ipa-4.9.8-8

- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9

0036-tests-ensure-AD-SUPPORT-subpolicy-is-active-in-more-.patch

@@ -0,0 +1,66 @@
+From 09481117b58f1a237bb1048d3fe8d44caf9e167f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 25 Mar 2022 09:51:08 +0200
+Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active in more cases
+
+Continuation of the commit 2eee5931d714ca237290be7dc2fb7233ce747eca:
+
+    Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
+    mode. This is required in FIPS mode due to AD not supporting Kerberos
+    AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
+    defined in RFC 8009.
+
+Fixes: https://pagure.io/freeipa/issue/9119
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipatests/pytest_ipa/integration/fips.py  | 2 +-
+ ipatests/pytest_ipa/integration/tasks.py | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
+index b33aa91b14552d6f47191c913db4f974a5a5948c..5c281e5e253bfc3e3c227172c99bf2fe8578cc11 100644
+--- a/ipatests/pytest_ipa/integration/fips.py
++++ b/ipatests/pytest_ipa/integration/fips.py
+@@ -72,5 +72,5 @@ def disable_userspace_fips(host):
+ 
+ def enable_crypto_subpolicy(host, subpolicy):
+     result = host.run_command(["update-crypto-policies", "--show"])
+-    policy = result.stdin_text.strip() + ":" + subpolicy
++    policy = result.stdout_text.strip() + ":" + subpolicy
+     host.run_command(["update-crypto-policies", "--set", policy])
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index 1119f55efe639aff409c4b17a04943f280869419..8a1b5d383db1b09a5dc3cab7ee58ceb071e4fbc2 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -499,6 +499,8 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
+     if setup_adtrust:
+         args.append('--setup-adtrust')
+         fw_services.append("freeipa-trust")
++        if is_fips_enabled(replica):
++            enable_crypto_subpolicy(replica, "AD-SUPPORT")
+     if master_authoritative_for_client_domain(master, replica):
+         args.extend(['--ip-address', replica.ip])
+ 
+@@ -568,6 +570,8 @@ def install_client(master, client, extra_args=[], user=None,
+ 
+     args.extend(extra_args)
+ 
++    if is_fips_enabled(client) and 'ad' in master:
++        enable_crypto_subpolicy(client, "AD-SUPPORT")
+     result = client.run_command(args, stdin_text=stdin_text)
+ 
+     setup_sssd_conf(client)
+@@ -582,6 +586,8 @@ def install_adtrust(host):
+     Configures the compat tree for the legacy clients.
+     """
+     kinit_admin(host)
++    if is_fips_enabled(host):
++        enable_crypto_subpolicy(host, "AD-SUPPORT")
+     host.run_command(['ipa-adtrust-install', '-U',
+                       '--enable-compat',
+                       '--netbios-name', host.netbios,
+-- 
+2.34.1
+

0037-ipatests-fix-check-for-AD-topology-being-present.patch

@@ -0,0 +1,29 @@
+From b6b5f6073bf4e12b8357a6ec9f5a4f6bb683437f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sat, 26 Mar 2022 14:52:21 +0200
+Subject: [PATCH] ipatests: fix check for AD topology being present
+
+Fixes: https://pagure.io/freeipa/issue/9133
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/pytest_ipa/integration/tasks.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index 8a1b5d383db1b09a5dc3cab7ee58ceb071e4fbc2..99b907c6495120f440a56e688399356b1fc6eae4 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -570,7 +570,7 @@ def install_client(master, client, extra_args=[], user=None,
+ 
+     args.extend(extra_args)
+ 
+-    if is_fips_enabled(client) and 'ad' in master:
++    if is_fips_enabled(client) and getattr(master.config, 'ad_domains', False):
+         enable_crypto_subpolicy(client, "AD-SUPPORT")
+     result = client.run_command(args, stdin_text=stdin_text)
+ 
+-- 
+2.34.1
+

freeipa.spec

@@ -198,7 +198,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        7%{?rc_version:.%rc_version}%{?dist}
+Release:        8%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -253,6 +253,8 @@ Patch0032:      0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
 Patch0033:      0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
 Patch0034:      0034-Support-AES-for-KRA-archival-wrapping.patch
 Patch0035:      0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
+Patch0036:      0036-tests-ensure-AD-SUPPORT-subpolicy-is-active-in-more-.patch
+Patch0037:      0037-ipatests-fix-check-for-AD-topology-being-present.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1750,6 +1752,11 @@ fi
 %endif
 
 %changelog
+* Wed Apr 06 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-8
+- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
+  - tests: ensure AD-SUPPORT subpolicy is active in more cases
+  - ipatests: fix check for AD topology being present
+
 * Thu Mar 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
 - Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
   - KRB instance: make provision to work with crypto policy without SHA-1 HMAC types