Update to upstream 4.6.90.pre1

Resolves: #1551830, #1551677, #1547959, #1496562, #1179220
2018-03-16 13:47:47 -04:00 · 2018-03-16 13:47:47 -04:00 · 2b035d369f
commit 2b035d369f
parent 5e4d8ce49d
1 changed files with 57 additions and 119 deletions
--- a/freeipa.spec
+++ b/freeipa.spec
@ -67,7 +67,8 @@
 # Require 4.7.0 which brings Python 3 bindings
 %global samba_version 2:4.7.0
 %global samba_build_version 2:4.2.1
-%global selinux_policy_version 3.13.1-158.4
+# DNSSEC AVC violation, RHBZ#1537971
+%global selinux_policy_version 3.13.1-283.24
 %global slapi_nis_version 0.56.1

 # Use python3-pyldap to be compatible with old python3-pyldap 2.x and new
@ -77,12 +78,15 @@
 %global python2_ldap_version 3.0.0-0.4.b4
 %global python3_ldap_version 3.0.0-0.4.b4
 %else
-%global python2_ldap_version 2.4.15
+# syncrepl fix, https://pagure.io/freeipa/issue/7240
+%global python2_ldap_version 2.4.25-9
 %global python3_ldap_version 2.4.35.1-2
 %endif

 %endif

+# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes
+%global pki_version 10.6.0-0.2

 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')

@ -90,13 +94,13 @@
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa

-%global VERSION 4.6.3
+%global VERSION 4.6.90.pre1

 %define _hardened_build 1

 Name:           freeipa
 Version:        %{VERSION}
-Release:        5%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -105,11 +109,6 @@ URL:            https://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc

-# https://pagure.io/freeipa/issue/7389
-Patch0001:		0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch
-# https://pagure.io/freeipa/issue/7394
-Patch0002:		0002-Replace-wsgi-package-conflict-with-config-file.patch
-
 # For the timestamp trick in patch application
 BuildRequires:  diffstat

@ -221,7 +220,7 @@ BuildRequires:  python2-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python2-yubico
 # pki Python package
-BuildRequires:  pki-base-python2 >= 10.5.1-2
+BuildRequires:  pki-base-python2 >= %{pki_version}
 BuildRequires:  python2-pytest-multihost
 BuildRequires:  python2-pytest-sourceorder
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@ -239,7 +238,6 @@ BuildRequires:  python2-netifaces
 BuildRequires:  python2-sss
 BuildRequires:  python2-sss-murmur
 BuildRequires:  python2-sssdconfig
-BuildRequires:  python2-nose
 BuildRequires:  python2-paste
 BuildRequires:  python2-systemd
 BuildRequires:  python2-jinja2
@ -263,7 +261,7 @@ BuildRequires:  python3-qrcode-core >= 5.0.0
 BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
-BuildRequires:  pki-base-python3 >= 10.5.1-2
+BuildRequires:  pki-base-python3 >= %{pki_version}
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@ -278,7 +276,6 @@ BuildRequires:  python3-sss
 BuildRequires:  python3-sss-murmur
 BuildRequires:  python3-sssdconfig
 BuildRequires:  python3-libsss_nss_idmap
-BuildRequires:  python3-nose
 BuildRequires:  python3-paste
 BuildRequires:  python3-systemd
 BuildRequires:  python3-jinja2
@ -322,8 +319,10 @@ Requires: python3-pyldap >= %{python3_ldap_version}
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: python2-ldap >= %{python2_ldap_version}
 %endif
-# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires: 389-ds-base >= 1.3.7.6-1
+# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
+Requires: 389-ds-base >= 1.3.7.9-1
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@ -347,8 +346,7 @@ Requires: python2-systemd
 Requires: mod_wsgi
 %endif
 Requires: mod_auth_gssapi >= 1.5.0
-# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
-Requires: mod_nss >= 1.0.14-3
+Requires: mod_ssl
 Requires: mod_session
 # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
 Requires: mod_lookup_identity >= 0.9.9
@ -360,16 +358,17 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-# 10.5.1-2 contains Python 3 vault fix
-Requires: pki-ca >= 10.5.1-2
-Requires: pki-kra >= 10.5.1-2
+Requires: pki-ca >= %{pki_version}
+Requires: pki-kra >= %{pki_version}
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.79.5-1
-# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires(pre): 389-ds-base >= 1.3.7.6-1
+# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
+Requires(pre): 389-ds-base >= 1.3.7.9-1
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@ -430,7 +429,7 @@ BuildRequires:  dbus-python
 Requires: python2-dns >= 1.15
 Requires: python2-kdcproxy >= 0.3
 Requires: rpm-libs
-Requires: pki-base-python2 >= 10.5.1-2
+Requires: pki-base-python2 >= %{pki_version}
 Requires: python2-augeas

 %description -n python2-ipaserver
@ -464,7 +463,7 @@ Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: python3-augeas
 Requires: rpm-libs
-Requires: pki-base-python3 >= 10.5.1-2
+Requires: pki-base-python3 >= %{pki_version}

 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@ -510,10 +509,7 @@ Requires: bind-utils >= 9.11.0-6.P2
 Requires: bind-pkcs11 >= 9.11.0-6.P2
 Requires: bind-pkcs11-utils >= 9.11.0-6.P2
 Requires: opendnssec >= 1.4.6-4
-# Keep python2 dependencies until DNSSEC daemons are ported to Python 3
-Requires: python2
-Requires: python2-ipalib
-Requires: python2-ipaserver
+%{?systemd_requires}

 Provides: %{alt_name}-server-dns = %{version}
 Conflicts: %{alt_name}-server-dns
@ -579,11 +575,13 @@ Requires: python3-gssapi >= 1.2.0-5
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-pyldap >= %{python3_ldap_version}
 Requires: python3-sssdconfig
+Requires: python3-sssdconfig
 %else
 Requires: python2-gssapi >= 1.2.0-5
 Requires: python2-ipaclient = %{version}-%{release}
 Requires: python2-ldap >= %{python2_ldap_version}
 Requires: python2-sssdconfig
+Requires: python2-sssdconfig
 %endif
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
@ -863,7 +861,6 @@ Requires: python2-ipaclient = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: tar
 Requires: xz
-Requires: python2-nose
 Requires: pytest >= 2.6
 Requires: python2-paste
 Requires: python2-coverage
@ -872,9 +869,9 @@ Requires: python2-polib
 Requires: python2-pytest-multihost >= 0.5
 Requires: python2-pytest-sourceorder
 Requires: ldns-utils
-Requires: python2-sssdconfig
 Requires: python2-cryptography >= 1.6
 Requires: iptables
+Requires: python2-mock

 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@ -899,7 +896,6 @@ Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: tar
 Requires: xz
-Requires: python3-nose
 Requires: python3-pytest >= 2.6
 Requires: python3-coverage
 Requires: python3-polib
@ -961,6 +957,8 @@ export JAVA_STACK_SIZE="16m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
 export PYTHON=%{__python2}
+
+%if ! 0%{?with_python3}
 # Workaround: make sure all shebangs are pointing to Python 2
 # This should be solved properly using setuptools
 # and this hack should be removed.
@ -969,61 +967,7 @@ find \
   ! -name '*.pyo' -a \
   -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
   -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
-
-%if 0%{?with_python3}
-# TODO: temporary solution until all scripts are ported to python3,
-# TODO: workaround: some scripts are copied over, so the are always py2.
-# We have to explicitly set python3 here for ported files here
-PY3_SUBST_PATHS='
-client/ipa-certupdate
-client/ipa-client-automount
-client/ipa-client-install
-daemons/ipa-otpd/test.py
-install/certmonger/ipa-server-guard
-install/certmonger/dogtag-ipa-ca-renew-agent-submit
-install/oddjob/com.redhat.idm.trust-fetch-domains
-install/restart_scripts/renew_ra_cert_pre
-install/restart_scripts/renew_ca_cert
-install/restart_scripts/renew_ra_cert
-install/restart_scripts/restart_httpd
-install/restart_scripts/renew_kdc_cert
-install/restart_scripts/stop_pkicad
-install/restart_scripts/restart_dirsrv
-install/tools/ipa-advise
-install/tools/ipa-adtrust-install
-install/tools/ipa-backup
-install/tools/ipa-ca-install
-install/tools/ipa-cacert-manage
-install/tools/ipa-compat-manage
-install/tools/ipa-csreplica-manage
-install/tools/ipa-custodia
-install/tools/ipa-custodia-check
-install/tools/ipa-dns-install
-install/tools/ipa-httpd-kdcproxy
-install/tools/ipa-kra-install
-install/tools/ipa-ldap-updater
-install/tools/ipa-managed-entries
-install/tools/ipa-nis-manage
-install/tools/ipa-otptoken-import
-install/tools/ipa-pkinit-manage
-install/tools/ipa-pki-retrieve-key
-install/tools/ipa-replica-conncheck
-install/tools/ipa-replica-install
-install/tools/ipa-replica-manage
-install/tools/ipa-replica-prepare
-install/tools/ipa-restore
-install/tools/ipa-server-certinstall
-install/tools/ipa-server-install
-install/tools/ipa-server-upgrade
-install/tools/ipa-winsync-migrate
-install/tools/ipactl
-ipa
-'
-for P in $PY3_SUBST_PATHS; do
-    sed -i -e '1 s|^#!\s\?.*\bpython[0-9]*|#!%{__python3}|' $P
-done;
-
-%endif # with_python3
+%endif # ! with_python3

 %configure --with-vendor-suffix=-%{release} \
           %{enable_server_option} \
@ -1034,22 +978,14 @@ done;
 %make_build -Onone

 %if 0%{?with_python3}
-pushd %{_builddir}/freeipa-%{version}-python3
 export PYTHON=%{__python3}
-# Workaround: make sure all shebangs are pointing to Python 3
-# This should be solved properly using setuptools
-# and this hack should be removed.
-find \
-   ! -name '*.pyc' -a \
-   ! -name '*.pyo' -a \
-   -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
-   -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
+pushd %{_builddir}/freeipa-%{version}-python3
 %configure --with-vendor-suffix=-%{release} \
           %{enable_server_option} \
           %{with_ipatests_option} \
           %{linter_options}
 popd
-%endif # with_python3
+%endif  # with_python3


 %check
@ -1074,16 +1010,7 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
 # will overwrite /usr/bin/ipa and other scripts with variants using
 # python2 shebang.
 pushd %{_builddir}/freeipa-%{version}-python3
-(cd ipaclient && %make_install)
-(cd ipalib && %make_install)
-(cd ipaplatform && %make_install)
-(cd ipapython && %make_install)
-%if ! %{ONLY_CLIENT}
-(cd ipaserver && %make_install)
-%endif # ONLY_CLIENT
-%if 0%{?with_ipatests}
-(cd ipatests && %make_install)
-%endif # with_ipatests
+%{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p"
 popd

 %if 0%{?with_ipatests}
@ -1251,6 +1178,17 @@ getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c
 # add apache to ipaaapi group
 id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi

+
+%post server-dns
+%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+%preun server-dns
+%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+%postun server-dns
+%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
    if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@ -1392,9 +1330,6 @@ fi
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-custodia-check
-%{_libexecdir}/ipa/ipa-dnskeysyncd
-%{_libexecdir}/ipa/ipa-dnskeysync-replica
-%{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
 %{_libexecdir}/ipa/ipa-otpd
@ -1408,9 +1343,6 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
 %attr(644,root,root) %{_unitdir}/ipa-otpd@.service
-%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
-%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
-%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
@ -1479,8 +1411,6 @@ fi
 %license COPYING
 %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
-%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
-%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
 # NOTE: systemd specific section
 %{_tmpfilesdir}/ipa.conf
@ -1539,10 +1469,6 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
-%{_usr}/share/ipa/ipa.conf
-%{_usr}/share/ipa/ipa-rewrite.conf
-%{_usr}/share/ipa/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
@ -1555,6 +1481,7 @@ fi
 %attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
@ -1567,9 +1494,17 @@ fi
 %defattr(-,root,root,-)
 %doc README.md Contributors.txt
 %license COPYING
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
+%{_libexecdir}/ipa/ipa-dnskeysyncd
+%{_libexecdir}/ipa/ipa-dnskeysync-replica
+%{_libexecdir}/ipa/ipa-ods-exporter
 %{_sbindir}/ipa-dns-install
 %{_mandir}/man1/ipa-dns-install.1*
-
+%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service

 %files server-trust-ad
 %defattr(-,root,root,-)
@ -1781,6 +1716,9 @@ fi
 %endif # with_ipatests

 %changelog
+* Fri Mar 16 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-1
+- Update to upstream 4.6.90.pre1
+
 * Tue Feb 20 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-5
 - Disable i686 server builds because 389-ds no longer provides
  builds on that arch. (#1544386)