diff --git a/.gitignore b/.gitignore index 5471ecd..dbce2de 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/freeipa-4.9.12.tar.gz +SOURCES/freeipa-4.9.13.tar.gz diff --git a/.ipa.metadata b/.ipa.metadata index de73ab5..ee9bea0 100644 --- a/.ipa.metadata +++ b/.ipa.metadata @@ -1 +1 @@ -ea6c8a209748b4ad8d07da556f705a366b3dd6c1 SOURCES/freeipa-4.9.12.tar.gz +da1bb0220894d8dc06afb98dcf087fea38076a79 SOURCES/freeipa-4.9.13.tar.gz diff --git a/SOURCES/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch b/SOURCES/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch deleted file mode 100644 index 8bad0c6..0000000 --- a/SOURCES/0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch +++ /dev/null @@ -1,261 +0,0 @@ -From f42a106e84c1fd609350da2540289ce945a7ecbd Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 11 May 2023 10:53:58 +0200 -Subject: [PATCH] user or group name: explain the supported format - -The commands ipa user-add or ipa group-add validate the -format of the user/group name and display the following -message when it does not conform to the expectations: -invalid 'login': may only include letters, numbers, _, -, . and $ - -The format is more complex, for instance '1234567' is an invalid -user name but the failure is inconsistent with the error message. -Modify the error message to point to ipa help user/group and add -more details in the help message. - -Same change for idoverrideuser and idoverridegroup: -The user/group name must follow these rules: -- cannot contain only numbers -- must start with a letter, a number, _ or . -- may contain letters, numbers, _, ., or - -- may end with a letter, a number, _, ., - or $ - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rafael Guterres Jeffman -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ipalib/constants.py | 5 +++++ - ipaserver/plugins/baseuser.py | 2 +- - ipaserver/plugins/group.py | 10 ++++++++-- - ipaserver/plugins/idviews.py | 5 +++-- - ipaserver/plugins/stageuser.py | 6 ++++++ - ipaserver/plugins/user.py | 6 ++++++ - ipatests/test_xmlrpc/test_group_plugin.py | 5 +++-- - ipatests/test_xmlrpc/test_stageuser_plugin.py | 3 ++- - ipatests/test_xmlrpc/test_user_plugin.py | 7 ++++--- - 9 files changed, 38 insertions(+), 11 deletions(-) - -diff --git a/ipalib/constants.py b/ipalib/constants.py -index 4b759a573..104419bc2 100644 ---- a/ipalib/constants.py -+++ b/ipalib/constants.py -@@ -319,6 +319,11 @@ MAXHOSTFQDNLEN = 253 - PATTERN_GROUPUSER_NAME = ( - '(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' - ) -+ERRMSG_GROUPUSER_NAME = ( -+ 'may only include letters, numbers, _, -, . and $' -+ ', refer to \'ipa help {}\' for complete format ' -+ 'description' -+) - - # Kerberos Anonymous principal name - ANON_USER = 'WELLKNOWN/ANONYMOUS' -diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py -index 684a65242..bae6c54ff 100644 ---- a/ipaserver/plugins/baseuser.py -+++ b/ipaserver/plugins/baseuser.py -@@ -211,7 +211,7 @@ class baseuser(LDAPObject): - takes_params = ( - Str('uid', - pattern=constants.PATTERN_GROUPUSER_NAME, -- pattern_errmsg='may only include letters, numbers, _, -, . and $', -+ pattern_errmsg=constants.ERRMSG_GROUPUSER_NAME.format('user'), - maxlength=255, - cli_name='login', - label=_('User login'), -diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py -index afdad93c1..0333ed622 100644 ---- a/ipaserver/plugins/group.py -+++ b/ipaserver/plugins/group.py -@@ -24,7 +24,7 @@ import logging - - from ipalib import api - from ipalib import Int, Str, Flag --from ipalib.constants import PATTERN_GROUPUSER_NAME -+from ipalib.constants import PATTERN_GROUPUSER_NAME, ERRMSG_GROUPUSER_NAME - from ipalib.plugable import Registry - from .baseldap import ( - add_external_post_callback, -@@ -70,6 +70,12 @@ converted to non-POSIX groups. - - Every group must have a description. - -+The group name must follow these rules: -+- cannot contain only numbers -+- must start with a letter, a number, _ or . -+- may contain letters, numbers, _, ., or - -+- may end with a letter, a number, _, ., - or $ -+ - POSIX groups must have a Group ID (GID) number. Changing a GID is - supported but can have an impact on your file permissions. It is not necessary - to supply a GID when creating a group. IPA will generate one automatically -@@ -330,7 +336,7 @@ class group(LDAPObject): - takes_params = ( - Str('cn', - pattern=PATTERN_GROUPUSER_NAME, -- pattern_errmsg='may only include letters, numbers, _, -, . and $', -+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'), - maxlength=255, - cli_name='group_name', - label=_('Group name'), -diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py -index 4f4b3a2f7..6a16884cf 100644 ---- a/ipaserver/plugins/idviews.py -+++ b/ipaserver/plugins/idviews.py -@@ -37,6 +37,7 @@ from ipalib.constants import ( - IPA_ANCHOR_PREFIX, - SID_ANCHOR_PREFIX, - PATTERN_GROUPUSER_NAME, -+ ERRMSG_GROUPUSER_NAME - ) - from ipalib.plugable import Registry - from ipalib.util import (normalize_sshpubkey, validate_sshpubkey, -@@ -1025,7 +1026,7 @@ class idoverrideuser(baseidoverride): - takes_params = baseidoverride.takes_params + ( - Str('uid?', - pattern=PATTERN_GROUPUSER_NAME, -- pattern_errmsg='may only include letters, numbers, _, -, . and $', -+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('user'), - maxlength=255, - cli_name='login', - label=_('User login'), -@@ -1128,7 +1129,7 @@ class idoverridegroup(baseidoverride): - takes_params = baseidoverride.takes_params + ( - Str('cn?', - pattern=PATTERN_GROUPUSER_NAME, -- pattern_errmsg='may only include letters, numbers, _, -, . and $', -+ pattern_errmsg=ERRMSG_GROUPUSER_NAME.format('group'), - maxlength=255, - cli_name='group_name', - label=_('Group name'), -diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py -index 760dff7ab..51438a83a 100644 ---- a/ipaserver/plugins/stageuser.py -+++ b/ipaserver/plugins/stageuser.py -@@ -94,6 +94,12 @@ usernames that start with a digit or usernames that exceed a certain length - may cause problems for some UNIX systems. - Use 'ipa config-mod' to change the username format allowed by IPA tools. - -+The user name must follow these rules: -+- cannot contain only numbers -+- must start with a letter, a number, _ or . -+- may contain letters, numbers, _, ., or - -+- may end with a letter, a number, _, ., - or $ -+ - - EXAMPLES: - -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index fa8a67d3d..643b44f14 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -88,6 +88,12 @@ usernames that start with a digit or usernames that exceed a certain length - may cause problems for some UNIX systems. - Use 'ipa config-mod' to change the username format allowed by IPA tools. - -+The user name must follow these rules: -+- cannot contain only numbers -+- must start with a letter, a number, _ or . -+- may contain letters, numbers, _, ., or - -+- may end with a letter, a number, _, ., - or $ -+ - Disabling a user account prevents that user from obtaining new Kerberos - credentials. It does not invalidate any credentials that have already - been issued. -diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py -index f9a0e2cfe..27bc21fbc 100644 ---- a/ipatests/test_xmlrpc/test_group_plugin.py -+++ b/ipatests/test_xmlrpc/test_group_plugin.py -@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/group.py` module. - import pytest - - from ipalib import errors -+from ipalib.constants import ERRMSG_GROUPUSER_NAME - from ipatests.test_xmlrpc import objectclasses - from ipatests.test_xmlrpc.xmlrpc_test import ( - fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, -@@ -169,7 +170,7 @@ class TestGroup(XMLRPC_test): - ) - with raises_exact(errors.ValidationError( - name='group_name', -- error=u'may only include letters, numbers, _, -, . and $')): -+ error=ERRMSG_GROUPUSER_NAME.format('group'))): - command() - - def test_create_with_name_starting_with_numeric(self): -@@ -188,7 +189,7 @@ class TestGroup(XMLRPC_test): - ) - with raises_exact(errors.ValidationError( - name='group_name', -- error=u'may only include letters, numbers, _, -, . and $', -+ error=ERRMSG_GROUPUSER_NAME.format('group'), - )): - testgroup.create() - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index fd146876c..bd877aa94 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -12,6 +12,7 @@ import six - - from collections import OrderedDict - from ipalib import api, errors -+from ipalib.constants import ERRMSG_GROUPUSER_NAME - from ipaplatform.constants import constants as platformconstants - - from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact -@@ -357,7 +358,7 @@ class TestCreateInvalidAttributes(XMLRPC_test): - command = invalid.make_create_command() - with raises_exact(errors.ValidationError( - name='login', -- error=u"may only include letters, numbers, _, -, . and $")): -+ error=ERRMSG_GROUPUSER_NAME.format('user'))): - command() - - def test_create_long_uid(self): -diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py -index c156a8793..eadfe6a65 100644 ---- a/ipatests/test_xmlrpc/test_user_plugin.py -+++ b/ipatests/test_xmlrpc/test_user_plugin.py -@@ -31,6 +31,7 @@ import ldap - import re - - from ipalib import api, errors -+from ipalib.constants import ERRMSG_GROUPUSER_NAME - from ipaplatform.constants import constants as platformconstants - from ipapython import ipautil - from ipatests.test_xmlrpc import objectclasses -@@ -502,7 +503,7 @@ class TestUpdate(XMLRPC_test): - ) - with raises_exact(errors.ValidationError( - name='rename', -- error=u'may only include letters, numbers, _, -, . and $')): -+ error=ERRMSG_GROUPUSER_NAME.format('user'))): - command() - - def test_add_radius_username(self, user): -@@ -556,7 +557,7 @@ class TestCreate(XMLRPC_test): - command = testuser.make_create_command() - with raises_exact(errors.ValidationError( - name=u'login', -- error=u'may only include letters, numbers, _, -, . and $')): -+ error=ERRMSG_GROUPUSER_NAME.format('user'))): - command() - - def test_create_with_too_long_login(self): -@@ -730,7 +731,7 @@ class TestCreate(XMLRPC_test): - ) - with raises_exact(errors.ValidationError( - name=u'login', -- error=u'may only include letters, numbers, _, -, . and $', -+ error=ERRMSG_GROUPUSER_NAME.format('user'), - )): - testuser.create() - --- -2.40.1 - diff --git a/SOURCES/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch b/SOURCES/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch deleted file mode 100644 index 7fc5737..0000000 --- a/SOURCES/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch +++ /dev/null @@ -1,242 +0,0 @@ -From 9fe30f21c987bdccf80ef5f6d645fdc59b393bdb Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jun 16 2023 19:09:52 +0000 -Subject: Revert "Use the OpenSSL certificate parser in cert-find" - - -This reverts commit 191880bc9f77c3e8a3cecc82e6eea33ab5ad03e4. - -The problem isn't with python-cryptography, it is with the -IPACertificate class which does way more work on a certificate -than is necessary in cert-find. - -Related: https://pagure.io/freeipa/issue/9331 -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index f3380b4..2b18963 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -390,7 +390,6 @@ BuildRequires: python3-pylint - BuildRequires: python3-pytest-multihost - BuildRequires: python3-pytest-sourceorder - BuildRequires: python3-qrcode-core >= 5.0.0 --BuildRequires: python3-pyOpenSSL - BuildRequires: python3-samba - BuildRequires: python3-six - BuildRequires: python3-sss -@@ -862,7 +861,6 @@ Requires: python3-netifaces >= 0.10.4 - Requires: python3-pyasn1 >= 0.3.2-2 - Requires: python3-pyasn1-modules >= 0.3.2-2 - Requires: python3-pyusb --Requires: python3-pyOpenSSL - Requires: python3-qrcode-core >= 5.0.0 - Requires: python3-requests - Requires: python3-six -diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py -index cec3d93..88c6b62 100644 ---- a/ipaserver/plugins/cert.py -+++ b/ipaserver/plugins/cert.py -@@ -30,7 +30,6 @@ import cryptography.x509 - from cryptography.hazmat.primitives import hashes, serialization - from dns import resolver, reversename - import six --import sys - - from ipalib import Command, Str, Int, Flag, StrEnum - from ipalib import api -@@ -1623,19 +1622,7 @@ class cert_find(Search, CertMethod): - ) - - def _get_cert_key(self, cert): -- # for cert-find with a certificate value -- if isinstance(cert, x509.IPACertificate): -- return (DN(cert.issuer), cert.serial_number) -- -- issuer = [] -- for oid, value in cert.get_issuer().get_components(): -- issuer.append( -- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8')) -- ) -- issuer = ','.join(issuer) -- # Use this to flip from OpenSSL reverse to X500 ordering -- issuer = DN(issuer).x500_text() -- return (DN(issuer), cert.get_serial_number()) -+ return (DN(cert.issuer), cert.serial_number) - - def _cert_search(self, pkey_only, **options): - result = collections.OrderedDict() -@@ -1755,11 +1742,6 @@ class cert_find(Search, CertMethod): - return result, False, complete - - def _ldap_search(self, all, pkey_only, no_members, **options): -- # defer import of the OpenSSL module to not affect the requests -- # module which will use pyopenssl if this is available. -- if sys.modules.get('OpenSSL.SSL', False) is None: -- del sys.modules["OpenSSL.SSL"] -- import OpenSSL.crypto - ldap = self.api.Backend.ldap2 - - filters = [] -@@ -1818,14 +1800,12 @@ class cert_find(Search, CertMethod): - ca_enabled = getattr(context, 'ca_enabled') - for entry in entries: - for attr in ('usercertificate', 'usercertificate;binary'): -- for der in entry.raw.get(attr, []): -- cert = OpenSSL.crypto.load_certificate( -- OpenSSL.crypto.FILETYPE_ASN1, der) -+ for cert in entry.get(attr, []): - cert_key = self._get_cert_key(cert) - try: - obj = result[cert_key] - except KeyError: -- obj = {'serial_number': cert.get_serial_number()} -+ obj = {'serial_number': cert.serial_number} - if not pkey_only and (all or not ca_enabled): - # Retrieving certificate details is now deferred - # until after all certificates are collected. - -From 3b1dbcdba2994bf57908f530913998e9ab888e4c Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jun 16 2023 19:09:52 +0000 -Subject: Revert "cert_find: fix call with --all" - - -This reverts commit 1f30cc65276a532e7288217f216b72a2b0628c8f. - -The problem isn't with python-cryptography, it is with the -IPACertificate class which does way more work on a certificate -than is necessary in cert-find. - -Related: https://pagure.io/freeipa/issue/9331 -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py -index 88c6b62..ba37525 100644 ---- a/ipaserver/plugins/cert.py -+++ b/ipaserver/plugins/cert.py -@@ -1812,7 +1812,6 @@ class cert_find(Search, CertMethod): - # For the case of CA-less we need to keep - # the certificate because getting it again later - # would require unnecessary LDAP searches. -- cert = cert.to_cryptography() - obj['certificate'] = ( - base64.b64encode( - cert.public_bytes(x509.Encoding.DER)) - -From d00fd3398c32beb2c3e72f4878c87f9d2c0e833d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jun 16 2023 19:09:52 +0000 -Subject: Use the python-cryptography parser directly in cert-find - - -cert-find is a rather complex beast because it not only -looks for certificates in the optional CA but within the -IPA LDAP database as well. It has a process to deduplicate -the certificates since any PKI issued certificates will -also be associated with an IPA record. - -In order to obtain the data to deduplicate the certificates -the cert from LDAP must be parser for issuer and serial number. -ipaldap has automation to determine the datatype of an -attribute and will use the ipalib.x509 IPACertificate class to -decode a certificate automatically if you access -entry['usercertificate']. - -The downside is that this is comparatively slow. Here is the -parse time in microseconds: - -cryptography 0.0081 -OpenSSL.crypto 0.2271 -ipalib.x509 2.6814 - -Since only issuer and subject are required there is no need to -make the expensive IPACertificate call. - -The IPACertificate parsing time is fine if you're parsing one -certificate but if the LDAP search returns a lot of certificates, -say in the thousands, then those microseconds add up quickly. -In testing it took ~17 seconds to parse 5k certificates (excluding -transmission overhead, etc). - -cert-find when there are a lot of certificates has been -historically slow. It isn't related to the CA which returns -large sets (well, 5k anyway) in a second or two. It was the -LDAP comparision adding tens of seconds to the runtime. - -When searching with the default sizelimit of 100 the time is -~10s without this patch. With it the time is 1.5s. - -CLI times from before and after searching for all certs: - -original: - -------------------------------- -Number of entries returned 5038 -------------------------------- -real 0m15.507s -user 0m0.828s -sys 0m0.241s - -using cryptography: - -real 0m4.037s -user 0m0.816s -sys 0m0.193s - -Fixes: https://pagure.io/freeipa/issue/9331 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py -index ba37525..619be83 100644 ---- a/ipaserver/plugins/cert.py -+++ b/ipaserver/plugins/cert.py -@@ -1800,7 +1800,8 @@ class cert_find(Search, CertMethod): - ca_enabled = getattr(context, 'ca_enabled') - for entry in entries: - for attr in ('usercertificate', 'usercertificate;binary'): -- for cert in entry.get(attr, []): -+ for der in entry.raw.get(attr, []): -+ cert = cryptography.x509.load_der_x509_certificate(der) - cert_key = self._get_cert_key(cert) - try: - obj = result[cert_key] -diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py -index 433cebc..583c67f 100644 ---- a/ipatests/test_xmlrpc/test_cert_plugin.py -+++ b/ipatests/test_xmlrpc/test_cert_plugin.py -@@ -254,6 +254,16 @@ class test_cert(BaseCert): - result = _emails_are_valid(email_addrs, []) - assert not result - -+ def test_00012_cert_find_all(self): -+ """ -+ Test that cert-find --all returns successfully. -+ -+ We don't know how many we'll get but there should be at least 10 -+ by default. -+ """ -+ res = api.Command['cert_find'](all=True) -+ assert 'count' in res and res['count'] >= 10 -+ - def test_99999_cleanup(self): - """ - Clean up cert test data -@@ -283,7 +293,7 @@ class test_cert_find(XMLRPC_test): - - short = api.env.host.split('.', maxsplit=1)[0] - -- def test_0001_find_all(self): -+ def test_0001_find_all_certs(self): - """ - Search for all certificates. - - diff --git a/SOURCES/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch b/SOURCES/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch deleted file mode 100644 index b719fa3..0000000 --- a/SOURCES/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 86c1426b2d376a390e87b074d3e10d85fa124abf Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Jun 21 2023 17:02:48 +0000 -Subject: Upgrade: add PKI drop-in file if missing - - -During the installation of IPA server, the installer adds a drop-in -file in /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf -that ensures the CA is reachable before the start command returns. -If the file is missing (for instance because the server was installed -with an old version before this drop-in was created), the upgrade -should add the file. - -Fixes: https://pagure.io/freeipa/issue/9381 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index dd22ac2..e4dc7ae 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1737,6 +1737,10 @@ def upgrade_configuration(): - os.path.join(paths.USR_SHARE_IPA_DIR, - "ipa-kdc-proxy.conf.template")) - if ca.is_configured(): -+ # Ensure that the drop-in file is present -+ if not os.path.isfile(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF): -+ ca.add_ipa_wait() -+ - # Handle upgrade of AJP connector configuration - rewrite = ca.secure_ajp_connector() - if ca.ajp_secret: - -From 356ec5cbfe0876686239f938bdf54892dc30571e Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Jun 21 2023 17:02:48 +0000 -Subject: Integration test: add a test for upgrade and PKI drop-in file - - -Add an upgrade test with the following scenario: -- remove PKI drop-in file (to simulate an upgrade from an old -version) -- remove caECServerCertWithSCT profile from LDAP -- launch the ipa-server-upgrade command -- check that the upgrade added the file - -Related: https://pagure.io/freeipa/issue/9381 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py -index 9203503..182e3b5 100644 ---- a/ipatests/test_integration/test_upgrade.py -+++ b/ipatests/test_integration/test_upgrade.py -@@ -455,3 +455,25 @@ class TestUpgrade(IntegrationTest): - assert 'tXTRecord' in location_krb_rec - assert len(location_krb_rec['tXTRecord']) == 1 - assert location_krb_rec['tXTRecord'][0] == f'"{realm}"' -+ -+ def test_pki_dropin_file(self): -+ """Test that upgrade adds the drop-in file if missing -+ -+ Test for ticket 9381 -+ Simulate an update from a version that didn't provide -+ /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf, -+ remove one of the certificate profiles from LDAP and check that upgrade -+ completes successfully and adds the missing file. -+ When the drop-in file is missing, the upgrade tries to login to -+ PKI in order to migrate the profile and fails because PKI failed to -+ start. -+ """ -+ self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF]) -+ ldif = textwrap.dedent(""" -+ dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca -+ changetype: delete -+ """) -+ tasks.ldapmodify_dm(self.master, ldif) -+ self.master.run_command(['ipa-server-upgrade']) -+ assert self.master.transport.file_exists( -+ paths.SYSTEMD_PKI_TOMCAT_IPA_CONF) - diff --git a/SOURCES/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch b/SOURCES/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch deleted file mode 100644 index 4d795e4..0000000 --- a/SOURCES/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch +++ /dev/null @@ -1,233 +0,0 @@ -From d29b47512a39ada02fb371521994576cd9815a6c Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 19 Jun 2023 10:36:29 +0200 -Subject: [PATCH] Upgrade: fix replica agreement - -The upgrade checks the replication agreements to ensure that -some attributes are excluded from replication. The agreements -are stored in entries like -cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config -but those entries are managed by the replication topology plugin -and should not be updated directly. The consequence is that the update -of the attributes fails and ipa-server-update prints an error message: - -Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling -to perform: Entry and attributes are managed by topology plugin.No direct -modifications allowed. -Error caught updating nsDS5ReplicatedAttributeListTotal: Server is -unwilling to perform: Entry and attributes are managed by topology -plugin.No direct modifications allowed. - -The upgrade continues but the replication is not excluding -passwordgraceusertime. - -Instead of editing the agreements, perform the modifications on -the topology segments. - -Fixes: https://pagure.io/freeipa/issue/9385 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - .../install/plugins/fix_replica_agreements.py | 80 +++++++++---------- - 1 file changed, 38 insertions(+), 42 deletions(-) - -diff --git a/ipaserver/install/plugins/fix_replica_agreements.py b/ipaserver/install/plugins/fix_replica_agreements.py -index c0cdd3eb1..d963753d0 100644 ---- a/ipaserver/install/plugins/fix_replica_agreements.py -+++ b/ipaserver/install/plugins/fix_replica_agreements.py -@@ -22,6 +22,7 @@ import logging - from ipaserver.install import replication - from ipalib import Registry - from ipalib import Updater -+from ipalib import errors - - logger = logging.getLogger(__name__) - -@@ -41,35 +42,42 @@ class update_replica_attribute_lists(Updater): - def execute(self, **options): - # We need an LDAPClient connection to the backend - logger.debug("Start replication agreement exclude list update task") -- conn = self.api.Backend.ldap2 - -- repl = replication.ReplicationManager(self.api.env.realm, -- self.api.env.host, -- None, conn=conn) -- -- # We need to update only IPA replica agreements, not winsync -- ipa_replicas = repl.find_ipa_replication_agreements() -- -- logger.debug("Found %d agreement(s)", len(ipa_replicas)) -- -- for replica in ipa_replicas: -- for desc in replica.get('description', []): -- logger.debug('%s', desc) -- -- self._update_attr(repl, replica, -- 'nsDS5ReplicatedAttributeList', -- replication.EXCLUDES, template=EXCLUDE_TEMPLATE) -- self._update_attr(repl, replica, -- 'nsDS5ReplicatedAttributeListTotal', -- replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE) -- self._update_attr(repl, replica, -- 'nsds5ReplicaStripAttrs', replication.STRIP_ATTRS) -+ # Find suffixes -+ suffixes = self.api.Command.topologysuffix_find()['result'] -+ for suffix in suffixes: -+ suffix_name = suffix['cn'][0] -+ # Find segments -+ sgmts = self.api.Command.topologysegment_find( -+ suffix_name, all=True)['result'] -+ for segment in sgmts: -+ updates = {} -+ updates = self._update_attr( -+ segment, updates, -+ 'nsds5replicatedattributelist', -+ replication.EXCLUDES, template=EXCLUDE_TEMPLATE) -+ updates = self._update_attr( -+ segment, updates, -+ 'nsds5replicatedattributelisttotal', -+ replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE) -+ updates = self._update_attr( -+ segment, updates, -+ 'nsds5replicastripattrs', replication.STRIP_ATTRS) -+ if updates: -+ try: -+ self.api.Command.topologysegment_mod( -+ suffix_name, segment['cn'][0], -+ **updates) -+ except errors.EmptyModlist: -+ # No update done -+ logger.debug("No update required for the segment %s", -+ segment['cn'][0]) - - logger.debug("Done updating agreements") - - return False, [] # No restart, no updates - -- def _update_attr(self, repl, replica, attribute, values, template='%s'): -+ def _update_attr(self, segment, updates, attribute, values, template='%s'): - """Add or update an attribute of a replication agreement - - If the attribute doesn't already exist, it is added and set to -@@ -77,27 +85,21 @@ class update_replica_attribute_lists(Updater): - If the attribute does exist, `values` missing from it are just - appended to the end, also space-separated. - -- :param repl: Replication manager -- :param replica: Replica agreement -+ :param: updates: dict containing the updates -+ :param segment: dict containing segment information - :param attribute: Attribute to add or update - :param values: List of values the attribute should hold - :param template: Template to use when adding attribute - """ -- attrlist = replica.single_value.get(attribute) -+ attrlist = segment.get(attribute) - if attrlist is None: - logger.debug("Adding %s", attribute) - - # Need to add it altogether -- replica[attribute] = [template % " ".join(values)] -- -- try: -- repl.conn.update_entry(replica) -- logger.debug("Updated") -- except Exception as e: -- logger.error("Error caught updating replica: %s", str(e)) -+ updates[attribute] = template % " ".join(values) - - else: -- attrlist_normalized = attrlist.lower().split() -+ attrlist_normalized = attrlist[0].lower().split() - missing = [a for a in values - if a.lower() not in attrlist_normalized] - -@@ -105,14 +107,8 @@ class update_replica_attribute_lists(Updater): - logger.debug("%s needs updating (missing: %s)", attribute, - ', '.join(missing)) - -- replica[attribute] = [ -- '%s %s' % (attrlist, ' '.join(missing))] -+ updates[attribute] = '%s %s' % (attrlist[0], ' '.join(missing)) - -- try: -- repl.conn.update_entry(replica) -- logger.debug("Updated %s", attribute) -- except Exception as e: -- logger.error("Error caught updating %s: %s", -- attribute, str(e)) - else: - logger.debug("%s: No update necessary", attribute) -+ return updates --- -2.41.0 - -From 93d97b59600c15e5028ee39b0e98450544165158 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 19 Jun 2023 10:36:59 +0200 -Subject: [PATCH] Integration tests: add a test to ipa-server-upgrade - -Add an integration test ensuring that the upgrade -properly updates the attributes to be excluded from -replication. - -Related: https://pagure.io/freeipa/issue/9385 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - .../test_simple_replication.py | 30 +++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py -index 17092a499..d1e65ef7c 100644 ---- a/ipatests/test_integration/test_simple_replication.py -+++ b/ipatests/test_integration/test_simple_replication.py -@@ -23,8 +23,10 @@ import pytest - - from ipaplatform.paths import paths - from ipapython.dn import DN -+from ipaserver.install.replication import EXCLUDES - from ipatests.pytest_ipa.integration import tasks - from ipatests.test_integration.base import IntegrationTest -+from ipatests.test_integration.test_topology import find_segment - - - def check_replication(source_host, dest_host, login): -@@ -104,6 +106,34 @@ class TestSimpleReplication(IntegrationTest): - [paths.IPA_CUSTODIA_CHECK, self.master.hostname] - ) - -+ def test_fix_agreements(self): -+ """Test that upgrade fixes the list of attributes excluded from repl -+ -+ Test for ticket 9385 -+ """ -+ # Prepare the server by removing some values from -+ # from the nsDS5ReplicatedAttributeList -+ segment = find_segment(self.master, self.replicas[0], "domain") -+ self.master.run_command([ -+ "ipa", "topologysegment-mod", "domain", segment, -+ "--replattrs", -+ "(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn"]) -+ # Run the upgrade -+ result = self.master.run_command(["ipa-server-upgrade"]) -+ # Ensure that the upgrade updated the attribute without error -+ errmsg = "Error caught updating nsDS5ReplicatedAttributeList" -+ assert errmsg not in result.stdout_text -+ # Check the updated value -+ suffix = DN(self.master.domain.basedn) -+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config')) -+ result = tasks.ldapsearch_dm(self.master, str(dn), -+ ["nsDS5ReplicatedAttributeList"]) -+ output = result.stdout_text.lower() -+ -+ template = 'nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s' -+ expected_value = template % " ".join(EXCLUDES) -+ assert expected_value.lower() in output -+ - def test_replica_removal(self): - """Test replica removal""" - result = self.master.run_command(['ipa-replica-manage', 'list']) --- -2.41.0 - diff --git a/SOURCES/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch b/SOURCES/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch deleted file mode 100644 index 6d5b7b6..0000000 --- a/SOURCES/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch +++ /dev/null @@ -1,52 +0,0 @@ -From a7e167154b889f75463ccc9cd91a75c1afb22da9 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Jun 28 2023 19:43:16 +0000 -Subject: OTP: fix data type to avoid endianness issue - - -When 389-ds process an OTP authentication, the ipa-pwd-extop -plugin reads a buffer to extract the authentication type. -The type is stored in an int but the data is a ber_tag_t. - -On big endian machines the type cast does not cause any issue -but on s390x the buffer that should return 128 is seen as 0. - -As a consequence, the plugin considers that the method is not -LDAP_AUTH_SIMPLE and exits early, without processing the OTP. - -The fix is simple and consists in using the right type -(ber_tag_t is an unsigned long). - -Fixes: https://pagure.io/freeipa/issue/9402 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden - ---- - -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index 9375941..4562652 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - Slapi_DN *target_sdn = NULL; - Slapi_DN *sdn = NULL; - const char *dn = NULL; -- int method = 0; -+ ber_tag_t method = 0; - bool syncreq; - bool otpreq; - int ret = 0; -@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - } - - /* We're only interested in simple authentication. */ -- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) -+ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) { -+ LOG("Not handled (not simple bind or NULL dn/credentials)\n"); - return 0; -+ } - - /* Retrieve the user's entry. */ - sdn = slapi_sdn_dup(target_sdn); - diff --git a/SOURCES/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch b/SOURCES/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch deleted file mode 100644 index 8b44931..0000000 --- a/SOURCES/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch +++ /dev/null @@ -1,173 +0,0 @@ -From 7a94acca6a9efb546f1cf59f63fcb89f98944ea5 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 25 May 2023 08:16:33 +0200 -Subject: [PATCH] ACME tests: fix issue_and_expire_acme_cert method - -The fixture issue_and_expire_acme_cert is changing the date -on master and client. It also resets the admin password as -it gets expired after the date change. -Currently the code is resetting the password by performing -kinit on the client, which leaves the master with an expired -ticket in its cache. Reset the password on the master instead -in order to have a valid ticket for the next operations. - -Fixes: https://pagure.io/freeipa/issue/9383 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Mohammad Rizwan ---- - ipatests/test_integration/test_acme.py | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py -index c73f441fc..c69e810da 100644 ---- a/ipatests/test_integration/test_acme.py -+++ b/ipatests/test_integration/test_acme.py -@@ -583,20 +583,20 @@ class TestACMERenew(IntegrationTest): - tasks.kdestroy_all(host) - tasks.move_date(host, 'stop', '+90days') - -- tasks.get_kdcinfo(host) -+ tasks.get_kdcinfo(self.master) - # Note raiseonerr=False: - # the assert is located after kdcinfo retrieval. - # run kinit command repeatedly until sssd gets settle - # after date change - tasks.run_repeatedly( -- host, "KRB5_TRACE=/dev/stdout kinit admin", -+ self.master, "KRB5_TRACE=/dev/stdout kinit admin", - stdin_text='{0}\n{0}\n{0}\n'.format( -- self.clients[0].config.admin_password -+ self.master.config.admin_password - ) - ) - # Retrieve kdc.$REALM after the password change, just in case SSSD - # domain status flipped to online during the password change. -- tasks.get_kdcinfo(host) -+ tasks.get_kdcinfo(self.master) - - yield - --- -2.41.0 - -From 998bafee86a870ad1ea4d6bccf12f0fae64c398c Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 31 May 2023 11:50:14 +0200 -Subject: [PATCH] ipatest: remove xfail from test_smb - -test_smb is now successful because the windows server version -has been updated to windows-server-2022 with -- KB5012170 -- KB5025230 -- KB5022507 -- servicing stack 10.0.20348.1663 -in freeipa-pr-ci commit 3ba4151. - -Remove the xfail. - -Fixes: https://pagure.io/freeipa/issue/9124 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Mohammad Rizwan ---- - ipatests/test_integration/test_smb.py | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py -index 30f8d5901..eb3981bdd 100644 ---- a/ipatests/test_integration/test_smb.py -+++ b/ipatests/test_integration/test_smb.py -@@ -349,7 +349,6 @@ class TestSMB(IntegrationTest): - @pytest.mark.skipif( - osinfo.id == 'fedora' and osinfo.version_number <= (31,), - reason='Test requires krb 1.18') -- @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True) - def test_smb_service_s4u2self(self): - """Test S4U2Self operation by IPA service - against both AD and IPA users --- -2.41.0 - -From 1b51fa4cb07380d1102891233e85a7940f804c72 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 11 May 2023 12:50:10 +0530 -Subject: [PATCH] ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not - included in krb5.conf - -SSSD already provides a config snippet which includes -SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java. -Test checks that krb5.conf does not include -SSSD_PUBCONF_KRB5_INCLUDE_D_DIR. - -Related: https://pagure.io/freeipa/issue/9267 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud ---- - .../test_integration/test_installation_client.py | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py -index 014b0f6ab..56e1593bf 100644 ---- a/ipatests/test_integration/test_installation_client.py -+++ b/ipatests/test_integration/test_installation_client.py -@@ -76,6 +76,21 @@ class TestInstallClient(IntegrationTest): - result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config']) - assert 'HostKeyAlgorithms' not in result.stdout_text - -+ def test_client_install_with_krb5(self): -+ """Test that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not added in krb5.conf -+ -+ SSSD already provides a config snippet which includes -+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java. -+ Test checks that krb5.conf does not include -+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR. -+ -+ related: https://pagure.io/freeipa/issue/9267 -+ """ -+ krb5_cfg = self.master.get_file_contents(paths.KRB5_CONF) -+ assert 'includedir {dir}'.format( -+ dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR -+ ).encode() not in krb5_cfg -+ - - class TestClientInstallBind(IntegrationTest): - """ --- -2.41.0 - -From f599e2d67bad5945e4dcf99fdd584f01f1e20d1e Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 6 Jun 2023 09:04:48 +0200 -Subject: [PATCH] webuitests: close notification which hides Add button - -The webui test test_service.py::test_service::test_arbitrary_certificates -randomly fails. -The test is creating a new service then navigates to the Service page -and clicks on the Add Certificate button. -The notification area may still be present and hide the button, with -the message "Service successfully added". -Close all notifications before navigating to the Service page. - -Fixes: https://pagure.io/freeipa/issue/9389 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Michal Polovka ---- - ipatests/test_webui/test_service.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ipatests/test_webui/test_service.py b/ipatests/test_webui/test_service.py -index f1d9a9d62..e2976d73a 100644 ---- a/ipatests/test_webui/test_service.py -+++ b/ipatests/test_webui/test_service.py -@@ -296,6 +296,7 @@ class test_service(sevice_tasks): - cert_widget_sel = "div.certificate-widget" - - self.add_record(ENTITY, data) -+ self.close_notifications() - self.navigate_to_record(pkey) - - # check whether certificate section is present --- -2.41.0 - diff --git a/SOURCES/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch b/SOURCES/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch deleted file mode 100644 index 39d9e7f..0000000 --- a/SOURCES/0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch +++ /dev/null @@ -1,85 +0,0 @@ -From b5793c854035a122ed4c66f917cc427e5024e46a Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Aug 02 2023 11:52:30 +0000 -Subject: ipa-kdb: fix error handling of is_master_host() - - -Adding proper error handling to the is_master_host() function to allow -it to make the difference between the absence of a master host object -and a connection failure. This will keep the krb5kdc daemon from -continuing to run with a NULL LDAP context. - -Fixes: https://pagure.io/freeipa/issue/9422 - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy - ---- - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 8da7543..83cb991 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx, - return 0; - } - --static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn) -+static krb5_error_code -+is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result) - { -- int ret; -+ int err; - char *master_host_base = NULL; -- LDAPMessage *result = NULL; -- krb5_error_code err; -+ LDAPMessage *ldap_res = NULL; - -- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s", -+ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s", - fqdn, ipactx->base); -- if (ret == -1) { -- return false; -- } -+ if (err == -1) -+ return ENOMEM; -+ - err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE, -- NULL, NULL, &result); -+ NULL, NULL, &ldap_res); - free(master_host_base); -- ldap_msgfree(result); -- if (err == 0) { -- return true; -- } -+ ldap_msgfree(ldap_res); -+ if (err != KRB5_KDB_NOENTRY && err != 0) -+ return err; -+ -+ if (result) -+ *result = err != KRB5_KDB_NOENTRY; - -- return false; -+ return 0; - } - - static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, -@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - if ((is_host || is_service)) { - /* it is either host or service, so get the hostname first */ - char *sep = strchr(info3->base.account_name.string, '/'); -- bool is_master = is_master_host( -- ipactx, -- sep ? sep + 1 : info3->base.account_name.string); -+ bool is_master; -+ -+ ret = is_master_host(ipactx, -+ sep ? sep + 1 : info3->base.account_name.string, -+ &is_master); -+ if (ret) -+ return ret; -+ - if (is_master) { - /* Well known RID of domain controllers group */ - if (info3->base.rid == 0) { - diff --git a/SOURCES/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch b/SOURCES/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch deleted file mode 100644 index 041905c..0000000 --- a/SOURCES/0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f68468718c1e01df4a9180e17d7e24d961850e19 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Wed, 14 Jun 2023 17:32:02 +0530 -Subject: [PATCH] ipatests: enable firewall rule for http service on acme - client - -when system hardning done i.e in case of STIG, sometimes http challanges -can't be validated by CA if port 80 is not open. This fix enable it to facilitate -the communication. - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_acme.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py -index c69e810da70..414fae8d751 100644 ---- a/ipatests/test_integration/test_acme.py -+++ b/ipatests/test_integration/test_acme.py -@@ -10,6 +10,7 @@ - - from ipalib.constants import IPA_CA_RECORD - from ipatests.test_integration.base import IntegrationTest -+from ipatests.pytest_ipa.integration.firewall import Firewall - from ipatests.pytest_ipa.integration import tasks - from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup - from ipaplatform.osinfo import osinfo -@@ -82,6 +83,9 @@ def prepare_acme_client(master, client): - acme_host = f'{IPA_CA_RECORD}.{master.domain.name}' - acme_server = f'https://{acme_host}/acme/directory' - -+ # enable firewall rule on client -+ Firewall(client).enable_services(["http", "https"]) -+ - # install acme client packages - if not skip_certbot_tests: - tasks.install_packages(client, ['certbot']) diff --git a/SOURCES/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch b/SOURCES/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch deleted file mode 100644 index 6109658..0000000 --- a/SOURCES/0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch +++ /dev/null @@ -1,193 +0,0 @@ -From 99aa03413421cf2839e89e10ca279ec19233dd01 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Jul 20 2023 08:23:36 +0000 -Subject: User plugin: improve error related to non existing idp - - -The user and stageuser commands return the following error -when the user is created/updated with a non existing idp: -$ ipa user-add testuser --first test --last user --idp dummy -ipa: ERROR: no such entry - -The error is not descriptive enough and has been modified to -display instead: -$ ipa user-add testuser --first test --last user --idp dummy -ipa: ERROR: External IdP configuration dummy not found - -Fixes: https://pagure.io/freeipa/issue/9416 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py -index 73b76d3..ba5f9b7 100644 ---- a/ipaserver/plugins/baseuser.py -+++ b/ipaserver/plugins/baseuser.py -@@ -708,7 +708,11 @@ class baseuser_mod(LDAPUpdate): - if 'ipaidpuser' not in obj_classes: - entry_attrs['objectclass'].append('ipaidpuser') - -- answer = self.api.Object['idp'].get_dn_if_exists(cl) -+ try: -+ answer = self.api.Object['idp'].get_dn_if_exists(cl) -+ except errors.NotFound: -+ reason = "External IdP configuration {} not found" -+ raise errors.NotFound(reason=_(reason).format(cl)) - entry_attrs['ipaidpconfiglink'] = answer - - # Note: we could have used the method add_missing_object_class -diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py -index 51438a8..852e51b 100644 ---- a/ipaserver/plugins/stageuser.py -+++ b/ipaserver/plugins/stageuser.py -@@ -404,7 +404,11 @@ class stageuser_add(baseuser_add): - if 'ipaidpuser' not in entry_attrs['objectclass']: - entry_attrs['objectclass'].append('ipaidpuser') - -- answer = self.api.Object['idp'].get_dn_if_exists(cl) -+ try: -+ answer = self.api.Object['idp'].get_dn_if_exists(cl) -+ except errors.NotFound: -+ reason = "External IdP configuration {} not found" -+ raise errors.NotFound(reason=_(reason).format(cl)) - entry_attrs['ipaidpconfiglink'] = answer - - self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index 643b44f..a337e1f 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -638,7 +638,11 @@ class user_add(baseuser_add): - if 'ipaidpuser' not in entry_attrs['objectclass']: - entry_attrs['objectclass'].append('ipaidpuser') - -- answer = self.api.Object['idp'].get_dn_if_exists(rcl) -+ try: -+ answer = self.api.Object['idp'].get_dn_if_exists(rcl) -+ except errors.NotFound: -+ reason = "External IdP configuration {} not found" -+ raise errors.NotFound(reason=_(reason).format(rcl)) - entry_attrs['ipaidpconfiglink'] = answer - - self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, - -From dbcbe9a39c99008c6858bab53e2807b7bf01ba65 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Jul 20 2023 08:23:36 +0000 -Subject: xmlrpc tests: add a test for user plugin with non-existing idp - - -Add new tests checking the error returned for -ipa user-add ... --idp nonexistingidp -ipa user-mod ... --idp nonexistingidp -ipa stageuser-add ... --idp nonexistingidp -ipa stageuser-mod ... --idp nonexistingidp - -The expected error message is: -ipa: ERROR: External IdP configuration nonexistingidp not found - -Related: https://pagure.io/freeipa/issue/9416 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index 394015f..9ae5561 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -39,6 +39,8 @@ gid = u'456' - invalidrealm1 = u'suser1@NOTFOUND.ORG' - invalidrealm2 = u'suser1@BAD@NOTFOUND.ORG' - -+nonexistentidp = 'IdPDoesNotExist' -+ - invaliduser1 = u'+tuser1' - invaliduser2 = u'tuser1234567890123456789012345678901234567890' - invaliduser3 = u'1234' -@@ -431,6 +433,15 @@ class TestCreateInvalidAttributes(XMLRPC_test): - invalidrealm2))): - command() - -+ def test_create_invalid_idp(self, stageduser): -+ stageduser.ensure_missing() -+ command = stageduser.make_create_command( -+ options={u'ipaidpconfiglink': nonexistentidp}) -+ with raises_exact(errors.NotFound( -+ reason="External IdP configuration {} not found".format( -+ nonexistentidp))): -+ command() -+ - - @pytest.mark.tier1 - class TestUpdateInvalidAttributes(XMLRPC_test): -@@ -466,6 +477,15 @@ class TestUpdateInvalidAttributes(XMLRPC_test): - message=u'invalid \'gidnumber\': must be at least 1')): - command() - -+ def test_update_invalididp(self, stageduser): -+ stageduser.ensure_exists() -+ command = stageduser.make_update_command( -+ updates={u'ipaidpconfiglink': nonexistentidp}) -+ with raises_exact(errors.NotFound( -+ reason="External IdP configuration {} not found".format( -+ nonexistentidp))): -+ command() -+ - - @pytest.mark.tier1 - class TestActive(XMLRPC_test): -diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py -index 8ac19a4..baa2867 100644 ---- a/ipatests/test_xmlrpc/test_user_plugin.py -+++ b/ipatests/test_xmlrpc/test_user_plugin.py -@@ -86,6 +86,8 @@ expired_expiration_string = "1991-12-07T19:54:13Z" - # Date in ISO format (2013-12-10T12:00:00) - isodate_re = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$') - -+nonexistentidp = 'IdPDoesNotExist' -+ - - @pytest.fixture(scope='class') - def user_min(request, xmlrpc_setup): -@@ -542,6 +544,18 @@ class TestUpdate(XMLRPC_test): - command() - user.delete() - -+ def test_update_invalid_idp(self, user): -+ """ Test user-mod --idp with a non-existent idp """ -+ user.ensure_exists() -+ command = user.make_update_command( -+ updates=dict(ipaidpconfiglink=nonexistentidp) -+ ) -+ with raises_exact(errors.NotFound( -+ reason="External IdP configuration {} not found".format( -+ nonexistentidp) -+ )): -+ command() -+ - - @pytest.mark.tier1 - class TestCreate(XMLRPC_test): -@@ -770,6 +784,17 @@ class TestCreate(XMLRPC_test): - user_radius.check_create(result) - user_radius.delete() - -+ def test_create_with_invalididp(self): -+ testuser = UserTracker( -+ name='idpuser', givenname='idp', sn='user', -+ ipaidpconfiglink=nonexistentidp -+ ) -+ with raises_exact(errors.NotFound( -+ reason="External IdP configuration {} not found".format( -+ nonexistentidp) -+ )): -+ testuser.create() -+ - - @pytest.mark.tier1 - class TestUserWithGroup(XMLRPC_test): - diff --git a/SOURCES/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch b/SOURCES/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch deleted file mode 100644 index be8d65f..0000000 --- a/SOURCES/0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch +++ /dev/null @@ -1,169 +0,0 @@ -From f215d3f45396fa29bdd69f56096b50842df14908 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Aug 01 2023 22:03:03 +0000 -Subject: Prevent the admin user from being deleted - - -admin is required for trust operations - -Note that testing for removing the last member is now -irrelevant because admin must always exist so the test -for it was removed, but the code check remains. It is done -after the protected member check. - -Fixes: https://pagure.io/freeipa/issue/8878 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy - ---- - -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index a337e1f..6f5e349 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -138,14 +138,23 @@ MEMBEROF_ADMINS = "(memberOf={})".format( - ) - - NOT_MEMBEROF_ADMINS = '(!{})'.format(MEMBEROF_ADMINS) -+PROTECTED_USERS = ('admin',) - - - def check_protected_member(user, protected_group_name=u'admins'): - ''' -- Ensure the last enabled member of a protected group cannot be deleted or -- disabled by raising LastMemberError. -+ Ensure admin and the last enabled member of a protected group cannot -+ be deleted or disabled by raising ProtectedEntryError or -+ LastMemberError as appropriate. - ''' - -+ if user in PROTECTED_USERS: -+ raise errors.ProtectedEntryError( -+ label=_("user"), -+ key=user, -+ reason=_("privileged user"), -+ ) -+ - # Get all users in the protected group - result = api.Command.user_find(in_group=protected_group_name) - -@@ -868,6 +877,12 @@ class user_mod(baseuser_mod): - - def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - dn, oc = self.obj.get_either_dn(*keys, **options) -+ if options.get('rename') and keys[-1] in PROTECTED_USERS: -+ raise errors.ProtectedEntryError( -+ label=_("user"), -+ key=keys[-1], -+ reason=_("privileged user"), -+ ) - if 'objectclass' not in entry_attrs and 'rename' not in options: - entry_attrs.update({'objectclass': oc}) - self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, -diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py -index baa2867..df105a2 100644 ---- a/ipatests/test_xmlrpc/test_user_plugin.py -+++ b/ipatests/test_xmlrpc/test_user_plugin.py -@@ -978,22 +978,32 @@ class TestManagers(XMLRPC_test): - - @pytest.mark.tier1 - class TestAdmins(XMLRPC_test): -- def test_remove_original_admin(self): -- """ Try to remove the only admin """ -+ def test_delete_admin(self): -+ """ Try to delete the protected admin user """ - tracker = Tracker() -- command = tracker.make_command('user_del', [admin1]) -+ command = tracker.make_command('user_del', admin1) - -- with raises_exact(errors.LastMemberError( -- key=admin1, label=u'group', container=admin_group)): -+ with raises_exact(errors.ProtectedEntryError(label=u'user', -+ key=admin1, reason='privileged user')): -+ command() -+ -+ def test_rename_admin(self): -+ """ Try to rename the admin user """ -+ tracker = Tracker() -+ command = tracker.make_command('user_mod', admin1, -+ **dict(rename=u'newadmin')) -+ -+ with raises_exact(errors.ProtectedEntryError(label=u'user', -+ key=admin1, reason='privileged user')): - command() - - def test_disable_original_admin(self): -- """ Try to disable the only admin """ -+ """ Try to disable the original admin """ - tracker = Tracker() - command = tracker.make_command('user_disable', admin1) - -- with raises_exact(errors.LastMemberError( -- key=admin1, label=u'group', container=admin_group)): -+ with raises_exact(errors.ProtectedEntryError(label=u'user', -+ key=admin1, reason='privileged user')): - command() - - def test_create_admin2(self, admin2): -@@ -1011,21 +1021,11 @@ class TestAdmins(XMLRPC_test): - admin2.disable() - tracker = Tracker() - -- with raises_exact(errors.LastMemberError( -- key=admin1, label=u'group', container=admin_group)): -+ with raises_exact(errors.ProtectedEntryError(label=u'user', -+ key=admin1, reason='privileged user')): - tracker.run_command('user_disable', admin1) -- with raises_exact(errors.LastMemberError( -- key=admin1, label=u'group', container=admin_group)): -- tracker.run_command('user_del', admin1) - admin2.delete() - -- with raises_exact(errors.LastMemberError( -- key=admin1, label=u'group', container=admin_group)): -- tracker.run_command('user_disable', admin1) -- with raises_exact(errors.LastMemberError( -- key=admin1, label=u'group', container=admin_group)): -- tracker.run_command('user_del', admin1) -- - - @pytest.mark.tier1 - class TestPreferredLanguages(XMLRPC_test): - -From 7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Aug 08 2023 14:50:32 +0000 -Subject: ipatests: update expected webui msg for admin deletion - - -The deletion of the admin is now forbidden (even if it is -not the last member of the admins group) and the error -message has changed from "admin cannot be deleted or -disabled because it is the last member of group admins" -to " user admin cannot be deleted/modified: privileged user". - -Update the expected message in the webui test. - -Related: https://pagure.io/freeipa/issue/8878 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy - ---- - -diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py -index 8d44fbd..a8a92d0 100644 ---- a/ipatests/test_webui/test_user.py -+++ b/ipatests/test_webui/test_user.py -@@ -50,8 +50,7 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are " - FIELD_REQ = 'Required field' - ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $' - ERR_MISMATCH = 'Passwords must match' --ERR_ADMIN_DEL = ('admin cannot be deleted or disabled because it is the last ' -- 'member of group admins') -+ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user') - USR_EXIST = 'user with name "{}" already exists' - ENTRY_EXIST = 'This entry already exists' - ACTIVE_ERR = 'active user with name "{}" already exists' - diff --git a/SOURCES/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch b/SOURCES/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch deleted file mode 100644 index 773b553..0000000 --- a/SOURCES/0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 9438ce9207445e4ad4a9c7bdf0c9e569cabac571 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Aug 01 2023 06:07:06 +0000 -Subject: Fix memory leak in the OTP last token plugin - - -Three memory leaks are addressed: - -1. String values retrieved from the pblock need to be manually -freed. - -2. The list of objectclasses retreived from the pblock need to be -freed. - -3. Internal search results need to be freed. - -Fixes: https://pagure.io/freeipa/issue/9403 - -Signed-off-by: Rob Crittenden -Reviewed-By: Rafael Guterres Jeffman -Reviewed-By: Alexander Bokovoy - ---- - -diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c -index b7a2ba7..11106b2 100644 ---- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c -+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c -@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id; - - static bool entry_is_token(Slapi_Entry *entry) - { -- char **ocls; -+ char **ocls = NULL; - - ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS); - for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) { -@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry) - } - } - -+ slapi_ch_array_free(ocls); - return false; - } - -@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn) - static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry) - { - Slapi_DN *target_sdn = NULL; -- const char *bind_dn; -+ char *bind_dn; -+ bool rv = false; - - /* Ignore internal operations. */ - if (slapi_op_internal(pb)) -@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry) - /* Load parameters. */ - (void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); - (void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn); -- if (target_sdn == NULL || bind_dn == NULL) { -- LOG_FATAL("Missing parameters!\n"); -- return false; -+ if (bind_dn == NULL) { -+ LOG_FATAL("bind_dn parameter missing!\n"); -+ goto done; -+ } -+ if (target_sdn == NULL) { -+ LOG_FATAL("target_sdn parameter missing!\n"); -+ goto done; - } - - if (entry != NULL - ? !entry_is_token(entry) -- : !sdn_in_otp_container(target_sdn)) -- return true; -+ : !sdn_in_otp_container(target_sdn)) { -+ rv = true; -+ goto done; -+ } - -- if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) -- return true; -+ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) { -+ rv = true; -+ goto done; -+ } - -- if (is_pwd_enabled(bind_dn)) -- return true; -+ if (is_pwd_enabled(bind_dn)) { -+ rv = true; -+ goto done; -+ } - -- return false; -+done: -+ slapi_ch_free_string(&bind_dn); -+ return rv; - } - - static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr) -diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c -index a3cbfb0..4be4ede 100644 ---- a/daemons/ipa-slapi-plugins/libotp/otp_token.c -+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c -@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn - } - - error: -+ slapi_free_search_results_internal(pb); - slapi_pblock_destroy(pb); - return tokens; - } - diff --git a/SOURCES/0012-ipatests-fix-test_topology_rhbz#2232351.patch b/SOURCES/0012-ipatests-fix-test_topology_rhbz#2232351.patch deleted file mode 100644 index e5533c3..0000000 --- a/SOURCES/0012-ipatests-fix-test_topology_rhbz#2232351.patch +++ /dev/null @@ -1,58 +0,0 @@ -From fdaad3a45f5674876fd3f6cc7ad1e916ebfc7080 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Aug 14 2023 13:02:20 +0000 -Subject: ipatests: fix test_topology - - -The test TestTopologyOptions::test_add_remove_segment is -randomly failing downstream. Test scenario: -- create a line topology master <-> repl1 <-> repl2 -- create user on master -- wait for repl success on master -- check that the user is seen on repl2 - -The test waits for replication to complete on the master but -it should also wait for the replication to complete on repl1 -before checking the user presence on repl2. - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More - ---- - -diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py -index 8a240fa..618c9d5 100644 ---- a/ipatests/test_integration/test_topology.py -+++ b/ipatests/test_integration/test_topology.py -@@ -124,6 +124,9 @@ class TestTopologyOptions(IntegrationTest): - self.replicas[0], - self.replicas[1]) - assert err == "", err -+ # At this point we have replicas[1] <-> master <-> replicas[0] -+ # ^--------------------------^ -+ - # Make sure the new segment is shown by `ipa topologysegment-find` - result1 = self.master.run_command(['ipa', 'topologysegment-find', - DOMAIN_SUFFIX_NAME]).stdout_text -@@ -137,9 +140,12 @@ class TestTopologyOptions(IntegrationTest): - deleteme = find_segment(self.master, self.replicas[1]) - returncode, error = tasks.destroy_segment(self.master, deleteme) - assert returncode == 0, error -+ # At this point we have master <-> replicas[0] <-> replicas[1] -+ - # Wait till replication ends and make sure replica1 does not have - # segment that was deleted on master - master_ldap = self.master.ldap_connect() -+ repl_ldap = self.replicas[0].ldap_connect() - tasks.wait_for_replication(master_ldap) - result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', - DOMAIN_SUFFIX_NAME]).stdout_text -@@ -150,6 +156,7 @@ class TestTopologyOptions(IntegrationTest): - '--first', 'test', - '--last', 'user']) - tasks.wait_for_replication(master_ldap) -+ tasks.wait_for_replication(repl_ldap) - result4 = self.replicas[1].run_command(['ipa', 'user-find']) - assert('someuser' in result4.stdout_text), 'User not found: someuser' - # We end up having a line topology: master <-> replica1 <-> replica2 - diff --git a/SOURCES/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch b/SOURCES/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch deleted file mode 100644 index 64a634c..0000000 --- a/SOURCES/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch +++ /dev/null @@ -1,40 +0,0 @@ -From f38eefd9f7e54470de7c707782114b17aac8762a Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Aug 16 2023 15:25:34 +0000 -Subject: Installer: activate nss and pam services in sssd.conf - - -If there is already a sssd.conf file before the installer is -executed, the nss and pam services may not be enabled by the -installer. This happens for instance if the machine is hardened -for STIG and sssd.conf does not define services=... in the -[sssd] section. - -The consequence is that trust cannot be established with an AD -domain. - -The installer must enable nss and pam services even if there is -a pre-existing sssd.conf file. - -Fixes: https://pagure.io/freeipa/issue/9427 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy - ---- - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index ef29a2c..07d62a7 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -969,6 +969,9 @@ def configure_sssd_conf( - nss_service.set_option('memcache_timeout', 600) - sssdconfig.save_service(nss_service) - -+ sssd_enable_service(sssdconfig, 'nss') -+ sssd_enable_service(sssdconfig, 'pam') -+ - domain.set_option('ipa_domain', cli_domain) - domain.set_option('ipa_hostname', client_hostname) - if cli_domain.lower() != cli_realm.lower(): - diff --git a/SOURCES/freeipa-4.9.12.tar.gz.asc b/SOURCES/freeipa-4.9.12.tar.gz.asc deleted file mode 100644 index 699aa14..0000000 --- a/SOURCES/freeipa-4.9.12.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmRnL+gACgkQaYdvcqbi -00/1Gg/8CFABojXZyUkQnWeaHdrFeHeE+DW2qTs9Wr/TQwF67fYkh7lj3p+WqMlD -kMMNAfLn4wUnJNDMv64QlE6RAz71KetQlQt+mZQVT9M0nDepLhBw86qmNbJj611J -+2B79hzNLT8tmOf9NyLRJbFp3QebSPELX9hycPj1Ovd1tr/61tcwcNzE6ZLrX5vb -IPkCT2bo+6MceIsR50tTRxxK6J9jFYX73PjHJ5Ix7ssDf4vg2OBRTwUdLeZAkWlA -q+0bPPp+F3PWLhnSs+vIs5plHUI/hcGCt9pTvw/d6jUUxuwZadGGbRZSyDN7aj2Q -zEXeZsCtOSk5cx65lWHl+7TTyVvCoemeZPZ92EiCtVJfiuK3/6a/WFWanBZoO0E3 -N0p6HUcvIRPrEj0nQwH2vr0zkfSPA4g30k+Q9qeP3ArN+i+5OFfuiwiqk1AIJ2rv -ERhBRryOaNeiVpYghMQdtacWP/qQunfH6VdhA61Q089/lhomGeSytQI+fV4TXOhV -ldV7dftaWpQT3QYWSsKzoiHpyjIwOA8dBvQF2YDX7LNmeO/hj4ToFp00CVCWdb0j -MHs2X9p42kkhw2oZOf3GNyNvpybxUv59ER4YDEHbj8+iZyVjiqfcp71373DqpieW -iGjB3Wc0gO3cdYk3Mdl0SgkD7k0U9iwwh7qJeqqUYT3gKf9mqbY= -=dT0o ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.13.tar.gz.asc b/SOURCES/freeipa-4.9.13.tar.gz.asc new file mode 100644 index 0000000..cdb062f --- /dev/null +++ b/SOURCES/freeipa-4.9.13.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmVbZU0ACgkQaYdvcqbi +009Fgw/+PzHGNOJPs67TtoYITV/3ZCzMyrYTcazVACjD61Zw7JBgbZzZpQXxBSbj +7QWpNJa3P2JFtv2qOUXJto40mOGpMynyYpuYs4CtyJ86eHTUJyYTFppBmCzzozhT +2C2BeKKjzV8OOWQ7yO/2BTEZ7KtOcIr4ZI7iZCnLJF9Yt8x7TURjGRqxsHwT62Ip +vcrtm0LkkYv/fQ6pFZZfinKU1OBrZphwHMCU4Mlv411iQg4+NOxLSsVU/kegeKIO +adp4Y9g5dfAfdXEXb2Zt7gkmLaWMgf+XNSFDL/wkzRYt74HKwvbIPJQlTZ6pqLxQ +yTtiHGuMb7xNDWolpoueo1/lbxaHRRGJaSPs7zUht3IBxb7hiF65Gm3UaJhoeAXc +gVleZf/+0titOdkRfTD2N0P0hli7gaiRrbpw8K4joxMFpYrQGUxD8SI376gkOj6o +5RWSioPoG9txNM7Co+lVpci7WHhL+Tmhf1SlHyVJGKoNe/z4VHnjHeYlFWRVdDEI +OOupZzJQoLnso3lTwR5VEN8xGURnhbGV4MdUfD/6FhwmyHiPlYkytdZIsGsNDOab +978PPaKcIpbsZ4gUhshcbn7qaY809lNSpMtg8saYOP4J/5Nu+i9X5bJqOmoX0rKa +gAJDY5har+lExRnTEdYEGVB8qen5lqi8r1oYjnDpkSpq6BRoAHA= +=uQom +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 4db2e66..5cceb0b 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -64,7 +64,7 @@ %if 0%{?rhel} %global package_name ipa %global alt_name freeipa -%global krb5_version 1.18.2-25 +%global krb5_version 1.18.2-26 %global krb5_kdb_version 8.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.19 @@ -176,7 +176,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.12 +%define IPA_VERSION 4.9.13 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 8%{?rc_version:.%rc_version}%{?dist} +Release: 1%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -209,19 +209,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch -Patch0002: 0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch -Patch0003: 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch -Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch -Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch -Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch -Patch0007: 0007-ipa-kdb-fix-error-handling-of-is_master_host_rhbz#2214638.patch -Patch0008: 0008-ipatests-enable-firewall-rule-for-http-service-on-acme-client_rhbz#2230256.patch -Patch0009: 0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch -Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch -Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch -Patch0012: 0012-ipatests-fix-test_topology_rhbz#2232351.patch -Patch0013: 0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch @@ -1736,6 +1723,14 @@ fi %endif %changelog +* Tue Nov 21 2023 Rafael Jeffman - 4.9.13-1 +- Rebase ipa to 4.9.13 + Resolves: RHEL-16936 + +* Wed Oct 04 2023 Julien Rische - 4.9.12-9 +- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older + Resolves: RHEL-12198 + * Thu Aug 31 2023 Rafael Jeffman - 4.9.12-8 - Require krb5 release 1.18.2-25 or later Resolves: RHBZ#2234711