First build for RHEL 8.9
- Rebase ipa to 4.9.12 Resolves: RHBZ#2196425 - user or group name: explain the supported format Resolves: RHBZ#2150217 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
parent
4471000467
commit
2d7a6e674e
|
@ -1,2 +1,4 @@
|
||||||
SOURCES/freeipa-4.9.11.tar.gz
|
SOURCES/freeipa-4.9.11.tar.gz
|
||||||
/freeipa-4.9.11.tar.gz
|
/freeipa-4.9.11.tar.gz
|
||||||
|
/freeipa-4.9.12.tar.gz
|
||||||
|
/freeipa-4.9.12.tar.gz.asc
|
||||||
|
|
|
@ -1,56 +0,0 @@
|
||||||
From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Wed, 29 Jun 2022 13:25:55 +0000
|
|
||||||
Subject: [PATCH] Only calculate LDAP password grace when the password is
|
|
||||||
expired
|
|
||||||
|
|
||||||
The user's pwd expiration was retrieved but inadvertently was never
|
|
||||||
compared to current time. So any LDAP bind, including from the
|
|
||||||
IPA API, counted against the grace period. There is no need to go
|
|
||||||
through the graceperiod code for non-expired passwords.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/1539
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
|
|
||||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
|
||||||
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
|
|
||||||
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
|
||||||
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
|
||||||
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
|
||||||
Slapi_ValueSet *values = NULL;
|
|
||||||
long grace_limit = 0;
|
|
||||||
int grace_user_time;
|
|
||||||
- char *pwd_expiration = NULL;
|
|
||||||
+ char *tmpstr = NULL;
|
|
||||||
+ time_t pwd_expiration;
|
|
||||||
int pwresponse_requested = 0;
|
|
||||||
Slapi_PBlock *pbtm = NULL;
|
|
||||||
Slapi_Mods *smods = NULL;
|
|
||||||
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
|
||||||
}
|
|
||||||
slapi_value_free(&objectclass);
|
|
||||||
|
|
||||||
- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
|
|
||||||
- if (pwd_expiration == NULL) {
|
|
||||||
+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
|
|
||||||
+ if (tmpstr == NULL) {
|
|
||||||
/* No expiration means nothing to do */
|
|
||||||
LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
|
|
||||||
+ if (pwd_expiration > time(NULL)) {
|
|
||||||
+ /* Not expired, nothing to see here */
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
|
|
||||||
&values, &actual_type_name,
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
|
@ -1,70 +0,0 @@
|
||||||
From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
||||||
Date: Fri, 10 Dec 2021 12:15:36 -0300
|
|
||||||
Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
|
|
||||||
|
|
||||||
This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
|
|
||||||
---
|
|
||||||
freeipa.spec.in | 4 +---
|
|
||||||
ipaplatform/base/paths.py | 2 +-
|
|
||||||
ipaplatform/fedora/paths.py | 1 +
|
|
||||||
ipaserver/dnssec/bindmgr.py | 1 -
|
|
||||||
4 files changed, 3 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index 8f5c370e5..e20edb7bc 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
|
|
||||||
Requires: bind-dyndb-ldap >= 11.2-2
|
|
||||||
Requires: bind >= %{bind_version}
|
|
||||||
Requires: bind-utils >= %{bind_version}
|
|
||||||
-# bind-dnssec-utils is required by the OpenDNSSec integration
|
|
||||||
-# https://pagure.io/freeipa/issue/9026
|
|
||||||
-Requires: bind-dnssec-utils >= %{bind_version}
|
|
||||||
%if %{with bind_pkcs11}
|
|
||||||
Requires: bind-pkcs11 >= %{bind_version}
|
|
||||||
+Requires: bind-pkcs11-utils >= %{bind_version}
|
|
||||||
%else
|
|
||||||
Requires: softhsm >= %{softhsm_version}
|
|
||||||
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
|
|
||||||
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
|
||||||
index 7d21367ec..42a47f1df 100644
|
|
||||||
--- a/ipaplatform/base/paths.py
|
|
||||||
+++ b/ipaplatform/base/paths.py
|
|
||||||
@@ -259,7 +259,7 @@ class BasePathNamespace:
|
|
||||||
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
|
|
||||||
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
|
|
||||||
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
|
|
||||||
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
|
|
||||||
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
|
|
||||||
GETSEBOOL = "/usr/sbin/getsebool"
|
|
||||||
GROUPADD = "/usr/sbin/groupadd"
|
|
||||||
USERMOD = "/usr/sbin/usermod"
|
|
||||||
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
|
|
||||||
index 4e993c063..92a948966 100644
|
|
||||||
--- a/ipaplatform/fedora/paths.py
|
|
||||||
+++ b/ipaplatform/fedora/paths.py
|
|
||||||
@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
|
|
||||||
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
|
|
||||||
if HAS_NFS_CONF:
|
|
||||||
SYSCONFIG_NFS = '/etc/nfs.conf'
|
|
||||||
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
|
|
||||||
|
|
||||||
|
|
||||||
paths = FedoraPathNamespace()
|
|
||||||
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
|
|
||||||
index 0c79cc03d..a15c0e601 100644
|
|
||||||
--- a/ipaserver/dnssec/bindmgr.py
|
|
||||||
+++ b/ipaserver/dnssec/bindmgr.py
|
|
||||||
@@ -127,7 +127,6 @@ class BINDMgr:
|
|
||||||
)
|
|
||||||
cmd = [
|
|
||||||
paths.DNSSEC_KEYFROMLABEL,
|
|
||||||
- '-E', 'pkcs11',
|
|
||||||
'-K', workdir,
|
|
||||||
'-a', attrs['idnsSecAlgorithm'][0],
|
|
||||||
'-l', uri
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
|
@ -1,41 +0,0 @@
|
||||||
From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Dec 02 2022 12:21:22 +0000
|
|
||||||
Subject: updates: fix memberManager ACI to allow managers from a specified group
|
|
||||||
|
|
||||||
|
|
||||||
The original implementation of the member manager added support for both
|
|
||||||
user and group managers but left out upgrade scenario. This means when
|
|
||||||
upgrading existing installation a manager whose rights defined by the
|
|
||||||
group membership would not be able to add group members until the ACI is
|
|
||||||
fixed.
|
|
||||||
|
|
||||||
Remove old ACI and add a full one during upgrade step.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9286
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
|
|
||||||
index a168bb9..4a7ba13 100644
|
|
||||||
--- a/install/updates/20-aci.update
|
|
||||||
+++ b/install/updates/20-aci.update
|
|
||||||
@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can
|
|
||||||
|
|
||||||
# Allow member managers to modify members of user groups
|
|
||||||
dn: cn=groups,cn=accounts,$SUFFIX
|
|
||||||
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
||||||
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
||||||
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
|
||||||
|
|
||||||
# Allow member managers to modify members of host groups
|
|
||||||
dn: cn=hostgroups,cn=accounts,$SUFFIX
|
|
||||||
-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
||||||
+remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
|
|
||||||
+add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
|
|
||||||
|
|
||||||
# Hosts can add and delete their own services
|
|
||||||
dn: cn=services,cn=accounts,$SUFFIX
|
|
||||||
|
|
|
@ -0,0 +1,261 @@
|
||||||
|
From f42a106e84c1fd609350da2540289ce945a7ecbd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Thu, 11 May 2023 10:53:58 +0200
|
||||||
|
Subject: [PATCH] user or group name: explain the supported format
|
||||||
|
|
||||||
|
The commands ipa user-add or ipa group-add validate the
|
||||||
|
format of the user/group name and display the following
|
||||||
|
message when it does not conform to the expectations:
|
||||||
|
invalid 'login': may only include letters, numbers, _, -, . and $
|
||||||
|
|
||||||
|
The format is more complex, for instance '1234567' is an invalid
|
||||||
|
user name but the failure is inconsistent with the error message.
|
||||||
|
Modify the error message to point to ipa help user/group and add
|
||||||
|
more details in the help message.
|
||||||
|
|
||||||
|
Same change for idoverrideuser and idoverridegroup:
|
||||||
|
The user/group name must follow these rules:
|
||||||
|
- cannot contain only numbers
|
||||||
|
- must start with a letter, a number, _ or .
|
||||||
|
- may contain letters, numbers, _, ., or -
|
||||||
|
- may end with a letter, a number, _, ., - or $
|
||||||
|
|
||||||
|
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipalib/constants.py | 5 +++++
|
||||||
|
ipaserver/plugins/baseuser.py | 2 +-
|
||||||
|
ipaserver/plugins/group.py | 10 ++++++++--
|
||||||
|
ipaserver/plugins/idviews.py | 5 +++--
|
||||||
|
ipaserver/plugins/stageuser.py | 6 ++++++
|
||||||
|
ipaserver/plugins/user.py | 6 ++++++
|
||||||
|
ipatests/test_xmlrpc/test_group_plugin.py | 5 +++--
|
||||||
|
ipatests/test_xmlrpc/test_stageuser_plugin.py | 3 ++-
|
||||||
|
ipatests/test_xmlrpc/test_user_plugin.py | 7 ++++---
|
||||||
|
9 files changed, 38 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
||||||
|
index 4b759a573..104419bc2 100644
|
||||||
|
--- a/ipalib/constants.py
|
||||||
|
+++ b/ipalib/constants.py
|
||||||
|
@@ -319,6 +319,11 @@ MAXHOSTFQDNLEN = 253
|
||||||
|
PATTERN_GROUPUSER_NAME = (
|
||||||
|
'(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
|
||||||
|
)
|
||||||
|
+ERRMSG_GROUPUSER_NAME = (
|
||||||
|
+ 'may only include letters, numbers, _, -, . and $'
|
||||||
|
+ ', refer to \'ipa help {}\' for complete format '
|
||||||
|
+ 'description'
|
||||||
|
+)
|
||||||
|
|
||||||
|
# Kerberos Anonymous principal name
|
||||||
|
ANON_USER = 'WELLKNOWN/ANONYMOUS'
|
||||||
|
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||||
|
index 684a65242..bae6c54ff 100644
|
||||||
|
--- a/ipaserver/plugins/baseuser.py
|
||||||
|
+++ b/ipaserver/plugins/baseuser.py
|
||||||
|
@@ -211,7 +211,7 @@ class baseuser(LDAPObject):
|
||||||
|
takes_params = (
|
||||||
|
Str('uid',
|
||||||
|
pattern=constants.PATTERN_GROUPUSER_NAME,
|
||||||
|
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
|
||||||
|
+ pattern_errmsg=constants.ERRMSG_GROUPUSER_NAME.format('user'),
|
||||||
|
maxlength=255,
|
||||||
|
cli_name='login',
|
||||||
|
label=_('User login'),
|
||||||
|
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
|
||||||
|
index afdad93c1..0333ed622 100644
|
||||||
|
--- a/ipaserver/plugins/group.py
|
||||||
|
+++ b/ipaserver/plugins/group.py
|
||||||
|
@@ -24,7 +24,7 @@ import logging
|
||||||
|
|
||||||
|
from ipalib import api
|
||||||
|
from ipalib import Int, Str, Flag
|
||||||
|
-from ipalib.constants import PATTERN_GROUPUSER_NAME
|
||||||
|
+from ipalib.constants import PATTERN_GROUPUSER_NAME, ERRMSG_GROUPUSER_NAME
|
||||||
|
from ipalib.plugable import Registry
|
||||||
|
from .baseldap import (
|
||||||
|
add_external_post_callback,
|
||||||
|
@@ -70,6 +70,12 @@ converted to non-POSIX groups.
|
||||||
|
|
||||||
|
Every group must have a description.
|
||||||
|
|
||||||
|
+The group name must follow these rules:
|
||||||
|
+- cannot contain only numbers
|
||||||
|
+- must start with a letter, a number, _ or .
|
||||||
|
+- may contain letters, numbers, _, ., or -
|
||||||
|
+- may end with a letter, a number, _, ., - or $
|
||||||
|
+
|
||||||
|
POSIX groups must have a Group ID (GID) number. Changing a GID is
|
||||||
|
supported but can have an impact on your file permissions. It is not necessary
|
||||||
|
to supply a GID when creating a group. IPA will generate one automatically
|
||||||
|
@@ -330,7 +336,7 @@ class group(LDAPObject):
|
||||||
|
takes_params = (
|
||||||
|
Str('cn',
|
||||||
|
pattern=PATTERN_GROUPUSER_NAME,
|
||||||
|
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
|
||||||
|
+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'),
|
||||||
|
maxlength=255,
|
||||||
|
cli_name='group_name',
|
||||||
|
label=_('Group name'),
|
||||||
|
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
|
||||||
|
index 4f4b3a2f7..6a16884cf 100644
|
||||||
|
--- a/ipaserver/plugins/idviews.py
|
||||||
|
+++ b/ipaserver/plugins/idviews.py
|
||||||
|
@@ -37,6 +37,7 @@ from ipalib.constants import (
|
||||||
|
IPA_ANCHOR_PREFIX,
|
||||||
|
SID_ANCHOR_PREFIX,
|
||||||
|
PATTERN_GROUPUSER_NAME,
|
||||||
|
+ ERRMSG_GROUPUSER_NAME
|
||||||
|
)
|
||||||
|
from ipalib.plugable import Registry
|
||||||
|
from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
|
||||||
|
@@ -1025,7 +1026,7 @@ class idoverrideuser(baseidoverride):
|
||||||
|
takes_params = baseidoverride.takes_params + (
|
||||||
|
Str('uid?',
|
||||||
|
pattern=PATTERN_GROUPUSER_NAME,
|
||||||
|
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
|
||||||
|
+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('user'),
|
||||||
|
maxlength=255,
|
||||||
|
cli_name='login',
|
||||||
|
label=_('User login'),
|
||||||
|
@@ -1128,7 +1129,7 @@ class idoverridegroup(baseidoverride):
|
||||||
|
takes_params = baseidoverride.takes_params + (
|
||||||
|
Str('cn?',
|
||||||
|
pattern=PATTERN_GROUPUSER_NAME,
|
||||||
|
- pattern_errmsg='may only include letters, numbers, _, -, . and $',
|
||||||
|
+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'),
|
||||||
|
maxlength=255,
|
||||||
|
cli_name='group_name',
|
||||||
|
label=_('Group name'),
|
||||||
|
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
|
||||||
|
index 760dff7ab..51438a83a 100644
|
||||||
|
--- a/ipaserver/plugins/stageuser.py
|
||||||
|
+++ b/ipaserver/plugins/stageuser.py
|
||||||
|
@@ -94,6 +94,12 @@ usernames that start with a digit or usernames that exceed a certain length
|
||||||
|
may cause problems for some UNIX systems.
|
||||||
|
Use 'ipa config-mod' to change the username format allowed by IPA tools.
|
||||||
|
|
||||||
|
+The user name must follow these rules:
|
||||||
|
+- cannot contain only numbers
|
||||||
|
+- must start with a letter, a number, _ or .
|
||||||
|
+- may contain letters, numbers, _, ., or -
|
||||||
|
+- may end with a letter, a number, _, ., - or $
|
||||||
|
+
|
||||||
|
|
||||||
|
EXAMPLES:
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||||
|
index fa8a67d3d..643b44f14 100644
|
||||||
|
--- a/ipaserver/plugins/user.py
|
||||||
|
+++ b/ipaserver/plugins/user.py
|
||||||
|
@@ -88,6 +88,12 @@ usernames that start with a digit or usernames that exceed a certain length
|
||||||
|
may cause problems for some UNIX systems.
|
||||||
|
Use 'ipa config-mod' to change the username format allowed by IPA tools.
|
||||||
|
|
||||||
|
+The user name must follow these rules:
|
||||||
|
+- cannot contain only numbers
|
||||||
|
+- must start with a letter, a number, _ or .
|
||||||
|
+- may contain letters, numbers, _, ., or -
|
||||||
|
+- may end with a letter, a number, _, ., - or $
|
||||||
|
+
|
||||||
|
Disabling a user account prevents that user from obtaining new Kerberos
|
||||||
|
credentials. It does not invalidate any credentials that have already
|
||||||
|
been issued.
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
|
||||||
|
index f9a0e2cfe..27bc21fbc 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_group_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_group_plugin.py
|
||||||
|
@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/group.py` module.
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
from ipalib import errors
|
||||||
|
+from ipalib.constants import ERRMSG_GROUPUSER_NAME
|
||||||
|
from ipatests.test_xmlrpc import objectclasses
|
||||||
|
from ipatests.test_xmlrpc.xmlrpc_test import (
|
||||||
|
fuzzy_digits, fuzzy_uuid, fuzzy_set_ci,
|
||||||
|
@@ -169,7 +170,7 @@ class TestGroup(XMLRPC_test):
|
||||||
|
)
|
||||||
|
with raises_exact(errors.ValidationError(
|
||||||
|
name='group_name',
|
||||||
|
- error=u'may only include letters, numbers, _, -, . and $')):
|
||||||
|
+ error=ERRMSG_GROUPUSER_NAME.format('group'))):
|
||||||
|
command()
|
||||||
|
|
||||||
|
def test_create_with_name_starting_with_numeric(self):
|
||||||
|
@@ -188,7 +189,7 @@ class TestGroup(XMLRPC_test):
|
||||||
|
)
|
||||||
|
with raises_exact(errors.ValidationError(
|
||||||
|
name='group_name',
|
||||||
|
- error=u'may only include letters, numbers, _, -, . and $',
|
||||||
|
+ error=ERRMSG_GROUPUSER_NAME.format('group'),
|
||||||
|
)):
|
||||||
|
testgroup.create()
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
index fd146876c..bd877aa94 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
@@ -12,6 +12,7 @@ import six
|
||||||
|
|
||||||
|
from collections import OrderedDict
|
||||||
|
from ipalib import api, errors
|
||||||
|
+from ipalib.constants import ERRMSG_GROUPUSER_NAME
|
||||||
|
from ipaplatform.constants import constants as platformconstants
|
||||||
|
|
||||||
|
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
|
||||||
|
@@ -357,7 +358,7 @@ class TestCreateInvalidAttributes(XMLRPC_test):
|
||||||
|
command = invalid.make_create_command()
|
||||||
|
with raises_exact(errors.ValidationError(
|
||||||
|
name='login',
|
||||||
|
- error=u"may only include letters, numbers, _, -, . and $")):
|
||||||
|
+ error=ERRMSG_GROUPUSER_NAME.format('user'))):
|
||||||
|
command()
|
||||||
|
|
||||||
|
def test_create_long_uid(self):
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
index c156a8793..eadfe6a65 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||||
|
@@ -31,6 +31,7 @@ import ldap
|
||||||
|
import re
|
||||||
|
|
||||||
|
from ipalib import api, errors
|
||||||
|
+from ipalib.constants import ERRMSG_GROUPUSER_NAME
|
||||||
|
from ipaplatform.constants import constants as platformconstants
|
||||||
|
from ipapython import ipautil
|
||||||
|
from ipatests.test_xmlrpc import objectclasses
|
||||||
|
@@ -502,7 +503,7 @@ class TestUpdate(XMLRPC_test):
|
||||||
|
)
|
||||||
|
with raises_exact(errors.ValidationError(
|
||||||
|
name='rename',
|
||||||
|
- error=u'may only include letters, numbers, _, -, . and $')):
|
||||||
|
+ error=ERRMSG_GROUPUSER_NAME.format('user'))):
|
||||||
|
command()
|
||||||
|
|
||||||
|
def test_add_radius_username(self, user):
|
||||||
|
@@ -556,7 +557,7 @@ class TestCreate(XMLRPC_test):
|
||||||
|
command = testuser.make_create_command()
|
||||||
|
with raises_exact(errors.ValidationError(
|
||||||
|
name=u'login',
|
||||||
|
- error=u'may only include letters, numbers, _, -, . and $')):
|
||||||
|
+ error=ERRMSG_GROUPUSER_NAME.format('user'))):
|
||||||
|
command()
|
||||||
|
|
||||||
|
def test_create_with_too_long_login(self):
|
||||||
|
@@ -730,7 +731,7 @@ class TestCreate(XMLRPC_test):
|
||||||
|
)
|
||||||
|
with raises_exact(errors.ValidationError(
|
||||||
|
name=u'login',
|
||||||
|
- error=u'may only include letters, numbers, _, -, . and $',
|
||||||
|
+ error=ERRMSG_GROUPUSER_NAME.format('user'),
|
||||||
|
)):
|
||||||
|
testuser.create()
|
||||||
|
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
|
@ -1,75 +0,0 @@
|
||||||
From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Wed, 15 Dec 2021 10:47:02 +0100
|
|
||||||
Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
|
|
||||||
|
|
||||||
When ipa config-mod is called with the option --enable-sid,
|
|
||||||
the code needs to trap EmptyModlist exception (it is expected
|
|
||||||
that no LDAP attribute is modified by this operation).
|
|
||||||
The code had a flaw and was checking:
|
|
||||||
'enable_sid' in options
|
|
||||||
instead of
|
|
||||||
options['enable_sid']
|
|
||||||
|
|
||||||
"'enable_sid' in options" always returns true as this option
|
|
||||||
is a Flag with a default value, hence always present even if
|
|
||||||
not specified on the command line.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9063
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/plugins/config.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
|
|
||||||
index eae401fc3..24446beb0 100644
|
|
||||||
--- a/ipaserver/plugins/config.py
|
|
||||||
+++ b/ipaserver/plugins/config.py
|
|
||||||
@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
|
|
||||||
if (isinstance(exc, errors.EmptyModlist) and
|
|
||||||
call_func.__name__ == 'update_entry' and
|
|
||||||
('ca_renewal_master_server' in options or
|
|
||||||
- 'enable_sid' in options)):
|
|
||||||
+ options['enable_sid'])):
|
|
||||||
return
|
|
||||||
|
|
||||||
super(config_mod, self).exc_callback(
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Wed, 15 Dec 2021 10:51:05 +0100
|
|
||||||
Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
|
|
||||||
|
|
||||||
Add a test to test_config_plugin, that calls ipa config-mod
|
|
||||||
with the same value as already present in LDAP.
|
|
||||||
The call must return EmptyModlist.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9063
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
|
|
||||||
index e981bb4a0..a8ec9f0e5 100644
|
|
||||||
--- a/ipatests/test_xmlrpc/test_config_plugin.py
|
|
||||||
+++ b/ipatests/test_xmlrpc/test_config_plugin.py
|
|
||||||
@@ -312,4 +312,13 @@ class test_config(Declarative):
|
|
||||||
'value': None,
|
|
||||||
},
|
|
||||||
),
|
|
||||||
+ dict(
|
|
||||||
+ desc='Set the value to the already set value, no modifications',
|
|
||||||
+ command=(
|
|
||||||
+ 'config_mod', [], {
|
|
||||||
+ 'ipasearchrecordslimit': u'100',
|
|
||||||
+ },
|
|
||||||
+ ),
|
|
||||||
+ expected=errors.EmptyModlist(),
|
|
||||||
+ ),
|
|
||||||
]
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,67 +0,0 @@
|
||||||
From 02d3fb8266d8199fd1ed983de6c57b269546df82 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Armando Neto <abiagion@redhat.com>
|
|
||||||
Date: Fri, 8 Jul 2022 15:56:31 -0300
|
|
||||||
Subject: [PATCH] webui: Do not allow empty pagination size
|
|
||||||
|
|
||||||
Pagination size must be required, the current validators are triggered after
|
|
||||||
form is submitted, thus the only way for check if data is not empty is by making
|
|
||||||
the field required.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9192
|
|
||||||
|
|
||||||
Signed-off-by: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
.../ui/src/freeipa/Application_controller.js | 1 +
|
|
||||||
ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++
|
|
||||||
2 files changed, 20 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
|
|
||||||
index 46aabc9c4dd47aa3874cb3ddf27da048607b7516..140ee8fe0d7adc274396248aae0be2f4559db27a 100644
|
|
||||||
--- a/install/ui/src/freeipa/Application_controller.js
|
|
||||||
+++ b/install/ui/src/freeipa/Application_controller.js
|
|
||||||
@@ -318,6 +318,7 @@ define([
|
|
||||||
$type: 'text',
|
|
||||||
name: 'pagination_size',
|
|
||||||
label: '@i18n:customization.table_pagination',
|
|
||||||
+ required: true,
|
|
||||||
validators: ['positive_integer']
|
|
||||||
}
|
|
||||||
]
|
|
||||||
diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py
|
|
||||||
index 5f7ffb54ee33e9b453d6b987b7bf84d6f4311ebd..aca9e1a99e1e2cf60790fe8c33a65430e0d535e2 100644
|
|
||||||
--- a/ipatests/test_webui/test_misc_cases.py
|
|
||||||
+++ b/ipatests/test_webui/test_misc_cases.py
|
|
||||||
@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot
|
|
||||||
import pytest
|
|
||||||
import re
|
|
||||||
|
|
||||||
+try:
|
|
||||||
+ from selenium.webdriver.common.by import By
|
|
||||||
+except ImportError:
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
|
|
||||||
@pytest.mark.tier1
|
|
||||||
class TestMiscCases(UI_driver):
|
|
||||||
@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver):
|
|
||||||
ver_re = re.compile('version: .*')
|
|
||||||
assert re.search(ver_re, about_text), 'Version not found'
|
|
||||||
self.dialog_button_click('ok')
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_customization_pagination_input_required(self):
|
|
||||||
+ """Test if 'pagination size' is required when submitting the form."""
|
|
||||||
+ self.init_app()
|
|
||||||
+
|
|
||||||
+ self.profile_menu_action('configuration')
|
|
||||||
+ self.fill_input('pagination_size', '')
|
|
||||||
+ self.dialog_button_click('save')
|
|
||||||
+
|
|
||||||
+ pagination_size_elem = self.find(
|
|
||||||
+ ".widget[name='pagination_size']", By.CSS_SELECTOR)
|
|
||||||
+
|
|
||||||
+ self.assert_field_validation_required(parent=pagination_size_elem)
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
|
@ -1,47 +0,0 @@
|
||||||
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Francisco Trivino <ftrivino@redhat.com>
|
|
||||||
Date: Wed, 26 Jan 2022 15:43:39 +0100
|
|
||||||
Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys
|
|
||||||
|
|
||||||
The Custodia key export handler is using the default's OpenSSL encryption
|
|
||||||
scheme for PKCS#12.
|
|
||||||
|
|
||||||
This represents an issue when performing a migration from CentOS Stream 8 (C8S)
|
|
||||||
to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
|
|
||||||
replica talks to the Custodia server on C8S source server. The later creates an
|
|
||||||
encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
|
|
||||||
default encryption scheme, which is no longer supported on C9S.
|
|
||||||
|
|
||||||
This commit enforces a stronger encryption algorigthm by adding following
|
|
||||||
arguments to the Custodia server handler:
|
|
||||||
|
|
||||||
-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
|
|
||||||
|
|
||||||
The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9101
|
|
||||||
|
|
||||||
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/secrets/handlers/pemfile.py | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
|
|
||||||
index 4e8eff0e3..ad36bd020 100644
|
|
||||||
--- a/ipaserver/secrets/handlers/pemfile.py
|
|
||||||
+++ b/ipaserver/secrets/handlers/pemfile.py
|
|
||||||
@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
|
|
||||||
'-out', pk12file,
|
|
||||||
'-inkey', args.keyfile,
|
|
||||||
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
||||||
+ '-keypbe', 'AES-256-CBC',
|
|
||||||
+ '-certpbe', 'AES-256-CBC',
|
|
||||||
+ '-macalg', 'sha384',
|
|
||||||
])
|
|
||||||
|
|
||||||
with open(pk12file, 'rb') as f:
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,122 +0,0 @@
|
||||||
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Tue, 1 Feb 2022 16:43:09 +0100
|
|
||||||
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
|
|
||||||
|
|
||||||
Since 5d51ae5, principal keys were dropped in case user auth indicator
|
|
||||||
was not including password. Thereafter, the key removal behavior was
|
|
||||||
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
|
|
||||||
Support for hardened pre-auth methods (FAST and SPAKE) was added in
|
|
||||||
d057040, and the removal of principal keys was restored afterwards by
|
|
||||||
f0d12b7, but not taking the new hardened auth indicator into account.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9065
|
|
||||||
Related to: https://pagure.io/freeipa/issue/8001
|
|
||||||
|
|
||||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
|
|
||||||
1 file changed, 12 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
index 15f3df4fe..0d0d3748c 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
||||||
&res_key_data, &result, &mkvno);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
- /* Only set a principal's key if password auth can be used. Otherwise
|
|
||||||
- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
|
|
||||||
- * reply for AS-REQs which indicate the password authentication is
|
|
||||||
- * available. This might confuse applications like e.g. SSSD which try
|
|
||||||
- * to determine suitable authentication methods and corresponding
|
|
||||||
- * prompts with the help of MIT Kerberos' responder interface which
|
|
||||||
- * acts on the returned pre-authentication methods. A typical example
|
|
||||||
- * is enforced OTP authentication where of course keys are available
|
|
||||||
- * for the first factor but password authentication should not be
|
|
||||||
- * advertised by the KDC. */
|
|
||||||
- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
|
|
||||||
+ /* Only set a principal's key if password or hardened auth can be used.
|
|
||||||
+ * Otherwise the KDC would add pre-authentication methods to the
|
|
||||||
+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
|
|
||||||
+ * authentication is available. This might confuse applications like
|
|
||||||
+ * e.g. SSSD which try to determine suitable authentication methods and
|
|
||||||
+ * corresponding prompts with the help of MIT Kerberos' responder
|
|
||||||
+ * interface which acts on the returned pre-authentication methods. A
|
|
||||||
+ * typical example is enforced OTP authentication where of course keys
|
|
||||||
+ * are available for the first factor but password authentication
|
|
||||||
+ * should not be advertised by the KDC. */
|
|
||||||
+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
|
|
||||||
+ (ua != IPADB_USER_AUTH_NONE)) {
|
|
||||||
/* This is the same behavior as ENOENT below. */
|
|
||||||
ipa_krb5_free_key_data(res_key_data, result);
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Julien Rische <jrische@redhat.com>
|
|
||||||
Date: Tue, 1 Feb 2022 19:38:29 +0100
|
|
||||||
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
|
|
||||||
|
|
||||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
|
|
||||||
1 file changed, 28 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
|
|
||||||
index 63e75ae67..9489fbc97 100644
|
|
||||||
--- a/ipatests/test_integration/test_krbtpolicy.py
|
|
||||||
+++ b/ipatests/test_integration/test_krbtpolicy.py
|
|
||||||
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
|
|
||||||
result = master.run_command('klist | grep krbtgt')
|
|
||||||
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
||||||
|
|
||||||
- def test_krbtpolicy_hardended(self):
|
|
||||||
- """Test a hardened kerberos ticket policy with 10 min tickets"""
|
|
||||||
+ def test_krbtpolicy_password_and_hardended(self):
|
|
||||||
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
|
|
||||||
master = self.master
|
|
||||||
master.run_command(['ipa', 'user-mod', USER1,
|
|
||||||
'--user-auth-type', 'password',
|
|
||||||
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
|
|
||||||
result = master.run_command('klist | grep krbtgt')
|
|
||||||
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
||||||
|
|
||||||
+ def test_krbtpolicy_hardended(self):
|
|
||||||
+ """Test a hardened kerberos ticket policy with 30min tickets"""
|
|
||||||
+ master = self.master
|
|
||||||
+ master.run_command(['ipa', 'user-mod', USER1,
|
|
||||||
+ '--user-auth-type', 'hardened'])
|
|
||||||
+ master.run_command(['ipa', 'config-mod',
|
|
||||||
+ '--user-auth-type', 'hardened'])
|
|
||||||
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
|
|
||||||
+ '--hardened-maxlife', '1800'])
|
|
||||||
+
|
|
||||||
+ tasks.kdestroy_all(master)
|
|
||||||
+
|
|
||||||
+ master.run_command(['kinit', USER1],
|
|
||||||
+ stdin_text=PASSWORD + '\n')
|
|
||||||
+ result = master.run_command('klist | grep krbtgt')
|
|
||||||
+ assert maxlife_within_policy(result.stdout_text, 1800,
|
|
||||||
+ slush=1800) is True
|
|
||||||
+
|
|
||||||
+ tasks.kdestroy_all(master)
|
|
||||||
+
|
|
||||||
+ # Verify that the short policy only applies to USER1
|
|
||||||
+ master.run_command(['kinit', USER2],
|
|
||||||
+ stdin_text=PASSWORD + '\n')
|
|
||||||
+ result = master.run_command('klist | grep krbtgt')
|
|
||||||
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
||||||
+
|
|
||||||
def test_krbtpolicy_password(self):
|
|
||||||
"""Test the kerberos ticket policy which issues 20 min tickets"""
|
|
||||||
master = self.master
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,44 +0,0 @@
|
||||||
From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Fri, 28 Jan 2022 16:58:42 +0100
|
|
||||||
Subject: [PATCH] ipa-pki-proxy.conf: provide access to
|
|
||||||
/kra/admin/kra/getStatus
|
|
||||||
|
|
||||||
The access to /kra/admin/kra/getStatus will be needed
|
|
||||||
in order to fix pki-healthcheck.
|
|
||||||
Note that this commit is a pre-requisite for the fix
|
|
||||||
to be done on PKI side. No test added since the full
|
|
||||||
integration test already exists in test_replica_promotion.py,
|
|
||||||
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9099
|
|
||||||
Related: https://pagure.io/freeipa/issue/8582
|
|
||||||
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
install/share/ipa-pki-proxy.conf.template | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
|
|
||||||
index 96708482c..7a46f20b9 100644
|
|
||||||
--- a/install/share/ipa-pki-proxy.conf.template
|
|
||||||
+++ b/install/share/ipa-pki-proxy.conf.template
|
|
||||||
@@ -1,4 +1,4 @@
|
|
||||||
-# VERSION 16 - DO NOT REMOVE THIS LINE
|
|
||||||
+# VERSION 17 - DO NOT REMOVE THIS LINE
|
|
||||||
|
|
||||||
ProxyRequests Off
|
|
||||||
|
|
||||||
@@ -11,7 +11,7 @@ ProxyRequests Off
|
|
||||||
</LocationMatch>
|
|
||||||
|
|
||||||
# matches for admin port and installer
|
|
||||||
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
|
|
||||||
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
|
|
||||||
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
|
||||||
SSLVerifyClient none
|
|
||||||
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,755 +0,0 @@
|
||||||
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
||||||
Date: Fri, 14 Jan 2022 19:55:13 +0530
|
|
||||||
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
|
|
||||||
|
|
||||||
Scenario 1:
|
|
||||||
Setup master with --ca-signing-algorithm=SHA384withRSA
|
|
||||||
Run certutil and check Signing Algorithm
|
|
||||||
|
|
||||||
Scenario 2:
|
|
||||||
Setup a master
|
|
||||||
Stop services
|
|
||||||
Modify default.params.signingAlg in CS.cfg
|
|
||||||
Restart services
|
|
||||||
Resubmit cert (Resubmitted cert should have new Algorithm)
|
|
||||||
|
|
||||||
Pagure Link: https://pagure.io/freeipa/issue/8906
|
|
||||||
|
|
||||||
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_installation.py | 63 +++++++++++++++++++
|
|
||||||
1 file changed, 63 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index 0947241ae..f2d372c0c 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
|
|
||||||
from ipatests.pytest_ipa.integration.env_config import get_global_config
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
|
||||||
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
|
||||||
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
|
||||||
from ipaplatform import services
|
|
||||||
|
|
||||||
|
|
||||||
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
|
|
||||||
tasks.install_replica(
|
|
||||||
self.master, self.replicas[0], setup_ca=False, setup_dns=False
|
|
||||||
)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestInstallwithSHA384withRSA(IntegrationTest):
|
|
||||||
+ num_replicas = 0
|
|
||||||
+
|
|
||||||
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
|
|
||||||
+ tasks.install_master(
|
|
||||||
+ self.master,
|
|
||||||
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # check Signing Algorithm post installation
|
|
||||||
+ dashed_domain = self.master.domain.realm.replace(".", '-')
|
|
||||||
+ cmd_args = ['certutil', '-L', '-d',
|
|
||||||
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
|
|
||||||
+ '-n', 'Server-Cert']
|
|
||||||
+ result = self.master.run_command(cmd_args)
|
|
||||||
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
|
|
||||||
+
|
|
||||||
+ def test_install_master_modify_existing(self, server_cleanup):
|
|
||||||
+ """
|
|
||||||
+ Setup a master
|
|
||||||
+ Stop services
|
|
||||||
+ Modify default.params.signingAlg in CS.cfg
|
|
||||||
+ Restart services
|
|
||||||
+ Resubmit cert (Resubmitted cert should have new Algorithm)
|
|
||||||
+ """
|
|
||||||
+ tasks.install_master(self.master)
|
|
||||||
+ self.master.run_command(['ipactl', 'stop'])
|
|
||||||
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
|
|
||||||
+ encoding='utf-8')
|
|
||||||
+ new_lines = []
|
|
||||||
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
|
|
||||||
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
|
|
||||||
+ for line in cs_cfg_content.split('\n'):
|
|
||||||
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
|
|
||||||
+ new_lines.append(replace_str)
|
|
||||||
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
|
|
||||||
+ new_lines.append(ocsp_rep_str)
|
|
||||||
+ else:
|
|
||||||
+ new_lines.append(line)
|
|
||||||
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
|
|
||||||
+ '\n'.join(new_lines))
|
|
||||||
+ self.master.run_command(['ipactl', 'start'])
|
|
||||||
+
|
|
||||||
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
|
|
||||||
+ result = self.master.run_command(cmd)
|
|
||||||
+ request_id = get_certmonger_fs_id(result.stdout_text)
|
|
||||||
+
|
|
||||||
+ # resubmit RA Agent cert
|
|
||||||
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
|
|
||||||
+ self.master.run_command(cmd)
|
|
||||||
+
|
|
||||||
+ tasks.wait_for_certmonger_status(self.master,
|
|
||||||
+ ('CA_WORKING', 'MONITORING'),
|
|
||||||
+ request_id)
|
|
||||||
+
|
|
||||||
+ cmd_args = ['openssl', 'x509', '-in',
|
|
||||||
+ paths.RA_AGENT_PEM, '-noout', '-text']
|
|
||||||
+ result = self.master.run_command(cmd_args)
|
|
||||||
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
|
|
||||||
+ assert assert_str in result.stdout_text
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
||||||
Date: Thu, 25 Nov 2021 17:48:20 +0530
|
|
||||||
Subject: [PATCH] Extend test to see if replica is not shown when running
|
|
||||||
`ipa-replica-manage list -v <FQDN>`
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8605
|
|
||||||
|
|
||||||
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_simple_replication.py | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
|
|
||||||
index 8de385144..17092a499 100644
|
|
||||||
--- a/ipatests/test_integration/test_simple_replication.py
|
|
||||||
+++ b/ipatests/test_integration/test_simple_replication.py
|
|
||||||
@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
|
|
||||||
# has to be run with --force, there is no --unattended
|
|
||||||
self.master.run_command(['ipa-replica-manage', 'del',
|
|
||||||
self.replicas[0].hostname, '--force'])
|
|
||||||
- result = self.master.run_command(['ipa-replica-manage', 'list'])
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
|
|
||||||
assert self.replicas[0].hostname not in result.stdout_text
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Fri, 26 Nov 2021 12:11:21 +0530
|
|
||||||
Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
|
|
||||||
teardown
|
|
||||||
|
|
||||||
Fixture `expire_certs` moves date back after renewing the certs.
|
|
||||||
This is causing the ipa-replica to fail. This fix first uninstalls
|
|
||||||
the server then moves back the date.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9052
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
|
|
||||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
index 39904d5de..5b56054b4 100644
|
|
||||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
|
|
||||||
setup_dns=False, extra_args=['--no-ntp']
|
|
||||||
)
|
|
||||||
|
|
||||||
+ @classmethod
|
|
||||||
+ def uninstall(cls, mh):
|
|
||||||
+ # Uninstall method is empty as the uninstallation is done in
|
|
||||||
+ # the fixture
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
@pytest.fixture
|
|
||||||
def expire_certs(self):
|
|
||||||
# move system date to expire certs
|
|
||||||
@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
|
|
||||||
yield
|
|
||||||
|
|
||||||
# move date back on replica and master
|
|
||||||
- for host in self.master, self.replicas[0]:
|
|
||||||
+ for host in self.replicas[0], self.master:
|
|
||||||
+ tasks.uninstall_master(host)
|
|
||||||
tasks.move_date(host, 'start', '-3years-1days')
|
|
||||||
|
|
||||||
def test_renew_expired_cert_replica(self, expire_certs):
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Mon, 13 Dec 2021 17:37:05 +0530
|
|
||||||
Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
|
|
||||||
|
|
||||||
related : https://pagure.io/freeipa/issue/8962
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_installation.py | 13 +++++++++++++
|
|
||||||
1 file changed, 13 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index 95cfaad54..0947241ae 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
|
|
||||||
)
|
|
||||||
assert "nsslapd-db-locks" not in result.stdout_text
|
|
||||||
|
|
||||||
+ def test_nsslapd_sizelimit(self):
|
|
||||||
+ """ Test for default value of nsslapd-sizelimit.
|
|
||||||
+
|
|
||||||
+ Related : https://pagure.io/freeipa/issue/8962
|
|
||||||
+ """
|
|
||||||
+ result = tasks.ldapsearch_dm(
|
|
||||||
+ self.master,
|
|
||||||
+ "cn=config",
|
|
||||||
+ ["nsslapd-sizelimit"],
|
|
||||||
+ scope="base"
|
|
||||||
+ )
|
|
||||||
+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
|
|
||||||
+
|
|
||||||
def test_admin_root_alias_CVE_2020_10747(self):
|
|
||||||
# Test for CVE-2020-10747 fix
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1810160
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Thu, 25 Nov 2021 13:10:05 +0530
|
|
||||||
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
|
|
||||||
segfault
|
|
||||||
|
|
||||||
When empty cert request is submitted to certmonger, it goes to
|
|
||||||
segfault. This fix test that if something like this happens,
|
|
||||||
certmonger should gracefuly handle it
|
|
||||||
|
|
||||||
and some PEP8 fixes
|
|
||||||
|
|
||||||
related: https://pagure.io/certmonger/issue/191
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
|
|
||||||
1 file changed, 78 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
|
||||||
index 5ffb8c608..0518d7954 100644
|
|
||||||
--- a/ipatests/test_integration/test_cert.py
|
|
||||||
+++ b/ipatests/test_integration/test_cert.py
|
|
||||||
@@ -14,6 +14,7 @@ import random
|
|
||||||
import re
|
|
||||||
import string
|
|
||||||
import time
|
|
||||||
+import textwrap
|
|
||||||
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
from ipapython.dn import DN
|
|
||||||
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
|
|
||||||
tasks.kinit_admin(self.master)
|
|
||||||
tasks.user_add(self.master, user)
|
|
||||||
|
|
||||||
- for id in (0,1):
|
|
||||||
+ for id in (0, 1):
|
|
||||||
csr_file = f'{id}.csr'
|
|
||||||
key_file = f'{id}.key'
|
|
||||||
cert_file = f'{id}.crt'
|
|
||||||
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
|
|
||||||
error_msg = 'ipa: ERROR: The certificate for ' \
|
|
||||||
'{} is not available on this server.'.format(lwca)
|
|
||||||
assert error_msg in result.stderr_text
|
|
||||||
+
|
|
||||||
+ def test_certmonger_empty_cert_not_segfault(self):
|
|
||||||
+ """Test empty cert request doesn't force certmonger to segfault
|
|
||||||
+
|
|
||||||
+ Test scenario:
|
|
||||||
+ create a cert request file in /var/lib/certmonger/requests which is
|
|
||||||
+ missing most of the required information, and ask request a new
|
|
||||||
+ certificate to certmonger. The wrong request file should not make
|
|
||||||
+ certmonger crash.
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/certmonger/issue/191
|
|
||||||
+ """
|
|
||||||
+ empty_cert_req_content = textwrap.dedent("""
|
|
||||||
+ id=dogtag-ipa-renew-agent
|
|
||||||
+ key_type=UNSPECIFIED
|
|
||||||
+ key_gen_type=UNSPECIFIED
|
|
||||||
+ key_size=0
|
|
||||||
+ key_gen_size=0
|
|
||||||
+ key_next_type=UNSPECIFIED
|
|
||||||
+ key_next_gen_type=UNSPECIFIED
|
|
||||||
+ key_next_size=0
|
|
||||||
+ key_next_gen_size=0
|
|
||||||
+ key_preserve=0
|
|
||||||
+ key_storage_type=NONE
|
|
||||||
+ key_perms=0
|
|
||||||
+ key_requested_count=0
|
|
||||||
+ key_issued_count=0
|
|
||||||
+ cert_storage_type=FILE
|
|
||||||
+ cert_perms=0
|
|
||||||
+ cert_is_ca=0
|
|
||||||
+ cert_ca_path_length=0
|
|
||||||
+ cert_no_ocsp_check=0
|
|
||||||
+ last_need_notify_check=19700101000000
|
|
||||||
+ last_need_enroll_check=19700101000000
|
|
||||||
+ template_is_ca=0
|
|
||||||
+ template_ca_path_length=-1
|
|
||||||
+ template_no_ocsp_check=0
|
|
||||||
+ state=NEED_KEY_PAIR
|
|
||||||
+ autorenew=0
|
|
||||||
+ monitor=0
|
|
||||||
+ submitted=19700101000000
|
|
||||||
+ """)
|
|
||||||
+ # stop certmonger service
|
|
||||||
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
|
|
||||||
+
|
|
||||||
+ # place an empty cert request file to certmonger request dir
|
|
||||||
+ self.master.put_file_contents(
|
|
||||||
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
|
||||||
+ empty_cert_req_content
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # start certmonger, it should not fail
|
|
||||||
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
|
|
||||||
+
|
|
||||||
+ # request a new cert, should succeed and certmonger doesn't goes
|
|
||||||
+ # to segfault
|
|
||||||
+ result = self.master.run_command([
|
|
||||||
+ "ipa-getcert", "request",
|
|
||||||
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
|
|
||||||
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
|
|
||||||
+ ])
|
|
||||||
+ request_id = re.findall(r'\d+', result.stdout_text)
|
|
||||||
+
|
|
||||||
+ # check if certificate is in MONITORING state
|
|
||||||
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
|
|
||||||
+ assert status == "MONITORING"
|
|
||||||
+
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
|
|
||||||
+ )
|
|
||||||
+ self.master.run_command([
|
|
||||||
+ 'rm', '-rf',
|
|
||||||
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
|
||||||
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
|
|
||||||
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
|
|
||||||
+ ])
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Mon, 6 Dec 2021 20:50:01 +0530
|
|
||||||
Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
|
|
||||||
|
|
||||||
Added web-ui tests to verify where operations
|
|
||||||
using subordinate ids are working as expected.
|
|
||||||
|
|
||||||
Related : https://pagure.io/freeipa/issue/8361
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
|
|
||||||
ipatests/test_webui/ui_driver.py | 28 ++++++
|
|
||||||
2 files changed, 169 insertions(+)
|
|
||||||
create mode 100644 ipatests/test_webui/test_subid.py
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..26decdba0
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ipatests/test_webui/test_subid.py
|
|
||||||
@@ -0,0 +1,141 @@
|
|
||||||
+
|
|
||||||
+"""
|
|
||||||
+Tests for subordinateid.
|
|
||||||
+"""
|
|
||||||
+
|
|
||||||
+from ipatests.test_webui.ui_driver import UI_driver
|
|
||||||
+import ipatests.test_webui.data_config as config_data
|
|
||||||
+import ipatests.test_webui.data_user as user_data
|
|
||||||
+from ipatests.test_webui.ui_driver import screenshot
|
|
||||||
+import re
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class test_subid(UI_driver):
|
|
||||||
+
|
|
||||||
+ def add_user(self, pkey, name, surname):
|
|
||||||
+ self.add_record('user', {
|
|
||||||
+ 'pkey': pkey,
|
|
||||||
+ 'add': [
|
|
||||||
+ ('textbox', 'uid', pkey),
|
|
||||||
+ ('textbox', 'givenname', name),
|
|
||||||
+ ('textbox', 'sn', surname),
|
|
||||||
+ ]
|
|
||||||
+ })
|
|
||||||
+
|
|
||||||
+ def set_default_subid(self):
|
|
||||||
+ self.navigate_to_entity(config_data.ENTITY)
|
|
||||||
+ self.check_option('ipauserdefaultsubordinateid', 'checked')
|
|
||||||
+ self.facet_button_click('save')
|
|
||||||
+
|
|
||||||
+ def get_user_count(self, user_pkey):
|
|
||||||
+ self.navigate_to_entity('subid', facet='search')
|
|
||||||
+ self.apply_search_filter(user_pkey)
|
|
||||||
+ self.wait_for_request()
|
|
||||||
+ return self.get_rows()
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_set_defaultsubid(self):
|
|
||||||
+ """
|
|
||||||
+ Test to verify that enable/disable is working for
|
|
||||||
+ adding subids to new users.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ self.add_record(user_data.ENTITY, user_data.DATA2)
|
|
||||||
+ self.navigate_to_entity(config_data.ENTITY)
|
|
||||||
+ # test subid can be enabled/disabled.
|
|
||||||
+ self.set_default_subid()
|
|
||||||
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
|
|
||||||
+ self.set_default_subid()
|
|
||||||
+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_user_defaultsubid(self):
|
|
||||||
+ """
|
|
||||||
+ Test to verify that subid is generated for new user.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ user_pkey = "some-user"
|
|
||||||
+
|
|
||||||
+ self.set_default_subid()
|
|
||||||
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
|
|
||||||
+
|
|
||||||
+ before_count = self.get_user_count(user_pkey)
|
|
||||||
+ assert len(before_count) == 0
|
|
||||||
+
|
|
||||||
+ self.add_user(user_pkey, 'Some', 'User')
|
|
||||||
+ after_count = self.get_user_count(user_pkey)
|
|
||||||
+ assert len(after_count) == 1
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_user_subid_mod_desc(self):
|
|
||||||
+ """
|
|
||||||
+ Test to verify that auto-assigned subid description is modified.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ self.navigate_to_record("some-user")
|
|
||||||
+ self.switch_to_facet('memberof_subid')
|
|
||||||
+ rows = self.get_rows()
|
|
||||||
+ self.navigate_to_row_record(rows[-1])
|
|
||||||
+ self.fill_textbox("description", "some-user-subid-desc")
|
|
||||||
+ self.facet_button_click('save')
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_admin_subid(self):
|
|
||||||
+ """
|
|
||||||
+ Test to verify that subid range is created with owner admin.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ self.navigate_to_entity('subid', facet='search')
|
|
||||||
+ self.facet_button_click('add')
|
|
||||||
+ self.select_combobox('ipaowner', 'admin')
|
|
||||||
+ self.dialog_button_click('add')
|
|
||||||
+ self.wait(0.3)
|
|
||||||
+ self.assert_no_error_dialog()
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_admin_subid_negative(self):
|
|
||||||
+ """
|
|
||||||
+ Test to verify that readding the subid fails with error.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ self.navigate_to_entity('subid', facet='search')
|
|
||||||
+ self.facet_button_click('add')
|
|
||||||
+ self.select_combobox('ipaowner', 'admin')
|
|
||||||
+ self.dialog_button_click('add')
|
|
||||||
+ self.wait(0.3)
|
|
||||||
+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
|
|
||||||
+ text = self.get_text('.modal-body div p', err_dialog)
|
|
||||||
+ text = text.strip()
|
|
||||||
+ pattern = r'Subordinate id with with name .* already exists.'
|
|
||||||
+ assert re.search(pattern, text) is not None
|
|
||||||
+ self.close_all_dialogs()
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_user_subid_add(self):
|
|
||||||
+ """
|
|
||||||
+ Test to verify that subid range is created for given user.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ self.navigate_to_entity('subid', facet='search')
|
|
||||||
+ before_count = self.get_rows()
|
|
||||||
+ self.facet_button_click('add')
|
|
||||||
+ self.select_combobox('ipaowner', user_data.PKEY2)
|
|
||||||
+ self.dialog_button_click('add')
|
|
||||||
+ self.wait(0.3)
|
|
||||||
+ self.assert_no_error_dialog()
|
|
||||||
+ after_count = self.get_rows()
|
|
||||||
+ assert len(before_count) < len(after_count)
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_subid_del(self):
|
|
||||||
+ """
|
|
||||||
+ Test to remove subordinate id for given user.
|
|
||||||
+ """
|
|
||||||
+ self.init_app()
|
|
||||||
+ self.navigate_to_entity('subid', facet='search')
|
|
||||||
+ user_uid = self.get_record_pkey("some-user", "ipaowner",
|
|
||||||
+ table_name="ipauniqueid")
|
|
||||||
+ before_count = self.get_rows()
|
|
||||||
+ self.delete_record(user_uid, table_name="ipauniqueid")
|
|
||||||
+ after_count = self.get_rows()
|
|
||||||
+ assert len(before_count) > len(after_count)
|
|
||||||
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
|
||||||
index 46fd512ae..77fd74e49 100644
|
|
||||||
--- a/ipatests/test_webui/ui_driver.py
|
|
||||||
+++ b/ipatests/test_webui/ui_driver.py
|
|
||||||
@@ -1151,6 +1151,34 @@ class UI_driver:
|
|
||||||
return row
|
|
||||||
return None
|
|
||||||
|
|
||||||
+ def get_row_by_column_value(self, key, column_name, parent=None,
|
|
||||||
+ table_name=None):
|
|
||||||
+ """
|
|
||||||
+ Get the first matched row element of a search table with given key
|
|
||||||
+ matched against selected column. None if not found
|
|
||||||
+ """
|
|
||||||
+ rows = self.get_rows(parent, table_name)
|
|
||||||
+ s = "td div[name='%s']" % column_name
|
|
||||||
+ for row in rows:
|
|
||||||
+ has = self.find(s, By.CSS_SELECTOR, row)
|
|
||||||
+ if has.text == key:
|
|
||||||
+ return row
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+ def get_record_pkey(self, key, column, parent=None, table_name=None):
|
|
||||||
+ """
|
|
||||||
+ Get record pkey if value of column is known
|
|
||||||
+ """
|
|
||||||
+ row = self.get_row_by_column_value(key,
|
|
||||||
+ column_name=column,
|
|
||||||
+ parent=parent,
|
|
||||||
+ table_name=table_name)
|
|
||||||
+ val = None
|
|
||||||
+ if row:
|
|
||||||
+ el = self.find("td input", By.CSS_SELECTOR, row)
|
|
||||||
+ val = el.get_attribute("value")
|
|
||||||
+ return val
|
|
||||||
+
|
|
||||||
def navigate_to_row_record(self, row, pkey_column=None):
|
|
||||||
"""
|
|
||||||
Navigate to record by clicking on a link.
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Date: Fri, 7 Jan 2022 12:12:26 +0100
|
|
||||||
Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
|
|
||||||
configuration file
|
|
||||||
|
|
||||||
FullLoader class for YAML loader was introduced in version 5.1 which
|
|
||||||
also deprecated default loader. SafeLoader, however, stays consistent
|
|
||||||
across the versions and brings added security.
|
|
||||||
|
|
||||||
This fix is necessary as PyYAML > 5.1 is not available in downstream.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9009
|
|
||||||
|
|
||||||
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_webui/ui_driver.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
|
||||||
index 77fd74e49..519efee9b 100644
|
|
||||||
--- a/ipatests/test_webui/ui_driver.py
|
|
||||||
+++ b/ipatests/test_webui/ui_driver.py
|
|
||||||
@@ -192,7 +192,7 @@ class UI_driver:
|
|
||||||
if not NO_YAML and os.path.isfile(path):
|
|
||||||
try:
|
|
||||||
with open(path, 'r') as conf:
|
|
||||||
- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
|
|
||||||
+ cls.config = yaml.safe_load(stream=conf)
|
|
||||||
except yaml.YAMLError as e:
|
|
||||||
pytest.skip("Invalid Web UI config.\n%s" % e)
|
|
||||||
except IOError as e:
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Thu, 18 Nov 2021 18:43:22 +0530
|
|
||||||
Subject: [PATCH] PEP8 Fixes
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_replica_promotion.py | 14 +++++++-------
|
|
||||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
index 1a4e9bc12..c328b1a08 100644
|
|
||||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
|
||||||
assert res.returncode == 1
|
|
||||||
assert expected_err in res.stderr_text
|
|
||||||
|
|
||||||
-
|
|
||||||
@replicas_cleanup
|
|
||||||
def test_one_command_installation(self):
|
|
||||||
"""
|
|
||||||
@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
|
||||||
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
|
|
||||||
"freeipa-ldaps"])
|
|
||||||
self.replicas[0].run_command(['ipa-replica-install', '-w',
|
|
||||||
- self.master.config.admin_password,
|
|
||||||
- '-n', self.master.domain.name,
|
|
||||||
- '-r', self.master.domain.realm,
|
|
||||||
- '--server', self.master.hostname,
|
|
||||||
- '-U'])
|
|
||||||
+ self.master.config.admin_password,
|
|
||||||
+ '-n', self.master.domain.name,
|
|
||||||
+ '-r', self.master.domain.realm,
|
|
||||||
+ '--server', self.master.hostname,
|
|
||||||
+ '-U'])
|
|
||||||
# Ensure that pkinit is properly configured, test for 7566
|
|
||||||
result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
|
|
||||||
assert "PKINIT is enabled" in result.stdout_text
|
|
||||||
@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
|
|
||||||
result1 = client.run_command(['ipa-replica-install', '-U', '-w',
|
|
||||||
self.master.config.dirman_password],
|
|
||||||
raiseonerr=False)
|
|
||||||
- assert(result1.returncode == 0), (
|
|
||||||
+ assert (result1.returncode == 0), (
|
|
||||||
'Failed to promote the client installed with the upcase domain name')
|
|
||||||
|
|
||||||
def test_client_rollback(self):
|
|
||||||
@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
|
|
||||||
assert("An error occurred while removing SSSD" not in
|
|
||||||
result.stdout_text)
|
|
||||||
|
|
||||||
+
|
|
||||||
class TestRenewalMaster(IntegrationTest):
|
|
||||||
|
|
||||||
topology = 'star'
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Thu, 18 Nov 2021 18:36:58 +0530
|
|
||||||
Subject: [PATCH] Test cases for ipa-replica-conncheck command
|
|
||||||
|
|
||||||
Following test cases would be checked:
|
|
||||||
- when called with --principal (it should then prompt for a password)
|
|
||||||
- when called with --principal / --password
|
|
||||||
- when called without principal and password but with a kerberos TGT,
|
|
||||||
kinit admin done before calling ipa-replica-conncheck
|
|
||||||
- when called without principal and password, and without any kerberos
|
|
||||||
TGT (it should default to principal=admin and prompt for a password)
|
|
||||||
|
|
||||||
related: https://pagure.io/freeipa/issue/9047
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_replica_promotion.py | 70 +++++++++++++++++++
|
|
||||||
1 file changed, 70 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
index b9c56f775..1a4e9bc12 100644
|
|
||||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
|
|
||||||
self.assertCARenewalMaster(master, replica.hostname)
|
|
||||||
self.assertCARenewalMaster(replica, replica.hostname)
|
|
||||||
|
|
||||||
+ def test_replica_concheck(self):
|
|
||||||
+ """Test cases for ipa-replica-conncheck command
|
|
||||||
+
|
|
||||||
+ Following test cases would be checked:
|
|
||||||
+ - when called with --principal (it should then prompt for a password)
|
|
||||||
+ - when called with --principal / --password
|
|
||||||
+ - when called without principal and password but with a kerberos TGT,
|
|
||||||
+ kinit admin done before calling ipa-replica-conncheck
|
|
||||||
+ - when called without principal and password, and without any kerberos
|
|
||||||
+ TGT (it should default to principal=admin and prompt for a password)
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/freeipa/issue/9047
|
|
||||||
+ """
|
|
||||||
+ exp_str1 = "Connection from replica to master is OK."
|
|
||||||
+ exp_str2 = "Connection from master to replica is OK"
|
|
||||||
+ tasks.kdestroy_all(self.replicas[0])
|
|
||||||
+ # when called with --principal (it should then prompt for a password)
|
|
||||||
+ result = self.replicas[0].run_command(
|
|
||||||
+ ['ipa-replica-conncheck', '--auto-master-check',
|
|
||||||
+ '--master', self.master.hostname,
|
|
||||||
+ '-r', self.replicas[0].domain.realm,
|
|
||||||
+ '-p', self.replicas[0].config.admin_name],
|
|
||||||
+ stdin_text=self.master.config.admin_password
|
|
||||||
+ )
|
|
||||||
+ assert result.returncode == 0
|
|
||||||
+ assert (
|
|
||||||
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # when called with --principal / --password
|
|
||||||
+ result = self.replicas[0].run_command([
|
|
||||||
+ 'ipa-replica-conncheck', '--auto-master-check',
|
|
||||||
+ '--master', self.master.hostname,
|
|
||||||
+ '-r', self.replicas[0].domain.realm,
|
|
||||||
+ '-p', self.replicas[0].config.admin_name,
|
|
||||||
+ '-w', self.master.config.admin_password
|
|
||||||
+ ])
|
|
||||||
+ assert result.returncode == 0
|
|
||||||
+ assert (
|
|
||||||
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # when called without principal and password, and without
|
|
||||||
+ # any kerberos TGT, it should default to principal=admin
|
|
||||||
+ # and prompt for a password
|
|
||||||
+ result = self.replicas[0].run_command(
|
|
||||||
+ ['ipa-replica-conncheck', '--auto-master-check',
|
|
||||||
+ '--master', self.master.hostname,
|
|
||||||
+ '-r', self.replicas[0].domain.realm],
|
|
||||||
+ stdin_text=self.master.config.admin_password
|
|
||||||
+ )
|
|
||||||
+ assert result.returncode == 0
|
|
||||||
+ assert (
|
|
||||||
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # when called without principal and password but with a kerberos TGT,
|
|
||||||
+ # kinit admin done before calling ipa-replica-conncheck
|
|
||||||
+ tasks.kinit_admin(self.replicas[0])
|
|
||||||
+ result = self.replicas[0].run_command(
|
|
||||||
+ ['ipa-replica-conncheck', '--auto-master-check',
|
|
||||||
+ '--master', self.master.hostname,
|
|
||||||
+ '-r', self.replicas[0].domain.realm]
|
|
||||||
+ )
|
|
||||||
+ assert result.returncode == 0
|
|
||||||
+ assert (
|
|
||||||
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
|
||||||
+ )
|
|
||||||
+ tasks.kdestroy_all(self.replicas[0])
|
|
||||||
+
|
|
||||||
def test_automatic_renewal_master_transfer_ondelete(self):
|
|
||||||
# Test that after replica uninstallation, master overtakes the cert
|
|
||||||
# renewal master role from replica (which was previously set there)
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,104 +0,0 @@
|
||||||
From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Fri, 28 Jan 2022 16:46:35 -0500
|
|
||||||
Subject: [PATCH] Don't always override the port in import_included_profiles
|
|
||||||
|
|
||||||
I can only guess to the original purpose of this override. I
|
|
||||||
believe it was because this is called in the installer prior
|
|
||||||
to Apache being set up. The expectation was that this would
|
|
||||||
only be called locally. It predates the RestClient class.
|
|
||||||
|
|
||||||
RestClient will attempt to find an available service. In this
|
|
||||||
case, during a CA installation, the local server is not
|
|
||||||
considered available because it lacks an entry in
|
|
||||||
cn=masters. So it will never be returned as an option.
|
|
||||||
|
|
||||||
So by overriding the port to 8443 the remote connection will
|
|
||||||
likely fail because we don't require that the port be open.
|
|
||||||
|
|
||||||
So instead, instantiate a RestClient and see what happens.
|
|
||||||
|
|
||||||
There are several use-cases:
|
|
||||||
|
|
||||||
1. Installing an initial server. The RestClient connection
|
|
||||||
should fail, so we will fall back to the override port and
|
|
||||||
use the local server. If Apache happens to be running with
|
|
||||||
a globally-issued certificate then the RestClient will
|
|
||||||
succeed. In this case if the connected host and the local
|
|
||||||
hostname are the same, override in that case as well.
|
|
||||||
|
|
||||||
2. Installing as a replica. In this case the local server should
|
|
||||||
be ignored in all cases and a remote CA will be picked with
|
|
||||||
no override done.
|
|
||||||
|
|
||||||
3. Switching from CA-less to CA-ful. The web server will be
|
|
||||||
trusted but the RestClient login will fail with a 404. Fall
|
|
||||||
back to the override port in this case.
|
|
||||||
|
|
||||||
The motivation for this is trying to install an EL 8.x replica
|
|
||||||
against an EL 7.9 server. 8.5+ includes the ACME service and
|
|
||||||
a new profile is needed which doesn't exist in 7. This was
|
|
||||||
failing because the RestClient determined that the local server
|
|
||||||
wasn't running a CA so tried the remote one (7.9) on the override
|
|
||||||
port 8443. Since this port isn't open: failure.
|
|
||||||
|
|
||||||
Chances are that adding the profile is still going to fail
|
|
||||||
because again, 7.9 lacks ACME capabilities, but it will fail in
|
|
||||||
a way that allows the installation to continue.
|
|
||||||
|
|
||||||
I suspect that all of the overrides can similarly handled, or
|
|
||||||
handled directly within the RestClient class, but for the sake
|
|
||||||
of "do no harm" I'm only changing this instance for now.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/9100
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
|
|
||||||
1 file changed, 29 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
||||||
index 8c8bf1b3a..ad206aad4 100644
|
|
||||||
--- a/ipaserver/install/cainstance.py
|
|
||||||
+++ b/ipaserver/install/cainstance.py
|
|
||||||
@@ -1953,7 +1953,35 @@ def import_included_profiles():
|
|
||||||
cn=['certprofiles'],
|
|
||||||
)
|
|
||||||
|
|
||||||
- api.Backend.ra_certprofile.override_port = 8443
|
|
||||||
+ # At this point Apache may or may not be running with a valid
|
|
||||||
+ # certificate. The local server is not yet recognized as a full
|
|
||||||
+ # CA yet so it isn't discoverable. So try to do some detection
|
|
||||||
+ # on what port to use, 443 (remote) or 8443 (local) for importing
|
|
||||||
+ # the profiles.
|
|
||||||
+ #
|
|
||||||
+ # api.Backend.ra_certprofile invokes the RestClient class
|
|
||||||
+ # which will discover and login to the CA REST API. We can
|
|
||||||
+ # use this information to detect where to import the profiles.
|
|
||||||
+ #
|
|
||||||
+ # If the login is successful (e.g. doesn't raise an exception)
|
|
||||||
+ # and it returns our hostname (it prefers the local host) then
|
|
||||||
+ # we override and talk locally.
|
|
||||||
+ #
|
|
||||||
+ # Otherwise a NetworkError means we can't connect on 443 (perhaps
|
|
||||||
+ # a firewall) or we get an HTTP error (valid TLS certificate on
|
|
||||||
+ # Apache but no CA, login fails with 404) so we override to the
|
|
||||||
+ # local server.
|
|
||||||
+ #
|
|
||||||
+ # When override port was always set to 8443 the RestClient could
|
|
||||||
+ # pick a remote server and since 8443 isn't in our firewall profile
|
|
||||||
+ # setting up a new server would fail.
|
|
||||||
+ try:
|
|
||||||
+ with api.Backend.ra_certprofile as profile_api:
|
|
||||||
+ if profile_api.ca_host == api.env.host:
|
|
||||||
+ api.Backend.ra_certprofile.override_port = 8443
|
|
||||||
+ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
|
|
||||||
+ logger.debug('Overriding CA port: %s', e)
|
|
||||||
+ api.Backend.ra_certprofile.override_port = 8443
|
|
||||||
|
|
||||||
for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
|
|
||||||
dn = DN(('cn', profile_id),
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,115 +0,0 @@
|
||||||
From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Mon, 31 Jan 2022 17:31:50 -0500
|
|
||||||
Subject: [PATCH] Remove ipa-join errors from behind the debug option
|
|
||||||
|
|
||||||
This brings it inline with the previous XML-RPC output which
|
|
||||||
only hid the request and response from the output and not
|
|
||||||
any errors returned.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/9103
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
|
|
||||||
---
|
|
||||||
client/ipa-join.c | 27 +++++++++------------------
|
|
||||||
1 file changed, 9 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/client/ipa-join.c b/client/ipa-join.c
|
|
||||||
index d98739a9a..5888a33bf 100644
|
|
||||||
--- a/client/ipa-join.c
|
|
||||||
+++ b/client/ipa-join.c
|
|
||||||
@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
|
||||||
|
|
||||||
json_str = json_dumps(json, 0);
|
|
||||||
if (!json_str) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("json_dumps() failed\n"));
|
|
||||||
+ fprintf(stderr, _("json_dumps() failed\n"));
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
|
||||||
CURLcode res = curl_easy_perform(curl);
|
|
||||||
if (res != CURLE_OK)
|
|
||||||
{
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
|
|
||||||
+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
|
||||||
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
|
|
||||||
|
|
||||||
if (resp_code != 200) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
|
|
||||||
+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
|
|
||||||
|
|
||||||
if (!quiet && resp_code == 401)
|
|
||||||
fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
|
|
||||||
@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
|
|
||||||
|
|
||||||
j_root = json_loads(payload, 0, &j_error);
|
|
||||||
if (!j_root) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
|
|
||||||
+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
|
|
||||||
|
|
||||||
*j_result_obj = json_object_get(j_root, "result");
|
|
||||||
if (!*j_result_obj) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
|
|
||||||
+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
|
|
||||||
&tmp_hostdn,
|
|
||||||
"krbprincipalname", &tmp_princ,
|
|
||||||
"krblastpwdchange", &tmp_pwdch) != 0) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
|
||||||
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
|
|
||||||
"nshardwareplatform", uinfo.machine);
|
|
||||||
|
|
||||||
if (!json_req) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
|
||||||
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
|
|
||||||
|
|
||||||
if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
|
|
||||||
"result", result) != 0) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
|
||||||
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
|
||||||
|
|
||||||
rval = 20;
|
|
||||||
goto cleanup;
|
|
||||||
@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
|
|
||||||
host);
|
|
||||||
|
|
||||||
if (!json_req) {
|
|
||||||
- if (debug)
|
|
||||||
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
|
||||||
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
|
||||||
|
|
||||||
rval = 17;
|
|
||||||
goto cleanup;
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,118 +0,0 @@
|
||||||
From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Mon, 7 Feb 2022 10:39:55 -0500
|
|
||||||
Subject: [PATCH] Enable the ccache sweep timer during installation
|
|
||||||
|
|
||||||
The timer was only being enabled during package installation
|
|
||||||
if IPA was configured. So effectively only on upgrade.
|
|
||||||
|
|
||||||
Add as a separate installation step after the ccache directory
|
|
||||||
is configured.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9107
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/httpinstance.py | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
|
||||||
index 732bb58d4..50ccf5e50 100644
|
|
||||||
--- a/ipaserver/install/httpinstance.py
|
|
||||||
+++ b/ipaserver/install/httpinstance.py
|
|
||||||
@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
|
|
||||||
self.step("publish CA cert", self.__publish_ca_cert)
|
|
||||||
self.step("clean up any existing httpd ccaches",
|
|
||||||
self.remove_httpd_ccaches)
|
|
||||||
+ self.step("enable ccache sweep",
|
|
||||||
+ self.enable_ccache_sweep)
|
|
||||||
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
|
|
||||||
if not self.is_kdcproxy_configured():
|
|
||||||
self.step("create KDC proxy config", self.create_kdcproxy_conf)
|
|
||||||
@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
|
|
||||||
[paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
|
|
||||||
)
|
|
||||||
|
|
||||||
+ def enable_ccache_sweep(self):
|
|
||||||
+ ipautil.run(
|
|
||||||
+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
def __configure_http(self):
|
|
||||||
self.update_httpd_service_ipa_conf()
|
|
||||||
self.update_httpd_wsgi_conf()
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Wed, 9 Feb 2022 18:56:21 +0530
|
|
||||||
Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
|
|
||||||
installation
|
|
||||||
|
|
||||||
This test checks that ipa-ccache-sweep.timer is enabled by default
|
|
||||||
during the ipa installation.
|
|
||||||
|
|
||||||
related: https://pagure.io/freeipa/issue/9107
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_installation.py | 19 +++++++++++++++++--
|
|
||||||
1 file changed, 17 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index f2d372c0c..63edbaa2b 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
|
|
||||||
|
|
||||||
# Tweak sysrestore.state to drop installation section
|
|
||||||
self.master.run_command(
|
|
||||||
- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
|
|
||||||
+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
|
|
||||||
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
|
||||||
|
|
||||||
# Re-run installation check and it should fall back to old method
|
|
||||||
@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
|
|
||||||
|
|
||||||
# Restore installation section.
|
|
||||||
self.master.run_command(
|
|
||||||
- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
|
|
||||||
+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
|
|
||||||
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
|
||||||
|
|
||||||
# Uninstall and confirm that the old method reports correctly
|
|
||||||
@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
|
|
||||||
break
|
|
||||||
return(pid)
|
|
||||||
|
|
||||||
+
|
|
||||||
def get_ipa_services_pids(host):
|
|
||||||
ipa_services_name = [
|
|
||||||
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
|
|
||||||
@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
|
|
||||||
def test_install_master(self):
|
|
||||||
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
|
|
||||||
|
|
||||||
+ def test_ipa_ccache_sweep_timer_enabled(self):
|
|
||||||
+ """Test ipa-ccache-sweep.timer enabled by default during installation
|
|
||||||
+
|
|
||||||
+ This test checks that ipa-ccache-sweep.timer is enabled by default
|
|
||||||
+ during the ipa installation.
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/freeipa/issue/9107
|
|
||||||
+ """
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
|
|
||||||
+ raiseonerr=False
|
|
||||||
+ )
|
|
||||||
+ assert 'enabled' in result.stdout_text
|
|
||||||
+
|
|
||||||
def test_install_dns(self):
|
|
||||||
tasks.install_dns(self.master)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,31 +0,0 @@
|
||||||
From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Thu, 10 Feb 2022 18:49:06 +0530
|
|
||||||
Subject: [PATCH] ipatests: remove additional check for failed units.
|
|
||||||
|
|
||||||
On RHEL tests are randomly failing because of this check
|
|
||||||
and the test doesn't need to check this.
|
|
||||||
|
|
||||||
Related : https://pagure.io/freeipa/issue/9108
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_otp.py | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
|
||||||
index d8ce527ca..6e70ddcb3 100644
|
|
||||||
--- a/ipatests/test_integration/test_otp.py
|
|
||||||
+++ b/ipatests/test_integration/test_otp.py
|
|
||||||
@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
|
|
||||||
check_services = self.master.run_command(
|
|
||||||
['systemctl', 'list-units', '--state=failed']
|
|
||||||
)
|
|
||||||
- assert "0 loaded units listed" in check_services.stdout_text
|
|
||||||
assert "ipa-otpd" not in check_services.stdout_text
|
|
||||||
# Be sure no services are running and failed units
|
|
||||||
self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,38 +0,0 @@
|
||||||
From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Francisco Trivino <ftrivino@redhat.com>
|
|
||||||
Date: Thu, 10 Feb 2022 14:23:12 +0100
|
|
||||||
Subject: [PATCH] ipa_cldap: fix memory leak
|
|
||||||
|
|
||||||
ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
|
|
||||||
berval (bv_val) when processing a CLDAP packet request from a worker. The
|
|
||||||
data is used by ipa_cldap_respond() but bv_val is not freed later on.
|
|
||||||
|
|
||||||
This commit is adding the corresponding free() after ipa_cldap_respond()
|
|
||||||
is completed.
|
|
||||||
|
|
||||||
Discovered by LeakSanitizer
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9110
|
|
||||||
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
|
|
||||||
index db4a3d061..252bcf647 100644
|
|
||||||
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
|
|
||||||
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
|
|
||||||
@@ -287,6 +287,7 @@ done:
|
|
||||||
ipa_cldap_respond(ctx, req, &reply);
|
|
||||||
|
|
||||||
ipa_cldap_free_kvps(&req->kvps);
|
|
||||||
+ free(reply.bv_val);
|
|
||||||
free(req);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,40 +0,0 @@
|
||||||
From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Sun, 5 Dec 2021 17:38:58 +0100
|
|
||||||
Subject: [PATCH] ipatests: fix
|
|
||||||
TestOTPToken::test_check_otpd_after_idle_timeout
|
|
||||||
|
|
||||||
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
|
|
||||||
kinit with an otp token (which makes ipa-otpd create a LDAP
|
|
||||||
connection), then sleeps for 60s. The expectation is that
|
|
||||||
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
|
|
||||||
and close the connection.
|
|
||||||
According to 389ds doc, the idle timeout is enforced when the
|
|
||||||
connection table is walked. By doing a ldapsearch, the test
|
|
||||||
"wakes up" ns-slapd and forces the detection of ipa-otpd
|
|
||||||
idle connection.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9044
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_otp.py | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
|
||||||
index 353470897..d8ce527ca 100644
|
|
||||||
--- a/ipatests/test_integration/test_otp.py
|
|
||||||
+++ b/ipatests/test_integration/test_otp.py
|
|
||||||
@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
|
|
||||||
otpvalue = totp.generate(int(time.time())).decode("ascii")
|
|
||||||
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
|
|
||||||
time.sleep(60)
|
|
||||||
+ # ldapsearch will wake up slapd and force walking through
|
|
||||||
+ # the connection list, in order to spot the idle connections
|
|
||||||
+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
|
|
||||||
|
|
||||||
def test_cb(cmd_jornalctl):
|
|
||||||
# check if LDAP connection is timed out
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
|
@ -1,407 +0,0 @@
|
||||||
From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Mon, 17 Jan 2022 16:57:52 +0530
|
|
||||||
Subject: [PATCH] ipatests: Tests for Autoprivate group.
|
|
||||||
|
|
||||||
Added tests using posix AD trust and non posix AD trust.
|
|
||||||
For option --auto-private-groups=[hybrid/true/false]
|
|
||||||
|
|
||||||
Related : https://pagure.io/freeipa/issue/8807
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
.../nightly_ipa-4-9_latest.yaml | 2 +-
|
|
||||||
.../nightly_ipa-4-9_latest_selinux.yaml | 2 +-
|
|
||||||
.../nightly_ipa-4-9_previous.yaml | 2 +-
|
|
||||||
ipatests/test_integration/test_trust.py | 242 +++++++++++++++++-
|
|
||||||
4 files changed, 240 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
index 6817421b2..8b1f58c4d 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
@@ -1627,7 +1627,7 @@ jobs:
|
|
||||||
build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
test_suite: test_integration/test_trust.py
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
- timeout: 9000
|
|
||||||
+ timeout: 10000
|
|
||||||
topology: *adroot_adchild_adtree_master_1client
|
|
||||||
|
|
||||||
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
index 817329756..a11376ab8 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
@@ -1743,7 +1743,7 @@ jobs:
|
|
||||||
selinux_enforcing: True
|
|
||||||
test_suite: test_integration/test_trust.py
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
- timeout: 9000
|
|
||||||
+ timeout: 10000
|
|
||||||
topology: *adroot_adchild_adtree_master_1client
|
|
||||||
|
|
||||||
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
index 4196265c7..3f8ce8b76 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
@@ -1627,7 +1627,7 @@ jobs:
|
|
||||||
build_url: '{fedora-previous-ipa-4-9/build_url}'
|
|
||||||
test_suite: test_integration/test_trust.py
|
|
||||||
template: *ci-ipa-4-9-previous
|
|
||||||
- timeout: 9000
|
|
||||||
+ timeout: 10000
|
|
||||||
topology: *adroot_adchild_adtree_master_1client
|
|
||||||
|
|
||||||
fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 0634badbb..ff2dd9cc8 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
|
|
||||||
cls.check_sid_generation()
|
|
||||||
tasks.sync_time(cls.master, cls.ad)
|
|
||||||
|
|
||||||
- cls.child_ad = cls.ad_subdomains[0]
|
|
||||||
- cls.ad_subdomain = cls.child_ad.domain.name
|
|
||||||
- cls.tree_ad = cls.ad_treedomains[0]
|
|
||||||
- cls.ad_treedomain = cls.tree_ad.domain.name
|
|
||||||
-
|
|
||||||
+ if cls.num_ad_subdomains > 0:
|
|
||||||
+ cls.child_ad = cls.ad_subdomains[0]
|
|
||||||
+ cls.ad_subdomain = cls.child_ad.domain.name
|
|
||||||
+ if cls.num_ad_treedomains > 0:
|
|
||||||
+ cls.tree_ad = cls.ad_treedomains[0]
|
|
||||||
+ cls.ad_treedomain = cls.tree_ad.domain.name
|
|
||||||
# values used in workaround for
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1711958
|
|
||||||
cls.srv_gc_record_name = \
|
|
||||||
@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
|
|
||||||
expected_text = 'iparangetype: %s\n' % expected_type
|
|
||||||
assert expected_text in result.stdout_text
|
|
||||||
|
|
||||||
+ def mod_idrange_auto_private_group(
|
|
||||||
+ self, option='false'
|
|
||||||
+ ):
|
|
||||||
+ """
|
|
||||||
+ Set the auto-private-group option of the default trusted
|
|
||||||
+ AD domain range.
|
|
||||||
+ """
|
|
||||||
+ tasks.kinit_admin(self.master)
|
|
||||||
+ rangename = self.ad_domain.upper() + '_id_range'
|
|
||||||
+ error_msg = "ipa: ERROR: no modifications to be performed"
|
|
||||||
+ cmd = ["ipa", "idrange-mod", rangename,
|
|
||||||
+ "--auto-private-groups", option]
|
|
||||||
+ result = self.master.run_command(cmd, raiseonerr=False)
|
|
||||||
+ if result.returncode != 0:
|
|
||||||
+ tasks.assert_error(result, error_msg)
|
|
||||||
+ tasks.clear_sssd_cache(self.master)
|
|
||||||
+ tasks.clear_sssd_cache(self.clients[0])
|
|
||||||
+ test = self.master.run_command(["ipa", "idrange-show", rangename])
|
|
||||||
+ assert "Auto private groups: {0}".format(option) in test.stdout_text
|
|
||||||
+
|
|
||||||
+ def get_user_id(self, host, username):
|
|
||||||
+ """
|
|
||||||
+ User uid gid is parsed from the output of id user command.
|
|
||||||
+ """
|
|
||||||
+ tasks.clear_sssd_cache(self.master)
|
|
||||||
+ tasks.clear_sssd_cache(self.clients[0])
|
|
||||||
+ self.master.run_command(["id", username])
|
|
||||||
+ test_id = host.run_command(["id", username])
|
|
||||||
+ regex = r"^uid=(?P<uid>\d+).*gid=(?P<gid>\d+).*groups=(?P<groups>\d+)"
|
|
||||||
+ match = re.match(regex, test_id.stdout_text)
|
|
||||||
+ uid = match.group('uid')
|
|
||||||
+ gid = match.group('gid')
|
|
||||||
+ return uid, gid
|
|
||||||
+
|
|
||||||
+ @contextmanager
|
|
||||||
+ def set_idoverrideuser(self, user, uid, gid):
|
|
||||||
+ """
|
|
||||||
+ Fixture to add/remove idoverrideuser for default idview,
|
|
||||||
+ also creates idm group with the provided gid because
|
|
||||||
+ gid overrides requires an existing group.
|
|
||||||
+ """
|
|
||||||
+ tasks.clear_sssd_cache(self.master)
|
|
||||||
+ tasks.clear_sssd_cache(self.clients[0])
|
|
||||||
+ tasks.kinit_admin(self.master)
|
|
||||||
+ try:
|
|
||||||
+ args = ["ipa", "idoverrideuser-add", "Default Trust View",
|
|
||||||
+ "--gid", gid, "--uid", uid, user]
|
|
||||||
+ self.master.run_command(args)
|
|
||||||
+ tasks.group_add(self.master, "idgroup",
|
|
||||||
+ extra_args=["--gid", gid])
|
|
||||||
+ yield
|
|
||||||
+ finally:
|
|
||||||
+ self.master.run_command([
|
|
||||||
+ "ipa", "idoverrideuser-del", "Default Trust View", user]
|
|
||||||
+ )
|
|
||||||
+ self.master.run_command(["ipa", "group-del", "idgroup"])
|
|
||||||
+
|
|
||||||
def remove_trust(self, ad):
|
|
||||||
tasks.remove_trust_with_ad(self.master,
|
|
||||||
ad.domain.name, ad.hostname)
|
|
||||||
@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
|
|
||||||
self.master.run_command(['rm', '-f', ad_zone_file])
|
|
||||||
tasks.configure_dns_for_trust(self.master, self.ad)
|
|
||||||
self.remove_trust(self.ad)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
+ """
|
|
||||||
+ Tests for auto-private-groups option with non posix AD trust
|
|
||||||
+ Related : https://pagure.io/freeipa/issue/8807
|
|
||||||
+ """
|
|
||||||
+ topology = 'line'
|
|
||||||
+ num_ad_domains = 1
|
|
||||||
+ num_clients = 1
|
|
||||||
+ num_ad_subdomains = 0
|
|
||||||
+ num_ad_treedomains = 0
|
|
||||||
+ uid_override = "99999999"
|
|
||||||
+ gid_override = "78878787"
|
|
||||||
+
|
|
||||||
+ def test_add_nonposix_trust(self):
|
|
||||||
+ tasks.configure_dns_for_trust(self.master, self.ad)
|
|
||||||
+ tasks.establish_trust_with_ad(
|
|
||||||
+ self.master, self.ad_domain,
|
|
||||||
+ extra_args=['--range-type', 'ipa-ad-trust'])
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_auto_private_groups_default_trusted_range(self, type):
|
|
||||||
+ """
|
|
||||||
+ Modify existing range for default trusted AD domain range
|
|
||||||
+ with auto-private-groups set as true/hybrid/false and test
|
|
||||||
+ user with no posix attributes.
|
|
||||||
+ """
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
|
||||||
+ if type == "true":
|
|
||||||
+ assert uid == gid
|
|
||||||
+ else:
|
|
||||||
+ test_group = self.clients[0].run_command(["id", nonposixuser])
|
|
||||||
+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
|
|
||||||
+ grp_str = "groups={0}(domain users@{1})".format(gid,
|
|
||||||
+ self.ad_domain)
|
|
||||||
+ assert gid_str in test_group.stdout_text
|
|
||||||
+ assert grp_str in test_group.stdout_text
|
|
||||||
+ assert uid != gid
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_idoverride_with_auto_private_group(self, type):
|
|
||||||
+ """
|
|
||||||
+ Override ad trusted user in default trust view
|
|
||||||
+ and set auto-private-groups=[hybrid,true,false]
|
|
||||||
+ and ensure that overridden values takes effect.
|
|
||||||
+ """
|
|
||||||
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
|
|
||||||
+ with self.set_idoverrideuser(nonposixuser,
|
|
||||||
+ self.uid_override,
|
|
||||||
+ self.gid_override
|
|
||||||
+ ):
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
|
||||||
+ assert (uid == self.uid_override and gid == self.gid_override)
|
|
||||||
+ test_group = self.clients[0].run_command(
|
|
||||||
+ ["id", nonposixuser]).stdout_text
|
|
||||||
+ assert "domain users@{0}".format(self.ad_domain) in test_group
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_nonposixuser_nondefault_primary_group(self, type):
|
|
||||||
+ """
|
|
||||||
+ Test for non default primary group.
|
|
||||||
+ For hybrid/false gid corresponds to the group testgroup1.
|
|
||||||
+ """
|
|
||||||
+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
|
|
||||||
+ if type == "true":
|
|
||||||
+ assert uid == gid
|
|
||||||
+ else:
|
|
||||||
+ test_group = self.clients[0].run_command(["id", nonposixuser1])
|
|
||||||
+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
|
|
||||||
+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
|
|
||||||
+ assert (gid_str in test_group.stdout_text
|
|
||||||
+ and group in test_group.stdout_text)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
+ """
|
|
||||||
+ Tests for auto-private-groups option with posix AD trust
|
|
||||||
+ Related : https://pagure.io/freeipa/issue/8807
|
|
||||||
+ """
|
|
||||||
+ topology = 'line'
|
|
||||||
+ num_ad_domains = 1
|
|
||||||
+ num_clients = 1
|
|
||||||
+ num_ad_subdomains = 0
|
|
||||||
+ num_ad_treedomains = 0
|
|
||||||
+ uid_override = "99999999"
|
|
||||||
+ gid_override = "78878787"
|
|
||||||
+
|
|
||||||
+ def test_add_posix_trust(self):
|
|
||||||
+ tasks.configure_dns_for_trust(self.master, self.ad)
|
|
||||||
+ tasks.establish_trust_with_ad(
|
|
||||||
+ self.master, self.ad_domain,
|
|
||||||
+ extra_args=['--range-type', 'ipa-ad-trust-posix'])
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_gidnumber_not_corresponding_existing_group(self, type):
|
|
||||||
+ """
|
|
||||||
+ Test checks that sssd can resolve AD users which
|
|
||||||
+ contain posix attributes (uidNumber and gidNumber)
|
|
||||||
+ but there is no group with the corresponding gidNumber.
|
|
||||||
+ """
|
|
||||||
+ posixuser = "testuser2@%s" % self.ad_domain
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ if type != "true":
|
|
||||||
+ result = self.clients[0].run_command(['id', posixuser],
|
|
||||||
+ raiseonerr=False)
|
|
||||||
+ tasks.assert_error(result, "no such user")
|
|
||||||
+ else:
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
+ assert uid == gid
|
|
||||||
+ assert uid == '10060'
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_only_uid_number_auto_private_group_default(self, type):
|
|
||||||
+ """
|
|
||||||
+ Test checks that posix user with only uidNumber defined
|
|
||||||
+ and gidNumber not set, auto-private-group
|
|
||||||
+ is set to false/true/hybrid
|
|
||||||
+ """
|
|
||||||
+ posixuser = "testuser1@%s" % self.ad_domain
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ if type == "true":
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
+ assert uid == gid
|
|
||||||
+ else:
|
|
||||||
+ for host in [self.master, self.clients[0]]:
|
|
||||||
+ result = host.run_command(['id', posixuser], raiseonerr=False)
|
|
||||||
+ tasks.assert_error(result, "no such user")
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_auto_private_group_primary_group(self, type):
|
|
||||||
+ """
|
|
||||||
+ Test checks that AD users which contain posix attributes
|
|
||||||
+ (uidNumber and gidNumber) and there is primary group
|
|
||||||
+ with gid number defined.
|
|
||||||
+ """
|
|
||||||
+ posixuser = "testuser@%s" % self.ad_domain
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
+ test_grp = self.clients[0].run_command(["id", posixuser])
|
|
||||||
+ assert uid == '10042'
|
|
||||||
+ if type == "true":
|
|
||||||
+ assert uid == gid
|
|
||||||
+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
|
|
||||||
+ self.ad_domain, self.ad_domain)
|
|
||||||
+ assert groups in test_grp.stdout_text
|
|
||||||
+ else:
|
|
||||||
+ assert gid == '10047'
|
|
||||||
+ groups = "10047(testgroup@{0})".format(self.ad_domain)
|
|
||||||
+ assert groups in test_grp.stdout_text
|
|
||||||
+
|
|
||||||
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
+ def test_idoverride_with_auto_private_group(self, type):
|
|
||||||
+ """
|
|
||||||
+ Override ad trusted user in default trust view
|
|
||||||
+ and set auto-private-groups=[hybrid,true,false]
|
|
||||||
+ and ensure that overridden values takes effect.
|
|
||||||
+ """
|
|
||||||
+ posixuser = "testuser@%s" % self.ad_domain
|
|
||||||
+ with self.set_idoverrideuser(posixuser,
|
|
||||||
+ self.uid_override,
|
|
||||||
+ self.gid_override):
|
|
||||||
+ self.mod_idrange_auto_private_group(type)
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
+ assert(uid == self.uid_override
|
|
||||||
+ and gid == self.gid_override)
|
|
||||||
+ result = self.clients[0].run_command(['id', posixuser])
|
|
||||||
+ assert "10047(testgroup@{0})".format(
|
|
||||||
+ self.ad_domain) in result.stdout_text
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
||||||
From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Thu, 10 Feb 2022 17:07:45 +0530
|
|
||||||
Subject: [PATCH] mark xfail for
|
|
||||||
test_idoverride_with_auto_private_group[hybrid]
|
|
||||||
|
|
||||||
Related : https://github.com/SSSD/sssd/issues/5989
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_trust.py | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index ff2dd9cc8..54bd15462 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
|
||||||
from ipatests.pytest_ipa.integration import fips
|
|
||||||
+from ipatests.util import xfail_context
|
|
||||||
from ipapython.dn import DN
|
|
||||||
from collections import namedtuple
|
|
||||||
from contextlib import contextmanager
|
|
||||||
@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
assert (uid == self.uid_override and gid == self.gid_override)
|
|
||||||
test_group = self.clients[0].run_command(
|
|
||||||
["id", nonposixuser]).stdout_text
|
|
||||||
- assert "domain users@{0}".format(self.ad_domain) in test_group
|
|
||||||
+ version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
+ with xfail_context(version <= tasks.parse_version('2.6.3')
|
|
||||||
+ and type == "hybrid",
|
|
||||||
+ 'https://github.com/SSSD/sssd/issues/5989'):
|
|
||||||
+ assert "domain users@{0}".format(self.ad_domain) in test_group
|
|
||||||
|
|
||||||
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
def test_nonposixuser_nondefault_primary_group(self, type):
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
||||||
From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Thu, 10 Feb 2022 17:29:45 +0530
|
|
||||||
Subject: [PATCH] Mark xfail
|
|
||||||
test_gidnumber_not_corresponding_existing_group[true,hybrid]
|
|
||||||
|
|
||||||
Related : https://github.com/SSSD/sssd/issues/5988
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_trust.py | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 54bd15462..c12837815 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
raiseonerr=False)
|
|
||||||
tasks.assert_error(result, "no such user")
|
|
||||||
else:
|
|
||||||
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
- assert uid == gid
|
|
||||||
- assert uid == '10060'
|
|
||||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
|
|
||||||
+ 'https://github.com/SSSD/sssd/issues/5988'):
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
+ assert uid == gid
|
|
||||||
+ assert uid == '10060'
|
|
||||||
|
|
||||||
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
def test_only_uid_number_auto_private_group_default(self, type):
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
|
@ -4,20 +4,20 @@ Date: Mon, 19 Dec 2022 14:57:03 -0300
|
||||||
Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
|
Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
|
||||||
|
|
||||||
This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
|
This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
|
||||||
---
|
|
||||||
ipapython/dnsutil.py | 41 -------------------------
|
|
||||||
ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------
|
|
||||||
2 files changed, 81 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
|
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
|
||||||
index 58de365ab..4baeaf8cc 100644
|
index 58de365ab..4baeaf8cc 100644
|
||||||
--- a/ipapython/dnsutil.py
|
--- a/ipapython/dnsutil.py 2023-05-19 05:12:52.471239297 -0300
|
||||||
+++ b/ipapython/dnsutil.py
|
+++ b/ipapython/dnsutil.py 2023-05-24 12:20:13.588867053 -0300
|
||||||
@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver):
|
@@ -145,55 +145,6 @@
|
||||||
nameservers.remove(ipv4_loopback)
|
nameservers.remove(ipv4_loopback)
|
||||||
self.nameservers = nameservers
|
self.nameservers = nameservers
|
||||||
|
|
||||||
- @dns.resolver.Resolver.nameservers.setter
|
- @property
|
||||||
|
- def nameservers(self):
|
||||||
|
- return self._nameservers
|
||||||
|
-
|
||||||
|
- @nameservers.setter
|
||||||
- def nameservers(self, nameservers):
|
- def nameservers(self, nameservers):
|
||||||
- """
|
- """
|
||||||
- *nameservers*, a ``list`` of nameservers with optional ports:
|
- *nameservers*, a ``list`` of nameservers with optional ports:
|
||||||
|
@ -54,7 +54,11 @@ index 58de365ab..4baeaf8cc 100644
|
||||||
- nameservers = _nameservers
|
- nameservers = _nameservers
|
||||||
-
|
-
|
||||||
- # Call dns.resolver.Resolver.nameservers setter
|
- # Call dns.resolver.Resolver.nameservers setter
|
||||||
- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
|
- if hasattr(dns.resolver.Resolver, "nameservers"):
|
||||||
|
- dns.resolver.Resolver.nameservers.__set__(self, nameservers)
|
||||||
|
- else:
|
||||||
|
- # old dnspython (<2) doesn't have 'nameservers' property
|
||||||
|
- self._nameservers = nameservers
|
||||||
- # Set nameserver_ports after successfull call to setter
|
- # Set nameserver_ports after successfull call to setter
|
||||||
- self.nameserver_ports = nameserver_ports
|
- self.nameserver_ports = nameserver_ports
|
||||||
-
|
-
|
||||||
|
@ -62,23 +66,29 @@ index 58de365ab..4baeaf8cc 100644
|
||||||
class DNSZoneAlreadyExists(dns.exception.DNSException):
|
class DNSZoneAlreadyExists(dns.exception.DNSException):
|
||||||
supp_kwargs = {'zone', 'ns'}
|
supp_kwargs = {'zone', 'ns'}
|
||||||
diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
|
diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
|
||||||
index 09463c69d..5e7a46197 100644
|
index 9070d89ad..5e7a46197 100644
|
||||||
--- a/ipatests/test_ipapython/test_dnsutil.py
|
--- a/ipatests/test_ipapython/test_dnsutil.py
|
||||||
+++ b/ipatests/test_ipapython/test_dnsutil.py
|
+++ b/ipatests/test_ipapython/test_dnsutil.py
|
||||||
@@ -101,43 +101,3 @@ class TestSortURI:
|
@@ -101,48 +101,3 @@ class TestSortURI:
|
||||||
assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
|
assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
|
||||||
assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
|
assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
|
||||||
assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
|
assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
|
||||||
-
|
-
|
||||||
-
|
-
|
||||||
-class TestDNSResolver:
|
-class TestDNSResolver:
|
||||||
- def test_nameservers(self):
|
- @pytest.fixture(name="res")
|
||||||
- res = dnsutil.DNSResolver()
|
- def resolver(self):
|
||||||
|
- """Resolver that doesn't read /etc/resolv.conf
|
||||||
|
-
|
||||||
|
- /etc/resolv.conf is not mandatory on systems
|
||||||
|
- """
|
||||||
|
- return dnsutil.DNSResolver(configure=False)
|
||||||
|
-
|
||||||
|
- def test_nameservers(self, res):
|
||||||
- res.nameservers = ["4.4.4.4", "8.8.8.8"]
|
- res.nameservers = ["4.4.4.4", "8.8.8.8"]
|
||||||
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
|
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
|
||||||
-
|
-
|
||||||
- def test_nameservers_with_ports(self):
|
- def test_nameservers_with_ports(self, res):
|
||||||
- res = dnsutil.DNSResolver()
|
|
||||||
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
|
- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
|
||||||
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
|
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
|
||||||
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
|
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
|
||||||
|
@ -87,8 +97,7 @@ index 09463c69d..5e7a46197 100644
|
||||||
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
|
- assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
|
||||||
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
|
- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
|
||||||
-
|
-
|
||||||
- def test_nameservers_with_bad_ports(self):
|
- def test_nameservers_with_bad_ports(self, res):
|
||||||
- res = dnsutil.DNSResolver()
|
|
||||||
- try:
|
- try:
|
||||||
- res.nameservers = ["4.4.4.4 port a"]
|
- res.nameservers = ["4.4.4.4 port a"]
|
||||||
- except ValueError:
|
- except ValueError:
|
||||||
|
@ -109,6 +118,3 @@ index 09463c69d..5e7a46197 100644
|
||||||
- pass
|
- pass
|
||||||
- else:
|
- else:
|
||||||
- pytest.fail("No fail on bad port 65536")
|
- pytest.fail("No fail on bad port 65536")
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
|
|
|
@ -1,122 +0,0 @@
|
||||||
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 26 Nov 2021 11:13:51 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
|
|
||||||
MS-SFU updates
|
|
||||||
|
|
||||||
New versions of MS-KILE and MS-SFU after Windows Server November 2021
|
|
||||||
security updates add PAC_REQUESTER_SID buffer check behavior:
|
|
||||||
|
|
||||||
- PAC_REQUESTER_SID should only be added for TGT requests
|
|
||||||
|
|
||||||
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
|
|
||||||
the ticket resolves to the account with the same SID as the
|
|
||||||
PAC_REQUESTER_SID. If it doesn't KDC must respond with
|
|
||||||
KDC_ERR_TKT_REVOKED
|
|
||||||
|
|
||||||
Change requester SID check to skip exact check for non-local
|
|
||||||
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
|
|
||||||
we know about.
|
|
||||||
|
|
||||||
If requester SID is the same as in PAC, we already do cname vs PAC SID
|
|
||||||
verification.
|
|
||||||
|
|
||||||
With these changes FreeIPA works against Windows Server 2019 with
|
|
||||||
November 2021 security fixes in cross-realm S4U2Self operations.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9031
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
|
|
||||||
1 file changed, 34 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 538cfbba9..1b972c167 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|
||||||
"local [%s], PAC [%s]",
|
|
||||||
dom ? dom : "<failed to display>",
|
|
||||||
sid ? sid : "<failed to display>");
|
|
||||||
- return KRB5KDC_ERR_POLICY;
|
|
||||||
+ return KRB5KDC_ERR_TGT_REVOKED;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|
||||||
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
|
||||||
if (kerr != 0) {
|
|
||||||
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
|
|
||||||
- return KRB5KDC_ERR_POLICY;
|
|
||||||
+ return KRB5KDC_ERR_TGT_REVOKED;
|
|
||||||
}
|
|
||||||
|
|
||||||
ied = (struct ipadb_e_data *)client_actual->e_data;
|
|
||||||
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|
||||||
"local [%s] vs PAC [%s]",
|
|
||||||
local_sid ? local_sid : "<failed to display>",
|
|
||||||
pac_sid ? pac_sid : "<failed to display>");
|
|
||||||
- kerr = KRB5KDC_ERR_POLICY;
|
|
||||||
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
|
||||||
/* Check that requester SID is the same as in the PAC entry */
|
|
||||||
if (requester_sid != NULL) {
|
|
||||||
struct dom_sid client_sid;
|
|
||||||
+ bool is_from_trusted_domain = false;
|
|
||||||
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
|
|
||||||
if (kerr) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
result = dom_sid_check(&client_sid, requester_sid, true);
|
|
||||||
if (!result) {
|
|
||||||
- /* memctx is freed by the caller */
|
|
||||||
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
|
||||||
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
|
||||||
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
|
||||||
- "different from what PAC requester claims. "
|
|
||||||
- "PAC [%s] vs PAC requester [%s]",
|
|
||||||
- pac_sid ? pac_sid : "<failed to display>",
|
|
||||||
- req_sid ? req_sid : "<failed to display>");
|
|
||||||
- kerr = KRB5KDC_ERR_POLICY;
|
|
||||||
- goto done;
|
|
||||||
+ struct ipadb_context *ipactx = ipadb_get_context(context);
|
|
||||||
+ if (!ipactx || !ipactx->mspac) {
|
|
||||||
+ return KRB5_KDB_DBNOTINITED;
|
|
||||||
+ }
|
|
||||||
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
|
||||||
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
|
||||||
+ /* Iterate through list of trusts and check if this SID belongs to
|
|
||||||
+ * one of the domains we trust */
|
|
||||||
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
|
||||||
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
|
||||||
+ requester_sid, false);
|
|
||||||
+ if (result) {
|
|
||||||
+ is_from_trusted_domain = true;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!is_from_trusted_domain) {
|
|
||||||
+ /* memctx is freed by the caller */
|
|
||||||
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
|
||||||
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
|
||||||
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
|
||||||
+ "different from what PAC requester claims. "
|
|
||||||
+ "PAC [%s] vs PAC requester [%s]",
|
|
||||||
+ pac_sid ? pac_sid : "<failed to display>",
|
|
||||||
+ req_sid ? req_sid : "<failed to display>");
|
|
||||||
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi
|
|
||||||
00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ
|
|
||||||
4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG
|
|
||||||
KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7
|
|
||||||
go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI
|
|
||||||
wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv
|
|
||||||
EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf
|
|
||||||
+y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr
|
|
||||||
WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc
|
|
||||||
oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut
|
|
||||||
IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd
|
|
||||||
umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E=
|
|
||||||
=8YVm
|
|
||||||
-----END PGP SIGNATURE-----
|
|
|
@ -1,16 +0,0 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
|
|
||||||
00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
|
|
||||||
MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
|
|
||||||
XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
|
|
||||||
E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
|
|
||||||
q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
|
|
||||||
BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
|
|
||||||
CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
|
|
||||||
UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
|
|
||||||
q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
|
|
||||||
urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
|
|
||||||
w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
|
|
||||||
=t9up
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3184
freeipa.spec
3184
freeipa.spec
File diff suppressed because it is too large
Load Diff
12
ipa.spec
12
ipa.spec
|
@ -176,7 +176,7 @@
|
||||||
|
|
||||||
# Work-around fact that RPM SPEC parser does not accept
|
# Work-around fact that RPM SPEC parser does not accept
|
||||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||||
%define IPA_VERSION 4.9.11
|
%define IPA_VERSION 4.9.12
|
||||||
# Release candidate version -- uncomment with one percent for RC versions
|
# Release candidate version -- uncomment with one percent for RC versions
|
||||||
#%%global rc_version %%nil
|
#%%global rc_version %%nil
|
||||||
%define AT_SIGN @
|
%define AT_SIGN @
|
||||||
|
@ -189,7 +189,7 @@
|
||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 3%{?rc_version:.%rc_version}%{?dist}
|
Release: 1%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
|
@ -209,7 +209,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
||||||
# RHEL spec file only: START
|
# RHEL spec file only: START
|
||||||
%if %{NON_DEVELOPER_BUILD}
|
%if %{NON_DEVELOPER_BUILD}
|
||||||
%if 0%{?rhel} >= 8
|
%if 0%{?rhel} >= 8
|
||||||
Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch
|
Patch0001: 0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||||
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
|
||||||
|
@ -1725,6 +1725,12 @@ fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 24 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-1
|
||||||
|
- Rebase ipa to 4.9.12
|
||||||
|
Resolves: RHBZ#2196425
|
||||||
|
- user or group name: explain the supported format
|
||||||
|
Resolves: RHBZ#2150217
|
||||||
|
|
||||||
* Mon Dec 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-3
|
* Mon Dec 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-3
|
||||||
- Revert DNSResolver Fix use of nameservers with ports.
|
- Revert DNSResolver Fix use of nameservers with ports.
|
||||||
Related: RHBZ#2141316
|
Related: RHBZ#2141316
|
||||||
|
|
3
sources
3
sources
|
@ -1 +1,2 @@
|
||||||
SHA512 (freeipa-4.9.11.tar.gz) = cab799850faa30b6e6799d8f0a25dac3e4941c269a9bf0da86d998f1ecb5f4d0f5c84059dae6e88f8f17f24642015eb6fe29fcb281067b70b5e44644572b0b80
|
SHA512 (freeipa-4.9.12.tar.gz) = a4d7d46042bbbf8ca3df6bca45cdab9f3bfb7634fc516c1939533e5e200035374c6e72981dde7dc96a176679b69275fc54f0dfb174beeee66ba21d72006d4b1f
|
||||||
|
SHA512 (freeipa-4.9.12.tar.gz.asc) = 95ad27a52df1e4dd9ad9f058c53199cfd26e5b1c4269dd5a7b55147881033d55cc2656e812975015aff228e7f98417e3b22584b8413d53ec299ece98e1279e6f
|
||||||
|
|
Loading…
Reference in New Issue