ # of the newly generated certificate -+ result = self.execute_api_from_ui('cert_find', [], {}) -+ certs = result['result']['result'] -+ before = [cert["serial_number"] for cert in certs] -+ - self.facet_button_click('request_cert') - self.fill_textbox('principal', 'HTTP/{}'.format(hostname)) - self.check_option('add', 'checked') -@@ -100,8 +108,17 @@ class test_cert(UI_driver): - self.dialog_button_click('issue') - self.assert_notification(assert_text='Certificate requested') - self.navigate_to_entity(ENTITY) -+ -+ # Save the existing cert serials after the new one is added -+ result = self.execute_api_from_ui('cert_find', [], {}) -+ certs = result['result']['result'] -+ after = [cert["serial_number"] for cert in certs] -+ new_serial = [serial for serial in after if serial not in before] -+ # Find the cert that was jsut generated -+ index = after.index(new_serial[0]) -+ - rows = self.get_rows() -- cert = rows[-1] -+ cert = rows[index] - - self.navigate_to_row_record(cert) - self.action_list_action('revoke_cert', False) -@@ -212,10 +229,18 @@ class test_cert(UI_driver): - # try searching using -1 - check_minimum_serial(self, '-1', 'min_serial_number') - -+ # Find the highest serial number and add 1 to be sure there is no -+ # cert with a higher serial number -+ result = self.execute_api_from_ui('cert_find', [], {}) -+ certs = result['result']['result'] -+ serials = [int(cert["serial_number_hex"], 0) for cert in certs] -+ serials.sort() -+ highest_serial = str(serials[-1] + 1) -+ - # try using higher value than no. of certs present - self.navigate_to_entity(ENTITY) - self.select('select[name=search_option]', 'min_serial_number') -- search_pkey(self, '99') -+ search_pkey(self, highest_serial) - rows = self.get_rows() - assert len(rows) == 0 - -@@ -226,8 +251,16 @@ class test_cert(UI_driver): - """ - self.init_app() - self.navigate_to_entity(ENTITY) -+ -+ # Find the second lowest serial number -+ result = self.execute_api_from_ui('cert_find', [], {}) -+ certs = result['result']['result'] -+ serials = [int(cert["serial_number_hex"], 0) for cert in certs] -+ serials.sort() -+ second_serial = str(serials[1]) -+ - self.select('select[name=search_option]', 'max_serial_number') -- search_pkey(self, '2') -+ search_pkey(self, second_serial) - rows = self.get_rows() - assert len(rows) == 2 - --- -2.47.0 - diff --git a/0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch b/0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch deleted file mode 100644 index 0e4333b..0000000 --- a/0044-Allow-looking-up-constants.Group-by-gid-in-addition-.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 184589fac4ff36b5583541f40dff91296c33370a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 2 Dec 2024 10:23:29 -0500 -Subject: [PATCH] Allow looking up constants.Group by gid in addition to name - -This adds flexibility so we can look up groups by both gid and -by name in order to have a more consistent API for management. - -Related: https://pagure.io/freeipa/issue/9709 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaplatform/base/constants.py | 5 ++++- - ipatests/test_ipaplatform/test_constants.py | 11 +++++++++++ - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py -index 1689efe52466f00fd8b014f720e1d21ebdbf2504..f1ef7efff502573bab82e890bcdf87c0ec52a399 100644 ---- a/ipaplatform/base/constants.py -+++ b/ipaplatform/base/constants.py -@@ -86,7 +86,10 @@ class Group(_Entity): - try: - self._entity = entity = grp.getgrnam(self) - except KeyError: -- raise ValueError(f"group '{self!s}' not found") from None -+ try: -+ self._entity = entity = grp.getgrgid(int(self)) -+ except (TypeError, ValueError): -+ raise ValueError(f"group '{self!s}' not found") from None - return entity - - @property -diff --git a/ipatests/test_ipaplatform/test_constants.py b/ipatests/test_ipaplatform/test_constants.py -index b57bfa48e5ccefe2b22cb00aca8436e0edc01a30..9bb12283609f87bcd875a2c55ee1e8b714dd8b3a 100644 ---- a/ipatests/test_ipaplatform/test_constants.py -+++ b/ipatests/test_ipaplatform/test_constants.py -@@ -1,6 +1,7 @@ - # - # Copyright (C) 2020 FreeIPA Contributors see COPYING for license - # -+import grp - import pytest - - from ipaplatform.base.constants import User, Group -@@ -40,6 +41,16 @@ def test_group(): - assert Group(str(group)) is not group - - -+def test_numeric_group(): -+ g = grp.getgrnam('apache') -+ group = Group(g.gr_gid) -+ assert group.gid == g.gr_gid -+ assert type(str(group)) is str -+ assert repr(group) == '' % g.gr_gid -+ assert group.gid == g.gr_gid -+ assert group.entity.gr_gid == g.gr_gid -+ -+ - def test_group_invalid(): - invalid = Group("invalid") - with pytest.raises(ValueError) as e: --- -2.47.1 - diff --git a/0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch b/0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch deleted file mode 100644 index d916be8..0000000 --- a/0045-Pass-all-pkiuser-groups-as-suplementary-when-validat.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 934d4a291d44a40b5ea006aa1f09afa8e4a985fc Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 2 Dec 2024 10:27:15 -0500 -Subject: [PATCH] Pass all pkiuser groups as suplementary when validating an - HSM - -We were doing a "best effort" when validating the HSM token is -visible with a valid PIN when it came to groups. A specific -workaround was added for softhsm2 but this didn't carry over -to other HSMs that may have group-specific read/write access. - -Use the new capability in ipaplatform.constants.py::Group to be -able to use generate a valid entry from a group GID. Pair this -with os.getgrouplist() and all groups will be passed correctly -via ipautil.run(). - -Fixes: https://pagure.io/freeipa/issue/9709 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ca.py | 12 ++++-------- - 1 file changed, 4 insertions(+), 8 deletions(-) - -diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py -index 520e3fc5de1084e7c22c0cf7eaa86e1d3c421373..2959aceed5cd2fd4851457eaa4aeac3c0905d27d 100644 ---- a/ipaserver/install/ca.py -+++ b/ipaserver/install/ca.py -@@ -211,11 +211,7 @@ def hsm_validator(token_name, token_library, token_password): - ) - pkiuser = constants.PKI_USER - pkigroup = constants.PKI_GROUP -- if 'libsofthsm' in token_library: -- import grp -- group = grp.getgrnam(constants.ODS_GROUP) -- if str(constants.PKI_USER) in group.gr_mem: -- pkigroup = constants.ODS_GROUP -+ group_list = os.getgrouplist(pkiuser, pkigroup.gid) - with certdb.NSSDatabase() as tempnssdb: - tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup)) - # Try adding the token library to the temporary database in -@@ -231,7 +227,7 @@ def hsm_validator(token_name, token_library, token_password): - # It may fail if p11-kit has already registered the library, that's - # ok. - ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir, -- runas=pkiuser, suplementary_groups=[pkigroup], -+ runas=pkiuser, suplementary_groups=group_list, - raiseonerr=False) - - command = [ -@@ -242,7 +238,7 @@ def hsm_validator(token_name, token_library, token_password): - ] - lines = ipautil.run( - command, cwd=tempnssdb.secdir, capture_output=True, -- runas=pkiuser, suplementary_groups=[pkigroup]).output -+ runas=pkiuser, suplementary_groups=group_list).output - found = False - token_line = f'token: {token_name}' - for line in lines.split('\n'): -@@ -265,7 +261,7 @@ def hsm_validator(token_name, token_library, token_password): - ] - result = ipautil.run(args, cwd=tempnssdb.secdir, - runas=pkiuser, -- suplementary_groups=[pkigroup], -+ suplementary_groups=group_list, - capture_error=True, raiseonerr=False) - if result.returncode != 0 and len(result.error_output): - if 'SEC_ERROR_BAD_PASSWORD' in result.error_output: --- -2.47.1 - diff --git a/0046-ipalib-x509-support-PyCA-44.0.patch b/0046-ipalib-x509-support-PyCA-44.0.patch deleted file mode 100644 index 2b3672f..0000000 --- a/0046-ipalib-x509-support-PyCA-44.0.patch +++ /dev/null @@ -1,166 +0,0 @@ -From d4d56a6705c870901bc73882e4804367f7c9c91a Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Sun, 1 Dec 2024 20:16:54 +0200 -Subject: [PATCH] ipalib/x509: support PyCA 44.0 - -PyCA made x509.Certificate class concrete, it cannot be extended anymore -by Python code. The intent is to use helper functions to instantiate -certificate objects and never create them directly. - -FreeIPA wraps PyCA's x509.Certificate class and provides own shim -on top of it. In most cases we load the certificate content via the -helper functions and don't really need to derive from the certificate -class. - -Move IPACertificate to be a normal Python object class that stores -x509.Certificate internally. The only place where this breaks is when -IPACertificate object needs to be passed to a code that expects -x509.Certificate (Dogtag PKI). In such cases, expose the underlying -certificate instance via IPACertificate.cert property. - -Fixes: https://pagure.io/freeipa/issue/9708 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipalib/ipajson.py | 4 ++-- - ipalib/x509.py | 10 +++++++++- - ipapython/ipaldap.py | 15 +++++++-------- - ipaserver/plugins/dogtag.py | 3 ++- - 4 files changed, 20 insertions(+), 12 deletions(-) - -diff --git a/ipalib/ipajson.py b/ipalib/ipajson.py -index 5551d12e5fec7e458fa6fe85560664b2fd897337..fd99c8219c722c52321336f28ff27e1573e906c7 100644 ---- a/ipalib/ipajson.py -+++ b/ipalib/ipajson.py -@@ -9,7 +9,7 @@ from decimal import Decimal - import json - import six - from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT --from ipalib import capabilities -+from ipalib import capabilities, x509 - from ipalib.x509 import Encoding as x509_Encoding - from ipapython.dn import DN - from ipapython.dnsutil import DNSName -@@ -72,7 +72,7 @@ class _JSONPrimer(dict): - list: self._enc_list, - tuple: self._enc_list, - dict: self._enc_dict, -- crypto_x509.Certificate: self._enc_certificate, -+ x509.IPACertificate: self._enc_certificate, - crypto_x509.CertificateSigningRequest: self._enc_certificate, - }) - -diff --git a/ipalib/x509.py b/ipalib/x509.py -index fd08238962b2b5e9cd056fb13c0a81ee8f31b092..6780bead00b50efdf03c62ce717572eeb9df2e5f 100644 ---- a/ipalib/x509.py -+++ b/ipalib/x509.py -@@ -88,7 +88,7 @@ SAN_UPN = '1.3.6.1.4.1.311.20.2.3' - SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' - - --class IPACertificate(crypto_x509.Certificate): -+class IPACertificate: - """ - A proxy class wrapping a python-cryptography certificate representation for - IPA purposes -@@ -205,6 +205,10 @@ class IPACertificate(crypto_x509.Certificate): - """ - return self._cert.fingerprint(algorithm) - -+ @property -+ def cert(self): -+ return self._cert -+ - @property - def serial_number(self): - return self._cert.serial_number -@@ -457,6 +461,8 @@ def load_pem_x509_certificate(data): - :returns: a ``IPACertificate`` object. - :raises: ``ValueError`` if unable to load the certificate. - """ -+ if isinstance(data, IPACertificate): -+ return data - return IPACertificate( - crypto_x509.load_pem_x509_certificate(data, backend=default_backend()) - ) -@@ -469,6 +475,8 @@ def load_der_x509_certificate(data): - :returns: a ``IPACertificate`` object. - :raises: ``ValueError`` if unable to load the certificate. - """ -+ if isinstance(data, IPACertificate): -+ return data - return IPACertificate( - crypto_x509.load_der_x509_certificate(data, backend=default_backend()) - ) -diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py -index 1888e40916aa6e641542f08fb30ff2b0d4b850b1..5bb81c1bc844fce9b14251d3702e09099d85cdb5 100644 ---- a/ipapython/ipaldap.py -+++ b/ipapython/ipaldap.py -@@ -33,7 +33,6 @@ import warnings - - from collections import OrderedDict - --from cryptography import x509 as crypto_x509 - from cryptography.hazmat.primitives import serialization - - import ldap -@@ -748,10 +747,10 @@ class LDAPClient: - 'dnszoneidnsname': DNSName, - 'krbcanonicalname': Principal, - 'krbprincipalname': Principal, -- 'usercertificate': crypto_x509.Certificate, -- 'usercertificate;binary': crypto_x509.Certificate, -- 'cACertificate': crypto_x509.Certificate, -- 'cACertificate;binary': crypto_x509.Certificate, -+ 'usercertificate': x509.IPACertificate, -+ 'usercertificate;binary': x509.IPACertificate, -+ 'cACertificate': x509.IPACertificate, -+ 'cACertificate;binary': x509.IPACertificate, - 'nsds5replicalastupdatestart': unicode, - 'nsds5replicalastupdateend': unicode, - 'nsds5replicalastinitstart': unicode, -@@ -1000,7 +999,7 @@ class LDAPClient: - return dct - elif isinstance(val, datetime): - return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8') -- elif isinstance(val, crypto_x509.Certificate): -+ elif isinstance(val, x509.IPACertificate): - return val.public_bytes(x509.Encoding.DER) - elif val is None: - return None -@@ -1027,7 +1026,7 @@ class LDAPClient: - return DNSName.from_text(val.decode('utf-8')) - elif target_type in (DN, Principal): - return target_type(val.decode('utf-8')) -- elif target_type is crypto_x509.Certificate: -+ elif target_type is x509.IPACertificate: - return x509.load_der_x509_certificate(val) - else: - return target_type(val) -@@ -1381,7 +1380,7 @@ class LDAPClient: - ] - return cls.combine_filters(flts, rules) - elif value is not None: -- if isinstance(value, crypto_x509.Certificate): -+ if isinstance(value, x509.IPACertificate): - value = value.public_bytes(serialization.Encoding.DER) - if isinstance(value, bytes): - value = binascii.hexlify(value).decode('ascii') -diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py -index 78afb279795ecf74f296cbbb8724505075a6e4a9..ee6d0e347d640a2664e38ba64785c3d8af54bbad 100644 ---- a/ipaserver/plugins/dogtag.py -+++ b/ipaserver/plugins/dogtag.py -@@ -1581,7 +1581,8 @@ class kra(Backend): - - crypto = cryptoutil.CryptographyCryptoProvider( - transport_cert_nick="ra_agent", -- transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM) -+ transport_cert=x509.load_certificate_from_file( -+ paths.RA_AGENT_PEM).cert - ) - - # TODO: obtain KRA host & port from IPA service list or point to KRA load balancer --- -2.47.1 - diff --git a/0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch b/0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch deleted file mode 100644 index 04ae1fd..0000000 --- a/0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 8dfec28647f7c17e47fbfc96a1720dcde1592386 Mon Sep 17 00:00:00 2001 -From: Stanislav Levin -Date: Mon, 2 Dec 2024 15:04:30 +0300 -Subject: [PATCH] pyca: adapt import paths for TripleDES cipher - -https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES - -> This algorithm has been deprecated and moved to the Decrepit - cryptography module. If you need to continue using it then update your - code to use the new module path. It will be removed from this namespace - in 48.0.0. - -Fixes: https://pagure.io/freeipa/issue/9708 -Signed-off-by: Stanislav Levin -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/plugins/vault.py | 8 +++++++- - ipalib/constants.py | 24 +++++++++++------------- - ipaserver/install/ipa_otptoken_import.py | 8 +++++++- - 3 files changed, 25 insertions(+), 15 deletions(-) - -diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py -index 75415c03a57242ae674636fa31a72db2fa56d6ea..6af7297936924dfb80e7f79924b570421da65c97 100644 ---- a/ipaclient/plugins/vault.py -+++ b/ipaclient/plugins/vault.py -@@ -34,6 +34,12 @@ from cryptography.hazmat.primitives import hashes - from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC - from cryptography.hazmat.primitives.asymmetric import padding - from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes -+try: -+ # cryptography>=43.0.0 -+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES -+except ImportError: -+ # will be removed from this module in cryptography 48.0.0 -+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES - from cryptography.hazmat.primitives.padding import PKCS7 - from cryptography.hazmat.primitives.serialization import ( - load_pem_public_key, load_pem_private_key) -@@ -661,7 +667,7 @@ class ModVaultData(Local): - if name == constants.VAULT_WRAPPING_AES128_CBC: - return algorithms.AES(os.urandom(128 // 8)) - elif name == constants.VAULT_WRAPPING_3DES: -- return algorithms.TripleDES(os.urandom(196 // 8)) -+ return TripleDES(os.urandom(196 // 8)) - else: - # unreachable - raise ValueError(name) -diff --git a/ipalib/constants.py b/ipalib/constants.py -index b657e5a9065d115d0eff2dbfffff49e992006536..c90caa22149ec3d93d45fcb5480f7401e4555799 100644 ---- a/ipalib/constants.py -+++ b/ipalib/constants.py -@@ -25,20 +25,19 @@ All constants centralised in one file. - import os - import string - import uuid --import warnings -- --warnings.filterwarnings( -- "ignore", -- "TripleDES has been moved to " -- "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and " -- "will be removed from this module in 48.0.0", -- category=UserWarning) - - from ipaplatform.constants import constants as _constants - from ipapython.dn import DN - from ipapython.fqdn import gethostfqdn - from ipapython.version import VERSION, API_VERSION --from cryptography.hazmat.primitives.ciphers import algorithms, modes -+from cryptography.hazmat.primitives.ciphers import modes -+try: -+ # cryptography>=43.0.0 -+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES -+except ImportError: -+ # will be removed from this module in cryptography 48.0.0 -+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES -+ - from cryptography.hazmat.backends.openssl.backend import backend - - -@@ -389,7 +388,6 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = ( - VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC - - # Add 3DES for backwards compatibility if supported --if getattr(algorithms, 'TripleDES', None): -- if backend.cipher_supported(algorithms.TripleDES( -- b"\x00" * 8), modes.CBC(b"\x00" * 8)): -- VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,) -+if backend.cipher_supported(TripleDES( -+ b"\x00" * 8), modes.CBC(b"\x00" * 8)): -+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,) -diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py -index 279a7502d2f305309252b3b291e32b772a51a1d3..17457f6c5b81ab70a0ecee13bf744e242ec88ff0 100644 ---- a/ipaserver/install/ipa_otptoken_import.py -+++ b/ipaserver/install/ipa_otptoken_import.py -@@ -37,6 +37,12 @@ from cryptography.hazmat.primitives import hashes, hmac - from cryptography.hazmat.primitives.padding import PKCS7 - from cryptography.hazmat.primitives.kdf import pbkdf2 - from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes -+try: -+ # cryptography>=43.0.0 -+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES -+except ImportError: -+ # will be removed from this module in cryptography 48.0.0 -+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES - from cryptography.hazmat.backends import default_backend - - from ipaplatform.paths import paths -@@ -169,7 +175,7 @@ def convertAlgorithm(value): - # in the list of the vault wrapping algorithms, we cannot use 3DES anywhere - if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS: - supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = ( -- algorithms.TripleDES, modes.CBC, 64) -+ TripleDES, modes.CBC, 64) - - return supported_algs.get(value.lower(), (None, None, None)) - --- -2.47.1 - diff --git a/0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch b/0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch deleted file mode 100644 index 2f77fbc..0000000 --- a/0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 3e7ec3dc49d0f559bdbe330e52019e59f0b57c18 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 3 Dec 2024 18:06:45 +0200 -Subject: [PATCH] ipa-pwd-extop: clarify OTP use over LDAP binds - -OTP use during LDAP bind can be enforced either explicitly via client -specifying a control with OID 2.16.840.1.113730.3.8.10.7 and no payload -or implicitly through the global IPA configuration with EnforceLDAPOTP. - -OTP token enforcement overrides IPA user authentication types -requirements: - -If OTP enforcement is required: - - - if user authentication types still allow password authentication, - authentication with just a password is denied, regardless whether OTP - tokens are associated with the user or not. - -If OTP enforcement is not required: - - - if user has no OTP tokens but user authentication types require OTP - use, authentication with just a password is allowed until a token is - added. - - - if user has OTP tokens and user authentication types require OTP use - but not password, authentication with just a password is denied. - -Additionally, enforcement of OTP only applies to LDAP objects which -don't use 'simpleSecurityObject' objectclass. This allows system service -accounts to continue authenticate with a password regardless of the -OTP enforcement. - -Fixes: https://pagure.io/freeipa/issue/9699 -Fixes: https://pagure.io/freeipa/issue/9711 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 38 +++++++++++++++---- - 1 file changed, 30 insertions(+), 8 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index 1c1340e31ac30cb01412a7065ea339cb5461e839..42e880fd0a5c8b4708b145b340209eb218f60c4e 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -1219,12 +1219,10 @@ typedef enum { - } otp_req_enum; - static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry, - struct berval *creds, otp_req_enum otpreq, -- bool *notokens) -+ bool *notokens, uint32_t *auth_types) - { -- uint32_t auth_types; -- - /* Get the configured authentication types. */ -- auth_types = otp_config_auth_types(otp_config, entry); -+ *auth_types = otp_config_auth_types(otp_config, entry); - *notokens = false; - - /* -@@ -1237,7 +1235,8 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry, - * 2. If PWD is enabled or OTP succeeded, fall through to PWD validation. - */ - -- if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) { -+ if ((*auth_types & OTP_CONFIG_AUTH_TYPE_OTP) || -+ (otpreq != OTP_IS_NOT_REQUIRED)) { - struct otp_token **tokens = NULL; - - LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME, -@@ -1270,7 +1269,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry, - otp_token_free_array(tokens); - } - -- return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) && -+ return (*auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) && - (otpreq == OTP_IS_NOT_REQUIRED); - } - -@@ -1451,6 +1450,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - struct ipapwd_krbcfg *krbcfg = NULL; - struct berval *credentials = NULL; - Slapi_Entry *entry = NULL; -+ Slapi_Value *objectclass = NULL; - Slapi_DN *target_sdn = NULL; - Slapi_DN *sdn = NULL; - const char *dn = NULL; -@@ -1465,6 +1465,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - int rc = LDAP_INVALID_CREDENTIALS; - char *errMesg = NULL; - bool notokens = false; -+ uint32_t auth_types = 0; - - /* get BIND parameters */ - ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn); -@@ -1538,12 +1539,33 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - otpreq = OTP_IS_REQUIRED_IMPLICITLY; - } - } -+ /* we only apply OTP policy to Kerberos principals */ -+ objectclass = slapi_value_new_string("krbprincipalaux"); -+ if (objectclass == NULL) { -+ goto invalid_creds; -+ } -+ if (!slapi_entry_attr_has_syntax_value(entry, SLAPI_ATTR_OBJECTCLASS, -+ objectclass)) { -+ otpreq = OTP_IS_NOT_REQUIRED; -+ } -+ slapi_value_free(&objectclass); -+ - if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, -- credentials, otpreq, ¬okens)) { -+ credentials, otpreq, -+ ¬okens, &auth_types)) { - /* We got here because ipapwd_pre_bind_otp() returned false, - * it means that either token verification failed or - * a rule for empty tokens failed current policy. */ -- if (!(notokens || (otpreq == OTP_IS_NOT_REQUIRED))) -+ -+ /* Check if there were any tokens associated, thus -+ * OTP token verification has really failed */ -+ if (notokens == false) -+ goto invalid_creds; -+ -+ /* No tokens, check if auth type does not include OTP but OTP is -+ * enforced by the current policy */ -+ if (!(auth_types & OTP_CONFIG_AUTH_TYPE_OTP) && -+ (otpreq != OTP_IS_NOT_REQUIRED)) - goto invalid_creds; - } - --- -2.47.1 - diff --git a/0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch b/0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch deleted file mode 100644 index 6921ab0..0000000 --- a/0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 477dbba18bf987bf4461fdfdfba0d497159db7ce Mon Sep 17 00:00:00 2001 -From: Stanislav Levin -Date: Wed, 4 Dec 2024 19:56:51 +0300 -Subject: [PATCH] adtrust: add missing ipaAllowedOperations objectclass - -Per @abbra explanation: -> When expected Kerberos principal names for this object were flipped to - follow requirements for cross-realm krbtgt objects expected by Active - Directory, trusted object changed its canonical Kerberos principal name. - The keytab for this Kerberos principal name is fetched by SSSD and it - needs to be permitted to read the key. We added the virtual permission - to allow the keytab retrieval but didn't add the objectclass that - actually allows adding an LDAP attribute to express the permission. When - an attribute is added to an LDAP object, objectclasses of the object - must allow presence of that attribute. - -This is the followup to #9471 and fixes the upgrade. - -Thanks @abbra! - -Related: https://pagure.io/freeipa/issue/9471 -Fixes: https://pagure.io/freeipa/issue/9712 -Signed-off-by: Stanislav Levin -Reviewed-By: Alexander Bokovoy ---- - ipaserver/install/plugins/adtrust.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py -index e6d49cb2512bff7dcce57f019ecb6c497d11ed52..ab3d427ef561aeb26eb098270446640ba451c8ad 100644 ---- a/ipaserver/install/plugins/adtrust.py -+++ b/ipaserver/install/plugins/adtrust.py -@@ -705,7 +705,8 @@ class update_tdo_to_new_layout(Updater): - self.set_krb_principal([tgt_principal, nbt_principal], - passwd_incoming, - t_dn, -- flags=self.KRB_PRINC_CREATE_DEFAULT) -+ flags=self.KRB_PRINC_CREATE_DEFAULT -+ | self.KRB_PRINC_CREATE_AGENT_PERMISSION) - - # 3. INBOUND: krbtgt/@ must exist - trust_principal = self.tgt_principal_template.format( --- -2.47.1 - diff --git a/0050-Fix-the-typo-in-ipa_migrate_constants.patch b/0050-Fix-the-typo-in-ipa_migrate_constants.patch deleted file mode 100644 index c75955a..0000000 --- a/0050-Fix-the-typo-in-ipa_migrate_constants.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 6a2310eda39b1341258211c7630ef4baf4555df5 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Mon, 9 Dec 2024 23:03:56 +0530 -Subject: [PATCH] Fix the typo in ipa_migrate_constants. - -ipa-migrate.log displays Privileges migrated as Privledges -due to typo in labelling i.e 'label': 'Privledges' -Hence changed that to 'label': 'Privileges' - ----- LOG FILE ---- -INFO - Privledges: 3 ------------------- - -Fixes: https://pagure.io/freeipa/issue/9715 - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ipa_migrate_constants.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py -index c140414ea6c607a93e35ef0705480d1002b7945e..e8192fb1aabae1c36669370eff242428a1f0355f 100644 ---- a/ipaserver/install/ipa_migrate_constants.py -+++ b/ipaserver/install/ipa_migrate_constants.py -@@ -886,7 +886,7 @@ DB_OBJECTS = { - 'pbac_priv': { - 'oc': ['groupofnames'], - 'subtree': ',cn=privileges,cn=pbac,$SUFFIX', -- 'label': 'Privledges', -+ 'label': 'Privileges', - 'mode': 'all', - 'count': 0, - }, --- -2.47.1 - diff --git a/0051-test_ipahealthcheck-skip-connectivity_and_data-check.patch b/0051-test_ipahealthcheck-skip-connectivity_and_data-check.patch deleted file mode 100644 index c13ec2a..0000000 --- a/0051-test_ipahealthcheck-skip-connectivity_and_data-check.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d8d4c5507bd3784d323e6836ff8456ba9608f115 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 20 Sep 2024 09:36:41 +0200 -Subject: [PATCH] test_ipahealthcheck: skip connectivity_and_data check - -PKI removed the clones.check connectivity_and_data check in -11.5 and master branches. Skip the test depending on PKI version. -The most recent version on 11.5 is 11.5.4 and still contains the check, -hence skipping if version >= 11.5.5. - -Fixes: https://pagure.io/freeipa/issue/9668 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index a3e10b04487f0a12fdde19a8d1971a09f7d79b63..cc51a5a6a62fbc50927fc2fc51f129a069e70b69 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -1219,6 +1219,9 @@ class TestIpaHealthCheck(IntegrationTest): - This testcase checks that when ClonesConnectivyAndDataCheck - is run it doesn't display source not found error - """ -+ if (tasks.get_pki_version( -+ self.master) >= tasks.parse_version('11.5.5')): -+ raise pytest.skip("PKI dropped ClonesConnectivyAndDataCheck") - error_msg = ( - "Source 'pki.server.healthcheck.clones.connectivity_and_data' " - "not found" --- -2.47.1 - diff --git a/0052-ipatests-Fixes-for-ipa-ipa-migration-tool.patch b/0052-ipatests-Fixes-for-ipa-ipa-migration-tool.patch deleted file mode 100644 index dffb3c4..0000000 --- a/0052-ipatests-Fixes-for-ipa-ipa-migration-tool.patch +++ /dev/null @@ -1,36 +0,0 @@ -From c294b7f6dbcae9c01d5366b19b3b070ffb730fa6 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Wed, 11 Dec 2024 15:12:48 +0530 -Subject: [PATCH] ipatests: Fixes for ipa-ipa-migration tool - -The test test_ipa_migrate_with_invalid_host has been -failing in downstream run due to mismatch in the expected test output, -hence the assert statement has been modified. - -Related: https://pagure.io/freeipa/issue/3656 - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_ipa_ipa_migration.py | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py -index 0c637a0141d95f34f951c60a9648adf8e87eaa63..95c29234fc7893d3eae5d900a58aa7b1162ed61d 100644 ---- a/ipatests/test_integration/test_ipa_ipa_migration.py -+++ b/ipatests/test_integration/test_ipa_ipa_migration.py -@@ -437,10 +437,8 @@ class TestIPAMigrateCLIOptions(MigrationTest): - """ - hostname = "server.invalid.host" - ERR_MSG = ( -- "IPA to IPA migration starting ...\n" - "Failed to bind to remote server: cannot connect to " -- "'ldap://" -- "{}': \n".format(hostname) -+ "'ldap://{}':".format(hostname) - ) - result = run_migrate( - self.replicas[0], --- -2.47.1 - diff --git a/0053-Installation-test-KRA-on-replica-after-cert-renewal.patch b/0053-Installation-test-KRA-on-replica-after-cert-renewal.patch deleted file mode 100644 index ce5085c..0000000 --- a/0053-Installation-test-KRA-on-replica-after-cert-renewal.patch +++ /dev/null @@ -1,47 +0,0 @@ -From ff5bb485d709ea02422cbafba51d23db384822af Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 20 Dec 2024 15:45:01 +0100 -Subject: [PATCH] Installation test: KRA on replica after cert renewal - -Add a new test installing the KRA on a replica after the -KRA certs have been renewed on the master. - -Related: https://pagure.io/freeipa/issue/9692 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_installation.py | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index c5565c452010f23f038ddf329454b591ef09f6af..1fae472673a3934c86af2f9adc7b343c70e25b2b 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1322,7 +1322,7 @@ class TestInstallMaster(IntegrationTest): - - class TestInstallMasterKRA(IntegrationTest): - -- num_replicas = 0 -+ num_replicas = 1 - - @classmethod - def install(cls, mh): -@@ -1379,6 +1379,14 @@ class TestInstallMasterKRA(IntegrationTest): - ) - assert starting_serial != int(cert.serial_number) - -+ def test_install_replica_after_kracert_renewal(self): -+ """ -+ Test replica installation with CA after the KRA certs renewal -+ """ -+ tasks.install_replica(self.master, self.replicas[0], -+ setup_ca=True) -+ tasks.install_kra(self.replicas[0]) -+ - - class TestInstallMasterDNS(IntegrationTest): - --- -2.47.1 - diff --git a/0054-KRA-cert-renewal-update-ca.connector.KRA.transportCe.patch b/0054-KRA-cert-renewal-update-ca.connector.KRA.transportCe.patch deleted file mode 100644 index 1666f04..0000000 --- a/0054-KRA-cert-renewal-update-ca.connector.KRA.transportCe.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a707083b0987e6ffabb817fcc5e5138b4c755459 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 20 Dec 2024 17:01:56 +0100 -Subject: [PATCH] KRA cert renewal: update ca.connector.KRA.transportCert - -After the KRA transport cert has been renewed, the value -of ca.connector.KRA.transportCert must also be updated in -/etc/pki/pki-tomcat/ca/CS.cfg. -Otherwise replica installation with KRA fails. - -Fixes: https://pagure.io/freeipa/issue/9692 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipaserver/install/cainstance.py | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 5c2c9f8b981cf5d587865f7680e2b231eae655e2..e03a8c863e14782679e19c6887f5e220131e4234 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -1225,11 +1225,14 @@ class CAInstance(DogtagInstance): - """ - - # The cert directive to update per nickname -- directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', -- 'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert', -- 'caSigningCert cert-pki-ca': 'ca.signing.cert', -- 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', -- 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} -+ directives = { -+ 'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', -+ 'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert', -+ 'caSigningCert cert-pki-ca': 'ca.signing.cert', -+ 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', -+ 'Server-Cert cert-pki-ca': 'ca.sslserver.cert', -+ 'transportCert cert-pki-kra': 'ca.connector.KRA.transportCert' -+ } - - try: - self.backup_config() --- -2.47.1 - diff --git a/0055-Add-30-second-timeout-for-certmonger-request-start-t.patch b/0055-Add-30-second-timeout-for-certmonger-request-start-t.patch deleted file mode 100644 index 53dfeb2..0000000 --- a/0055-Add-30-second-timeout-for-certmonger-request-start-t.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 2506d5de5a9dd8ebe6efc777c2eb76461f5b57e2 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 6 Jan 2025 10:12:15 -0500 -Subject: [PATCH] Add 30-second timeout for certmonger request/start tracking - -certmonger needs to validate that the PIN/password and/or token -are valid and available. In the case of a very slow HSM this can -take longer than the 5-second default timeout. - -We saw an HSM that took 18 seconds to start tracking the CA signing -certificate so default to 30 to be safe. - -Fixes: https://pagure.io/freeipa/issue/9725 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipalib/install/certmonger.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py -index 7b22295152f752b6ab4de0f3525d48c541677aff..efc1ba4f42eab98df5fac51bafa3acc83ae91831 100644 ---- a/ipalib/install/certmonger.py -+++ b/ipalib/install/certmonger.py -@@ -477,7 +477,7 @@ def request_cert( - request_parameters['cert-perms'] = perms[0] - request_parameters['key-perms'] = perms[1] - -- result = cm.obj_if.add_request(request_parameters) -+ result = cm.obj_if.add_request(request_parameters, timeout=30) - try: - if result[0]: - request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF, -@@ -581,7 +581,7 @@ def start_tracking( - if nss_user: - params['nss-user'] = nss_user - -- result = cm.obj_if.add_request(params) -+ result = cm.obj_if.add_request(params, timeout=30) - try: - if result[0]: - request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF, --- -2.47.1 - diff --git a/0056-Unify-use-of-option-parsers.patch b/0056-Unify-use-of-option-parsers.patch deleted file mode 100644 index 3147117..0000000 --- a/0056-Unify-use-of-option-parsers.patch +++ /dev/null @@ -1,624 +0,0 @@ -From d26ce5cccc211f83b3cce3fc5e548b5cb955bb81 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 13 Dec 2024 13:42:36 +0200 -Subject: [PATCH] Unify use of option parsers - -Do not use direct optparse references, instead import IPAOptionParser - -Signed-off-by: Alexander Bokovoy ---- - install/tools/ipa-adtrust-install.in | 4 +--- - install/tools/ipa-managed-entries.in | 3 ++- - ipaclient/install/ipa_client_automount.py | 4 ++-- - ipaclient/install/ipa_client_samba.py | 4 ++-- - ipalib/cli.py | 21 ++++++++++++--------- - ipalib/plugable.py | 8 ++++---- - ipapython/admintool.py | 3 +-- - ipapython/config.py | 18 +++++++++++------- - ipapython/install/cli.py | 9 ++++----- - ipaserver/install/ipa_acme_manage.py | 6 ++---- - ipaserver/install/ipa_backup.py | 5 ++--- - ipaserver/install/ipa_cacert_manage.py | 9 ++++----- - ipaserver/install/ipa_kra_install.py | 5 ++--- - ipaserver/install/ipa_restore.py | 5 ++--- - ipaserver/install/ipa_server_certinstall.py | 7 +++---- - ipatests/i18n.py | 8 ++++---- - makeapi.in | 5 ++--- - 17 files changed, 60 insertions(+), 64 deletions(-) - -diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in -index cb2b78e504896b96cdc378fd879cc1f00c60904f..e7b0e369259da5d28d703558d9293ccfaf68f3ed 100644 ---- a/install/tools/ipa-adtrust-install.in -+++ b/install/tools/ipa-adtrust-install.in -@@ -29,8 +29,6 @@ import sys - - import six - --from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module -- - from ipalib.install import sysrestore - from ipaserver.install import adtrust, service - from ipaserver.install.installutils import ( -@@ -41,7 +39,7 @@ from ipapython.admintool import ScriptError - from ipapython import version - from ipapython import ipautil - from ipalib import api, errors, krb_utils --from ipapython.config import IPAOptionParser -+from ipapython.config import IPAOptionParser, SUPPRESS_HELP - from ipaplatform.paths import paths - from ipapython.ipa_log_manager import standard_logging_setup - -diff --git a/install/tools/ipa-managed-entries.in b/install/tools/ipa-managed-entries.in -index e9be41b7a34ed62e65ab40bf544a6e4cea7c598a..e3f121943eb3b18ca8f7f8bfeae7813cbc9bd753 100644 ---- a/install/tools/ipa-managed-entries.in -+++ b/install/tools/ipa-managed-entries.in -@@ -39,7 +39,8 @@ logger = logging.getLogger(os.path.basename(__file__)) - def parse_options(): - usage = "%prog [options] \n" - usage += "%prog [options]\n" -- parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) -+ parser = config.IPAOptionParser(usage=usage, -+ formatter=config.IPAFormatter()) - - parser.add_option("-d", "--debug", action="store_true", dest="debug", - help="Display debugging information about the update(s)") -diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py -index 4439932bd723c40c429dac2c08e97d326e414d24..9f49ff9edeee2648d2be1dea6b09806ba0b5e041 100644 ---- a/ipaclient/install/ipa_client_automount.py -+++ b/ipaclient/install/ipa_client_automount.py -@@ -34,7 +34,6 @@ import SSSDConfig - - from six.moves.urllib.parse import urlsplit - --from optparse import OptionParser # pylint: disable=deprecated-module - from ipapython import ipachangeconf - from ipaclient import discovery - from ipaclient.install.client import ( -@@ -52,6 +51,7 @@ from ipaplatform.tasks import tasks - from ipaplatform import services - from ipaplatform.paths import paths - from ipapython.admintool import ScriptError -+from ipapython.config import IPAOptionParser - - - logger = logging.getLogger(os.path.basename(__file__)) -@@ -59,7 +59,7 @@ logger = logging.getLogger(os.path.basename(__file__)) - - def parse_options(): - usage = "%prog [options]\n" -- parser = OptionParser(usage=usage) -+ parser = IPAOptionParser(usage=usage) - parser.add_option("--server", dest="server", help="FQDN of IPA server") - parser.add_option( - "--location", -diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py -index 81d670c34cae0f91a436a2a2d1e0d525057b6cc7..5c33abb4cabe47ff311b7d769fefa37991f7d453 100755 ---- a/ipaclient/install/ipa_client_samba.py -+++ b/ipaclient/install/ipa_client_samba.py -@@ -9,7 +9,6 @@ import logging - import os - import gssapi - from urllib.parse import urlsplit --from optparse import OptionParser # pylint: disable=deprecated-module - from contextlib import contextmanager - - from ipaclient import discovery -@@ -31,6 +30,7 @@ from ipaplatform.constants import constants - from ipaplatform import services - from ipapython.admintool import ScriptError - from samba import generate_random_password -+from ipapython.config import IPAOptionParser - - logger = logging.getLogger(os.path.basename(__file__)) - logger.setLevel(logging.DEBUG) -@@ -68,7 +68,7 @@ def use_api_as_principal(principal, keytab): - - def parse_options(): - usage = "%prog [options]\n" -- parser = OptionParser(usage=usage) -+ parser = IPAOptionParser(usage=usage) - parser.add_option( - "--server", - dest="server", -diff --git a/ipalib/cli.py b/ipalib/cli.py -index d9c2ac16513101098c8f9a2258ae930b3b2cebf0..667b213fd4e4706e6eecd4d2b4737fb3fede4c93 100644 ---- a/ipalib/cli.py -+++ b/ipalib/cli.py -@@ -30,7 +30,6 @@ import textwrap - import sys - import getpass - import code --import optparse # pylint: disable=deprecated-module - import os - import pprint - import fcntl -@@ -71,6 +70,8 @@ from ipalib.text import _ - from ipalib import api - from ipapython.dnsutil import DNSName - from ipapython.admintool import ScriptError -+from ipapython.config import (IPAOptionParser, IPAFormatter, -+ OptionGroup, make_option) - - import datetime - -@@ -1121,7 +1122,8 @@ class Collector: - def __todict__(self): - return dict(self.__options) - --class CLIOptionParserFormatter(optparse.IndentedHelpFormatter): -+ -+class CLIOptionParserFormatter(IPAFormatter): - def format_argument(self, name, help_string): - result = [] - opt_width = self.help_position - self.current_indent - 2 -@@ -1141,7 +1143,8 @@ class CLIOptionParserFormatter(optparse.IndentedHelpFormatter): - result.append("\n") - return "".join(result) - --class CLIOptionParser(optparse.OptionParser): -+ -+class CLIOptionParser(IPAOptionParser): - """ - This OptionParser subclass adds an ability to print positional - arguments in CLI help. Custom formatter is used to format the argument -@@ -1151,13 +1154,13 @@ class CLIOptionParser(optparse.OptionParser): - self._arguments = [] - if 'formatter' not in kwargs: - kwargs['formatter'] = CLIOptionParserFormatter() -- optparse.OptionParser.__init__(self, *args, **kwargs) -+ IPAOptionParser.__init__(self, *args, **kwargs) - - def format_option_help(self, formatter=None): - """ - Prepend argument help to standard OptionParser's option help - """ -- option_help = optparse.OptionParser.format_option_help(self, formatter) -+ option_help = IPAOptionParser.format_option_help(self, formatter) - - if isinstance(formatter, CLIOptionParserFormatter): - heading = unicode(_("Positional arguments")) -@@ -1272,7 +1275,7 @@ class cli(backend.Executioner): - """Get or create an option group for the given name""" - option_group = option_groups.get(group_name) - if option_group is None: -- option_group = optparse.OptionGroup(parser, group_name) -+ option_group = OptionGroup(parser, group_name) - parser.add_option_group(option_group) - option_groups[group_name] = option_group - return option_group -@@ -1298,7 +1301,7 @@ class cli(backend.Executioner): - option_names = ['--%s' % cli_name] - if option.cli_short_name: - option_names.append('-%s' % option.cli_short_name) -- opt = optparse.make_option(*option_names, **kw) -+ opt = make_option(*option_names, **kw) - if option.option_group is None: - parser.add_option(opt) - else: -@@ -1312,7 +1315,7 @@ class cli(backend.Executioner): - group = _get_option_group(unicode(_('Deprecated options'))) - for alias in option.deprecated_cli_aliases: - name = '--%s' % alias -- group.add_option(optparse.make_option(name, **new_kw)) -+ group.add_option(make_option(name, **new_kw)) - - for arg in cmd.args(): - name = self.__get_arg_name(arg, format_name=False) -@@ -1442,7 +1445,7 @@ class cli(backend.Executioner): - ) - - --class IPAHelpFormatter(optparse.IndentedHelpFormatter): -+class IPAHelpFormatter(IPAFormatter): - """Formatter suitable for printing IPA command help - - The default help formatter reflows text to fit the terminal, but it -diff --git a/ipalib/plugable.py b/ipalib/plugable.py -index 2e2861df054fa7ed3533d0f82a23b65322ab591b..a87e6e8914fa5579920aad8190c7f6a86cb3dfea 100644 ---- a/ipalib/plugable.py -+++ b/ipalib/plugable.py -@@ -33,7 +33,6 @@ import sys - import threading - import os - from os import path --import optparse # pylint: disable=deprecated-module - import textwrap - import collections - import importlib -@@ -47,6 +46,7 @@ from ipalib.util import classproperty - from ipalib.base import ReadOnly, lock, islocked - from ipalib.constants import DEFAULT_CONFIG - from ipapython import ipa_log_manager, ipautil -+from ipapython.config import IPAOptionParser, IPAFormatter - from ipapython.ipa_log_manager import ( - LOGGING_FORMAT_FILE, - LOGGING_FORMAT_STDERR) -@@ -526,7 +526,7 @@ class API(ReadOnly): - - def build_global_parser(self, parser=None, context=None): - """ -- Add global options to an optparse.OptionParser instance. -+ Add global options to an IPAOptionParser instance. - """ - def config_file_callback(option, opt, value, parser): - if not os.path.isfile(value): -@@ -536,7 +536,7 @@ class API(ReadOnly): - parser.values.conf = value - - if parser is None: -- parser = optparse.OptionParser( -+ parser = IPAOptionParser( - add_help_option=False, - formatter=IPAHelpFormatter(), - usage='%prog [global-options] COMMAND [command-options]', -@@ -821,7 +821,7 @@ class API(ReadOnly): - return self.__next[plugin] - - --class IPAHelpFormatter(optparse.IndentedHelpFormatter): -+class IPAHelpFormatter(IPAFormatter): - def format_epilog(self, epilog): - text_width = self.width - self.current_indent - indent = " " * self.current_indent -diff --git a/ipapython/admintool.py b/ipapython/admintool.py -index fdb4400d879165612405b3ba159a220773bd8d69..dff9112eba4009d2fc1a6202756c6671ba4d909d 100644 ---- a/ipapython/admintool.py -+++ b/ipapython/admintool.py -@@ -26,7 +26,6 @@ import logging - import sys - import os - import traceback --from optparse import OptionGroup # pylint: disable=deprecated-module - - from ipaplatform.osinfo import osinfo - from ipapython import version -@@ -113,7 +112,7 @@ class AdminTool: - :param parser: The parser to add options to - :param debug_option: Add a --debug option as an alias to --verbose - """ -- group = OptionGroup(parser, "Logging and output options") -+ group = config.OptionGroup(parser, "Logging and output options") - group.add_option("-v", "--verbose", dest="verbose", default=False, - action="store_true", help="print debugging information") - if debug_option: -diff --git a/ipapython/config.py b/ipapython/config.py -index f53d0f998aaedf47715764577dd7f5048f4ca841..7af4dfdeb0047586de9694f233be8bf543190b9c 100644 ---- a/ipapython/config.py -+++ b/ipapython/config.py -@@ -18,9 +18,9 @@ - # - from __future__ import absolute_import - --# pylint: disable=deprecated-module --from optparse import ( -- Option, Values, OptionParser, IndentedHelpFormatter, OptionValueError) -+# pylint: disable=deprecated-module, disable=unused-import -+from optparse import (Option, Values, OptionGroup, OptionParser, SUPPRESS_HELP, -+ IndentedHelpFormatter, OptionValueError, make_option) - # pylint: enable=deprecated-module - from copy import copy - from configparser import ConfigParser as SafeConfigParser -@@ -113,10 +113,14 @@ class IPAOptionParser(OptionParser): - description=None, - formatter=None, - add_help_option=True, -- prog=None): -- OptionParser.__init__(self, usage, option_list, option_class, -- version, conflict_handler, description, -- formatter, add_help_option, prog) -+ prog=None, -+ epilog=None): -+ OptionParser.__init__(self, usage=usage, option_list=option_list, -+ option_class=option_class, version=version, -+ conflict_handler=conflict_handler, -+ description=description, formatter=formatter, -+ add_help_option=add_help_option, prog=prog, -+ epilog=epilog) - - def get_safe_opts(self, opts): - """ -diff --git a/ipapython/install/cli.py b/ipapython/install/cli.py -index ab212be4e2c3f9c2aae97f7759672ef7c68c3347..a048b3c7c64bc22338e4517d64b33a44446c58a3 100644 ---- a/ipapython/install/cli.py -+++ b/ipapython/install/cli.py -@@ -9,12 +9,11 @@ Command line support. - import collections - import enum - import logging --import optparse # pylint: disable=deprecated-module - import signal - - import six - --from ipapython import admintool -+from ipapython import admintool, config - from ipapython.ipa_log_manager import standard_logging_setup - from ipapython.ipautil import (CheckedIPAddress, CheckedIPAddressLoopback, - private_ccache) -@@ -158,7 +157,7 @@ class ConfigureTool(admintool.AdminTool): - try: - opt_group = groups[group_cls] - except KeyError: -- opt_group = groups[group_cls] = optparse.OptionGroup( -+ opt_group = groups[group_cls] = config.OptionGroup( - parser, "{0} options".format(group_cls.description)) - parser.add_option_group(opt_group) - -@@ -232,7 +231,7 @@ class ConfigureTool(admintool.AdminTool): - if not hidden: - help = knob_cls.description - else: -- help = optparse.SUPPRESS_HELP -+ help = config.SUPPRESS_HELP - - opt_group.add_option( - *opt_strs, -@@ -256,7 +255,7 @@ class ConfigureTool(admintool.AdminTool): - - # fake option parser to parse positional arguments - # (because optparse does not support positional argument parsing) -- fake_option_parser = optparse.OptionParser() -+ fake_option_parser = config.IPAOptionParser() - self.add_options(fake_option_parser, True) - - fake_option_map = {option.dest: option -diff --git a/ipaserver/install/ipa_acme_manage.py b/ipaserver/install/ipa_acme_manage.py -index dc2359f49dfdd5c8f44ab96ee11a7240f8937e11..0decab394c1c18067fe0c194c040805a8d93d42d 100644 ---- a/ipaserver/install/ipa_acme_manage.py -+++ b/ipaserver/install/ipa_acme_manage.py -@@ -7,14 +7,12 @@ import enum - import pki.util - import logging - --from optparse import OptionGroup # pylint: disable=deprecated-module -- - from ipalib import api, errors, x509 - from ipalib import _ - from ipalib.facts import is_ipa_configured - from ipaplatform.paths import paths - from ipapython.admintool import AdminTool --from ipapython import cookie, dogtag -+from ipapython import cookie, dogtag, config - from ipapython.ipautil import run - from ipapython.certdb import NSSDatabase, EXTERNAL_CA_TRUST_FLAGS - from ipaserver.install import cainstance -@@ -143,7 +141,7 @@ class IPAACMEManage(AdminTool): - @classmethod - def add_options(cls, parser): - -- group = OptionGroup(parser, 'Pruning') -+ group = config.OptionGroup(parser, 'Pruning') - group.add_option( - "--enable", dest="enable", action="store_true", - default=False, help="Enable certificate pruning") -diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py -index 982e5dfc4c0339aada88f936ab450b7fc16944f2..b6af63813fc4eaadab44ad95386d86ae4f1e21ee 100644 ---- a/ipaserver/install/ipa_backup.py -+++ b/ipaserver/install/ipa_backup.py -@@ -20,7 +20,6 @@ - from __future__ import absolute_import, print_function - - import logging --import optparse # pylint: disable=deprecated-module - import os - import shutil - import sys -@@ -32,7 +31,7 @@ import six - from ipaplatform.paths import paths - from ipaplatform import services - from ipalib import api, errors --from ipapython import version -+from ipapython import version, config - from ipapython.ipautil import run, write_tmp_file - from ipapython import admintool, certdb - from ipapython.dn import DN -@@ -245,7 +244,7 @@ class Backup(admintool.AdminTool): - - parser.add_option( - "--gpg-keyring", dest="gpg_keyring", -- help=optparse.SUPPRESS_HELP) -+ help=config.SUPPRESS_HELP) - parser.add_option( - "--gpg", dest="gpg", action="store_true", - default=False, help="Encrypt the backup") -diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py -index f6ab736fa985b00ba66a7001c4c4e2188841bcbe..048245237855212afe1f3ec4795b2253026ef864 100644 ---- a/ipaserver/install/ipa_cacert_manage.py -+++ b/ipaserver/install/ipa_cacert_manage.py -@@ -22,14 +22,13 @@ from __future__ import print_function, absolute_import - import datetime - import logging - import os --from optparse import OptionGroup # pylint: disable=deprecated-module - import gssapi - - from ipalib.constants import ( - RENEWAL_CA_NAME, RENEWAL_REUSE_CA_NAME, RENEWAL_SELFSIGNED_CA_NAME, - IPA_CA_CN) - from ipalib.install import certmonger, certstore --from ipapython import admintool, ipautil -+from ipapython import admintool, ipautil, config - from ipapython.certdb import (EMPTY_TRUST_FLAGS, - EXTERNAL_CA_TRUST_FLAGS, - TrustFlags, -@@ -61,7 +60,7 @@ class CACertManage(admintool.AdminTool): - "-p", "--password", dest='password', - help="Directory Manager password") - -- renew_group = OptionGroup(parser, "Renew options") -+ renew_group = config.OptionGroup(parser, "Renew options") - renew_group.add_option( - "--self-signed", dest='self_signed', - action='store_true', -@@ -89,7 +88,7 @@ class CACertManage(admintool.AdminTool): - "certificate chain") - parser.add_option_group(renew_group) - -- install_group = OptionGroup(parser, "Install options") -+ install_group = config.OptionGroup(parser, "Install options") - install_group.add_option( - "-n", "--nickname", dest='nickname', - help="Nickname for the certificate") -@@ -98,7 +97,7 @@ class CACertManage(admintool.AdminTool): - help="Trust flags for the certificate in certutil format") - parser.add_option_group(install_group) - -- delete_group = OptionGroup(parser, "Delete options") -+ delete_group = config.OptionGroup(parser, "Delete options") - delete_group.add_option( - "-f", "--force", action='store_true', - help="Force removing the CA even if chain validation fails") -diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py -index 3e4cd67fa677db2534a639eb6beb14dfd78bf035..8a09179f7fa0c2ddad72d01e9c3eaf98575d0a88 100644 ---- a/ipaserver/install/ipa_kra_install.py -+++ b/ipaserver/install/ipa_kra_install.py -@@ -22,13 +22,12 @@ from __future__ import print_function, absolute_import - import logging - import sys - import tempfile --from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module - - from textwrap import dedent - from ipalib import api - from ipalib.constants import DOMAIN_LEVEL_1 - from ipaplatform.paths import paths --from ipapython import admintool -+from ipapython import admintool, config - from ipaserver.install import service - from ipaserver.install import cainstance - from ipaserver.install import custodiainstance -@@ -73,7 +72,7 @@ class KRAInstall(admintool.AdminTool): - parser.add_option( - "--uninstall", - dest="uninstall", action="store_true", default=False, -- help=SUPPRESS_HELP) -+ help=config.SUPPRESS_HELP) - - parser.add_option( - "--pki-config-override", dest="pki_config_override", -diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py -index 57ad8dd05206132d3458fa84e7fb996b135f7f71..8d75a0e6beba09086bc2ce8c73f3bcfe81e52113 100644 ---- a/ipaserver/install/ipa_restore.py -+++ b/ipaserver/install/ipa_restore.py -@@ -20,7 +20,6 @@ - from __future__ import absolute_import, print_function - - import logging --import optparse # pylint: disable=deprecated-module - import os - import shutil - import sys -@@ -34,7 +33,7 @@ import six - from ipaclient.install.client import update_ipa_nssdb - from ipalib import api, errors - from ipalib.constants import FQDN --from ipapython import version, ipautil -+from ipapython import version, ipautil, config - from ipapython.ipautil import run, user_input - from ipapython import admintool, certdb - from ipapython.dn import DN -@@ -190,7 +189,7 @@ class Restore(admintool.AdminTool): - help="Directory Manager password") - parser.add_option( - "--gpg-keyring", dest="gpg_keyring", -- help=optparse.SUPPRESS_HELP) -+ help=config.SUPPRESS_HELP) - parser.add_option( - "--data", dest="data_only", action="store_true", - default=False, help="Restore only the data") -diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py -index e29f00ec37779aeb10255c5df6e10d6ecc0a6d11..e9f680b1d1e505f89fc1611b8dbb3f84768f6781 100644 ---- a/ipaserver/install/ipa_server_certinstall.py -+++ b/ipaserver/install/ipa_server_certinstall.py -@@ -22,12 +22,11 @@ from __future__ import print_function, absolute_import - import os - import os.path - import tempfile --import optparse # pylint: disable=deprecated-module - - from ipalib import x509 - from ipalib.install import certmonger - from ipaplatform.paths import paths --from ipapython import admintool, dogtag -+from ipapython import admintool, dogtag, config - from ipapython.certdb import NSSDatabase, get_ca_nickname - from ipapython.dn import DN - from ipapython import ipaldap -@@ -65,8 +64,8 @@ class ServerCertInstall(admintool.AdminTool): - help="The password of the PKCS#12 file") - parser.add_option( - "--dirsrv_pin", "--http_pin", -- dest="pin", -- help=optparse.SUPPRESS_HELP) -+ dest="pin", sensitive=True, -+ help=config.SUPPRESS_HELP) - parser.add_option( - "--cert-name", - dest="cert_name", metavar="NAME", -diff --git a/ipatests/i18n.py b/ipatests/i18n.py -index 49f5c4c3232346db3147bd7a5ba8056344ac907f..57915c286be72124fa23380f97f3922496f00c22 100644 ---- a/ipatests/i18n.py -+++ b/ipatests/i18n.py -@@ -22,7 +22,6 @@ from __future__ import print_function - - # WARNING: Do not import ipa modules, this is also used as a - # stand-alone script (invoked from po Makefile). --import optparse # pylint: disable=deprecated-module - import sys - import gettext - import re -@@ -30,6 +29,7 @@ import os - import traceback - import polib - from collections import namedtuple -+from ipapython import config - - import six - -@@ -722,9 +722,9 @@ usage =''' - def main(): - global verbose, print_traceback, pedantic, show_strings - -- parser = optparse.OptionParser(usage=usage) -+ parser = config.IPAOptionParser(usage=usage) - -- mode_group = optparse.OptionGroup(parser, 'Operational Mode', -+ mode_group = config.OptionGroup(parser, 'Operational Mode', - 'You must select one these modes to run in') - - mode_group.add_option('-g', '--test-gettext', action='store_const', const='test_gettext', dest='mode', -@@ -748,7 +748,7 @@ def main(): - parser.add_option('--traceback', action='store_true', dest='print_traceback', default=False, - help='print the traceback when an exception occurs') - -- param_group = optparse.OptionGroup(parser, 'Run Time Parameters', -+ param_group = config.OptionGroup(parser, 'Run Time Parameters', - 'These may be used to modify the run time defaults') - - param_group.add_option('--test-lang', action='store', dest='test_lang', default='test', -diff --git a/makeapi.in b/makeapi.in -index a801b9253db9500e0510fe591074ccf2e6d752c1..8fc87d23de743a6d661112ee616dce129a785a36 100644 ---- a/makeapi.in -+++ b/makeapi.in -@@ -38,6 +38,7 @@ from ipalib.parameters import Param - from ipalib.output import Output - from ipalib.text import Gettext, NGettext, ConcatenatedLazyText - from ipalib.capabilities import capabilities -+from ipapython import config - - API_FILE='API.txt' - -@@ -84,9 +85,7 @@ OUTPUT_IGNORED_ATTRIBUTES = ( - ) - - def parse_options(): -- from optparse import OptionParser # pylint: disable=deprecated-module -- -- parser = OptionParser() -+ parser = config.IPAOptionParser() - parser.add_option("--validate", dest="validate", action="store_true", - default=False, help="Validate the API vs the stored API") - --- -2.47.1 - diff --git a/0057-ipa-tools-remove-sensitive-material-from-the-command.patch b/0057-ipa-tools-remove-sensitive-material-from-the-command.patch deleted file mode 100644 index 0a799c8..0000000 --- a/0057-ipa-tools-remove-sensitive-material-from-the-command.patch +++ /dev/null @@ -1,423 +0,0 @@ -From f9314562aaae03619eb89ae762bc24182174ad28 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 8 Nov 2024 14:59:20 +0200 -Subject: [PATCH] ipa tools: remove sensitive material from the commandline - -When command line tools accept passwords, remove them from the command -line so that they don't get visible in '/proc/pid/commandline'. - -There is no common method to access the original ARGV vector and modify -it from Python. Since this mostly affects Linux systems where IPA -services run, we expect use of GNU libc and thus can rely on internal -glibc symbols. If they aren't available, the code will skip removing -passwords. - -Fixes: CVE-2024-11029 - -Signed-off-by: Alexander Bokovoy ---- - .../com.redhat.idm.trust-fetch-domains.in | 5 ++- - install/tools/ipa-adtrust-install.in | 3 +- - install/tools/ipa-ca-install.in | 2 + - install/tools/ipa-compat-manage.in | 6 ++- - install/tools/ipa-csreplica-manage.in | 12 +++--- - install/tools/ipa-managed-entries.in | 5 ++- - install/tools/ipa-replica-conncheck.in | 7 ++-- - install/tools/ipa-replica-manage.in | 10 +++-- - ipapython/admintool.py | 40 +++++++++++++++++++ - ipaserver/install/ipa_migrate.py | 17 +++++++- - ipaserver/install/ipa_restore.py | 2 +- - ipaserver/install/ipa_server_certinstall.py | 2 +- - 12 files changed, 90 insertions(+), 21 deletions(-) - -diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains.in b/install/oddjob/com.redhat.idm.trust-fetch-domains.in -index 45c1f1463d5849d753c2913aa0b86b845cfce784..b86be0212c462e82d9379f55d5d3198c1017d2e7 100644 ---- a/install/oddjob/com.redhat.idm.trust-fetch-domains.in -+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains.in -@@ -15,6 +15,7 @@ import six - import gssapi - - from ipalib.install.kinit import kinit_keytab, kinit_password -+from ipapython.admintool import admin_cleanup_global_argv - - if six.PY3: - unicode = str -@@ -52,11 +53,13 @@ def parse_options(): - "--password", - action="store", - dest="password", -- help="Display debugging information", -+ help="Password for Active Directory administrator", -+ sensitive=True - ) - - options, args = parser.parse_args() - safe_options = parser.get_safe_opts(options) -+ admin_cleanup_global_argv(parser, options, sys.argv) - - # We only use first argument of the passed args but as D-BUS interface - # in oddjobd cannot expose optional, we fill in empty slots from IPA side -diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in -index e7b0e369259da5d28d703558d9293ccfaf68f3ed..1efccdb678d17410667b1721670bf6bf79152109 100644 ---- a/install/tools/ipa-adtrust-install.in -+++ b/install/tools/ipa-adtrust-install.in -@@ -35,7 +35,7 @@ from ipaserver.install.installutils import ( - read_password, - check_server_configuration, - run_script) --from ipapython.admintool import ScriptError -+from ipapython.admintool import ScriptError, admin_cleanup_global_argv - from ipapython import version - from ipapython import ipautil - from ipalib import api, errors, krb_utils -@@ -93,6 +93,7 @@ def parse_options(): - - options, _args = parser.parse_args() - safe_options = parser.get_safe_opts(options) -+ admin_cleanup_global_argv(parser, options, sys.argv) - - return safe_options, options - -diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in -index 9f3d16669679a245b73e044622ff52321524fcde..b437e761f760ab715c27bc330ac0f2e66e72ef5b 100644 ---- a/install/tools/ipa-ca-install.in -+++ b/install/tools/ipa-ca-install.in -@@ -42,6 +42,7 @@ from ipalib.constants import DOMAIN_LEVEL_1 - from ipapython.config import IPAOptionParser - from ipapython.ipa_log_manager import standard_logging_setup - from ipaplatform.paths import paths -+from ipapython.admintool import admin_cleanup_global_argv - - logger = logging.getLogger(os.path.basename(__file__)) - -@@ -132,6 +133,7 @@ def parse_options(): - - options, args = parser.parse_args() - safe_options = parser.get_safe_opts(options) -+ admin_cleanup_global_argv(parser, options, sys.argv) - - if args: - parser.error("Too many arguments provided") -diff --git a/install/tools/ipa-compat-manage.in b/install/tools/ipa-compat-manage.in -index 459f39fc826bbe6becd8be3517235af343d4b0d9..9650abd6f83ebc0a8ef347fee83989d4e9f13f09 100644 ---- a/install/tools/ipa-compat-manage.in -+++ b/install/tools/ipa-compat-manage.in -@@ -24,14 +24,14 @@ from __future__ import print_function - import sys - from ipaplatform.paths import paths - try: -- from optparse import OptionParser # pylint: disable=deprecated-module - from ipapython import ipautil, config - from ipapython.ipaldap import realm_to_serverid - from ipaserver.install import installutils - from ipaserver.install.ldapupdate import LDAPUpdate - from ipalib import api, errors - from ipapython.ipa_log_manager import standard_logging_setup - from ipapython.dn import DN -+ from ipapython.admintool import admin_cleanup_global_argv - except ImportError as e: - print("""\ - There was a problem importing one of the required Python modules. The -@@ -46,7 +46,8 @@ nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) - def parse_options(): - usage = "%prog [options] \n" - usage += "%prog [options]\n" -- parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) -+ parser = config.IPAOptionParser(usage=usage, -+ formatter=config.IPAFormatter()) - - parser.add_option("-d", "--debug", action="store_true", dest="debug", - help="Display debugging information about the update(s)") -@@ -55,6 +56,7 @@ def parse_options(): - - config.add_standard_options(parser) - options, args = parser.parse_args() -+ admin_cleanup_global_argv(parser, options, sys.argv) - - return options, args - -diff --git a/install/tools/ipa-csreplica-manage.in b/install/tools/ipa-csreplica-manage.in -index 6f248cc50f7f81b2014d629355f6f32d1d6ab7be..2fab27a94cfdbef8faadca82bc222bf96d212159 100644 ---- a/install/tools/ipa-csreplica-manage.in -+++ b/install/tools/ipa-csreplica-manage.in -@@ -32,8 +32,8 @@ from ipaserver.install import (replication, installutils, bindinstance, - from ipalib import api, errors - from ipalib.constants import FQDN - from ipalib.util import has_managed_topology, print_replication_status --from ipapython import ipautil, ipaldap, version --from ipapython.admintool import ScriptError -+from ipapython import ipautil, ipaldap, version, config -+from ipapython.admintool import admin_cleanup_global_argv, ScriptError - from ipapython.dn import DN - - logger = logging.getLogger(os.path.basename(__file__)) -@@ -54,11 +54,10 @@ commands = { - - - def parse_options(): -- from optparse import OptionParser # pylint: disable=deprecated-module -- -- parser = OptionParser(version=version.VERSION) -+ parser = config.IPAOptionParser(version=version.VERSION) - parser.add_option("-H", "--host", dest="host", help="starting host") -- parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password") -+ parser.add_option("-p", "--password", dest="dirman_passwd", sensitive=True, -+ help="Directory Manager password") - parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False, - help="provide additional information") - parser.add_option("-f", "--force", dest="force", action="store_true", default=False, -@@ -66,6 +65,7 @@ def parse_options(): - parser.add_option("--from", dest="fromhost", help="Host to get data from") - - options, args = parser.parse_args() -+ admin_cleanup_global_argv(parser, options, sys.argv) - - valid_syntax = False - -diff --git a/install/tools/ipa-managed-entries.in b/install/tools/ipa-managed-entries.in -index e3f121943eb3b18ca8f7f8bfeae7813cbc9bd753..ff2fd6a58ccb5b322f75008578fea81f561666fa 100644 ---- a/install/tools/ipa-managed-entries.in -+++ b/install/tools/ipa-managed-entries.in -@@ -24,7 +24,6 @@ import logging - import os - import re - import sys --from optparse import OptionParser # pylint: disable=deprecated-module - - from ipaplatform.paths import paths - from ipapython import config -@@ -32,6 +31,7 @@ from ipaserver.install import installutils - from ipalib import api, errors - from ipapython.ipa_log_manager import standard_logging_setup - from ipapython.dn import DN -+from ipapython.admintool import admin_cleanup_global_argv - - logger = logging.getLogger(os.path.basename(__file__)) - -@@ -51,9 +51,10 @@ def parse_options(): - action="store_true", - help="List available Managed Entries") - parser.add_option("-p", "--password", dest="dirman_password", -- help="Directory Manager password") -+ sensitive=True, help="Directory Manager password") - - options, args = parser.parse_args() -+ admin_cleanup_global_argv(parser, options, sys.argv) - - return options, args - -diff --git a/install/tools/ipa-replica-conncheck.in b/install/tools/ipa-replica-conncheck.in -index 8eee82483abc275cb37ad96ff272b6ee8192403f..81b7d13ac900031fa81356b894dc3eaaaee0f744 100644 ---- a/install/tools/ipa-replica-conncheck.in -+++ b/install/tools/ipa-replica-conncheck.in -@@ -23,15 +23,15 @@ from __future__ import print_function - import logging - - from ipapython import ipachangeconf --from ipapython.config import IPAOptionParser -+from ipapython.config import (IPAOptionParser, OptionGroup, -+ OptionValueError) -+from ipapython.admintool import admin_cleanup_global_argv - from ipapython.dn import DN - from ipapython import version - from ipapython import ipautil, certdb - from ipalib import api, errors, x509 - from ipalib.constants import FQDN - from ipaserver.install import installutils --# pylint: disable=deprecated-module --from optparse import OptionGroup, OptionValueError - # pylint: enable=deprecated-module - from ipapython.ipa_log_manager import standard_logging_setup - import copy -@@ -189,6 +189,7 @@ def parse_options(): - - options, _args = parser.parse_args() - safe_options = parser.get_safe_opts(options) -+ admin_cleanup_global_argv(parser, options, sys.argv) - - if options.master and options.replica: - parser.error("on-master and on-replica options are mutually exclusive!") -diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in -index d6e6ef57c39af70f164d41662227af3dc2535f9c..7e5b31a598537f57c471729f22fdec4a5bedc03d 100644 ---- a/install/tools/ipa-replica-manage.in -+++ b/install/tools/ipa-replica-manage.in -@@ -43,6 +43,7 @@ from ipalib.util import ( - print_replication_status, - verify_host_resolvable, - ) -+from ipapython.admintool import admin_cleanup_global_argv - from ipapython.ipa_log_manager import standard_logging_setup - from ipapython.dn import DN - from ipapython.config import IPAOptionParser -@@ -84,7 +85,8 @@ class NoRUVsFound(Exception): - def parse_options(): - parser = IPAOptionParser(version=version.VERSION) - parser.add_option("-H", "--host", dest="host", help="starting host") -- parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password") -+ parser.add_option("-p", "--password", dest="dirman_passwd", sensitive=True, -+ help="Directory Manager password") - parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False, - help="provide additional information") - parser.add_option("-d", "--debug", dest="debug", action="store_true", default=False, -@@ -95,7 +97,7 @@ def parse_options(): - help="DANGER: clean up references to a ghost master") - parser.add_option("--binddn", dest="binddn", default=None, type="dn", - help="Bind DN to use with remote server") -- parser.add_option("--bindpw", dest="bindpw", default=None, -+ parser.add_option("--bindpw", dest="bindpw", default=None, sensitive=True, - help="Password for Bind DN to use with remote server") - parser.add_option("--winsync", dest="winsync", action="store_true", default=False, - help="This is a Windows Sync Agreement") -@@ -103,13 +105,15 @@ def parse_options(): - help="Full path and filename of CA certificate to use with TLS/SSL to the remote server") - parser.add_option("--win-subtree", dest="win_subtree", default=None, - help="DN of Windows subtree containing the users you want to sync (default cn=Users, ...', add two args -+ _argc = len(argv) + 2 -+ all_options = [] -+ if '_get_all_options' in dir(option_parser): -+ # OptParse parser -+ all_options = option_parser._get_all_options() -+ elif '_actions' in dir(option_parser): -+ # ArgParse parser -+ all_options = option_parser._actions -+ -+ for opt in all_options: -+ if getattr(opt, 'sensitive', False): -+ v = getattr(options, opt.dest) -+ for i in range(0, _argc): -+ vi = ctypes.cast(_argv[i], -+ ctypes.c_char_p -+ ).value.decode('utf-8') -+ if vi == v: -+ ctypes.memset(_argv[i], ord('X'), len(v)) -+ except Exception: -+ pass -+ -+ - class ScriptError(Exception): - """An exception that records an error message and a return value - """ -@@ -148,6 +187,7 @@ class AdminTool: - cls._option_parsers[cls] = cls.option_parser - - options, args = cls.option_parser.parse_args(argv[1:]) -+ admin_cleanup_global_argv(cls.option_parser, options, argv) - - command_class = cls.get_command_class(options, args) - command = command_class(options, args) -diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py -index f35629378490d3d45ca97f2aa5b4390c67d660ed..ece473bc8cb525e2d563356b5b274502d6b703e8 100644 ---- a/ipaserver/install/ipa_migrate.py -+++ b/ipaserver/install/ipa_migrate.py -@@ -28,6 +28,7 @@ from ipaplatform.paths import paths - from ipapython.dn import DN - from ipapython.ipaldap import LDAPClient, LDAPEntry, realm_to_ldapi_uri - from ipapython.ipa_log_manager import standard_logging_setup -+from ipapython.admintool import admin_cleanup_global_argv - from ipaserver.install.ipa_migrate_constants import ( - DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME, - STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS, -@@ -284,6 +285,18 @@ class LDIFParser(ldif.LDIFParser): - self.mc.process_db_entry(entry_dn=dn, entry_attrs=entry_attrs) - - -+class SensitiveStoreAction(argparse._StoreAction): -+ def __init__(self, *, sensitive, **options): -+ super(SensitiveStoreAction, self).__init__(**options) -+ self.sensitive = sensitive -+ -+ def _get_kwargs(self): -+ names = super(SensitiveStoreAction, self)._get_kwargs() -+ sensitive_name = 'sensitive' -+ names.extend((sensitive_name, getattr(self, sensitive_name))) -+ return names -+ -+ - # - # Migrate IPA to IPA Class - # -@@ -344,7 +357,8 @@ class IPAMigrate(): - help='Password for the Bind DN. If a password ' - 'is not provided then the user will be ' - 'prompted to enter it', -- default=None) -+ default=None, sensitive=True, -+ action=SensitiveStoreAction) - parser.add_argument('-j', '--bind-pw-file', - help='A text file containing the clear text ' - 'password for the Bind DN', default=None) -@@ -2128,6 +2142,7 @@ class IPAMigrate(): - parser = argparse.ArgumentParser(description=desc, allow_abbrev=True) - self.add_options(parser) - self.validate_options() -+ admin_cleanup_global_argv(parser, self.args, sys.argv) - - # Check for dryrun mode - if self.args.dryrun or self.args.dryrun_record is not None: -diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py -index 8d75a0e6beba09086bc2ce8c73f3bcfe81e52113..539501ab4f0c73571b680aeccf3854b511fd29dc 100644 ---- a/ipaserver/install/ipa_restore.py -+++ b/ipaserver/install/ipa_restore.py -@@ -185,7 +185,7 @@ class Restore(admintool.AdminTool): - super(Restore, cls).add_options(parser, debug_option=True) - - parser.add_option( -- "-p", "--password", dest="password", -+ "-p", "--password", dest="password", sensitive=True, - help="Directory Manager password") - parser.add_option( - "--gpg-keyring", dest="gpg_keyring", -diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py -index e9f680b1d1e505f89fc1611b8dbb3f84768f6781..76ad37ca7bcc62364379d56b21ead43c5248f5f1 100644 ---- a/ipaserver/install/ipa_server_certinstall.py -+++ b/ipaserver/install/ipa_server_certinstall.py -@@ -72,7 +72,7 @@ class ServerCertInstall(admintool.AdminTool): - help="Name of the certificate to install") - parser.add_option( - "-p", "--dirman-password", -- dest="dirman_password", -+ dest="dirman_password", sensitive=True, - help="Directory Manager password") - - def validate_options(self): --- -2.47.1 - diff --git a/0058-ipa-otpd-use-oidc_child-s-client-secret-stdin-option.patch b/0058-ipa-otpd-use-oidc_child-s-client-secret-stdin-option.patch deleted file mode 100644 index a42c3e8..0000000 --- a/0058-ipa-otpd-use-oidc_child-s-client-secret-stdin-option.patch +++ /dev/null @@ -1,75 +0,0 @@ -From d857fcfcc21481cdf06b8cce1685e141921d2fbf Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 27 Nov 2024 12:16:09 +0100 -Subject: [PATCH] ipa-otpd: use oidc_child's --client-secret-stdin option - -To remove the client secret from the command line where it would be -visible e.g. when calling ps it is now passed via stdin to oidc_child. - -Fixes: CVE-2024-11029 - -Signed-off-by: Sumit Bose ---- - daemons/ipa-otpd/oauth2.c | 24 ++++++++++++++---------- - 1 file changed, 14 insertions(+), 10 deletions(-) - -diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c -index a33cf51715ca2a3e7a0cef871aed5cfbbd037598..52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69 100644 ---- a/daemons/ipa-otpd/oauth2.c -+++ b/daemons/ipa-otpd/oauth2.c -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - #include "internal.h" - -@@ -93,6 +94,7 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev) - (void)vctx; /* Unused */ - ssize_t io; - struct child_ctx *child_ctx; -+ struct iovec iov[3]; - - child_ctx = verto_get_private(ev); - if (child_ctx == NULL) { -@@ -102,15 +104,18 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev) - } - - if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) { -- /* no input needed */ -- verto_del(ev); -- return; -- } -- -+ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret, -+ strlen(child_ctx->item->idp.ipaidpClientSecret)); -+ } else { -+ iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret; -+ iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret); -+ iov[1].iov_base = "\n"; -+ iov[1].iov_len = 1; -+ iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply; -+ iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply); - -- io = write(verto_get_fd(ev), -- child_ctx->saved_item->oauth2.device_code_reply, -- strlen(child_ctx->saved_item->oauth2.device_code_reply)); -+ io = writev(verto_get_fd(ev), iov, 3); -+ } - otpd_queue_item_free(child_ctx->saved_item); - - if (io < 0) { -@@ -429,8 +434,7 @@ int oauth2(struct otpd_queue_item **item, enum oauth2_state oauth2_state) - args[args_idx++] = (*item)->idp.ipaidpClientID; - - if ((*item)->idp.ipaidpClientSecret) { -- args[args_idx++] = "--client-secret"; -- args[args_idx++] = (*item)->idp.ipaidpClientSecret; -+ args[args_idx++] = "--client-secret-stdin"; - } - - if ((*item)->idp.ipaidpScope) { --- -2.47.1 - diff --git a/0059-Fix-pylint-issue-in-ipatests-i18n.py.patch b/0059-Fix-pylint-issue-in-ipatests-i18n.py.patch deleted file mode 100644 index 3e3b822..0000000 --- a/0059-Fix-pylint-issue-in-ipatests-i18n.py.patch +++ /dev/null @@ -1,69 +0,0 @@ -From eef544c1d331bbe80852ebe8b5fc9bad0539b6fa Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 15 Jan 2025 15:39:20 +0100 -Subject: [PATCH] Fix pylint issue in ipatests/i18n.py - -This file should not import ipa modules - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rafael Guterres Jeffman ---- - ipatests/i18n.py | 8 ++++---- - pylintrc | 3 ++- - 2 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/ipatests/i18n.py b/ipatests/i18n.py -index 57915c286be72124fa23380f97f3922496f00c22..49f5c4c3232346db3147bd7a5ba8056344ac907f 100644 ---- a/ipatests/i18n.py -+++ b/ipatests/i18n.py -@@ -22,6 +22,7 @@ from __future__ import print_function - - # WARNING: Do not import ipa modules, this is also used as a - # stand-alone script (invoked from po Makefile). -+import optparse # pylint: disable=deprecated-module - import sys - import gettext - import re -@@ -29,7 +30,6 @@ import os - import traceback - import polib - from collections import namedtuple --from ipapython import config - - import six - -@@ -722,9 +722,9 @@ usage =''' - def main(): - global verbose, print_traceback, pedantic, show_strings - -- parser = config.IPAOptionParser(usage=usage) -+ parser = optparse.OptionParser(usage=usage) - -- mode_group = config.OptionGroup(parser, 'Operational Mode', -+ mode_group = optparse.OptionGroup(parser, 'Operational Mode', - 'You must select one these modes to run in') - - mode_group.add_option('-g', '--test-gettext', action='store_const', const='test_gettext', dest='mode', -@@ -748,7 +748,7 @@ def main(): - parser.add_option('--traceback', action='store_true', dest='print_traceback', default=False, - help='print the traceback when an exception occurs') - -- param_group = config.OptionGroup(parser, 'Run Time Parameters', -+ param_group = optparse.OptionGroup(parser, 'Run Time Parameters', - 'These may be used to modify the run time defaults') - - param_group.add_option('--test-lang', action='store', dest='test_lang', default='test', -diff --git a/pylintrc b/pylintrc -index 50278cc76031af68959a138f6ea185c4288c7155..8fadeffbdfdb8013135a17b3493ecc4dc7e5e001 100644 ---- a/pylintrc -+++ b/pylintrc -@@ -153,4 +153,5 @@ forbidden-imports= - ipaplatform/:ipaclient:ipalib:ipaserver, - ipapython/:ipaclient:ipalib:ipaserver - ipatests/pytest_ipa:ipaserver:ipaclient.install:ipalib.install -- ipatests/test_integration:ipaserver -+ ipatests/test_integration:ipaserver, -+ ipatests/i18n.py:ipapython --- -2.47.1 - diff --git a/0060-ipatests-skip-test_ipahealthcheck_ds_configcheck-for.patch b/0060-ipatests-skip-test_ipahealthcheck_ds_configcheck-for.patch deleted file mode 100644 index 8a0c5aa..0000000 --- a/0060-ipatests-skip-test_ipahealthcheck_ds_configcheck-for.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 45f96a0f978dfda0e2faa8360182a1dfd3122b94 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 10 Jan 2025 13:22:29 +0100 -Subject: [PATCH] ipatests: skip test_ipahealthcheck_ds_configcheck for recent - versions - -389-ds removed the parameter nsslapd-logging-hr-timestamps-enabled -in 2.5.3 and above. Skip the test that exercises the corresponding -healthcheck. - -Fixes: https://pagure.io/freeipa/issue/9730 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index cc51a5a6a62fbc50927fc2fc51f129a069e70b69..6b6f15aa433a423fe599118d2226e4c4ec62b13b 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -18,7 +18,7 @@ import uuid - - import pytest - --from ipalib import x509 -+from ipalib import errors, x509 - from ipapython.dn import DN - from ipapython.ipaldap import realm_to_serverid - from ipapython.certdb import NSS_SQL_FILES -@@ -1146,8 +1146,14 @@ class TestIpaHealthCheck(IntegrationTest): - ) - entry = ldap.get_entry(dn) - entry.single_value["nsslapd-logging-hr-timestamps-enabled"] = 'off' -- ldap.update_entry(entry) -- -+ try: -+ ldap.update_entry(entry) -+ except errors.DatabaseError as e: -+ expected_msg = "Unknown attribute " \ -+ "nsslapd-logging-hr-timestamps-enabled" -+ if expected_msg in e.message: -+ pytest.skip( -+ "389-ds removed nsslapd-logging-hr-timestamps-enabled") - yield - - entry = ldap.get_entry(dn) --- -2.47.1 - diff --git a/0061-ipatests-restart-dirsrv-after-time-jumps.patch b/0061-ipatests-restart-dirsrv-after-time-jumps.patch deleted file mode 100644 index d5c410b..0000000 --- a/0061-ipatests-restart-dirsrv-after-time-jumps.patch +++ /dev/null @@ -1,35 +0,0 @@ -From ec94ee72714296c86ba1227a5a945a7ed0bc7fac Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 16 Jan 2025 15:43:17 +0100 -Subject: [PATCH] ipatests: restart dirsrv after time jumps - -The test for ipa-healthcheck is moving the date in the future. -Restart the dirsrv instance because the LDAP server is -sensitive to large time jumps. - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 6b6f15aa433a423fe599118d2226e4c4ec62b13b..7c3f5857a477070d8a9b52c04d41f35ac580c97f 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -1634,6 +1634,11 @@ class TestIpaHealthCheck(IntegrationTest): - grace_date = datetime.strftime(grace_date, "%Y-%m-%d 00:00:01 Z") - self.master.run_command(['date', '-s', grace_date]) - -+ # Restart dirsrv as it doesn't like time jumps -+ instance = realm_to_serverid(self.master.domain.realm) -+ cmd = ["systemctl", "restart", "dirsrv@{}".format(instance)] -+ self.master.run_command(cmd) -+ - for check in ("IPACertmongerExpirationCheck", - "IPACertfileExpirationCheck",): - execute_expiring_check(check) --- -2.47.1 - diff --git a/0062-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch b/0062-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch deleted file mode 100644 index c423028..0000000 --- a/0062-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch +++ /dev/null @@ -1,67 +0,0 @@ -From d86db9d2c107c66372f422f1d628624b1a55ad45 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 17 Jan 2025 09:44:22 +0200 -Subject: [PATCH] ipa-otpd: do not pass OIDC client secret if there is none to - pass - -If there is no client secret specified for the OIDC client, don't push -it to oidc_child via stdin. oidc_child does only expect client secret if ---client-secret-stdin option was specified and we already specify it -only if client secret is not empty. - -In addition, if client secret is empty (it is a public OIDC client), -then strlen(NULL) would crash in glibc internals. Avoid that! - -Fixes: https://pagure.io/freeipa/issue/9734 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - daemons/ipa-otpd/oauth2.c | 29 +++++++++++++++++++---------- - 1 file changed, 19 insertions(+), 10 deletions(-) - -diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c -index 52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69..0eb43b2372701d47b9ef62cbbdb32b97a5f7a0ba 100644 ---- a/daemons/ipa-otpd/oauth2.c -+++ b/daemons/ipa-otpd/oauth2.c -@@ -104,17 +104,26 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev) - } - - if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) { -- io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret, -- strlen(child_ctx->item->idp.ipaidpClientSecret)); -+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) { -+ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret, -+ strlen(child_ctx->item->idp.ipaidpClientSecret)); -+ } else { -+ io = 0; -+ } - } else { -- iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret; -- iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret); -- iov[1].iov_base = "\n"; -- iov[1].iov_len = 1; -- iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply; -- iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply); -- -- io = writev(verto_get_fd(ev), iov, 3); -+ int idx = 0; -+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) { -+ iov[idx].iov_base = child_ctx->item->idp.ipaidpClientSecret; -+ iov[idx].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret); -+ idx++; -+ iov[idx].iov_base = "\n"; -+ iov[idx].iov_len = 1; -+ idx++; -+ } -+ iov[idx].iov_base = child_ctx->saved_item->oauth2.device_code_reply; -+ iov[idx].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply); -+ idx++; -+ io = writev(verto_get_fd(ev), iov, idx); - } - otpd_queue_item_free(child_ctx->saved_item); - --- -2.47.1 - diff --git a/0063-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch b/0063-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch deleted file mode 100644 index 087c3ed..0000000 --- a/0063-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch +++ /dev/null @@ -1,165 +0,0 @@ -From 431a5804949417257b204125ff0a898b98dd2a90 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 17 Jan 2025 12:33:54 +0200 -Subject: [PATCH] Migrate Keycloak tests to JDK 21 and Keycloak 26 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - .../pytest_ipa/integration/create_bridge.py | 2 +- - .../pytest_ipa/integration/create_keycloak.py | 28 +++++++++---------- - ipatests/test_integration/test_idp.py | 4 +-- - ipatests/test_integration/test_sso.py | 4 +-- - 4 files changed, 18 insertions(+), 20 deletions(-) - -diff --git a/ipatests/pytest_ipa/integration/create_bridge.py b/ipatests/pytest_ipa/integration/create_bridge.py -index 618c645feef86f846a60e5727e7777defc67624c..5dd2f305c2ba6f707ee40be12581ff62c951805b 100644 ---- a/ipatests/pytest_ipa/integration/create_bridge.py -+++ b/ipatests/pytest_ipa/integration/create_bridge.py -@@ -147,7 +147,7 @@ def setup_keycloak_scim_plugin(host, bridge_server): - # Login to keycloak as admin - kcadmin_sh = "/opt/keycloak/bin/kcadm.sh" - kcadmin = [kcadmin_sh, "config", "credentials", "--server", -- f"https://{host.hostname}:8443/auth/", -+ f"https://{host.hostname}:8443", - "--realm", "master", "--user", "admin", - "--password", password] - tasks.run_repeatedly(host, kcadmin, timeout=60) -diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py -index 1340b95715c25f1bf1cbbf2e3c6e60731f3af08e..addade7594d7a1b8edefdb8c67ec4bc7abe70ef4 100644 ---- a/ipatests/pytest_ipa/integration/create_keycloak.py -+++ b/ipatests/pytest_ipa/integration/create_keycloak.py -@@ -6,10 +6,10 @@ from ipaplatform.paths import paths - from ipatests.pytest_ipa.integration import tasks - - --def setup_keycloakserver(host, version='17.0.0'): -+def setup_keycloakserver(host, version='26.1.0'): - dir = "/opt/keycloak" - password = host.config.admin_password -- tasks.install_packages(host, ["unzip", "java-11-openjdk-headless", -+ tasks.install_packages(host, ["unzip", "java-21-openjdk-headless", - "openssl", "maven", "wget", - "firefox", "xorg-x11-server-Xvfb"]) - # add keycloak system user/group and folder -@@ -33,7 +33,7 @@ def setup_keycloakserver(host, version='17.0.0'): - - key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key") - crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt") -- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store") -+ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks") - - host.run_command(["ipa-getcert", "request", "-K", - "HTTP/{0}".format(host.hostname), -@@ -49,14 +49,13 @@ def setup_keycloakserver(host, version='17.0.0'): - - # Setup keycloak service and config files - contents = textwrap.dedent(""" -- KEYCLOAK_ADMIN=admin -- KEYCLOAK_ADMIN_PASSWORD={admin_pswd} -- KC_HOSTNAME={host}:8443 -+ KC_BOOTSTRAP_ADMIN_USERNAME=admin -+ KC_BOOTSTRAP_ADMIN_PASSWORD={admin_pswd} -+ KC_HOSTNAME=https://{host}:8443/ - KC_HTTPS_CERTIFICATE_FILE={crt} - KC_HTTPS_CERTIFICATE_KEY_FILE={key} - KC_HTTPS_TRUST_STORE_FILE={store} - KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd} -- KC_HTTP_RELATIVE_PATH=/auth - """).format(admin_pswd=password, host=host.hostname, crt=crt, key=key, - store=keystore, store_pswd=password) - host.put_file_contents("/etc/sysconfig/keycloak", contents) -@@ -84,14 +83,13 @@ def setup_keycloakserver(host, version='17.0.0'): - - # Run build stage first - env_vars = textwrap.dedent(""" -- export KEYCLOAK_ADMIN=admin -- export KC_HOSTNAME={hostname}:8443 -+ export KC_BOOTSTRAP_ADMIN_USERNAME=admin -+ export KC_HOSTNAME=https://{hostname}:8443/ - export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt - export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key -- export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store -+ export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.jks - export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS} -- export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS} -- export KC_HTTP_RELATIVE_PATH=/auth -+ export KC_BOOTSTRAP_ADMIN_PASSWORD={ADMIN_PASS} - """).format(hostname=host.hostname, STORE_PASS=password, - ADMIN_PASS=password) - -@@ -112,7 +110,7 @@ def setup_keycloakserver(host, version='17.0.0'): - host.run_command([kcadmin_sh, "config", "truststore", - "--trustpass", password, keystore]) - kcadmin = [kcadmin_sh, "config", "credentials", "--server", -- "https://{0}:8443/auth/".format(host.hostname), -+ "https://{0}:8443/".format(host.hostname), - "--realm", "master", "--user", "admin", - "--password", password - ] -@@ -133,7 +131,7 @@ def setup_keycloak_client(host): - password = host.config.admin_password - host.run_command(["/opt/keycloak/bin/kcreg.sh", - "config", "credentials", "--server", -- "https://{0}:8443/auth/".format(host.hostname), -+ "https://{0}:8443/".format(host.hostname), - "--realm", "master", "--user", "admin", - "--password", password] - ) -@@ -163,7 +161,7 @@ def setup_keycloak_client(host): - def uninstall_keycloak(host): - key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key") - crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt") -- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store") -+ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks") - - host.run_command(["systemctl", "stop", "keycloak"], raiseonerr=False) - host.run_command(["getcert", "stop-tracking", "-k", key, "-f", crt], -diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py -index ca2fcecb22459685450f2ed6c3ac1b9b215170f6..76edc9458e4448e05362ff040b8dab7a53cd3054 100644 ---- a/ipatests/test_integration/test_idp.py -+++ b/ipatests/test_integration/test_idp.py -@@ -122,7 +122,7 @@ class TestIDPKeycloak(IntegrationTest): - tasks.kinit_admin(self.master) - cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak", - "--client-id=ipa_oidc_client", "--org=master", -- "--base-url={0}:8443/auth".format(self.client.hostname)] -+ "--base-url={0}:8443".format(self.client.hostname)] - self.master.run_command(cmd, stdin_text="{0}\n{0}".format( - self.client.config.admin_password)) - tasks.user_add(self.master, 'keycloakuser', -@@ -282,7 +282,7 @@ class TestIDPKeycloak(IntegrationTest): - user = "backupuser" - cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak", - "--client-id=ipa_oidc_client", "--org=master", -- "--base-url={0}:8443/auth".format(self.client.hostname)] -+ "--base-url={0}:8443".format(self.client.hostname)] - self.master.run_command(cmd, stdin_text="{0}\n{0}".format( - self.client.config.admin_password)) - -diff --git a/ipatests/test_integration/test_sso.py b/ipatests/test_integration/test_sso.py -index 9708e9fa05a75cb2657c657b39b015249f3fd208..57c5a96bae986ee9721fc540d2be2cdc443e78fb 100644 ---- a/ipatests/test_integration/test_sso.py -+++ b/ipatests/test_integration/test_sso.py -@@ -18,7 +18,7 @@ from selenium.webdriver.support import expected_conditions as EC - options = Options() - options.headless = True - driver = webdriver.Firefox(executable_path="/opt/geckodriver", options=options) --verification_uri = "https://{hostname}:8443/auth/realms/master/account/#/" -+verification_uri = "https://{hostname}:8443/realms/master/account/#/" - driver.get(verification_uri) - - try: -@@ -60,7 +60,7 @@ def keycloak_add_user(host, kcadm_pass, username, password=None): - domain = host.domain.name - kcadmin_sh = "/opt/keycloak/bin/kcadm.sh" - kcadmin = [kcadmin_sh, "config", "credentials", "--server", -- f"https://{host.hostname}:8443/auth/", -+ f"https://{host.hostname}:8443", - "--realm", "master", "--user", "admin", - "--password", kcadm_pass] - --- -2.47.1 - diff --git a/0064-Apply-certmonger_timeout-to-start_tracking-and-reque.patch b/0064-Apply-certmonger_timeout-to-start_tracking-and-reque.patch deleted file mode 100644 index dc7a2f6..0000000 --- a/0064-Apply-certmonger_timeout-to-start_tracking-and-reque.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 9f30edef463237ba48efe45406626eb325bf6c39 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 22 Jan 2025 13:19:43 -0500 -Subject: [PATCH] Apply certmonger_timeout to start_tracking and request_cert - -We've seen that with some slow HSMs the default DBus timeout -the HSM doesn't respond quickly enough to certmonger start -tracking requests which fails the entire installation. - -A first attempt was made to bump up the default to 30 seconds -which turned out to not be long enough. - -There is already a certmonger timeout defined in the API but it -is 300 seconds so I was hesitant to use it. It could delay the -actual failure of a blown install by 5 minutes. But it also gives -the end user the flexibility to be able to control success over -an installation so we'll go ahead and use it. - -Fixes: https://pagure.io/freeipa/issue/9725 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Mohammad Rizwan Yusuf -Reviewed-By: Florence Blanc-Renaud ---- - client/man/default.conf.5 | 10 ++++++++-- - ipalib/install/certmonger.py | 7 +++++-- - ipaserver/install/cainstance.py | 5 ++++- - ipaserver/install/dogtaginstance.py | 18 ++++++++++++++++++ - ipaserver/install/service.py | 4 +++- - 5 files changed, 38 insertions(+), 6 deletions(-) - -diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 -index 3846de50c5d851471ea3ceed9fc38cb687c719e4..e0aec21f725d88ce2ba3cf52901fb15575892cde 100644 ---- a/client/man/default.conf.5 -+++ b/client/man/default.conf.5 -@@ -20,7 +20,7 @@ - .SH "NAME" - default.conf \- IPA configuration file - .SH "SYNOPSIS" --/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf -+/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf, /etc/ipa/installer.conf, /etc/ipa/cli_installer.conf - .SH "DESCRIPTION" - The \fIdefault.conf \fRconfiguration file is used to set system\-wide defaults to be applied when running IPA clients and servers. - -@@ -75,7 +75,7 @@ Specifies the hostname of the dogtag CA server. The default is the hostname of t - Specifies the insecure CA end user port. The default is 8080. - .TP - .B certmonger_wait_timeout --The time to wait for a certmonger request to complete during installation. The default value is 300 seconds. -+The time to wait for a certmonger request to complete during installation. The default value is 300 seconds. To tune create/add to /etc/ipa/installer.conf. - .TP - .B context - Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli, server and dns. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR. -@@ -263,6 +263,12 @@ system\-wide IPA client configuration file - .TP - .I /etc/ipa/server.conf - system\-wide IPA server configuration file -+.TP -+.I /etc/ipa/installer.conf -+IPA configuration used while installing an IPA server or replica -+.TP -+.I /etc/ipa/cli_installer.conf -+IPA configuration used while installing an IPA client - .SH "EXAMPLES" - .TP - An example of a context-specific configuration file is \fB/etc/ipa/dns.conf\fR to be used to increase debug output of the IPA DNSSEC daemons. -diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py -index efc1ba4f42eab98df5fac51bafa3acc83ae91831..675b2c96ce8ebe4f06822ad587a4bca734a1be09 100644 ---- a/ipalib/install/certmonger.py -+++ b/ipalib/install/certmonger.py -@@ -477,7 +477,8 @@ def request_cert( - request_parameters['cert-perms'] = perms[0] - request_parameters['key-perms'] = perms[1] - -- result = cm.obj_if.add_request(request_parameters, timeout=30) -+ result = cm.obj_if.add_request(request_parameters, -+ timeout=api.env.certmonger_wait_timeout) - try: - if result[0]: - request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF, -@@ -581,7 +582,9 @@ def start_tracking( - if nss_user: - params['nss-user'] = nss_user - -- result = cm.obj_if.add_request(params, timeout=30) -+ logger.debug("start tracking %s", params) -+ result = cm.obj_if.add_request(params, -+ timeout=api.env.certmonger_wait_timeout) - try: - if result[0]: - request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF, -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index e03a8c863e14782679e19c6887f5e220131e4234..76718036dbd317651edc98ce631405e42bf814d7 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -513,7 +513,10 @@ class CAInstance(DogtagInstance): - if ra_only: - runtime = None - else: -- runtime = 180 -+ if self.tokenname: -+ runtime = "HSM dependent" -+ else: -+ runtime = 180 - - try: - self.start_creation(runtime=runtime) -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index 32a52dbedaa34b24c2658460f0ae889e7a37aa64..002053ed797beec829d324e80fc55b57cabf04be 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -575,6 +575,24 @@ class DogtagInstance(service.Service): - except RuntimeError as e: - logger.error( - "certmonger failed to start tracking certificate: %s", e) -+ except dbus.exceptions.DBusException as e: -+ if e._dbus_error_name == "org.freedesktop.DBus.Error.NoReply": -+ logger.error( -+ "Timeout encountered starting tracking of '%s'." -+ "This timeout can be tuned using " -+ "certmonger_wait_timeout in /etc/ipa/installer.conf.", -+ nickname -+ ) -+ if self.hsm_enabled: -+ logger.error( -+ "On an initial install failure this may leave " -+ "certificates and keys on the HSM token. These " -+ "need to be manually cleaned per your HSM-specific " -+ "documentation before installing IPA again. On a " -+ "replica install no clean-up should be done (it will " -+ "destroy your installation." -+ ) -+ raise - - def stop_tracking_certificates(self): - """ -diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py -index cf0f64ab9794111761adf735bc488269bd1814fc..7755a4f2ff5e33e61f85dc24b71fd05a1837cd5a 100644 ---- a/ipaserver/install/service.py -+++ b/ipaserver/install/service.py -@@ -59,6 +59,8 @@ def print_msg(message, output_fd=sys.stdout): - - def format_seconds(seconds): - """Format a number of seconds as an English minutes+seconds message""" -+ if type(seconds) is not int: -+ return seconds - parts = [] - minutes, seconds = divmod(seconds, 60) - if minutes: -@@ -660,7 +662,7 @@ class Service: - else: - end_message = "Done configuring %s." % self.service_desc - -- if runtime is not None and runtime > 0: -+ if runtime is not None or (type(runtime) is int and runtime > 0): - self.print_msg('%s. Estimated time: %s' % (start_message, - format_seconds(runtime))) - else: --- -2.48.1 - diff --git a/0065-Add-DNS-over-TLS-support.patch b/0065-Add-DNS-over-TLS-support.patch deleted file mode 100644 index 6264f5c..0000000 --- a/0065-Add-DNS-over-TLS-support.patch +++ /dev/null @@ -1,1447 +0,0 @@ -From 46ef43b2a68139c991883633137c0061f20222a7 Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Mon, 29 Apr 2024 11:36:52 +0200 -Subject: [PATCH 1/4] Add DNS over TLS support - -Add DNS over TLS support using Unbound as a local resolver. This -includes new options on both server and client side. - -* `--dns-over-tls`: enable DNS over TLS support. This option is present - on both client and server. It deploys Unbound and configures BIND on -the server to receive DoT requests. -* `--dot-forwarder`: the upstream DNS server with DoT support. It must - be specified in the format `1.2.3.4#dns.server.test` -* `--dns-over-tls-key` and `--dns-over-tls-cert`: in case user prefers - to have the DoT certificate in BIND generated by themselves. If these - are empty, IPA CA is used instead to request a new certificate. - -Signed-off-by: Antonio Torres -Reviewed-By: Francisco Trivino -Reviewed-By: Alexander Bokovoy -Reviewed-By: Varun Mylaraiah -Reviewed-By: Pavel Brezina ---- - client/man/ipa-client-install.1 | 3 + - client/share/Makefile.am | 1 + - client/share/unbound.conf.template | 10 ++ - install/share/bind.named.conf.template | 4 + - install/tools/ipa-dns-install.in | 50 +++++- - install/tools/man/ipa-dns-install.1 | 16 ++ - install/tools/man/ipa-replica-install.1 | 16 ++ - install/tools/man/ipa-server-install.1 | 16 ++ - ipaclient/install/client.py | 89 +++++++++- - ipaplatform/base/paths.py | 4 + - ipaplatform/base/services.py | 2 +- - ipapython/ipautil.py | 13 ++ - ipaserver/install/bindinstance.py | 48 +++++- - ipaserver/install/dns.py | 182 ++++++++++++++++++++- - ipaserver/install/server/__init__.py | 60 ++++++- - ipaserver/install/server/install.py | 24 ++- - ipaserver/install/server/replicainstall.py | 2 + - 17 files changed, 507 insertions(+), 33 deletions(-) - create mode 100644 client/share/unbound.conf.template - -diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 -index 725b11422..e6f641254 100644 ---- a/client/man/ipa-client-install.1 -+++ b/client/man/ipa-client-install.1 -@@ -201,6 +201,9 @@ Use \fIIP_ADDRESS\fR in DNS A/AAAA record for this host. May be specified multip - .TP - \fB\-\-all\-ip\-addresses\fR - Create DNS A/AAAA record for each IP address on this host. -+.TP -+\fB\-\-dns\-over\-tls\fR -+Configure DNS over TLS. - - .SS "SSSD OPTIONS" - .TP -diff --git a/client/share/Makefile.am b/client/share/Makefile.am -index bf631a22f..52f3c4dd4 100644 ---- a/client/share/Makefile.am -+++ b/client/share/Makefile.am -@@ -5,6 +5,7 @@ dist_app_DATA = \ - freeipa.template \ - sshd_ipa.conf.template \ - ssh_ipa.conf.template \ -+ unbound.conf.template \ - $(NULL) - - epnconfdir = $(IPA_SYSCONF_DIR) -diff --git a/client/share/unbound.conf.template b/client/share/unbound.conf.template -new file mode 100644 -index 000000000..166036f65 ---- /dev/null -+++ b/client/share/unbound.conf.template -@@ -0,0 +1,10 @@ -+server: -+ tls-cert-bundle: $TLS_CERT_BUNDLE_PATH -+ tls-upstream: yes -+ interface: 127.0.0.55 -+ log-servfail: yes -+forward-zone: -+ name: "." -+ forward-tls-upstream: yes -+ forward-first: no -+ $FORWARD_ADDRS -diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template -index 01b77c5ae..b64a6a4b0 100644 ---- a/install/share/bind.named.conf.template -+++ b/install/share/bind.named.conf.template -@@ -21,6 +21,8 @@ options { - - managed-keys-directory "$MANAGED_KEYS_DIR"; - -+ $NAMED_DNS_OVER_TLS_OPTIONS_CONF -+ - /* user customizations of options */ - include "$NAMED_CUSTOM_OPTIONS_CONF"; - -@@ -49,6 +51,8 @@ ${NAMED_ZONE_COMMENT}}; - include "$RFC1912_ZONES"; - include "$ROOT_KEY"; - -+$NAMED_DNS_OVER_TLS_CONF -+ - /* user customization */ - include "$NAMED_CUSTOM_CONF"; - -diff --git a/install/tools/ipa-dns-install.in b/install/tools/ipa-dns-install.in -index f1a90e7ac..0b0cd2be5 100644 ---- a/install/tools/ipa-dns-install.in -+++ b/install/tools/ipa-dns-install.in -@@ -27,6 +27,7 @@ import sys - - from ipaserver.install import bindinstance - from ipaserver.install import installutils -+from ipaplatform import services - from ipapython import version - from ipalib import api - from ipaplatform.paths import paths -@@ -56,6 +57,24 @@ def parse_options(): - parser.add_option("--auto-forwarders", dest="auto_forwarders", - action="store_true", default=False, - help="Use DNS forwarders configured in /etc/resolv.conf") -+ parser.add_option("--dns-over-tls", dest="dns_over_tls", -+ help="Configure DNS over TLS", default=False, -+ action="store_true") -+ parser.add_option("--dot-forwarder", dest="dot_forwarders", -+ action="append", -+ default=[], -+ help="Add a DNS over TLS forwarder. " -+ "This option can be used multiple times") -+ parser.add_option("--dns-over-tls-cert", dest="dns_over_tls_cert", -+ help="Certificate to use for DNS over TLS. " -+ "If empty, a new certificate will be requested " -+ "from IPA CA") -+ parser.add_option("--dns-over-tls-key", dest="dns_over_tls_key", -+ help="Key for certificate specified " -+ "in --dns-over-tls-cert") -+ parser.add_option("--dns-policy", dest="dns_policy", -+ choices=("relaxed", "enforced"), default="relaxed", -+ help="Policy for encrypted DNS enforcement") - parser.add_option("--forward-policy", dest="forward_policy", - choices=("first", "only"), default=None, - help="DNS forwarding policy for global forwarders") -@@ -102,12 +121,37 @@ def parse_options(): - elif options.auto_reverse and options.no_reverse: - parser.error("You cannot specify a --auto-reverse option together with --no-reverse") - -+ if options.dns_policy == "enforced" and not options.dns_over_tls: -+ parser.error("If encrypted DNS policy is enforced, " -+ "--dns-over-tls must be specified.") -+ -+ unbound = services.knownservices["unbound"] -+ if options.dns_over_tls and not unbound.is_installed(): -+ parser.error( -+ "To enable DNS over TLS, package ipa-server-encrypted-dns " -+ "must be installed." -+ ) -+ -+ if not options.dns_over_tls and options.dot_forwarders: -+ parser.error("You cannot specify a " -+ "--dot-forwarder option without --dns-over-tls") -+ elif options.dns_over_tls and not options.dot_forwarders: -+ parser.error( -+ "You must specify --dot-forwarder " -+ "when enabling DNS over TLS") -+ elif bool(options.dns_over_tls_key) != bool(options.dns_over_tls_cert): -+ parser.error( -+ "You cannot specify a --dns-over-tls-key option " -+ "without the --dns-over-tls-cert option and vice versa") -+ - if options.unattended: - if (not options.forwarders -- and not options.no_forwarders -- and not options.auto_forwarders): -+ and not options.no_forwarders -+ and not options.auto_forwarders -+ and not options.dot_forwarders): - parser.error("You must specify at least one option: " -- "--forwarder or --no-forwarders or --auto-forwarders") -+ "--forwarder or --no-forwarders or --auto-forwarders" -+ " or --dot-forwarder") - - if options.kasp_db_file and not os.path.isfile(options.kasp_db_file): - parser.error("File %s does not exist" % options.kasp_db_file) -diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 -index 029001eca..6008d2028 100644 ---- a/install/tools/man/ipa-dns-install.1 -+++ b/install/tools/man/ipa-dns-install.1 -@@ -69,6 +69,22 @@ Allow creatin of (reverse) zone even if the zone is already resolvable. Using th - .TP - \fB\-U\fR, \fB\-\-unattended\fR - An unattended installation that will never prompt for user input -+.TP -+\fB\-\-dns\-over\-tls\fR -+Configure DNS over TLS. -+.TP -+\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR -+Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: dns.example.com#1.2.3.4. This option can be used multiple times. -+.TP -+\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR -+Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. -+.TP -+\fB\-\-dns\-over\-tls\-key\fR=\fIFILE\fR -+Key for the certificate specified in --dns-over-tls-key. -+.TP -+\fB\-\-dns\-policy\fR=\fIrelaxed|enforced\fR -+Encrypted DNS policy. If enforced, DNS communications will only be allowed through the configured encrypted DNS methods. If relaxed, -+unencrypted DNS queries will be allowed. - .SH "DEPRECATED OPTIONS" - .TP - \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR -diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 -index 3b1d25ba6..c55d21253 100644 ---- a/install/tools/man/ipa-replica-install.1 -+++ b/install/tools/man/ipa-replica-install.1 -@@ -223,6 +223,22 @@ Do not automatically create DNS SSHFP records. - .TP - \fB\-\-no\-dnssec\-validation\fR - Disable DNSSEC validation on this server. -+.TP -+\fB\-\-dns\-over\-tls\fR -+Configure DNS over TLS. -+.TP -+\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR -+Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: dns.example.com#1.2.3.4. This option can be used multiple times. -+.TP -+\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR -+Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. -+.TP -+\fB\-\-dns\-over\-tls\-key\fR=\fIFILE\fR -+Key for the certificate specified in --dns-over-tls-key. -+.TP -+\fB\-\-dns\-policy\fR=\fIrelaxed|enforced\fR -+Encrypted DNS policy. If enforced, DNS communications will only be allowed through the configured encrypted DNS methods. If relaxed, -+unencrypted DNS queries will be allowed. - - .SS "SID GENERATION OPTIONS" - .TP -diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 -index 215a77d6b..84d82531c 100644 ---- a/install/tools/man/ipa-server-install.1 -+++ b/install/tools/man/ipa-server-install.1 -@@ -252,6 +252,22 @@ Disable DNSSEC validation on this server. - .TP - \fB\-\-allow\-zone\-overlap\fR - Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution. -+.TP -+\fB\-\-dns\-over\-tls\fR -+Configure DNS over TLS. -+.TP -+\fB\-\-dot\-forwarder\fR=\fIIP_ADDRESS#HOSTNAME\fR -+Add a DNS-over-TLS-enabled forwarder in the format of ip#hostname, e.g.: dns.example.com#1.2.3.4. This option can be used multiple times. -+.TP -+\fB\-\-dns\-over\-tls\-cert\fR=\fIFILE\fR -+Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. -+.TP -+\fB\-\-dns\-over\-tls\-key\fR=\fIFILE\fR -+Key for the certificate specified in --dns-over-tls-key. -+.TP -+\fB\-\-dns\-policy\fR=\fIrelaxed|enforced\fR -+Encrypted DNS policy. If enforced, DNS communications will only be allowed through the configured encrypted DNS methods. If relaxed, -+unencrypted DNS queries will be allowed. - - .SS "SID GENERATION OPTIONS" - .TP -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 47a371f62..9e4d3bbe7 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -1002,6 +1002,11 @@ def configure_sssd_conf( - - if options.dns_updates: - domain.set_option('dyndns_update', True) -+ if options.dns_over_tls: -+ server_ip = str(list(dnsutil.resolve_ip_addresses( -+ cli_server[0]))[0]) -+ domain.set_option('dyndns_server', 'dns+tls://{}:853#{}' -+ .format(server_ip, cli_server[0])) - if options.all_ip_addresses: - domain.set_option('dyndns_iface', '*') - else: -@@ -1409,8 +1414,9 @@ def get_local_ipaddresses(iface=None): - return ips - - --def do_nsupdate(update_txt): -+def do_nsupdate(update_txt, options, server): - logger.debug("Writing nsupdate commands to %s:", UPDATE_FILE) -+ - logger.debug("%s", update_txt) - - with open(UPDATE_FILE, "w") as f: -@@ -1418,12 +1424,20 @@ def do_nsupdate(update_txt): - - result = False - try: -- ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE]) -+ if options.dns_over_tls: -+ ipautil.run([paths.NSUPDATE, '-p', '853', '-S', -+ '-H', server, '-g', UPDATE_FILE]) -+ else: -+ ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE]) - result = True - except CalledProcessError as e: - logger.debug('nsupdate (GSS-TSIG) failed: %s', str(e)) - try: -- ipautil.run([paths.NSUPDATE, UPDATE_FILE]) -+ if options.dns_over_tls: -+ ipautil.run([paths.NSUPDATE, '-p', '853', '-S', -+ '-H', server, '-g', UPDATE_FILE]) -+ else: -+ ipautil.run([paths.NSUPDATE, UPDATE_FILE]) - try: - sssdconfig = SSSDConfig.SSSDConfig() - sssdconfig.import_config() -@@ -1525,6 +1539,8 @@ def update_dns(server, hostname, options): - no_matching_interface_for_ip_address_warning(update_ips) - - update_txt = "debug\n" -+ if options.dns_over_tls: -+ update_txt += "server %s 853" % server - update_txt += ipautil.template_str(DELETE_TEMPLATE_A, - dict(HOSTNAME=hostname)) - update_txt += ipautil.template_str(DELETE_TEMPLATE_AAAA, -@@ -1538,7 +1554,7 @@ def update_dns(server, hostname, options): - template = ADD_TEMPLATE_AAAA - update_txt += ipautil.template_str(template, sub_dict) - -- if not do_nsupdate(update_txt): -+ if not do_nsupdate(update_txt, options, server): - logger.error("Failed to update DNS records.") - verify_dns_update(hostname, update_ips) - -@@ -1654,6 +1670,54 @@ def client_dns(server, hostname, options): - hostname, ex) - dns_ok = False - -+ # Setup DNS over TLS -+ if options.dns_over_tls: -+ # setup and enable Unbound as resolver -+ server_ip = str(list(dnsutil.resolve_ip_addresses(server))[0]) -+ forward_addr = "forward-addr: %s#%s" % (server_ip, server) -+ ipautil.copy_template_file( -+ paths.UNBOUND_CONF_SRC, -+ paths.UNBOUND_CONF, -+ dict( -+ TLS_CERT_BUNDLE_PATH=os.path.join( -+ paths.OPENSSL_CERTS_DIR, "ca-bundle.crt"), -+ FORWARD_ADDRS=forward_addr -+ ) -+ ) -+ sr = services.knownservices["systemd-resolved"] -+ if sr.is_running(): -+ sr.stop() -+ sr.disable() -+ -+ nm = services.knownservices["NetworkManager"] -+ if nm.is_enabled(): -+ with open(paths.NETWORK_MANAGER_IPA_CONF, "w") as f: -+ dns_none = [ -+ "# auto-generated by IPA installer", -+ "[main]", -+ "dns=none\n" -+ ] -+ f.write("\n".join(dns_none)) -+ nm.reload_or_restart() -+ -+ # Overwrite resolv.conf to point to Unbound -+ cfg = [ -+ "# auto-generated by IPA installer", -+ "search .", -+ "nameserver 127.0.0.55\n" -+ ] -+ fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) -+ fstore.backup_file(paths.RESOLV_CONF) -+ with open(paths.RESOLV_CONF, 'w') as f: -+ f.write('\n'.join(cfg)) -+ os.chmod(paths.RESOLV_CONF, 0o644) -+ -+ services.knownservices.unbound.enable() -+ services.knownservices.unbound.restart() -+ logger.info("DNS encryption support was enabled. " -+ "Unbound is configured to listen on 127.0.0.55:53 and " -+ "forward to upstream DoT servers.") -+ - if ( - options.dns_updates or options.all_ip_addresses or - options.ip_addresses or not dns_ok -@@ -1661,6 +1725,7 @@ def client_dns(server, hostname, options): - update_dns(server, hostname, options) - - -+ - def check_ip_addresses(options): - if options.ip_addresses: - for ip in options.ip_addresses: -@@ -1672,7 +1737,7 @@ def check_ip_addresses(options): - return True - - --def update_ssh_keys(hostname, ssh_dir, create_sshfp): -+def update_ssh_keys(hostname, ssh_dir, options, server): - if not os.path.isdir(ssh_dir): - return - -@@ -1718,10 +1783,12 @@ def update_ssh_keys(hostname, ssh_dir, create_sshfp): - logger.warning("Failed to upload host SSH public keys.") - return - -- if create_sshfp: -+ if options.create_sshfp: - ttl = 1200 - - update_txt = 'debug\n' -+ if options.dns_over_tls: -+ update_txt += "server %s 853" % server - update_txt += 'update delete %s. IN SSHFP\nshow\nsend\n' % hostname - for pubkey in pubkeys: - sshfp = pubkey.fingerprint_dns_sha1() -@@ -1734,7 +1801,7 @@ def update_ssh_keys(hostname, ssh_dir, create_sshfp): - hostname, ttl, sshfp) - update_txt += 'show\nsend\n' - -- if not do_nsupdate(update_txt): -+ if not do_nsupdate(update_txt, options, server): - logger.warning("Could not update DNS SSHFP records.") - - -@@ -3163,7 +3230,7 @@ def _install(options, tdict): - if not options.on_master: - client_dns(cli_server[0], hostname, options) - -- update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options.create_sshfp) -+ update_ssh_keys(hostname, paths.SSH_CONFIG_DIR, options, cli_server[0]) - - try: - os.remove(CCACHE_FILE) -@@ -3988,6 +4055,12 @@ class ClientInstallInterface(hostname_.HostNameInstallInterface, - if value < 1: - raise ValueError("expects an integer greater than 0.") - -+ dns_over_tls = knob( -+ None, -+ description="Configure DNS over TLS", -+ ) -+ dns_over_tls = enroll_only(dns_over_tls) -+ - request_cert = knob( - None, - deprecated=True, -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index b339d2202..b2da94992 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -102,6 +102,8 @@ class BasePathNamespace: - NAMED_ROOT_KEY = "/etc/named.root.key" - NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic" - NAMED_CRYPTO_POLICY_FILE = None -+ UNBOUND_CONF_SRC = '/usr/share/ipa/client/unbound.conf.template' -+ UNBOUND_CONF = "/etc/unbound/conf.d/zzz-ipa.conf" - NSLCD_CONF = "/etc/nslcd.conf" - NSS_LDAP_CONF = "/etc/nss_ldap.conf" - NSSWITCH_CONF = "/etc/nsswitch.conf" -@@ -225,6 +227,8 @@ class BasePathNamespace: - OPENSSL_DIR = "/etc/pki/tls" - OPENSSL_CERTS_DIR = "/etc/pki/tls/certs" - OPENSSL_PRIVATE_DIR = "/etc/pki/tls/private" -+ BIND_DNS_OVER_TLS_CRT = "/etc/pki/tls/certs/bind_dot.crt" -+ BIND_DNS_OVER_TLS_KEY = "/etc/pki/tls/private/bind_dot.key" - PK12UTIL = "/usr/bin/pk12util" - SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" - SSLGET = "/usr/bin/sslget" -diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py -index 275422e30..fcb626aa3 100644 ---- a/ipaplatform/base/services.py -+++ b/ipaplatform/base/services.py -@@ -53,7 +53,7 @@ wellknownservices = [ - 'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy', - 'nfs-utils', 'sssd', 'NetworkManager', 'ipa-custodia', - 'ipa-dnskeysyncd', 'ipa-otpd', 'ipa-ods-exporter', -- 'systemd-resolved', -+ 'systemd-resolved', 'unbound', - ] - - # The common ports for these services. This is used to wait for the -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index c237d59fb..681f60655 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -266,6 +266,19 @@ class CheckedIPAddressLoopback(CheckedIPAddress): - file=sys.stderr) - - -+class IPAddressDoTForwarder(str): -+ """IPv4 or IPv6 address with added hostname as needed for DNS over TLS -+ configuration. Example: 1.2.3.4#dns.hostname.test -+ """ -+ def __init__(self, addr): -+ addr_split = addr.split("#") -+ if len(addr_split) != 2 or not valid_ip(addr_split[0]): -+ raise ValueError( -+ "DoT forwarder must be in the format " -+ "of '1.2.3.4#dns.example.test'." -+ ) -+ -+ - def valid_ip(addr): - return netaddr.valid_ipv4(addr) or netaddr.valid_ipv6(addr) - -diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py -index 939f5f21f..4f4ab9bbc 100644 ---- a/ipaserver/install/bindinstance.py -+++ b/ipaserver/install/bindinstance.py -@@ -28,6 +28,7 @@ import re - import shutil - import sys - import time -+import textwrap - - import ldap - import six -@@ -50,7 +51,7 @@ from ipapython.admintool import ScriptError - import ipalib - from ipalib import api, errors - from ipalib.constants import IPA_CA_RECORD --from ipalib.install import dnsforwarders -+from ipalib.install import dnsforwarders, certmonger - from ipaplatform import services - from ipaplatform.tasks import tasks - from ipaplatform.constants import constants -@@ -668,14 +669,20 @@ class BindInstance(service.Service): - - def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, - forward_policy, reverse_zones, zonemgr=None, -- no_dnssec_validation=False): -+ no_dnssec_validation=False, dns_over_tls=False, -+ dns_over_tls_cert=None, dns_over_tls_key=None, -+ dns_policy=None): - """Setup bindinstance for installation - """ - self.setup_templating( - fqdn=fqdn, - realm_name=realm_name, - domain_name=domain_name, -- no_dnssec_validation=no_dnssec_validation -+ no_dnssec_validation=no_dnssec_validation, -+ dns_over_tls=dns_over_tls, -+ dns_over_tls_cert=dns_over_tls_cert, -+ dns_over_tls_key=dns_over_tls_key, -+ dns_policy=dns_policy - ) - self.ip_addresses = ip_addresses - self.forwarders = forwarders -@@ -688,7 +695,9 @@ class BindInstance(service.Service): - self.zonemgr = normalize_zonemgr(zonemgr) - - def setup_templating( -- self, fqdn, realm_name, domain_name, no_dnssec_validation=None -+ self, fqdn, realm_name, domain_name, no_dnssec_validation=None, -+ dns_over_tls=None, dns_over_tls_cert=None, dns_over_tls_key=None, -+ dns_policy=None - ): - """Setup bindinstance for templating - """ -@@ -698,6 +707,10 @@ class BindInstance(service.Service): - self.host = fqdn.split(".")[0] - self.suffix = ipautil.realm_to_suffix(self.realm) - self.no_dnssec_validation = no_dnssec_validation -+ self.dns_over_tls = dns_over_tls -+ self.dns_over_tls_cert = dns_over_tls_cert -+ self.dns_over_tls_key = dns_over_tls_key -+ self.dns_policy = dns_policy - self._setup_sub_dict() - - @property -@@ -872,6 +885,24 @@ class BindInstance(service.Service): - else: - crypto_policy = "// not available" - -+ if self.dns_over_tls: -+ named_tls_conf = textwrap.dedent("""\ -+ tls local-tls {{ -+ \tkey-file "{}"; -+ \tcert-file "{}"; -+ }}; -+ """).format(self.dns_over_tls_key, self.dns_over_tls_cert) -+ unencrypted_iface = ("127.0.0.1" if self.dns_policy == "enforced" -+ else "any") -+ named_tls_options = textwrap.dedent("""\ -+ \tlisten-on { %s; }; -+ \tlisten-on tls local-tls { any; }; -+ \tlisten-on-v6 tls local-tls { any; }; -+ """ % unencrypted_iface) -+ else: -+ named_tls_options = "" -+ named_tls_conf = "" -+ - self.sub_dict = dict( - FQDN=self.fqdn, - SERVER_ID=ipaldap.realm_to_serverid(self.realm), -@@ -891,6 +922,8 @@ class BindInstance(service.Service): - NAMED_DATA_DIR=constants.NAMED_DATA_DIR, - NAMED_ZONE_COMMENT=constants.NAMED_ZONE_COMMENT, - NAMED_DNSSEC_VALIDATION=self._get_dnssec_validation(), -+ NAMED_DNS_OVER_TLS_OPTIONS_CONF=named_tls_options, -+ NAMED_DNS_OVER_TLS_CONF=named_tls_conf, - ) - - def __setup_dns_container(self): -@@ -1344,6 +1377,11 @@ class BindInstance(service.Service): - - self.named_conflict.unmask() - -+ certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT) -+ certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_KEY) -+ services.knownservices.unbound.disable() -+ services.knownservices.unbound.stop() -+ - ipautil.remove_file(paths.NAMED_CONF_BAK) - ipautil.remove_file(paths.NAMED_CUSTOM_CONF) - ipautil.remove_file(paths.NAMED_CUSTOM_OPTIONS_CONF) -@@ -1357,6 +1395,8 @@ class BindInstance(service.Service): - pass - except ValueError: - pass -+ ipautil.remove_file(paths.BIND_DNS_OVER_TLS_CRT) -+ ipautil.remove_file(paths.BIND_DNS_OVER_TLS_KEY) - ipautil.remove_keytab(self.keytab) - - ipautil.remove_ccache(run_as=self.service_user) -diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index 47d79af9c..29ca0d2ff 100644 ---- a/ipaserver/install/dns.py -+++ b/ipaserver/install/dns.py -@@ -20,14 +20,18 @@ from subprocess import CalledProcessError - from ipalib import api - from ipalib import errors - from ipalib import util --from ipalib.install import hostname, sysrestore -+from ipalib import x509 -+from ipalib.install import hostname, sysrestore, certmonger - from ipalib.install.service import enroll_only, prepare_only - from ipalib.install import dnsforwarders -+from ipalib.constants import FQDN - from ipaplatform.paths import paths - from ipaplatform.constants import constants - from ipaplatform import services -+from ipapython import admintool - from ipapython import ipautil - from ipapython import dnsutil -+from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS - from ipapython.dn import DN - from ipapython.dnsutil import check_zone_overlap - from ipapython.install import typing -@@ -37,7 +41,9 @@ from ipapython.ipautil import user_input - from ipaserver.install.installutils import get_server_ip_address - from ipaserver.install.installutils import read_dns_forwarders - from ipaserver.install.installutils import update_hosts_file -+from ipaserver.install.installutils import default_subject_base - from ipaserver.install import bindinstance -+from ipaserver.install import certs - from ipaserver.install import dnskeysyncinstance - from ipaserver.install import odsexporterinstance - from ipaserver.install import opendnssecinstance -@@ -108,6 +114,73 @@ def _disable_dnssec(): - conn.update_entry(entry) - - -+def _setup_dns_over_tls(options): -+ if os.path.isfile(paths.IPA_CA_CRT) and not options.dns_over_tls_cert: -+ # request certificate for DNS over TLS, using IPA CA -+ cert = paths.BIND_DNS_OVER_TLS_CRT -+ key = paths.BIND_DNS_OVER_TLS_KEY -+ certmonger.request_and_wait_for_cert( -+ certpath=(cert, key), -+ principal='DNS/%s@%s' % (FQDN, api.env.realm), -+ subject=str(DN(('CN', FQDN), default_subject_base(api.env.realm))), -+ storage="FILE" -+ ) -+ constants.NAMED_USER.chown(cert, gid=constants.NAMED_GROUP.gid) -+ constants.NAMED_USER.chown(key, gid=constants.NAMED_GROUP.gid) -+ -+ # setup and enable Unbound as resolver -+ forward_addrs = ["# forward-addr: specify here forwarders"] -+ if options.dot_forwarders: -+ forward_addrs = ["forward-addr: %s" % fw -+ for fw in options.dot_forwarders] -+ ipautil.copy_template_file( -+ paths.UNBOUND_CONF_SRC, -+ paths.UNBOUND_CONF, -+ dict( -+ TLS_CERT_BUNDLE_PATH=os.path.join( -+ paths.OPENSSL_CERTS_DIR, "ca-bundle.crt"), -+ FORWARD_ADDRS="\n".join(forward_addrs) -+ ) -+ ) -+ -+ sr = services.knownservices["systemd-resolved"] -+ if sr.is_running(): -+ sr.stop() -+ sr.disable() -+ -+ api.Command.dnsserver_mod( -+ FQDN, -+ idnsforwarders="127.0.0.55", -+ idnsforwardpolicy="first" -+ ) -+ -+ nm = services.knownservices["NetworkManager"] -+ if nm.is_enabled(): -+ with open(paths.NETWORK_MANAGER_IPA_CONF, "w") as f: -+ dns_none = [ -+ "# auto-generated by IPA installer", -+ "[main]", -+ "dns=none\n" -+ ] -+ f.write("\n".join(dns_none)) -+ nm.reload_or_restart() -+ -+ # Overwrite resolv.conf to point to IPA -+ cfg = [ -+ "# auto-generated by IPA installer", -+ "search .", -+ "nameserver 127.0.0.1\n" -+ ] -+ fstore = sysrestore.FileStore(paths.SYSRESTORE) -+ fstore.backup_file(paths.RESOLV_CONF) -+ with open(paths.RESOLV_CONF, 'w') as f: -+ f.write('\n'.join(cfg)) -+ os.chmod(paths.RESOLV_CONF, 0o644) -+ -+ services.knownservices.unbound.enable() -+ services.knownservices.unbound.restart() -+ -+ - def package_check(exception): - if not os.path.isfile(paths.IPA_DNS_INSTALL): - raise exception( -@@ -287,9 +360,14 @@ def install_check(standalone, api, replica, options, hostname): - - if options.no_forwarders: - options.forwarders = [] -- elif options.forwarders or options.auto_forwarders: -+ elif (options.forwarders -+ or options.dot_forwarders or options.auto_forwarders): - if not options.forwarders: -- options.forwarders = [] -+ if options.dot_forwarders: -+ options.forwarders = [fw.split("#")[0] -+ for fw in options.dot_forwarders] -+ else: -+ options.forwarders = [] - if options.auto_forwarders: - options.forwarders.extend(dnsforwarders.get_nameservers()) - elif standalone or not replica: -@@ -330,11 +408,46 @@ def install(standalone, replica, options, api=api): - # otherwise this is done by server/replica installer - update_hosts_file(ip_addresses, api.env.host, fstore) - -+ if os.path.isfile(paths.IPA_CA_CRT) and not options.dns_over_tls_cert: -+ dot_cert = paths.BIND_DNS_OVER_TLS_CRT -+ dot_key = paths.BIND_DNS_OVER_TLS_KEY -+ elif options.dns_over_tls_cert and options.dns_over_tls_key: -+ # Check certificate validity first -+ with certs.NSSDatabase() as tmpdb: -+ tmpdb.create_db() -+ ca_certs = x509.load_certificate_list_from_file( -+ options.dns_over_tls_cert) -+ nicknames = [] -+ for ca_cert in ca_certs: -+ nicknames.append(str(DN(ca_cert.subject))) -+ tmpdb.add_cert( -+ ca_cert, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS) -+ try: -+ for nick in nicknames: -+ tmpdb.verify_ca_cert_validity(nick) -+ except ValueError as e: -+ raise admintool.ScriptError( -+ "Not a valid CA certificate: %s" % e) -+ dot_cert = options.dns_over_tls_cert -+ dot_key = options.dns_over_tls_key -+ else: -+ raise RuntimeError( -+ "Certificate for DNS over TLS not specified " -+ "and IPA CA is not present." -+ ) -+ -+ if not options.forwarders and options.dot_forwarders: -+ options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders] -+ - bind = bindinstance.BindInstance(fstore, api=api) - bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, - options.forwarders, options.forward_policy, - reverse_zones, zonemgr=options.zonemgr, -- no_dnssec_validation=options.no_dnssec_validation) -+ no_dnssec_validation=options.no_dnssec_validation, -+ dns_over_tls=options.dns_over_tls, -+ dns_over_tls_cert=dot_cert, -+ dns_over_tls_key=dot_key, -+ dns_policy=options.dns_policy) - - if standalone and not options.unattended: - print("") -@@ -343,6 +456,11 @@ def install(standalone, replica, options, api=api): - print("") - - bind.create_instance() -+ -+ if options.dns_over_tls: -+ print("Setting up DNS over TLS") -+ _setup_dns_over_tls(options) -+ - print("Restarting the web server to pick up resolv.conf changes") - services.knownservices.httpd.restart(capture_output=True) - -@@ -370,6 +488,12 @@ def install(standalone, replica, options, api=api): - bind.update_system_records() - - if standalone: -+ if options.dns_over_tls and options.dns_policy == "enforced": -+ dns_port = "853" -+ elif options.dns_over_tls: -+ dns_port = "53, 853" -+ else: -+ dns_port = "53" - print("==============================================================================") - print("Setup complete") - print("") -@@ -378,14 +502,22 @@ def install(standalone, replica, options, api=api): - print("") - print("\tYou must make sure these network ports are open:") - print("\t\tTCP Ports:") -- print("\t\t * 53: bind") -+ print(f"\t\t * {dns_port}: bind") - print("\t\tUDP Ports:") -- print("\t\t * 53: bind") -+ print(f"\t\t * {dns_port}: bind") - elif not standalone and replica: - print("") - bind.check_global_configuration() - print("") - -+ if options.dns_over_tls: -+ policy = "enforced" if options.dns_policy == "enforced" else "relaxed" -+ print("") -+ print(("DNS encryption support was enabled " -+ "with policy '{}'.".format(policy))) -+ print(("Unbound is configured to listen on 127.0.0.55:53 and " -+ "forward to upstream DoT servers.")) -+ - - def uninstall_check(options): - # test if server is DNSSEC key master -@@ -424,6 +556,10 @@ class DNSForwardPolicy(enum.Enum): - FIRST = 'first' - - -+class EncryptedDNSPolicy(enum.Enum): -+ RELAXED = 'relaxed' -+ ENFORCED = 'enforced' -+ - @group - class DNSInstallInterface(hostname.HostNameInstallInterface): - """ -@@ -536,6 +672,40 @@ class DNSInstallInterface(hostname.HostNameInstallInterface): - ) - no_dnssec_validation = enroll_only(no_dnssec_validation) - -+ dns_over_tls = knob( -+ None, -+ description="Configure DNS over TLS", -+ ) -+ dns_over_tls = enroll_only(dns_over_tls) -+ -+ dot_forwarders = knob( -+ typing.List[ipautil.IPAddressDoTForwarder], None, -+ description=("Add a DNS over TLS forwarder. " -+ "This option can be used multiple times"), -+ cli_names='--dot-forwarder', -+ ) -+ dot_forwarders = enroll_only(dot_forwarders) -+ -+ dns_over_tls_cert = knob( -+ str, None, -+ description=("Certificate to use for DNS over TLS. " -+ "If empty, a new certificate will be " -+ "requested from IPA CA"), -+ ) -+ dns_over_tls_cert = enroll_only(dns_over_tls_cert) -+ -+ dns_over_tls_key = knob( -+ str, None, -+ description="Key for certificate specified in --dns-over-tls-cert", -+ ) -+ dns_over_tls_key = enroll_only(dns_over_tls_key) -+ -+ dns_policy = knob( -+ EncryptedDNSPolicy, 'relaxed', -+ description=("Encrypted DNS policy"), -+ ) -+ dns_policy = enroll_only(dns_policy) -+ - dnssec_master = False - disable_dnssec_master = False - kasp_db_file = None -diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py -index 857b08f9f..c6a88585a 100644 ---- a/ipaserver/install/server/__init__.py -+++ b/ipaserver/install/server/__init__.py -@@ -21,6 +21,7 @@ from ipalib.install.service import (enroll_only, - from ipapython.install import typing - from ipapython.install.core import group, knob, extend_knob - from ipapython.install.common import step -+from ipaplatform import services - - from .install import validate_admin_password, validate_dm_password - from .install import get_min_idstart -@@ -442,6 +443,18 @@ class ServerInstallInterface(ServerCertificateInstallInterface, - raise RuntimeError( - "You cannot specify a --no-dnssec-validation option " - "without the --setup-dns option") -+ if self.dot_forwarders: -+ raise RuntimeError( -+ "You cannot specify a --dot-forwarder option " -+ "without the --setup-dns option") -+ if self.dns_over_tls_cert: -+ raise RuntimeError( -+ "You cannot specify a --dns-over-tls-cert option " -+ "without the --setup-dns option") -+ if self.dns_over_tls_key: -+ raise RuntimeError( -+ "You cannot specify a --dns-over-tls-key option " -+ "without the --setup-dns option") - elif self.forwarders and self.no_forwarders: - raise RuntimeError( - "You cannot specify a --forwarder option together with " -@@ -458,7 +471,32 @@ class ServerInstallInterface(ServerCertificateInstallInterface, - raise RuntimeError( - "You cannot specify a --auto-reverse option together with " - "--no-reverse") -- -+ elif self.dot_forwarders and not self.dns_over_tls: -+ raise RuntimeError( -+ "You cannot specify a --dot-forwarder option " -+ "without the --dns-over-tls option") -+ elif (self.dns_over_tls -+ and not services.knownservices["unbound"].is_installed()): -+ raise RuntimeError( -+ "To enable DNS over TLS, package ipa-server-encrypted-dns " -+ "must be installed." -+ ) -+ elif self.dns_policy == "enforced" and not self.dns_over_tls: -+ raise RuntimeError( -+ "You cannot specify a --dns-policy option " -+ "without the --dns-over-tls option") -+ elif self.dns_over_tls_cert and not self.dns_over_tls: -+ raise RuntimeError( -+ "You cannot specify a --dns-over-tls-cert option " -+ "without the --dns-over-tls option") -+ elif self.dns_over_tls_key and not self.dns_over_tls: -+ raise RuntimeError( -+ "You cannot specify a --dns-over-tls-key option " -+ "without the --dns-over-tls option") -+ elif bool(self.dns_over_tls_key) != bool(self.dns_over_tls_cert): -+ raise RuntimeError( -+ "You cannot specify a --dns-over-tls-key option " -+ "without the --dns-over-tls-cert option and vice versa") - if not self.setup_adtrust: - if self.add_agents: - raise RuntimeError( -@@ -504,12 +542,18 @@ class ServerInstallInterface(ServerCertificateInstallInterface, - "In unattended mode you need to provide at least -r, " - "-p and -a options") - if self.setup_dns: -- if (not self.forwarders and -- not self.no_forwarders and -- not self.auto_forwarders): -+ if (not self.forwarders -+ and not self.no_forwarders -+ and not self.auto_forwarders -+ and not self.dot_forwarders): - raise RuntimeError( - "You must specify at least one of --forwarder, " -- "--auto-forwarders, or --no-forwarders options") -+ "--auto-forwarders, --dot-forwarder or " -+ "--no-forwarders options") -+ elif self.dns_over_tls and not self.dot_forwarders: -+ raise RuntimeError( -+ "You must specify --dot-forwarder " -+ "when enabling DNS over TLS") - - any_ignore_option_true = any( - [self.ignore_topology_disconnect, self.ignore_last_of_role]) -@@ -541,10 +585,12 @@ class ServerInstallInterface(ServerCertificateInstallInterface, - if self.setup_dns: - if (not self.forwarders and - not self.no_forwarders and -- not self.auto_forwarders): -+ not self.auto_forwarders -+ and not self.dot_forwarders): - raise RuntimeError( - "You must specify at least one of --forwarder, " -- "--auto-forwarders, or --no-forwarders options") -+ "--auto-forwarders, --dot-forwarder, " -+ "or --no-forwarders options") - - - ServerMasterInstallInterface = installs_master(ServerInstallInterface) -diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index c39c807a9..4354683f1 100644 ---- a/ipaserver/install/server/install.py -+++ b/ipaserver/install/server/install.py -@@ -1018,6 +1018,10 @@ def install(installer): - - if options.setup_dns: - dns.install(False, False, options) -+ elif options.dns_over_tls: -+ service.print_msg("Warning: --dns-over-tls option " -+ "specified without --setup-dns, ignoring") -+ options.dns_over_tls = False - - # Always call adtrust installer to configure SID generation - # if --setup-adtrust is not specified, only the SID part is executed -@@ -1089,12 +1093,16 @@ def install(installer): - print("\t\t * 80, 443: HTTP/HTTPS") - print("\t\t * 389, 636: LDAP/LDAPS") - print("\t\t * 88, 464: kerberos") -- if options.setup_dns: -- print("\t\t * 53: bind") -+ if options.dns_over_tls and options.dns_policy == "enforced": -+ dns_port = "853" -+ elif options.dns_over_tls: -+ dns_port = "53, 853" -+ else: -+ dns_port = "53" -+ print(f"\t\t * {dns_port}: bind") - print("\t\tUDP Ports:") - print("\t\t * 88, 464: kerberos") -- if options.setup_dns: -- print("\t\t * 53: bind") -+ print(f"\t\t * {dns_port}: bind") - if not options.no_ntp: - print("\t\t * 123: ntp") - print("") -@@ -1109,6 +1117,14 @@ def install(installer): - print("\t and servers for correct operation. You should consider " - "enabling chronyd.") - -+ if options.dns_over_tls: -+ policy = "enforced" if options.dns_policy == "enforced" else "relaxed" -+ print("") -+ print(("DNS encryption support was enabled " -+ "with policy '{}'.".format(policy))) -+ print(("Unbound is configured to listen on 127.0.0.55:53 and " -+ "forward to upstream DoT servers.")) -+ - print("") - if setup_ca and not options.token_name: - print(("Be sure to back up the CA certificates stored in " + -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index eeaaacb65..1f2c81f85 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -722,6 +722,8 @@ def ensure_enrolled(installer): - args.extend(("--ntp-server", server)) - if installer.ntp_pool: - args.extend(("--ntp-pool", installer.ntp_pool)) -+ if installer.dns_over_tls and not installer.setup_dns: -+ args.append("--dns-over-tls") - - try: - # Call client install script --- -2.48.1 - -From 186d5f65dc57dba3bb027fa4c5c4cb1603ce305a Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Wed, 11 Dec 2024 13:38:28 +0100 -Subject: [PATCH 2/4] ipatests: add tests for DNS over TLS - -Signed-off-by: Antonio Torres -Reviewed-By: Francisco Trivino -Reviewed-By: Alexander Bokovoy -Reviewed-By: Varun Mylaraiah -Reviewed-By: Pavel Brezina ---- - ipatests/test_integration/test_edns.py | 257 +++++++++++++++++++++++++ - 1 file changed, 257 insertions(+) - create mode 100644 ipatests/test_integration/test_edns.py - -diff --git a/ipatests/test_integration/test_edns.py b/ipatests/test_integration/test_edns.py -new file mode 100644 -index 000000000..b42570ffa ---- /dev/null -+++ b/ipatests/test_integration/test_edns.py -@@ -0,0 +1,257 @@ -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+"""This covers tests for DNS over TLS related feature""" -+ -+from __future__ import absolute_import -+import textwrap -+ -+from ipatests.pytest_ipa.integration import tasks -+from ipatests.test_integration.base import IntegrationTest -+from ipatests.test_integration.test_dns import TestDNS -+from ipatests.pytest_ipa.integration.firewall import Firewall -+from ipaplatform.paths import paths -+ -+ -+class TestDNSOverTLS(IntegrationTest): -+ """Tests for DNS over TLS feature.""" -+ -+ topology = 'line' -+ num_replicas = 1 -+ num_clients = 1 -+ -+ @classmethod -+ def install(cls, mh): -+ Firewall(cls.master).enable_service("dns-over-tls") -+ Firewall(cls.replicas[0]).enable_service("dns-over-tls") -+ tasks.install_packages(cls.master, ['*ipa-server-encrypted-dns']) -+ tasks.install_packages(cls.replicas[0], ['*ipa-server-encrypted-dns']) -+ tasks.install_packages(cls.clients[0], ['*ipa-client-encrypted-dns']) -+ -+ def test_install_dnsovertls_invalid_ca(self): -+ """ -+ This test checks that the installers throws an error -+ when invalid cert is specified. -+ """ -+ bad_ca_cnf = textwrap.dedent(""" -+ [ req ] -+ x509_extensions = v3_ca -+ [ v3_ca ] -+ basicConstraints = critical,CA:false -+ """) -+ self.master.put_file_contents("/bad_ca.cnf", bad_ca_cnf) -+ self.master.run_command(["openssl", "req", "-newkey", "rsa:2048", -+ "-nodes", "-keyout", -+ "/etc/pki/tls/certs/privkey-invalid.pem", -+ "-x509", "-days", "36500", "-out", -+ "/etc/pki/tls/certs/certificate-invalid.pem", -+ "-subj", -+ ("/C=ES/ST=Andalucia/L=Sevilla/O=CompanyName/" -+ "OU=IT/CN=www.example.com/" -+ "emailAddress=email@example.com"), -+ "-config", "/bad_ca.cnf"]) -+ args = [ -+ "--dns-over-tls", -+ "--dot-forwarder", "1.1.1.1#cloudflare-dns.com", -+ "--dns-over-tls-cert", -+ "/etc/pki/tls/certs/certificate-invalid.pem", -+ "--dns-over-tls-key", -+ "/etc/pki/tls/certs/privkey-invalid.pem" -+ ] -+ res = tasks.install_master(self.master, extra_args=args, -+ raiseonerr=False) -+ assert "Not a valid CA certificate: " in res.stderr_text -+ tasks.uninstall_master(self.master) -+ -+ def test_install_dnsovertls_without_setup_dns_master(self): -+ """ -+ This test installs an IPA server using the --dns-over-tls option -+ without using setup-dns option, and captures warnings that appear. -+ """ -+ self.master.run_command(["ipa-server-install", "--uninstall", "-U"]) -+ args = [ -+ "--dns-over-tls", -+ ] -+ res = tasks.install_master( -+ self.master, extra_args=args, setup_dns=False) -+ assert ("Warning: --dns-over-tls option specified without " -+ "--setup-dns, ignoring") in res.stdout_text -+ tasks.uninstall_master(self.master) -+ -+ def test_install_dnsovertls_master(self): -+ """ -+ This tests installs IPA server with --dns-over-tls option. -+ """ -+ args = [ -+ "--dns-over-tls", -+ "--dot-forwarder", "1.1.1.1#cloudflare-dns.com", -+ ] -+ return tasks.install_master(self.master, extra_args=args) -+ -+ def test_install_dnsovertls_client(self): -+ """ -+ This tests installs IPA client with --dns-over-tls option. -+ """ -+ self.clients[0].put_file_contents( -+ paths.RESOLV_CONF, -+ "nameserver %s" % self.master.ip -+ ) -+ args = [ -+ "--dns-over-tls" -+ ] -+ return tasks.install_client(self.master, -+ self.clients[0], -+ nameservers=None, -+ extra_args=args) -+ -+ def test_install_dnsovertls_replica(self): -+ """ -+ This tests installs IPA replica with --dns-over-tls option. -+ """ -+ args = [ -+ "--dns-over-tls", -+ "--dot-forwarder", "1.1.1.1#cloudflare-dns.com", -+ ] -+ return tasks.install_replica(self.master, self.replicas[0], -+ setup_dns=True, extra_args=args) -+ -+ def test_queries_encrypted(self): -+ """ -+ This test performs queries from each of the hosts -+ and ensures they were routed to 1.1.1.1#853 (eDNS). -+ """ -+ unbound_log_cfg = textwrap.dedent(""" -+ server: -+ verbosity: 3 -+ log-queries: yes -+ """) -+ # Test servers first (querying to local Unbound) -+ for server in [self.master, self.replicas[0]]: -+ server.put_file_contents("/etc/unbound/conf.d/log.conf", -+ unbound_log_cfg) -+ server.run_command(["systemctl", "restart", "unbound"]) -+ server.run_command(["journalctl", "--flush", "--rotate", -+ "--vacuum-time=1s"]) -+ server.run_command(["dig", "freeipa.org"]) -+ server.run_command(["journalctl", "-u", "unbound", -+ "--grep=1.1.1.1#853"]) -+ server.run_command(["journalctl", "--flush", "--rotate", -+ "--vacuum-time=1s"]) -+ # Now, test the client (redirects query to master) -+ self.clients[0].run_command(["dig", "redhat.com"]) -+ self.master.run_command(["journalctl", "-u", "unbound", -+ "--grep=1.1.1.1#853"]) -+ -+ def test_uninstall_all(self): -+ """ -+ This test ensures that all hosts can be uninstalled correctly. -+ """ -+ tasks.uninstall_client(self.clients[0]) -+ tasks.uninstall_replica(self.master, self.replicas[0]) -+ tasks.uninstall_master(self.master) -+ -+ def test_install_dnsovertls_master_external_ca(self): -+ """ -+ This test ensures that IPA server can be installed -+ with DoT using an external CA. -+ """ -+ self.master.run_command(["openssl", "req", "-newkey", "rsa:2048", -+ "-nodes", "-keyout", -+ "/etc/pki/tls/certs/privkey.pem", "-x509", -+ "-days", "36500", "-out", -+ "/etc/pki/tls/certs/certificate.pem", "-subj", -+ ("/C=ES/ST=Andalucia/L=Sevilla/O=CompanyName/" -+ "OU=IT/CN={}/" -+ "emailAddress=email@example.com") -+ .format(self.master.hostname)]) -+ self.master.run_command(["chown", "named:named", -+ "/etc/pki/tls/certs/privkey.pem", -+ "/etc/pki/tls/certs/certificate.pem"]) -+ args = [ -+ "--dns-over-tls", -+ "--dot-forwarder", "1.1.1.1#cloudflare-dns.com", -+ "--dns-over-tls-cert", "/etc/pki/tls/certs/certificate.pem", -+ "--dns-over-tls-key", "/etc/pki/tls/certs/privkey.pem" -+ ] -+ return tasks.install_master(self.master, extra_args=args) -+ -+ def test_enrollments_external_ca(self): -+ """ -+ Test that replicas and clients can be deployed when the master -+ uses an external CA. -+ """ -+ tasks.copy_files(self.master, self.clients[0], -+ ["/etc/pki/tls/certs/certificate.pem"]) -+ self.clients[0].run_command(["mv", -+ "/etc/pki/tls/certs/certificate.pem", -+ "/etc/pki/ca-trust/source/anchors/"]) -+ self.clients[0].run_command(["update-ca-trust", "extract"]) -+ self.test_install_dnsovertls_client() -+ self.test_install_dnsovertls_replica() -+ self.test_queries_encrypted() -+ -+ def test_install_dnsovertls_with_invalid_ipaddress_master(self): -+ """ -+ This test installs an IPA server using the --dns-over-tls -+ option with an invalid IP address. -+ """ -+ args = [ -+ "--dns-over-tls", -+ "--dot-forwarder", "198.168.0.0.1#example-dns.test", -+ ] -+ res = tasks.install_master(self.master, extra_args=args, -+ raiseonerr=False) -+ assert ("--dot-forwarder invalid: DoT forwarder must be in " -+ "the format of '1.2.3.4#dns.example.test'") in res.stderr_text -+ tasks.uninstall_master(self.master) -+ -+ def test_validate_DoT_options_master(self): -+ """ -+ Tests that DoT options are displayed correctly on master. -+ """ -+ cmdout = self.master.run_command( -+ ['ipa-server-install', '--help']) -+ assert '''--dot-forwarder=DOT_FORWARDERS -+ Add a DNS over TLS forwarder. This option can be used -+ multiple times''' in cmdout.stdout_text # noqa: E501 -+ assert '''--dns-over-tls-cert=DNS_OVER_TLS_CERT -+ Certificate to use for DNS over TLS. If empty, a new -+ certificate will be requested from IPA CA''' in cmdout.stdout_text # noqa: E501 -+ assert '''--dns-over-tls-key=DNS_OVER_TLS_KEY -+ Key for certificate specified in --dns-over-tls-cert''' in cmdout.stdout_text # noqa: E501 -+ assert '''--dns-over-tls Configure DNS over TLS''' in cmdout.stdout_text # noqa: E501 -+ -+ def test_validate_DoT_options_replica(self): -+ """ -+ Tests that DoT options are displayed correctly on replica. -+ """ -+ cmdout = self.replicas[0].run_command( -+ ['ipa-server-install', '--help']) -+ assert '''--dot-forwarder=DOT_FORWARDERS -+ Add a DNS over TLS forwarder. This option can be used -+ multiple times''' in cmdout.stdout_text -+ assert '''--dns-over-tls-cert=DNS_OVER_TLS_CERT -+ Certificate to use for DNS over TLS. If empty, a new -+ certificate will be requested from IPA CA''' in cmdout.stdout_text # noqa: E501 -+ assert '''--dns-over-tls-key=DNS_OVER_TLS_KEY -+ Key for certificate specified in --dns-over-tls-cert''' in cmdout.stdout_text # noqa: E501 -+ assert '''--dns-over-tls Configure DNS over TLS''' in cmdout.stdout_text # noqa: E501 -+ -+ def test_validate_DoT_options_client(self): -+ """ -+ Tests that DoT options are displayed correctly on client. -+ """ -+ cmdout = self.clients[0].run_command( -+ ['ipa-client-install', '--help']) -+ assert '''--dns-over-tls Configure DNS over TLS''' in cmdout.stdout_text # noqa: E501 -+ -+ -+class TestDNS_DoT(TestDNS): -+ @classmethod -+ def install(cls, mh): -+ tasks.install_packages(cls.master, ['*ipa-server-encrypted-dns']) -+ args = [ -+ "--dns-over-tls", -+ "--dot-forwarder", "1.1.1.1#cloudflare-dns.com" -+ ] -+ tasks.install_master(cls.master, extra_args=args) --- -2.48.1 - -From a32b8fda893ae00bcd8efd91339dc8dbe35fc3cd Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Wed, 11 Dec 2024 13:35:29 +0100 -Subject: [PATCH 3/4] spec: add unbound requirement and template file - -Signed-off-by: Antonio Torres -Reviewed-By: Francisco Trivino -Reviewed-By: Alexander Bokovoy -Reviewed-By: Varun Mylaraiah -Reviewed-By: Pavel Brezina ---- - freeipa.spec.in | 27 +++++++++++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 4b91aa96f..b539f51f8 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -628,6 +628,7 @@ Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} - # See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 - # RHEL 8.3+ and Fedora 32+ have 2.1 - Requires: opendnssec >= 2.1.6-5 -+Recommends: %{name}-server-encrypted-dns - %{?systemd_requires} - - Provides: %{alt_name}-server-dns = %{version} -@@ -642,6 +643,15 @@ IPA integrated DNS server with support for automatic DNSSEC signing. - Integrated DNS server is BIND 9. OpenDNSSEC provides key management. - - -+%package server-encrypted-dns -+Summary: support for encrypted DNS in IPA integrated DNS server -+Requires: %{name}-client-encrypted-dns -+ -+%description server-encrypted-dns -+Provides support for enabling DNS over TLS in the IPA integrated DNS -+server. -+ -+ - %package server-trust-ad - Summary: Virtual package to install packages required for Active Directory trusts - Requires: %{name}-server = %{version}-%{release} -@@ -722,6 +732,7 @@ Requires: libnfsidmap - Requires: (nfs-utils or nfsv4-client-utils) - Requires: sssd-tools >= %{sssd_version} - Requires(post): policycoreutils -+Recommends: %{name}-client-encrypted-dns - - # https://pagure.io/freeipa/issue/8530 - Recommends: libsss_sudo -@@ -763,6 +774,14 @@ If your network uses IPA for authentication, this package should be - installed on every client machine. - This package provides command-line tools for IPA administrators. - -+%package client-encrypted-dns -+Summary: Enable encrypted DNS support for clients -+Requires: unbound -+ -+%description client-encrypted-dns -+This package enables support for installing clients with encrypted DNS -+via DNS over TLS. -+ - %package client-samba - Summary: Tools to configure Samba on IPA client - Group: System Environment/Base -@@ -1724,6 +1743,10 @@ fi - %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket - %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service - -+%files server-encrypted-dns -+%doc README.md Contributors.txt -+%license COPYING -+ - %files server-trust-ad - %doc README.md Contributors.txt - %license COPYING -@@ -1783,6 +1806,10 @@ fi - %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf - %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template - -+%files client-encrypted-dns -+%doc README.md Contributors.txt -+%license COPYING -+ - %files -n python3-ipaclient - %doc README.md Contributors.txt - %license COPYING --- -2.48.1 - diff --git a/0066-ipatests-on-rhel10-do-not-install-firefox.patch b/0066-ipatests-on-rhel10-do-not-install-firefox.patch deleted file mode 100644 index 9a4bb9e..0000000 --- a/0066-ipatests-on-rhel10-do-not-install-firefox.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d0dd2e8393f4b49edc67f8036a19d8b2d4e28938 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 31 Jan 2025 13:09:22 +0100 -Subject: [PATCH] ipatests: on rhel10 do not install firefox - -Firefox will be installed as a pre-requisite as it either comes -as a flatpak or a tar file. The flatpak is not compatible with -geckodriver as explained in geckodriver release notes -(https://github.com/mozilla/geckodriver/releases/tag/v0.35.0) - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Michal Polovka ---- - ipatests/pytest_ipa/integration/create_keycloak.py | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py -index addade7594d7a1b8edefdb8c67ec4bc7abe70ef4..7f0850ca704b3d4c9748a8e46cad1fff7c31f112 100644 ---- a/ipatests/pytest_ipa/integration/create_keycloak.py -+++ b/ipatests/pytest_ipa/integration/create_keycloak.py -@@ -9,9 +9,13 @@ from ipatests.pytest_ipa.integration import tasks - def setup_keycloakserver(host, version='26.1.0'): - dir = "/opt/keycloak" - password = host.config.admin_password -- tasks.install_packages(host, ["unzip", "java-21-openjdk-headless", -- "openssl", "maven", "wget", -- "firefox", "xorg-x11-server-Xvfb"]) -+ packages = ["unzip", "java-21-openjdk-headless", "openssl", "maven", "wget"] -+ # For RHEL 10 we don't install firefox as it is not shipped any more -+ # as a rpm. The infra handles the installation from a zip file -+ if not (tasks.get_platform(host) == "rhel" -+ and tasks.get_platform_version(host)[0] == 10): -+ packages.extend(["firefox", "xorg-x11-server-Xvfb"]) -+ tasks.install_packages(host, packages) - # add keycloak system user/group and folder - url = "https://github.com/keycloak/keycloak/releases/download/{0}/keycloak-{0}.zip".format(version) # noqa: E501 - host.run_command(["wget", url, "-O", "{0}-{1}.zip".format(dir, version)]) --- -2.48.1 - diff --git a/0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch b/0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch deleted file mode 100644 index ca4bc30..0000000 --- a/0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 47ce0982249ee7ce12b38eae5ce3ee6a9b5df52e Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 4 Feb 2025 12:54:48 -0500 -Subject: [PATCH] Configure the pki-tomcatd service systemd timeout - -IPA defines a startup timeout that is primarily used -during installation to extend service start-up timeouts -on slower systems. - -This tends to work ok when runing pki-spawn but can fail when -systemd is starting the tomcat service. - -Use the value of startup_timeout to set TimeoutStartSec in -the pki-tomcat systemd override file ipa.conf. This will -preserve the necessary startup_timeout for all future restarts. - -This was seen with a very slow HSM where installation was successful -(pki-spawn) but pki-tomcatd startup timed out at the end of the -installation. - -To increase the value in installation one needs to create the file -/etc/ipa/installer.conf with contents: - -[global] -startup_timeout = 300 (or whatever) - -Fixes: https://pagure.io/freeipa/issue/9743 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipaserver/install/cainstance.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 76718036dbd317651edc98ce631405e42bf814d7..c8ecde8f2e9649d57012fcda937ee5816105df4e 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -713,7 +713,12 @@ class CAInstance(DogtagInstance): - f.write('[Service]\n') - f.write('Environment=LC_ALL=C.UTF-8\n') - f.write('ExecStartPost={}\n'.format(paths.IPA_PKI_WAIT_RUNNING)) -+ f.write('TimeoutStartSec=%d\n' % api.env.startup_timeout) - tasks.systemd_daemon_reload() -+ logger.info( -+ "Set start up timeout of pki-tomcatd service to %d seconds", -+ api.env.startup_timeout -+ ) - - def safe_backup_config(self): - """ --- -2.48.1 - diff --git a/0068-Align-startup_timeout-with-the-systemd-default-and-d.patch b/0068-Align-startup_timeout-with-the-systemd-default-and-d.patch deleted file mode 100644 index c0d15af..0000000 --- a/0068-Align-startup_timeout-with-the-systemd-default-and-d.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 22cbc5ed4889d6c66e2916d5acde582b1868fbc9 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 10 Feb 2025 10:45:39 -0500 -Subject: [PATCH] Align startup_timeout with the systemd default and document - it - -We had it set to 120 seconds while the systemd default is 90. -They should be the same because the first one that times out "wins". - -Move where during the installation we create the systemd override -file so that the timeout will be applied across all subsequent -server starts during and post installation. - -Fixes: https://pagure.io/freeipa/issue/9743 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - client/man/default.conf.5 | 2 +- - ipalib/constants.py | 5 +++-- - ipaserver/install/cainstance.py | 3 ++- - 3 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 -index e0aec21f725d88ce2ba3cf52901fb15575892cde..461c60134124ed3e31e17ac350576487fda4c46e 100644 ---- a/client/man/default.conf.5 -+++ b/client/man/default.conf.5 -@@ -191,7 +191,7 @@ Specifies the IPA Server hostname. - Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution. - .TP - .B startup_timeout