ipa-4.12.2-17

- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder
- Resolves: RHEL-86481 Include latest fixes in python3-ipatests package
- Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
- Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
Florence Blanc-Renaud 2025-04-29 17:49:26 +02:00
parent 518fbd80d0
commit 5bae5ab37a
7 changed files with 317 additions and 1 deletions


@ -0,0 +1,49 @@
From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 17 Feb 2025 10:21:53 +0100
Subject: [PATCH] dns: don't populate forwarders with DoT forwarders
DNS over TLS setup overrides global forwarder to point to Unbound, so no
need to setup regular forwarders.
Resolves: https://pagure.io/freeipa/issue/9748
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/dns.py | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
if options.no_forwarders:
options.forwarders = []
- elif (options.forwarders
- or options.dot_forwarders or options.auto_forwarders):
+ elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
- if options.dot_forwarders:
- options.forwarders = [fw.split("#")[0]
- for fw in options.dot_forwarders]
- else:
- options.forwarders = []
+ options.forwarders = []
if options.auto_forwarders:
options.forwarders.extend(dnsforwarders.get_nameservers())
elif standalone or not replica:
@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
"and IPA CA is not present."
)
- if not options.forwarders and options.dot_forwarders:
- options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
-
bind = bindinstance.BindInstance(fstore, api=api)
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
options.forwarders, options.forward_policy,
--
2.49.0
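Review bot: With `dot_forwarders` dropped from the condition at `elif options.forwarders or options.auto_forwarders:`, an installation that passes only `--dot-forwarders` now falls through to `elif standalone or not replica:`, whose body is outside the hunk; whether that branch prompts for or validates plain forwarders in the DoT-only case should be confirmed. The reason for the exclusion lives only in the commit message, so a comment at the `elif` would help the next reader: `# DoT forwarders are served by Unbound (global forwarder override); do not mirror them into BIND's forwarders list`. Both install_check and install continue outside the hunks shown.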


@ -0,0 +1,90 @@
From d3e9e35ef73729956c649f2ee0d0ff3963f99e4e Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Fri, 28 Mar 2025 10:33:15 +0100
Subject: [PATCH] Correct dnsrecord_* tests for --raw --structured
Fixes typo in the tests, --raw --structured is only checked if rest of
the command is correct as well, therefore test changes were required.
Fixes: https://pagure.io/freeipa/issue/9768
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_xmlrpc/test_dns_plugin.py | 32 ++++++++++++++-----------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 803b0a9571c2888dd02c4595c68403f37be7fed7..864d5287f8317a5154aec4c792f56deab7ff0120 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -3416,20 +3416,11 @@ class test_dns(Declarative):
},
),
- dict(
- desc='Delete zone %r' % zone1,
- command=('dnszone_del', [zone1], {}),
- expected={
- 'value': [zone1_absolute_dnsname],
- 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
- 'result': {'failed': []},
- },
- ),
-
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-add",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_add', [zone1, name1],
+ {'arecord': arec2, u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3438,7 +3429,8 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-mod",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_mod', [zone1, name1],
+ {'arecord': arec1, u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3447,7 +3439,8 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-show",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_show', [zone1, name1],
+ {u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3456,11 +3449,22 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-find",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_find', [zone1],
+ {u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
),
+
+ dict(
+ desc='Delete zone %r' % zone1,
+ command=('dnszone_del', [zone1], {}),
+ expected={
+ 'value': [zone1_absolute_dnsname],
+ 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
+ 'result': {'failed': []},
+ },
+ ),
]
--
2.49.0
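Review bot: The new `command=` dicts mix plain and `u''` literals on one line (`{'arecord': arec2, u'raw': True, u'structured': True}`); on Python 3 the prefix is a no-op, so pick one form for the keys you add, e.g. `{'arecord': arec2, 'raw': True, 'structured': True}`. Moving the `dnszone_del` entry after the four error cases is presumably what makes `zone1`/`name1` usable in them; a one-line comment above the moved dict saying the zone must outlive the --raw/--structured checks would keep someone from moving it back. The enclosing test list continues above the hunk.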


@ -0,0 +1,36 @@
From d77c4597a841729cb7c890bb57cc548a70c8724b Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 1 Apr 2025 12:31:18 +0530
Subject: [PATCH] ipatests: Fix for ipa-healthcheck test in FIPS Mode
Fix https://github.com/freeipa/freeipa-healthcheck/pull/349
was added for RHEL10 only causing the tests to
fail in RHEL10.1.
Hence the if condition has been changed in the testcode.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index d72808f0f9b6dc7e438a16f9bd7e676f473fd323..8d1b9fce32f8e2e6ac78f9b26f9daf19445c3c8b 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -374,10 +374,10 @@ class TestIpaHealthCheck(IntegrationTest):
if (
parse_version(healthcheck_version) < parse_version("0.17")
and osinfo.id == 'rhel'
- and osinfo.version_number == (10,0)
+ and osinfo.version_number >= (10,0)
):
# Patch: https://github.com/freeipa/freeipa-healthcheck/pull/349
- pytest.xfail("Patch is unavailable for RHEL 10.0 and "
+ pytest.xfail("Patch is unavailable for RHEL 10.0 and above"
"freeipa-healtheck version 0.16 or less")
returncode, check = run_healthcheck(self.master,
--
2.49.0
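Review bot: The rewritten line `pytest.xfail("Patch is unavailable for RHEL 10.0 and above"` dropped the trailing space the previous version had, so implicit concatenation with the next line produces `...and abovefreeipa-healtheck version 0.16 or less`. Restore the separator: `pytest.xfail("Patch is unavailable for RHEL 10.0 and above, "`. The comparison `osinfo.version_number >= (10,0)` relies on version_number being a tuple of ints, which the previous `== (10,0)` test suggests but the hunk does not show; PEP 8 would also write it `(10, 0)`.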


@ -0,0 +1,42 @@
From 1aac0a5f7e0702e23e0ba6dad726734b5d75710d Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 31 Mar 2025 11:50:41 +0200
Subject: [PATCH] ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
Also remove unused "search_pb" variable and its associated free
functions.
Fixes: https://pagure.io/freeipa/issue/9772
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
index 99e6b850b04145cefcb7830df5fe4b36adec45de..35ecef228d7fac1e7009dbf97983089755aa6768 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
@@ -81,7 +81,6 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
const char *dn_str;
Slapi_DN *dn = NULL;
struct ipa_sidgen_ctx *ctx;
- Slapi_PBlock *search_pb = NULL;
char *errmsg = NULL;
ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
@@ -152,9 +151,8 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
ret = 0;
done:
- slapi_free_search_results_internal(search_pb);
- slapi_pblock_destroy(search_pb);
slapi_sdn_free(&dn);
+ slapi_entry_free(entry);
if (ret != 0) {
if (errmsg == NULL) {
--
2.49.0
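Review bot: The new `slapi_entry_free(entry);` under `done:` runs on every exit path of ipa_sidgen_add_post_op, including any `goto done` taken before `entry` is assigned; the declaration of `entry` is outside the hunk, so confirm it is initialised there (`Slapi_Entry *entry = NULL;`), otherwise the early-exit paths free an indeterminate pointer. This also assumes `entry` is a copy this function owns (for instance the result of an internal search, which the removed `search_pb` lines hint at) rather than the operation's entry fetched from the pblock, which the server owns and must not be freed; a short comment at the free stating which it is would document the ownership. The function body continues outside both hunks.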


@ -0,0 +1,46 @@
From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Sat, 8 Mar 2025 14:55:09 +0100
Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if
CA is close to being expired.
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
cert_nicknames = {
+ 'ca_issuing': 'caSigningCert cert-pki-ca',
'sslserver': 'Server-Cert cert-pki-ca',
'subsystem': 'subsystemCert cert-pki-ca',
'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
print("Nothing to do.")
return 0
+ if any(key == 'ca_issuing' for key, _ in certs):
+ logger.debug("CA signing cert is expired, exiting!")
+ print(
+ "The CA signing certificate is expired or will expire within "
+ "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+ "refer to the ipa-cacert-manage tool to renew the CA "
+ "certificate before proceeding."
+ )
+ return 1
+
print(msg)
print_intentions(certs, extra_certs, non_renewed)
--
2.49.0
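Review bot: The line `logger.debug("CA signing cert is expired, exiting!")` records the refusal at debug level, so without `-v` an operator sees only the printed text, and its wording is narrower than the printed message, which also covers "will expire within the next two weeks". Consider `logger.error("CA signing cert is expired or about to expire, exiting!")`; the integration test in this same build matches on the debug string, so it would need the same update. The check keys on `'ca_issuing'` appearing in `certs`, which is built outside the hunk and presumably holds the certificates found expired or expiring within the tool's window; a comment above `if any(key == 'ca_issuing' for key, _ in certs):` stating that assumption would make the early return self-explanatory. Adding `'ca_issuing'` to `cert_nicknames` also reaches any other consumer of that dict, none of which is visible here.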


@ -0,0 +1,41 @@
From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Sat, 8 Mar 2025 15:04:57 +0100
Subject: [PATCH] Test fix for the update
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 15d8a81575dc7f2077c34b8907fbeb3e2f6eb66f..d11fd3d611e7e5755569e8fc70de6f261473e3f3 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
valid. If CA cert expired, ipa-cert-fix won't work.
related: https://pagure.io/freeipa/issue/8721
+
+ If CA cert is close to expiry, there's no reason to issue new certs
+ with short validity period. So, ipa-cert-fix should fail in this case.
+
+ related: https://pagure.io/freeipa/issue/9760
"""
result = self.master.run_command(['ipa-cert-fix', '-v'],
stdin_text='yes\n',
raiseonerr=False)
# check that pki-server cert-fix command fails
- err_msg = ("ERROR: CalledProcessError(Command "
- "['pki-server', 'cert-fix'")
+ err_msg = ("CA signing cert is expired, exiting!")
+ assert result.returncode == 1
assert err_msg in result.stderr_text
--
2.49.0
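Review bot: The comment `# check that pki-server cert-fix command fails` above the new assertions is now stale: the test no longer looks for the CalledProcessError from pki-server but for ipa-cert-fix refusing to run, so replace it with `# check that ipa-cert-fix refuses to run because the CA cert is about to expire`. The `assert err_msg in result.stderr_text` check depends on the tool being invoked with `-v`, since the matched string is emitted at debug level in ipa_cert_fix.py; a note next to the run_command call would keep that coupling visible. The test method starts above the hunk.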


@ -207,7 +207,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 16%{?rc_version:.%rc_version}%{?dist}
Release: 17%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -321,6 +321,12 @@ Patch0080: 0080-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
Patch0081: 0081-ipatests-Tests-to-check-data-in-journal-log.patch
Patch0082: 0082-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
Patch0083: 0083-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
Patch0084: 0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
Patch0085: 0085-Correct-dnsrecord_-tests-for-raw-structured.patch
Patch0086: 0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
Patch0087: 0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
Patch0088: 0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
Patch0089: 0089-Test-fix-for-the-update.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1972,6 +1978,12 @@ fi
%endif
%changelog
* Tue Apr 29 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-17
- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder
- Resolves: RHEL-86481 Include latest fixes in python3-ipatests package
- Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
- Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
* Mon Mar 24 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-16
- Resolves: RHEL-84648 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)
- Resolves: RHEL-84279 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet