From 4403f2b6fca85e3c9da6301f3fb5156cbca82605 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 4 Sep 2017 12:01:19 +0200 Subject: [PATCH] 4.6.0-1: rebase to upstream 4.6.0 Signed-off-by: Tomas Krizek --- .gitignore | 2 + ...SELinux-execmem-violations-in-crypto.patch | 25 +- freeipa.spec | 231 +++++++++++++----- sources | 4 +- 4 files changed, 182 insertions(+), 80 deletions(-) diff --git a/.gitignore b/.gitignore index 5c67b0c..f3ea5d2 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,5 @@ /freeipa-4.5.2.tar.gz.asc /freeipa-4.5.3.tar.gz /freeipa-4.5.3.tar.gz.asc +/freeipa-4.6.0.tar.gz +/freeipa-4.6.0.tar.gz.asc diff --git a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch index a85cf63..65bfcc1 100644 --- a/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch +++ b/0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch @@ -1,6 +1,6 @@ -From 3c106c400b9946405289fc5f6b57a76d08667b50 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Thu, 1 Sep 2016 17:04:06 +0300 +From 18692deb9a1ceffe5b4bc5c1b470f7c3e6159a9d Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 4 Sep 2017 13:46:47 +0200 Subject: [PATCH] Workarounds for SELinux execmem violations in cryptography pki.client no longer tries to use PyOpenSSL instead of Python's ssl @@ -17,18 +17,20 @@ code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. A hack in wsgi.py prevents the import by raising an ImportError. + +Signed-off-by: Tomas Krizek --- - install/share/wsgi.py | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) + install/share/wsgi.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) diff --git a/install/share/wsgi.py b/install/share/wsgi.py -index ee9311e..bb201fa 100644 +index e263b8117fe7e6817cb0b6d87c6e6b0c34a9f5e8..fed11572308b9dbefdf1fa2e7f72395230e9dff8 100644 --- a/install/share/wsgi.py 
+++ b/install/share/wsgi.py -@@ -23,6 +23,20 @@ - """ - WSGI appliction for IPA server. +@@ -25,6 +25,19 @@ WSGI appliction for IPA server. """ + import logging + import os +import sys + +# Some dependencies like Dogtag's pki.client library and custodia use @@ -42,10 +44,9 @@ index ee9311e..bb201fa 100644 +# This hack prevents the import by raising an ImportError. + +sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None -+ + from ipaplatform.paths import paths from ipalib import api - from ipalib.config import Env -- -2.7.4 +2.13.3 diff --git a/freeipa.spec b/freeipa.spec index 060211d..82cafcd 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -17,11 +17,13 @@ %global with_ipatests_option --without-ipatests %endif +%if 0%{!?with_python3:1} %if 0%{?rhel} %global with_python3 0 %else %global with_python3 1 %endif +%endif # lint is not executed during rpmbuild # %%global with_lint 1 @@ -31,9 +33,6 @@ %global linter_options --disable-pylint --without-jslint %endif -# Python wheel support and PyPI packages -%global with_wheels 0 - %global alt_name ipa %if 0%{?rhel} # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) @@ -63,13 +62,13 @@ %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa -%global VERSION 4.5.3 +%global VERSION 4.6.0 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 3%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base 
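Review bot: The blocker this refreshed patch carries into install/share/wsgi.py, `sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None`, keys only the vendored module path under `requests.packages`; a dependency that reaches the same code through the top-level package (`urllib3.contrib.pyopenssl`, which is how an unbundled requests resolves it) would still load PyOpenSSL and trigger the execmem denial the patch comment describes. Adding the sibling entry `sys.modules['urllib3.contrib.pyopenssl'] = None` next to the existing line would close that path at no cost. The patch does not show which import path pki.client and custodia actually use, so confirm against those packages before relying on the single key. The nested hunk begins on the previous physical line and the rest of wsgi.py's module body lies outside it.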
@@ -135,23 +134,26 @@ BuildRequires: python-lesscpy
 # makeapi/makeaci is using Python 2 only for now
 # BuildRequires: python-ldap
-BuildRequires: python-nss
 BuildRequires: m2crypto
 BuildRequires: python-netaddr
-BuildRequires: python-pyasn1
-BuildRequires: python-pyasn1-modules
-BuildRequires: python-dns
+BuildRequires: python2-pyasn1
+BuildRequires: python2-pyasn1-modules
+BuildRequires: python2-dns
 BuildRequires: python-six
-BuildRequires: python-libsss_nss_idmap
-BuildRequires: python-cffi
+BuildRequires: python2-libsss_nss_idmap
+BuildRequires: python2-cffi
 #
 # Build dependencies for wheel packaging and PyPI upload
 #
-%if 0%{with_wheels}
+%if 0%{?with_wheels}
+BuildRequires: dbus-glib-devel
+BuildRequires: libffi-devel
+BuildRequires: python2-tox
 BuildRequires: python2-twine
 BuildRequires: python2-wheel
 %if 0%{?with_python3}
+BuildRequires: python3-tox
 BuildRequires: python3-twine
 BuildRequires: python3-wheel
 %endif
@@ -162,45 +164,50 @@ BuildRequires: python3-wheel
 #
 %if 0%{?with_lint}
 BuildRequires: samba-python
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python2-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python2-cryptography >= 1.6
 BuildRequires: python-gssapi >= 1.2.0-5
+%if 0%{?fedora} >= 26
+BuildRequires: python2-pylint
+%else
 BuildRequires: pylint >= 1.6
+%endif
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires: python2-polib
-BuildRequires: python-libipa_hbac
-BuildRequires: python-lxml
+BuildRequires: python2-libipa_hbac
+BuildRequires: python2-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires: python-qrcode-core >= 5.0.0
 # 1.15: python-dns changed return type in to_text() method in PY3
-BuildRequires: python-dns >= 1.15
+BuildRequires: python2-dns >= 1.15
 BuildRequires: jsl
-BuildRequires: python-yubico
+BuildRequires: python2-yubico
 # pki Python package
 BuildRequires: pki-base-python2
 BuildRequires: python-pytest-multihost
 BuildRequires: python-pytest-sourceorder
-BuildRequires: python-jwcrypto
+# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
+BuildRequires: python-jwcrypto >= 0.4.2
 # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
 BuildRequires: python2-custodia >= 0.3.1
 BuildRequires: dbus-python
-BuildRequires: python-dateutil
+BuildRequires: python2-dateutil
 BuildRequires: python-enum34
 BuildRequires: python-netifaces
-BuildRequires: python-sss
-BuildRequires: python-sss-murmur
-BuildRequires: python-sssdconfig
-BuildRequires: python-nose
-BuildRequires: python-paste
+BuildRequires: python2-sss
+BuildRequires: python2-sss-murmur
+BuildRequires: python2-sssdconfig
+BuildRequires: python2-nose
+BuildRequires: python2-paste
 BuildRequires: systemd-python
 BuildRequires: python2-jinja2
-BuildRequires: python-augeas
+BuildRequires: python2-augeas
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
 #BuildRequires: python3-samba
-# 1.4: the version where Certificate.serial changed to .serial_number
-BuildRequires: python3-cryptography >= 1.4
+# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
+BuildRequires: python3-cryptography >= 1.6
 BuildRequires: python3-gssapi >= 1.2.0
 BuildRequires: python3-pylint >= 1.6
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
@@ -217,7 +224,8 @@ BuildRequires: python3-yubico
 BuildRequires: pki-base-python3
 BuildRequires: python3-pytest-multihost
 BuildRequires: python3-pytest-sourceorder
-BuildRequires: python3-jwcrypto
+# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
+BuildRequires: python3-jwcrypto >= 0.4.2
 # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
 BuildRequires: python3-custodia >= 0.3.1
 BuildRequires: python3-dbus
@@ -233,6 +241,10 @@ BuildRequires: python3-paste
 BuildRequires: python3-systemd
 BuildRequires: python3-jinja2
 BuildRequires: python3-augeas
+BuildRequires: python3-netaddr
+BuildRequires: python3-pyasn1
+BuildRequires: python3-pyasn1-modules
+BuildRequires: python3-pyldap
 %endif # with_python3
 %endif # with_lint
@@ -262,7 +274,11 @@ Group: System Environment/Base
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
+%if 0%{?with_python3}
+Requires: python3-ipaserver = %{version}-%{release}
+%else
 Requires: python2-ipaserver = %{version}-%{release}
+%endif
 Requires: 389-ds-base >= 1.3.5.14
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
@@ -273,7 +289,11 @@ Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-31
+%if 0%{with_python3}
+Requires: python3-mod_wsgi
+%else
 Requires: mod_wsgi
+%endif
 Requires: mod_auth_gssapi >= 1.5.0
 # 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
 Requires: mod_nss >= 1.0.14-3
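Review bot: The new `%if 0%{with_python3}` guard around the mod_wsgi requirement omits the `?` that every other conditional this commit adds uses (`%if 0%{?with_python3}` in the python3-ipaserver, python3-ipaclient and python3-ipalib hunks). Should `with_python3` ever be undefined, rpm leaves `%{with_python3}` unexpanded in the expression and the spec fails to parse rather than falling back to mod_wsgi. The `%if 0%{!?with_python3:1}` block at the top of the spec appears to always define it, so this is latent, but `%if 0%{?with_python3}` here keeps the file consistent and removes the dependency on that block.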
@@ -296,7 +316,8 @@ Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
-Requires(pre): certmonger >= 0.78
+# certmonger-0.79.4-2 fixes newlines in PEM files
+Requires(pre): certmonger >= 0.79.4-2
 Requires(pre): 389-ds-base >= 1.3.5.14
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
@@ -347,16 +368,16 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
 Requires: python2-custodia >= 0.3.1
 Requires: python-ldap >= 2.4.15
-Requires: python-lxml
+Requires: python2-lxml
 Requires: python-gssapi >= 1.2.0-5
-Requires: python-sssdconfig
-Requires: python-pyasn1
+Requires: python2-sssdconfig
+Requires: python2-pyasn1
 Requires: dbus-python
-Requires: python-dns >= 1.15
+Requires: python2-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 Requires: pki-base-python2
-Requires: python-augeas
+Requires: python2-augeas
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -378,7 +399,8 @@ Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-custodia >= 0.3.1
-Requires: python3-pyldap >= 2.4.15
+# we need pre-requires since earlier versions may break upgrade
+Requires(pre): python3-pyldap >= 2.4.35.1-2
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
@@ -434,6 +456,10 @@ Requires: bind-utils >= 9.11.0-6.P2
 Requires: bind-pkcs11 >= 9.11.0-6.P2
 Requires: bind-pkcs11-utils >= 9.11.0-6.P2
 Requires: opendnssec >= 1.4.6-4
+# Keep python2 dependencies until DNSSEC daemons are ported to Python 3
+Requires: python2
+Requires: python2-ipalib
+Requires: python2-ipaserver
 Provides: %{alt_name}-server-dns = %{version}
 Conflicts: %{alt_name}-server-dns
@@ -484,7 +510,11 @@ Summary: IPA authentication for use on clients
 Group: System Environment/Base
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
+%if 0%{?with_python3}
+Requires: python3-ipaclient = %{version}-%{release}
+%else
 Requires: python2-ipaclient = %{version}-%{release}
+%endif
 Requires: python-ldap
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
@@ -497,7 +527,8 @@ Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.14.0
 Requires: python-sssdconfig
-Requires: certmonger >= 0.78
+# certmonger-0.79.4-2 fixes newlines in PEM files
+Requires: certmonger >= 0.79.4-2
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
@@ -539,7 +570,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
-Requires: python-dns >= 1.15
+Requires: python2-dns >= 1.15
 Requires: python2-jinja2
 %description -n python2-ipaclient
@@ -603,7 +634,11 @@ BuildArch: noarch
 Obsoletes: %{name}-python < 4.2.91
 Provides: %{name}-python = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
+%if 0%{?with_python3}
+Requires: python3-ipalib = %{version}-%{release}
+%else
 Requires: python2-ipalib = %{version}-%{release}
+%endif
 Provides: %{alt_name}-python-compat = %{version}
 Conflicts: %{alt_name}-python-compat
@@ -643,25 +678,25 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python >= 2.7.9
-Requires: python-nss >= 0.16
 Requires: m2crypto
-Requires: python2-cryptography >= 1.4
+Requires: python2-cryptography >= 1.6
 Requires: python-netaddr >= %{python_netaddr_version}
-Requires: python-libipa_hbac
+Requires: python2-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
-Requires: python-pyasn1
-Requires: python-pyasn1-modules
-Requires: python-dateutil
-Requires: python-yubico >= 1.2.3
-Requires: python-sss-murmur
+Requires: python2-pyasn1
+Requires: python2-pyasn1-modules
+Requires: python2-dateutil
+Requires: python2-yubico >= 1.2.3
+Requires: python2-sss-murmur
 Requires: dbus-python
-Requires: python-setuptools
+Requires: python2-setuptools
 Requires: python-six
-Requires: python-jwcrypto
-Requires: python-cffi
+# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
+Requires: python-jwcrypto >= 0.4.2
+Requires: python2-cffi
 Requires: python-ldap >= 2.4.15
-Requires: python-requests
-Requires: python-dns >= 1.15
+Requires: python2-requests
+Requires: python2-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -693,22 +728,24 @@ Requires: python3-gssapi >= 1.2.0
 Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
-Requires: python3-nss >= 0.16
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
 Requires: python3-netaddr >= %{python_netaddr_version}
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-pyasn1
 Requires: python3-pyasn1-modules
 Requires: python3-dateutil
-Requires: python3-yubico >= 1.2.3
+# fixes searching for yubikeys in python3
+Requires: python3-yubico >= 1.3.2-7
 Requires: python3-sss-murmur
 Requires: python3-dbus
 Requires: python3-setuptools
 Requires: python3-six
-Requires: python3-jwcrypto
+# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
+Requires: python3-jwcrypto >= 0.4.2
 Requires: python3-cffi
-Requires: python3-pyldap >= 2.4.15
+# we need pre-requires since earlier versions may break upgrade
+Requires(pre): python3-pyldap >= 2.4.35.1-2
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -759,17 +796,18 @@ Requires: python2-ipaclient = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: tar
 Requires: xz
-Requires: python-nose
+Requires: python2-nose
 Requires: pytest >= 2.6
-Requires: python-paste
-Requires: python-coverage
+Requires: python2-paste
+Requires: python2-coverage
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 Requires: python2-polib
 Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
-Requires: python-sssdconfig
-Requires: python2-cryptography >= 1.4
+Requires: python2-sssdconfig
+Requires: python2-cryptography >= 1.6
+Requires: iptables
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@@ -791,8 +829,7 @@ Summary: IPA tests and test tools
 BuildArch: noarch
 %{?python_provide:%python_provide python3-ipatests}
 Requires: python3-ipaclient = %{version}-%{release}
-# FIXME: uncomment once there's python3-ipaserver
-#Requires: python3-ipaserver = %{version}-%{release}
+Requires: python3-ipaserver = %{version}-%{release}
 Requires: tar
 Requires: xz
 Requires: python3-nose
@@ -803,7 +840,8 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
-Requires: python3-cryptography >= 1.4
+Requires: python3-cryptography >= 1.6
+Requires: iptables
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -864,6 +902,61 @@ find \
 ! -name '*.pyo' -a \
 -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
 -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
+
+%if 0%{?with_python3}
+# TODO: temporary solution until all scripts are ported to python3,
+# TODO: workaround: some scripts are copied over, so the are always py2.
+# We have to explicitly set python3 here for ported files here
+PY3_SUBST_PATHS='
+client/ipa-certupdate
+client/ipa-client-automount
+client/ipa-client-install
+daemons/ipa-otpd/test.py
+install/certmonger/ipa-server-guard
+install/certmonger/dogtag-ipa-ca-renew-agent-submit
+install/oddjob/com.redhat.idm.trust-fetch-domains
+install/restart_scripts/renew_ra_cert_pre
+install/restart_scripts/renew_ca_cert
+install/restart_scripts/renew_ra_cert
+install/restart_scripts/restart_httpd
+install/restart_scripts/renew_kdc_cert
+install/restart_scripts/stop_pkicad
+install/restart_scripts/restart_dirsrv
+install/tools/ipa-advise
+install/tools/ipa-adtrust-install
+install/tools/ipa-backup
+install/tools/ipa-ca-install
+install/tools/ipa-cacert-manage
+install/tools/ipa-compat-manage
+install/tools/ipa-csreplica-manage
+install/tools/ipa-custodia
+install/tools/ipa-dns-install
+install/tools/ipa-httpd-kdcproxy
+install/tools/ipa-kra-install
+install/tools/ipa-ldap-updater
+install/tools/ipa-managed-entries
+install/tools/ipa-nis-manage
+install/tools/ipa-otptoken-import
+install/tools/ipa-pkinit-manage
+install/tools/ipa-pki-retrieve-key
+install/tools/ipa-replica-conncheck
+install/tools/ipa-replica-install
+install/tools/ipa-replica-manage
+install/tools/ipa-replica-prepare
+install/tools/ipa-restore
+install/tools/ipa-server-certinstall
+install/tools/ipa-server-install
+install/tools/ipa-server-upgrade
+install/tools/ipa-winsync-migrate
+install/tools/ipactl
+ipa
+'
+for P in $PY3_SUBST_PATHS; do
+ sed -i -e '1 s|^#!\s\?.*\bpython[0-9]*|#!%{__python3}|' $P
+done;
+
+%endif # with_python3
+
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
@@ -1030,6 +1123,7 @@ fi
 /bin/systemctl reload-or-try-restart dbus
 /bin/systemctl reload-or-try-restart oddjobd
+%tmpfiles_create ipa.conf
 %posttrans server
 # don't execute upgrade and restart of IPA when server is not installed
@@ -1236,7 +1330,6 @@ fi
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
 %dir %{_libexecdir}/ipa/certmonger
 %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
 # NOTE: systemd specific section
@@ -1317,19 +1410,22 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
+# NOTE: systemd specific section
+%{_tmpfilesdir}/ipa.conf
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
 %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
-%{_usr}/share/ipa/ipa.conf.tmpfiles
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
 %{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/profiles
+%{_usr}/share/ipa/profiles/README
 %{_usr}/share/ipa/profiles/*.cfg
 %dir %{_usr}/share/ipa/html
 %{_usr}/share/ipa/html/ffconfig.js
@@ -1614,6 +1710,9 @@ fi
 %endif # with_ipatests
 %changelog
+* Mon Sep 04 2017 Tomas Krizek - 4.6.0-1
+- Rebase to upstream 4.6.0
+
 * Wed Aug 02 2017 Fedora Release Engineering - 4.5.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
diff --git a/sources b/sources
index e52e18e..12d99c5 100644
--- a/sources
+++ b/sources
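Review bot: In the new `for P in $PY3_SUBST_PATHS` loop the path is expanded unquoted in `sed -i -e '...' $P`, and `done;` carries a stray semicolon; none of the listed paths contain whitespace, so this is a point of style rather than a defect, but `sed -i -e '1 s|^#!\s\?.*\bpython[0-9]*|#!%{__python3}|' "$P"` followed by a plain `done` is the usual form. The comment `# TODO: workaround: some scripts are copied over, so the are always py2.` reads `the` for `they`. Note also that the find command just above rewrites every shebang to %{__python2} before this list flips the enumerated files to %{__python3}, so a script ported upstream but not added to PY3_SUBST_PATHS silently keeps a python2 shebang; a one-line comment stating that the list must be updated on every rebase would make that maintenance burden explicit. This hunk begins on the previous physical line.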
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.5.3.tar.gz) = 649b42a721b1bde6e8ebd5387bff171e9ea700005e3b2670129a25a6a5d1d81f6c6005375fb136d973706c0337f048c10fdd9913967035fa7f6ba766828dae42
-SHA512 (freeipa-4.5.3.tar.gz.asc) = 8eef3c911cc04c2d9fd15c840b71391a556ac6cd32d092af3424db303e2b933fc74db4600a4d491a14f636cd180975fd9157ece0e46f1502f0cdf81d097ef7e2
+SHA512 (freeipa-4.6.0.tar.gz) = 4719fb821b74b76b8159cf9866c386a265e7d821cec70f008c9cf4ad9df9ee9362ca058a59a323e1151660a29938c9c6eb928b922a355bdc49c8b72f33a5dd8f
+SHA512 (freeipa-4.6.0.tar.gz.asc) = 4bf540a36a8c667d1b130bfe6de54eed8d7fdc860089762c91f823af878af1e53acd2032f6fd1518c76e56ac39ca740875c85e81cf4bd41919498ce15333b26e