From 6ef486fbd46828b54a8807219b86704cad68bf46 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 17 Aug 2023 15:23:04 +0200 Subject: [PATCH] ipa-4.10.2-4 - Resolves: rhbz#2231847 RHEL 8.8 & 9.2 fails to create AD trust with STIG applied - Resolves: rhbz#2232056 Include latest test fixes in python3-ipatests Signed-off-by: Florence Blanc-Renaud --- 0022-ipatests-fix-test_topology.patch | 60 ++ 0023-ipatests-idm-api-related-tests.patch | 560 ++++++++++++++++++ ...tests-fixture-can-produce-IndexError.patch | 45 ++ ...te-nss-and-pam-services-in-sssd.conf.patch | 42 ++ freeipa.spec | 10 +- 5 files changed, 716 insertions(+), 1 deletion(-) create mode 100644 0022-ipatests-fix-test_topology.patch create mode 100644 0023-ipatests-idm-api-related-tests.patch create mode 100644 0024-ipatests-fixture-can-produce-IndexError.patch create mode 100644 0025-Installer-activate-nss-and-pam-services-in-sssd.conf.patch diff --git a/0022-ipatests-fix-test_topology.patch b/0022-ipatests-fix-test_topology.patch new file mode 100644 index 0000000..92729ef --- /dev/null +++ b/0022-ipatests-fix-test_topology.patch 
@@ -0,0 +1,60 @@ +From 1278e614dd93bf0ac3d6e0c36cb9c277808afb2c Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 11 Aug 2023 08:01:18 +0200 +Subject: [PATCH] ipatests: fix test_topology + +The test TestTopologyOptions::test_add_remove_segment is +randomly failing downstream. Test scenario: +- create a line topology master <-> repl1 <-> repl2 +- create user on master +- wait for repl success on master +- check that the user is seen on repl2 + +The test waits for replication to complete on the master but +it should also wait for the replication to complete on repl1 +before checking the user presence on repl2. + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_topology.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py +index 8a240fa3c081a05b8f4501fe48694e01086003a1..618c9d5dcce994cd0359a291b044eb2cf0bddc74 100644 +--- a/ipatests/test_integration/test_topology.py ++++ b/ipatests/test_integration/test_topology.py +@@ -124,6 +124,9 @@ class TestTopologyOptions(IntegrationTest): + self.replicas[0], + self.replicas[1]) + assert err == "", err ++ # At this point we have replicas[1] <-> master <-> replicas[0] ++ # ^--------------------------^ ++ + # Make sure the new segment is shown by `ipa topologysegment-find` + result1 = self.master.run_command(['ipa', 'topologysegment-find', + DOMAIN_SUFFIX_NAME]).stdout_text +@@ -137,9 +140,12 @@ class TestTopologyOptions(IntegrationTest): + deleteme = find_segment(self.master, self.replicas[1]) + returncode, error = tasks.destroy_segment(self.master, deleteme) + assert returncode == 0, error ++ # At this point we have master <-> replicas[0] <-> replicas[1] ++ + # Wait till replication ends and make sure replica1 does not have + # segment that was deleted on master + master_ldap = self.master.ldap_connect() ++ repl_ldap = self.replicas[0].ldap_connect() + 
tasks.wait_for_replication(master_ldap) + result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find', + DOMAIN_SUFFIX_NAME]).stdout_text +@@ -150,6 +156,7 @@ class TestTopologyOptions(IntegrationTest): + '--first', 'test', + '--last', 'user']) + tasks.wait_for_replication(master_ldap) ++ tasks.wait_for_replication(repl_ldap) + result4 = self.replicas[1].run_command(['ipa', 'user-find']) + assert('someuser' in result4.stdout_text), 'User not found: someuser' + # We end up having a line topology: master <-> replica1 <-> replica2 +-- +2.41.0 + diff --git a/0023-ipatests-idm-api-related-tests.patch b/0023-ipatests-idm-api-related-tests.patch new file mode 100644 index 0000000..34c072a --- /dev/null +++ b/0023-ipatests-idm-api-related-tests.patch 
@@ -0,0 +1,560 @@ +From ac6a2172f5dcb46701148c7b096ffa1b44076816 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Thu, 27 Jul 2023 14:33:08 +0530 +Subject: [PATCH] ipatests: idm api related tests. + +IDM API related tests are automated in the +above PR +Ref: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html + +Signed-off-by: Sudhir Menon +Reviewed-By: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_idm_api.py | 534 ++++++++++++++++++++++ + 1 file changed, 534 insertions(+) + create mode 100644 ipatests/test_integration/test_idm_api.py + +diff --git a/ipatests/test_integration/test_idm_api.py b/ipatests/test_integration/test_idm_api.py +new file mode 100644 +index 0000000000000000000000000000000000000000..eafef5dd8526bc14725d6bc32819cb5c7387f868 +--- /dev/null ++++ b/ipatests/test_integration/test_idm_api.py +@@ -0,0 +1,534 @@ ++# ++# Copyright (C) 2018 FreeIPA Contributors see COPYING for license ++# ++from __future__ import absolute_import ++ ++from ipatests.test_integration.base import IntegrationTest ++import textwrap ++ ++API_INIT = """ ++ from ipalib import api, errors ++ api.bootstrap_with_global_options(context="server") ++ api.finalize() ++ api.Backend.ldap2.connect() ++ """ ++ ++CERT = ( ++ b"MIIEkDCCAvigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKD\n" ++ b"A5URVNUUkVBTE0uVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG\n" ++ b"9yaXR5MB4XDTIzMDcyODE3MTIxOVoXDTI1MDcyODE3MTIxOVowKjEXMBU\n" ++ b"GA1UECgwOVEVTVFJFQUxNLlRFU1QxDzANBgNVBAMMBmpzbWl0aDCCASIw\n" ++ b"DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOF0XFrdVXmKp95AVZW5o\n" ++ b"BWcij6vJPqeU3UpzTLbM+fROhNaKMX9S+yXrJHifOmhCOuNA8TtptKVJx\n" ++ b"CIDZ1/5KwPBk4vrnwOBtVMCftHj87MabBqV/nmQQrCiKTcJu4aQEDI9Qh\n" ++ b"yza09EJKvG8KkpnyuShtkP2LgkUxIqkjBg4DLV7grO+I+aG17QTuQxUTy\n" ++ b"icfYDBnzD4hTKPLf7d9KNyG+sEeyN0gceLFMUYaQ4lyapcSzYJwOSAc2B\n" ++ b"EU73tLaJlQORHL7HmhxrjD1IgZyxFjp/ofLVZFFoJAqjz2FWzOxmQw+bc\n" ++ 
b"0WTzQjeSTGx+l3htj7MmhIRBMqr3Um6zXkLKMCAwEAAaOCATAwggEsMB8\n" ++ b"GA1UdIwQYMBaAFCIXu6QtsiBVo1yZQZ7MMHTl5Wj6MEAGCCsGAQUFBwEB\n" ++ b"BDQwMjAwBggrBgEFBQcwAYYkaHR0cDovL2lwYS1jYS50ZXN0cmVhbG0ud\n" ++ b"GVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBg\n" ++ b"EFBQcDAQYIKwYBBQUHAwIweQYDVR0fBHIwcDBuoDagNIYyaHR0cDovL2l\n" ++ b"wYS1jYS50ZXN0cmVhbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6i\n" ++ b"NKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0Z\n" ++ b"SBBdXRob3JpdHkwHQYDVR0OBBYEFNwQNQAG8MsKQPwMFyGzRiMzRAa5MA\n" ++ b"0GCSqGSIb3DQEBCwUAA4IBgQB2g0mS8XAPI+aRBa5q7Vbp1245CvMP0Eq\n" ++ b"Cz6gvCNwtxW0UDKnB++d/YQ13ft+x9Xj3rB/M2YXxdxTpQnQQv34CUcyh\n" ++ b"PQKJthAsbKBpdusCGrbS54zKFR0MjxwOwIIDHuI6eu2AoSpsmYs5UGzQm\n" ++ b"oCfQhbImK7iGLy0rOHaON1cWAFmC6lzJ2TFELc4N3eLYGVZy2ZtyZTgA3\n" ++ b"l97rBCwbDDFF1JWoOByIq8Ij99ksyMXws++sNUpo/1l8Jt0Gn6RBiidZB\n" ++ b"ef4+kJN+t6RAAwRQ / 3cmEggXcFoV13KZ70PeMXeX6CKMwXIwt3q7A78\n" ++ b"Wc/0OIBREZLhXpkmogCzWCuatdzeBIhMhx0vDEzaxlhf32ZWfN5pFMpgq\n" ++ b"wLZsdwMf6J65kGbE5Pg3Yxk7OiByxZJnR8UlvbU3r6RhMWutD6C0aqqNt\n" ++ b"o3us5gTmfRc8Mf1l/BUgDqkBKOTU8FHREGemG1HoklBym/Pbua0VMUA+s\n" ++ b"0nECR4LLM/o9PCJ2Y3QPBZy8Hg=\n" ++) ++ ++ ++class TestAPIScenario(IntegrationTest): ++ """ ++ Tests for IDM API scenarios ++ """ ++ ++ topology = "line" ++ ++ def create_and_run_script(self, filename, user_code_script): ++ self.master.put_file_contents(filename, user_code_script) ++ self.master.run_command(["python3", filename]) ++ self.master.run_command(["rm", filename]) ++ ++ def test_idm_user_add(self): ++ """ ++ This test checks that ipa user using api.Command["user_add"] ++ and then checks that user is displayed using ++ api.Command["user_show"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ api.Command["user_add"]("jsmith", givenname="John", sn="Smith", ++ ipauserauthtype="otp") ++ cmd = api.Command["user_show"]("jsmith", all=True)["result"] ++ assert 'otp' in cmd['ipauserauthtype'] ++ assert 'John Smith' in cmd['cn'] ++ """ ++ ) ++ 
self.create_and_run_script( ++ "/tmp/user_add.py", user_code_script ++ ) ++ ++ def test_idm_user_find(self): ++ """ ++ This test checks that user is displayed ++ using api.Command["user_find"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["user_find"]("jsmith") ++ assert '1 user matched' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/user_find.py", user_code_script ++ ) ++ ++ def test_idm_user_mod(self): ++ """ ++ This test checks that user attribute is modified ++ using api.Command["user_mod"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["user_mod"]("jsmith", ++ mail="jsmith@example.org")["result"] ++ assert 'jsmith@example.org' in cmd['mail'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/user_mod.py", user_code_script ++ ) ++ ++ def test_disable_user(self): ++ """ ++ This test checks that user is disabled ++ using api.Command["user_disable"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["user_disable"]("jsmith") ++ assert 'Disabled user account "jsmith"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/disable_user.py", user_code_script ++ ) ++ ++ def test_enable_user(self): ++ """ ++ This test checks that user is enabled ++ using api.Command["user_enable"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["user_enable"]("jsmith") ++ assert 'Enabled user account "jsmith"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/enable_user.py", user_code_script ++ ) ++ ++ def test_create_ipa_group(self): ++ """ ++ This test checks that group is created ++ using api.Command["group_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_add"]("developers", gidnumber=500, ++ description="Developers") ++ assert 'Added group "developers"' in cmd['summary'] ++ """ ++ ) ++ 
self.create_and_run_script( ++ "/tmp/create_group.py", user_code_script ++ ) ++ ++ def test_show_ipa_group(self): ++ """ ++ This test checks that group is displayed ++ using api.Command["group_show"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_show"]("developers") ++ assert 'developers' in cmd['result']['cn'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/group_show.py", user_code_script ++ ) ++ ++ def test_ipa_group_mod(self): ++ """ ++ This test checks that group description is modified ++ using api.Command["group_mod"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_mod"]("developers", description='developer') ++ ["result"] ++ assert 'Modified group "developers"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/group_mod.py", user_code_script ++ ) ++ ++ def test_add_members_to_ipa_group(self): ++ """ ++ This test checks that member is added to group ++ using api.Command["group_add_member"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_add_member"]("developers", ++ user='jsmith')["result"] ++ assert 'jsmith' in cmd['member_user'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/create_group_members.py", user_code_script ++ ) ++ ++ def test_ipa_group_find(self): ++ """ ++ This test checks that group is displayed ++ using api.Command["group_find"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_find"]("developers") ++ assert '1 group matched' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/group_find.py", user_code_script ++ ) ++ ++ def test_remove_member_group(self): ++ """ ++ This test checks that group member is removed ++ using api.Command["group_remove_member"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_remove_member"]("developers", ++ user="jsmith") ++ assert 
'member_user' not in cmd ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/remove_member_group.py", user_code_script ++ ) ++ ++ def test_add_permission(self): ++ """ ++ This test checks that permission is added ++ using api.Command["permission_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["permission_add"]("Create users", ++ ipapermright='add', type='user') ++ assert 'Added permission "Create users"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_perm.py", user_code_script ++ ) ++ ++ def test_create_hbac_rule(self): ++ """ ++ This test checks that hbac rule is added ++ using api.Command["hbacrule_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["hbacrule_add"]("sshd_rule") ++ assert 'Added HBAC rule "sshd_rule"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_hbac_rule.py", user_code_script ++ ) ++ ++ def test_add_hbac_service(self): ++ """ ++ This test checks that hbac service is added using ++ api.Command["hbacsvc_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["hbacsvc_add"]("chronyd") ++ assert 'Added HBAC service "chronyd"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_hbac_svc.py", user_code_script ++ ) ++ ++ def test_enable_hbac_rule(self): ++ """ ++ This test checks that hbac rule is enabled using ++ api.Command["hbacrule_enable"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["hbacrule_enable"]("sshd_rule") ++ assert 'Enabled HBAC rule "sshd_rule"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/enable_hbacrule.py", user_code_script ++ ) ++ ++ def test_create_sudo_rule(self): ++ """ ++ This test checks that sudo rule is created using ++ api.Command["sudorule_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = 
api.Command["sudorule_add"]("timechange") ++ assert 'Added Sudo Rule "timechange"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/create_sudos.py", user_code_script ++ ) ++ ++ def test_add_user_certificate(self): ++ """ ++ This test checks user certificate is added using ++ api.Command["user_add_cert"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ msg = 'Added certificates to user "jsmith"' ++ cmd = api.Command["user_add_cert"]("jsmith", usercertificate={CERT}) ++ assert msg in cmd["summary"] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_cert.py", user_code_script ++ ) ++ ++ def test_remove_user_certificate(self): ++ """ ++ This test checks that user certificate is removed ++ using api.Command["user_remove_cert"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ msg = 'Removed certificates from user "jsmith"' ++ cmd = api.Command["user_remove_cert"]("jsmith", usercertificate={CERT}) ++ assert msg in cmd["summary"] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/remove_cert.py", user_code_script ++ ) ++ ++ def test_certmaprule_add(self): ++ """ ++ This test checks that certmap rule is added using ++ api.Command["certmaprule_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ msg = ('Added Certificate Identity Mapping Rule "testrule"') ++ cmd = api.Command["certmaprule_add"]("testrule") ++ assert msg in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/certmap_rule_add.py", user_code_script ++ ) ++ ++ def test_certmaprule_enable(self): ++ """ ++ This test checks that certmap rule is enabled ++ using api.Command["certmaprule_enable"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ msg = ('Enabled Certificate Identity Mapping Rule "testrule"') ++ cmd = api.Command["certmaprule_enable"]("testrule") ++ assert msg in cmd["summary"] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/certmap_rule_enable.py", user_code_script ++ 
) ++ ++ def test_certmaprule_disable(self): ++ """ ++ This test checks that certmap rule is disabled using ++ api.Command["certmaprule_disable"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ msg = ('Disabled Certificate Identity Mapping Rule "testrule"') ++ cmd = api.Command["certmaprule_disable"]("testrule") ++ assert msg in cmd["summary"] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/certmap_rule_disable.py", user_code_script ++ ) ++ ++ def test_certmaprule_del(self): ++ """ ++ This test checks that certmap rule is deleted using ++ api.Command["certmaprule_del"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ msg = ('Deleted Certificate Identity Mapping Rule "testrule"') ++ cmd = api.Command["certmaprule_del"]("testrule") ++ assert msg in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/certmap_rule_del.py", user_code_script ++ ) ++ ++ def test_add_role(self): ++ """ ++ This test checks that role and privilege is added using ++ api.Command["role_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd1 = api.Command["role_add"]("junioradmin", ++ description="Junior admin") ++ assert 'Added role "junioradmin"' in cmd1["summary"] ++ cmd2 = api.Command.role_add_privilege("junioradmin", ++ privilege="Vault Administrators")["result"] ++ assert 'Vault Administrators' in cmd2["memberof_privilege"] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_role.py", user_code_script ++ ) ++ ++ def test_add_subid(self): ++ """ ++ This test checks that subid is added for IPA user ++ using api.Command["subid_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["subid_add"](ipaowner="jsmith") ++ assert 'Added subordinate id ' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_subid.py", user_code_script ++ ) ++ ++ def test_add_otptoken(self): ++ """ ++ This test checks that otp token is added for IPA user ++ using 
api.Command["otptoken_add"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["otptoken_add"]( ++ type='HOTP', description='testotp', ++ ipatokenotpalgorithm='sha512', ipatokenowner='jsmith', ++ ipatokenotpdigits='6') ++ assert 'Added OTP token' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/add_otptoken.py", user_code_script ++ ) ++ ++ def test_user_del(self): ++ """ ++ This test checks that user is deleted ++ using api.Command["user_del"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["user_del"]("jsmith") ++ assert 'Deleted user "jsmith"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/user_del.py", user_code_script ++ ) ++ ++ def test_remove_ipa_group(self): ++ """ ++ This test checks that group is removed ++ using api.Command["group_del"] ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ cmd = api.Command["group_del"]("developers") ++ assert 'Deleted group "developers"' in cmd['summary'] ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/show_group.py", user_code_script ++ ) ++ ++ def test_batch_command(self): ++ """ ++ This test checks that batch commands ++ can be run using api. ++ """ ++ user_code_script = textwrap.dedent( ++ f""" ++ {API_INIT} ++ batch_args = [] ++ for i in range(5): ++ user_id = "user%i" % i ++ args = [user_id] ++ kw = {{'givenname' : user_id, 'sn' : user_id}} ++ batch_args.append({{'method' : 'user_add', 'params' : [args, kw]}}) ++ api.Command["batch"](*batch_args) ++ """ ++ ) ++ self.create_and_run_script( ++ "/tmp/batch.py", user_code_script ++ ) +-- +2.41.0 + diff --git a/0024-ipatests-fixture-can-produce-IndexError.patch b/0024-ipatests-fixture-can-produce-IndexError.patch new file mode 100644 index 0000000..83ce90c --- /dev/null +++ b/0024-ipatests-fixture-can-produce-IndexError.patch 
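Review bot: `create_and_run_script` writes each generated script to a fixed, predictable name under /tmp (`/tmp/user_add.py`, `/tmp/batch.py`, …) and then executes it with `python3` on the master, so on a host with other local users the path can be pre-created or swapped between the write and the run. The `rm` is also skipped whenever the script's assertions fail, assuming `run_command` raises on a non-zero exit, which leaves the script behind for the next run. Creating a private directory with `mktemp -d` and removing it in a `finally` covers both, as sketched below. Separately, `assert 'member_user' not in cmd` in `test_remove_member_group` inspects the top-level response while `test_add_members_to_ipa_group` reads that key from `["result"]`, so the check probably passes regardless of the outcome.

```python
def create_and_run_script(self, filename, user_code_script):
    # private directory created by mktemp instead of a fixed /tmp path;
    # only the base name of the caller's filename is reused
    workdir = self.master.run_command(["mktemp", "-d"]).stdout_text.strip()
    script = workdir + "/" + filename.rsplit("/", 1)[-1]
    try:
        self.master.put_file_contents(script, user_code_script)
        self.master.run_command(["python3", script])
    finally:
        # runs even when the generated script's assertions fail
        self.master.run_command(["rm", "-rf", workdir])
```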
@@ -0,0 +1,45 @@ +From f816b4d9e6ff7a47b0da1a368d2454add78af07c Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 11 Aug 2023 09:10:30 +0200 +Subject: [PATCH] ipatests: fixture can produce IndexError + +The fixture issue_and_expire_acme_cert returns a function +that fills the hosts array. If the function is not called in +the test (for instance because a test is skipped, as in +TestACMEPrune::test_prune_cert_search_size_limit), hosts = [] +and hosts[0] raises an IndexError. + +Fix the fixture to check first that hosts is not empty. + +Related: https://pagure.io/freeipa/issue/9348 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Mohammad Rizwan Yusuf +--- + ipatests/test_integration/test_acme.py | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py +index c7389732cd067d49541cd04ea6687a6b95b4669f..bc989a9a2a00b0ac68b9dcffd4ccea269314961b 100644 +--- a/ipatests/test_integration/test_acme.py ++++ b/ipatests/test_integration/test_acme.py +@@ -633,9 +633,13 @@ def issue_and_expire_acme_cert(): + tasks.move_date(host, 'start', '-90days-60minutes') + + # restart ipa services as date moved and wait to get things settle +- time.sleep(10) +- hosts[0].run_command(['ipactl', 'restart']) +- time.sleep(10) ++ # if the internal fixture was not called (for instance because the test ++ # was skipped), hosts = [] and hosts[0] would produce an IndexError ++ # exception. ++ if hosts: ++ time.sleep(10) ++ hosts[0].run_command(['ipactl', 'restart']) ++ time.sleep(10) + + + class TestACMERenew(IntegrationTest): +-- +2.41.0 + diff --git a/0025-Installer-activate-nss-and-pam-services-in-sssd.conf.patch b/0025-Installer-activate-nss-and-pam-services-in-sssd.conf.patch new file mode 100644 index 0000000..a6a0eb3 --- /dev/null +++ b/0025-Installer-activate-nss-and-pam-services-in-sssd.conf.patch 
@@ -0,0 +1,42 @@ +From 4a62a21499a4884f0db55d01966a6ff532a4ed1e Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 14 Aug 2023 10:53:05 +0200 +Subject: [PATCH] Installer: activate nss and pam services in sssd.conf + +If there is already a sssd.conf file before the installer is +executed, the nss and pam services may not be enabled by the +installer. This happens for instance if the machine is hardened +for STIG and sssd.conf does not define services=... in the +[sssd] section. + +The consequence is that trust cannot be established with an AD +domain. + +The installer must enable nss and pam services even if there is +a pre-existing sssd.conf file. + +Fixes: https://pagure.io/freeipa/issue/9427 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaclient/install/client.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py +index ef29a2c8a3f673860cb22e0e6953853fd96a8572..07d62a748f77e990a38e28e3675abb05eef0da8d 100644 +--- a/ipaclient/install/client.py ++++ b/ipaclient/install/client.py +@@ -969,6 +969,9 @@ def configure_sssd_conf( + nss_service.set_option('memcache_timeout', 600) + sssdconfig.save_service(nss_service) + ++ sssd_enable_service(sssdconfig, 'nss') ++ sssd_enable_service(sssdconfig, 'pam') ++ + domain.set_option('ipa_domain', cli_domain) + domain.set_option('ipa_hostname', client_hostname) + if cli_domain.lower() != cli_realm.lower(): +-- +2.41.0 + diff --git a/freeipa.spec b/freeipa.spec index 8b273a7..1c0672b 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 4%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later 
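Review bot: The two added `sssd_enable_service` calls in `configure_sssd_conf` carry no comment, and the reason for them (a pre-existing sssd.conf, for example on a STIG-hardened host, with no `services=` line in `[sssd]`) is only in the commit message. Since this now changes the active service list of a configuration file an administrator may have hardened deliberately, a comment such as `# Enable nss and pam even if a pre-existing sssd.conf lacks services= in [sssd]; AD trust needs both` would keep that intent next to the code. What `sssd_enable_service` does when the service is already active is not visible here and is worth confirming. The patch also adds no regression test for the pre-existing-sssd.conf case. `configure_sssd_conf` starts and ends outside the hunk.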
@@ -268,6 +268,10 @@ Patch0018: 0018-Prevent-the-admin-user-from-being-deleted.patch Patch0019: 0019-ipa-kdb-fix-error-handling-of-is_master_host.patch Patch0020: 0020-ipatests-update-expected-webui-msg-for-admin-deletio.patch Patch0021: 0021-ipatests-remove-fixture-call-and-wait-to-get-things-.patch +Patch0022: 0022-ipatests-fix-test_topology.patch +Patch0023: 0023-ipatests-idm-api-related-tests.patch +Patch0024: 0024-ipatests-fixture-can-produce-IndexError.patch +Patch0025: 0025-Installer-activate-nss-and-pam-services-in-sssd.conf.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1759,6 +1763,10 @@ fi %endif %changelog +* Thu Aug 17 2023 Florence Blanc-Renaud - 4.10.2-4 +- Resolves: rhbz#2231847 RHEL 8.8 & 9.2 fails to create AD trust with STIG applied +- Resolves: rhbz#2232056 Include latest test fixes in python3-ipatests + * Thu Aug 10 2023 Florence Blanc-Renaud - 4.10.2-3 - Resolves: rhbz#2229712 Delete operation protection for admin user - Resolves: rhbz#2227831 Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost