More fixes to Fedora 28 beta

Alexander Bokovoy 2018-03-21 10:45:19 +02:00
parent 8bb66c5db7
commit 4bae5f4bc8
6 changed files with 190 additions and 35 deletions


@ -1,7 +1,8 @@
From 782d74463226039647ec0b5caaa1a967d86cc930 Mon Sep 17 00:00:00 2001 From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com> From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 19 Mar 2018 21:48:04 +0200 Date: Mon, 19 Mar 2018 21:48:04 +0200
Subject: [PATCH] Processing of server roles should ignore errors.EmptyResult Subject: [PATCH 1/2] Processing of server roles should ignore
errors.EmptyResult
When non-admin user issues a command that utilizes When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might api.Object.config.show_servroles_attributes(), some server roles might


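--- a/0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch
+++ b/0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch
@@ -1,31 +0,0 @@
-From ffa274fc72e0d56bca3389d3ba973459053c25f3 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 20 Mar 2018 09:35:51 +0200
-Subject: [PATCH 2/2] Make sure template dictionary has WSGI_PREFIX_DIR when
-upgrading ipa.conf.template
-Fixes https://pagure.io/freeipa/issue/7454
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
-ipaserver/install/server/upgrade.py | 1 +
-1 file changed, 1 insertion(+)
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index a38f4115c..807d674d7 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1651,6 +1651,11 @@ def upgrade_configuration():
-ds_dirname = dsinstance.config_dirname(ds_serverid)
-+ sub_dict['WSGI_PREFIX_DIR'] = paths.WSGI_PREFIX_DIR
-+ sub_dict['GSSAPI_SESSION_KEY'] = paths.GSSAPI_SESSION_KEY
-+ sub_dict['FONTS_DIR'] = paths.FONTS_DIR
-+ sub_dict['IPA_CCACHES'] = paths.IPA_CCACHES
-+ sub_dict['IPA_CUSTODIA_SOCKET'] = paths.IPA_CUSTODIA_SOCKET
-upgrade_file(sub_dict, paths.HTTPD_IPA_CONF,
-os.path.join(paths.USR_SHARE_IPA_DIR,
-"ipa.conf.template"))
---
-2.14.3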


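--- a/0002-Update-template-directory-with-new-variables-when-up.patch
+++ b/0002-Update-template-directory-with-new-variables-when-up.patch
@@ -0,0 +1,41 @@
+From ae35587582f0e4ae1e9fac3270d2f6942f4f7a31 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 20 Mar 2018 09:35:51 +0200
+Subject: [PATCH 2/2] Update template directory with new variables when
+upgrading ipa.conf.template
+With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd
+configuration to use abstracted out variables in the template.
+However, during upgrade we haven't resolved these variables so an
+upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
+fail.
+Add all missing variables to the upgrade code.
+Fixes https://pagure.io/freeipa/issue/7454
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ipaserver/install/server/upgrade.py | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index a38f4115c..5654cc32d 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1617,7 +1617,12 @@ def upgrade_configuration():
+AUTOREDIR='' if auto_redirect else '#',
+CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
+DOGTAG_PORT=8009,
+- CLONE='#'
++ CLONE='#',
++ WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
++ GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
++ FONTS_DIR=paths.FONTS_DIR,
++ IPA_CCACHES=paths.IPA_CCACHES,
++ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET
+)
+subject_base = find_subject_base()
+--
+2.14.3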
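Review bot: The five new keyword entries are a hand-maintained copy of the variables that ipa.conf.template now expects, and the bug being fixed is exactly that this copy drifted from the install-side substitution dictionary after e6c707b; the next variable added to the template will break upgrades the same way unless `upgrade_configuration` derives these entries from whatever the installer uses to render the same template — I cannot see that code here, so treat this as a check rather than a confirmed defect. Short of sharing the dictionary, a comment above the added lines, `# Must list every $VAR used by ipa.conf.template; keep in sync with the install-side dict`, would at least flag the coupling. `upgrade_configuration` begins and continues outside this hunk.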


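--- a/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
+++ b/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
@@ -0,0 +1,88 @@
+From c25c5c1c85d4ee3aaea7c62a32134c0af56b9004 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 21 Mar 2018 10:33:32 +0200
+Subject: [PATCH] upgrade: Run configuration upgrade under file-based ccache
+Use anonymous file-based ccache to prevent upgrade failures
+in case KCM: or KEYRING: ccache type is used by default
+in krb5.conf and is not available. We don't need any user
+credentials during upgrade procedure but kadmin.local
+would attempt to resolve default ccache and if that's not
+available, kadmin.local will fail.
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ipaserver/install/server/upgrade.py | 39 +++++++++++++++++++++++++++++++++++--
+1 file changed, 37 insertions(+), 2 deletions(-)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index a38f4115c..00389a914 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -11,10 +11,11 @@ import shutil
+import pwd
+import fileinput
+import sys
++from contextlib import contextmanager
+from augeas import Augeas
+import dns.exception
+from ipalib import api, x509
+-from ipalib.install import certmonger, sysrestore
++from ipalib.install import certmonger, sysrestore, kinit
+import SSSDConfig
+import ipalib.util
+import ipalib.errors
+@@ -1926,6 +1927,32 @@ def upgrade_check(options):
+logger.warning("Upgrade without version check may break your system")
++@contextmanager
++def anonymous_ccache():
++ kpath = os.path.join(paths.IPA_CCACHES,
++ "upgrade_ccache_{}".format(os.getpid()))
++
++ try:
++ logger.debug('Obtaining anonymous creds in ccache %s', kpath)
++ kinit.kinit_armor(
++ kpath,
++ pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
++ )
++ kdestroy = True
++ except RuntimeError:
++ logger.error("Failed to obtain anonymous creds cache")
++ kdestroy = False
++ old_path = os.getenv('KRB5CCNAME')
++ try:
++ os.environ['KRB5CCNAME'] = kpath
++ yield
++ finally:
++ if old_path:
++ os.environ['KRB5CCNAME'] = old_path
++ if kdestroy:
++ installutils.remove_ccache(kpath)
++
++
+def upgrade():
+realm = api.env.realm
+schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
+@@ -1950,7 +1977,15 @@ def upgrade():
+print('Upgrading IPA services')
+logger.info('Upgrading the configuration of the IPA services')
+- upgrade_configuration()
++ # Use anonymous file-based ccache to prevent upgrade failures
++ # in case KCM: or KEYRING: ccache type is used by default
++ # in krb5.conf and is not available. We don't need any user
++ # credentials during upgrade procedure but kadmin.local
++ # would attempt to resolve default ccache and if that's not
++ # available, kadmin.local will fail.
++ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
++ with anonymous_ccache():
++ upgrade_configuration()
+logger.info('The IPA services were upgraded')
+# store new data version after upgrade
+--
+2.14.3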
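Review bot: The `finally` block in `anonymous_ccache` leaves KRB5CCNAME pointing at the already-removed `kpath` for the rest of the process whenever the variable was unset on entry, because `old_path` is then `None` and the code only ever restores it, never clears it, so everything the upgrade runs after `upgrade_configuration()` inherits a dangling ccache path. The restore should distinguish unset from set: `if old_path is None: os.environ.pop('KRB5CCNAME', None)` / `else: os.environ['KRB5CCNAME'] = old_path`. When `kinit_armor` raises, the code logs at error level yet still redirects KRB5CCNAME at the never-created file and proceeds; if that degraded path is intentional (the commit message says no user credentials are needed), a comment should say so and the log level should be warning, and note that `kdestroy = False` also skips cleanup of any partially written ccache file. The ccache name under `paths.IPA_CCACHES` is derived from the PID and so predictable; whether that directory is writable by anyone other than root is not visible here, but if it is, a pre-planted symlink could redirect this root-owned write, which a `tempfile.mkstemp`-style name (or a root-only directory) would avoid. `upgrade()` in the last hunk starts and ends outside the hunk.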


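--- a/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
+++ b/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
@@ -0,0 +1,49 @@
+From 585250368a8841e69176006acb6876abc54843cb Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 20 Mar 2018 16:40:24 +0200
+Subject: [PATCH] use LDAP Whoami command when creating an OTP token
+ipa user-find --whoami is used by ipa otptoken-add to populate
+ipaTokenOwner and managedBy attributes. These attributes, in turn are
+checked by the self-service ACI which allows to create OTP tokens
+assigned to the creator.
+With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
+searches with scope 'one' that result in ipa user-find --whoami
+returning 0 results.
+Because ipa user-find --whoami does not work, non-admin user cannot
+create a token. This is a regression that can be fixed by using LDAP
+Whoami command.
+Fixes: https://pagure.io/freeipa/issue/7456
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ipaserver/plugins/otptoken.py | 9 ++++-----
+1 file changed, 4 insertions(+), 5 deletions(-)
+diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
+index d94ae49ff..17b32094d 100644
+--- a/ipaserver/plugins/otptoken.py
++++ b/ipaserver/plugins/otptoken.py
+@@ -311,13 +311,12 @@ class otptoken_add(LDAPCreate):
+# If owner was not specified, default to the person adding this token.
+# If managedby was not specified, attempt a sensible default.
+if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs:
+- result = self.api.Command.user_find(
+- whoami=True, no_members=False)['result']
+- if result:
+- cur_uid = result[0]['uid'][0]
++ cur_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:])
++ if cur_dn:
++ cur_uid = cur_dn[0].value
+prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
+if cur_uid == prev_uid:
+- entry_attrs.setdefault('managedby', result[0]['dn'])
++ entry_attrs.setdefault('managedby', cur_dn.ldap_text())
+# Resolve the owner's dn
+_normalize_owner(self.api.Object.user, entry_attrs)
+--
+2.14.3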
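Review bot: `cur_dn` is built from a fixed `[4:]` slice of whatever `whoami_s()` returns and `cur_dn[0].value` is then used as a uid no matter what the bind identity is, so a host or service bind (whose first RDN is not `uid`) would default `ipatokenowner` to its fqdn or principal value, and an anonymous bind (empty authzid) or a `u:`-form authzid would raise or produce a nonsense DN, whereas the replaced `user_find --whoami` simply returned no result in those cases and left the attributes unset. Check the authzid prefix and the RDN attribute before defaulting, and otherwise fall through to `_normalize_owner` as before. The 4-character offset also assumes a `dn: ` prefix with a trailing space; if the server ever returns the bare RFC 4532 `dn:` form the slice drops the first character of the DN, so stripping by prefix rather than by count is safer — I cannot see which form 389-ds emits here. The enclosing method of `otptoken_add` starts and ends outside the hunk.
```python
            authzid = self.api.Backend.ldap2.conn.whoami_s() or ''
            # Only a DN-form authzid whose first RDN is uid identifies a user;
            # anonymous, u:-form, host and service binds get no default owner.
            cur_dn = None
            if authzid.startswith('dn:'):
                cur_dn = DN(authzid[3:].lstrip())
            if cur_dn and cur_dn[0].attr.lower() == 'uid':
                cur_uid = cur_dn[0].value
                prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
                if cur_uid == prev_uid:
                    entry_attrs.setdefault('managedby', cur_dn.ldap_text())
            # … unchanged: _normalize_owner call …
```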


@ -100,7 +100,7 @@
Name: freeipa Name: freeipa
Version: %{VERSION} Version: %{VERSION}
Release: 4%{?dist} Release: 5%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -109,7 +109,9 @@ URL: https://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
Patch0002: 0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch
Patch0003: 0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
# For the timestamp trick in patch application # For the timestamp trick in patch application
BuildRequires: diffstat BuildRequires: diffstat
@ -1718,6 +1720,11 @@ fi
%endif # with_ipatests %endif # with_ipatests
%changelog %changelog
* Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-5
- Apply upstream fix for #1558354
- Run upgrade under file-based ccache (#1558818)
- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617
* Tue Mar 20 2018 Adam Williamson <awilliam@redhat.com> - 4.6.90.pre1-4 * Tue Mar 20 2018 Adam Williamson <awilliam@redhat.com> - 4.6.90.pre1-4
- Fix upgrades harder (extension of -3 patch) (#1558354) - Fix upgrades harder (extension of -3 patch) (#1558354)