import ipa-4.8.7-13.module+el8.3.0+8376+0bba7131
This commit is contained in:
commit
615535485a
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/freeipa-4.8.7.tar.gz
|
1
.ipa.metadata
Normal file
1
.ipa.metadata
Normal file
@ -0,0 +1 @@
|
||||
0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz
|
@ -0,0 +1,409 @@
|
||||
From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001
|
||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Date: Thu, 28 May 2020 08:47:49 +0200
|
||||
Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while
|
||||
adding idoverrideuser association
|
||||
|
||||
Add builder for association adder dialog which allows to override behavior of the component.
|
||||
Replace default implementation with a custom one for idoverrideuser.
|
||||
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
|
||||
|
||||
Ticket: https://pagure.io/freeipa/issue/8335
|
||||
|
||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
install/ui/src/freeipa/association.js | 13 ++++-
|
||||
install/ui/src/freeipa/dialog.js | 73 ++++++++++++++++-----------
|
||||
install/ui/src/freeipa/group.js | 14 +++++
|
||||
install/ui/src/freeipa/idviews.js | 58 +++++++++++++++++++++
|
||||
ipaserver/plugins/internal.py | 6 +++
|
||||
5 files changed, 133 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
|
||||
index f10ccb2a5..b083a79f9 100644
|
||||
--- a/install/ui/src/freeipa/association.js
|
||||
+++ b/install/ui/src/freeipa/association.js
|
||||
@@ -25,6 +25,7 @@
|
||||
define([
|
||||
'dojo/_base/lang',
|
||||
'dojo/Deferred',
|
||||
+ './builder',
|
||||
'./metadata',
|
||||
'./ipa',
|
||||
'./jquery',
|
||||
@@ -38,7 +39,7 @@ define([
|
||||
'./facet',
|
||||
'./search',
|
||||
'./dialog'],
|
||||
- function(lang, Deferred, metadata_provider, IPA, $, metadata,
|
||||
+ function(lang, Deferred, builder, metadata_provider, IPA, $, metadata,
|
||||
navigation, phases, reg, rpc, su, text) {
|
||||
|
||||
/**
|
||||
@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) {
|
||||
|
||||
var pkeys = that.data.result.result[that.get_attribute_name()];
|
||||
|
||||
- var dialog = IPA.association_adder_dialog({
|
||||
+ var dialog = builder.build('association_adder_dialog', {
|
||||
+ $type: that.other_entity.name,
|
||||
title: title,
|
||||
entity: that.entity,
|
||||
pkey: pkey,
|
||||
@@ -1675,6 +1677,13 @@ IPA.attr_read_only_evaluator = function(spec) {
|
||||
return that;
|
||||
};
|
||||
|
||||
+// Create a registry for adder dialogs where key is name of 'other entity'.
|
||||
+// It allows to override dialogs for some specific cases of association
|
||||
+// creation.
|
||||
+var dialog_builder = builder.get('association_adder_dialog');
|
||||
+dialog_builder.factory = IPA.association_adder_dialog;
|
||||
+reg.set('association_adder_dialog', dialog_builder.registry);
|
||||
+
|
||||
phases.on('registration', function() {
|
||||
var w = reg.widget;
|
||||
var f = reg.field;
|
||||
diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
|
||||
index c153120df..d67d63b6d 100644
|
||||
--- a/install/ui/src/freeipa/dialog.js
|
||||
+++ b/install/ui/src/freeipa/dialog.js
|
||||
@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) {
|
||||
'class': 'input-group col-md-12 adder-dialog-top'
|
||||
}).appendTo(container);
|
||||
|
||||
- var filter_placeholder = text.get('@i18n:association.filter_placeholder');
|
||||
- filter_placeholder = filter_placeholder.replace('${other_entity}',
|
||||
- that.other_entity.metadata.label);
|
||||
-
|
||||
- that.filter_field = $('<input/>', {
|
||||
- type: 'text',
|
||||
- name: 'filter',
|
||||
- 'class': 'form-control',
|
||||
- 'placeholder': filter_placeholder,
|
||||
- keyup: function(event) {
|
||||
- if (event.keyCode === keys.ENTER) {
|
||||
- that.search();
|
||||
- return false;
|
||||
- }
|
||||
- }
|
||||
- }).appendTo(input_group);
|
||||
-
|
||||
- var input_group_btn = $('<div/>', {
|
||||
- 'class': 'input-group-btn'
|
||||
- }).appendTo(input_group);
|
||||
-
|
||||
- that.find_button = IPA.button({
|
||||
- name: 'find',
|
||||
- label: '@i18n:buttons.filter',
|
||||
- click: function() {
|
||||
- that.search();
|
||||
- return false;
|
||||
- }
|
||||
- }).appendTo(input_group_btn);
|
||||
+ that.filter_field = that.get_filter_field(input_group);
|
||||
|
||||
var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container);
|
||||
//
|
||||
@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) {
|
||||
return that.filter_field.val();
|
||||
};
|
||||
|
||||
+ /**
|
||||
+ * Return field for filtering available items
|
||||
+ *
|
||||
+ * Default implementation returns text input + "Filter" button.
|
||||
+ * It can be overridden.
|
||||
+ *
|
||||
+ * @param {HTMLElement} input_group - container for a filter field
|
||||
+ * @return {HTMLElement}
|
||||
+ */
|
||||
+ that.get_filter_field = function(input_group) {
|
||||
+ var filter_placeholder = text.get(
|
||||
+ '@i18n:association.filter_placeholder'
|
||||
+ ).replace('${other_entity}', that.other_entity.metadata.label);
|
||||
+
|
||||
+ var filter_field = $('<input/>', {
|
||||
+ type: 'text',
|
||||
+ name: 'filter',
|
||||
+ 'class': 'form-control',
|
||||
+ 'placeholder': filter_placeholder,
|
||||
+ keyup: function(event) {
|
||||
+ if (event.keyCode === keys.ENTER) {
|
||||
+ that.search();
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+ }).appendTo(input_group);
|
||||
+
|
||||
+ var input_group_btn = $('<div/>', {
|
||||
+ 'class': 'input-group-btn'
|
||||
+ }).appendTo(input_group);
|
||||
+
|
||||
+ that.find_button = IPA.button({
|
||||
+ name: 'find',
|
||||
+ label: '@i18n:buttons.filter',
|
||||
+ click: function() {
|
||||
+ that.search();
|
||||
+ return false;
|
||||
+ }
|
||||
+ }).appendTo(input_group_btn);
|
||||
+
|
||||
+ return filter_field;
|
||||
+ };
|
||||
+
|
||||
/**
|
||||
* Clear rows in available table
|
||||
*/
|
||||
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
|
||||
index e46d8c7e3..2984bd4b2 100644
|
||||
--- a/install/ui/src/freeipa/group.js
|
||||
+++ b/install/ui/src/freeipa/group.js
|
||||
@@ -205,6 +205,20 @@ return {
|
||||
add_title: '@i18n:objects.group.add_into_sudo',
|
||||
remove_method: 'remove_user',
|
||||
remove_title: '@i18n:objects.group.remove_from_sudo'
|
||||
+ },
|
||||
+ {
|
||||
+ $type: 'association',
|
||||
+ name: 'member_idoverrideuser',
|
||||
+ associator: IPA.serial_associator,
|
||||
+ add_title: '@i18n:objects.group.add_idoverride_user',
|
||||
+ remove_title: '@i18n:objects.group.remove_idoverride_users',
|
||||
+ columns: [
|
||||
+ {
|
||||
+ name: 'ipaanchoruuid',
|
||||
+ label: '@i18n:objects.idoverrideuser.anchor_label',
|
||||
+ link: false
|
||||
+ }
|
||||
+ ]
|
||||
}
|
||||
],
|
||||
standard_association_facets: true,
|
||||
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
|
||||
index 35dc998c8..a4fca6205 100644
|
||||
--- a/install/ui/src/freeipa/idviews.js
|
||||
+++ b/install/ui/src/freeipa/idviews.js
|
||||
@@ -966,6 +966,58 @@ idviews.unapply_action = function(spec) {
|
||||
return that;
|
||||
};
|
||||
|
||||
+idviews.idoverrideuser_adder_dialog = function(spec) {
|
||||
+
|
||||
+ spec = spec || {};
|
||||
+
|
||||
+ var that = IPA.association_adder_dialog(spec);
|
||||
+
|
||||
+ that.base_search = that.search;
|
||||
+
|
||||
+ that.search = function() {
|
||||
+ // Search for users only in case a ID view is selected
|
||||
+ if (that.get_filter()) {
|
||||
+ that.base_search();
|
||||
+ }
|
||||
+ };
|
||||
+
|
||||
+ /**
|
||||
+ * Replace default text filter with a select box for filtering by ID view
|
||||
+ */
|
||||
+ that.get_filter_field = function(input_group) {
|
||||
+
|
||||
+ var filter_field = $('<select/>', {
|
||||
+ name: 'filter',
|
||||
+ 'class': 'form-control',
|
||||
+ change: function(event) {
|
||||
+ that.search();
|
||||
+ }
|
||||
+ }).appendTo(input_group);
|
||||
+
|
||||
+ rpc.command({
|
||||
+ entity: 'idview',
|
||||
+ method: 'find',
|
||||
+ on_success: function(data) {
|
||||
+ var results = data.result;
|
||||
+
|
||||
+ for (var i=0; i<results.count; i++) {
|
||||
+ var result = results.result[i];
|
||||
+ $('<option/>', {
|
||||
+ text: result.cn[0],
|
||||
+ value: result.cn[0]
|
||||
+ }).appendTo(filter_field);
|
||||
+ }
|
||||
+
|
||||
+ that.search();
|
||||
+ }
|
||||
+ }).execute();
|
||||
+
|
||||
+ return filter_field;
|
||||
+ };
|
||||
+
|
||||
+ return that;
|
||||
+};
|
||||
+
|
||||
/**
|
||||
* ID View entity specification object
|
||||
* @member idviews
|
||||
@@ -993,6 +1045,7 @@ idviews.register = function() {
|
||||
var f = reg.facet;
|
||||
var a = reg.action;
|
||||
var w = reg.widget;
|
||||
+ var ad = reg.association_adder_dialog;
|
||||
|
||||
e.register({type: 'idview', spec: idviews.spec});
|
||||
e.register({
|
||||
@@ -1012,6 +1065,11 @@ idviews.register = function() {
|
||||
|
||||
w.register('idviews_certs', idviews.idviews_certs_widget);
|
||||
w.register('cert_textarea', idviews.cert_textarea_widget);
|
||||
+
|
||||
+ ad.register({
|
||||
+ type: 'idoverrideuser',
|
||||
+ factory: idviews.idoverrideuser_adder_dialog
|
||||
+ });
|
||||
};
|
||||
|
||||
phases.on('registration', idviews.register);
|
||||
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
|
||||
index 5f2b1fdc2..7622e65dc 100644
|
||||
--- a/ipaserver/plugins/internal.py
|
||||
+++ b/ipaserver/plugins/internal.py
|
||||
@@ -835,6 +835,9 @@ class i18n_messages(Command):
|
||||
"Remove users from member managers for user group "
|
||||
"'${primary_key}'"
|
||||
),
|
||||
+ "add_idoverride_user": _(
|
||||
+ "Add user ID override into user group '${primary_key}'"
|
||||
+ ),
|
||||
"details": _("Group Settings"),
|
||||
"external": _("External"),
|
||||
"groups": _("Groups"),
|
||||
@@ -868,6 +871,9 @@ class i18n_messages(Command):
|
||||
"remove_users": _(
|
||||
"Remove users from user group '${primary_key}'"
|
||||
),
|
||||
+ "remove_idoverride_users": _(
|
||||
+ "Remove user ID overrides from user group '${primary_key}'"
|
||||
+ ),
|
||||
"type": _("Group Type"),
|
||||
"user_groups": _("User Groups"),
|
||||
},
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From f6c460aee8542d4d81cd9970d71051c240156973 Mon Sep 17 00:00:00 2001
|
||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Date: Thu, 16 Jul 2020 18:52:24 +0200
|
||||
Subject: [PATCH] WebUI: Fix error "unknown command
|
||||
'idoverrideuser_add_member'"
|
||||
|
||||
There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
|
||||
as a result a wrong command was sent to the server.
|
||||
|
||||
Ticket: https://pagure.io/freeipa/issue/8416
|
||||
|
||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
install/ui/src/freeipa/group.js | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
|
||||
index 2984bd4b2..61c19a82f 100644
|
||||
--- a/install/ui/src/freeipa/group.js
|
||||
+++ b/install/ui/src/freeipa/group.js
|
||||
@@ -209,7 +209,6 @@ return {
|
||||
{
|
||||
$type: 'association',
|
||||
name: 'member_idoverrideuser',
|
||||
- associator: IPA.serial_associator,
|
||||
add_title: '@i18n:objects.group.add_idoverride_user',
|
||||
remove_title: '@i18n:objects.group.remove_idoverride_users',
|
||||
columns: [
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From e35739b7e9f6bb016b37abbd92bdaee71a59a288 Mon Sep 17 00:00:00 2001
|
||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Date: Wed, 29 Jul 2020 09:41:36 +0200
|
||||
Subject: [PATCH] WebUI tests: Add test case to cover user ID override feature
|
||||
|
||||
The test case includes adding an user ID override to Default Trust View
|
||||
and adding the ID override to some IPA group.
|
||||
|
||||
Ticket: https://pagure.io/freeipa/issue/8416
|
||||
|
||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipatests/test_webui/test_trust.py | 41 +++++++++++++++++++++++++++++++
|
||||
1 file changed, 41 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py
|
||||
index c04c2fcd8..605f8a2a7 100644
|
||||
--- a/ipatests/test_webui/test_trust.py
|
||||
+++ b/ipatests/test_webui/test_trust.py
|
||||
@@ -21,6 +21,8 @@
|
||||
Trust tests
|
||||
"""
|
||||
|
||||
+import ipatests.test_webui.data_group as group
|
||||
+import ipatests.test_webui.data_idviews as idview
|
||||
from ipatests.test_webui.ui_driver import UI_driver
|
||||
from ipatests.test_webui.ui_driver import screenshot
|
||||
from ipatests.test_webui.task_range import range_tasks
|
||||
@@ -29,6 +31,8 @@ import pytest
|
||||
ENTITY = 'trust'
|
||||
CONFIG_ENTITY = 'trustconfig'
|
||||
|
||||
+DEFAULT_TRUST_VIEW = 'Default Trust View'
|
||||
+
|
||||
CONFIG_DATA = {
|
||||
'mod': [
|
||||
['combobox', 'ipantfallbackprimarygroup', 'admins'],
|
||||
@@ -164,3 +168,40 @@ class test_trust(trust_tasks):
|
||||
|
||||
self.mod_record(CONFIG_ENTITY, CONFIG_DATA)
|
||||
self.mod_record(CONFIG_ENTITY, CONFIG_DATA2)
|
||||
+
|
||||
+ @screenshot
|
||||
+ def test_group_member_idoverrideuser(self):
|
||||
+
|
||||
+ self.init_app()
|
||||
+
|
||||
+ # Create new trust
|
||||
+ data = self.get_data()
|
||||
+ self.add_record(ENTITY, data)
|
||||
+
|
||||
+ # Create an user ID override
|
||||
+ ad_domain = self.config.get('ad_domain')
|
||||
+ ad_admin = self.config.get('ad_admin')
|
||||
+ idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower()
|
||||
+
|
||||
+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
|
||||
+ self.add_record(idview.ENTITY, {
|
||||
+ 'pkey': idoverrideuser_pkey,
|
||||
+ 'add': [
|
||||
+ ('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey),
|
||||
+ ],
|
||||
+ }, facet='idoverrideuser')
|
||||
+
|
||||
+ # Create new group and add the user ID override there
|
||||
+ self.navigate_to_entity(group.ENTITY)
|
||||
+ self.add_record(group.ENTITY, group.DATA)
|
||||
+ self.navigate_to_record(group.PKEY)
|
||||
+ self.add_associations([idoverrideuser_pkey],
|
||||
+ facet='member_idoverrideuser', delete=True)
|
||||
+
|
||||
+ # Clean up data
|
||||
+ self.navigate_to_entity(group.ENTITY)
|
||||
+ self.delete_record(group.PKEY)
|
||||
+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
|
||||
+ self.delete_record(idoverrideuser_pkey)
|
||||
+ self.navigate_to_entity(ENTITY)
|
||||
+ self.delete_record(ad_domain)
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,601 @@
|
||||
From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 11:17:25 +0200
|
||||
Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks
|
||||
|
||||
The init/systemd directory is for server only and not part of
|
||||
CLIENT_ONLY builds.
|
||||
|
||||
It's necesary to run pre/post installation hooks to make systemd aware
|
||||
of new files.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8367
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
.gitignore | 4 +--
|
||||
client/Makefile.am | 1 +
|
||||
client/share/Makefile.am | 5 ++++
|
||||
{install => client}/share/expire_msg.template | 0
|
||||
client/systemd/Makefile.am | 27 +++++++++++++++++++
|
||||
{init => client}/systemd/ipa-epn.service.in | 0
|
||||
{init => client}/systemd/ipa-epn.timer.in | 0
|
||||
configure.ac | 24 +++++++++++++++--
|
||||
freeipa.spec.in | 15 +++++++++++
|
||||
init/systemd/Makefile.am | 8 +++---
|
||||
install/share/Makefile.am | 5 ----
|
||||
server.m4 | 19 -------------
|
||||
12 files changed, 76 insertions(+), 32 deletions(-)
|
||||
rename {install => client}/share/expire_msg.template (100%)
|
||||
create mode 100644 client/systemd/Makefile.am
|
||||
rename {init => client}/systemd/ipa-epn.service.in (100%)
|
||||
rename {init => client}/systemd/ipa-epn.timer.in (100%)
|
||||
|
||||
#diff --git a/.gitignore b/.gitignore
|
||||
#index 6584c3b4f..4cedb1ff2 100644
|
||||
#--- a/.gitignore
|
||||
#+++ b/.gitignore
|
||||
#@@ -94,8 +94,6 @@ freeipa2-dev-doc
|
||||
# /init/ipa_memcached
|
||||
# /init/systemd/ipa-custodia.service
|
||||
# /init/systemd/ipa.service
|
||||
#-/init/systemd/ipa-epn.service
|
||||
#-/init/systemd/ipa-epn.timer
|
||||
# /init/tmpfilesd/ipa.conf
|
||||
#
|
||||
# !/install/ui/doc/Makefile.in
|
||||
#@@ -116,6 +114,8 @@ freeipa2-dev-doc
|
||||
# /client/ipa-getkeytab
|
||||
# /client/ipa-join
|
||||
# /client/ipa-rmkeytab
|
||||
#+/client/systemd/ipa-epn.service
|
||||
#+/client/systemd/ipa-epn.timer
|
||||
#
|
||||
# /ipaplatform/override.py
|
||||
# /ipapython/version.py
|
||||
diff --git a/client/Makefile.am b/client/Makefile.am
|
||||
index 858a9369e..87da87fcd 100644
|
||||
--- a/client/Makefile.am
|
||||
+++ b/client/Makefile.am
|
||||
@@ -95,6 +95,7 @@ SUBDIRS = \
|
||||
share \
|
||||
man \
|
||||
sysconfig \
|
||||
+ systemd \
|
||||
$(NULL)
|
||||
# init
|
||||
|
||||
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
|
||||
index 6d4a62d5e..1402a3a9d 100644
|
||||
--- a/client/share/Makefile.am
|
||||
+++ b/client/share/Makefile.am
|
||||
@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client
|
||||
dist_app_DATA = \
|
||||
freeipa.template \
|
||||
$(NULL)
|
||||
+
|
||||
+epnconfdir = $(IPA_SYSCONF_DIR)/epn
|
||||
+dist_epnconf_DATA = \
|
||||
+ expire_msg.template \
|
||||
+ $(NULL)
|
||||
diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template
|
||||
similarity index 100%
|
||||
rename from install/share/expire_msg.template
|
||||
rename to client/share/expire_msg.template
|
||||
diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am
|
||||
new file mode 100644
|
||||
index 000000000..1f591be83
|
||||
--- /dev/null
|
||||
+++ b/client/systemd/Makefile.am
|
||||
@@ -0,0 +1,27 @@
|
||||
+# This file will be processed with automake-1.7 to create Makefile.in
|
||||
+#
|
||||
+AUTOMAKE_OPTIONS = 1.7
|
||||
+
|
||||
+NULL =
|
||||
+
|
||||
+dist_noinst_DATA = \
|
||||
+ ipa-epn.service.in \
|
||||
+ ipa-epn.timer.in \
|
||||
+ $(NULL)
|
||||
+
|
||||
+systemdsystemunit_DATA = \
|
||||
+ ipa-epn.service \
|
||||
+ ipa-epn.timer \
|
||||
+ $(NULL)
|
||||
+
|
||||
+CLEANFILES = $(systemdsystemunit_DATA)
|
||||
+
|
||||
+%: %.in Makefile
|
||||
+ sed \
|
||||
+ -e 's|@bindir[@]|$(bindir)|g' \
|
||||
+ -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
|
||||
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
|
||||
+ -e 's|@sbindir[@]|$(sbindir)|g' \
|
||||
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
|
||||
+ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
|
||||
+ '$(srcdir)/$@.in' >$@
|
||||
diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in
|
||||
similarity index 100%
|
||||
rename from init/systemd/ipa-epn.service.in
|
||||
rename to client/systemd/ipa-epn.service.in
|
||||
diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in
|
||||
similarity index 100%
|
||||
rename from init/systemd/ipa-epn.timer.in
|
||||
rename to client/systemd/ipa-epn.timer.in
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 5ec529088..586b2532a 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir],
|
||||
[runstatedir="/run"])
|
||||
AC_SUBST([runstatedir])
|
||||
|
||||
+dnl ---------------------------------------------------------------------------
|
||||
+dnl - Check for systemd directories
|
||||
+dnl ---------------------------------------------------------------------------
|
||||
+
|
||||
+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
|
||||
+AC_ARG_WITH([systemdsystemunitdir],
|
||||
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
|
||||
+ [Directory for systemd service files]),
|
||||
+ [systemdsystemunitdir=$with_systemdsystemunitdir],
|
||||
+ [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
|
||||
+AC_SUBST([systemdsystemunitdir])
|
||||
+
|
||||
+AC_ARG_WITH([systemdtmpfilesdir],
|
||||
+ AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
|
||||
+ [Directory for systemd-tmpfiles configuration files]),
|
||||
+ [systemdtmpfilesdir=$with_systemdtmpfilesdir],
|
||||
+ [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
|
||||
+AC_SUBST([systemdtmpfilesdir])
|
||||
+
|
||||
dnl ---------------------------------------------------------------------------
|
||||
dnl - Server-only configuration
|
||||
dnl ---------------------------------------------------------------------------
|
||||
@@ -544,6 +563,7 @@ AC_CONFIG_FILES([
|
||||
client/share/Makefile
|
||||
client/man/Makefile
|
||||
client/sysconfig/Makefile
|
||||
+ client/systemd/Makefile
|
||||
contrib/completion/Makefile
|
||||
contrib/Makefile
|
||||
daemons/dnssec/Makefile
|
||||
@@ -637,13 +657,13 @@ echo "
|
||||
jslint: ${JSLINT}
|
||||
LDAP libs: ${LDAP_LIBS}
|
||||
OpenSSL crypto libs: ${CRYPTO_LIBS}
|
||||
- KRB5 libs: ${KRB5_LIBS}"
|
||||
+ KRB5 libs: ${KRB5_LIBS}
|
||||
+ systemdsystemunitdir: ${systemdsystemunitdir}"
|
||||
|
||||
AM_COND_IF([ENABLE_SERVER], [
|
||||
echo "\
|
||||
KRAD libs: ${KRAD_LIBS}
|
||||
krb5rundir: ${krb5rundir}
|
||||
- systemdsystemunitdir: ${systemdsystemunitdir}
|
||||
systemdtmpfilesdir: ${systemdtmpfilesdir}
|
||||
build mode: server & client"
|
||||
], [
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index cec57e64e..1d8f4e6aa 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment
|
||||
%package client-epn
|
||||
Summary: Tools to configure Expiring Password Notification in IPA
|
||||
Group: System Environment/Base
|
||||
+Requires: systemd-units
|
||||
+Requires(post): systemd-units
|
||||
+Requires(preun): systemd-units
|
||||
+Requires(postun): systemd-units
|
||||
Requires: %{name}-client = %{version}-%{release}
|
||||
|
||||
%description client-epn
|
||||
@@ -1003,6 +1007,17 @@ fi
|
||||
# ONLY_CLIENT
|
||||
%endif
|
||||
|
||||
+%preun client-epn
|
||||
+%systemd_preun ipa-epn.service
|
||||
+%systemd_preun ipa-epn.timer
|
||||
+
|
||||
+%postun client-epn
|
||||
+%systemd_postun ipa-epn.service
|
||||
+%systemd_postun ipa-epn.timer
|
||||
+
|
||||
+%post client-epn
|
||||
+%systemd_post ipa-epn.service
|
||||
+%systemd_post ipa-epn.timer
|
||||
|
||||
%post client
|
||||
if [ $1 -gt 1 ] ; then
|
||||
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
|
||||
index 5053dbff6..175178787 100644
|
||||
--- a/init/systemd/Makefile.am
|
||||
+++ b/init/systemd/Makefile.am
|
||||
@@ -2,17 +2,17 @@
|
||||
#
|
||||
AUTOMAKE_OPTIONS = 1.7
|
||||
|
||||
+NULL =
|
||||
+
|
||||
dist_noinst_DATA = \
|
||||
ipa-custodia.service.in \
|
||||
ipa.service.in \
|
||||
- ipa-epn.service.in \
|
||||
- ipa-epn.timer.in
|
||||
+ $(NULL)
|
||||
|
||||
systemdsystemunit_DATA = \
|
||||
ipa-custodia.service \
|
||||
ipa.service \
|
||||
- ipa-epn.service \
|
||||
- ipa-epn.timer
|
||||
+ $(NULL)
|
||||
|
||||
CLEANFILES = $(systemdsystemunit_DATA)
|
||||
|
||||
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
||||
index 496e81288..e95796dfb 100644
|
||||
--- a/install/share/Makefile.am
|
||||
+++ b/install/share/Makefile.am
|
||||
@@ -106,8 +106,3 @@ dist_app_DATA = \
|
||||
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
|
||||
dist_kdcproxyconf_DATA = \
|
||||
kdcproxy.conf
|
||||
-
|
||||
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
|
||||
-dist_epnconf_DATA = \
|
||||
- expire_msg.template \
|
||||
- $(NULL)
|
||||
diff --git a/server.m4 b/server.m4
|
||||
index d35823e80..842d599d2 100644
|
||||
--- a/server.m4
|
||||
+++ b/server.m4
|
||||
@@ -153,22 +153,3 @@ dnl Check for libverto
|
||||
dnl ---------------------------------------------------------------------------
|
||||
|
||||
PKG_CHECK_MODULES([LIBVERTO], [libverto])
|
||||
-
|
||||
-dnl ---------------------------------------------------------------------------
|
||||
-dnl - Check for systemd directories
|
||||
-dnl ---------------------------------------------------------------------------
|
||||
-
|
||||
-PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
|
||||
-AC_ARG_WITH([systemdsystemunitdir],
|
||||
- AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
|
||||
- [Directory for systemd service files]),
|
||||
- [systemdsystemunitdir=$with_systemdsystemunitdir],
|
||||
- [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
|
||||
-AC_SUBST([systemdsystemunitdir])
|
||||
-
|
||||
-AC_ARG_WITH([systemdtmpfilesdir],
|
||||
- AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
|
||||
- [Directory for systemd-tmpfiles configuration files]),
|
||||
- [systemdtmpfilesdir=$with_systemdtmpfilesdir],
|
||||
- [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
|
||||
-AC_SUBST([systemdtmpfilesdir])
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Mon, 22 Jun 2020 16:39:02 +0200
|
||||
Subject: [PATCH] EPN: ship the configuration file.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Ship and install /etc/ipa/epn.conf.
|
||||
Minor fixes to the associated man page.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8374
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
client/man/epn.conf.5 | 5 ++--
|
||||
client/share/Makefile.am | 7 +++++-
|
||||
client/share/epn.conf | 54 ++++++++++++++++++++++++++++++++++++++++
|
||||
freeipa.spec.in | 4 ++-
|
||||
4 files changed, 65 insertions(+), 5 deletions(-)
|
||||
create mode 100644 client/share/epn.conf
|
||||
|
||||
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
|
||||
index 38e99e25d..14f5dbb75 100644
|
||||
--- a/client/man/epn.conf.5
|
||||
+++ b/client/man/epn.conf.5
|
||||
@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is
|
||||
root@localhost. Bounces will be sent here.
|
||||
.TP
|
||||
.B smtp_delay <milliseconds>
|
||||
-Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue.
|
||||
+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
|
||||
.TP
|
||||
.B mail_from <address>
|
||||
-Specifies the From: e-mal address value in the e-mails sent. The default is
|
||||
-noreply@ipadefaultemaildomain. This value can be found by running
|
||||
+Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
|
||||
.I ipa config-show
|
||||
.TP
|
||||
.B notify_ttls <list of days>
|
||||
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
|
||||
index 1402a3a9d..472242e62 100644
|
||||
--- a/client/share/Makefile.am
|
||||
+++ b/client/share/Makefile.am
|
||||
@@ -5,7 +5,12 @@ dist_app_DATA = \
|
||||
freeipa.template \
|
||||
$(NULL)
|
||||
|
||||
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
|
||||
+epnconfdir = $(IPA_SYSCONF_DIR)
|
||||
dist_epnconf_DATA = \
|
||||
+ epn.conf \
|
||||
+ $(NULL)
|
||||
+
|
||||
+epntemplatedir = $(IPA_SYSCONF_DIR)/epn
|
||||
+dist_epntemplate_DATA = \
|
||||
expire_msg.template \
|
||||
$(NULL)
|
||||
diff --git a/client/share/epn.conf b/client/share/epn.conf
|
||||
new file mode 100644
|
||||
index 000000000..0e590dfc3
|
||||
--- /dev/null
|
||||
+++ b/client/share/epn.conf
|
||||
@@ -0,0 +1,54 @@
|
||||
+# Global IPA-EPN [0] configuration file.
|
||||
+# For a complete explanation of each parameter, see the epn.conf(5)
|
||||
+# manual page.
|
||||
+# For best results, change no more than a single parameter at a time,
|
||||
+# and test if ipa-epn(1) still works as intended, using --dry-run when
|
||||
+# it makes sense.
|
||||
+#
|
||||
+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
|
||||
+
|
||||
+[global]
|
||||
+
|
||||
+# Specifies the SMTP server to use.
|
||||
+smtp_server = localhost
|
||||
+
|
||||
+# Specifies the SMTP port.
|
||||
+smtp_port = 25
|
||||
+
|
||||
+# Specifies the id of the user to authenticate with the SMTP server.
|
||||
+# Default None (empty value).
|
||||
+# smtp_user =
|
||||
+
|
||||
+# Specifies the password for the authorized user.
|
||||
+# Default None (empty value).
|
||||
+# smtp_password =
|
||||
+
|
||||
+# pecifies the number of seconds to wait for SMTP to respond.
|
||||
+smtp_timeout = 60
|
||||
+
|
||||
+# Specifies the type of secure connection to make. Options are: none,
|
||||
+# starttls and ssl.
|
||||
+smtp_security = none
|
||||
+
|
||||
+# Specifies the From e-mail address value in the e-mails sent. Bounces will
|
||||
+# be sent here.
|
||||
+smtp_admin = root@localhost
|
||||
+
|
||||
+# Time to wait, in milliseconds, between each e-mail sent to try to avoid
|
||||
+# overloading the mail queue.
|
||||
+smtp_delay = 0
|
||||
+
|
||||
+# Specifies the From: e-mail address value in the e-mails sent.
|
||||
+# The default when unset is noreply@ipadefaultemaildomain.
|
||||
+# This value can be found by running ipa config-show.
|
||||
+# mail_from =
|
||||
+
|
||||
+# The list of days before a password expiration when ipa-epn should notify
|
||||
+# a user that their password will soon require a reset.
|
||||
+notify_ttls = 28, 14, 7, 3, 1
|
||||
+
|
||||
+# Set the character set of the message.
|
||||
+msg_charset = utf8
|
||||
+
|
||||
+# Set the message's MIME sub-content type.
|
||||
+msg_subtype = plain
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 5bce6f118..8cca99697 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -1387,13 +1387,15 @@ fi
|
||||
|
||||
%files client-epn
|
||||
%doc README.md Contributors.txt
|
||||
+%dir %{_sysconfdir}/ipa/epn
|
||||
%license COPYING
|
||||
%{_sbindir}/ipa-epn
|
||||
%{_mandir}/man1/ipa-epn.1*
|
||||
%{_mandir}/man5/epn.conf.5*
|
||||
%attr(644,root,root) %{_unitdir}/ipa-epn.service
|
||||
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
|
||||
-%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
|
||||
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
|
||||
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
|
||||
|
||||
%files -n python3-ipaclient
|
||||
%doc README.md Contributors.txt
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 09:39:02 +0200
|
||||
Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fix formatting issues found with mandoc.
|
||||
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
client/man/epn.conf.5 | 2 +-
|
||||
client/man/ipa-epn.1 | 8 ++++----
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
|
||||
index 14f5dbb75..df1f0156c 100644
|
||||
--- a/client/man/epn.conf.5
|
||||
+++ b/client/man/epn.conf.5
|
||||
@@ -16,7 +16,7 @@
|
||||
.\"
|
||||
.\" Author: Rob Crittenden <rcritten@@redhat.com>
|
||||
.\"
|
||||
-.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages"
|
||||
+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
|
||||
.SH "NAME"
|
||||
epn.conf \- Expiring Password Notification configuration file
|
||||
.SH "SYNOPSIS"
|
||||
diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1
|
||||
index 9999ea8ca..124fd4536 100644
|
||||
--- a/client/man/ipa-epn.1
|
||||
+++ b/client/man/ipa-epn.1
|
||||
@@ -15,14 +15,14 @@
|
||||
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
.\"
|
||||
.\"
|
||||
-.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages"
|
||||
+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
|
||||
.SH "NAME"
|
||||
ipa\-epn \- Send expiring password nofications
|
||||
.SH "SYNOPSIS"
|
||||
-ipa\-epn \[options\]
|
||||
+ipa\-epn \fR[options\fR]
|
||||
|
||||
.SH "DESCRIPTION"
|
||||
-ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
|
||||
+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
|
||||
|
||||
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
|
||||
|
||||
@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio
|
||||
|
||||
If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
|
||||
|
||||
-if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
|
||||
+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
|
||||
|
||||
Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 23 Jun 2020 13:50:02 +0200
|
||||
Subject: [PATCH] ipatests: check that EPN's configuration file is installed.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8374
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index 7f56d4bc0..409d588d5 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest):
|
||||
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
|
||||
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
|
||||
|
||||
+ @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
|
||||
+ def test_EPN_config_file(self):
|
||||
+ """Check that the EPN configuration file is installed.
|
||||
+ https://pagure.io/freeipa/issue/8374
|
||||
+ """
|
||||
+ epn_conf = "/etc/ipa/epn.conf"
|
||||
+ epn_template = "/etc/ipa/epn/expire_msg.template"
|
||||
+ cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
|
||||
+ assert epn_conf in cmd1.stdout_text
|
||||
+ assert epn_template in cmd1.stdout_text
|
||||
+ cmd2 = self.master.run_command(["sha256sum", epn_conf])
|
||||
+ ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
|
||||
+ assert cmd2.stdout_text.find(ck) == 0
|
||||
+
|
||||
def test_EPN_smoketest_1(self):
|
||||
"""No users except admin. Check --dry-run output.
|
||||
With the default configuration, the result should be an empty list.
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 24 Jun 2020 23:24:36 +0200
|
||||
Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
|
||||
the installed version of freeipa-client-epn is not the built
|
||||
one. Temporarily force uninstall/reinstall of this package
|
||||
before running the test.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8374
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index 409d588d5..9a9fb17b9 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest):
|
||||
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
|
||||
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
|
||||
|
||||
- @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
|
||||
+ @pytest.mark.skip_if_platform(
|
||||
+ "debian", reason="Cannot check installed packages using RPM"
|
||||
+ )
|
||||
def test_EPN_config_file(self):
|
||||
"""Check that the EPN configuration file is installed.
|
||||
https://pagure.io/freeipa/issue/8374
|
||||
"""
|
||||
+ # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378
|
||||
+ rpm_q_cmds = [
|
||||
+ ["rpm", "-qi", "freeipa-client"],
|
||||
+ ["rpm", "-qi", "freeipa-client-epn"],
|
||||
+ ["rpm", "-qc", "freeipa-client-epn"],
|
||||
+ ["rpm", "-V", "freeipa-client-epn"],
|
||||
+ ["rpm", "-qvc", "freeipa-client-epn"],
|
||||
+ ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"],
|
||||
+ ]
|
||||
+ for cmd in rpm_q_cmds:
|
||||
+ self.master.run_command(cmd, raiseonerr=False)
|
||||
+ tasks.uninstall_packages(self.master, ["*ipa-client-epn"])
|
||||
+ tasks.install_packages(self.master, ["*ipa-client-epn"])
|
||||
+ for cmd in rpm_q_cmds:
|
||||
+ self.master.run_command(cmd, raiseonerr=False)
|
||||
+ # end workaround
|
||||
epn_conf = "/etc/ipa/epn.conf"
|
||||
epn_template = "/etc/ipa/epn/expire_msg.template"
|
||||
cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
|
||||
--
|
||||
2.26.2
|
||||
|
147
SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
Normal file
147
SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
Normal file
@ -0,0 +1,147 @@
|
||||
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Mon, 15 Jun 2020 18:38:35 -0400
|
||||
Subject: [PATCH] Clarify AJP connector creation process
|
||||
|
||||
We do two things:
|
||||
|
||||
1. Fix the xpath for AJP connector verification. An AJP connector is
|
||||
one which has protocol="AJP/1.3", NOT one that has port="8009". An
|
||||
AJP connector can exist on any port and port 8009 can have any
|
||||
protocol. Secrets only make sense on AJP connectors, so make the
|
||||
xpath match the existing comment.
|
||||
|
||||
2. Add some background in-line documentation about AJP secret
|
||||
provisioning. This should help future developers understand why this
|
||||
was added to IPA and what limitations there are in what PKI or IPA
|
||||
can do. Most notably, explain why Dogtag can't upgrade the AJP
|
||||
connector to have a secret in the general case.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index 42c9db3fb..aa3baeb7c 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
|
||||
doc = server_xml.getroot()
|
||||
|
||||
# no AJP connector means no need to update anything
|
||||
- connectors = doc.xpath('//Connector[@port="8009"]')
|
||||
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
|
||||
if len(connectors) == 0:
|
||||
return
|
||||
|
||||
- # AJP connector is set on port 8009. Use non-greedy search to find it
|
||||
+ # AJP protocol is at version 1.3. Assume there is only one as
|
||||
+ # Dogtag only provisions one.
|
||||
connector = connectors[0]
|
||||
|
||||
# Detect tomcat version and choose the right option name
|
||||
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
|
||||
rewrite = False
|
||||
else:
|
||||
if oldattr in connector.attrib:
|
||||
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
|
||||
+ # upgrade for us; we need only to ensure that we're not both
|
||||
+ # attempting to upgrade server.xml at the same time.
|
||||
+ # Hopefully this is guaranteed for us.
|
||||
self.ajp_secret = connector.attrib[oldattr]
|
||||
connector.attrib[secretattr] = self.ajp_secret
|
||||
del connector.attrib[oldattr]
|
||||
else:
|
||||
- # Generate password, don't use special chars to not break XML
|
||||
+ # Generate password, don't use special chars to not break XML.
|
||||
+ #
|
||||
+ # If we hit this case, pkispawn was run on an older Dogtag
|
||||
+ # version and we're stuck migrating, choosing a password
|
||||
+ # ourselves. Dogtag can't generate one randomly because a
|
||||
+ # Dogtag administrator might've configured AJP and might
|
||||
+ # not be using IPA.
|
||||
+ #
|
||||
+ # Newer Dogtag versions will generate a random password
|
||||
+ # during pkispawn.
|
||||
self.ajp_secret = ipautil.ipa_generate_password(special=None)
|
||||
connector.attrib[secretattr] = self.ajp_secret
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 17 Jun 2020 16:00:25 -0400
|
||||
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
|
||||
|
||||
By default, PKI's AJP secret is generated as a 75-bit password. By
|
||||
generating it in IPA, we can guarantee the strength of the AJP secret.
|
||||
It makes sense to use a stronger AJP secret because it typically
|
||||
isn't rotated; access to AJP allows an attacker to impersonate an admin
|
||||
while talking to PKI.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8372
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
|
||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
|
||||
Related: https://github.com/dogtagpki/pki/pull/437
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
install/share/ipaca_customize.ini | 1 +
|
||||
install/share/ipaca_default.ini | 2 ++
|
||||
ipaserver/install/dogtaginstance.py | 4 +++-
|
||||
3 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
|
||||
index 6d58579af..948734241 100644
|
||||
--- a/install/share/ipaca_customize.ini
|
||||
+++ b/install/share/ipaca_customize.ini
|
||||
@@ -12,6 +12,7 @@
|
||||
#
|
||||
# Predefined variables
|
||||
# - ipa_ca_subject
|
||||
+# - ipa_ajp_secret
|
||||
# - ipa_fqdn
|
||||
# - ipa_subject_base
|
||||
# - pki_admin_password
|
||||
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
|
||||
index 2b9900286..a51256116 100644
|
||||
--- a/install/share/ipaca_default.ini
|
||||
+++ b/install/share/ipaca_default.ini
|
||||
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
|
||||
|
||||
## dynamic values
|
||||
# ipa_ca_subject=
|
||||
+# ipa_ajp_secret=
|
||||
# ipa_subject_base=
|
||||
# ipa_fqdn=
|
||||
# ipa_ocsp_uri=
|
||||
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
|
||||
pki_replication_password=
|
||||
|
||||
pki_enable_proxy=True
|
||||
+pki_ajp_secret=%(ipa_ajp_secret)s
|
||||
pki_restart_configured_instance=False
|
||||
pki_security_domain_hostname=%(ipa_fqdn)s
|
||||
pki_security_domain_https_port=443
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index aa3baeb7c..361d80a8c 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -840,7 +840,9 @@ class PKIIniLoader:
|
||||
pki_subsystem_type=subsystem.lower(),
|
||||
home_dir=os.path.expanduser("~"),
|
||||
# for softhsm2 testing
|
||||
- softhsm2_so=paths.LIBSOFTHSM2_SO
|
||||
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
|
||||
+ # Configure a more secure AJP password by default
|
||||
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
|
||||
)
|
||||
|
||||
@classmethod
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,167 @@
|
||||
From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Vobornik <pvoborni@redhat.com>
|
||||
Date: Mon, 8 Jun 2020 19:27:30 +0200
|
||||
Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name
|
||||
|
||||
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
|
||||
|
||||
This fixes showing the field in Web UI and also should fix CLI as it
|
||||
probably never worked.
|
||||
|
||||
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
API.txt | 8 ++++----
|
||||
ipaserver/plugins/baseuser.py | 2 +-
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/API.txt b/API.txt
|
||||
index 5354a33a0..300b3d9b1 100644
|
||||
--- a/API.txt
|
||||
+++ b/API.txt
|
||||
@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles')
|
||||
option: Str('in_sudorule*', cli_name='in_sudorules')
|
||||
option: Str('initials?', autofill=False)
|
||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
||||
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
|
||||
@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
|
||||
option: Str('homedirectory?', autofill=False, cli_name='homedir')
|
||||
option: Str('initials?', autofill=False)
|
||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
||||
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
|
||||
@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles')
|
||||
option: Str('in_sudorule*', cli_name='in_sudorules')
|
||||
option: Str('initials?', autofill=False)
|
||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
||||
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
|
||||
@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
|
||||
option: Str('homedirectory?', autofill=False, cli_name='homedir')
|
||||
option: Str('initials?', autofill=False)
|
||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
||||
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
|
||||
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||
index a0ed65874..e1b7763f0 100644
|
||||
--- a/ipaserver/plugins/baseuser.py
|
||||
+++ b/ipaserver/plugins/baseuser.py
|
||||
@@ -420,7 +420,7 @@ class baseuser(LDAPObject):
|
||||
label=_('SMB Home Directory'),
|
||||
flags=['no_create'],
|
||||
),
|
||||
- StrEnum('ipanthomedirectoryrive?',
|
||||
+ StrEnum('ipanthomedirectorydrive?',
|
||||
cli_name='smb_home_drive',
|
||||
label=_('SMB Home Directory Drive'),
|
||||
flags=['no_create'],
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Vobornik <pvoborni@redhat.com>
|
||||
Date: Mon, 8 Jun 2020 19:11:33 +0200
|
||||
Subject: [PATCH] webui: hide user attributes for SMB services section if empty
|
||||
|
||||
This section should be hidded if user object hasn't ipantuserattrs
|
||||
object class. I.e. when trusts are not enabled.
|
||||
|
||||
Web UI framework already supports hidding of sections if the
|
||||
section contains no visible field. So to achieve it we simply needs
|
||||
to hide the fields. Given that attributelevelrights
|
||||
contains rights only for attributes of current object classes, all
|
||||
of these are regarded as not writable.
|
||||
|
||||
We can leverage feature of input_widget that it gets hidden
|
||||
when the attribute is not writable and has no value and widget's
|
||||
"hidden_if_empty" is set to true. Thus doing it here.
|
||||
|
||||
For this to work, it is also required to fix an issue with
|
||||
"ipanthomedirectorydrive" which is optional (in API) but Web UI
|
||||
doesn't offer "empty" ("") value. Adding it here.
|
||||
|
||||
fixes: https://pagure.io/freeipa/issue/8336
|
||||
|
||||
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
|
||||
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
install/ui/src/freeipa/user.js | 20 +++++++++++---------
|
||||
1 file changed, 11 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
|
||||
index fb626f2a1..8f1f5cd85 100644
|
||||
--- a/install/ui/src/freeipa/user.js
|
||||
+++ b/install/ui/src/freeipa/user.js
|
||||
@@ -367,36 +367,39 @@ return {
|
||||
{
|
||||
name: 'smb_attributes',
|
||||
label: '@i18n:objects.smb_attributes.title',
|
||||
- show_cond: ['oc_ipantuserattrs'],
|
||||
fields: [{
|
||||
name: 'ipantlogonscript',
|
||||
tooltip: {
|
||||
title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
|
||||
- }
|
||||
+ },
|
||||
+ hidden_if_empty: true
|
||||
},
|
||||
{
|
||||
name: 'ipantprofilepath',
|
||||
tooltip: {
|
||||
title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
|
||||
- }
|
||||
+ },
|
||||
+ hidden_if_empty: true
|
||||
},
|
||||
{
|
||||
name: 'ipanthomedirectory',
|
||||
tooltip: {
|
||||
title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
|
||||
- }
|
||||
+ },
|
||||
+ hidden_if_empty: true
|
||||
},
|
||||
{
|
||||
name: 'ipanthomedirectorydrive',
|
||||
$type: 'select',
|
||||
options: IPA.create_options([
|
||||
- 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
|
||||
- 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
|
||||
- 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
|
||||
+ '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:',
|
||||
+ 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:',
|
||||
+ 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
|
||||
]),
|
||||
tooltip: {
|
||||
title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
|
||||
- }
|
||||
+ },
|
||||
+ hidden_if_empty: true
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -482,7 +485,6 @@ return {
|
||||
IPA.user.self_service_other_user_evaluator,
|
||||
IPA.user.preserved_user_evaluator,
|
||||
IPA.user.is_locked_evaluator,
|
||||
- IPA.object_class_evaluator,
|
||||
IPA.cert.certificate_evaluator
|
||||
],
|
||||
summary_conditions: [
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,93 @@
|
||||
From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 2 Jul 2020 15:50:00 +0300
|
||||
Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for
|
||||
execution
|
||||
|
||||
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
|
||||
SELinux policy permission to use 'noatsecure'. This comes most likely
|
||||
from execve() setup by glibc.
|
||||
|
||||
Add SELinux interface ipa_helper_noatsecure() that can be called by
|
||||
oddjob's SELinux policy definition.
|
||||
|
||||
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
|
||||
access SELinux configuration and produce AVC for that. Allow reading
|
||||
general userspace SELinux configuration.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8395
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
selinux/ipa.if | 18 ++++++++++++++++++
|
||||
selinux/ipa.te | 1 +
|
||||
2 files changed, 19 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.if b/selinux/ipa.if
|
||||
index ea971b8fa..783db8b78 100644
|
||||
--- a/selinux/ipa.if
|
||||
+++ b/selinux/ipa.if
|
||||
@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',`
|
||||
ps_process_pattern($1, dirsrv_t)
|
||||
')
|
||||
')
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow ipa_helper noatsecure
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`ipa_helper_noatsecure',`
|
||||
+ gen_require(`
|
||||
+ type ipa_helper_t;
|
||||
+ ')
|
||||
+ allow $1 ipa_helper_t:process { noatsecure };
|
||||
+')
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 587e5e585..383979094 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -115,6 +115,7 @@ optional_policy(`
|
||||
|
||||
|
||||
allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
|
||||
+seutil_read_config(ipa_helper_t);
|
||||
|
||||
#kernel bug
|
||||
dontaudit ipa_helper_t self:capability2 block_suspend;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 3 Jul 2020 17:20:49 +0300
|
||||
Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8395
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 383979094..a3381217a 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -390,3 +390,7 @@ optional_policy(`
|
||||
sssd_search_lib(ipa_custodia_t)
|
||||
sssd_stream_connect(ipa_custodia_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ systemd_private_tmp(ipa_custodia_tmp_t)
|
||||
+')
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,180 @@
|
||||
From 128500198d3782a76616cf1d971d5aeb17e8c1da Mon Sep 17 00:00:00 2001
|
||||
From: Fraser Tweedale <ftweedal@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 22:42:38 +1000
|
||||
Subject: [PATCH] fix iPAddress cert issuance for >1 host/service
|
||||
|
||||
The 'cert_request' command accumulates DNS names from the CSR,
|
||||
before checking that all IP addresses in the CSR are reachable from
|
||||
those DNS names. Before adding a DNS name to the set, we check that
|
||||
that it corresponds to the FQDN of a known host/service principal
|
||||
(including principal aliases). When a DNS name maps to a
|
||||
"alternative" principal (i.e. not the one given via the 'principal'
|
||||
argument), this check was not being performed correctly.
|
||||
Specifically, we were looking for the 'krbprincipalname' field on
|
||||
the RPC response object directly, instead of its 'result' field.
|
||||
|
||||
To resolve the issue, dereference the RPC response to its 'result'
|
||||
field before invoking the '_dns_name_matches_principal' subroutine.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8368
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/cert.py | 6 +-
|
||||
.../test_cert_request_ip_address.py | 62 +++++++++++++++++--
|
||||
2 files changed, 61 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
||||
index d353bc3ea..fe7ea34f5 100644
|
||||
--- a/ipaserver/plugins/cert.py
|
||||
+++ b/ipaserver/plugins/cert.py
|
||||
@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
||||
try:
|
||||
if principal_type == HOST:
|
||||
alt_principal_obj = api.Command['host_show'](
|
||||
- name, all=True)
|
||||
+ name, all=True)['result']
|
||||
elif principal_type == KRBTGT:
|
||||
alt_principal = kerberos.Principal(
|
||||
(u'host', name), principal.realm)
|
||||
elif principal_type == SERVICE:
|
||||
alt_principal_obj = api.Command['service_show'](
|
||||
- alt_principal, all=True)
|
||||
+ alt_principal, all=True)['result']
|
||||
except errors.NotFound:
|
||||
# We don't want to issue any certificates referencing
|
||||
# machines we don't know about. Nothing is stored in this
|
||||
@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
||||
pass
|
||||
|
||||
# Now check write access and caacl
|
||||
- altdn = alt_principal_obj['result']['dn']
|
||||
+ altdn = alt_principal_obj['dn']
|
||||
if not ldap.can_write(altdn, "usercertificate"):
|
||||
raise errors.ACIError(info=_(
|
||||
"Insufficient privilege to create a certificate "
|
||||
diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
|
||||
index bf4de05bf..c0475d30d 100644
|
||||
--- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py
|
||||
+++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
|
||||
@@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
|
||||
from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
|
||||
|
||||
-host_fqdn = f'iptest.{api.env.domain}'
|
||||
+host_shortname = 'iptest'
|
||||
+host_fqdn = f'{host_shortname}.{api.env.domain}'
|
||||
host_princ = f'host/{host_fqdn}'
|
||||
host_ptr = f'{host_fqdn}.'
|
||||
|
||||
+host2_shortname = 'iptest2'
|
||||
+host2_fqdn = f'{host2_shortname}.{api.env.domain}'
|
||||
+host2_princ = f'host/{host2_fqdn}'
|
||||
+host2_ptr = f'{host2_fqdn}.'
|
||||
+
|
||||
other_fqdn = f'other.{api.env.domain}'
|
||||
other_ptr = f'{other_fqdn}.'
|
||||
|
||||
@@ -39,6 +45,10 @@ ipv4_address = '169.254.0.42'
|
||||
ipv4_revzone_s = '0.254.169.in-addr.arpa.'
|
||||
ipv4_revrec_s = '42'
|
||||
|
||||
+host2_ipv4_address = '169.254.0.43'
|
||||
+host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.'
|
||||
+host2_ipv4_revrec_s = '43'
|
||||
+
|
||||
ipv6_address = 'fe80::8f18:bdab:4299:95fa'
|
||||
ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.'
|
||||
ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
|
||||
@@ -46,7 +56,13 @@ ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
|
||||
|
||||
@pytest.fixture(scope='class')
|
||||
def host(request, xmlrpc_setup):
|
||||
- tr = HostTracker('iptest')
|
||||
+ tr = HostTracker(host_shortname)
|
||||
+ return tr.make_fixture(request)
|
||||
+
|
||||
+
|
||||
+@pytest.fixture(scope='class')
|
||||
+def host2(request, xmlrpc_setup):
|
||||
+ tr = HostTracker(host2_shortname)
|
||||
return tr.make_fixture(request)
|
||||
|
||||
|
||||
@@ -88,6 +104,12 @@ def ipv6_revzone(host):
|
||||
yield from _zone_setup(host, ipv6_revzone_s)
|
||||
|
||||
|
||||
+@pytest.fixture(scope='class')
|
||||
+def host2_ipv4_ptr(host2, ipv4_revzone):
|
||||
+ yield from _record_setup(
|
||||
+ host2, ipv4_revzone, host2_ipv4_revrec_s, ptrrecord=host2_ptr)
|
||||
+
|
||||
+
|
||||
@pytest.fixture(scope='class')
|
||||
def ipv4_ptr(host, ipv4_revzone):
|
||||
yield from _record_setup(
|
||||
@@ -100,16 +122,22 @@ def ipv6_ptr(host, ipv6_revzone):
|
||||
host, ipv6_revzone, ipv6_revrec_s, ptrrecord=host_ptr)
|
||||
|
||||
|
||||
+@pytest.fixture(scope='class')
|
||||
+def host2_ipv4_a(host2):
|
||||
+ yield from _record_setup(
|
||||
+ host2, api.env.domain, host2_shortname, arecord=host2_ipv4_address)
|
||||
+
|
||||
+
|
||||
@pytest.fixture(scope='class')
|
||||
def ipv4_a(host):
|
||||
yield from _record_setup(
|
||||
- host, api.env.domain, 'iptest', arecord=ipv4_address)
|
||||
+ host, api.env.domain, host_shortname, arecord=ipv4_address)
|
||||
|
||||
|
||||
@pytest.fixture(scope='class')
|
||||
def ipv6_aaaa(host):
|
||||
yield from _record_setup(
|
||||
- host, api.env.domain, 'iptest', aaaarecord=ipv6_address)
|
||||
+ host, api.env.domain, host_shortname, aaaarecord=ipv6_address)
|
||||
|
||||
|
||||
@pytest.fixture(scope='class')
|
||||
@@ -210,6 +238,12 @@ csr_cname2 = csr([
|
||||
x509.DNSName(f'cname2.{api.env.domain}'),
|
||||
x509.IPAddress(ipaddress.ip_address(ipv4_address)),
|
||||
])
|
||||
+csr_two_dnsname_two_ip = csr([
|
||||
+ x509.DNSName(host_fqdn),
|
||||
+ x509.IPAddress(ipaddress.ip_address(ipv4_address)),
|
||||
+ x509.DNSName(host2_fqdn),
|
||||
+ x509.IPAddress(ipaddress.ip_address(host2_ipv4_address)),
|
||||
+])
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
@@ -449,3 +483,23 @@ class TestIPAddressCNAME(XMLRPC_test):
|
||||
def test_two_levels(self, host, csr_cname2):
|
||||
with pytest.raises(errors.ValidationError, match=PAT_FWD):
|
||||
host.run_command('cert_request', csr_cname2, principal=host_princ)
|
||||
+
|
||||
+
|
||||
+@pytest.mark.tier1
|
||||
+class TestTwoHostsTwoIPAddresses(XMLRPC_test):
|
||||
+ """
|
||||
+ Test certificate issuance with CSR containing two hosts
|
||||
+ and two IP addresses (one for each host).
|
||||
+
|
||||
+ """
|
||||
+ def test_host_exists(
|
||||
+ self, host, host2, ipv4_a, ipv4_ptr, host2_ipv4_a, host2_ipv4_ptr,
|
||||
+ ):
|
||||
+ # for convenience, this test also establishes the DNS
|
||||
+ # record fixtures, which have class scope
|
||||
+ host.ensure_exists()
|
||||
+ host2.ensure_exists()
|
||||
+
|
||||
+ def test_issuance(self, host, csr_two_dnsname_two_ip):
|
||||
+ host.run_command(
|
||||
+ 'cert_request', csr_two_dnsname_two_ip, principal=host_princ)
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,118 @@
|
||||
From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 19 Jun 2020 08:48:56 -0400
|
||||
Subject: [PATCH] Specify cert_paths when calling PKIConnection
|
||||
|
||||
PKIConnection now defaults to specifying verify=True. We've introduced
|
||||
a new parameter, cert_paths, to specify additional paths (directories or
|
||||
files) to load as certificates. Specify the IPA CA certificate file so
|
||||
we can guarantee connections succeed and validate the peer's certificate.
|
||||
|
||||
Point to IPA CA certificate during pkispawn
|
||||
|
||||
Bump pki_version to 10.9.0-0.4 (aka -b2)
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8379
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
|
||||
Related: https://github.com/dogtagpki/pki/pull/443
|
||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 6 +++---
|
||||
install/tools/ipa-pki-wait-running.in | 3 ++-
|
||||
ipaserver/install/cainstance.py | 7 +++++++
|
||||
ipaserver/install/dogtaginstance.py | 3 ++-
|
||||
ipaserver/plugins/dogtag.py | 11 +++++------
|
||||
5 files changed, 19 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 74e752ea5..d00b9d640 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -112,9 +112,9 @@
|
||||
# Fedora
|
||||
%endif
|
||||
|
||||
-# 10.7.3 supports LWCA key replication using AES
|
||||
-# https://pagure.io/freeipa/issue/8020
|
||||
-%global pki_version 10.7.3-1
|
||||
+# PKIConnection has been modified to always validate certs.
|
||||
+# https://pagure.io/freeipa/issue/8379
|
||||
+%global pki_version 10.9.0-0.4
|
||||
|
||||
# https://pagure.io/certmonger/issue/90
|
||||
%global certmonger_version 0.79.7-1
|
||||
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
|
||||
index 69f5ec296..4f0f2f34a 100644
|
||||
--- a/install/tools/ipa-pki-wait-running.in
|
||||
+++ b/install/tools/ipa-pki-wait-running.in
|
||||
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
|
||||
"""
|
||||
conn = PKIConnection(
|
||||
hostname=hostname,
|
||||
- subsystem=subsystem
|
||||
+ subsystem=subsystem,
|
||||
+ cert_paths=paths.IPA_CA_CRT
|
||||
)
|
||||
logger.info(
|
||||
"Created connection %s://%s:%s/%s",
|
||||
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
||||
index 706bc28cc..9294f1dba 100644
|
||||
--- a/ipaserver/install/cainstance.py
|
||||
+++ b/ipaserver/install/cainstance.py
|
||||
@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
|
||||
else:
|
||||
pki_pin = None
|
||||
|
||||
+ # When spawning a CA instance, always point to IPA_CA_CRT if it
|
||||
+ # exists. Later, when we're performing step 2 of an external CA
|
||||
+ # installation, we'll overwrite this key to point to the real
|
||||
+ # external CA.
|
||||
+ if os.path.exists(paths.IPA_CA_CRT):
|
||||
+ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
|
||||
+
|
||||
if self.clone:
|
||||
if self.no_db_setup:
|
||||
cfg.update(
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index 361d80a8c..7e295665c 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -70,7 +70,8 @@ def get_security_domain():
|
||||
connection = PKIConnection(
|
||||
protocol='https',
|
||||
hostname=api.env.ca_host,
|
||||
- port='8443'
|
||||
+ port='8443',
|
||||
+ cert_paths=paths.IPA_CA_CRT
|
||||
)
|
||||
domain_client = pki.system.SecurityDomainClient(connection)
|
||||
info = domain_client.get_security_domain_info()
|
||||
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
||||
index 4de26d76f..b300f6b18 100644
|
||||
--- a/ipaserver/plugins/dogtag.py
|
||||
+++ b/ipaserver/plugins/dogtag.py
|
||||
@@ -2082,13 +2082,12 @@ class kra(Backend):
|
||||
'https',
|
||||
self.kra_host,
|
||||
str(self.kra_port),
|
||||
- 'kra')
|
||||
+ 'kra',
|
||||
+ cert_paths=paths.IPA_CA_CRT
|
||||
+ )
|
||||
|
||||
- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
|
||||
- # uncomment the following when this commit makes it to release
|
||||
- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
|
||||
- # connection.set_authentication_cert(paths.RA_AGENT_PEM,
|
||||
- # paths.RA_AGENT_KEY)
|
||||
+ connection.set_authentication_cert(paths.RA_AGENT_PEM,
|
||||
+ paths.RA_AGENT_KEY)
|
||||
|
||||
try:
|
||||
yield KRAClient(connection, crypto)
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,34 @@
|
||||
From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Wed, 15 Jul 2020 10:23:35 +0200
|
||||
Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock
|
||||
|
||||
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
|
||||
from upstream rules. It breaks installations on systems that don't have
|
||||
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8412
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index a3381217a4..c4c3fa805e 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -378,6 +378,13 @@ optional_policy(`
|
||||
ipa_search_lib(ipa_custodia_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type httpd_t;
|
||||
+ ')
|
||||
+ ipa_custodia_stream_connect(httpd_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
pki_manage_tomcat_etc_rw(ipa_custodia_t)
|
||||
pki_read_tomcat_cert(ipa_custodia_t)
|
@ -0,0 +1,189 @@
|
||||
From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 29 Jul 2020 13:35:49 +0200
|
||||
Subject: [PATCH] ipa-client-install: use the authselect backup during
|
||||
uninstall
|
||||
|
||||
When ipa-client-install is run on a system with no existing
|
||||
authselect configuration (for instance a fedora 31 new install),
|
||||
uninstallation is picking sssd profile but this may lead to
|
||||
a configuration with differences compared to the pre-ipa-client
|
||||
state.
|
||||
|
||||
Now that authselect provides an option to backup the existing
|
||||
configuration prior to setting a profile, the client install
|
||||
can save the backup name and uninstall is able to apply the
|
||||
backup in order to go back to the pre-ipa-client state.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8189
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------
|
||||
1 file changed, 16 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
|
||||
index 758376f2b..89f452d66 100644
|
||||
--- a/ipaplatform/redhat/authconfig.py
|
||||
+++ b/ipaplatform/redhat/authconfig.py
|
||||
@@ -27,6 +27,7 @@ from ipaplatform.paths import paths
|
||||
from ipapython import ipautil
|
||||
from ipapython.admintool import ScriptError
|
||||
import os
|
||||
+import time
|
||||
|
||||
FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
|
||||
|
||||
@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase):
|
||||
def configure(self, sssd, mkhomedir, statestore, sudo=True):
|
||||
# In the statestore, the following keys are used for the
|
||||
# 'authselect' module:
|
||||
+ # Old method:
|
||||
# profile: name of the profile configured pre-installation
|
||||
# features_list: list of features configured pre-installation
|
||||
# mkhomedir: True if installation was called with --mkhomedir
|
||||
# profile and features_list are used when reverting to the
|
||||
# pre-install state
|
||||
- cfg = self._parse_authselect_output()
|
||||
- if cfg:
|
||||
- statestore.backup_state('authselect', 'profile', cfg[0])
|
||||
- statestore.backup_state(
|
||||
- 'authselect', 'features_list', " ".join(cfg[1]))
|
||||
- else:
|
||||
- # cfg = None means that the current conf is not managed by
|
||||
- # authselect but by authconfig.
|
||||
- # As we are using authselect to configure the host,
|
||||
- # it will not be possible to revert to a custom authconfig
|
||||
- # configuration later (during uninstall)
|
||||
- # Best thing to do will be to use sssd profile at this time
|
||||
- logger.warning(
|
||||
- "WARNING: The configuration pre-client installation is not "
|
||||
- "managed by authselect and cannot be backed up. "
|
||||
- "Uninstallation may not be able to revert to the original "
|
||||
- "state.")
|
||||
+ # New method:
|
||||
+ # backup: name of the authselect backup
|
||||
+ backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S"))
|
||||
+ statestore.backup_state('authselect', 'backup', backup_name)
|
||||
|
||||
cmd = [paths.AUTHSELECT, "select", "sssd"]
|
||||
if mkhomedir:
|
||||
@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase):
|
||||
if sudo:
|
||||
cmd.append("with-sudo")
|
||||
cmd.append("--force")
|
||||
+ cmd.append("--backup={}".format(backup_name))
|
||||
|
||||
ipautil.run(cmd)
|
||||
|
||||
@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase):
|
||||
else:
|
||||
features = []
|
||||
|
||||
- cmd = [paths.AUTHSELECT, "select", profile]
|
||||
- cmd.extend(features)
|
||||
- cmd.append("--force")
|
||||
- ipautil.run(cmd)
|
||||
+ backup = statestore.restore_state('authselect', 'backup')
|
||||
+ if backup:
|
||||
+ cmd = [paths.AUTHSELECT, "backup-restore", backup]
|
||||
+ ipautil.run(cmd)
|
||||
+ else:
|
||||
+ cmd = [paths.AUTHSELECT, "select", profile]
|
||||
+ cmd.extend(features)
|
||||
+ cmd.append("--force")
|
||||
+ ipautil.run(cmd)
|
||||
|
||||
def backup(self, path):
|
||||
current = self._get_authselect_current_output()
|
||||
--
|
||||
2.26.2
|
||||
|
||||
# Not needed for 4.7.8 release
|
||||
#
|
||||
#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001
|
||||
#From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
#Date: Wed, 29 Jul 2020 13:40:26 +0200
|
||||
#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py
|
||||
#
|
||||
#Related: https://pagure.io/freeipa/issue/8189
|
||||
#Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
#Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
#---
|
||||
# ipatests/test_integration/test_nfs.py | 4 ----
|
||||
# 1 file changed, 4 deletions(-)
|
||||
#
|
||||
#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
|
||||
#index 7272b0d44..832c56cca 100644
|
||||
#--- a/ipatests/test_integration/test_nfs.py
|
||||
#+++ b/ipatests/test_integration/test_nfs.py
|
||||
#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
|
||||
# cmd = self.clients[0].run_command(sha256nsswitch_cmd)
|
||||
# assert cmd.stdout_text == orig_sha256
|
||||
#
|
||||
#- @pytest.mark.xfail(
|
||||
#- reason="https://pagure.io/freeipa/issue/8189",
|
||||
#- strict=True
|
||||
#- )
|
||||
# def test_nsswitch_backup_restore_sssd(self):
|
||||
# self.nsswitch_backup_restore()
|
||||
#
|
||||
#--
|
||||
#2.26.2
|
||||
|
||||
From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 29 Jul 2020 17:57:53 +0200
|
||||
Subject: [PATCH] ipatests: fix test_authselect
|
||||
|
||||
Before the code fix, install/uninstall on a config without
|
||||
any authselect profile was not able to restore the exact
|
||||
state but configured sssd profile instead.
|
||||
|
||||
Now that the code is doing a pre-install backup, uninstall
|
||||
restores the exact state and the test needs to be updated
|
||||
accordingly.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8189
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_authselect.py | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
|
||||
index bdf7d9f77..cba23e707 100644
|
||||
--- a/ipatests/test_integration/test_authselect.py
|
||||
+++ b/ipatests/test_integration/test_authselect.py
|
||||
@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest):
|
||||
['rm', '-f', '/etc/authselect/authselect.conf'])
|
||||
result = self._install_client()
|
||||
assert result.returncode == 0
|
||||
- assert self.msg_warn_install in result.stderr_text
|
||||
+ # With the fix for 8189, there is no warning any more
|
||||
+ # because install is performing a pre-install backup
|
||||
+ assert self.msg_warn_install not in result.stderr_text
|
||||
# Client installation must configure the 'sssd' profile
|
||||
# with sudo
|
||||
check_authselect_profile(self.client, default_profile, ('with-sudo',))
|
||||
@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest):
|
||||
"""
|
||||
Test client un-installation when there was no authselect profile
|
||||
"""
|
||||
- # As the client did not have any authselect profile before install,
|
||||
- # uninstall must print a warning about restoring 'sssd' profile
|
||||
- # by default
|
||||
+ # The client did not have any authselect profile before install,
|
||||
+ # but uninstall must be able to restore the backup
|
||||
+ # Check that no profile is configured after uninstall
|
||||
result = self._uninstall_client()
|
||||
assert result.returncode == 0
|
||||
- check_authselect_profile(self.client, default_profile)
|
||||
+ assert not self.client.transport.file_exists(
|
||||
+ '/etc/authselect/authselect.conf')
|
||||
|
||||
def test_install_client_preconfigured_profile(self):
|
||||
"""
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,32 @@
|
||||
From 66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 29 Jul 2020 13:42:43 -0400
|
||||
Subject: [PATCH] Replace SSLCertVerificationError with CertificateError for
|
||||
py36
|
||||
|
||||
This exception was added in python 3.7. Use CertificateError
|
||||
instead which is an alias and will work with older python releases.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
|
||||
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/install/server/upgrade.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
||||
index 2c36bc0e2..2c1517865 100644
|
||||
--- a/ipaserver/install/server/upgrade.py
|
||||
+++ b/ipaserver/install/server/upgrade.py
|
||||
@@ -667,7 +667,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
|
||||
|
||||
try:
|
||||
cert.match_hostname(expect)
|
||||
- except ssl.SSLCertVerificationError:
|
||||
+ except ssl.CertificateError:
|
||||
if certs.is_ipa_issued_cert(api, cert):
|
||||
request_id = certmonger.get_request_id(
|
||||
{'cert-file': paths.HTTPD_CERT_FILE})
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,103 @@
|
||||
From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Fri, 8 May 2020 15:27:01 +0200
|
||||
Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
|
||||
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
selinux/ipa.if | 27 +++++++++++++++++++++++++++
|
||||
1 file changed, 27 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.if b/selinux/ipa.if
|
||||
index cefae5d90..ea971b8fa 100644
|
||||
--- a/selinux/ipa.if
|
||||
+++ b/selinux/ipa.if
|
||||
@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
|
||||
manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
|
||||
')
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute dirsrv server in the dirsrv domain.
|
||||
+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+ifndef(`dirsrv_systemctl',`
|
||||
+ interface(`dirsrv_systemctl',`
|
||||
+ gen_require(`
|
||||
+ type dirsrv_unit_file_t;
|
||||
+ type dirsrv_t;
|
||||
+ ')
|
||||
+
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ init_reload_services($1)
|
||||
+ allow $1 dirsrv_unit_file_t:file read_file_perms;
|
||||
+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
|
||||
+
|
||||
+ ps_process_pattern($1, dirsrv_t)
|
||||
+ ')
|
||||
+')
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 7 May 2020 16:17:12 +0200
|
||||
Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
|
||||
|
||||
Allow ipa_helper_t connect to init using /run/systemd/private socket.
|
||||
Allow ipa_helper_t read init process state.
|
||||
Allow ipa_helper_t manage sssd and dirsrv units.
|
||||
|
||||
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
|
||||
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index b1e29c8e2..587e5e585 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
|
||||
|
||||
files_list_tmp(ipa_helper_t)
|
||||
|
||||
+init_read_state(ipa_helper_t)
|
||||
+init_stream_connect(ipa_helper_t)
|
||||
+
|
||||
ipa_manage_pid_files(ipa_helper_t)
|
||||
ipa_read_lib(ipa_helper_t)
|
||||
|
||||
@@ -156,6 +159,10 @@ optional_policy(`
|
||||
dirsrv_stream_connect(ipa_helper_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ dirsrv_systemctl(ipa_helper_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
ldap_stream_connect(ipa_helper_t)
|
||||
')
|
||||
@@ -182,6 +189,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
sssd_manage_lib_files(ipa_helper_t)
|
||||
+ sssd_systemctl(ipa_helper_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,84 @@
|
||||
From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 3 Aug 2020 18:52:07 +0200
|
||||
Subject: [PATCH] CAless installation: set the perms on KDC cert file
|
||||
|
||||
In CA less installation, the KDC certificate file does not have
|
||||
the expected 644 permissions. As a consequence, WebUI login
|
||||
fails.
|
||||
|
||||
The fix makes sure that the KDC cert file is saved with 644 perms.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8440
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/install/krbinstance.py | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
||||
index 09d14693c..1910ff374 100644
|
||||
--- a/ipaserver/install/krbinstance.py
|
||||
+++ b/ipaserver/install/krbinstance.py
|
||||
@@ -536,6 +536,8 @@ class KrbInstance(service.Service):
|
||||
certs.install_pem_from_p12(self.pkcs12_info[0],
|
||||
self.pkcs12_info[1],
|
||||
paths.KDC_CERT)
|
||||
+ # The KDC cert needs to be readable by everyone
|
||||
+ os.chmod(paths.KDC_CERT, 0o644)
|
||||
certs.install_key_from_p12(self.pkcs12_info[0],
|
||||
self.pkcs12_info[1],
|
||||
paths.KDC_KEY)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 3 Aug 2020 18:53:47 +0200
|
||||
Subject: [PATCH] ipatests: check KDC cert permissions in CA less install
|
||||
|
||||
The KDC certificate file must be stored with 644 permissions.
|
||||
Add a test checking the file permissions on server + replica.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8440
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_caless.py | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
|
||||
index a7b2cbbbc..1ea7d9896 100644
|
||||
--- a/ipatests/test_integration/test_caless.py
|
||||
+++ b/ipatests/test_integration/test_caless.py
|
||||
@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
|
||||
assert result.returncode == 0
|
||||
|
||||
|
||||
+def verify_kdc_cert_perms(host):
|
||||
+ """Verify that the KDC cert pem file has 0644 perms"""
|
||||
+ cmd = host.run_command(['stat', '-c',
|
||||
+ '"%a %G:%U"', paths.KDC_CERT])
|
||||
+ assert "644 root:root" in cmd.stdout_text
|
||||
+
|
||||
+
|
||||
class TestPKINIT(CALessBase):
|
||||
"""Install master and replica with PKINIT"""
|
||||
num_replicas = 1
|
||||
@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
|
||||
result = cls.install_server(pkinit_pkcs12_exists=True,
|
||||
pkinit_pin=_DEFAULT)
|
||||
assert result.returncode == 0
|
||||
+ verify_kdc_cert_perms(cls.master)
|
||||
|
||||
@replica_install_teardown
|
||||
def test_server_replica_install_pkinit(self):
|
||||
@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
|
||||
pkinit_pin=_DEFAULT)
|
||||
assert result.returncode == 0
|
||||
self.verify_installation()
|
||||
+ verify_kdc_cert_perms(self.replicas[0])
|
||||
|
||||
|
||||
class TestServerReplicaCALessToCAFull(CALessBase):
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,145 @@
|
||||
From b95817e35716bbab000633043817202e17d7c53e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Thu, 6 Aug 2020 17:07:36 +0200
|
||||
Subject: [PATCH] IPA-EPN: Use a helper to retrieve LDAP attributes from an
|
||||
entry
|
||||
|
||||
Allow for empty attributes.
|
||||
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
ipaclient/install/ipa_epn.py | 22 +++++++++++++++-------
|
||||
1 file changed, 15 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
|
||||
index 65f9f3d47..0d1ae2add 100644
|
||||
--- a/ipaclient/install/ipa_epn.py
|
||||
+++ b/ipaclient/install/ipa_epn.py
|
||||
@@ -122,22 +122,30 @@ class EPNUserList:
|
||||
"""Return len(self)."""
|
||||
return len(self._expiring_password_user_dq)
|
||||
|
||||
+ def get_ldap_attr(self, entry, attr):
|
||||
+ """Get a single value from a multi-valued attr in a safe way"""
|
||||
+ return str(entry.get(attr, [""]).pop(0))
|
||||
+
|
||||
def add(self, entry):
|
||||
"""Parses and appends an LDAP user entry with the uid, cn,
|
||||
givenname, sn, krbpasswordexpiration and mail attributes.
|
||||
"""
|
||||
try:
|
||||
self._sorted = False
|
||||
+ if entry.get("mail") is None:
|
||||
+ logger.error("IPA-EPN: No mail address defined for: %s",
|
||||
+ entry.dn)
|
||||
+ return
|
||||
self._expiring_password_user_dq.append(
|
||||
dict(
|
||||
- uid=str(entry["uid"].pop(0)),
|
||||
- cn=str(entry["cn"].pop(0)),
|
||||
- givenname=str(entry["givenname"].pop(0)),
|
||||
- sn=str(entry["sn"].pop(0)),
|
||||
- krbpasswordexpiration=str(
|
||||
- entry["krbpasswordexpiration"].pop(0)
|
||||
+ uid=self.get_ldap_attr(entry, "uid"),
|
||||
+ cn=self.get_ldap_attr(entry, "cn"),
|
||||
+ givenname=self.get_ldap_attr(entry, "givenname"),
|
||||
+ sn=self.get_ldap_attr(entry, "sn"),
|
||||
+ krbpasswordexpiration=(
|
||||
+ self.get_ldap_attr(entry,"krbpasswordexpiration")
|
||||
),
|
||||
- mail=str(entry["mail"]),
|
||||
+ mail=str(entry.get("mail")),
|
||||
)
|
||||
)
|
||||
except IndexError as e:
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 8e810d8cf38ec60d76178bd673e218fb05d56c8e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Thu, 6 Aug 2020 17:13:19 +0200
|
||||
Subject: [PATCH] IPA-EPN: fix configuration file typo
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
client/share/epn.conf | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/client/share/epn.conf b/client/share/epn.conf
|
||||
index 0e590dfc3..e3645801c 100644
|
||||
--- a/client/share/epn.conf
|
||||
+++ b/client/share/epn.conf
|
||||
@@ -23,7 +23,7 @@ smtp_port = 25
|
||||
# Default None (empty value).
|
||||
# smtp_password =
|
||||
|
||||
-# pecifies the number of seconds to wait for SMTP to respond.
|
||||
+# Specifies the number of seconds to wait for SMTP to respond.
|
||||
smtp_timeout = 60
|
||||
|
||||
# Specifies the type of secure connection to make. Options are: none,
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 6 Aug 2020 18:57:10 -0400
|
||||
Subject: [PATCH] IPA-EPN: Test that users without givenname and/or mail are
|
||||
handled
|
||||
|
||||
The admin user does not have a givenname by default, allow for that.
|
||||
|
||||
Report errors for users without a default e-mail address.
|
||||
|
||||
Update the SHA256 hash with the typo fix.
|
||||
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index 18f73c722..c5c73835a 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -240,7 +240,7 @@ class TestEPN(IntegrationTest):
|
||||
assert epn_conf in cmd1.stdout_text
|
||||
assert epn_template in cmd1.stdout_text
|
||||
cmd2 = self.master.run_command(["sha256sum", epn_conf])
|
||||
- ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
|
||||
+ ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
|
||||
assert cmd2.stdout_text.find(ck) == 0
|
||||
|
||||
def test_EPN_smoketest_1(self):
|
||||
@@ -591,3 +591,23 @@ class TestEPN(IntegrationTest):
|
||||
self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
|
||||
result = tasks.ipa_epn(self.master, raiseonerr=False)
|
||||
assert "smtp_delay cannot be less than zero" in result.stderr_text
|
||||
+
|
||||
+ def test_EPN_admin(self):
|
||||
+ """The admin user is special and has no givenName by default
|
||||
+ It also doesn't by default have an e-mail address
|
||||
+ Check --dry-run output.
|
||||
+ """
|
||||
+ epn_conf = textwrap.dedent('''
|
||||
+ [global]
|
||||
+ ''')
|
||||
+ self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
|
||||
+ self.master.run_command(
|
||||
+ ['ipa', 'user-mod', 'admin', '--password-expiration',
|
||||
+ datetime_to_generalized_time(
|
||||
+ datetime.datetime.utcnow() + datetime.timedelta(days=7)
|
||||
+ )]
|
||||
+ )
|
||||
+ (unused, stderr_text, _unused) = self._check_epn_output(
|
||||
+ self.master, dry_run=True
|
||||
+ )
|
||||
+ assert "uid=admin" in stderr_text
|
||||
--
|
||||
2.26.2
|
||||
|
404
SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
Normal file
404
SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
Normal file
@ -0,0 +1,404 @@
|
||||
From 9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 4 Aug 2020 11:05:31 +0200
|
||||
Subject: [PATCH] ipatests: tasks.py: fix ipa-epn invocation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
|
||||
from_nbdays=0.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8449
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/pytest_ipa/integration/tasks.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index a3f7cc838..c0a592750 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -1470,9 +1470,9 @@ def ipa_epn(
|
||||
cmd.append("--dry-run")
|
||||
if mailtest:
|
||||
cmd.append("--mail-test")
|
||||
- if from_nbdays:
|
||||
+ if from_nbdays is not None:
|
||||
cmd.extend(("--from-nbdays", str(from_nbdays)))
|
||||
- if to_nbdays:
|
||||
+ if to_nbdays is not None:
|
||||
cmd.extend(("--to-nbdays", str(to_nbdays)))
|
||||
return host.run_command(cmd, raiseonerr=raiseonerr)
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 3b8fdd87760cfb8ec739c67298f012cf0bd3ac39 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 10:02:31 +0200
|
||||
Subject: [PATCH] ipatests: test_epn: test_EPN_nbdays enhancements
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Enhance test_EPN_nbdays so that it checks:
|
||||
* that no emails get sent when using --dry-run
|
||||
* that --from-nbdays implies --dry-run
|
||||
* that --to-nbdays requires --from-nbdays
|
||||
* illegal inputs for nbdays:
|
||||
** from-nbdays > to-nbdays
|
||||
** non-numerical input
|
||||
** decimal input
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8449
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 130 +++++++++++++++++++++++---
|
||||
1 file changed, 117 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index f4c123c6d..18f73c722 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -15,6 +15,13 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
+######
|
||||
+# This test suite will _expectedly_ fail if run at the end of the UTC day
|
||||
+# because users would be created during day N and then EPN output checked
|
||||
+# during day N+1. This is expected and should be ignored as it does not
|
||||
+# reflect a product bug. -- fcami
|
||||
+######
|
||||
+
|
||||
from __future__ import print_function, absolute_import
|
||||
|
||||
import base64
|
||||
@@ -178,12 +185,14 @@ class TestEPN(IntegrationTest):
|
||||
from_nbdays=None,
|
||||
to_nbdays=None,
|
||||
raiseonerr=True,
|
||||
+ validatejson=True
|
||||
):
|
||||
result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
|
||||
from_nbdays=from_nbdays,
|
||||
to_nbdays=to_nbdays)
|
||||
- json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
|
||||
- return (result.stdout_text, result.stderr_text)
|
||||
+ if validatejson:
|
||||
+ json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
|
||||
+ return (result.stdout_text, result.stderr_text, result.returncode)
|
||||
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
@@ -244,12 +253,12 @@ class TestEPN(IntegrationTest):
|
||||
''')
|
||||
self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
|
||||
# check EPN on client (LDAP+GSSAPI)
|
||||
- (stdout_text, unused) = self._check_epn_output(
|
||||
+ (stdout_text, unused, _unused) = self._check_epn_output(
|
||||
self.clients[0], dry_run=True
|
||||
)
|
||||
assert len(json.loads(stdout_text)) == 0
|
||||
# check EPN on master (LDAPI)
|
||||
- (stdout_text, unused) = self._check_epn_output(
|
||||
+ (stdout_text, unused, _unused) = self._check_epn_output(
|
||||
self.master, dry_run=True
|
||||
)
|
||||
assert len(json.loads(stdout_text)) == 0
|
||||
@@ -292,10 +301,10 @@ class TestEPN(IntegrationTest):
|
||||
),
|
||||
],
|
||||
)
|
||||
- (stdout_text_client, unused) = self._check_epn_output(
|
||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
||||
self.clients[0], dry_run=True
|
||||
)
|
||||
- (stdout_text_master, unused) = self._check_epn_output(
|
||||
+ (stdout_text_master, unused, _unused) = self._check_epn_output(
|
||||
self.master, dry_run=True
|
||||
)
|
||||
assert stdout_text_master == stdout_text_client
|
||||
@@ -331,10 +340,10 @@ class TestEPN(IntegrationTest):
|
||||
password=None,
|
||||
)
|
||||
|
||||
- (stdout_text_client, unused) = self._check_epn_output(
|
||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
||||
self.clients[0], dry_run=True
|
||||
)
|
||||
- (stdout_text_master, unused) = self._check_epn_output(
|
||||
+ (stdout_text_master, unused, _unused) = self._check_epn_output(
|
||||
self.master, dry_run=True
|
||||
)
|
||||
assert stdout_text_master == stdout_text_client
|
||||
@@ -344,22 +353,117 @@ class TestEPN(IntegrationTest):
|
||||
expected_users = ["user1", "user3", "user7", "user14", "user28"]
|
||||
assert sorted(user_lst) == sorted(expected_users)
|
||||
|
||||
- def test_EPN_nbdays(self):
|
||||
+ def test_EPN_nbdays_0(self, cleanupmail):
|
||||
"""Test the to/from nbdays options (implies --dry-run)
|
||||
|
||||
We have a set of users installed with varying expiration
|
||||
dates. Confirm that to/from nbdays finds them.
|
||||
+
|
||||
+ Make sure --dry-run does not accidentally send emails.
|
||||
"""
|
||||
|
||||
- # Compare the notify_ttls values
|
||||
+ # Use the notify_ttls values with a 1-day sliding window
|
||||
for i in self.notify_ttls:
|
||||
user_list = []
|
||||
- (stdout_text_client, unused) = self._check_epn_output(
|
||||
- self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True)
|
||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
||||
+ self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True
|
||||
+ )
|
||||
for user in json.loads(stdout_text_client):
|
||||
user_list.append(user["uid"])
|
||||
assert len(user_list) == 1
|
||||
- assert user_list[0] == "user%d" % i
|
||||
+ userid = "user{id}".format(id=i)
|
||||
+ assert user_list[0] == userid
|
||||
+
|
||||
+ # Check that the user list is expected for any given notify_ttls.
|
||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
||||
+ self.clients[0], to_nbdays=i
|
||||
+ )
|
||||
+ user_list = [user["uid"] for user in json.loads(stdout_text_client)]
|
||||
+ assert len(user_list) == 1
|
||||
+ assert user_list[0] == "user{id}".format(id=i - 1)
|
||||
+
|
||||
+ # make sure no emails were sent
|
||||
+ result = self.clients[0].run_command(['ls', '-lha', '/var/mail/'])
|
||||
+ assert userid not in result.stdout_text
|
||||
+
|
||||
+ def test_EPN_nbdays_1(self, cleanupmail):
|
||||
+ """Test that for a given range, we find the users in that range"""
|
||||
+
|
||||
+ # Use hardcoded date ranges for now
|
||||
+ for date_range in [(0, 5), (7, 15), (1, 20)]:
|
||||
+ expected_user_list = ["user{i}".format(i=i)
|
||||
+ for i in range(date_range[0], date_range[1])]
|
||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
||||
+ self.clients[0],
|
||||
+ from_nbdays=date_range[0],
|
||||
+ to_nbdays=date_range[1]
|
||||
+ )
|
||||
+ user_list = [user["uid"] for user in json.loads(stdout_text_client)]
|
||||
+ for user in expected_user_list:
|
||||
+ assert user in user_list
|
||||
+ for user in user_list:
|
||||
+ assert user in expected_user_list
|
||||
+
|
||||
+ # Test the to/from nbdays options behavior with illegal input
|
||||
+
|
||||
+ def test_EPN_nbdays_input_0(self):
|
||||
+ """Make sure that --to-nbdays implies --dry-run ;
|
||||
+ therefore check that the output is valid JSON and contains the
|
||||
+ expected user.
|
||||
+ """
|
||||
+
|
||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
||||
+ self.clients[0], to_nbdays=5, dry_run=False
|
||||
+ )
|
||||
+ assert len(json.loads(stdout_text_client)) == 1
|
||||
+ assert json.loads(stdout_text_client)[0]["uid"] == "user4"
|
||||
+
|
||||
+ def test_EPN_nbdays_input_1(self):
|
||||
+ """Make sure that --from-nbdays cannot be used without --to-nbdays"""
|
||||
+
|
||||
+ (unused, stderr_text_client, rc) = \
|
||||
+ self._check_epn_output(
|
||||
+ self.clients[0], from_nbdays=3,
|
||||
+ raiseonerr=False, validatejson=False
|
||||
+ )
|
||||
+ assert "You cannot specify --from-nbdays without --to-nbdays" \
|
||||
+ in stderr_text_client
|
||||
+ assert rc > 0
|
||||
+
|
||||
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
+ def test_EPN_nbdays_input_2(self):
|
||||
+ """alpha input"""
|
||||
+
|
||||
+ (unused, stderr, rc) = self._check_epn_output(
|
||||
+ self.clients[0], to_nbdays="abc",
|
||||
+ raiseonerr=False, validatejson=False
|
||||
+ )
|
||||
+ assert "error: --to-nbdays must be an integer." in stderr
|
||||
+ assert rc > 0
|
||||
+
|
||||
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
+ def test_EPN_nbdays_input_3(self):
|
||||
+ """from_nbdays > to_nbdays"""
|
||||
+
|
||||
+ (unused, stderr, rc) = self._check_epn_output(
|
||||
+ self.clients[0], from_nbdays=9, to_nbdays=7,
|
||||
+ raiseonerr=False, validatejson=False
|
||||
+ )
|
||||
+ assert "error: --from-nbdays must be smaller than --to-nbdays." in \
|
||||
+ stderr
|
||||
+ assert rc > 0
|
||||
+
|
||||
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
+ def test_EPN_nbdays_input_4(self):
|
||||
+ """decimal input"""
|
||||
+
|
||||
+ (unused, stderr, rc) = self._check_epn_output(
|
||||
+ self.clients[0], to_nbdays=7.3,
|
||||
+ raiseonerr=False, validatejson=False
|
||||
+ )
|
||||
+ logger.info(stderr)
|
||||
+ assert rc > 0
|
||||
+ assert "error: --to-nbdays must be an integer." in stderr
|
||||
|
||||
# From here the tests build on one another:
|
||||
# 1) add auth
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From b4266023e04729db12de2f7e0de4da9e1d00db38 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Fri, 7 Aug 2020 19:08:39 +0200
|
||||
Subject: [PATCH] ipatests: test_epn: update error messages
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Update error messages in the test.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8449
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index e03521193..af662140a 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -458,7 +458,7 @@ class TestEPN(IntegrationTest):
|
||||
self.clients[0], to_nbdays="abc",
|
||||
raiseonerr=False, validatejson=False
|
||||
)
|
||||
- assert "error: --to-nbdays must be an integer." in stderr
|
||||
+ assert "error: --to-nbdays must be a positive integer." in stderr
|
||||
assert rc > 0
|
||||
|
||||
@pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
@@ -483,7 +483,7 @@ class TestEPN(IntegrationTest):
|
||||
)
|
||||
logger.info(stderr)
|
||||
assert rc > 0
|
||||
- assert "error: --to-nbdays must be an integer." in stderr
|
||||
+ assert "error: --to-nbdays must be a positive integer." in stderr
|
||||
|
||||
# From here the tests build on one another:
|
||||
# 1) add auth
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 2809084a44e3b174fa48a611e79f04358e1d6dca Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 09:05:31 +0200
|
||||
Subject: [PATCH] IPA-EPN: enhance input validation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Enhance input validation:
|
||||
* make sure --from-nbdays and --to-nbdays are integer
|
||||
* make sure --from-nbdays < --to-nbdays
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8444
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaclient/install/ipa_epn.py | 28 +++++++++++++++++++++++++--
|
||||
ipatests/test_integration/test_epn.py | 3 ---
|
||||
2 files changed, 26 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
|
||||
index 82d7b3f57..88c926e88 100644
|
||||
--- a/ipaclient/install/ipa_epn.py
|
||||
+++ b/ipaclient/install/ipa_epn.py
|
||||
@@ -246,9 +246,33 @@ class EPN(admintool.AdminTool):
|
||||
|
||||
def validate_options(self):
|
||||
super(EPN, self).validate_options(needs_root=True)
|
||||
- if self.options.to_nbdays:
|
||||
+ if self.options.to_nbdays is not None:
|
||||
+ try:
|
||||
+ if int(self.options.to_nbdays) < 0:
|
||||
+ raise RuntimeError('Input is negative.')
|
||||
+ except Exception as e:
|
||||
+ self.option_parser.error(
|
||||
+ "--to-nbdays must be a positive integer. "
|
||||
+ "{error}".format(error=e)
|
||||
+ )
|
||||
self.options.dry_run = True
|
||||
- if self.options.from_nbdays and not self.options.to_nbdays:
|
||||
+ if self.options.from_nbdays is not None:
|
||||
+ try:
|
||||
+ if int(self.options.from_nbdays) < 0:
|
||||
+ raise RuntimeError('Input is negative.')
|
||||
+ except Exception as e:
|
||||
+ self.option_parser.error(
|
||||
+ "--from-nbdays must be a positive integer. "
|
||||
+ "{error}".format(error=e)
|
||||
+ )
|
||||
+ if self.options.from_nbdays is not None and \
|
||||
+ self.options.to_nbdays is not None:
|
||||
+ if int(self.options.from_nbdays) >= int(self.options.to_nbdays):
|
||||
+ self.option_parser.error(
|
||||
+ "--from-nbdays must be smaller than --to-nbdays."
|
||||
+ )
|
||||
+ if self.options.from_nbdays is not None and \
|
||||
+ self.options.to_nbdays is None:
|
||||
self.option_parser.error(
|
||||
"You cannot specify --from-nbdays without --to-nbdays"
|
||||
)
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index af662140a..fc26888cb 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -450,7 +450,6 @@ class TestEPN(IntegrationTest):
|
||||
in stderr_text_client
|
||||
assert rc > 0
|
||||
|
||||
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
def test_EPN_nbdays_input_2(self):
|
||||
"""alpha input"""
|
||||
|
||||
@@ -461,7 +460,6 @@ class TestEPN(IntegrationTest):
|
||||
assert "error: --to-nbdays must be a positive integer." in stderr
|
||||
assert rc > 0
|
||||
|
||||
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
def test_EPN_nbdays_input_3(self):
|
||||
"""from_nbdays > to_nbdays"""
|
||||
|
||||
@@ -473,7 +471,6 @@ class TestEPN(IntegrationTest):
|
||||
stderr
|
||||
assert rc > 0
|
||||
|
||||
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
||||
def test_EPN_nbdays_input_4(self):
|
||||
"""decimal input"""
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,141 @@
|
||||
From 3cf7fb1014ae40fd5a5278f27577a8196a4af051 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Fri, 7 Aug 2020 07:51:53 +0200
|
||||
Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add a test for EPN behavior when the configured SMTP does not
|
||||
accept connections.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8445
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 27 ++++++++++++++++++++++++---
|
||||
1 file changed, 24 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index c5c73835a..1a25d3710 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -182,14 +182,20 @@ class TestEPN(IntegrationTest):
|
||||
self,
|
||||
host,
|
||||
dry_run=False,
|
||||
+ mailtest=False,
|
||||
from_nbdays=None,
|
||||
to_nbdays=None,
|
||||
raiseonerr=True,
|
||||
validatejson=True
|
||||
):
|
||||
- result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
|
||||
- from_nbdays=from_nbdays,
|
||||
- to_nbdays=to_nbdays)
|
||||
+ result = tasks.ipa_epn(
|
||||
+ host,
|
||||
+ from_nbdays=from_nbdays,
|
||||
+ to_nbdays=to_nbdays,
|
||||
+ mailtest=mailtest,
|
||||
+ dry_run=dry_run,
|
||||
+ raiseonerr=raiseonerr
|
||||
+ )
|
||||
if validatejson:
|
||||
json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
|
||||
return (result.stdout_text, result.stderr_text, result.returncode)
|
||||
@@ -243,6 +249,21 @@ class TestEPN(IntegrationTest):
|
||||
ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
|
||||
assert cmd2.stdout_text.find(ck) == 0
|
||||
|
||||
+ @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
|
||||
+ def test_EPN_connection_refused(self):
|
||||
+ """Test EPN behavior when the configured SMTP is down
|
||||
+ """
|
||||
+
|
||||
+ self.master.run_command(["systemctl", "stop", "postfix"])
|
||||
+ (unused, stderr_text, rc) = self._check_epn_output(
|
||||
+ self.master, mailtest=True,
|
||||
+ raiseonerr=False, validatejson=False
|
||||
+ )
|
||||
+ self.master.run_command(["systemctl", "start", "postfix"])
|
||||
+ assert "IPA-EPN: Could not connect to the configured SMTP server" in \
|
||||
+ stderr_text
|
||||
+ assert rc > 0
|
||||
+
|
||||
def test_EPN_smoketest_1(self):
|
||||
"""No users except admin. Check --dry-run output.
|
||||
With the default configuration, the result should be an empty list.
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 53f330b053740b169d211aa16b3b36fb61157bbd Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Fri, 7 Aug 2020 06:19:31 +0200
|
||||
Subject: [PATCH] IPA-EPN: Fix SMTP connection error handling
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Enhance error message when SMTP is down.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8445
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaclient/install/ipa_epn.py | 17 ++++++++++-------
|
||||
ipatests/test_integration/test_epn.py | 1 -
|
||||
2 files changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
|
||||
index 0d1ae2add..82d7b3f57 100644
|
||||
--- a/ipaclient/install/ipa_epn.py
|
||||
+++ b/ipaclient/install/ipa_epn.py
|
||||
@@ -38,6 +38,7 @@ from email.mime.multipart import MIMEMultipart
|
||||
from email.mime.text import MIMEText
|
||||
from email.header import Header
|
||||
from email.utils import make_msgid
|
||||
+from socket import error as socketerror
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipalib import api, errors
|
||||
@@ -640,13 +641,15 @@ class MTAClient:
|
||||
port=self._smtp_port,
|
||||
timeout=self._smtp_timeout,
|
||||
)
|
||||
- except smtplib.SMTPException as e:
|
||||
- logger.error(
|
||||
- "IPA-EPN: Unable to connect to %s:%s: %s",
|
||||
- self._smtp_hostname,
|
||||
- self._smtp_port,
|
||||
- e,
|
||||
- )
|
||||
+ except (socketerror, smtplib.SMTPException) as e:
|
||||
+ msg = \
|
||||
+ "IPA-EPN: Could not connect to the configured SMTP server: " \
|
||||
+ "{host}:{port}: {error}".format(
|
||||
+ host=self._smtp_hostname,
|
||||
+ port=self._smtp_port,
|
||||
+ error=e
|
||||
+ )
|
||||
+ raise admintool.ScriptError(msg)
|
||||
|
||||
try:
|
||||
self._conn.ehlo()
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index 1a25d3710..e03521193 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -249,7 +249,6 @@ class TestEPN(IntegrationTest):
|
||||
ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
|
||||
assert cmd2.stdout_text.find(ck) == 0
|
||||
|
||||
- @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
|
||||
def test_EPN_connection_refused(self):
|
||||
"""Test EPN behavior when the configured SMTP is down
|
||||
"""
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,110 @@
|
||||
From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 4 Aug 2020 15:09:56 -0400
|
||||
Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
|
||||
|
||||
It was previously being set to 0444 which triggered a warning
|
||||
in freeipa-healthcheck.
|
||||
|
||||
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
|
||||
which may not be available in some environments.
|
||||
|
||||
https://pagure.io/freeipa/issue/8441
|
||||
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/install/certs.py | 2 +-
|
||||
ipaserver/install/server/install.py | 5 ++---
|
||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
|
||||
index 22ee79bd1..51d9f9221 100644
|
||||
--- a/ipaserver/install/certs.py
|
||||
+++ b/ipaserver/install/certs.py
|
||||
@@ -329,7 +329,7 @@ class CertDB:
|
||||
ipautil.backup_file(cacert_fname)
|
||||
root_nicknames = self.find_root_cert(nickname)[:-1]
|
||||
with open(cacert_fname, "w") as f:
|
||||
- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
|
||||
+ os.fchmod(f.fileno(), 0o644)
|
||||
for root in root_nicknames:
|
||||
result = self.run_certutil(["-L", "-n", root, "-a"],
|
||||
capture_output=True)
|
||||
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
||||
index b53c58e2a..6a593602f 100644
|
||||
--- a/ipaserver/install/server/install.py
|
||||
+++ b/ipaserver/install/server/install.py
|
||||
@@ -891,9 +891,8 @@ def install(installer):
|
||||
|
||||
ca.install_step_0(False, None, options, custodia=custodia)
|
||||
else:
|
||||
- # Put the CA cert where other instances expect it
|
||||
- x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
|
||||
- os.chmod(paths.IPA_CA_CRT, 0o444)
|
||||
+ # /etc/ipa/ca.crt is created as a side-effect of
|
||||
+ # dsinstance::enable_ssl() via export_ca_cert()
|
||||
|
||||
if not options.no_pkinit:
|
||||
x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 4 Aug 2020 15:12:20 -0400
|
||||
Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new
|
||||
installations
|
||||
|
||||
It should be 0644 root:root for both CA-ful and CA-less installs.
|
||||
|
||||
https://pagure.io/freeipa/issue/8441
|
||||
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_caless.py | 8 ++++++++
|
||||
ipatests/test_integration/test_installation.py | 10 ++++++++++
|
||||
2 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
|
||||
index 1ea7d9896..16dfbb320 100644
|
||||
--- a/ipatests/test_integration/test_caless.py
|
||||
+++ b/ipatests/test_integration/test_caless.py
|
||||
@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
|
||||
host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
|
||||
assert cert_from_ldap == expected_cacrt
|
||||
|
||||
+ result = host.run_command(
|
||||
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
|
||||
+ )
|
||||
+ (owner, group, mode) = result.stdout_text.strip().split(':')
|
||||
+ assert owner == "root"
|
||||
+ assert group == "root"
|
||||
+ assert mode == "644"
|
||||
+
|
||||
# Verify certmonger was not started
|
||||
result = host.run_command(['getcert', 'list'], raiseonerr=False)
|
||||
assert result.returncode == 0
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index 100a5a766..fb1990083 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
|
||||
status = tasks.wait_for_request(self.master, request_id[0], 300)
|
||||
assert status == "MONITORING"
|
||||
|
||||
+ def test_ipa_ca_crt_permissions(self):
|
||||
+ """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
|
||||
+ result = self.master.run_command(
|
||||
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
|
||||
+ )
|
||||
+ out = str(result.stdout_text.strip())
|
||||
+ (owner, group, mode) = out.split(':')
|
||||
+ assert mode == "644"
|
||||
+ assert owner == "root"
|
||||
+ assert group == "root"
|
||||
|
||||
class TestInstallWithCA_KRA1(InstallTestBase1):
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,62 @@
|
||||
From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Mon, 7 Sep 2020 11:07:21 +0200
|
||||
Subject: [PATCH] SELinux Policy: let custodia replicate keys
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Enhance the SELinux policy so that custodia can replicate sub-CA keys
|
||||
and certificates:
|
||||
allow ipa_custodia_t self:tcp_socket { bind create };
|
||||
allow ipa_custodia_t node_t:tcp_socket node_bind;
|
||||
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
||||
allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
||||
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
||||
allow ipa_custodia_t self:process execmem;
|
||||
|
||||
Found by: test_replica_promotion::TestSubCAkeyReplication
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index c4c3fa805..3fa4ba980 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
|
||||
type ipa_custodia_tmp_t;
|
||||
files_tmp_file(ipa_custodia_tmp_t)
|
||||
|
||||
+type pki_tomcat_cert_t;
|
||||
+type node_t;
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# ipa_otpd local policy
|
||||
@@ -323,10 +326,18 @@ optional_policy(`
|
||||
allow ipa_custodia_t self:capability { setgid setuid };
|
||||
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
+allow ipa_custodia_t self:process execmem;
|
||||
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
||||
+allow ipa_custodia_t self:tcp_socket { bind create };
|
||||
allow ipa_custodia_t self:udp_socket create_socket_perms;
|
||||
|
||||
+allow ipa_custodia_t node_t:tcp_socket node_bind;
|
||||
+
|
||||
+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
||||
+allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
||||
+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
||||
+
|
||||
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
||||
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,117 @@
|
||||
Adapted version of d1c860e59b52. to make it apply without commits
|
||||
|
||||
34b4d9bce5 - ipatests: Test ipa user login with wrong password
|
||||
ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool.
|
||||
|
||||
From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 16 Sep 2020 17:07:21 +0200
|
||||
Subject: [PATCH] ipatests: check that pkispawn log is not empty
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since commits:
|
||||
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
|
||||
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
|
||||
pkispawn will not honor the pki_log_level configuration item.
|
||||
All 10.9 Dogtag versions have these commits.
|
||||
This affects FreeIPA in that it makes debugging Dogtag installation issues next
|
||||
to impossible.
|
||||
Adding --debug to the pkispawn CLI is required to revert to the previous
|
||||
behavior.
|
||||
Therefore check that the log is not empty and contains DEBUG+INFO lines.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8503
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||
index fa6abd81e..3a12bcde2 100644
|
||||
--- a/ipatests/test_integration/test_commands.py
|
||||
+++ b/ipatests/test_integration/test_commands.py
|
||||
@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest):
|
||||
assert msg2 not in result.stderr_text
|
||||
finally:
|
||||
bashrc_backup.restore()
|
||||
+
|
||||
+ def test_pkispawn_log_is_present(self):
|
||||
+ """
|
||||
+ This testcase checks if pkispawn logged properly.
|
||||
+ It is a candidate from being moved out of test_commands.
|
||||
+ """
|
||||
+ result = self.master.run_command(
|
||||
+ ["ls", "/var/log/pki/"]
|
||||
+ )
|
||||
+ pkispawnlogfile = None
|
||||
+ for file in result.stdout_text.splitlines():
|
||||
+ if file.startswith("pki-ca-spawn"):
|
||||
+ pkispawnlogfile = file
|
||||
+ break
|
||||
+ assert pkispawnlogfile is not None
|
||||
+ pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
|
||||
+ pkispawnlog = self.master.get_file_contents(
|
||||
+ pkispawnlogfile, encoding='utf-8'
|
||||
+ )
|
||||
+ # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
|
||||
+ assert len(pkispawnlog) > 1024
|
||||
+ assert "DEBUG" in pkispawnlog
|
||||
+ assert "INFO" in pkispawnlog
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Thu, 17 Sep 2020 07:31:59 +0200
|
||||
Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since commits:
|
||||
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
|
||||
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
|
||||
pkispawn will not honor the pki_log_level configuration item.
|
||||
All 10.9 Dogtag versions have these commits.
|
||||
This affects FreeIPA in that it makes debugging Dogtag installation issues next
|
||||
to impossible.
|
||||
Adding --debug to the pkispawn CLI is required to revert to the previous
|
||||
behavior.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8503
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/install/dogtaginstance.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index 524262ad7..03fdd7c0b 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -183,7 +183,8 @@ class DogtagInstance(service.Service):
|
||||
subsystem = self.subsystem
|
||||
args = [paths.PKISPAWN,
|
||||
"-s", subsystem,
|
||||
- "-f", cfg_file]
|
||||
+ "-f", cfg_file,
|
||||
+ "--debug"]
|
||||
|
||||
with open(cfg_file) as f:
|
||||
logger.debug(
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,549 @@
|
||||
From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Thu, 17 Sep 2020 11:30:45 +0200
|
||||
Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
enhance the test suite so that it covers:
|
||||
- deleting subCAs (disabling them first)
|
||||
- checking what happens when creating a dozen+ subCAs at a time
|
||||
- adding a subCA that already exists and expect failure
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
.../test_replica_promotion.py | 52 +++++++++++++++++--
|
||||
1 file changed, 47 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||
index 82117054f..f0b72e1f8 100644
|
||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
|
||||
SERVER_CERT_NICK: 'u,u,u',
|
||||
}
|
||||
|
||||
- def add_subca(self, host, name, subject):
|
||||
+ def add_subca(self, host, name, subject, raiseonerr=True):
|
||||
result = host.run_command([
|
||||
'ipa', 'ca-add', name,
|
||||
'--subject', subject,
|
||||
- '--desc', self.SUBCA_DESC,
|
||||
+ '--desc', self.SUBCA_DESC],
|
||||
+ raiseonerr=raiseonerr
|
||||
+ )
|
||||
+ if raiseonerr:
|
||||
+ assert "ipa: ERROR:" not in result.stderr_text
|
||||
+ auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
|
||||
+ return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
|
||||
+ else:
|
||||
+ assert "ipa: ERROR:" in result.stderr_text
|
||||
+ assert result.returncode != 0
|
||||
+ return result
|
||||
+
|
||||
+ def del_subca(self, host, name):
|
||||
+ host.run_command([
|
||||
+ 'ipa', 'ca-disable', name
|
||||
])
|
||||
- auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
|
||||
- return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
|
||||
+ result = host.run_command([
|
||||
+ 'ipa', 'ca-del', name
|
||||
+ ])
|
||||
+ assert "Deleted CA \"{}\"".format(name) in result.stdout_text
|
||||
|
||||
def check_subca(self, host, name, cert_nick):
|
||||
- host.run_command(['ipa', 'ca-show', name])
|
||||
+ result = host.run_command(['ipa', 'ca-show', name])
|
||||
+ # ipa ca-show returns 0 even if the cert cannot be found locally.
|
||||
+ assert "ipa: ERROR:" not in result.stderr_text
|
||||
tasks.run_certutil(
|
||||
host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
|
||||
)
|
||||
@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
|
||||
ssl = replica.run_command(ssl_cmd)
|
||||
assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
|
||||
|
||||
+ def test_del_subca_master_on_replica(self):
|
||||
+ self.del_subca(self.replicas[0], self.SUBCA_MASTER)
|
||||
+
|
||||
+ def test_del_subca_replica(self):
|
||||
+ self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
|
||||
+
|
||||
+ def test_scale_add_subca(self):
|
||||
+ master = self.master
|
||||
+ replica = self.replicas[0]
|
||||
+
|
||||
+ subcas = {}
|
||||
+ for i in range(0, 16):
|
||||
+ name = "_".join((self.SUBCA_MASTER, str(i)))
|
||||
+ cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
|
||||
+ subcas[name] = self.add_subca(master, name, cn)
|
||||
+ self.add_subca(master, name, cn, raiseonerr=False)
|
||||
+
|
||||
+ # give replication some time
|
||||
+ time.sleep(15)
|
||||
+
|
||||
+ for name in subcas:
|
||||
+ self.check_subca(replica, name, subcas[name])
|
||||
+ self.del_subca(replica, name)
|
||||
+
|
||||
|
||||
class TestReplicaInstallCustodia(IntegrationTest):
|
||||
"""
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Fri, 18 Sep 2020 11:55:37 +0200
|
||||
Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
|
||||
Make sure tomcat_t can execute ipa-pki-retrieve-key.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.fc | 1 +
|
||||
selinux/ipa.te | 28 ++++++++++++++++++++++++++++
|
||||
2 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
|
||||
index a98cc4665..1176f383c 100644
|
||||
--- a/selinux/ipa.fc
|
||||
+++ b/selinux/ipa.fc
|
||||
@@ -30,5 +30,6 @@
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
|
||||
+/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
|
||||
|
||||
/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 3fa4ba980..26daed293 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
|
||||
type pki_tomcat_cert_t;
|
||||
type node_t;
|
||||
|
||||
+type ipa_pki_retrieve_key_exec_t;
|
||||
+init_script_file(ipa_pki_retrieve_key_exec_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# ipa_otpd local policy
|
||||
@@ -412,3 +415,28 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
systemd_private_tmp(ipa_custodia_tmp_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type tomcat_t;
|
||||
+ ')
|
||||
+ can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
|
||||
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type devlog_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ java_exec(ipa_custodia_pki_tomcat_exec_t)
|
||||
+ # allow Java to read system status and RNG
|
||||
+ dev_read_urand(ipa_custodia_t)
|
||||
+ dev_read_rand(ipa_custodia_t)
|
||||
+ kernel_read_network_state(ipa_custodia_t)
|
||||
+ dev_read_sysfs(ipa_custodia_t)
|
||||
+')
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Fri, 18 Sep 2020 17:45:39 +0200
|
||||
Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is used by the JVM perf counters.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 26daed293..0a9ccaf83 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
||||
+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
||||
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
||||
|
||||
kernel_dgram_send(ipa_custodia_t)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Mon, 21 Sep 2020 11:32:52 +0200
|
||||
Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
|
||||
ipa_pki_retrieve_key_t
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
|
||||
ipa_pki_retrieve_key_exec_t.
|
||||
As suggested by Ondrej Mosnáček.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 0a9ccaf83..92a3b2359 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -78,6 +78,8 @@ type node_t;
|
||||
type ipa_pki_retrieve_key_exec_t;
|
||||
init_script_file(ipa_pki_retrieve_key_exec_t)
|
||||
|
||||
+type ipa_pki_retrieve_key_t;
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# ipa_otpd local policy
|
||||
@@ -422,7 +424,7 @@ optional_policy(`
|
||||
type tomcat_t;
|
||||
')
|
||||
can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
|
||||
- pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
|
||||
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Mon, 21 Sep 2020 11:37:12 +0200
|
||||
Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
|
||||
ipa_custodia_pki_tomcat_t
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
|
||||
ipa_custodia_pki_tomcat_t.
|
||||
As suggested by Ondrej Mosnáček.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 92a3b2359..b2c618a53 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
|
||||
type ipa_custodia_pki_tomcat_exec_t;
|
||||
init_script_file(ipa_custodia_pki_tomcat_exec_t)
|
||||
|
||||
+type ipa_custodia_pki_tomcat_t;
|
||||
+
|
||||
type ipa_custodia_ra_agent_exec_t;
|
||||
init_script_file(ipa_custodia_ra_agent_exec_t)
|
||||
|
||||
@@ -436,7 +438,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- java_exec(ipa_custodia_pki_tomcat_exec_t)
|
||||
+ java_exec(ipa_custodia_pki_tomcat_t)
|
||||
# allow Java to read system status and RNG
|
||||
dev_read_urand(ipa_custodia_t)
|
||||
dev_read_rand(ipa_custodia_t)
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 22 Sep 2020 11:36:13 +0200
|
||||
Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
|
||||
domain_type
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index b2c618a53..42b010133 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
|
||||
type node_t;
|
||||
|
||||
type ipa_pki_retrieve_key_exec_t;
|
||||
+domain_type(ipa_pki_retrieve_key_exec_t)
|
||||
init_script_file(ipa_pki_retrieve_key_exec_t)
|
||||
|
||||
type ipa_pki_retrieve_key_t;
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 22 Sep 2020 13:12:05 +0200
|
||||
Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
|
||||
non-optional
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Interfaces for kernel modules do not need to be in an optional module.
|
||||
Also make sure ipa_custodia_t can log.
|
||||
Suggested by Lukas Vrabec.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 16 +++++++++-------
|
||||
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 42b010133..f984a0f94 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
|
||||
type node_t;
|
||||
|
||||
type ipa_pki_retrieve_key_exec_t;
|
||||
-domain_type(ipa_pki_retrieve_key_exec_t)
|
||||
-init_script_file(ipa_pki_retrieve_key_exec_t)
|
||||
-
|
||||
type ipa_pki_retrieve_key_t;
|
||||
+domain_type(ipa_pki_retrieve_key_t)
|
||||
+init_script_file(ipa_pki_retrieve_key_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
||||
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
||||
|
||||
kernel_dgram_send(ipa_custodia_t)
|
||||
+kernel_read_network_state(ipa_custodia_t)
|
||||
|
||||
auth_read_passwd(ipa_custodia_t)
|
||||
|
||||
@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
|
||||
corecmd_exec_bin(ipa_custodia_t)
|
||||
corecmd_mmap_bin_files(ipa_custodia_t)
|
||||
|
||||
+dev_read_urand(ipa_custodia_t)
|
||||
+dev_read_rand(ipa_custodia_t)
|
||||
+dev_read_sysfs(ipa_custodia_t)
|
||||
+
|
||||
domain_use_interactive_fds(ipa_custodia_t)
|
||||
|
||||
files_mmap_usr_files(ipa_custodia_t)
|
||||
@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
|
||||
libs_exec_ldconfig(ipa_custodia_t)
|
||||
libs_ldconfig_exec_entry_type(ipa_custodia_t)
|
||||
|
||||
+logging_send_syslog_msg(ipa_custodia_t)
|
||||
+
|
||||
miscfiles_read_generic_certs(ipa_custodia_t)
|
||||
miscfiles_read_localization(ipa_custodia_t)
|
||||
|
||||
@@ -441,8 +447,4 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
java_exec(ipa_custodia_pki_tomcat_t)
|
||||
# allow Java to read system status and RNG
|
||||
- dev_read_urand(ipa_custodia_t)
|
||||
- dev_read_rand(ipa_custodia_t)
|
||||
- kernel_read_network_state(ipa_custodia_t)
|
||||
- dev_read_sysfs(ipa_custodia_t)
|
||||
')
|
||||
--
|
||||
2.26.2
|
||||
|
||||
From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 22 Sep 2020 13:34:40 +0200
|
||||
Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is required to fix:
|
||||
avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
|
||||
|
||||
Macros suggested by: Ondrej Mosnacek
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8488
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index f984a0f94..fa577191c 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -448,3 +448,11 @@ optional_policy(`
|
||||
java_exec(ipa_custodia_pki_tomcat_t)
|
||||
# allow Java to read system status and RNG
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type tomcat_t;
|
||||
+ ')
|
||||
+ kerberos_read_config(tomcat_t)
|
||||
+ kerberos_read_keytab(tomcat_t)
|
||||
+')
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,68 @@
|
||||
From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 23 Sep 2020 09:17:53 +0200
|
||||
Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
node_t and pki_tomcat_cert_t are defined in other modules.
|
||||
Do not double-define them.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8513
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 25 ++++++++++++++++---------
|
||||
1 file changed, 16 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index fa577191c..d80e64a0b 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
|
||||
type ipa_custodia_tmp_t;
|
||||
files_tmp_file(ipa_custodia_tmp_t)
|
||||
|
||||
-type pki_tomcat_cert_t;
|
||||
-type node_t;
|
||||
-
|
||||
type ipa_pki_retrieve_key_exec_t;
|
||||
type ipa_pki_retrieve_key_t;
|
||||
domain_type(ipa_pki_retrieve_key_t)
|
||||
@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ipa_custodia_t self:tcp_socket { bind create };
|
||||
allow ipa_custodia_t self:udp_socket create_socket_perms;
|
||||
|
||||
-allow ipa_custodia_t node_t:tcp_socket node_bind;
|
||||
-
|
||||
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
||||
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
||||
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
||||
-
|
||||
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
||||
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
||||
@@ -456,3 +447,19 @@ optional_policy(`
|
||||
kerberos_read_config(tomcat_t)
|
||||
kerberos_read_keytab(tomcat_t)
|
||||
')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type node_t;
|
||||
+ ')
|
||||
+ allow ipa_custodia_t node_t:tcp_socket node_bind;
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type pki_tomcat_cert_t;
|
||||
+ ')
|
||||
+ allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
||||
+ allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
||||
+ allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
||||
+')
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,215 @@
|
||||
Adapted patch for ipatests/test_integration/test_installation.py due to
|
||||
missing commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account
|
||||
takeover).
|
||||
|
||||
From 87e5c0500b76b7cbeecedc0c28d44095c7063186 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Thu, 24 Sep 2020 12:32:37 +0200
|
||||
Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
|
||||
|
||||
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
|
||||
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
|
||||
working. Installations with 389-DS 1.4.3 and newer are affected.
|
||||
|
||||
Low lock count can affect performance during high load, e.g. mass-import
|
||||
of users or lots of concurrent connections.
|
||||
|
||||
Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8515
|
||||
See: https://pagure.io/freeipa/issue/5914
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 17 ++++++-----------
|
||||
install/share/Makefile.am | 1 +
|
||||
install/share/ldbm-tuning.ldif | 4 ++++
|
||||
install/updates/10-db-locks.update | 10 ++++++++++
|
||||
install/updates/Makefile.am | 1 +
|
||||
ipapython/ipaldap.py | 1 +
|
||||
ipaserver/install/dsinstance.py | 9 ++++-----
|
||||
.../test_customized_ds_config_install.py | 3 ++-
|
||||
.../test_integration/test_installation.py | 19 +++++++++++++++++++
|
||||
9 files changed, 48 insertions(+), 17 deletions(-)
|
||||
create mode 100644 install/share/ldbm-tuning.ldif
|
||||
create mode 100644 install/updates/10-db-locks.update
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 1db7d6457..8e6736b60 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -55,10 +55,9 @@
|
||||
%global selinux_policy_version 3.14.3-21
|
||||
%global slapi_nis_version 0.56.1-4
|
||||
%global python_ldap_version 3.1.0-1
|
||||
-# python3-lib389
|
||||
-# Fix for "Installation fails: Replica Busy"
|
||||
-# https://pagure.io/389-ds-base/issue/49818
|
||||
-%global ds_version 1.4.0.16
|
||||
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
|
||||
+# https://pagure.io/freeipa/issue/8515
|
||||
+%global ds_version 1.4.3
|
||||
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
||||
%global httpd_version 2.4.37-21
|
||||
|
||||
@@ -89,13 +88,9 @@
|
||||
|
||||
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
|
||||
%global python_ldap_version 3.1.0-1
|
||||
-# Fix for create suffix
|
||||
-# https://pagure.io/389-ds-base/issue/49984
|
||||
-%if 0%{?fedora} >= 30
|
||||
-%global ds_version 1.4.1.1
|
||||
-%else
|
||||
-%global ds_version 1.4.0.21
|
||||
-%endif
|
||||
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
|
||||
+# https://pagure.io/freeipa/issue/8515
|
||||
+%global ds_version 1.4.3
|
||||
|
||||
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
||||
%if 0%{?fedora} >= 31
|
||||
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
||||
index 53bd8f5d5..53485edfa 100644
|
||||
--- a/install/share/Makefile.am
|
||||
+++ b/install/share/Makefile.am
|
||||
@@ -102,6 +102,7 @@ dist_app_DATA = \
|
||||
ipaca_default.ini \
|
||||
ipaca_customize.ini \
|
||||
ipaca_softhsm2.ini \
|
||||
+ ldbm-tuning.ldif \
|
||||
$(NULL)
|
||||
|
||||
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
|
||||
diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
|
||||
new file mode 100644
|
||||
index 000000000..765ccb01a
|
||||
--- /dev/null
|
||||
+++ b/install/share/ldbm-tuning.ldif
|
||||
@@ -0,0 +1,4 @@
|
||||
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
|
||||
+changetype: modify
|
||||
+replace: nsslapd-db-locks
|
||||
+nsslapd-db-locks: 50000
|
||||
diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
|
||||
new file mode 100644
|
||||
index 000000000..31d2e4352
|
||||
--- /dev/null
|
||||
+++ b/install/updates/10-db-locks.update
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Fix nsslapd-db-locks move
|
||||
+# https://pagure.io/freeipa/issue/8515
|
||||
+
|
||||
+# replace 389-DS default with 50000 locks
|
||||
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
|
||||
+replace: nsslapd-db-locks:10000::50000
|
||||
+
|
||||
+# remove setting from old location
|
||||
+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
|
||||
+remove: nsslapd-db-locks: 50000
|
||||
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
||||
index 8a4d9cc6c..957ad4fa2 100644
|
||||
--- a/install/updates/Makefile.am
|
||||
+++ b/install/updates/Makefile.am
|
||||
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
|
||||
app_DATA = \
|
||||
05-pre_upgrade_plugins.update \
|
||||
10-config.update \
|
||||
+ 10-db-locks.update \
|
||||
10-enable-betxn.update \
|
||||
10-ipapwd.update \
|
||||
10-selinuxusermap.update \
|
||||
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
||||
index 3eac95a87..5c43413cc 100644
|
||||
--- a/ipapython/ipaldap.py
|
||||
+++ b/ipapython/ipaldap.py
|
||||
@@ -753,6 +753,7 @@ class LDAPClient:
|
||||
'nsslapd-anonlimitsdn': True,
|
||||
'nsslapd-minssf-exclude-rootdse': True,
|
||||
'nsslapd-enable-upgrade-hash': True,
|
||||
+ 'nsslapd-db-locks': True,
|
||||
})
|
||||
|
||||
time_limit = -1.0 # unlimited
|
||||
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
||||
index 3fc0de371..065c6f78f 100644
|
||||
--- a/ipaserver/install/dsinstance.py
|
||||
+++ b/ipaserver/install/dsinstance.py
|
||||
@@ -226,6 +226,7 @@ class DsInstance(service.Service):
|
||||
|
||||
self.step("creating directory server instance", self.__create_instance)
|
||||
self.step("configure autobind for root", self.__root_autobind)
|
||||
+ self.step("tune ldbm plugin", self.__tune_ldbm)
|
||||
self.step("stopping directory server", self.__stop_instance)
|
||||
self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
|
||||
self.step("starting directory server", self.__start_instance)
|
||||
@@ -592,6 +593,9 @@ class DsInstance(service.Service):
|
||||
# Done!
|
||||
logger.debug("completed creating DS instance")
|
||||
|
||||
+ def __tune_ldbm(self):
|
||||
+ self._ldap_mod("ldbm-tuning.ldif")
|
||||
+
|
||||
def __update_dse_ldif(self):
|
||||
"""
|
||||
This method updates dse.ldif right after instance creation. This is
|
||||
@@ -610,11 +614,6 @@ class DsInstance(service.Service):
|
||||
temp_filename = new_dse_ldif.name
|
||||
with open(dse_filename, "r") as input_file:
|
||||
parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
|
||||
- parser.replace_value(
|
||||
- 'cn=config,cn=ldbm database,cn=plugins,cn=config',
|
||||
- 'nsslapd-db-locks',
|
||||
- [b'50000']
|
||||
- )
|
||||
if self.config_ldif:
|
||||
# parse modifications from ldif file supplied by the admin
|
||||
with open(self.config_ldif, "r") as config_ldif:
|
||||
diff --git a/ipatests/test_integration/test_customized_ds_config_install.py b/ipatests/test_integration/test_customized_ds_config_install.py
|
||||
index a2fcc7dd2..95195a014 100644
|
||||
--- a/ipatests/test_integration/test_customized_ds_config_install.py
|
||||
+++ b/ipatests/test_integration/test_customized_ds_config_install.py
|
||||
@@ -4,7 +4,8 @@ from ipatests.pytest_ipa.integration import tasks
|
||||
|
||||
DIRSRV_CONFIG_MODS = """
|
||||
# https://fedorahosted.org/freeipa/ticket/4949
|
||||
-dn: cn=config,cn=ldbm database,cn=plugins,cn=config
|
||||
+# https://pagure.io/freeipa/issue/8515
|
||||
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
|
||||
changetype: modify
|
||||
replace: nsslapd-db-locks
|
||||
nsslapd-db-locks: 100000
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index c939c6450..ec826edb7 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -972,6 +972,25 @@ class TestInstallMaster(IntegrationTest):
|
||||
)
|
||||
assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
|
||||
|
||||
+ def test_ldbm_tuning(self):
|
||||
+ # check db-locks in new cn=bdb subentry (1.4.3+)
|
||||
+ result = tasks.ldapsearch_dm(
|
||||
+ self.master,
|
||||
+ "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
|
||||
+ ["nsslapd-db-locks"],
|
||||
+ scope="base"
|
||||
+ )
|
||||
+ assert "nsslapd-db-locks: 50000" in result.stdout_text
|
||||
+
|
||||
+ # no db-locks configuration in old global entry
|
||||
+ result = tasks.ldapsearch_dm(
|
||||
+ self.master,
|
||||
+ "cn=config,cn=ldbm database,cn=plugins,cn=config",
|
||||
+ ["nsslapd-db-locks"],
|
||||
+ scope="base"
|
||||
+ )
|
||||
+ assert "nsslapd-db-locks" not in result.stdout_text
|
||||
+
|
||||
|
||||
class TestInstallMasterKRA(IntegrationTest):
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
2906
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
Normal file
2906
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
Normal file
File diff suppressed because one or more lines are too long
2051
SOURCES/1002-4.8.0-Remove-csrgen.patch
Normal file
2051
SOURCES/1002-4.8.0-Remove-csrgen.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,134 @@
|
||||
From 2f8e87ce9ccaab51b32a395c6cf6c764434ed0e2 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Woerner <twoerner@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 10:40:57 +0200
|
||||
Subject: [PATCH] Revert "WebUI: use python3-rjsmin to minify JavaScript files"
|
||||
|
||||
This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3.
|
||||
---
|
||||
.lgtm.yml | 4 ++--
|
||||
freeipa.spec.in | 2 +-
|
||||
install/ui/build/freeipa/Makefile.am | 2 +-
|
||||
install/ui/src/webui.profile.js | 4 ++--
|
||||
install/ui/util/build/README | 4 ++--
|
||||
install/ui/util/compile.sh | 8 ++++----
|
||||
6 files changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
#diff --git a/.lgtm.yml b/.lgtm.yml
|
||||
#index b3898116e..e63615918 100644
|
||||
#--- a/.lgtm.yml
|
||||
#+++ b/.lgtm.yml
|
||||
#@@ -39,7 +39,7 @@ extraction:
|
||||
# - python3-setuptools
|
||||
# - python3-wheel
|
||||
# - nodejs
|
||||
#- - python3-rjsmin
|
||||
#+ - uglifyjs
|
||||
# - systemd
|
||||
# - 389-ds-base-dev
|
||||
# - libssl-dev
|
||||
#@@ -79,7 +79,7 @@ extraction:
|
||||
# - python3-setuptools
|
||||
# - python3-wheel
|
||||
# - nodejs
|
||||
#- - python3-rjsmin
|
||||
#+ - uglifyjs
|
||||
# - systemd
|
||||
# - 389-ds-base-dev
|
||||
# - libssl-dev
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index b6eb79593..a4682497a 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel
|
||||
BuildRequires: libsss_certmap-devel
|
||||
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
|
||||
BuildRequires: nodejs(abi)
|
||||
-BuildRequires: python3-rjsmin
|
||||
+BuildRequires: uglify-js
|
||||
BuildRequires: libverto-devel
|
||||
BuildRequires: libunistring-devel
|
||||
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
|
||||
diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
|
||||
index f4d97819e..05e82f4da 100644
|
||||
--- a/install/ui/build/freeipa/Makefile.am
|
||||
+++ b/install/ui/build/freeipa/Makefile.am
|
||||
@@ -18,6 +18,6 @@ widgets := $(wildcard ../../src/freeipa/widgets/*.js)
|
||||
nav := $(wildcard ../../src/freeipa/navigation/*.js)
|
||||
|
||||
app.js: $(core) $(base) $(widgets) $(nav)
|
||||
- PYTHON=$(PYTHON) $(srcdir)/../../util/make-ui.sh
|
||||
+ $(srcdir)/../../util/make-ui.sh
|
||||
|
||||
core.js: app.js
|
||||
diff --git a/install/ui/src/webui.profile.js b/install/ui/src/webui.profile.js
|
||||
index 2d4d691dc..1d7a6cc84 100644
|
||||
--- a/install/ui/src/webui.profile.js
|
||||
+++ b/install/ui/src/webui.profile.js
|
||||
@@ -9,7 +9,7 @@ var profile = (function(){
|
||||
releaseName: "lib",
|
||||
action: "release",
|
||||
|
||||
- // optimization done separately by python3-rjsmin
|
||||
+ // optimization done separately by uglify.js
|
||||
layerOptimize: false,
|
||||
optimize: false,
|
||||
cssOptimize: false,
|
||||
@@ -123,4 +123,4 @@ var profile = (function(){
|
||||
}
|
||||
}
|
||||
};
|
||||
-})();
|
||||
+})();
|
||||
\ No newline at end of file
|
||||
diff --git a/install/ui/util/build/README b/install/ui/util/build/README
|
||||
index 2c4e0ecac..0772532d4 100644
|
||||
--- a/install/ui/util/build/README
|
||||
+++ b/install/ui/util/build/README
|
||||
@@ -1,5 +1,5 @@
|
||||
build.js is builded dojo builder, with applied patches from 'patches' folder, by
|
||||
-itself and compiled using python3-rjsmin
|
||||
+itself and compiled using uglify.js
|
||||
|
||||
_base/configRhino.js is unmodifed file from dojo/dojo. Required for a build to work.
|
||||
|
||||
@@ -9,4 +9,4 @@ Available via Academic Free License >= 2.1 OR the modified BSD license.
|
||||
see: http://dojotoolkit.org/license for details
|
||||
|
||||
= License =
|
||||
-Full Dojo license is in LICENSE file.
|
||||
+Full Dojo license is in LICENSE file.
|
||||
\ No newline at end of file
|
||||
diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
|
||||
index 1516b815f..d14f90ab0 100755
|
||||
--- a/install/ui/util/compile.sh
|
||||
+++ b/install/ui/util/compile.sh
|
||||
@@ -26,14 +26,14 @@ RDIR=$DIR/../release
|
||||
usage() {
|
||||
cat <<-__EOF__;
|
||||
NAME
|
||||
- compile.sh - Compiles layer file of Dojo build using Python rjsmin.
|
||||
+ compile.sh - Compiles layer file of Dojo build using uglify.js.
|
||||
Deletes all other files.
|
||||
|
||||
SYNOPSIS
|
||||
path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME
|
||||
|
||||
DESCRIPTION
|
||||
- Compiles layer file of Dojo build output using Python rjsmin.
|
||||
+ Compiles layer file of Dojo build output using uglify.js.
|
||||
Deletes all other files.
|
||||
|
||||
OPTIONS
|
||||
@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then
|
||||
OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js
|
||||
fi
|
||||
|
||||
-# compile using python rjsmin
|
||||
+# compile using uglifyjs
|
||||
echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
|
||||
echo "Target file: $OUTPUT_FILE"
|
||||
-${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
|
||||
+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
|
||||
--
|
||||
2.26.2
|
||||
|
16
SOURCES/freeipa-4.8.7.tar.gz.asc
Normal file
16
SOURCES/freeipa-4.8.7.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl7hNhYACgkQRxniuKu/
|
||||
Yhq2rxAAnK8YHbQtivjssWz6BBRiU5TKootA3fSqfvbhACYG14629/Dpc5IIkYZ1
|
||||
0AE4CUFA7Oi92emFbxrLJyeSuxuzTxSVmydJ5HW/OTkRRSnmjL5oeBg2D++B9OaO
|
||||
qVAXRZbi5YNfW5y//9BIRzCGw0RHpbR/QjZ1ipDymky6nr5IS+EhfZ0iHeEyiNXd
|
||||
OP3OJv538HSvRrv3mJvz52pKVfegw1OTd8yUnmuPEc9ClQfPQHjXqsOeFYCbR8fg
|
||||
59y0twMMrOc2J4eL0OkNE/By+o+1vAMUwEs736sCdbJJPigerfuK0e7ZxP+x98BP
|
||||
bmIBxv7eUf20Rn3An7+vTqQP60V4tS+FOnc2LD3OpHH4vy34ovWZfYZWVKbg0z1+
|
||||
5E/0TWifhlibbRZctDaxkZfFVchQnixHnO0Awv8wNxRzh/XvvsTPz1zJXk5kHk3r
|
||||
Ws2/GbeWTiJLe8sIXJz0MNTayWLnsDJG6BCRf+K0HwCdL80p4TG71dTwa9PW5HEy
|
||||
UklxW/zfr+chS1AszNgb8wJa6WtDHfQnktJwSSj7CkD3JdUVx+L/cJiOfbCM+WUi
|
||||
BRzhVhNUDX/FkpGUyvC4AYXX+wcwHph9BDChUDqcG886aIK28TAsie3Vwz/F7hKP
|
||||
TYpF1+YIImcRfUQ737pnbHL12o5yzfhkBfD2GMsojEd0x71B3PY=
|
||||
=B33Z
|
||||
-----END PGP SIGNATURE-----
|
4739
SPECS/ipa.spec
Normal file
4739
SPECS/ipa.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user