rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.10.0-6.el9

This commit is contained in:
CentOS Sources 2022-09-27 07:16:00 -04:00 committed by Stepan Oksanichenko
parent 3a117a41e7
commit 567ffe06b1
54 changed files with 17062 additions and 3102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.9.8.tar.gz
SOURCES/freeipa-4.10.0.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
901ede9686abffef511c6477d90d5e6fd32d6fbc SOURCES/freeipa-4.10.0.tar.gz

56
SOURCES/0001-Only-calculate-LDAP-password-grace-when-the-password.patch Normal file
View File

@ -0,0 +1,56 @@
From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
Slapi_ValueSet *values = NULL;
long grace_limit = 0;
int grace_user_time;
- char *pwd_expiration = NULL;
+ char *tmpstr = NULL;
+ time_t pwd_expiration;
int pwresponse_requested = 0;
Slapi_PBlock *pbtm = NULL;
Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
}
slapi_value_free(&objectclass);
- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
- if (pwd_expiration == NULL) {
+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+ if (tmpstr == NULL) {
/* No expiration means nothing to do */
LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
goto done;
}
+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+ if (pwd_expiration > time(NULL)) {
+ /* Not expired, nothing to see here */
+ goto done;
+ }
ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
&values, &actual_type_name,
--
2.36.1

36
SOURCES/0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
View File

@ -1,36 +0,0 @@
From 669f3d71161741c676ddd6a08bd08d4a4ccd495b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 17:40:54 +0200
Subject: [PATCH] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
tickets to RODCs)
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f7d1ac15daf17dfca36ebd3265c866725d24717..538cfbba958068bd2ee0aaae7a2743ae82237898 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
#endif
#ifdef HAVE_PAC_REQUESTER_SID
- {
+ /* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
union PAC_INFO pac_requester_sid;
/* == Package PAC_REQUESTER_SID == */
memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));
--
2.31.1

122
SOURCES/0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
View File

@ -1,122 +0,0 @@
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 11:13:51 +0200
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
the ticket resolves to the account with the same SID as the
PAC_REQUESTER_SID. If it doesn't KDC must respond with
KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.
With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 538cfbba958068bd2ee0aaae7a2743ae82237898..1b972c167dd50619c7a6bd78eb5c81b0e05a4832 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s], PAC [%s]",
dom ? dom : "<failed to display>",
sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
}
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
ied = (struct ipadb_e_data *)client_actual->e_data;
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s] vs PAC [%s]",
local_sid ? local_sid : "<failed to display>",
pac_sid ? pac_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
goto done;
}
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
/* Check that requester SID is the same as in the PAC entry */
if (requester_sid != NULL) {
struct dom_sid client_sid;
+ bool is_from_trusted_domain = false;
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
if (kerr) {
goto done;
}
result = dom_sid_check(&client_sid, requester_sid, true);
if (!result) {
- /* memctx is freed by the caller */
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
- "different from what PAC requester claims. "
- "PAC [%s] vs PAC requester [%s]",
- pac_sid ? pac_sid : "<failed to display>",
- req_sid ? req_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
+ struct ipadb_context *ipactx = ipadb_get_context(context);
+ if (!ipactx || !ipactx->mspac) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+ /* Iterate through list of trusts and check if this SID belongs to
+ * one of the domains we trust */
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+ requester_sid, false);
+ if (result) {
+ is_from_trusted_domain = true;
+ break;
+ }
+ }
+ }
+
+ if (!is_from_trusted_domain) {
+ /* memctx is freed by the caller */
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+ "different from what PAC requester claims. "
+ "PAC [%s] vs PAC requester [%s]",
+ pac_sid ? pac_sid : "<failed to display>",
+ req_sid ? req_sid : "<failed to display>");
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
}
}
--
2.31.1

67
SOURCES/0002-webui-Do-not-allow-empty-pagination-size.patch Normal file
View File

@ -0,0 +1,67 @@
From 02d3fb8266d8199fd1ed983de6c57b269546df82 Mon Sep 17 00:00:00 2001
From: Armando Neto <abiagion@redhat.com>
Date: Fri, 8 Jul 2022 15:56:31 -0300
Subject: [PATCH] webui: Do not allow empty pagination size
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.
Fixes: https://pagure.io/freeipa/issue/9192
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ui/src/freeipa/Application_controller.js | 1 +
ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 46aabc9c4dd47aa3874cb3ddf27da048607b7516..140ee8fe0d7adc274396248aae0be2f4559db27a 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -318,6 +318,7 @@ define([
$type: 'text',
name: 'pagination_size',
label: '@i18n:customization.table_pagination',
+ required: true,
validators: ['positive_integer']
}
]
diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py
index 5f7ffb54ee33e9b453d6b987b7bf84d6f4311ebd..aca9e1a99e1e2cf60790fe8c33a65430e0d535e2 100644
--- a/ipatests/test_webui/test_misc_cases.py
+++ b/ipatests/test_webui/test_misc_cases.py
@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot
import pytest
import re
+try:
+ from selenium.webdriver.common.by import By
+except ImportError:
+ pass
+
@pytest.mark.tier1
class TestMiscCases(UI_driver):
@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver):
ver_re = re.compile('version: .*')
assert re.search(ver_re, about_text), 'Version not found'
self.dialog_button_click('ok')
+
+ @screenshot
+ def test_customization_pagination_input_required(self):
+ """Test if 'pagination size' is required when submitting the form."""
+ self.init_app()
+
+ self.profile_menu_action('configuration')
+ self.fill_input('pagination_size', '')
+ self.dialog_button_click('save')
+
+ pagination_size_elem = self.find(
+ ".widget[name='pagination_size']", By.CSS_SELECTOR)
+
+ self.assert_field_validation_required(parent=pagination_size_elem)
--
2.36.1

48
SOURCES/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch
View File

@ -1,48 +0,0 @@
From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Fri, 26 Nov 2021 12:11:21 +0530
Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
teardown
Fixture `expire_certs` moves date back after renewing the certs.
This is causing the ipa-replica to fail. This fix first uninstalls
the server then moves back the date.
Fixes: https://pagure.io/freeipa/issue/9052
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 39904d5de64c59416f01646f437aabf797d57dd9..5b56054b4f16d5654ebeb61971a8775bfaf341b8 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
setup_dns=False, extra_args=['--no-ntp']
)
+ @classmethod
+ def uninstall(cls, mh):
+ # Uninstall method is empty as the uninstallation is done in
+ # the fixture
+ pass
+
@pytest.fixture
def expire_certs(self):
# move system date to expire certs
@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
yield
# move date back on replica and master
- for host in self.master, self.replicas[0]:
+ for host in self.replicas[0], self.master:
+ tasks.uninstall_master(host)
tasks.move_date(host, 'start', '-3years-1days')
def test_renew_expired_cert_replica(self, expire_certs):
--
2.34.1

15825
SOURCES/0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch Normal file
View File

File diff suppressed because it is too large Load Diff

69
SOURCES/0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch Normal file
View File

@ -0,0 +1,69 @@
From aca97507cd119ad55e0c3c18ca65087cb5576c82 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Mon, 13 Jun 2022 13:49:08 +0530
Subject: [PATCH] Added a check while removing 'cert_dir'. The teardown method
is called even if all the tests are skipped since the required PKI version is
not present. The teardown is trying to remove a non-existent directory.
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.
Pagure Issue: https://pagure.io/freeipa/issue/9179
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_caless.py | 12 +++++++++++-
.../test_integration/test_random_serial_numbers.py | 6 ++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 96f477bbe4b0e25184605a80659b5ec6529a2320..4c370f77e84215714e533b1b6ebeb89216319c0f 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -122,6 +122,15 @@ def replica_install_teardown(func):
class CALessBase(IntegrationTest):
+ # The teardown method is called even if all the tests are skipped
+ # since the required PKI version is not present.
+ # The teardown is trying to remove a non-existent directory.
+ # Currently the cert_dir attribute is only present if IPA installation was
+ # done. If IPA was not installed the attribute does not exist.
+ # In order that the uninstall code finds the attribute a class attribute
+ # is added.
+ cert_dir = None
+
@classmethod
def install(cls, mh):
cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
@@ -164,7 +173,8 @@ class CALessBase(IntegrationTest):
@classmethod
def uninstall(cls, mh):
# Remove the NSS database
- shutil.rmtree(cls.cert_dir)
+ if cls.cert_dir:
+ shutil.rmtree(cls.cert_dir)
super(CALessBase, cls).uninstall(mh)
@classmethod
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index a931c7b562f00f94e10d1e9e891fbf0624d5fd88..c52cfa4ed50e2718791b0844d743fb240d26b365 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -64,3 +64,9 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RNSv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).install(mh)
+
+ @classmethod
+ def uninstall(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
--
2.37.2

29
SOURCES/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch
View File

@ -1,29 +0,0 @@
From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Thu, 25 Nov 2021 17:48:20 +0530
Subject: [PATCH] Extend test to see if replica is not shown when running
`ipa-replica-manage list -v <FQDN>`
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_simple_replication.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 8de3851447abdfd36171134cbb683115b34df749..17092a49966e61d5a4a9b04c15abcb1de8be9683 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
# has to be run with --force, there is no --unattended
self.master.run_command(['ipa-replica-manage', 'del',
self.replicas[0].hostname, '--force'])
- result = self.master.run_command(['ipa-replica-manage', 'list'])
+ result = self.master.run_command(
+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
assert self.replicas[0].hostname not in result.stdout_text
--
2.34.1

40
SOURCES/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch
View File

@ -1,40 +0,0 @@
From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 13 Dec 2021 17:37:05 +0530
Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
related : https://pagure.io/freeipa/issue/8962
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_installation.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 95cfaad54c33a581c6af352097ea95ed435ea2b1..0947241ae2738419c4855e2517670c9033e634f0 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
)
assert "nsslapd-db-locks" not in result.stdout_text
+ def test_nsslapd_sizelimit(self):
+ """ Test for default value of nsslapd-sizelimit.
+
+ Related : https://pagure.io/freeipa/issue/8962
+ """
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=config",
+ ["nsslapd-sizelimit"],
+ scope="base"
+ )
+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
+
def test_admin_root_alias_CVE_2020_10747(self):
# Test for CVE-2020-10747 fix
# https://bugzilla.redhat.com/show_bug.cgi?id=1810160
--
2.34.1

55
SOURCES/0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch Normal file
View File

@ -0,0 +1,55 @@
From c55185d3dc3c6cd2ffebab77fbf8caa40a32bcd1 Mon Sep 17 00:00:00 2001
From: Erik <ebelko@redhat.com>
Date: Mon, 18 Jul 2022 11:59:24 +0200
Subject: [PATCH] ipatests: healthcheck: test if system is FIPS enabled
Test if FIPS is enabled and the check exists.
Related: https://pagure.io/freeipa/issue/8951
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 23af09f3a7eaa8012e7a898ce6a534d1fad45323..a0c85f79e6e84f9e63072c6d70276480e4af97ad 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -340,6 +340,31 @@ class TestIpaHealthCheck(IntegrationTest):
assert returncode == 0
assert output == "No issues found."
+ def test_ipa_healthcheck_fips_enabled(self):
+ """
+ Test if FIPS is enabled and the check exists.
+
+ https://pagure.io/freeipa/issue/8951
+ """
+ returncode, check = run_healthcheck(self.master,
+ source="ipahealthcheck.meta.core",
+ check="MetaCheck",
+ output_type="json",
+ failures_only=False)
+ assert returncode == 0
+
+ cmd = self.master.run_command(['fips-mode-setup', '--is-enabled'],
+ raiseonerr=False)
+ returncode = cmd.returncode
+
+ # If this produces IndexError, the check does not exist
+ if check[0]["kw"]["fips"] == "disabled":
+ assert returncode == 2
+ elif check[0]["kw"]["fips"] == "enabled":
+ assert returncode == 0
+ else:
+ assert returncode == 1
+
def test_ipa_healthcheck_after_certupdate(self):
"""
Verify that ipa-certupdate hasn't messed up tracking
--
2.37.2

125
SOURCES/0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch Normal file
View File

@ -0,0 +1,125 @@
From 1bb4ff9ed2313fb3c2bd1418258c5bcec557b6a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 21 Jul 2022 09:28:46 -0400
Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.
Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.
Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.
Fixes: https://pagure.io/freeipa/issue/9206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 2 +-
ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++-
2 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f..345e1dee7d163167373ca82dedb1e827f0e1bc8c 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
if (pwresponse_requested) {
slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
}
- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) {
+ } else if (grace_user_time >= grace_limit) {
LOG_TRACE("%s password is expired and out of grace limit\n", dn);
errstr = "Password is expired.\n";
ret = LDAP_INVALID_CREDENTIALS;
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
index 6d66982848ac5a0061b47d30fad022be055c93e4..41d6e9070a90c2bde7b3182ad6ecf1a923bba203 100644
--- a/ipatests/test_integration/test_pwpolicy.py
+++ b/ipatests/test_integration/test_pwpolicy.py
@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest):
cls.master.run_command(['ipa', 'group-add-member', POLICY,
'--users', USER])
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
- '--priority', '1'])
+ '--priority', '1', '--gracelimit', '-1'])
cls.master.run_command(['ipa', 'passwd', USER],
stdin_text='{password}\n{password}\n'.format(
password=PASSWORD
@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest):
def test_graceperiod_expired(self):
"""Test the LDAP bind grace period"""
- str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest):
def test_graceperiod_not_replicated(self):
"""Test that the grace period is reset on password reset"""
- str(self.master.domain.basedn)
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
user=USER, base_dn=str(self.master.domain.basedn))
@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest):
)
assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
self.reset_password(self.master)
+
+ def test_graceperiod_zero(self):
+ """Test the LDAP bind with zero grace period"""
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ],
+ )
+
+ # Resetting the password will mark it as expired
+ self.reset_password(self.master)
+
+ # Now grace is done and binds should fail.
+ result = self.master.run_command(
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
+ "-w", PASSWORD, "-b", dn], raiseonerr=False
+ )
+ assert result.returncode == 49
+
+ assert 'Password is expired' in result.stderr_text
+ assert 'Password expired, 0 grace logins remain' in result.stderr_text
+
+ def test_graceperiod_disabled(self):
+ """Test the LDAP bind with grace period disabled (-1)"""
+ str(self.master.domain.basedn)
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
+ user=USER, base_dn=str(self.master.domain.basedn))
+
+ # This can fail if gracelimit is already -1 so ignore it
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",],
+ raiseonerr=False,
+ )
+
+ # Ensure the password is expired
+ self.reset_password(self.master)
+
+ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD)
+
+ for _i in range(0, 10):
+ result = self.master.run_command(
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
+ "-w", PASSWORD, "-b", dn]
+ )
+
+ # With graceperiod disabled it should not increment
+ result = tasks.ldapsearch_dm(
+ self.master, dn, ['passwordgraceusertime',],
+ )
+ assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
--
2.37.2

123
SOURCES/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch
View File

@ -1,123 +0,0 @@
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 25 Nov 2021 13:10:05 +0530
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
segfault
When empty cert request is submitted to certmonger, it goes to
segfault. This fix test that if something like this happens,
certmonger should gracefuly handle it
and some PEP8 fixes
related: https://pagure.io/certmonger/issue/191
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
1 file changed, 78 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 5ffb8c6086328d563084f1d4b73daa1d01d956e7..0518d79545f7592d17571068e2681474bd9e5b14 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -14,6 +14,7 @@ import random
import re
import string
import time
+import textwrap
from ipaplatform.paths import paths
from ipapython.dn import DN
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
tasks.kinit_admin(self.master)
tasks.user_add(self.master, user)
- for id in (0,1):
+ for id in (0, 1):
csr_file = f'{id}.csr'
key_file = f'{id}.key'
cert_file = f'{id}.crt'
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
error_msg = 'ipa: ERROR: The certificate for ' \
'{} is not available on this server.'.format(lwca)
assert error_msg in result.stderr_text
+
+ def test_certmonger_empty_cert_not_segfault(self):
+ """Test empty cert request doesn't force certmonger to segfault
+
+ Test scenario:
+ create a cert request file in /var/lib/certmonger/requests which is
+ missing most of the required information, and ask request a new
+ certificate to certmonger. The wrong request file should not make
+ certmonger crash.
+
+ related: https://pagure.io/certmonger/issue/191
+ """
+ empty_cert_req_content = textwrap.dedent("""
+ id=dogtag-ipa-renew-agent
+ key_type=UNSPECIFIED
+ key_gen_type=UNSPECIFIED
+ key_size=0
+ key_gen_size=0
+ key_next_type=UNSPECIFIED
+ key_next_gen_type=UNSPECIFIED
+ key_next_size=0
+ key_next_gen_size=0
+ key_preserve=0
+ key_storage_type=NONE
+ key_perms=0
+ key_requested_count=0
+ key_issued_count=0
+ cert_storage_type=FILE
+ cert_perms=0
+ cert_is_ca=0
+ cert_ca_path_length=0
+ cert_no_ocsp_check=0
+ last_need_notify_check=19700101000000
+ last_need_enroll_check=19700101000000
+ template_is_ca=0
+ template_ca_path_length=-1
+ template_no_ocsp_check=0
+ state=NEED_KEY_PAIR
+ autorenew=0
+ monitor=0
+ submitted=19700101000000
+ """)
+ # stop certmonger service
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
+
+ # place an empty cert request file to certmonger request dir
+ self.master.put_file_contents(
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
+ empty_cert_req_content
+ )
+
+ # start certmonger, it should not fail
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
+
+ # request a new cert, should succeed and certmonger doesn't goes
+ # to segfault
+ result = self.master.run_command([
+ "ipa-getcert", "request",
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
+ ])
+ request_id = re.findall(r'\d+', result.stdout_text)
+
+ # check if certificate is in MONITORING state
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
+ assert status == "MONITORING"
+
+ self.master.run_command(
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
+ )
+ self.master.run_command([
+ 'rm', '-rf',
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
+ ])
--
2.34.1

104
SOURCES/0007-Test-cases-for-ipa-replica-conncheck-command.patch
View File

@ -1,104 +0,0 @@
From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 18 Nov 2021 18:36:58 +0530
Subject: [PATCH] Test cases for ipa-replica-conncheck command
Following test cases would be checked:
- when called with --principal (it should then prompt for a password)
- when called with --principal / --password
- when called without principal and password but with a kerberos TGT,
kinit admin done before calling ipa-replica-conncheck
- when called without principal and password, and without any kerberos
TGT (it should default to principal=admin and prompt for a password)
related: https://pagure.io/freeipa/issue/9047
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
.../test_replica_promotion.py | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index b9c56f775d08885cb6b1226eeb7bcf105f87cdc1..1a4e9bc121abf41a3919aedda3d334de9404d1a0 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
self.assertCARenewalMaster(master, replica.hostname)
self.assertCARenewalMaster(replica, replica.hostname)
+ def test_replica_concheck(self):
+ """Test cases for ipa-replica-conncheck command
+
+ Following test cases would be checked:
+ - when called with --principal (it should then prompt for a password)
+ - when called with --principal / --password
+ - when called without principal and password but with a kerberos TGT,
+ kinit admin done before calling ipa-replica-conncheck
+ - when called without principal and password, and without any kerberos
+ TGT (it should default to principal=admin and prompt for a password)
+
+ related: https://pagure.io/freeipa/issue/9047
+ """
+ exp_str1 = "Connection from replica to master is OK."
+ exp_str2 = "Connection from master to replica is OK"
+ tasks.kdestroy_all(self.replicas[0])
+ # when called with --principal (it should then prompt for a password)
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm,
+ '-p', self.replicas[0].config.admin_name],
+ stdin_text=self.master.config.admin_password
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called with --principal / --password
+ result = self.replicas[0].run_command([
+ 'ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm,
+ '-p', self.replicas[0].config.admin_name,
+ '-w', self.master.config.admin_password
+ ])
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called without principal and password, and without
+ # any kerberos TGT, it should default to principal=admin
+ # and prompt for a password
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm],
+ stdin_text=self.master.config.admin_password
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called without principal and password but with a kerberos TGT,
+ # kinit admin done before calling ipa-replica-conncheck
+ tasks.kinit_admin(self.replicas[0])
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm]
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+ tasks.kdestroy_all(self.replicas[0])
+
def test_automatic_renewal_master_transfer_ondelete(self):
# Test that after replica uninstallation, master overtakes the cert
# renewal master role from replica (which was previously set there)
--
2.34.1

144
SOURCES/0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch Normal file
View File

@ -0,0 +1,144 @@
From a39af6b7228d8ba85b9e97aa5decbc056d081c77 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Thu, 23 Jun 2022 16:14:39 +0530
Subject: [PATCH] ipatests: ipa-client-install --subid adds entry in
nsswitch.conf
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry
subid: nss
Related: https://pagure.io/freeipa/issue/9159
Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files
gating.yaml
nightly_latest.yaml
nightly_rawhide.yaml
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/prci_definitions/gating.yaml | 2 +-
.../nightly_ipa-4-10_latest.yaml | 2 +-
.../nightly_ipa-4-10_latest_selinux.yaml | 2 +-
.../nightly_ipa-4-10_previous.yaml | 2 +-
ipatests/test_integration/test_subids.py | 38 +++++++++++++++++++
5 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 4083c650a17ce76bdefa243f1a7c5924039ff0bb..db4875dcfae8676287ef771805b34d988330bb40 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -309,4 +309,4 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
index 24aa6e7cf29e448ba9d838d1cb98169213ea63ef..027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
@@ -1748,7 +1748,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-latest-ipa-4-10/test_custom_plugins:
requires: [fedora-latest-ipa-4-10/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
index f22cc08384b3d50e49278d38e73bf93cd7804e80..bcc17bef935666735bfb2c2e51209362a374b511 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
@@ -1887,7 +1887,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-latest
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-latest-ipa-4-10/test_custom_plugins:
requires: [fedora-latest-ipa-4-10/build]
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
index df98a66871fd90daaebd83f063e48f1580675049..37d38762e696a6394ef146a0e2b68bbc8ced515d 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
@@ -1748,7 +1748,7 @@ jobs:
test_suite: test_integration/test_subids.py
template: *ci-ipa-4-10-previous
timeout: 3600
- topology: *master_1repl
+ topology: *master_1repl_1client
fedora-previous-ipa-4-10/test_custom_plugins:
requires: [fedora-previous-ipa-4-10/build]
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index f6d8607f237bf03358baae008dd2a6ad819751c0..8158499e1a2b71bdc1a308dec0939fd0d491599d 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -17,6 +17,7 @@ from ipatests.test_integration.base import IntegrationTest
class TestSubordinateId(IntegrationTest):
num_replicas = 0
+ num_clients = 1
topology = "star"
def _parse_result(self, result):
@@ -268,3 +269,40 @@ class TestSubordinateId(IntegrationTest):
f"--subuid={subuid}"])
owner = self._parse_result(result)["owner"]
assert owner == uid
+
+ def test_nsswitch_doesnot_contain_subid_entry(self):
+ """
+ This testcase checks that when ipa-client-install
+ is installed without subid option, the nsswitch.conf
+ does not contain subid entry or does not use sss as
+ source for subid
+ """
+ cmd = self.clients[0].run_command(
+ ["grep", "^subid", "/etc/nsswitch.conf"],
+ raiseonerr=False
+ )
+ # a source is defined for the subid database.
+ # Ensure it is not "sss"
+ if cmd.returncode == 0:
+ assert 'sss' not in cmd.stdout_text
+ else:
+ # grep command returncode 1 means no matching line
+ # was found = no source is defined for the subid database,
+ # which is valid other return codes would
+ # mean an error occurred
+ assert cmd.returncode == 1
+
+ def test_nsswitch_is_updated_with_subid_entry(self):
+ """
+ This test case checks that when ipa-client-install
+ is installed with --subid option, the nsswitch.conf
+ file is modified with the entry 'subid: sss'
+ """
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_client(self.master, self.clients[0],
+ extra_args=['--subid'])
+ cmd = self.clients[0].run_command(
+ ["grep", "^subid", "/etc/nsswitch.conf"]
+ )
+ subid = cmd.stdout_text.split()
+ assert ['subid:', 'sss'] == subid
--
2.37.2

59
SOURCES/0008-PEP8-Fixes.patch
View File

@ -1,59 +0,0 @@
From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 18 Nov 2021 18:43:22 +0530
Subject: [PATCH] PEP8 Fixes
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
.../test_integration/test_replica_promotion.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1a4e9bc121abf41a3919aedda3d334de9404d1a0..c328b1a08ffc8ac5efb0986d2b18c5074f573432 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert res.returncode == 1
assert expected_err in res.stderr_text
-
@replicas_cleanup
def test_one_command_installation(self):
"""
@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
self.replicas[0].run_command(['ipa-replica-install', '-w',
- self.master.config.admin_password,
- '-n', self.master.domain.name,
- '-r', self.master.domain.realm,
- '--server', self.master.hostname,
- '-U'])
+ self.master.config.admin_password,
+ '-n', self.master.domain.name,
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
# Ensure that pkinit is properly configured, test for 7566
result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
assert "PKINIT is enabled" in result.stdout_text
@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
result1 = client.run_command(['ipa-replica-install', '-U', '-w',
self.master.config.dirman_password],
raiseonerr=False)
- assert(result1.returncode == 0), (
+ assert (result1.returncode == 0), (
'Failed to promote the client installed with the upcase domain name')
def test_client_rollback(self):
@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
assert("An error occurred while removing SSSD" not in
result.stdout_text)
+
class TestRenewalMaster(IntegrationTest):
topology = 'star'
--
2.34.1

56
SOURCES/0008-webui-Allow-grace-login-limit.patch Normal file
View File

@ -0,0 +1,56 @@
From 7a1e1d9f1cb13679c28f12d05b156a08bcc4d856 Mon Sep 17 00:00:00 2001
From: Carla Martinez <carlmart@redhat.com>
Date: Fri, 29 Jul 2022 13:16:16 +0200
Subject: [PATCH] webui: Allow grace login limit
There was no support for setting the grace login limit on the WebUI. The
only way to so was only via CLI:
`ipa pwpolicy-mod --gracelimit=2 global_policy`
Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)
Fixes: https://pagure.io/freeipa/issue/9211
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/ui/src/freeipa/policy.js | 3 +++
install/ui/src/freeipa/user.js | 5 +++++
2 files changed, 8 insertions(+)
diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js
index fa2028a52b1118b6125f91153280da0a2ffe0584..7ec103636ced0cce34997d81a02b25ba73bda33f 100644
--- a/install/ui/src/freeipa/policy.js
+++ b/install/ui/src/freeipa/policy.js
@@ -72,6 +72,9 @@ return {
{
name: 'cospriority',
required: true
+ },
+ {
+ name: 'passwordgracelimit'
}
]
}]
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index a580db03599457eefd85f8c23d74c284946393c7..b47c97f72008f2f4e75b4cb88e9ff6756827b26e 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -318,6 +318,11 @@ return {
label: '@mo-param:pwpolicy:krbpwdlockoutduration:label',
read_only: true,
measurement_unit: 'seconds'
+ },
+ {
+ name: 'passwordgracelimit',
+ label: '@mo-param:pwpolicy:passwordgracelimit:label',
+ read_only: true
}
]
},
--
2.37.2

226
SOURCES/0009-Additional-tests-for-RSN-v3.patch Normal file
View File

@ -0,0 +1,226 @@
From bfe074ed478c20a9537dc2a714bba50dbc2cd34f Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Fri, 5 Aug 2022 11:22:59 +0530
Subject: [PATCH] Additional tests for RSN v3
New Tests include
TestRSNPKIConfig
TestRSNVault
The new tests are just extending existing classes to be run
with random serial numbers enabled
The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`
Added nightly definitions
Related Ticket: https://pagure.io/freeipa/issue/2016
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-10_latest.yaml | 24 +++++++++
.../nightly_ipa-4-10_latest_selinux.yaml | 26 ++++++++++
.../nightly_ipa-4-10_previous.yaml | 24 +++++++++
.../test_random_serial_numbers.py | 51 ++++++++++++++++++-
ipatests/test_integration/test_vault.py | 4 +-
5 files changed, 127 insertions(+), 2 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
index 027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7..547320d258f51132266b56e9193533d2291c623c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
@@ -1821,3 +1821,27 @@ jobs:
template: *ci-ipa-4-10-latest
timeout: 5400
topology: *master_1repl
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_1repl
\ No newline at end of file
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
index bcc17bef935666735bfb2c2e51209362a374b511..f6e5f1cff22de9db4df4577d1cd615499cf0fab3 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
@@ -1966,3 +1966,29 @@ jobs:
template: *ci-ipa-4-10-latest
timeout: 5400
topology: *master_1repl
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-latest-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-latest
+ timeout: 10800
+ topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
index 37d38762e696a6394ef146a0e2b68bbc8ced515d..463f4b92fecc7fbc0be969de422352fb7baeb797 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
@@ -1821,3 +1821,27 @@ jobs:
template: *ci-ipa-4-10-previous
timeout: 5400
topology: *master_1repl
+
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
+ requires: [fedora-previous-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
+ template: *ci-ipa-4-10-previous
+ timeout: 10800
+ topology: *master_3repl_1client
+
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNVault:
+ requires: [fedora-previous-ipa-4-10/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
+ template: *ci-ipa-4-10-previous
+ timeout: 10800
+ topology: *master_1repl
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index c52cfa4ed50e2718791b0844d743fb240d26b365..ab58b1c622b010994ed93a17dd80cfd02095508d 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -4,12 +4,15 @@
import pytest
+from ipaplatform.paths import paths
+
+from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.test_installation import (
TestInstallWithCA_DNS1,
TestInstallWithCA_KRA1,
)
from ipatests.test_integration.test_caless import TestServerCALessToExternalCA
-
+from ipatests.test_integration.test_vault import TestInstallKRA
from ipatests.test_integration.test_commands import TestIPACommand
@@ -26,6 +29,18 @@ def pki_supports_RSNv3(host):
return False
+def check_pki_config_params(host):
+ # Check CS.cfg
+ try:
+ cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH)
+ kra_cfg = host.get_file_contents(paths.KRA_CS_CFG_PATH)
+ assert "dbs.cert.id.generator=random".encode() in cs_cfg
+ assert "dbs.request.id.generator=random".encode() in cs_cfg
+ assert "dbs.key.id.generator=random".encode() in kra_cfg
+ except IOError:
+ pytest.skip("PKI config not present.Skipping test")
+
+
class TestInstallWithCA_DNS1_RSN(TestInstallWithCA_DNS1):
random_serial = True
@@ -70,3 +85,37 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RSNv3 not supported")
super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
+
+
+class TestRSNPKIConfig(TestInstallWithCA_KRA1):
+ random_serial = True
+ num_replicas = 3
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestRSNPKIConfig, cls).install(mh)
+
+ def test_check_pki_config(self):
+ check_pki_config_params(self.master)
+ check_pki_config_params(self.replicas[0])
+ check_pki_config_params(self.replicas[1])
+
+ def test_check_rsn_version(self):
+ tasks.kinit_admin(self.master)
+ res = self.master.run_command(['ipa', 'ca-find'])
+ assert 'RSN Version: 3' in res.stdout_text
+ tasks.kinit_admin(self.replicas[0])
+ res = self.replicas[0].run_command(['ipa', 'ca-find'])
+ assert 'RSN Version: 3' in res.stdout_text
+
+
+class TestRSNVault(TestInstallKRA):
+ random_serial = True
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RSNv3 not supported")
+ super(TestRSNVault, cls).install(mh)
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
index 548822d049070d6f9d42da772264eb24010fafda..6288e557f96cae60d031b44c49fbe830712eb7be 100644
--- a/ipatests/test_integration/test_vault.py
+++ b/ipatests/test_integration/test_vault.py
@@ -33,7 +33,9 @@ class TestInstallKRA(IntegrationTest):
@classmethod
def install(cls, mh):
- tasks.install_master(cls.master, setup_kra=True)
+ tasks.install_master(cls.master,
+ setup_kra=True,
+ random_serial=cls.random_serial)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
--
2.37.2

209
SOURCES/0009-ipatests-webui-Tests-for-subordinate-ids.patch
View File

@ -1,209 +0,0 @@
From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 6 Dec 2021 20:50:01 +0530
Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
Added web-ui tests to verify where operations
using subordinate ids are working as expected.
Related : https://pagure.io/freeipa/issue/8361
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
ipatests/test_webui/ui_driver.py | 28 ++++++
2 files changed, 169 insertions(+)
create mode 100644 ipatests/test_webui/test_subid.py
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
new file mode 100644
index 0000000000000000000000000000000000000000..26decdba03955f28ab21a41ccffae2a9af7b09fe
--- /dev/null
+++ b/ipatests/test_webui/test_subid.py
@@ -0,0 +1,141 @@
+
+"""
+Tests for subordinateid.
+"""
+
+from ipatests.test_webui.ui_driver import UI_driver
+import ipatests.test_webui.data_config as config_data
+import ipatests.test_webui.data_user as user_data
+from ipatests.test_webui.ui_driver import screenshot
+import re
+
+
+class test_subid(UI_driver):
+
+ def add_user(self, pkey, name, surname):
+ self.add_record('user', {
+ 'pkey': pkey,
+ 'add': [
+ ('textbox', 'uid', pkey),
+ ('textbox', 'givenname', name),
+ ('textbox', 'sn', surname),
+ ]
+ })
+
+ def set_default_subid(self):
+ self.navigate_to_entity(config_data.ENTITY)
+ self.check_option('ipauserdefaultsubordinateid', 'checked')
+ self.facet_button_click('save')
+
+ def get_user_count(self, user_pkey):
+ self.navigate_to_entity('subid', facet='search')
+ self.apply_search_filter(user_pkey)
+ self.wait_for_request()
+ return self.get_rows()
+
+ @screenshot
+ def test_set_defaultsubid(self):
+ """
+ Test to verify that enable/disable is working for
+ adding subids to new users.
+ """
+ self.init_app()
+ self.add_record(user_data.ENTITY, user_data.DATA2)
+ self.navigate_to_entity(config_data.ENTITY)
+ # test subid can be enabled/disabled.
+ self.set_default_subid()
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
+ self.set_default_subid()
+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
+
+ @screenshot
+ def test_user_defaultsubid(self):
+ """
+ Test to verify that subid is generated for new user.
+ """
+ self.init_app()
+ user_pkey = "some-user"
+
+ self.set_default_subid()
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
+
+ before_count = self.get_user_count(user_pkey)
+ assert len(before_count) == 0
+
+ self.add_user(user_pkey, 'Some', 'User')
+ after_count = self.get_user_count(user_pkey)
+ assert len(after_count) == 1
+
+ @screenshot
+ def test_user_subid_mod_desc(self):
+ """
+ Test to verify that auto-assigned subid description is modified.
+ """
+ self.init_app()
+ self.navigate_to_record("some-user")
+ self.switch_to_facet('memberof_subid')
+ rows = self.get_rows()
+ self.navigate_to_row_record(rows[-1])
+ self.fill_textbox("description", "some-user-subid-desc")
+ self.facet_button_click('save')
+
+ @screenshot
+ def test_admin_subid(self):
+ """
+ Test to verify that subid range is created with owner admin.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', 'admin')
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ self.assert_no_error_dialog()
+
+ @screenshot
+ def test_admin_subid_negative(self):
+ """
+ Test to verify that readding the subid fails with error.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', 'admin')
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
+ text = self.get_text('.modal-body div p', err_dialog)
+ text = text.strip()
+ pattern = r'Subordinate id with with name .* already exists.'
+ assert re.search(pattern, text) is not None
+ self.close_all_dialogs()
+
+ @screenshot
+ def test_user_subid_add(self):
+ """
+ Test to verify that subid range is created for given user.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ before_count = self.get_rows()
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', user_data.PKEY2)
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ self.assert_no_error_dialog()
+ after_count = self.get_rows()
+ assert len(before_count) < len(after_count)
+
+ @screenshot
+ def test_subid_del(self):
+ """
+ Test to remove subordinate id for given user.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ user_uid = self.get_record_pkey("some-user", "ipaowner",
+ table_name="ipauniqueid")
+ before_count = self.get_rows()
+ self.delete_record(user_uid, table_name="ipauniqueid")
+ after_count = self.get_rows()
+ assert len(before_count) > len(after_count)
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
index 46fd512ae67bee65be55ae0d4dedec53cc29de97..77fd74e49593183a37fe735bedf2e0d6b9257ac7 100644
--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -1151,6 +1151,34 @@ class UI_driver:
return row
return None
+ def get_row_by_column_value(self, key, column_name, parent=None,
+ table_name=None):
+ """
+ Get the first matched row element of a search table with given key
+ matched against selected column. None if not found
+ """
+ rows = self.get_rows(parent, table_name)
+ s = "td div[name='%s']" % column_name
+ for row in rows:
+ has = self.find(s, By.CSS_SELECTOR, row)
+ if has.text == key:
+ return row
+ return None
+
+ def get_record_pkey(self, key, column, parent=None, table_name=None):
+ """
+ Get record pkey if value of column is known
+ """
+ row = self.get_row_by_column_value(key,
+ column_name=column,
+ parent=parent,
+ table_name=table_name)
+ val = None
+ if row:
+ el = self.find("td input", By.CSS_SELECTOR, row)
+ val = el.get_attribute("value")
+ return val
+
def navigate_to_row_record(self, row, pkey_column=None):
"""
Navigate to record by clicking on a link.
--
2.34.1

39
SOURCES/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch
View File

@ -1,39 +0,0 @@
From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 15 Dec 2021 10:47:02 +0100
Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
When ipa config-mod is called with the option --enable-sid,
the code needs to trap EmptyModlist exception (it is expected
that no LDAP attribute is modified by this operation).
The code had a flaw and was checking:
'enable_sid' in options
instead of
options['enable_sid']
"'enable_sid' in options" always returns true as this option
is a Flag with a default value, hence always present even if
not specified on the command line.
Fixes: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/config.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index eae401fc3f7a1b7628eb211db206ba4bc2b36754..24446beb0b03a1510a96316eae915780817db102 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
if (isinstance(exc, errors.EmptyModlist) and
call_func.__name__ == 'update_entry' and
('ca_renewal_master_server' in options or
- 'enable_sid' in options)):
+ options['enable_sid'])):
return
super(config_mod, self).exc_callback(
--
2.34.1

35
SOURCES/0010-check_repl_update-in-progress-is-a-boolean.patch Normal file
View File

@ -0,0 +1,35 @@
From 2003eb6b3d4a27a5de5eaa79418f115dd99886cd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 7 Aug 2022 12:44:47 +0200
Subject: [PATCH] check_repl_update: in progress is a boolean
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.
Replace with direct boolean comparison.
Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/replication.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 16be3760cb14bfeb1cc9a761400752071639dc7c..9d9aa1c4bfc99109c0cf1e6d1619ec1b38e20c02 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1152,7 +1152,7 @@ class ReplicationManager:
except (ValueError, TypeError, KeyError):
end = 0
# incremental update is done if inprogress is false and end >= start
- done = inprogress and inprogress.lower() == 'false' and start <= end
+ done = inprogress is not None and not inprogress and start <= end
logger.info("Replication Update in progress: %s: status: %s: "
"start: %d: end: %d",
inprogress, status, start, end)
--
2.37.2

36
SOURCES/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch
View File

@ -1,36 +0,0 @@
From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 15 Dec 2021 10:51:05 +0100
Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
Add a test to test_config_plugin, that calls ipa config-mod
with the same value as already present in LDAP.
The call must return EmptyModlist.
Related: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
index e981bb4a03d39de450fc459d4b1ce4b636c19029..a8ec9f0e558d7efa091b50deca9fa7ca59fd7b11 100644
--- a/ipatests/test_xmlrpc/test_config_plugin.py
+++ b/ipatests/test_xmlrpc/test_config_plugin.py
@@ -312,4 +312,13 @@ class test_config(Declarative):
'value': None,
},
),
+ dict(
+ desc='Set the value to the already set value, no modifications',
+ command=(
+ 'config_mod', [], {
+ 'ipasearchrecordslimit': u'100',
+ },
+ ),
+ expected=errors.EmptyModlist(),
+ ),
]
--
2.34.1

82
SOURCES/0011-ipatests-Fix-expected-object-classes.patch Normal file
View File

@ -0,0 +1,82 @@
From b6520bef2ef05dd87636d8b57e3247d451af81d8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 14 Dec 2021 16:33:29 +0100
Subject: [PATCH] ipatests: Fix expected object classes
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.
Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
---
ipatests/test_xmlrpc/test_user_plugin.py | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 74d78b0c6d75590640da1357da1f9f4570307878..c156a8793c5765df96029753f4a278e961d4e895 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -125,7 +125,9 @@ def user_npg(request, group):
del tracker.attrs['mepmanagedentry']
tracker.attrs.update(
description=[], memberof_group=[group.cn],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
return tracker.make_fixture(request)
@@ -139,7 +141,9 @@ def user_npg2(request, group):
del tracker.attrs['mepmanagedentry']
tracker.attrs.update(
gidnumber=[u'1000'], description=[], memberof_group=[group.cn],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
return tracker.make_fixture(request)
@@ -151,8 +155,9 @@ def user_radius(request, xmlrpc_setup):
sn=u'radiususer1',
ipatokenradiususername=u'radiususer')
tracker.track_create()
- tracker.attrs.update(
- objectclass=objectclasses.user + [u'ipatokenradiusproxyuser']
+ tracker.attrs.update(objectclass=fuzzy_set_optional_oc(
+ objectclasses.user + [u'ipatokenradiusproxyuser'],
+ 'ipantuserattrs'),
)
return tracker.make_fixture(request)
@@ -647,7 +652,8 @@ class TestCreate(XMLRPC_test):
testuser.attrs.update(gidnumber=[u'1000'])
testuser.attrs.update(
description=[],
- objectclass=objectclasses.user_base + [u'ipantuserattrs']
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'),
)
command = testuser.make_create_command()
result = command()
@@ -865,7 +871,9 @@ class TestUserWithUPGDisabled(XMLRPC_test):
testuser.attrs.update(gidnumber=[u'1000'])
testuser.attrs.update(
description=[],
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
+ objectclass=fuzzy_set_optional_oc(
+ objectclasses.user_base, 'ipantuserattrs'
+ ),
)
command = testuser.make_create_command()
result = command()
--
2.37.2

50
SOURCES/0012-doc-Update-LDAP-grace-period-design-with-default-val.patch Normal file
View File

@ -0,0 +1,50 @@
From 1aa39529cda4ab9620539dbad705cedd23c21b42 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 Aug 2022 08:21:58 -0400
Subject: [PATCH] doc: Update LDAP grace period design with default values
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md
index 4b9db34247c1446aec3f5bcce7dfa1bd8a2bd359..e26aedda976b19f3ba26593ba3b3c06c30506a21 100644
--- a/doc/designs/ldap_grace_period.md
+++ b/doc/designs/ldap_grace_period.md
@@ -51,7 +51,22 @@ The basic flow is:
On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.
-The default value on install/upgrade will be -1 to retail existing behavior.
+Range values for passwordgracelimit are:
+
+-1 : password grace checking is disabled
+ 0 : no grace BIND are allowed at all post-expiration
+ 1..MAXINT: the number of BIND allowed post-expiration
+
+The default value for the global policy on install/upgrade will be -1 to
+retain existing behavior.
+
+New group password policies will default to -1 to retain previous
+behavior.
+
+Existing group policies with no grace limit set are updated to use
+the default unlimited value, -1. This is done because lack of value in
+LDAP is treated as 0 so any existing group policies would not allow
+post-expiration BIND so this will avoid confusion.
The per-user attempts will not be replicated.
--
2.37.2

36
SOURCES/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch
View File

@ -1,36 +0,0 @@
From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Fri, 7 Jan 2022 12:12:26 +0100
Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
configuration file
FullLoader class for YAML loader was introduced in version 5.1 which
also deprecated default loader. SafeLoader, however, stays consistent
across the versions and brings added security.
This fix is necessary as PyYAML > 5.1 is not available in downstream.
Related: https://pagure.io/freeipa/issue/9009
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_webui/ui_driver.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
index 77fd74e49593183a37fe735bedf2e0d6b9257ac7..519efee9bba3de2114d22865a08df87f9b5f348a 100644
--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -192,7 +192,7 @@ class UI_driver:
if not NO_YAML and os.path.isfile(path):
try:
with open(path, 'r') as conf:
- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
+ cls.config = yaml.safe_load(stream=conf)
except yaml.YAMLError as e:
pytest.skip("Invalid Web UI config.\n%s" % e)
except IOError as e:
--
2.34.1

107
SOURCES/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
View File

@ -1,107 +0,0 @@
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Fri, 14 Jan 2022 19:55:13 +0530
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
Scenario 1:
Setup master with --ca-signing-algorithm=SHA384withRSA
Run certutil and check Signing Algorithm
Scenario 2:
Setup a master
Stop services
Modify default.params.signingAlg in CS.cfg
Restart services
Resubmit cert (Resubmitted cert should have new Algorithm)
Pagure Link: https://pagure.io/freeipa/issue/8906
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
---
.../test_integration/test_installation.py | 63 +++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
from ipaplatform import services
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
tasks.install_replica(
self.master, self.replicas[0], setup_ca=False, setup_dns=False
)
+
+
+class TestInstallwithSHA384withRSA(IntegrationTest):
+ num_replicas = 0
+
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
+ tasks.install_master(
+ self.master,
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
+ )
+
+ # check Signing Algorithm post installation
+ dashed_domain = self.master.domain.realm.replace(".", '-')
+ cmd_args = ['certutil', '-L', '-d',
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
+ '-n', 'Server-Cert']
+ result = self.master.run_command(cmd_args)
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
+
+ def test_install_master_modify_existing(self, server_cleanup):
+ """
+ Setup a master
+ Stop services
+ Modify default.params.signingAlg in CS.cfg
+ Restart services
+ Resubmit cert (Resubmitted cert should have new Algorithm)
+ """
+ tasks.install_master(self.master)
+ self.master.run_command(['ipactl', 'stop'])
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
+ encoding='utf-8')
+ new_lines = []
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
+ for line in cs_cfg_content.split('\n'):
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
+ new_lines.append(replace_str)
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
+ new_lines.append(ocsp_rep_str)
+ else:
+ new_lines.append(line)
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
+ '\n'.join(new_lines))
+ self.master.run_command(['ipactl', 'start'])
+
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
+ result = self.master.run_command(cmd)
+ request_id = get_certmonger_fs_id(result.stdout_text)
+
+ # resubmit RA Agent cert
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
+ self.master.run_command(cmd)
+
+ tasks.wait_for_certmonger_status(self.master,
+ ('CA_WORKING', 'MONITORING'),
+ request_id)
+
+ cmd_args = ['openssl', 'x509', '-in',
+ paths.RA_AGENT_PEM, '-noout', '-text']
+ result = self.master.run_command(cmd_args)
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
+ assert assert_str in result.stdout_text
--
2.34.1

74
SOURCES/0013-Set-default-gracelimit-on-group-password-policies-to.patch Normal file
View File

@ -0,0 +1,74 @@
From 45e6d49b94da78cd82eb016b3266a17a1359a087 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Aug 2022 12:04:22 -0400
Subject: [PATCH] Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
API.txt | 2 +-
ipaserver/plugins/pwpolicy.py | 2 ++
ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/API.txt b/API.txt
index 66929b921b197e27ede847fb6b10bf1e44c3464a..210bfc4950e6a7346dbdd6e29d1096b2f8750b1e 100644
--- a/API.txt
+++ b/API.txt
@@ -4076,7 +4076,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
option: Int('krbpwdminlength?', cli_name='minlength')
-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
+option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr')
option: Str('version?')
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 4428aede2dcc7a2a0b6128bf7f58eb47e4a8e07d..f4ebffd5c8f06a53b6c4d5e48ff6eeafa240e3a4 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject):
minvalue=-1,
maxvalue=Int.MAX_UINT32,
default=-1,
+ autofill=True,
),
)
@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate):
keys[-1], krbpwdpolicyreference=dn,
cospriority=options.get('cospriority')
)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
index 8eee69c185b15be72870050ed247f252c72d1c66..fc785223bfe56269ad8b211e8f1c3ac9f4064c3c 100644
--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
+++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
krbpwdhistorylength=[u'10'],
krbpwdmindiffchars=[u'3'],
krbpwdminlength=[u'8'],
+ passwordgracelimit=[u'-1'],
objectclass=objectclasses.pwpolicy,
),
summary=None,
@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
krbpwdhistorylength=[u'10'],
krbpwdmindiffchars=[u'3'],
krbpwdminlength=[u'8'],
+ passwordgracelimit=[u'-1'],
),
summary=None,
value=u'ipausers',
--
2.37.2

106
SOURCES/0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch Normal file
View File

@ -0,0 +1,106 @@
From de6f074538f6641fd9d84bed204a3d4d50eccbe5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Aug 2022 12:04:41 -0400
Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../updates/90-post_upgrade_plugins.update | 1 +
ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
2 files changed, 67 insertions(+)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index c7ec71d492b0ac0e7641d586b7e7fa7501743bc2..6fe91aa6c6310a69a7f0feb1ad62243945db67f9 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
plugin: update_mapping_Guests_to_nobody
plugin: fix_kra_people_entry
plugin: update_pwpolicy
+plugin: update_pwpolicy_grace
# last
# DNS version 1
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
index dca44ce4369dfc11f83a412a1249bb045d46713f..4185f034313bd49ca68e86c620043af6ead5f6d6 100644
--- a/ipaserver/install/plugins/update_pwpolicy.py
+++ b/ipaserver/install/plugins/update_pwpolicy.py
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
return False, []
return False, []
+
+
+@register()
+class update_pwpolicy_grace(Updater):
+ """
+ Ensure all group policies have a grace period set.
+ """
+
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+
+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
+ self.api.env.basedn)
+ search_filter = (
+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
+ )
+
+ while True:
+ # Run the search in loop to avoid issues when LDAP limits are hit
+ # during update
+
+ try:
+ (entries, truncated) = ldap.find_entries(
+ search_filter, ['objectclass'], base_dn, time_limit=0,
+ size_limit=0)
+
+ except errors.EmptyResult:
+ logger.debug("update_pwpolicy: no policies without "
+ "passwordgracelimit set")
+ return False, []
+
+ except errors.ExecutionError as e:
+ logger.error("update_pwpolicy: cannot retrieve list "
+ "of policies missing passwordgracelimit: %s", e)
+ return False, []
+
+ logger.debug("update_pwpolicy: found %d "
+ "policies to update, truncated: %s",
+ len(entries), truncated)
+
+ error = False
+
+ for entry in entries:
+ # Set unlimited BIND by default
+ entry['passwordgracelimit'] = -1
+ try:
+ ldap.update_entry(entry)
+ except (errors.EmptyModlist, errors.NotFound):
+ pass
+ except errors.ExecutionError as e:
+ logger.debug("update_pwpolicy: cannot "
+ "update policy: %s", e)
+ error = True
+
+ if error:
+ # Exit loop to avoid infinite cycles
+ logger.error("update_pwpolicy: error(s) "
+ "detected during pwpolicy update")
+ return False, []
+
+ elif not truncated:
+ # All affected entries updated, exit the loop
+ logger.debug("update_pwpolicy: all policies updated")
+ return False, []
+
+ return False, []
--
2.37.2

44
SOURCES/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
View File

@ -1,44 +0,0 @@
From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 28 Jan 2022 16:58:42 +0100
Subject: [PATCH] ipa-pki-proxy.conf: provide access to
/kra/admin/kra/getStatus
The access to /kra/admin/kra/getStatus will be needed
in order to fix pki-healthcheck.
Note that this commit is a pre-requisite for the fix
to be done on PKI side. No test added since the full
integration test already exists in test_replica_promotion.py,
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
Fixes: https://pagure.io/freeipa/issue/9099
Related: https://pagure.io/freeipa/issue/8582
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/ipa-pki-proxy.conf.template | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
index 96708482cdac128930efaca33a806daaeba68042..7a46f20b9058bab63238f56295a92533c232d47a 100644
--- a/install/share/ipa-pki-proxy.conf.template
+++ b/install/share/ipa-pki-proxy.conf.template
@@ -1,4 +1,4 @@
-# VERSION 16 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE
ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
</LocationMatch>
# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
--
2.34.1

59
SOURCES/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
View File

@ -1,59 +0,0 @@
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 16:43:09 +0100
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped in case user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 15f3df4fee8bdfadf60a4b1d9a5115407d1bb294..0d0d3748ce63a8252e84220d036140818ffdfb6e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
&res_key_data, &result, &mkvno);
switch (ret) {
case 0:
- /* Only set a principal's key if password auth can be used. Otherwise
- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
- * reply for AS-REQs which indicate the password authentication is
- * available. This might confuse applications like e.g. SSSD which try
- * to determine suitable authentication methods and corresponding
- * prompts with the help of MIT Kerberos' responder interface which
- * acts on the returned pre-authentication methods. A typical example
- * is enforced OTP authentication where of course keys are available
- * for the first factor but password authentication should not be
- * advertised by the KDC. */
- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
+ /* Only set a principal's key if password or hardened auth can be used.
+ * Otherwise the KDC would add pre-authentication methods to the
+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
+ * authentication is available. This might confuse applications like
+ * e.g. SSSD which try to determine suitable authentication methods and
+ * corresponding prompts with the help of MIT Kerberos' responder
+ * interface which acts on the returned pre-authentication methods. A
+ * typical example is enforced OTP authentication where of course keys
+ * are available for the first factor but password authentication
+ * should not be advertised by the KDC. */
+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
+ (ua != IPADB_USER_AUTH_NONE)) {
/* This is the same behavior as ENOENT below. */
ipa_krb5_free_key_data(res_key_data, result);
break;
--
2.34.1

63
SOURCES/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
View File

@ -1,63 +0,0 @@
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 19:38:29 +0100
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 63e75ae67f493352b1d3a611e7b079d914a7b253..9489fbc97b7836aecf491b57627f254d4849eb56 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
- def test_krbtpolicy_hardended(self):
- """Test a hardened kerberos ticket policy with 10 min tickets"""
+ def test_krbtpolicy_password_and_hardended(self):
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
master = self.master
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'password',
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+ def test_krbtpolicy_hardended(self):
+ """Test a hardened kerberos ticket policy with 30min tickets"""
+ master = self.master
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'config-mod',
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+ '--hardened-maxlife', '1800'])
+
+ tasks.kdestroy_all(master)
+
+ master.run_command(['kinit', USER1],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, 1800,
+ slush=1800) is True
+
+ tasks.kdestroy_all(master)
+
+ # Verify that the short policy only applies to USER1
+ master.run_command(['kinit', USER2],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
def test_krbtpolicy_password(self):
"""Test the kerberos ticket policy which issues 20 min tickets"""
master = self.master
--
2.34.1

104
SOURCES/0017-Don-t-always-override-the-port-in-import_included_pr.patch
View File

@ -1,104 +0,0 @@
From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 28 Jan 2022 16:46:35 -0500
Subject: [PATCH] Don't always override the port in import_included_profiles
I can only guess to the original purpose of this override. I
believe it was because this is called in the installer prior
to Apache being set up. The expectation was that this would
only be called locally. It predates the RestClient class.
RestClient will attempt to find an available service. In this
case, during a CA installation, the local server is not
considered available because it lacks an entry in
cn=masters. So it will never be returned as an option.
So by overriding the port to 8443 the remote connection will
likely fail because we don't require that the port be open.
So instead, instantiate a RestClient and see what happens.
There are several use-cases:
1. Installing an initial server. The RestClient connection
should fail, so we will fall back to the override port and
use the local server. If Apache happens to be running with
a globally-issued certificate then the RestClient will
succeed. In this case if the connected host and the local
hostname are the same, override in that case as well.
2. Installing as a replica. In this case the local server should
be ignored in all cases and a remote CA will be picked with
no override done.
3. Switching from CA-less to CA-ful. The web server will be
trusted but the RestClient login will fail with a 404. Fall
back to the override port in this case.
The motivation for this is trying to install an EL 8.x replica
against an EL 7.9 server. 8.5+ includes the ACME service and
a new profile is needed which doesn't exist in 7. This was
failing because the RestClient determined that the local server
wasn't running a CA so tried the remote one (7.9) on the override
port 8443. Since this port isn't open: failure.
Chances are that adding the profile is still going to fail
because again, 7.9 lacks ACME capabilities, but it will fail in
a way that allows the installation to continue.
I suspect that all of the overrides can similarly handled, or
handled directly within the RestClient class, but for the sake
of "do no harm" I'm only changing this instance for now.
https://pagure.io/freeipa/issue/9100
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8c8bf1b3a7bcf8a9c50183579b874a5710a32ac3..ad206aad411b42336e86e0b651a948fccd3a75ac 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1953,7 +1953,35 @@ def import_included_profiles():
cn=['certprofiles'],
)
- api.Backend.ra_certprofile.override_port = 8443
+ # At this point Apache may or may not be running with a valid
+ # certificate. The local server is not yet recognized as a full
+ # CA yet so it isn't discoverable. So try to do some detection
+ # on what port to use, 443 (remote) or 8443 (local) for importing
+ # the profiles.
+ #
+ # api.Backend.ra_certprofile invokes the RestClient class
+ # which will discover and login to the CA REST API. We can
+ # use this information to detect where to import the profiles.
+ #
+ # If the login is successful (e.g. doesn't raise an exception)
+ # and it returns our hostname (it prefers the local host) then
+ # we override and talk locally.
+ #
+ # Otherwise a NetworkError means we can't connect on 443 (perhaps
+ # a firewall) or we get an HTTP error (valid TLS certificate on
+ # Apache but no CA, login fails with 404) so we override to the
+ # local server.
+ #
+ # When override port was always set to 8443 the RestClient could
+ # pick a remote server and since 8443 isn't in our firewall profile
+ # setting up a new server would fail.
+ try:
+ with api.Backend.ra_certprofile as profile_api:
+ if profile_api.ca_host == api.env.host:
+ api.Backend.ra_certprofile.override_port = 8443
+ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
+ logger.debug('Overriding CA port: %s', e)
+ api.Backend.ra_certprofile.override_port = 8443
for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
dn = DN(('cn', profile_id),
--
2.34.1

115
SOURCES/0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
View File

@ -1,115 +0,0 @@
From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 31 Jan 2022 17:31:50 -0500
Subject: [PATCH] Remove ipa-join errors from behind the debug option
This brings it inline with the previous XML-RPC output which
only hid the request and response from the output and not
any errors returned.
https://pagure.io/freeipa/issue/9103
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
---
client/ipa-join.c | 27 +++++++++------------------
1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/client/ipa-join.c b/client/ipa-join.c
index d98739a9abfb01ecf619187483bfc6677957d498..5888a33bf221eb5d455b2adcfa0f33b38f0969ca 100644
--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
json_str = json_dumps(json, 0);
if (!json_str) {
- if (debug)
- fprintf(stderr, _("json_dumps() failed\n"));
+ fprintf(stderr, _("json_dumps() failed\n"));
rval = 17;
goto cleanup;
@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
CURLcode res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
- if (debug)
- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
rval = 17;
goto cleanup;
@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
if (resp_code != 200) {
- if (debug)
- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
if (!quiet && resp_code == 401)
fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
j_root = json_loads(payload, 0, &j_error);
if (!j_root) {
- if (debug)
- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
*j_result_obj = json_object_get(j_root, "result");
if (!*j_result_obj) {
- if (debug)
- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
rval = 17;
goto cleanup;
@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
&tmp_hostdn,
"krbprincipalname", &tmp_princ,
"krblastpwdchange", &tmp_pwdch) != 0) {
- if (debug)
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
"nshardwareplatform", uinfo.machine);
if (!json_req) {
- if (debug)
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
"result", result) != 0) {
- if (debug)
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
rval = 20;
goto cleanup;
@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
host);
if (!json_req) {
- if (debug)
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
--
2.34.1

47
SOURCES/0019-Enable-the-ccache-sweep-timer-during-installation.patch
View File

@ -1,47 +0,0 @@
From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 7 Feb 2022 10:39:55 -0500
Subject: [PATCH] Enable the ccache sweep timer during installation
The timer was only being enabled during package installation
if IPA was configured. So effectively only on upgrade.
Add as a separate installation step after the ccache directory
is configured.
Fixes: https://pagure.io/freeipa/issue/9107
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/httpinstance.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 732bb58d49addcb2a9f7698d577527257a17fe66..50ccf5e5031c37171cebe6f20232f3bd645cedeb 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccaches",
self.remove_httpd_ccaches)
+ self.step("enable ccache sweep",
+ self.enable_ccache_sweep)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
if not self.is_kdcproxy_configured():
self.step("create KDC proxy config", self.create_kdcproxy_conf)
@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
[paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
)
+ def enable_ccache_sweep(self):
+ ipautil.run(
+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
+ )
+
def __configure_http(self):
self.update_httpd_service_ipa_conf()
self.update_httpd_wsgi_conf()
--
2.34.1

71
SOURCES/0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
View File

@ -1,71 +0,0 @@
From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Wed, 9 Feb 2022 18:56:21 +0530
Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
installation
This test checks that ipa-ccache-sweep.timer is enabled by default
during the ipa installation.
related: https://pagure.io/freeipa/issue/9107
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../test_integration/test_installation.py | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index f2d372c0c0356f244971a2af808db45dd6c8cb5b..63edbaa2bb4dbae174c6ab8c8f193cc24cc45b14 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
# Tweak sysrestore.state to drop installation section
self.master.run_command(
- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
# Re-run installation check and it should fall back to old method
@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
# Restore installation section.
self.master.run_command(
- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
# Uninstall and confirm that the old method reports correctly
@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
break
return(pid)
+
def get_ipa_services_pids(host):
ipa_services_name = [
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
+ def test_ipa_ccache_sweep_timer_enabled(self):
+ """Test ipa-ccache-sweep.timer enabled by default during installation
+
+ This test checks that ipa-ccache-sweep.timer is enabled by default
+ during the ipa installation.
+
+ related: https://pagure.io/freeipa/issue/9107
+ """
+ result = self.master.run_command(
+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
+ raiseonerr=False
+ )
+ assert 'enabled' in result.stdout_text
+
def test_install_dns(self):
tasks.install_dns(self.master)
--
2.34.1

38
SOURCES/0021-ipa_cldap-fix-memory-leak.patch
View File

@ -1,38 +0,0 @@
From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Thu, 10 Feb 2022 14:23:12 +0100
Subject: [PATCH] ipa_cldap: fix memory leak
ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
berval (bv_val) when processing a CLDAP packet request from a worker. The
data is used by ipa_cldap_respond() but bv_val is not freed later on.
This commit is adding the corresponding free() after ipa_cldap_respond()
is completed.
Discovered by LeakSanitizer
Fixes: https://pagure.io/freeipa/issue/9110
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
index db4a3d061..252bcf647 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
@@ -287,6 +287,7 @@ done:
ipa_cldap_respond(ctx, req, &reply);
ipa_cldap_free_kvps(&req->kvps);
+ free(reply.bv_val);
free(req);
return;
}
--
2.34.1

31
SOURCES/0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch
View File

@ -1,31 +0,0 @@
From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 10 Feb 2022 18:49:06 +0530
Subject: [PATCH] ipatests: remove additional check for failed units.
On RHEL tests are randomly failing because of this check
and the test doesn't need to check this.
Related : https://pagure.io/freeipa/issue/9108
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_otp.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index d8ce527ca..6e70ddcb3 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
check_services = self.master.run_command(
['systemctl', 'list-units', '--state=failed']
)
- assert "0 loaded units listed" in check_services.stdout_text
assert "ipa-otpd" not in check_services.stdout_text
# Be sure no services are running and failed units
self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
--
2.34.1

40
SOURCES/0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
View File

@ -1,40 +0,0 @@
From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 5 Dec 2021 17:38:58 +0100
Subject: [PATCH] ipatests: fix
TestOTPToken::test_check_otpd_after_idle_timeout
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
kinit with an otp token (which makes ipa-otpd create a LDAP
connection), then sleeps for 60s. The expectation is that
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
and close the connection.
According to 389ds doc, the idle timeout is enforced when the
connection table is walked. By doing a ldapsearch, the test
"wakes up" ns-slapd and forces the detection of ipa-otpd
idle connection.
Fixes: https://pagure.io/freeipa/issue/9044
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_otp.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index 353470897..d8ce527ca 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
otpvalue = totp.generate(int(time.time())).decode("ascii")
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
time.sleep(60)
+ # ldapsearch will wake up slapd and force walking through
+ # the connection list, in order to spot the idle connections
+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
def test_cb(cmd_jornalctl):
# check if LDAP connection is timed out
--
2.34.1

326
SOURCES/0024-ipatests-Tests-for-Autoprivate-group.patch
View File

@ -1,326 +0,0 @@
From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 17 Jan 2022 16:57:52 +0530
Subject: [PATCH] ipatests: Tests for Autoprivate group.
Added tests using posix AD trust and non posix AD trust.
For option --auto-private-groups=[hybrid/true/false]
Related : https://pagure.io/freeipa/issue/8807
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../nightly_ipa-4-9_latest.yaml | 2 +-
.../nightly_ipa-4-9_latest_selinux.yaml | 2 +-
.../nightly_ipa-4-9_previous.yaml | 2 +-
ipatests/test_integration/test_trust.py | 242 +++++++++++++++++-
4 files changed, 240 insertions(+), 8 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 6817421b278999c52c32b3e28dd06587e30d874f..8b1f58c4d99e744e319e6c758050a62a8d35c9ee 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1627,7 +1627,7 @@ jobs:
build_url: '{fedora-latest-ipa-4-9/build_url}'
test_suite: test_integration/test_trust.py
template: *ci-ipa-4-9-latest
- timeout: 9000
+ timeout: 10000
topology: *adroot_adchild_adtree_master_1client
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index 817329756dc145fa5e6bc7aa0477e5df2a6ece5b..a11376ab836e7ed2f942c29753707e5b8e88a00f 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1743,7 +1743,7 @@ jobs:
selinux_enforcing: True
test_suite: test_integration/test_trust.py
template: *ci-ipa-4-9-latest
- timeout: 9000
+ timeout: 10000
topology: *adroot_adchild_adtree_master_1client
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 4196265c772ec393ebb8f8bbdc4af845cd6d2d24..3f8ce8b7641fdfdc27278651cbf83c2b152e1a16 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1627,7 +1627,7 @@ jobs:
build_url: '{fedora-previous-ipa-4-9/build_url}'
test_suite: test_integration/test_trust.py
template: *ci-ipa-4-9-previous
- timeout: 9000
+ timeout: 10000
topology: *adroot_adchild_adtree_master_1client
fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 0634badbb6a9aa148db2e3062e866215e61e89e7..ff2dd9cc819e1c5620ce449384957a633ae6d1f0 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
cls.check_sid_generation()
tasks.sync_time(cls.master, cls.ad)
- cls.child_ad = cls.ad_subdomains[0]
- cls.ad_subdomain = cls.child_ad.domain.name
- cls.tree_ad = cls.ad_treedomains[0]
- cls.ad_treedomain = cls.tree_ad.domain.name
-
+ if cls.num_ad_subdomains > 0:
+ cls.child_ad = cls.ad_subdomains[0]
+ cls.ad_subdomain = cls.child_ad.domain.name
+ if cls.num_ad_treedomains > 0:
+ cls.tree_ad = cls.ad_treedomains[0]
+ cls.ad_treedomain = cls.tree_ad.domain.name
# values used in workaround for
# https://bugzilla.redhat.com/show_bug.cgi?id=1711958
cls.srv_gc_record_name = \
@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
expected_text = 'iparangetype: %s\n' % expected_type
assert expected_text in result.stdout_text
+ def mod_idrange_auto_private_group(
+ self, option='false'
+ ):
+ """
+ Set the auto-private-group option of the default trusted
+ AD domain range.
+ """
+ tasks.kinit_admin(self.master)
+ rangename = self.ad_domain.upper() + '_id_range'
+ error_msg = "ipa: ERROR: no modifications to be performed"
+ cmd = ["ipa", "idrange-mod", rangename,
+ "--auto-private-groups", option]
+ result = self.master.run_command(cmd, raiseonerr=False)
+ if result.returncode != 0:
+ tasks.assert_error(result, error_msg)
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.clients[0])
+ test = self.master.run_command(["ipa", "idrange-show", rangename])
+ assert "Auto private groups: {0}".format(option) in test.stdout_text
+
+ def get_user_id(self, host, username):
+ """
+ User uid gid is parsed from the output of id user command.
+ """
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.clients[0])
+ self.master.run_command(["id", username])
+ test_id = host.run_command(["id", username])
+ regex = r"^uid=(?P<uid>\d+).*gid=(?P<gid>\d+).*groups=(?P<groups>\d+)"
+ match = re.match(regex, test_id.stdout_text)
+ uid = match.group('uid')
+ gid = match.group('gid')
+ return uid, gid
+
+ @contextmanager
+ def set_idoverrideuser(self, user, uid, gid):
+ """
+ Fixture to add/remove idoverrideuser for default idview,
+ also creates idm group with the provided gid because
+ gid overrides requires an existing group.
+ """
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.clients[0])
+ tasks.kinit_admin(self.master)
+ try:
+ args = ["ipa", "idoverrideuser-add", "Default Trust View",
+ "--gid", gid, "--uid", uid, user]
+ self.master.run_command(args)
+ tasks.group_add(self.master, "idgroup",
+ extra_args=["--gid", gid])
+ yield
+ finally:
+ self.master.run_command([
+ "ipa", "idoverrideuser-del", "Default Trust View", user]
+ )
+ self.master.run_command(["ipa", "group-del", "idgroup"])
+
def remove_trust(self, ad):
tasks.remove_trust_with_ad(self.master,
ad.domain.name, ad.hostname)
@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
self.master.run_command(['rm', '-f', ad_zone_file])
tasks.configure_dns_for_trust(self.master, self.ad)
self.remove_trust(self.ad)
+
+
+class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+ """
+ Tests for auto-private-groups option with non posix AD trust
+ Related : https://pagure.io/freeipa/issue/8807
+ """
+ topology = 'line'
+ num_ad_domains = 1
+ num_clients = 1
+ num_ad_subdomains = 0
+ num_ad_treedomains = 0
+ uid_override = "99999999"
+ gid_override = "78878787"
+
+ def test_add_nonposix_trust(self):
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_domain,
+ extra_args=['--range-type', 'ipa-ad-trust'])
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_auto_private_groups_default_trusted_range(self, type):
+ """
+ Modify existing range for default trusted AD domain range
+ with auto-private-groups set as true/hybrid/false and test
+ user with no posix attributes.
+ """
+ self.mod_idrange_auto_private_group(type)
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
+ if type == "true":
+ assert uid == gid
+ else:
+ test_group = self.clients[0].run_command(["id", nonposixuser])
+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
+ grp_str = "groups={0}(domain users@{1})".format(gid,
+ self.ad_domain)
+ assert gid_str in test_group.stdout_text
+ assert grp_str in test_group.stdout_text
+ assert uid != gid
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_idoverride_with_auto_private_group(self, type):
+ """
+ Override ad trusted user in default trust view
+ and set auto-private-groups=[hybrid,true,false]
+ and ensure that overridden values takes effect.
+ """
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
+ with self.set_idoverrideuser(nonposixuser,
+ self.uid_override,
+ self.gid_override
+ ):
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
+ assert (uid == self.uid_override and gid == self.gid_override)
+ test_group = self.clients[0].run_command(
+ ["id", nonposixuser]).stdout_text
+ assert "domain users@{0}".format(self.ad_domain) in test_group
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_nonposixuser_nondefault_primary_group(self, type):
+ """
+ Test for non default primary group.
+ For hybrid/false gid corresponds to the group testgroup1.
+ """
+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
+ if type == "true":
+ assert uid == gid
+ else:
+ test_group = self.clients[0].run_command(["id", nonposixuser1])
+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
+ assert (gid_str in test_group.stdout_text
+ and group in test_group.stdout_text)
+
+
+class TestPosixAutoPrivateGroup(BaseTestTrust):
+ """
+ Tests for auto-private-groups option with posix AD trust
+ Related : https://pagure.io/freeipa/issue/8807
+ """
+ topology = 'line'
+ num_ad_domains = 1
+ num_clients = 1
+ num_ad_subdomains = 0
+ num_ad_treedomains = 0
+ uid_override = "99999999"
+ gid_override = "78878787"
+
+ def test_add_posix_trust(self):
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_domain,
+ extra_args=['--range-type', 'ipa-ad-trust-posix'])
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_gidnumber_not_corresponding_existing_group(self, type):
+ """
+ Test checks that sssd can resolve AD users which
+ contain posix attributes (uidNumber and gidNumber)
+ but there is no group with the corresponding gidNumber.
+ """
+ posixuser = "testuser2@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ if type != "true":
+ result = self.clients[0].run_command(['id', posixuser],
+ raiseonerr=False)
+ tasks.assert_error(result, "no such user")
+ else:
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
+ assert uid == '10060'
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_only_uid_number_auto_private_group_default(self, type):
+ """
+ Test checks that posix user with only uidNumber defined
+ and gidNumber not set, auto-private-group
+ is set to false/true/hybrid
+ """
+ posixuser = "testuser1@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ if type == "true":
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
+ else:
+ for host in [self.master, self.clients[0]]:
+ result = host.run_command(['id', posixuser], raiseonerr=False)
+ tasks.assert_error(result, "no such user")
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_auto_private_group_primary_group(self, type):
+ """
+ Test checks that AD users which contain posix attributes
+ (uidNumber and gidNumber) and there is primary group
+ with gid number defined.
+ """
+ posixuser = "testuser@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ test_grp = self.clients[0].run_command(["id", posixuser])
+ assert uid == '10042'
+ if type == "true":
+ assert uid == gid
+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
+ self.ad_domain, self.ad_domain)
+ assert groups in test_grp.stdout_text
+ else:
+ assert gid == '10047'
+ groups = "10047(testgroup@{0})".format(self.ad_domain)
+ assert groups in test_grp.stdout_text
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_idoverride_with_auto_private_group(self, type):
+ """
+ Override ad trusted user in default trust view
+ and set auto-private-groups=[hybrid,true,false]
+ and ensure that overridden values takes effect.
+ """
+ posixuser = "testuser@%s" % self.ad_domain
+ with self.set_idoverrideuser(posixuser,
+ self.uid_override,
+ self.gid_override):
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert(uid == self.uid_override
+ and gid == self.gid_override)
+ result = self.clients[0].run_command(['id', posixuser])
+ assert "10047(testgroup@{0})".format(
+ self.ad_domain) in result.stdout_text
--
2.34.1

43
SOURCES/0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
View File

@ -1,43 +0,0 @@
From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 10 Feb 2022 17:07:45 +0530
Subject: [PATCH] mark xfail for
test_idoverride_with_auto_private_group[hybrid]
Related : https://github.com/SSSD/sssd/issues/5989
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index ff2dd9cc819e1c5620ce449384957a633ae6d1f0..54bd154628cb8fb063d9839d7928acd37647e2a4 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration import fips
+from ipatests.util import xfail_context
from ipapython.dn import DN
from collections import namedtuple
from contextlib import contextmanager
@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
assert (uid == self.uid_override and gid == self.gid_override)
test_group = self.clients[0].run_command(
["id", nonposixuser]).stdout_text
- assert "domain users@{0}".format(self.ad_domain) in test_group
+ version = tasks.get_sssd_version(self.clients[0])
+ with xfail_context(version <= tasks.parse_version('2.6.3')
+ and type == "hybrid",
+ 'https://github.com/SSSD/sssd/issues/5989'):
+ assert "domain users@{0}".format(self.ad_domain) in test_group
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
def test_nonposixuser_nondefault_primary_group(self, type):
--
2.34.1

38
SOURCES/0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
View File

@ -1,38 +0,0 @@
From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 10 Feb 2022 17:29:45 +0530
Subject: [PATCH] Mark xfail
test_gidnumber_not_corresponding_existing_group[true,hybrid]
Related : https://github.com/SSSD/sssd/issues/5988
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 54bd154628cb8fb063d9839d7928acd37647e2a4..c128378151ec4c0fb295823d75f2a04df2f7ffa0 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
raiseonerr=False)
tasks.assert_error(result, "no such user")
else:
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
- assert uid == gid
- assert uid == '10060'
+ sssd_version = tasks.get_sssd_version(self.clients[0])
+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
+ 'https://github.com/SSSD/sssd/issues/5988'):
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
+ assert uid == '10060'
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
def test_only_uid_number_auto_private_group_default(self, type):
--
2.34.1

108
SOURCES/0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
View File

@ -1,108 +0,0 @@
From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 25 Feb 2022 08:58:24 +0200
Subject: [PATCH] KRB instance: make provision to work with crypto policy
without SHA-1 HMAC types
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
Due to bootstrapping process, force explicitly supported encryption
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
in FIPS mode at bootstrap time which then fails to initialize kadmin
principals requiring use of AES256-SHA2 and AES128-SHA2.
Camellia ciphers must be filtered out in FIPS mode, we do that already
in the kerberos.ldif.
At this point we are not changing the master key encryption type to
AES256-SHA2 because upgrading existing deployments is complicated and
at the time when a replica configuration is deployed, we don't know what
is the encryption type of the master key of the original server as well.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
install/share/kdc.conf.template | 3 ++-
install/share/kerberos.ldif | 2 ++
ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -6,7 +6,8 @@
[realms]
$REALM = {
- master_key_type = aes256-cts
+ master_key_type = $MASTER_KEY_TYPE
+ supported_enctypes = $SUPPORTED_ENCTYPES
max_life = 7d
max_renewable_life = 14d
acl_file = $KRB5KDC_KADM5_ACL
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-sha2:special
+krbDefaultEncSaltTypes: aes128-sha2:special
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
PKINIT_ENABLED = 'pkinitEnabled'
+MASTER_KEY_TYPE = 'aes256-sha1'
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
+ 'aes256-sha2:normal', 'aes128-sha2:normal',
+ 'aes256-cts:special', 'aes128-cts:special',
+ 'aes256-cts:normal', 'aes128-cts:normal',
+ 'camellia256-cts:special', 'camellia128-cts:special',
+ 'camellia256-cts:normal', 'camellia128-cts:normal')
+
def get_pkinit_request_ca():
"""
@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
else:
includes = ''
+ fips_enabled = tasks.is_fips_enabled()
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip,
PASSWORD=self.kdc_password,
@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
INCLUDES=includes,
- FIPS='#' if tasks.is_fips_enabled() else '')
+ FIPS='#' if fips_enabled else '')
+
+ if fips_enabled:
+ supported_enctypes = list(
+ filter(lambda e: not e.startswith('camelia'),
+ SUPPORTED_ENCTYPES))
+ else:
+ supported_enctypes = SUPPORTED_ENCTYPES
+ self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
+
+ self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
# IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified
--
2.34.1

58
SOURCES/0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
View File

@ -1,58 +0,0 @@
From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 28 Feb 2022 11:10:49 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/pytest_ipa/integration/fips.py | 6 ++++++
ipatests/pytest_ipa/integration/tasks.py | 3 +++
2 files changed, 9 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
# sanity check
assert not is_fips_enabled(host)
host.run_command(["openssl", "md5", "/dev/null"])
+
+
+def enable_crypto_subpolicy(host, subpolicy):
+ result = host.run_command(["update-crypto-policies", "--show"])
+ policy = result.stdin_text.strip() + ":" + subpolicy
+ host.run_command(["update-crypto-policies", "--set", policy])
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -66,6 +66,7 @@ from .env_config import env_to_script
from .host import Host
from .firewall import Firewall
from .resolver import ResolvedResolver
+from .fips import is_fips_enabled, enable_crypto_subpolicy
logger = logging.getLogger(__name__)
@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
if setup_adtrust:
args.append('--setup-adtrust')
fw_services.append("freeipa-trust")
+ if is_fips_enabled(host):
+ enable_crypto_subpolicy(host, "AD-SUPPORT")
if external_ca:
args.append('--external-ca')
--
2.34.1

46
SOURCES/0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
View File

@ -1,46 +0,0 @@
From 49d9147e38c5b50c52a1ebc7283753c779c2f81f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 3 Mar 2022 14:38:57 +0200
Subject: [PATCH] ipatests: extend AES keyset to SHA2-based ones
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipaserver/install/plugins/adtrust.py | 3 ++-
ipatests/pytest_ipa/integration/tasks.py | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 5b87ac47c6919de287b07c9ceef7ae22e1e79398..67e372bdb40a0b1f6815f107fc567f0ae056dad8 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -754,7 +754,8 @@ class update_host_cifs_keytabs(Updater):
"""
host_princ_template = "host/{master}@{realm}"
- valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
+ valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
+ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
def extract_key_refs(self, keytab):
host_princ = self.host_princ_template.format(
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 13d84e23fa7dc8a5e562e8498c9142e2bcad696a..d06f8eb2cf6c36956ec200a1abb7c488d1dad9aa 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2261,7 +2261,8 @@ class KerberosKeyCopier:
copier.copy_keys('/etc/krb5.keytab', tmpname, replacement=replacement)
"""
host_princ_template = "host/{master}@{realm}"
- valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
+ valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
+ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
def __init__(self, host):
self.host = host
--
2.34.1

35
SOURCES/0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
View File

@ -1,35 +0,0 @@
From ee39de46a1c1ea96bbe524f159ae435319b2d072 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 3 Mar 2022 14:43:11 +0200
Subject: [PATCH] freeipa.spec: bump crypto-policies dependency for CentOS 9
Stream
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
freeipa.spec.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0b24febc0baff6f60fd2b4cb254971bd3e3aa3b8..c1d81605068c6fc3e6c765ad01c4967fa9f03c95 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -695,6 +695,12 @@ Provides: %{name}-admintools = %{version}-%{release}
Conflicts: crypto-policies < 20200629-1
%endif
+%if 0%{?rhel} == 9
+# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
+# AD-SUPPORT-LEGACY policy modules
+Conflicts: crypto-policies < 20220223-1
+%endif
+
%description client
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
--
2.34.1

56
SOURCES/0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
View File

@ -1,56 +0,0 @@
From 3e54c4362490b4da1b6cb3e141bb6e08fecc58c0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 14 Mar 2022 13:23:04 +0200
Subject: [PATCH] Kerberos instance: default to AES256-SHA2 for master key
encryption
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they stored in a BER-encoded format, preserving all
parameters, including encryption type.
This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.
MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.
Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipaserver/install/krbinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 01b3309d50c0e8025e3381eac577225b1ef0be9d..a5eaa7b17133498f08e84d01c90764236e8ebe84 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
PKINIT_ENABLED = 'pkinitEnabled'
-MASTER_KEY_TYPE = 'aes256-sha1'
+MASTER_KEY_TYPE = 'aes256-sha2'
SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
'aes256-sha2:normal', 'aes128-sha2:normal',
'aes256-cts:special', 'aes128-cts:special',
--
2.34.1

44
SOURCES/0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
View File

@ -1,44 +0,0 @@
From 3baae8d1bd0a0c4c707314524289e86e6ecbc0df Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 14 Mar 2022 21:09:36 +0200
Subject: [PATCH] test_otp: do not use paramiko unless it is really needed
paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.
Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).
Related: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_otp.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index bec76d205bf37699483b65ebbc5613cbbb466bb4..04bef4626077e727654898b07a76acab4f1d5971 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -5,7 +5,6 @@
"""
import base64
import logging
-import paramiko
import pytest
import re
import time
@@ -102,6 +101,8 @@ def ssh_2f(hostname, username, answers_dict, port=22):
logger.info(
"Answer to ssh prompt is: '%s'", answers_dict[prmpt_str])
return resp
+
+ import paramiko
trans = paramiko.Transport((hostname, port))
trans.connect()
trans.auth_interactive(username, answer_handler)
--
2.34.1

44
SOURCES/0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
View File

@ -1,44 +0,0 @@
From 2e70535f74e7d9dd76e728eca1119ce522fd138a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 15 Mar 2022 11:39:46 +0200
Subject: [PATCH] test_krbtpolicy: skip SPAKE-related tests in FIPS mode
SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.
Related: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_krbtpolicy.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 9489fbc97b7836aecf491b57627f254d4849eb56..eae16247bdfb195c1d91209cf2d11eac4c25018f 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -105,6 +105,9 @@ class TestPWPolicy(IntegrationTest):
def test_krbtpolicy_password_and_hardended(self):
"""Test a pwd and hardened kerberos ticket policy with 10min tickets"""
+ if self.master.is_fips_mode:
+ pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
+
master = self.master
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'password',
@@ -133,6 +136,9 @@ class TestPWPolicy(IntegrationTest):
def test_krbtpolicy_hardended(self):
"""Test a hardened kerberos ticket policy with 30min tickets"""
+ if self.master.is_fips_mode:
+ pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
+
master = self.master
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'hardened'])
--
2.34.1

555
SOURCES/0034-Support-AES-for-KRA-archival-wrapping.patch
View File

@ -1,555 +0,0 @@
From 895e99b6843c2fa2274acab824607c33c1a560a4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 7 Oct 2019 14:13:03 +0200
Subject: [PATCH] Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 7 +-
VERSION.m4 | 5 +-
ipaclient/plugins/vault.py | 155 +++++++++++++++++++++++++------------
ipalib/capabilities.py | 4 +
ipalib/constants.py | 12 +++
ipaserver/plugins/vault.py | 61 ++++++++++++---
6 files changed, 180 insertions(+), 64 deletions(-)
diff --git a/API.txt b/API.txt
index 576fa7c51e31886b257ccf176aaf232c0f2ea5ee..f95f2c8457e39f2268386a8a2336952d3285e008 100644
--- a/API.txt
+++ b/API.txt
@@ -6548,7 +6548,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: vault_archive_internal/1
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Bytes('nonce')
@@ -6559,6 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6649,7 +6650,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: vault_retrieve_internal/1
-args: 1,7,3
+args: 1,8,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -6658,6 +6659,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -7327,6 +7329,7 @@ default: vaultcontainer_del/1
default: vaultcontainer_remove_owner/1
default: vaultcontainer_show/1
default: whoami/1
+capability: vault_aes_keywrap 2.246
capability: messages 2.52
capability: optional_uid_params 2.54
capability: permissions2 2.69
diff --git a/VERSION.m4 b/VERSION.m4
index 70aaff4c9b9514a5937eae60074376e1a592464e..997ac35e74fa6f2a96da027ed3ce93cf809b62a7 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
-# Last change: add enable_sid to config
-define(IPA_API_VERSION_MINOR, 245)
-
+# Last change: Add wrapping algorithm to vault archive/retrieve
+define(IPA_API_VERSION_MINOR, 246)
########################################################
# Following values are auto-generated from values above
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index d3a1d370efaccc7e5b0088bd3df341d76884d509..115171c7768d44251c17d0bcdac9c37b3a25db99 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -25,11 +25,12 @@ import io
import json
import logging
import os
+import ssl
import tempfile
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
@@ -39,7 +40,7 @@ from cryptography.hazmat.primitives.serialization import (
from ipaclient.frontend import MethodOverride
from ipalib import x509
-from ipalib.constants import USER_CACHE_PATH
+from ipalib import constants
from ipalib.frontend import Local, Method, Object
from ipalib.util import classproperty
from ipalib import api, errors
@@ -546,42 +547,49 @@ class vault_mod(Local):
return response
-class _TransportCertCache:
+class _KraConfigCache:
+ """The KRA config cache stores vaultconfig-show result.
+ """
def __init__(self):
self._dirname = os.path.join(
- USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
+ constants.USER_CACHE_PATH, 'ipa', 'kra-config'
)
def _get_filename(self, domain):
- basename = DNSName(domain).ToASCII() + '.pem'
+ basename = DNSName(domain).ToASCII() + '.json'
return os.path.join(self._dirname, basename)
- def load_cert(self, domain):
- """Load cert from cache
+ def load(self, domain):
+ """Load config from cache
:param domain: IPA domain
- :return: cryptography.x509.Certificate or None
+ :return: dict or None
"""
filename = self._get_filename(domain)
try:
try:
- return x509.load_certificate_from_file(filename)
- except EnvironmentError as e:
+ with open(filename) as f:
+ return json.load(f)
+ except OSError as e:
if e.errno != errno.ENOENT:
raise
except Exception:
logger.warning("Failed to load %s", filename, exc_info=True)
return None
- def store_cert(self, domain, transport_cert):
- """Store a new cert or override existing cert
+ def store(self, domain, response):
+ """Store config in cache
:param domain: IPA domain
- :param transport_cert: cryptography.x509.Certificate
- :return: True if cert was stored successfully
+ :param config: ipa vaultconfig-show response
+ :return: True if config was stored successfully
"""
+ config = response['result'].copy()
+ # store certificate as PEM-encoded ASCII
+ config['transport_cert'] = ssl.DER_cert_to_PEM_cert(
+ config['transport_cert']
+ )
filename = self._get_filename(domain)
- pem = transport_cert.public_bytes(serialization.Encoding.PEM)
try:
try:
os.makedirs(self._dirname)
@@ -589,9 +597,9 @@ class _TransportCertCache:
if e.errno != errno.EEXIST:
raise
with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
- mode='wb') as f:
+ mode='w') as f:
try:
- f.write(pem)
+ json.dump(config, f)
ipautil.flush_sync(f)
f.close()
os.rename(f.name, filename)
@@ -604,8 +612,8 @@ class _TransportCertCache:
else:
return True
- def remove_cert(self, domain):
- """Remove a cert from cache, ignores errors
+ def remove(self, domain):
+ """Remove a config from cache, ignores errors
:param domain: IPA domain
:return: True if cert was found and removed
@@ -621,7 +629,7 @@ class _TransportCertCache:
return True
-_transport_cert_cache = _TransportCertCache()
+_kra_config_cache = _KraConfigCache()
@register(override=True, no_fail=True)
@@ -636,13 +644,8 @@ class vaultconfig_show(MethodOverride):
response = super(vaultconfig_show, self).forward(*args, **options)
- # cache transport certificate
- transport_cert = x509.load_der_x509_certificate(
- response['result']['transport_cert'])
-
- _transport_cert_cache.store_cert(
- self.api.env.domain, transport_cert
- )
+ # cache config
+ _kra_config_cache.store(self.api.env.domain, response)
if file:
with open(file, 'wb') as f:
@@ -652,10 +655,54 @@ class vaultconfig_show(MethodOverride):
class ModVaultData(Local):
- def _generate_session_key(self):
- key_length = max(algorithms.TripleDES.key_sizes)
- algo = algorithms.TripleDES(os.urandom(key_length // 8))
- return algo
+ def _generate_session_key(self, name):
+ if name not in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ msg = _("{algo} is not a supported vault wrapping algorithm")
+ raise errors.ValidationError(msg.format(algo=repr(name)))
+ if name == constants.VAULT_WRAPPING_AES128_CBC:
+ return algorithms.AES(os.urandom(128 // 8))
+ elif name == constants.VAULT_WRAPPING_3DES:
+ return algorithms.TripleDES(os.urandom(196 // 8))
+ else:
+ # unreachable
+ raise ValueError(name)
+
+ def _get_vaultconfig(self, force_refresh=False):
+ config = None
+ if not force_refresh:
+ config = _kra_config_cache.load(self.api.env.domain)
+ if config is None:
+ # vaultconfig_show also caches data
+ response = self.api.Command.vaultconfig_show()
+ config = response['result']
+ transport_cert = x509.load_der_x509_certificate(
+ config['transport_cert']
+ )
+ else:
+ # cached JSON uses PEM-encoded ASCII string
+ transport_cert = x509.load_pem_x509_certificate(
+ config['transport_cert'].encode('ascii')
+ )
+
+ default_algo = config.get('wrapping_default_algorithm')
+ if default_algo is None:
+ # old server
+ wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
+ elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ # try to use server default
+ wrapping_algo = default_algo
+ else:
+ # prefer server's sorting order
+ for algo in config['wrapping_supported_algorithms']:
+ if algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ wrapping_algo = algo
+ break
+ else:
+ raise errors.ValidationError(
+ "No overlapping wrapping algorithm between server and "
+ "client."
+ )
+ return transport_cert, wrapping_algo
def _do_internal(self, algo, transport_cert, raise_unexpected,
*args, **options):
@@ -675,29 +722,23 @@ class ModVaultData(Local):
except (errors.InternalError,
errors.ExecutionError,
errors.GenericError):
- _transport_cert_cache.remove_cert(self.api.env.domain)
+ _kra_config_cache.remove(self.api.env.domain)
if raise_unexpected:
raise
return None
- def internal(self, algo, *args, **options):
+ def internal(self, algo, transport_cert, *args, **options):
"""
Calls the internal counterpart of the command.
"""
- domain = self.api.env.domain
-
# try call with cached transport certificate
- transport_cert = _transport_cert_cache.load_cert(domain)
- if transport_cert is not None:
- result = self._do_internal(algo, transport_cert, False,
+ result = self._do_internal(algo, transport_cert, False,
*args, **options)
- if result is not None:
- return result
+ if result is not None:
+ return result
# retrieve transport certificate (cached by vaultconfig_show)
- response = self.api.Command.vaultconfig_show()
- transport_cert = x509.load_der_x509_certificate(
- response['result']['transport_cert'])
+ transport_cert = self._get_vaultconfig(force_refresh=True)[0]
# call with the retrieved transport certificate
return self._do_internal(algo, transport_cert, True,
*args, **options)
@@ -777,7 +818,7 @@ class vault_archive(ModVaultData):
def _wrap_data(self, algo, json_vault_data):
"""Encrypt data with wrapped session key and transport cert
- :param bytes algo: wrapping algorithm instance
+ :param algo: wrapping algorithm instance
:param bytes json_vault_data: dumped vault data
:return:
"""
@@ -929,15 +970,24 @@ class vault_archive(ModVaultData):
json_vault_data = json.dumps(vault_data).encode('utf-8')
+ # get config
+ transport_cert, wrapping_algo = self._get_vaultconfig()
+ # let options override wrapping algo
+ # For backwards compatibility do not send old legacy wrapping algo
+ # to server. Only send the option when non-3DES is used.
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
+ options['wrapping_algo'] = wrapping_algo
+
# generate session key
- algo = self._generate_session_key()
+ algo = self._generate_session_key(wrapping_algo)
# wrap vault data
nonce, wrapped_vault_data = self._wrap_data(algo, json_vault_data)
options.update(
nonce=nonce,
vault_data=wrapped_vault_data
)
- return self.internal(algo, *args, **options)
+ return self.internal(algo, transport_cert, *args, **options)
@register(no_fail=True)
@@ -1061,10 +1111,19 @@ class vault_retrieve(ModVaultData):
vault = self.api.Command.vault_show(*args, **options)['result']
vault_type = vault['ipavaulttype'][0]
+ # get config
+ transport_cert, wrapping_algo = self._get_vaultconfig()
+ # let options override wrapping algo
+ # For backwards compatibility do not send old legacy wrapping algo
+ # to server. Only send the option when non-3DES is used.
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
+ options['wrapping_algo'] = wrapping_algo
+
# generate session key
- algo = self._generate_session_key()
+ algo = self._generate_session_key(wrapping_algo)
# send retrieval request to server
- response = self.internal(algo, *args, **options)
+ response = self.internal(algo, transport_cert, *args, **options)
# unwrap data with session key
vault_data = self._unwrap_response(
algo,
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
index 55b84aa6bc73d583e7bd5d03d2f4f1cc5c8e7c0b..4d8ae408bf67c280d27ce494baa9db9aaff0cd69 100644
--- a/ipalib/capabilities.py
+++ b/ipalib/capabilities.py
@@ -54,6 +54,10 @@ capabilities = dict(
# dns_name_values: dnsnames as objects
dns_name_values=u'2.88',
+
+ # vault supports aes key wrapping
+ vault_aes_keywrap='2.246'
+
)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 9f19b0f9941ba5068f1e6c218092e3b76fdc7599..11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -374,3 +374,15 @@ KRA_TRACKING_REQS = {
}
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
+
+# vault data wrapping algorithms
+VAULT_WRAPPING_3DES = 'des-ede3-cbc'
+VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
+VAULT_WRAPPING_SUPPORTED_ALGOS = (
+ # old default was 3DES
+ VAULT_WRAPPING_3DES,
+ # supported since pki-kra >= 10.4
+ VAULT_WRAPPING_AES128_CBC,
+)
+# 3DES for backwards compatibility
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index aebac7dff7bb9d183c6012cc685577d476e18c4e..4d40f66c6a793a831e91c5fe25c8b5277cbd1972 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -23,6 +23,10 @@ from ipalib.frontend import Command, Object
from ipalib import api, errors
from ipalib import Bytes, Flag, Str, StrEnum
from ipalib import output
+from ipalib.constants import (
+ VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_DEFAULT_ALGO,
+ VAULT_WRAPPING_3DES, VAULT_WRAPPING_AES128_CBC,
+)
from ipalib.crud import PKQuery, Retrieve
from ipalib.parameters import Principal
from ipalib.plugable import Registry
@@ -39,14 +43,8 @@ from ipaserver.masters import is_service_enabled
if api.env.in_server:
import pki.account
import pki.key
- # pylint: disable=no-member
- try:
- # pki >= 10.4.0
- from pki.crypto import DES_EDE3_CBC_OID
- except ImportError:
- DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
- # pylint: enable=no-member
-
+ from pki.crypto import DES_EDE3_CBC_OID
+ from pki.crypto import AES_128_CBC_OID
if six.PY3:
unicode = str
@@ -652,6 +652,20 @@ class vault(LDAPObject):
),
)
+ def _translate_algorithm(self, name):
+ if name is None:
+ name = VAULT_WRAPPING_DEFAULT_ALGO
+ if name not in VAULT_WRAPPING_SUPPORTED_ALGOS:
+ msg = _("{algo} is not a supported vault wrapping algorithm")
+ raise errors.ValidationError(msg.format(algo=name))
+ if name == VAULT_WRAPPING_3DES:
+ return DES_EDE3_CBC_OID
+ elif name == VAULT_WRAPPING_AES128_CBC:
+ return AES_128_CBC_OID
+ else:
+ # unreachable
+ raise ValueError(name)
+
def get_dn(self, *keys, **options):
"""
Generates vault DN from parameters.
@@ -992,14 +1006,18 @@ class vaultconfig_show(Retrieve):
)
def execute(self, *args, **options):
-
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
+ config = dict(
+ wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
+ )
+
with self.api.Backend.kra.get_client() as kra_client:
transport_cert = kra_client.system_certs.get_transport_cert()
- config = {'transport_cert': transport_cert.binary}
+ config['transport_cert'] = transport_cert.binary
self.api.Object.config.show_servroles_attributes(
config, "KRA server", **options)
@@ -1029,6 +1047,13 @@ class vault_archive_internal(PKQuery):
'nonce',
doc=_('Nonce'),
),
+ StrEnum(
+ 'wrapping_algo?',
+ doc=_('Key wrapping algorithm'),
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
+ autofill=True,
+ ),
)
has_output = output.standard_entry
@@ -1045,6 +1070,9 @@ class vault_archive_internal(PKQuery):
nonce = options.pop('nonce')
wrapped_session_key = options.pop('session_key')
+ wrapping_algo = options.pop('wrapping_algo', None)
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
+
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1071,7 +1099,7 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.PASS_PHRASE_TYPE,
wrapped_vault_data,
wrapped_session_key,
- algorithm_oid=DES_EDE3_CBC_OID,
+ algorithm_oid=algorithm_oid,
nonce_iv=nonce,
)
@@ -1098,6 +1126,13 @@ class vault_retrieve_internal(PKQuery):
'session_key',
doc=_('Session key wrapped with transport certificate'),
),
+ StrEnum(
+ 'wrapping_algo?',
+ doc=_('Key wrapping algorithm'),
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
+ autofill=True,
+ ),
)
has_output = output.standard_entry
@@ -1112,6 +1147,9 @@ class vault_retrieve_internal(PKQuery):
wrapped_session_key = options.pop('session_key')
+ wrapping_algo = options.pop('wrapping_algo', None)
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
+
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1132,6 +1170,9 @@ class vault_retrieve_internal(PKQuery):
key_info = response.key_infos[0]
+ # XXX hack
+ kra_client.keys.encrypt_alg_oid = algorithm_oid
+
# retrieve encrypted data from KRA
key = kra_client.keys.retrieve_key(
key_info.get_key_id(),
--
2.34.1

86
SOURCES/0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
View File

@ -1,86 +0,0 @@
From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 11 Mar 2022 17:47:38 +0100
Subject: [PATCH] Set AES as default for KRA archival wrapping
This commit sets AES-128-CBC as default wrapping algorithm as
TripleDES (des-ede3-cbc) is not supported anymore in C9S.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 6 +++---
ipalib/constants.py | 14 +++++++++-----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/API.txt b/API.txt
index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644
--- a/API.txt
+++ b/API.txt
@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
default: vaultcontainer_remove_owner/1
default: vaultcontainer_show/1
default: whoami/1
-capability: vault_aes_keywrap 2.246
capability: messages 2.52
capability: optional_uid_params 2.54
capability: permissions2 2.69
capability: primary_key_types 2.83
capability: datetime_values 2.84
capability: dns_name_values 2.88
+capability: vault_aes_keywrap 2.246
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
from ipapython.dn import DN
from ipapython.fqdn import gethostfqdn
from ipapython.version import VERSION, API_VERSION
+from cryptography.hazmat.primitives.ciphers import algorithms, modes
+from cryptography.hazmat.backends.openssl.backend import backend
FQDN = gethostfqdn()
@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
VAULT_WRAPPING_3DES = 'des-ede3-cbc'
VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
VAULT_WRAPPING_SUPPORTED_ALGOS = (
- # old default was 3DES
- VAULT_WRAPPING_3DES,
- # supported since pki-kra >= 10.4
+ # new default and supported since pki-kra >= 10.4
VAULT_WRAPPING_AES128_CBC,
)
-# 3DES for backwards compatibility
-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
+
+# Add 3DES for backwards compatibility if supported
+if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
+ modes.CBC(b"\x00" * 8)):
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
--
2.34.1

16
SOURCES/freeipa-4.10.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmK8aYIACgkQaYdvcqbi
00/mYQ/9GsTlD3aiAVvkTn+PLngLdsg3zFSDXUUI/I4ylOeoubzYmdWrX2yWJfvk
soVcxtHeLkrI/uLo44iiZkxYILxMY56dPzoUn6I46VQFppdoOzwlvdYhlOXYtvtB
yYIZhMdCsTkCORMlZ/RR8qNH8iZ1Zjzd4sf6CMWDdxK6ruAfPzaKAMm4EMa1+Rv7
67OfSJKqfNksfeKNndYyNki1FmZo7ukKqcA5/lE+ZaN3/yg6IMydqJVD462OJizF
aHyYZDEaUQv3Or9d8V5G/qJpUz6wCjvzLGvNp3nn4goyX2RG1yY6AX6W8P5/FGiN
A5emCV2LmufWE02CGHZ/9i88BIRqh0laPYJianEw/4iJa3BVYDjnlCTWxjDqVfv/
WBlEnZm/bQkHJITEe6hIwmnHJIFPrhuPxsaBIRUNU1oLTIoU+VFnPRyGGeFuKPSX
girFx1ip3roB6ChoXhYprS1eJ8CjP61ffjT+GLXl9b8OyqFmbxLCMRp19uFt96L1
DHWZv9ytfcwoZW7zzKlCwcGcLsui4PCmriSS8uaGUNvouBfeshHU4OgilwJnjQMP
kPvqagQCF7xe1ZoOdgoKgYvhXI+jABrZ0LVQoj4QMHGjCxkdFmhNNM37xtHogae9
NwfSWqa9UZO+LHy4tNiHrv9W0WnDoPjLFrod2yxIfhh/reYs3GU=
=Zzx6
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.9.8.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
=t9up
-----END PGP SIGNATURE-----

119
SPECS/freeipa.spec
View File

@ -150,8 +150,8 @@
# RHEL 8.2+, F32+ has 3.58
%global nss_version 3.44.0-4
# RHEL 8.3+, F32+
%global sssd_version 2.4.0
# RHEL 8.7+, F35+, adds IdP integration
%global sssd_version 2.7.0
%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%global kdcproxy_version 0.4-3
@ -185,7 +185,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.8
%define IPA_VERSION 4.10.0
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@ -198,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 7%{?rc_version:.%rc_version}%{?dist}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -218,41 +218,20 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch0001: 0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
Patch0002: 0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
Patch0003: 0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch
Patch0004: 0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch
Patch0005: 0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch
Patch0006: 0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch
Patch0007: 0007-Test-cases-for-ipa-replica-conncheck-command.patch
Patch0008: 0008-PEP8-Fixes.patch
Patch0009: 0009-ipatests-webui-Tests-for-subordinate-ids.patch
Patch0010: 0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch
Patch0011: 0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch
Patch0012: 0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch
Patch0013: 0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
Patch0014: 0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
Patch0015: 0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
Patch0016: 0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
Patch0017: 0017-Don-t-always-override-the-port-in-import_included_pr.patch
Patch0018: 0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
Patch0019: 0019-Enable-the-ccache-sweep-timer-during-installation.patch
Patch0020: 0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
Patch0021: 0021-ipa_cldap-fix-memory-leak.patch
Patch0022: 0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch
Patch0023: 0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
Patch0024: 0024-ipatests-Tests-for-Autoprivate-group.patch
Patch0025: 0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
Patch0026: 0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
Patch0027: 0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
Patch0028: 0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
Patch0029: 0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
Patch0030: 0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
Patch0031: 0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
Patch0032: 0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
Patch0033: 0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
Patch0034: 0034-Support-AES-for-KRA-archival-wrapping.patch
Patch0035: 0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch
Patch0002: 0002-webui-Do-not-allow-empty-pagination-size.patch
Patch0003: 0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
Patch0004: 0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch
Patch0005: 0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch
Patch0006: 0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
Patch0007: 0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
Patch0008: 0008-webui-Allow-grace-login-limit.patch
Patch0009: 0009-Additional-tests-for-RSN-v3.patch
Patch0010: 0010-check_repl_update-in-progress-is-a-boolean.patch
Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -353,7 +332,9 @@ BuildRequires: python3-wheel
%if %{with doc}
BuildRequires: python3-sphinx
BuildRequires: python3-m2r
BuildRequires: plantuml
BuildRequires: fontconfig
BuildRequires: google-noto-sans-vf-fonts
%endif
#
@ -639,8 +620,8 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: libsss_idmap
Requires: sssd-winbind-idmap
Requires: libsss_idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
%endif
@ -681,7 +662,12 @@ Requires: python3-sssdconfig >= %{sssd_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
Requires: krb5-workstation >= %{krb5_version}
Requires: authselect >= 0.4-2
# authselect: sssd profile with-subid
%if 0%{?fedora} >= 36
Requires: authselect >= 1.4.0
%else
Requires: authselect >= 1.2.5
%endif
Requires: curl
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
# All Fedora 28+ and RHEL8+ contain the service in hostname package
@ -693,6 +679,7 @@ Requires: xmlrpc-c >= 1.27.4
Requires: jansson
%endif
Requires: sssd-ipa >= %{sssd_version}
Requires: sssd-idp >= %{sssd_version}
Requires: certmonger >= %{certmonger_version}
Requires: nss-tools >= %{nss_version}
Requires: bind-utils
@ -729,7 +716,7 @@ Conflicts: crypto-policies < 20200629-1
# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
# AD-SUPPORT-LEGACY policy modules
Conflicts: crypto-policies < 20220223-1
%endif
%endif
%description client
IPA is an integrated solution to provide centrally managed Identity (users,
@ -1089,6 +1076,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
rm %{buildroot}/%{plugin_dir}/libtopology.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
@ -1272,6 +1260,7 @@ if [ $1 -gt 1 ] ; then
%{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
%{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
chmod 0600 /var/log/ipaupgrade.log
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@ -1447,6 +1436,7 @@ fi
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1*
%{_mandir}/man1/ipa-replica-install.1*
@ -1750,8 +1740,47 @@ fi
%endif
%changelog
* Mon Mar 21 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
- Resolves: rhbz#2057471 Consequences of FIPS crypto policy tightening in RHEL 9
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
- Resolves: rhbz#2115495 group password policy by default does not allow grace logins
- Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'
* Thu Jul 28 2022 Francisco Trivino <ftrivino@redhat.com> - 4.10.0-5
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-101.el9
* Thu Jul 21 2022 Francisco Trivino <ftrivino@redhat.com> - 4.10.0-4
- Resolves: rhbz#2109645
- Rebuild for samba-4.16.3-100.el9
* Fri Jul 15 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-3
- Resolves: rhbz#2105294 IdM WebUI Pagination Size should not allow empty value
* Thu Jun 30 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.10.0-2
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind
* Thu Jun 30 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.10.0-1
- Resolves: rhbz#747959 [RFE] Support random serial numbers in IPA certificates
- Resolves: rhbz#2100227 [UX] Preserving a user account produces output saying it was deleted
* Fri Jun 17 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.10-1
- Resolves: rhbz#2079469 [Rebase] Rebase ipa to latest 4.9.x release
- Resolves: rhbz#2012911 named journalctl logs shows 'zone testrealm.test/IN: serial (serialnumber) write back to LDAP failed.'
- Resolves: rhbz#2069202 [RFE] add support for authenticating against external IdP services using OAUTH2 preauthenticaiton mechanism provided by SSSD
- Resolves: rhbz#2083218 ipa-dnskeysyncd floods /var/log/messages with DEBUG messages
- Resolves: rhbz#2089750 RFE: Improve error message with more detail for ipa-replica-install command
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind
- Resolves: rhbz#2094400 [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
- Resolves: rhbz#2096922 secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml
* Wed Apr 06 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-8
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
- tests: ensure AD-SUPPORT subpolicy is active in more cases
- ipatests: fix check for AD topology being present
* Thu Mar 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
- KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
- tests: ensure AD-SUPPORT subpolicy is active
- ipatests: extend AES keyset to SHA2-based ones