diff --git a/0001-Remove-unneeded-dependency-on-python-coverage.patch b/0001-Remove-unneeded-dependency-on-python-coverage.patch new file mode 100644 index 0000000..d27c680 --- /dev/null +++ b/0001-Remove-unneeded-dependency-on-python-coverage.patch @@ -0,0 +1,30 @@ +From 01f4b9d7935ca41c93b17e28543054f36e5baf46 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 30 Jun 2021 14:57:32 +0200 +Subject: [PATCH] Remove unneeded dependency on python-coverage + +The spec file requires python3-coverage although it is not +used in the project. + +Fixes: https://pagure.io/freeipa/issue/8905 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Francois Cami +--- + freeipa.spec.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index fdca43a24a6e07f77b9cd8a0feec940a0366f128..fbfe4d09eedc169112dcdc18a953134de67b7731 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -872,7 +872,6 @@ BuildArch: noarch + Requires: python3-ipaclient = %{version}-%{release} + Requires: python3-ipaserver = %{version}-%{release} + Requires: iptables +-Requires: python3-coverage + Requires: python3-cryptography >= 1.6 + Requires: python3-pexpect + %if 0%{?fedora} +-- +2.26.3 + diff --git a/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch b/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch new file mode 100644 index 0000000..411d510 --- /dev/null +++ b/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch @@ -0,0 +1,134 @@ +From dffccae7193b0616cb84792edec480f5f67e1fc6 Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 8 Mar 2021 18:15:50 +0100 +Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA + services + +Authentication indicators should not be enforced against internal +IPA services, since not all users of those services are able to produce +Kerberos tickets with all the auth indicator options. This includes +host, ldap, HTTP and cifs in IPA server and cifs in IPA clients. +If a client that is being promoted to replica has an auth indicator +in its host principal then the promotion is aborted. + +Fixes: https://pagure.io/freeipa/issue/8206 +Signed-off-by: Antonio Torres +--- + ipaserver/install/server/replicainstall.py | 13 ++++++++++++ + ipaserver/plugins/host.py | 5 ++++- + ipaserver/plugins/service.py | 24 ++++++++++++++++++++++ + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 73967a2249d5c8944d70c5c3ca9a9d3b3bfc6b73..f1fb9103687ce9719ef24c8cb3c41088a4003b25 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): + )) + + ++def promotion_check_host_principal_auth_ind(conn, hostdn): ++ entry = conn.get_entry(hostdn, ['krbprincipalauthind']) ++ if 'krbprincipalauthind' in entry: ++ raise RuntimeError( ++ "Client cannot be promoted to a replica if the host principal " ++ "has an authentication indicator set." ++ ) ++ ++ + @common_cleanup + @preserve_enrollment_state + def promote_check(installer): +@@ -956,6 +965,10 @@ def promote_check(installer): + config.master_host_name, None) + + promotion_check_ipa_domain(conn, remote_api.env.basedn) ++ hostdn = DN(('fqdn', api.env.host), ++ api.env.container_host, ++ api.env.basedn) ++ promotion_check_host_principal_auth_ind(conn, hostdn) + + # Make sure that domain fulfills minimal domain level + # requirement +diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py +index eb1f8ef042faf4b0deadfd5cef47f7688836506e..41fa933e2422184eafc4eae185a163082b96e045 100644 +--- a/ipaserver/plugins/host.py ++++ b/ipaserver/plugins/host.py +@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, + LDAPAddAttributeViaOption, + LDAPRemoveAttributeViaOption) + from .service import ( +- validate_realm, normalize_principal, ++ validate_realm, validate_auth_indicator, normalize_principal, + set_certificate_attrs, ticket_flags_params, update_krbticketflags, + set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap, + rename_ipaallowedtoperform_to_ldap, revoke_certs) +@@ -735,6 +735,8 @@ class host_add(LDAPCreate): + update_krbticketflags(ldap, entry_attrs, attrs_list, options, False) + if 'krbticketflags' in entry_attrs: + entry_attrs['objectclass'].append('krbticketpolicyaux') ++ validate_auth_indicator(entry_attrs) ++ + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate): + if 'krbprincipalaux' not in (item.lower() for item in + entry_attrs['objectclass']): + entry_attrs['objectclass'].append('krbprincipalaux') ++ validate_auth_indicator(entry_attrs) + + add_sshpubkey_to_attrs_pre(self.context, attrs_list) + +diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py +index 1c93478049f5bdfdaf8503e459bd962dbbee9b44..cfbbff3c69c6a92535df58c51767c3d0952c7b0b 100644 +--- a/ipaserver/plugins/service.py ++++ b/ipaserver/plugins/service.py +@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal): + raise errors.RealmMismatch() + + ++def validate_auth_indicator(entry): ++ new_value = entry.get('krbprincipalauthind', None) ++ if not new_value: ++ return ++ # The following services are considered internal IPA services ++ # and shouldn't be allowed to have auth indicators. ++ # https://pagure.io/freeipa/issue/8206 ++ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) ++ principal = kerberos.Principal(pkey) ++ server = api.Command.server_find(principal.hostname)['result'] ++ if server: ++ prefixes = ("host", "cifs", "ldap", "HTTP") ++ else: ++ prefixes = ("cifs",) ++ if principal.service_name in prefixes: ++ raise errors.ValidationError( ++ name='krbprincipalauthind', ++ error=_('authentication indicators not allowed ' ++ 'in service "%s"' % principal.service_name) ++ ) ++ ++ + def normalize_principal(value): + """ + Ensure that the name in the principal is lower-case. The realm is +@@ -652,6 +674,7 @@ class service_add(LDAPCreate): + hostname) + + self.obj.validate_ipakrbauthzdata(entry_attrs) ++ validate_auth_indicator(entry_attrs) + + if not options.get('force', False): + # We know the host exists if we've gotten this far but we +@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate): + assert isinstance(dn, DN) + + self.obj.validate_ipakrbauthzdata(entry_attrs) ++ validate_auth_indicator(entry_attrs) + + # verify certificates + certs = entry_attrs.get('usercertificate') or [] +-- +2.26.3 + diff --git a/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch b/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch new file mode 100644 index 0000000..681a79d --- /dev/null +++ b/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch @@ -0,0 +1,138 @@ +From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 8 Mar 2021 18:20:35 +0100 +Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal + IPA services + +Authentication indicators should not be added to internal IPA services, +since this can lead to a broken IPA setup. In case a client with +an auth indicator set in its host principal, promoting it to a replica +should fail. + +Related: https://pagure.io/freeipa/issue/8206 +Signed-off-by: Antonio Torres +--- + .../test_replica_promotion.py | 38 +++++++++++++++++++ + ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++ + ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++ + 3 files changed, 69 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + assert result.returncode == 1 + assert expected_err in result.stderr_text + ++ @replicas_cleanup ++ def test_install_with_host_auth_ind_set(self): ++ """ A client shouldn't be able to be promoted if it has ++ any auth indicator set in the host principal. ++ https://pagure.io/freeipa/issue/8206 ++ """ ++ ++ client = self.replicas[0] ++ # Configure firewall first ++ Firewall(client).enable_services(["freeipa-ldap", ++ "freeipa-ldaps"]) ++ ++ client.run_command(['ipa-client-install', '-U', ++ '--domain', self.master.domain.name, ++ '--realm', self.master.domain.realm, ++ '-p', 'admin', ++ '-w', self.master.config.admin_password, ++ '--server', self.master.hostname, ++ '--force-join']) ++ ++ tasks.kinit_admin(client) ++ ++ client.run_command(['ipa', 'host-mod', '--auth-ind=otp', ++ client.hostname]) ++ ++ res = client.run_command(['ipa-replica-install', '-U', '-w', ++ self.master.config.dirman_password], ++ raiseonerr=False) ++ ++ client.run_command(['ipa', 'host-mod', '--auth-ind=', ++ client.hostname]) ++ ++ expected_err = ("Client cannot be promoted to a replica if the host " ++ "principal has an authentication indicator set.") ++ assert res.returncode == 1 ++ assert expected_err in res.stderr_text ++ ++ + @replicas_cleanup + def test_one_command_installation(self): + """ +diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py +index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644 +--- a/ipatests/test_xmlrpc/test_host_plugin.py ++++ b/ipatests/test_xmlrpc/test_host_plugin.py +@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test): + error=u'An IPA master host cannot be deleted or disabled')): + command() + ++ def test_try_add_auth_ind_master(self, this_host): ++ command = this_host.make_update_command({ ++ u'krbprincipalauthind': u'radius'}) ++ with raises_exact(errors.ValidationError( ++ name='krbprincipalauthind', ++ error=u'authentication indicators not allowed ' ++ 'in service "host"' ++ )): ++ command() ++ + + @pytest.mark.tier1 + class TestValidation(XMLRPC_test): +diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py +index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644 +--- a/ipatests/test_xmlrpc/test_service_plugin.py ++++ b/ipatests/test_xmlrpc/test_service_plugin.py +@@ -25,6 +25,7 @@ from ipalib import api, errors + from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash + from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer + from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test ++from ipatests.test_xmlrpc.xmlrpc_test import raises_exact + from ipatests.test_xmlrpc import objectclasses + from ipatests.test_xmlrpc.testcert import get_testcert, subject_base + from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn +@@ -1552,6 +1553,15 @@ def indicators_host(request): + return tracker.make_fixture(request) + + ++@pytest.fixture(scope='function') ++def this_host(request): ++ """Fixture for the current master""" ++ tracker = HostTracker(name=api.env.host.partition('.')[0], ++ fqdn=api.env.host) ++ tracker.exists = True ++ return tracker ++ ++ + @pytest.fixture(scope='function') + def indicators_service(request): + tracker = ServiceTracker( +@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test): + expected_updates={u'krbprincipalauthind': [u'radius']} + ) + ++ def test_update_indicator_internal_service(self, this_host): ++ command = this_host.make_command('service_mod', ++ 'ldap/' + this_host.fqdn, ++ **dict(krbprincipalauthind='otp')) ++ with raises_exact(errors.ValidationError( ++ name='krbprincipalauthind', ++ error=u'authentication indicators not allowed ' ++ 'in service "ldap"' ++ )): ++ command() ++ + + @pytest.fixture(scope='function') + def managing_host(request): +-- +2.26.3 + diff --git a/0004-stageuser-add-ipauserauthtypeclass-when-required.patch b/0004-stageuser-add-ipauserauthtypeclass-when-required.patch new file mode 100644 index 0000000..2d9e34f --- /dev/null +++ b/0004-stageuser-add-ipauserauthtypeclass-when-required.patch @@ -0,0 +1,57 @@ +From a8d6257b2cf64c3dd2b1c5d7bcf81acc3b766853 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 5 Jul 2021 09:51:41 +0200 +Subject: [PATCH] stageuser: add ipauserauthtypeclass when required + +The command +ipa stageuser-add --user-auth-type=xxx +is currently failing because the objectclass ipauserauthtypeclass +is missing from the created entry. + +There is code adding the missing objectclass in the +pre_common_callback method of user_add, and this code should +be common to user_add and stageuser_add. In order to avoid code +duplication, it makes more sense to move the existing code to +pre_common_callback of baseuser_add, that is called by both +classes. + +Fixes: https://pagure.io/freeipa/issue/8909 +Reviewed-By: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipaserver/plugins/baseuser.py | 3 +++ + ipaserver/plugins/user.py | 4 ---- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py +index ae16a978ab01f9c5c257e9cb5567c918a7fafdc5..6035228f19ef8acaf4992490d5512c126881816d 100644 +--- a/ipaserver/plugins/baseuser.py ++++ b/ipaserver/plugins/baseuser.py +@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate): + if entry_attrs.get('ipatokenradiususername', None): + add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn, + entry_attrs, update=False) ++ if entry_attrs.get('ipauserauthtype', None): ++ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn, ++ entry_attrs, update=False) + + def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) +diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py +index 6f7facb5380ba56feab39b71cd265776f3ab57d8..e4ee572b236c288fd7dcf1d44c5adf1f836f63aa 100644 +--- a/ipaserver/plugins/user.py ++++ b/ipaserver/plugins/user.py +@@ -617,10 +617,6 @@ class user_add(baseuser_add): + 'ipauser' not in entry_attrs['objectclass']: + entry_attrs['objectclass'].append('ipauser') + +- if 'ipauserauthtype' in entry_attrs and \ +- 'ipauserauthtypeclass' not in entry_attrs['objectclass']: +- entry_attrs['objectclass'].append('ipauserauthtypeclass') +- + rcl = entry_attrs.get('ipatokenradiusconfiglink', None) + if rcl: + if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']: +-- +2.26.3 + diff --git a/0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch b/0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch new file mode 100644 index 0000000..d96d52f --- /dev/null +++ b/0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch @@ -0,0 +1,32 @@ +From 932910456e0269edefe396d4af96447f90ff29b3 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 5 Jul 2021 10:22:31 +0200 +Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type + +Related: https://pagure.io/freeipa/issue/8909 +Reviewed-By: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py +index 5586fc607e134938225c1c982fc39d169847f549..bc606b093c98ce204ad4ea17e5c16273144fa2e7 100644 +--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py ++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py +@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test): + result = command() + assert result['count'] == 1 + ++ def test_create_withuserauthtype(self, stageduser): ++ stageduser.ensure_missing() ++ command = stageduser.make_create_command( ++ options={u'ipauserauthtype': u'password'}) ++ command() ++ + + @pytest.mark.tier1 + class TestCreateInvalidAttributes(XMLRPC_test): +-- +2.26.3 + diff --git a/0006-augeas-bump-version-for-rhel9.patch b/0006-augeas-bump-version-for-rhel9.patch new file mode 100644 index 0000000..35859fe --- /dev/null +++ b/0006-augeas-bump-version-for-rhel9.patch @@ -0,0 +1,40 @@ +From 9144526d2d7e7dcd8503c6c38226e17ebb4ed8b9 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 7 Jul 2021 10:49:25 +0200 +Subject: [PATCH] augeas: bump version for rhel9 + +augeas 1.12.1-0.1 adds support for the new chony configuration +settings. + +Related: https://pagure.io/freeipa/issue/8676 +Reviewed-By: Francois Cami +Reviewed-By: Anuja More +--- + freeipa.spec.in | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index fbfe4d09eedc169112dcdc18a953134de67b7731..ae4af099f39641a9f5163d61cfb37e1c3afb6f4b 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -162,13 +162,16 @@ + + # augeas support for new chrony options + # see https://pagure.io/freeipa/issue/8676 +-# Note: will need to be updated for RHEL9 when a fix is available for + # https://bugzilla.redhat.com/show_bug.cgi?id=1931787 + %if 0%{?fedora} >= 33 + %global augeas_version 1.12.0-6 + %else ++%if 0%{?rhel} >= 9 ++%global augeas_version 1.12.1-0 ++%else + %global augeas_version 1.12.0-3 + %endif ++%endif + + %global plugin_dir %{_libdir}/dirsrv/plugins + %global etc_systemd_dir %{_sysconfdir}/systemd/system +-- +2.26.3 + diff --git a/freeipa.spec b/freeipa.spec index d8ca7bb..ae07ba5 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -162,13 +162,16 @@ # augeas support for new chrony options # see https://pagure.io/freeipa/issue/8676 -# Note: will need to be updated for RHEL9 when a fix is available for # https://bugzilla.redhat.com/show_bug.cgi?id=1931787 %if 0%{?fedora} >= 33 %global augeas_version 1.12.0-6 %else +%if 0%{?rhel} >= 9 +%global augeas_version 1.12.1-0 +%else %global augeas_version 1.12.0-3 %endif +%endif %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system @@ -191,7 +194,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist} +Release: 2%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -211,6 +214,12 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 +Patch0001: 0001-Remove-unneeded-dependency-on-python-coverage.patch +Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch +Patch0003: 0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch +Patch0004: 0004-stageuser-add-ipauserauthtypeclass-when-required.patch +Patch0005: 0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch +Patch0006: 0006-augeas-bump-version-for-rhel9.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -866,7 +875,6 @@ BuildArch: noarch Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: iptables -Requires: python3-coverage Requires: python3-cryptography >= 1.6 Requires: python3-pexpect %if 0%{?fedora} @@ -1690,6 +1698,12 @@ fi %endif %changelog +* Fri Jul 9 2021 Florence Blanc-Renaud - 4.9.6-2 +- Resolves: rhbz#1955440 ipa installation fails to configure chrony +- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage +- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add +- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services + * Wed Jun 30 2021 Florence Blanc-Renaud - 4.9.6-1 - Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version - Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache