From 5bae5ab37a9f8fe92d0ad51825afeafd357e430c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Tue, 29 Apr 2025 17:49:26 +0200
Subject: [PATCH] ipa-4.12.2-17
- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder
- Resolves: RHEL-86481 Include latest fixes in python3-ipatests package
- Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
- Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
---
 ...ulate-forwarders-with-DoT-forwarders.patch | 49 ++++++++++
 ...-dnsrecord_-tests-for-raw-structured.patch | 90 +++++++++++++++++++
 ...or-ipa-healthcheck-test-in-FIPS-Mode.patch | 36 ++++++++
 ...emory-leak-in-ipa_sidgen_add_post_op.patch | 42 +++++++++
 ...-ipa-cert-fix-tool-to-avoid-updating.patch | 46 ++++++++++
 0089-Test-fix-for-the-update.patch | 41 +++++++++
 freeipa.spec | 14 ++-
 7 files changed, 317 insertions(+), 1 deletion(-)
 create mode 100644 0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
 create mode 100644 0085-Correct-dnsrecord_-tests-for-raw-structured.patch
 create mode 100644 0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
 create mode 100644 0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
 create mode 100644 0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
 create mode 100644 0089-Test-fix-for-the-update.patch

diff --git a/0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch b/0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
new file mode 100644
index 0000000..51be0a4
--- /dev/null
+++ b/0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
@@ -0,0 +1,49 @@
+From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
+From: Antonio Torres
+Date: Mon, 17 Feb 2025 10:21:53 +0100
+Subject: [PATCH] dns: don't populate forwarders with DoT forwarders
+
+DNS over TLS setup overrides global forwarder to point to Unbound, so no
+need to setup regular forwarders.
+
+Resolves: https://pagure.io/freeipa/issue/9748
+Signed-off-by: Antonio Torres
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/dns.py | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
+ 
+         if options.no_forwarders:
+             options.forwarders = []
+-        elif (options.forwarders
+-              or options.dot_forwarders or options.auto_forwarders):
++        elif options.forwarders or options.auto_forwarders:
+             if not options.forwarders:
+-                if options.dot_forwarders:
+-                    options.forwarders = [fw.split("#")[0]
+-                                          for fw in options.dot_forwarders]
+-                else:
+-                    options.forwarders = []
++                options.forwarders = []
+             if options.auto_forwarders:
+                 options.forwarders.extend(dnsforwarders.get_nameservers())
+         elif standalone or not replica:
+@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
+                 "and IPA CA is not present."
+             )
+ 
+-    if not options.forwarders and options.dot_forwarders:
+-        options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
+-
+     bind = bindinstance.BindInstance(fstore, api=api)
+     bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
+                options.forwarders, options.forward_policy,
+--
+2.49.0
+
diff --git a/0085-Correct-dnsrecord_-tests-for-raw-structured.patch b/0085-Correct-dnsrecord_-tests-for-raw-structured.patch
new file mode 100644
index 0000000..40457f5
--- /dev/null
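Review bot: With only `--dot-forwarder` given, `options.forwarders` is no longer set in the `elif options.forwarders or options.auto_forwarders:` branch, so control now falls through to `elif standalone or not replica:`, whose body is outside the hunk; if that branch prompts for forwarders or derives them some other way, unattended installs that pass only DoT forwarders change behaviour. An explicit guard before the fallback, `elif options.dot_forwarders: options.forwarders = []  # DoT forwarding is handled by Unbound`, would record the intent stated in the commit message and keep that path non-interactive. The removal of the dead `options.forwaders` assignment in `install()` is fine as is. `install_check` continues beyond the hunk.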
+++ b/0085-Correct-dnsrecord_-tests-for-raw-structured.patch 
@@ -0,0 +1,90 @@
+From d3e9e35ef73729956c649f2ee0d0ff3963f99e4e Mon Sep 17 00:00:00 2001
+From: David Hanina
+Date: Fri, 28 Mar 2025 10:33:15 +0100
+Subject: [PATCH] Correct dnsrecord_* tests for --raw --structured
+
+Fixes typo in the tests, --raw --structured is only checked if rest of
+the command is correct as well, therefore test changes were required.
+
+Fixes: https://pagure.io/freeipa/issue/9768
+Signed-off-by: David Hanina
+Reviewed-By: Michal Polovka
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_xmlrpc/test_dns_plugin.py | 32 ++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
+index 803b0a9571c2888dd02c4595c68403f37be7fed7..864d5287f8317a5154aec4c792f56deab7ff0120 100644
+--- a/ipatests/test_xmlrpc/test_dns_plugin.py
++++ b/ipatests/test_xmlrpc/test_dns_plugin.py
+@@ -3416,20 +3416,11 @@ class test_dns(Declarative):
+             },
+         ),
+ 
+-        dict(
+-            desc='Delete zone %r' % zone1,
+-            command=('dnszone_del', [zone1], {}),
+-            expected={
+-                'value': [zone1_absolute_dnsname],
+-                'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
+-                'result': {'failed': []},
+-            },
+-        ),
+-
+         dict(
+             desc="Ensure --raw and --structure does not work "
+                  "for ipa dnsrecord-add",
+-            command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++            command=('dnsrecord_add', [zone1, name1],
++                     {'arecord': arec2, u'raw': True, u'structured': True}),
+             expected=errors.MutuallyExclusiveError(
+                 reason=u"cannot use structured together with raw"
+             ),
+@@ -3438,7 +3429,8 @@ class test_dns(Declarative):
+         dict(
+             desc="Ensure --raw and --structure does not work "
+                  "for ipa dnsrecord-mod",
+-            command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++            command=('dnsrecord_mod', [zone1, name1],
++                     {'arecord': arec1, u'raw': True, u'structured': True}),
+             expected=errors.MutuallyExclusiveError(
+                 reason=u"cannot use structured together with raw"
+             ),
+@@ -3447,7 +3439,8 @@ class test_dns(Declarative):
+         dict(
+             desc="Ensure --raw and --structure does not work "
+                  "for ipa dnsrecord-show",
+-            command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++            command=('dnsrecord_show', [zone1, name1],
++                     {u'raw': True, u'structured': True}),
+             expected=errors.MutuallyExclusiveError(
+                 reason=u"cannot use structured together with raw"
+             ),
+@@ -3456,11 +3449,22 @@ class test_dns(Declarative):
+         dict(
+             desc="Ensure --raw and --structure does not work "
+                  "for ipa dnsrecord-find",
+-            command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++            command=('dnsrecord_find', [zone1],
++                     {u'raw': True, u'structured': True}),
+             expected=errors.MutuallyExclusiveError(
+                 reason=u"cannot use structured together with raw"
+             ),
+         ),
++
++        dict(
++            desc='Delete zone %r' % zone1,
++            command=('dnszone_del', [zone1], {}),
++            expected={
++                'value': [zone1_absolute_dnsname],
++                'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
++                'result': {'failed': []},
++            },
++        ),
+     ]
+ 
+ 
+--
+2.49.0
+
diff --git a/0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch b/0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
new file mode 100644
index 0000000..d35c257
--- /dev/null
+++ b/0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
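Review bot: The added `command=` tuples mix plain and `u''` keys in one dict, `{'arecord': arec2, u'raw': True, u'structured': True}`; this file is Python 3, so the `u` prefixes on the new lines are redundant and `{'arecord': arec2, 'raw': True, 'structured': True}` would read the same in all four cases. The mutual-exclusion cases now depend on zone1 and name1 still existing, which is why the `dnszone_del` case was moved to the end; a one-line comment above the first case, `# zone1/name1 must still exist here; the zone is deleted at the end of the list`, would make that ordering constraint visible to whoever next appends a test. The `test_dns` class begins before the hunk.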
@@ -0,0 +1,36 @@
+From d77c4597a841729cb7c890bb57cc548a70c8724b Mon Sep 17 00:00:00 2001
+From: Sudhir Menon
+Date: Tue, 1 Apr 2025 12:31:18 +0530
+Subject: [PATCH] ipatests: Fix for ipa-healthcheck test in FIPS Mode
+
+Fix https://github.com/freeipa/freeipa-healthcheck/pull/349
+was added for RHEL10 only causing the tests to
+fail in RHEL10.1.
+Hence the if condition has been changed in the testcode.
+
+Signed-off-by: Sudhir Menon
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_integration/test_ipahealthcheck.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index d72808f0f9b6dc7e438a16f9bd7e676f473fd323..8d1b9fce32f8e2e6ac78f9b26f9daf19445c3c8b 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -374,10 +374,10 @@ class TestIpaHealthCheck(IntegrationTest):
+         if (
+             parse_version(healthcheck_version) < parse_version("0.17")
+             and osinfo.id == 'rhel'
+-            and osinfo.version_number == (10,0)
++            and osinfo.version_number >= (10,0)
+         ):
+             # Patch: https://github.com/freeipa/freeipa-healthcheck/pull/349
+-            pytest.xfail("Patch is unavailable for RHEL 10.0 and "
++            pytest.xfail("Patch is unavailable for RHEL 10.0 and above"
+                          "freeipa-healtheck version 0.16 or less")
+ 
+         returncode, check = run_healthcheck(self.master,
+--
+2.49.0
+
diff --git a/0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch b/0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
new file mode 100644
index 0000000..8d2abb4
--- /dev/null
+++ b/0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
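Review bot: The new `pytest.xfail("Patch is unavailable for RHEL 10.0 and above"` drops the trailing space the replaced line had, so implicit concatenation with the unchanged continuation produces "...and abovefreeipa-healtheck version..." in the xfail reason; restore it as `pytest.xfail("Patch is unavailable for RHEL 10.0 and above "`. The continuation line's `healtheck` typo predates this change but could be corrected to `healthcheck` in the same edit. The comparison `osinfo.version_number >= (10,0)` assumes `version_number` is always a comparable tuple on RHEL; that is not visible here and is worth confirming. The enclosing test method begins and ends outside the hunk.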
@@ -0,0 +1,42 @@
+From 1aac0a5f7e0702e23e0ba6dad726734b5d75710d Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Mon, 31 Mar 2025 11:50:41 +0200
+Subject: [PATCH] ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
+
+Also remove unused "search_pb" variable and its associated free
+functions.
+
+Fixes: https://pagure.io/freeipa/issue/9772
+Signed-off-by: Julien Rische
+Reviewed-By: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+index 99e6b850b04145cefcb7830df5fe4b36adec45de..35ecef228d7fac1e7009dbf97983089755aa6768 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+@@ -81,7 +81,6 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
+     const char *dn_str;
+     Slapi_DN *dn = NULL;
+     struct ipa_sidgen_ctx *ctx;
+-    Slapi_PBlock *search_pb = NULL;
+     char *errmsg = NULL;
+ 
+     ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
+@@ -152,9 +151,8 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
+ 
+     ret = 0;
+ done:
+-    slapi_free_search_results_internal(search_pb);
+-    slapi_pblock_destroy(search_pb);
+     slapi_sdn_free(&dn);
++    slapi_entry_free(entry);
+ 
+     if (ret != 0) {
+         if (errmsg == NULL) {
+--
+2.49.0
+
diff --git a/0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch b/0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
new file mode 100644
index 0000000..bd6e2e3
--- /dev/null
+++ b/0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
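Review bot: `slapi_entry_free(entry);` at the `done:` label is reached from every `goto done`, including early failure paths taken before `entry` is assigned, so it is only safe if `entry` is initialised to NULL at its declaration; that declaration is outside the hunk (it is not among the locals shown at line 81) and should be checked, e.g. `Slapi_Entry *entry = NULL;`. The free also presumes `entry` is the caller-owned result of an internal search rather than the `SLAPI_ENTRY_POST_OP` entry owned by the operation, which a plugin must not free; a comment at the call, `/* entry is owned by this plugin (internal search result), not by pb */`, would record that invariant for the next reader. `ipa_sidgen_add_post_op` continues beyond both hunks.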
@@ -0,0 +1,46 @@
+From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov
+Date: Sat, 8 Mar 2025 14:55:09 +0100
+Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if
+ CA is close to being expired.
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov
+Reviewed-By: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
+index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
+--- a/ipaserver/install/ipa_cert_fix.py
++++ b/ipaserver/install/ipa_cert_fix.py
+@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
+ 
+ 
+ cert_nicknames = {
++    'ca_issuing': 'caSigningCert cert-pki-ca',
+     'sslserver': 'Server-Cert cert-pki-ca',
+     'subsystem': 'subsystemCert cert-pki-ca',
+     'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
+@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
+             print("Nothing to do.")
+             return 0
+ 
++        if any(key == 'ca_issuing' for key, _ in certs):
++            logger.debug("CA signing cert is expired, exiting!")
++            print(
++                "The CA signing certificate is expired or will expire within "
++                "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
++                "refer to the ipa-cacert-manage tool to renew the CA "
++                "certificate before proceeding."
++            )
++            return 1
++
+         print(msg)
+ 
+         print_intentions(certs, extra_certs, non_renewed)
+--
+2.49.0
+
diff --git a/0089-Test-fix-for-the-update.patch b/0089-Test-fix-for-the-update.patch
new file mode 100644
index 0000000..047a2ce
--- /dev/null
+++ b/0089-Test-fix-for-the-update.patch
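Review bot: `logger.debug("CA signing cert is expired, exiting!")` is emitted only at DEBUG, so a run that aborts with return code 1 leaves nothing in the log unless `-v` was given, and its wording is narrower than the printed text (expired *or* about to expire); an error-level record matching the user-facing message, `logger.error("CA signing certificate is expired or about to expire; refusing to renew")`, is what an operator reading the log afterwards needs. The companion test in 0089 asserts that exact debug string in stderr, so the two must change together. The "next two weeks" in the message is not defined in this hunk and presumably mirrors the expiry horizon used to populate `certs` earlier in the method; a comment above the check such as `# 'ca_issuing' lands in certs only when caSigningCert is within the expiry window checked above` would tie the message to that window and reduce drift. The enclosing `IPACertFix` method begins before and ends after the hunk.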
@@ -0,0 +1,41 @@
+From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov
+Date: Sat, 8 Mar 2025 15:04:57 +0100
+Subject: [PATCH] Test fix for the update
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov
+Reviewed-By: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_integration/test_ipa_cert_fix.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 15d8a81575dc7f2077c34b8907fbeb3e2f6eb66f..d11fd3d611e7e5755569e8fc70de6f261473e3f3 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
+         valid. If CA cert expired, ipa-cert-fix won't work.
+ 
+         related: https://pagure.io/freeipa/issue/8721
++
++        If CA cert is close to expiry, there's no reason to issue new certs
++        with short validity period. So, ipa-cert-fix should fail in this case.
++
++        related: https://pagure.io/freeipa/issue/9760
+         """
+         result = self.master.run_command(['ipa-cert-fix', '-v'],
+                                          stdin_text='yes\n',
+                                          raiseonerr=False)
+         # check that pki-server cert-fix command fails
+-        err_msg = ("ERROR: CalledProcessError(Command "
+-                   "['pki-server', 'cert-fix'")
++        err_msg = ("CA signing cert is expired, exiting!")
++        assert result.returncode == 1
+         assert err_msg in result.stderr_text
+ 
+ 
+--
+2.49.0
+
diff --git a/freeipa.spec b/freeipa.spec
index ada1f5e..9009168 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -207,7 +207,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 16%{?rc_version:.%rc_version}%{?dist}
+Release: 17%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
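Review bot: The new assertion pins a DEBUG-level log line, `err_msg = ("CA signing cert is expired, exiting!")`, which only appears in stderr because the command is invoked with `-v`; asserting on the user-facing output is sturdier against log-level changes, e.g. `assert "ipa-cert-fix cannot proceed" in result.stdout_text` next to the new `assert result.returncode == 1`. The unchanged comment `# check that pki-server cert-fix command fails` no longer describes what is checked and should read `# ipa-cert-fix must refuse to run while the CA signing cert is expired`. The parentheses around the single string literal in the `err_msg` assignment are redundant and can be dropped. The test method begins before the hunk.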
@@ -321,6 +321,12 @@ Patch0080: 0080-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
 Patch0081: 0081-ipatests-Tests-to-check-data-in-journal-log.patch
 Patch0082: 0082-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
 Patch0083: 0083-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
+Patch0084: 0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
+Patch0085: 0085-Correct-dnsrecord_-tests-for-raw-structured.patch
+Patch0086: 0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
+Patch0087: 0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
+Patch0088: 0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
+Patch0089: 0089-Test-fix-for-the-update.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1972,6 +1978,12 @@ fi
 %endif
 
 %changelog
+* Tue Apr 29 2025 Florence Blanc-Renaud - 4.12.2-17
+- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder
+- Resolves: RHEL-86481 Include latest fixes in python3-ipatests package
+- Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
+- Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
+
 * Mon Mar 24 2025 Florence Blanc-Renaud - 4.12.2-16
 - Resolves: RHEL-84648 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)
 - Resolves: RHEL-84279 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet