From 6ff3da92fc4eb66b7676ba44e43e071a3909b55d Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud Date: Tue, 17 Aug 2021 10:34:03 +0200 Subject: [PATCH] ipa-4.9.6-5 - Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided - Resolves: rhbz#1986329 ipa-server install failure without DNS - Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg - Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests --- ...le-date-when-calling-journalctl-sinc.patch | 35 ++ ...-test_source_ipahealthcheck_ipa_host.patch | 43 +++ ...ahealthcheck-print-a-message-if-a-sy.patch | 52 +++ ...stallation-move-tracking_reqs-depend.patch | 104 +++++ ...lose-notification-when-revoking-cert.patch | 31 ++ ...a-cert-fix-warns-when-startup-direct.patch | 153 ++++++++ ...x-algo-for-finding-available-idrange.patch | 40 ++ ...sts-smbclient-k-use-kerberos-desired.patch | 61 +++ 0029-test_acme-refactor-with-tasks.patch | 81 ++++ ...me-make-password-renewal-more-robust.patch | 66 ++++ ...-tasks.py-fix-flake8-reported-issues.patch | 58 +++ ....get_sub_dict-for-missing-named-user.patch | 142 +++++++ ...remove-python3-pexpect-from-Requires.patch | 68 ++++ ...d-option-to-discover-servers-using-D.patch | 365 ++++++++++++++++++ ...-ipa-getkeytab-fix-compiler-warnings.patch | 55 +++ ...sts-test-ipa-getkeytab-server-option.patch | 92 +++++ ...r-OTP-when-the-LDAP-connection-timed.patch | 91 +++++ ...that-getcert-output-includes-the-iss.patch | 51 +++ ...r-warning-into-stderr-instead-of-std.patch | 43 +++ ...-krb5_trace-in-TestIpaAdTrustInstall.patch | 56 +++ ...apsearch-with-base-scope-works-with-.patch | 45 +++ ...est_basesearch_compat_tree-on-fedora.patch | 44 +++ ...r-test_check_otpd_after_idle_timeout.patch | 89 +++++ freeipa.spec | 68 +++- 24 files changed, 1928 insertions(+), 5 deletions(-) create mode 100644 0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch create mode 100644 0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch create mode 100644 
0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch create mode 100644 0024-ipatests-test_installation-move-tracking_reqs-depend.patch create mode 100644 0025-webui-tests-close-notification-when-revoking-cert.patch create mode 100644 0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch create mode 100644 0027-webui-tests-fix-algo-for-finding-available-idrange.patch create mode 100644 0028-ipatests-smbclient-k-use-kerberos-desired.patch create mode 100644 0029-test_acme-refactor-with-tasks.patch create mode 100644 0030-test_acme-make-password-renewal-more-robust.patch create mode 100644 0031-tasks.py-fix-flake8-reported-issues.patch create mode 100644 0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch create mode 100644 0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch create mode 100644 0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch create mode 100644 0035-ipa-getkeytab-fix-compiler-warnings.patch create mode 100644 0036-ipatests-test-ipa-getkeytab-server-option.patch create mode 100644 0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch create mode 100644 0038-ipatests-verify-that-getcert-output-includes-the-iss.patch create mode 100644 0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch create mode 100644 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch create mode 100644 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch create mode 100644 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch create mode 100644 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch diff --git a/0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch b/0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch new file mode 100644 index 0000000..2ec50bb --- /dev/null +++ b/0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch 
@@ -0,0 +1,35 @@ +From b2e6292337c6f7f68ac383db8aa54a1abfa3f6b4 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Sun, 11 Jul 2021 16:29:16 +0200 +Subject: [PATCH] ipatests: use whole date when calling journalctl --since + +The test TestSelfExternalSelf::test_switch_back_to_self_signed +is checking the content of the journal using journalctl --since ... +but provides only the time, not the whole date with year-month-day. +As a consequence, if the test is executed around midnight it may +find nothing in the journal because it's looking for logs after 11:50PM, +which is a date in the future. +Fixes: https://pagure.io/freeipa/issue/8918 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_external_ca.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py +index 72aa57a0b..d48d73deb 100644 +--- a/ipatests/test_integration/test_external_ca.py ++++ b/ipatests/test_integration/test_external_ca.py +@@ -301,7 +301,7 @@ class TestSelfExternalSelf(IntegrationTest): + def test_switch_back_to_self_signed(self): + + # for journalctl --since +- switch_time = time.strftime('%H:%M:%S') ++ switch_time = time.strftime('%Y-%m-%d %H:%M:%S') + # switch back to self-signed CA + result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew', + '--self-signed']) +-- +2.31.1 + diff --git a/0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch b/0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch new file mode 100644 index 0000000..d56f3e5 --- /dev/null +++ b/0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch 
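Review bot: The new `switch_time` is formatted with `time.strftime` in the test controller's local time zone, while `journalctl --since` on `self.master` interprets a bare timestamp in the master's local zone, so the filter is still wrong whenever the controller and the master disagree on zone (the controller is not necessarily the master in an IntegrationTest). Formatting in UTC and saying so removes the ambiguity: `switch_time = time.strftime('%Y-%m-%d %H:%M:%S UTC', time.gmtime())`, since systemd.time(7) accepts a zone suffix on the timestamp. The `journalctl --since` call that consumes `switch_time` and the rest of `test_switch_back_to_self_signed` are outside the hunk.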
@@ -0,0 +1,43 @@ +From 26be7ffdba87e0e6294ea035ab3dc9bd933fba43 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Fri, 9 Jul 2021 13:44:12 +0530 +Subject: [PATCH] ipatests: Fix for + test_source_ipahealthcheck_ipa_host_check_ipahostkeytab + +Expected error message has been modified for +test_source_ipahealthcheck_ipa_host_check_ipahostkeytab + +Related: https://pagure.io/freeipa/issue/8889 + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_ipahealthcheck.py | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 305d7b945..f6a3043f1 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -499,9 +499,6 @@ class TestIpaHealthCheck(IntegrationTest): + from host's keytab. + """ + msg = ( +- "Failed to obtain host TGT: Major (458752): " +- "No credentials were " +- "supplied, or the credentials were unavailable or inaccessible, " + "Minor (2529639107): No credentials cache found" + ) + +@@ -514,7 +511,7 @@ class TestIpaHealthCheck(IntegrationTest): + ) + assert returncode == 1 + assert data[0]["result"] == "ERROR" +- assert data[0]["kw"]["msg"] == msg ++ assert msg in data[0]["kw"]["msg"] + + def test_source_ipahealthcheck_topology_IPATopologyDomainCheck(self): + """ +-- +2.31.1 + diff --git a/0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch b/0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch new file mode 100644 index 0000000..8993bcc --- /dev/null +++ b/0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch 
@@ -0,0 +1,52 @@ +From 7f910eb2dda8595da435b4aed6e759a2916df813 Mon Sep 17 00:00:00 2001 +From: Michal Polovka +Date: Wed, 23 Jun 2021 14:53:49 +0200 +Subject: [PATCH] ipatests: test_ipahealthcheck: print a message if a system is + healthy + +Test if when the system is completely healthy, informative message is +returned and not only empty output (list or json). + +Related: https://pagure.io/freeipa/issue/8892 + +Signed-off-by: Michal Polovka +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_ipahealthcheck.py | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index f6a3043f1..36fe72be7 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -286,7 +286,7 @@ class TestIpaHealthCheck(IntegrationTest): + for source in sources_avail: + assert source in result.stdout_text + +- def test_human_output(self, restart_service): ++ def test_human_severity(self, restart_service): + """ + Test that in human output the severity value is correct + +@@ -306,6 +306,18 @@ class TestIpaHealthCheck(IntegrationTest): + assert output == \ + "ERROR: ipahealthcheck.meta.services.sssd: sssd: not running" + ++ def test_human_output(self): ++ """ ++ Test if in case no failures were found, informative string is printed ++ in human output. ++ ++ https://pagure.io/freeipa/issue/8892 ++ """ ++ returncode, output = run_healthcheck(self.master, output_type="human", ++ failures_only=True) ++ assert returncode == 0 ++ assert output == "No issues found." ++ + def test_ipa_healthcheck_after_certupdate(self): + """ + Verify that ipa-certupdate hasn't messed up tracking +-- +2.31.1 + diff --git a/0024-ipatests-test_installation-move-tracking_reqs-depend.patch b/0024-ipatests-test_installation-move-tracking_reqs-depend.patch new file mode 100644 index 0000000..848571f --- /dev/null 
+++ b/0024-ipatests-test_installation-move-tracking_reqs-depend.patch 
@@ -0,0 +1,104 @@ +From e5df4dc4884f1a66ccbca79b9a0d83874c996d1d Mon Sep 17 00:00:00 2001 +From: Michal Polovka +Date: Mon, 31 May 2021 14:43:28 +0200 +Subject: [PATCH] ipatests: test_installation: move tracking_reqs dependency to + ipalib constants ipaserver: krainstance: utilize moved tracking_reqs + dependency + +KRA instance import depends on lib389 package, which is not always +installed and that results in failure. Furthermore, test_installation +utilizes krainstance import. This fix moves relevant parts from +krainstance to ipalib constants where those are subsequently imported +from. + +Related: https://pagure.io/freeipa/issue/8795 + +Signed-off-by: Michal Polovka +Reviewed-By: Michal Polovka +Reviewed-By: Francois Cami +Reviewed-By: Tibor Dudlak +Reviewed-By: Rob Crittenden +Reviewed-By: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +--- + ipalib/constants.py | 8 ++++++++ + ipaserver/install/krainstance.py | 7 ++----- + ipatests/test_integration/test_installation.py | 7 +++---- + 3 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/ipalib/constants.py b/ipalib/constants.py +index bff899ba6..2aeafac7a 100644 +--- a/ipalib/constants.py ++++ b/ipalib/constants.py +@@ -360,3 +360,11 @@ SUBID_RANGE_MAX = (2 ** 32) - (2 * SUBID_COUNT) + SUBID_RANGE_SIZE = SUBID_RANGE_MAX - SUBID_RANGE_START + # threshold before DNA plugin requests a new range + SUBID_DNA_THRESHOLD = 500 ++ ++# moved from ipaserver/install/krainstance.py::KRAInstance to avoid duplication ++# as per https://pagure.io/freeipa/issue/8795 ++KRA_TRACKING_REQS = { ++ 'auditSigningCert cert-pki-kra': 'caAuditSigningCert', ++ 'transportCert cert-pki-kra': 'caTransportCert', ++ 'storageCert cert-pki-kra': 'caStorageCert', ++} +diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py +index e63db3fef..13cb2dcaa 100644 +--- a/ipaserver/install/krainstance.py ++++ b/ipaserver/install/krainstance.py +@@ -27,6 +27,7 @@ import base64 + + from ipalib import api + from 
ipalib import x509 ++from ipalib.constants import KRA_TRACKING_REQS + from ipaplatform.paths import paths + from ipapython import directivesetter + from ipapython import ipautil +@@ -64,11 +65,7 @@ class KRAInstance(DogtagInstance): + # Mapping of nicknames for tracking requests, and the profile to + # use for that certificate. 'configure_renewal()' reads this + # dict. The profile MUST be specified. +- tracking_reqs = { +- 'auditSigningCert cert-pki-kra': 'caAuditSigningCert', +- 'transportCert cert-pki-kra': 'caTransportCert', +- 'storageCert cert-pki-kra': 'caStorageCert', +- } ++ tracking_reqs = KRA_TRACKING_REQS + + def __init__(self, realm): + super(KRAInstance, self).__init__( +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 0c96536f0..27f15dbe5 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import hashes + from cryptography import x509 as crypto_x509 + + from ipalib import x509 +-from ipalib.constants import DOMAIN_LEVEL_0 ++from ipalib.constants import DOMAIN_LEVEL_0, KRA_TRACKING_REQS + from ipalib.constants import IPA_CA_RECORD + from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE + from ipapython.dn import DN +@@ -34,7 +34,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup + from ipaplatform import services +-from ipaserver.install import krainstance ++ + + config = get_global_config() + +@@ -1282,8 +1282,7 @@ class TestInstallMasterKRA(IntegrationTest): + """ + Test that the KRA subsystem certificates renew properly + """ +- kra = krainstance.KRAInstance(self.master.domain.realm) +- for nickname in kra.tracking_reqs: ++ for nickname in KRA_TRACKING_REQS: + cert = 
tasks.certutil_fetch_cert( + self.master, + paths.PKI_TOMCAT_ALIAS_DIR, +-- +2.31.1 + diff --git a/0025-webui-tests-close-notification-when-revoking-cert.patch b/0025-webui-tests-close-notification-when-revoking-cert.patch new file mode 100644 index 0000000..decc06d --- /dev/null +++ b/0025-webui-tests-close-notification-when-revoking-cert.patch @@ -0,0 +1,31 @@ +From 40e4ccf1ea943aba4d10e8126ffa49feddd2e683 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 13 Jul 2021 18:38:22 +0200 +Subject: [PATCH] webui tests: close notification when revoking cert + +When a cert is revoked, a notification is displayed +and may obscure the buttons. Make sure to close the +notification before moving to the next step. + +Fixes: https://pagure.io/freeipa/issue/8911 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Mohammad Rizwan +--- + ipatests/test_webui/test_cert.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py +index 53dc76faa..7a8ffde91 100644 +--- a/ipatests/test_webui/test_cert.py ++++ b/ipatests/test_webui/test_cert.py +@@ -107,6 +107,7 @@ class test_cert(UI_driver): + self.action_list_action('revoke_cert', False) + self.select('select[name=revocation_reason]', reason) + self.dialog_button_click('ok') ++ self.close_notifications() + self.navigate_to_entity(ENTITY) + + return cert +-- +2.31.1 + diff --git a/0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch b/0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch new file mode 100644 index 0000000..8d8a2d6 --- /dev/null +++ b/0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch 
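Review bot: `tracking_reqs = KRA_TRACKING_REQS` in `KRAInstance` now aliases the module-level dict from `ipalib.constants` instead of owning a private literal, so any in-place edit of `tracking_reqs` on an instance or subclass silently changes the "constant" for every importer, including the test in `TestInstallMasterKRA` that iterates `KRA_TRACKING_REQS`. Either copy at class-definition time, `tracking_reqs = dict(KRA_TRACKING_REQS)`, or make the constant read-only with `types.MappingProxyType` — the `configure_renewal()` reader mentioned in the comment only needs lookup and iteration. The comment placed above the constant says it was moved "to avoid duplication", whereas the commit message gives the real reason (not pulling `krainstance` and its lib389 dependency into the tests); stating that reason in the comment keeps the next reader from moving it back. The rest of `KRAInstance` and the remainder of the test method are outside the hunk.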
@@ -0,0 +1,153 @@ +From 02c0da3ef74948579106aab4b669f6e64dd60b24 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 24 Jun 2021 13:10:00 +0530 +Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is + missing from CS.cfg + +Earlier it used to fail when startup directive missing from CS.cfg. +With https://github.com/dogtagpki/pki/pull/3466, it changed to display +a warning than failing. + +related: https://pagure.io/freeipa/issue/8890 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Florence Blanc-Renaud +--- + .../test_integration/test_ipa_cert_fix.py | 92 ++++++++++++++++++- + 1 file changed, 90 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index b2e92d4dc..394e85603 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -48,6 +48,16 @@ def check_status(host, cert_count, state, timeout=600): + return count + + ++def move_date(host, chrony_state, date_str): ++ """Helper method to move the date on given host ++ :param host: The host on which date is to be moved ++ :param chrony_state: State to which chrony service to be moved ++ :param date_str: date string to move the date i.e 2years1month1days ++ """ ++ host.run_command(['systemctl', chrony_state, 'chronyd']) ++ host.run_command(['date', '-s', date_str]) ++ ++ + @pytest.fixture + def expire_cert_critical(): + """ +@@ -82,6 +92,17 @@ class TestIpaCertFix(IntegrationTest): + # the fixture + pass + ++ @pytest.fixture ++ def expire_ca_cert(self): ++ tasks.install_master(self.master, setup_dns=False, ++ extra_args=['--no-ntp']) ++ move_date(self.master, 'stop', '+20Years+1day') ++ ++ yield ++ ++ tasks.uninstall_master(self.master) ++ move_date(self.master, 'start', '-20Years-1day') ++ + def test_missing_csr(self, expire_cert_critical): + """ + Test that ipa-cert-fix succeeds when CSR is missing 
from CS.cfg +@@ -122,7 +143,8 @@ class TestIpaCertFix(IntegrationTest): + + # Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0 + # https://bugzilla.redhat.com/show_bug.cgi?id=1897120 +- if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'): ++ if (tasks.get_pki_version(self.master) ++ != tasks.parse_version('10.10.0')): + assert result.returncode == 0 + + # get the number of certs track by certmonger +@@ -180,6 +202,72 @@ class TestIpaCertFix(IntegrationTest): + raiseonerr=False) + assert result.returncode == 2 + ++ def test_missing_startup(self, expire_cert_critical): ++ """ ++ Test ipa-cert-fix fails/warns when startup directive is missing ++ ++ This test checks that if 'selftests.container.order.startup' directive ++ is missing from CS.cfg, ipa-cert-fix fails and throw proper error ++ message. It also checks that underlying command 'pki-server cert-fix' ++ should fail to renew the cert. ++ ++ related: https://pagure.io/freeipa/issue/8721 ++ ++ With https://github.com/dogtagpki/pki/pull/3466, it changed to display ++ a warning than failing. 
++ ++ This test also checks that if 'selftests.container.order.startup' ++ directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning ++ (depending on pki version) ++ ++ related: https://pagure.io/freeipa/issue/8890 ++ """ ++ expire_cert_critical(self.master) ++ # pki must be stopped in order to edit CS.cfg ++ self.master.run_command(['ipactl', 'stop']) ++ self.master.run_command([ ++ 'sed', '-i', r'/selftests\.container\.order\.startup/d', ++ paths.CA_CS_CFG_PATH ++ ]) ++ # dirsrv needs to be up in order to run ipa-cert-fix ++ self.master.run_command(['ipactl', 'start', ++ '--ignore-service-failures']) ++ ++ result = self.master.run_command(['ipa-cert-fix', '-v'], ++ stdin_text='yes\n', ++ raiseonerr=False) ++ ++ err_msg1 = "ERROR: 'selftests.container.order.startup'" ++ # check that pki-server cert-fix command fails ++ err_msg2 = ("ERROR: CalledProcessError(Command " ++ "['pki-server', 'cert-fix'") ++ warn_msg = ("WARNING: No selftests configured in " ++ f"{paths.CA_CS_CFG_PATH} " ++ "(selftests.container.order.startup)") ++ ++ if (tasks.get_pki_version(self.master) ++ < tasks.parse_version('10.11.0')): ++ assert (err_msg1 in result.stderr_text ++ and err_msg2 in result.stderr_text) ++ else: ++ assert warn_msg in result.stdout_text ++ ++ def test_expired_CA_cert(self, expire_ca_cert): ++ """Test to check ipa-cert-fix when CA certificate is expired ++ ++ In order to fix expired certs using ipa-cert-fix, CA cert should be ++ valid. If CA cert expired, ipa-cert-fix won't work. 
++ ++ related: https://pagure.io/freeipa/issue/8721 ++ """ ++ result = self.master.run_command(['ipa-cert-fix', '-v'], ++ stdin_text='yes\n', ++ raiseonerr=False) ++ # check that pki-server cert-fix command fails ++ err_msg = ("ERROR: CalledProcessError(Command " ++ "['pki-server', 'cert-fix'") ++ assert err_msg in result.stderr_text ++ + + class TestIpaCertFixThirdParty(CALessBase): + """ +@@ -219,7 +307,7 @@ class TestIpaCertFixThirdParty(CALessBase): + '--pin', self.master.config.admin_password, + '-d', 'server.p12'] + self.master.run_command(args) +- self.master.run_command(['ipactl', 'restart',]) ++ self.master.run_command(['ipactl', 'restart']) + + # Run ipa-cert-fix. This is basically a no-op but tests that + # the DS nickname is used and not a hardcoded value. +-- +2.31.1 + diff --git a/0027-webui-tests-fix-algo-for-finding-available-idrange.patch b/0027-webui-tests-fix-algo-for-finding-available-idrange.patch new file mode 100644 index 0000000..92c1528 --- /dev/null +++ b/0027-webui-tests-fix-algo-for-finding-available-idrange.patch 
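Review bot: The `expire_ca_cert` fixture moves the clock back only after `tasks.uninstall_master(self.master)` returns, so a failing uninstall leaves the master twenty years in the future with chronyd stopped, which then breaks every later test on that host (Kerberos tickets, certificate validity). Put the reset in a `finally:`: `try: tasks.uninstall_master(self.master)` / `finally: move_date(self.master, 'start', '-20Years-1day')`. Separately, the `move_date` helper added at the top of this file is byte-for-byte the one this same series adds to `ipatests/pytest_ipa/integration/tasks.py` in 0029, so the test could call `tasks.move_date` instead of carrying a private copy. The `expire_cert_critical` fixture used by `test_missing_startup` is outside the hunk.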
@@ -0,0 +1,40 @@ +From f7997ed0b7d5b915c0184bf8e8864ff935cd6232 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 16 Jul 2021 15:21:48 +0200 +Subject: [PATCH] webui tests: fix algo for finding available idrange + +The webui tests for ID range evaluate a potentially free id range +by looking for existing ranges and picking a range = max value ++ 1 million. + +With the addition of subuid range this algorithm produces values +over the limit because the subuid range goes from +2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295. + +Ignore the subuid range when picking a potential range. +Fixes: https://pagure.io/freeipa/issue/8919 +Reviewed-By: Rob Crittenden +--- + ipatests/test_webui/task_range.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ipatests/test_webui/task_range.py b/ipatests/test_webui/task_range.py +index db34f6f11..f0664d35a 100644 +--- a/ipatests/test_webui/task_range.py ++++ b/ipatests/test_webui/task_range.py +@@ -64,6 +64,12 @@ class range_tasks(UI_driver): + max_rid = 0 + + for idrange in idranges: ++ # IPA.TEST_subid_range is automatically created near the end ++ # of the allowed ids, taking from 2,147,483,648 to 4,294,836,224 ++ # Ignore this range when looking for available ids otherwise ++ # we won't find any value < max baseid 4,294,967,295 ++ if idrange['cn'][0].endswith("_subid_range"): ++ continue + size = int(idrange['ipaidrangesize'][0]) + base_id = int(idrange['ipabaseid'][0]) + +-- +2.31.1 + diff --git a/0028-ipatests-smbclient-k-use-kerberos-desired.patch b/0028-ipatests-smbclient-k-use-kerberos-desired.patch new file mode 100644 index 0000000..38d2842 --- /dev/null +++ b/0028-ipatests-smbclient-k-use-kerberos-desired.patch 
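Review bot: The skip keys on the naming convention `idrange['cn'][0].endswith("_subid_range")`, which is only the installer's default name, not a property of the range; a renamed or additionally created subordinate-id range would again push the computed base past the 4,294,967,295 ceiling. If the lookup that builds `idranges` (outside the hunk) returns `iparangetype`, filtering on that attribute — the subid range carries its own type, presumably `ipa-local-subid`, verify against `ipaserver/plugins/idrange.py` — is more robust than matching the name. The loop body that derives `base_id` and the maximum continues outside the hunk.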
@@ -0,0 +1,61 @@ +From 161d5844eb1214e60c636bdb73713c6a43f1e75c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Mon, 19 Jul 2021 15:59:01 +0200 +Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=desired" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change documentation: +https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt + +As of Samba 4.15rc1, smbclient does not accept "-k" anymore. +The "-k|--kerberos" option ("Try to authenticate with kerberos.") +has been replaced with "--use-kerberos=required|desired|off". + +Fixes: https://pagure.io/freeipa/issue/8926 +Signed-off-by: François Cami +Reviewed-By: Michal Polovka +Reviewed-By: Michal Polovka +--- + ipatests/test_integration/test_smb.py | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py +index 399ad6209..b2b7ce2e4 100644 +--- a/ipatests/test_integration/test_smb.py ++++ b/ipatests/test_integration/test_smb.py +@@ -166,9 +166,28 @@ class TestSMB(IntegrationTest): + encoding='utf-8') + assert file_contents_at_server == test_string + +- # check access using smbclient utility ++ # Detect whether smbclient uses -k or --use-kerberos=required ++ # https://pagure.io/freeipa/issue/8926 ++ # then check access using smbclient. + res = run_smb_client( +- ['smbclient', '-k', share['unc'], '-c', 'dir']) ++ [ ++ "smbclient", ++ "-h", ++ ], raiseonerr=False ++ ) ++ if "[-k|--kerberos]" in res.stderr_text: ++ smbclient_krb5_knob = "-k" ++ else: ++ smbclient_krb5_knob = "--use-kerberos=desired" ++ res = run_smb_client( ++ [ ++ "smbclient", ++ smbclient_krb5_knob, ++ share["unc"], ++ "-c", ++ "dir", ++ ] ++ ) + assert test_dir in res.stdout_text + + # check file and dir removal from client side +-- +2.31.1 + 
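Review bot: The comment announces a fallback to `--use-kerberos=required` but the code sets `smbclient_krb5_knob = "--use-kerberos=desired"`, and as I read the Samba change `desired` lets smbclient fall back to a non-Kerberos bind when GSSAPI fails, so `assert test_dir in res.stdout_text` can pass without Kerberos being exercised at all — the opposite of what the old `-k` (required) checked. Use `smbclient_krb5_knob = "--use-kerberos=required"` so an authentication regression fails loudly, and fix the comment to match. The version probe also assumes `smbclient -h` writes its usage to stderr; if a build prints it to stdout the test silently selects the new flag on an old binary, so testing `res.stdout_text + res.stderr_text` for `[-k|--kerberos]` would be safer. The rest of the SMB test method is outside the hunk.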
diff --git a/0029-test_acme-refactor-with-tasks.patch b/0029-test_acme-refactor-with-tasks.patch new file mode 100644 index 0000000..5add22b --- /dev/null +++ b/0029-test_acme-refactor-with-tasks.patch 
@@ -0,0 +1,81 @@ +From 86869364a30f071ee79974b301ff68e80c0950ba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 20 Jul 2021 20:19:16 +0200 +Subject: [PATCH] test_acme: refactor with tasks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: François Cami +Reviewed-By: Michal Polovka +--- + ipatests/pytest_ipa/integration/tasks.py | 11 +++++++++++ + ipatests/test_integration/test_acme.py | 19 ++++--------------- + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py +index 22c7ba782..c2e548617 100755 +--- a/ipatests/pytest_ipa/integration/tasks.py ++++ b/ipatests/pytest_ipa/integration/tasks.py +@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg): + 'is_package_installed: unknown platform %s' % platform + ) + return result.returncode == 0 ++ ++ ++def move_date(host, chrony_cmd, date_str): ++ """Helper method to move system date ++ :param host: host on which date is to be manipulated ++ :param chrony_cmd: systemctl command to apply to ++ chrony service, for instance 'start', 'stop' ++ :param date_str: date string to change the date i.e '3years2months1day1' ++ """ ++ host.run_command(['systemctl', chrony_cmd, 'chronyd']) ++ host.run_command(['date', '-s', date_str]) +diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py +index d90f1ff7d..b4aa1b351 100644 +--- a/ipatests/test_integration/test_acme.py ++++ b/ipatests/test_integration/test_acme.py +@@ -35,17 +35,6 @@ skip_mod_md_tests = osinfo.id not in ['rhel', 'fedora', ] + CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa' + + +-def move_date(host, chrony_cmd, date_str): +- """Helper method to move system date +- :param host: host on which date is to be manipulated +- :param chrony_cmd: systemctl command to apply to +- chrony service, for instance 'start', 'stop' +- :param 
date_str: date string to change the date i.e '3years2months1day1' +- """ +- host.run_command(['systemctl', chrony_cmd, 'chronyd']) +- host.run_command(['date', '-s', date_str]) +- +- + def check_acme_status(host, exp_status, timeout=60): + """Helper method to check the status of acme server""" + for _i in range(0, timeout, 5): +@@ -598,8 +587,8 @@ class TestACMERenew(IntegrationTest): + ) + # move system date to expire acme cert + for host in self.clients[0], self.master: +- host.run_command(['kdestroy', '-A']) +- move_date(host, 'stop', '+90days') ++ tasks.kdestroy_all(host) ++ tasks.move_date(host, 'stop', '+90days') + self.clients[0].run_command( + ['kinit', 'admin'], + stdin_text=cmd_input.format( +@@ -611,8 +600,8 @@ class TestACMERenew(IntegrationTest): + + # move back date + for host in self.clients[0], self.master: +- host.run_command(['kdestroy', '-A']) +- move_date(host, 'start', '-90days') ++ tasks.kdestroy_all(host) ++ tasks.move_date(host, 'start', '-90days') + tasks.kinit_admin(host) + + @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available') +-- +2.31.1 + diff --git a/0030-test_acme-make-password-renewal-more-robust.patch b/0030-test_acme-make-password-renewal-more-robust.patch new file mode 100644 index 0000000..f1e3334 --- /dev/null +++ b/0030-test_acme-make-password-renewal-more-robust.patch 
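Review bot: The docstring for the new `tasks.move_date` carries over the example `'3years2months1day1'`, whose trailing `1` looks like a typo, and says "i.e" where an example is meant; the callers in this same hunk pass signed values (`'+90days'`, `'-90days'`), which is what `date -s` expects and what the docstring should show. Suggested: `:param date_str: relative date accepted by 'date -s', e.g. '+90days' or '-3years2months1day'`. A sentence noting that the helper stops or starts chronyd as told and does not restore anything itself — callers must pair a `'stop'` shift with a later `'start'` shift in the opposite direction — would help the next test author.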
@@ -0,0 +1,66 @@ +From 701adb9185c77194ba1ad0c5fd2f13484417ef6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 20 Jul 2021 20:22:23 +0200 +Subject: [PATCH] test_acme: make password renewal more robust +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A kinit immediately following a password change can fail. +Setting KRB5_TRACE and retrieving kdcinfo will help to understand +the cause of failure. + +Fixes: https://pagure.io/freeipa/issue/8929 +Signed-off-by: François Cami +Reviewed-By: Michal Polovka +--- + ipatests/test_integration/test_acme.py | 28 +++++++++++++------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py +index b4aa1b351..10195a95f 100644 +--- a/ipatests/test_integration/test_acme.py ++++ b/ipatests/test_integration/test_acme.py +@@ -576,25 +576,25 @@ class TestACMERenew(IntegrationTest): + # request a standalone acme cert + certbot_standalone_cert(self.clients[0], self.acme_server) + +- cmd_input = ( +- # Password for admin@{REALM}: +- "{pwd}\n" +- # Password expired. You must change it now. +- # Enter new password: +- "{pwd}\n" +- # Enter it again: +- "{pwd}\n" +- ) + # move system date to expire acme cert + for host in self.clients[0], self.master: + tasks.kdestroy_all(host) + tasks.move_date(host, 'stop', '+90days') +- self.clients[0].run_command( +- ['kinit', 'admin'], +- stdin_text=cmd_input.format( +- pwd=self.clients[0].config.admin_password +- ) ++ ++ tasks.get_kdcinfo(host) ++ # Note raiseonerr=False: ++ # the assert is located after kdcinfo retrieval. 
++ result = host.run_command( ++ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin', ++ stdin_text='{0}\n{0}\n{0}\n'.format( ++ self.clients[0].config.admin_password ++ ), ++ raiseonerr=False + ) ++ # Retrieve kdc.$REALM after the password change, just in case SSSD ++ # domain status flipped to online during the password change. ++ tasks.get_kdcinfo(host) ++ assert result.returncode == 0 + + yield + +-- +2.31.1 + diff --git a/0031-tasks.py-fix-flake8-reported-issues.patch b/0031-tasks.py-fix-flake8-reported-issues.patch new file mode 100644 index 0000000..548f2f5 --- /dev/null +++ b/0031-tasks.py-fix-flake8-reported-issues.patch 
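Review bot: Inside `for host in self.clients[0], self.master` the kinit now runs on every host but always feeds `self.clients[0].config.admin_password`, whereas the removed code ran kinit only on the client; on the second host the password is no longer expired, so the two extra stdin lines are simply ignored, which works but obscures the intent. Use `host.config.admin_password` and add a comment that the first host performs the forced change and later hosts only obtain a ticket. Note also that the change sets the new password equal to the old one, which a history-enabled password policy would reject — presumably the global policy in this test keeps history disabled, worth confirming. `KRB5_TRACE=/dev/stdout kinit admin` is passed as a shell string, so the trace lands in the test log, but the password travels on stdin rather than in argv and is not exposed in the process list.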
@@ -0,0 +1,58 @@ +From 5b826ab3582566b15a618f57cb2e002a9c16ef64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 20 Jul 2021 20:29:00 +0200 +Subject: [PATCH] tasks.py: fix flake8-reported issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: https://pagure.io/freeipa/issue/8931 +Signed-off-by: François Cami +Reviewed-By: Michal Polovka +--- + ipatests/pytest_ipa/integration/tasks.py | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py +index c2e548617..075c05cde 100755 +--- a/ipatests/pytest_ipa/integration/tasks.py ++++ b/ipatests/pytest_ipa/integration/tasks.py +@@ -597,7 +597,9 @@ def install_adtrust(host): + dig_command = ['dig', 'SRV', '+short', '@localhost', + '_ldap._tcp.%s' % host.domain.name] + dig_output = '0 100 389 %s.' % host.hostname +- dig_test = lambda x: re.search(re.escape(dig_output), x) ++ ++ def dig_test(x): ++ return re.search(re.escape(dig_output), x) + + run_repeatedly(host, dig_command, test=dig_test) + +@@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user', + result = host.run_command( + "KRB5_TRACE=/dev/stdout kinit %s" % login, + stdin_text='{0}\n{1}\n{1}\n'.format( +- temp_password, password, raiseonerr=False +- ) ++ temp_password, password ++ ), raiseonerr=False + ) + # Retrieve kdc.$REALM after the password change, just in case SSSD + # domain status flipped to online during the password change. 
+@@ -2264,10 +2266,10 @@ class KerberosKeyCopier: + [paths.KLIST, "-eK", "-k", keytab], log_stdout=False) + + keys_to_sync = [] +- for l in result.stdout_text.splitlines(): +- if (princ in l and any(e in l for e in self.valid_etypes)): ++ for line in result.stdout_text.splitlines(): ++ if (princ in line and any(e in line for e in self.valid_etypes)): + +- els = l.split() ++ els = line.split() + els[-2] = els[-2].strip('()') + els[-1] = els[-1].strip('()') + keys_to_sync.append(KeyEntry._make(els)) +-- +2.31.1 + diff --git a/0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch b/0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch new file mode 100644 index 0000000..e48eddf --- /dev/null +++ b/0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch 
@@ -0,0 +1,142 @@ +From a1eb13cdbc109da8c028bb886a1207ea2cc23cee Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 27 Jul 2021 11:54:20 +0200 +Subject: [PATCH] Fix ldapupdate.get_sub_dict() for missing named user +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The named user may not be present when ipa-server-dns and bind are not +installed. NAMED_UID and NAMED_GID constants are only used with local +DNS support. + +Fixes: https://pagure.io/freeipa/issue/8936 +Signed-off-by: Christian Heimes +Co-authored-by: François Cami +Reviewed-By: Francois Cami +Reviewed-By: Rob Crittenden +Reviewed-By: Francois Cami +Reviewed-By: Rob Crittenden +--- + ipaserver/install/ldapupdate.py | 14 +++++++--- + .../nightly_ipa-4-9_latest.yaml | 12 +++++++++ + .../nightly_ipa-4-9_previous.yaml | 12 +++++++++ + .../test_integration/test_installation.py | 27 +++++++++++++++++++ + 4 files changed, 62 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py +index 06cb78e0b..f0e7d6162 100644 +--- a/ipaserver/install/ldapupdate.py ++++ b/ipaserver/install/ldapupdate.py +@@ -64,6 +64,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None): + idrange_size = idmax - idstart + 1 + subid_base_rid = constants.SUBID_RANGE_START - idrange_size + ++ # uid / gid for autobind ++ # user is only defined when ipa-server-dns and bind are installed ++ try: ++ named_uid = platformconstants.NAMED_USER.uid ++ named_gid = platformconstants.NAMED_GROUP.gid ++ except ValueError: ++ named_uid = None ++ named_gid = None ++ + return dict( + REALM=realm, + DOMAIN=domain, +@@ -99,9 +108,8 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None): + DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL, + SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT, + SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER, +- # uid / gid for autobind +- 
NAMED_UID=platformconstants.NAMED_USER.uid, +- NAMED_GID=platformconstants.NAMED_GROUP.gid, ++ NAMED_UID=named_uid, ++ NAMED_GID=named_gid, + ) + + +diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +index 939ee2b7d..1c8c5ddfc 100644 +--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml ++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml +@@ -547,6 +547,18 @@ jobs: + timeout: 4800 + topology: *master_1repl_1client + ++ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutNamed: ++ requires: [fedora-latest-ipa-4-9/build] ++ priority: 50 ++ job: ++ class: RunPytest ++ args: ++ build_url: '{fedora-latest-ipa-4-9/build_url}' ++ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed ++ template: *ci-ipa-4-9-latest ++ timeout: 4800 ++ topology: *master_1repl ++ + fedora-latest-ipa-4-9/test_idviews: + requires: [fedora-latest-ipa-4-9/build] + priority: 50 +diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +index 03658a934..6d121d59f 100644 +--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml ++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml +@@ -547,6 +547,18 @@ jobs: + timeout: 4800 + topology: *master_1repl_1client + ++ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutNamed: ++ requires: [fedora-previous-ipa-4-9/build] ++ priority: 50 ++ job: ++ class: RunPytest ++ args: ++ build_url: '{fedora-previous-ipa-4-9/build_url}' ++ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed ++ template: *ci-ipa-4-9-previous ++ timeout: 4800 ++ topology: *master_1repl ++ + fedora-previous-ipa-4-9/test_idviews: + requires: [fedora-previous-ipa-4-9/build] + priority: 50 +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index e76fd0efe..e3c41eaa1 100644 +--- 
a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -1853,3 +1853,30 @@ class TestInstallWithoutSudo(IntegrationTest): + result = tasks.install_client(self.master, self.clients[0]) + assert self.no_sudo_str not in result.stderr_text + assert self.sudo_version_str not in result.stdout_text ++ ++ ++class TestInstallWithoutNamed(IntegrationTest): ++ num_replicas = 1 ++ ++ @classmethod ++ def remove_named(cls, host): ++ # remove the bind package and make sure the named user does not exist. ++ # https://pagure.io/freeipa/issue/8936 ++ result = host.run_command(['id', 'named'], raiseonerr=False) ++ if result.returncode == 0: ++ tasks.uninstall_packages(host, ['bind']) ++ host.run_command(['userdel', constants.NAMED_USER]) ++ assert host.run_command( ++ ['id', 'named'], raiseonerr=False ++ ).returncode == 1 ++ ++ @classmethod ++ def install(cls, mh): ++ for tgt in (cls.master, cls.replicas[0]): ++ cls.remove_named(tgt) ++ tasks.install_master(cls.master, setup_dns=False) ++ ++ def test_replica0_install(self): ++ tasks.install_replica( ++ self.master, self.replicas[0], setup_ca=False, setup_dns=False ++ ) +-- +2.31.1 + diff --git a/0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch b/0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch new file mode 100644 index 0000000..31489e5 --- /dev/null +++ b/0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch 
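Review bot: With the new `except ValueError` fallback, `NAMED_UID`/`NAMED_GID` can now be `None` in the dict returned by get_sub_dict; if any update file still references those keys on a host without bind, the substitution would presumably emit the literal string `None` into the LDIF rather than fail loudly — the substitution code and the start of get_sub_dict are outside the hunk, so please confirm, and consider a comment like `# NAMED_UID/NAMED_GID are None without bind; only DNS-related update files may reference them`. In TestInstallWithoutNamed.remove_named the two `id` probes use the literal `'named'` while the removal uses `constants.NAMED_USER`; use the same constant in all three calls so the probe and the removal cannot drift apart.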
@@ -0,0 +1,68 @@ +From e0e1d6f94dd16c8066be8ce3c75ef306890a3e2b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 28 Jul 2021 18:47:02 +0200 +Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +python3-pexpect will be removed in RHEL9. +Update BuildRequires/Requires accordingly. + +Fixes: https://pagure.io/freeipa/issue/8938 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +Reviewed-By: Antonio Torres +--- + freeipa.spec.in | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index c33d2e216..9440f3602 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -328,11 +328,18 @@ BuildRequires: python3-m2r + # Build dependencies for lint and fastcheck + # + %if %{with lint} +-BuildRequires: git +-%if 0%{?fedora} < 34 ++ ++# python3-pexpect might not be available in RHEL9 ++%if 0%{?fedora} || 0%{?rhel} < 9 ++BuildRequires: python3-pexpect ++%endif ++ + # jsl is orphaned in Fedora 34+ ++%if 0%{?fedora} < 34 + BuildRequires: jsl + %endif ++ ++BuildRequires: git + BuildRequires: nss-tools + BuildRequires: rpmlint + BuildRequires: softhsm +@@ -357,7 +364,6 @@ BuildRequires: python3-lxml + BuildRequires: python3-netaddr >= %{python_netaddr_version} + BuildRequires: python3-netifaces + BuildRequires: python3-paste +-BuildRequires: python3-pexpect + BuildRequires: python3-pki >= %{pki_version} + BuildRequires: python3-polib + BuildRequires: python3-pyasn1 +@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release} + Requires: python3-ipaserver = %{version}-%{release} + Requires: iptables + Requires: python3-cryptography >= 1.6 +-Requires: python3-pexpect + %if 0%{?fedora} + # These packages do not exist on RHEL and for ipatests use + # they are installed on the controller through other means + Requires: ldns-utils ++Requires: python3-pexpect + 
# update-crypto-policies + Requires: crypto-policies-scripts + Requires: python3-polib +-- +2.31.1 + diff --git a/0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch b/0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch new file mode 100644 index 0000000..798f9d2 --- /dev/null +++ b/0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch 
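Review bot: The new guard `%if 0%{?fedora} || 0%{?rhel} < 9` is true on any build where neither `fedora` nor `rhel` is defined (`0 < 9`), so the `python3-pexpect` BuildRequires comes back on exactly the non-Fedora, non-RHEL targets the comment says may not have it. If the intent is "Fedora, or RHEL before 9", write it as `%if 0%{?fedora} || (0%{?rhel} && 0%{?rhel} < 9)`. The runtime `Requires: python3-pexpect` for ipatests is now inside `%if 0%{?fedora}` only, so RHEL 8 ipatests loses it while the build guard keeps it; a one-line comment stating that this asymmetry is intentional would help the next maintainer.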
@@ -0,0 +1,365 @@ +From 42206df69adc9c1eefa3ee576891b2ae3ac269e0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 15 Jul 2021 15:11:28 -0400 +Subject: [PATCH] ipa-getkeytab: add option to discover servers using DNS SRV + +The basic flow is: + +- If server is provided by the user then use it +- If server the magic value '_srv', check for _ldap._tcp SRV records for + the domain in /etc/ipa/default.conf +- If no servers are found use the server from default.conf + +https://pagure.io/freeipa/issue/8478 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +Reviewed-By: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + client/Makefile.am | 1 + + client/ipa-getkeytab.c | 221 +++++++++++++++++++++++++++++++++++++ + client/man/ipa-getkeytab.1 | 5 +- + configure.ac | 10 ++ + 4 files changed, 236 insertions(+), 1 deletion(-) + +diff --git a/client/Makefile.am b/client/Makefile.am +index 0031c04a5..72f4cb3dc 100644 +--- a/client/Makefile.am ++++ b/client/Makefile.am +@@ -66,6 +66,7 @@ ipa_getkeytab_LDADD = \ + $(SASL_LIBS) \ + $(POPT_LIBS) \ + $(LIBINTL_LIBS) \ ++ $(RESOLV_LIBS) \ + $(INI_LIBS) \ + $(NULL) + +diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c +index 04786be9e..d3673eb05 100644 +--- a/client/ipa-getkeytab.c ++++ b/client/ipa-getkeytab.c +@@ -34,9 +34,11 @@ + #include + #include + #include ++#include + #include + #include + #include ++#include + + #include "config.h" + +@@ -46,6 +48,174 @@ + #include "ipa_ldap.h" + + ++struct srvrec { ++ char *host; ++ uint16_t port; ++ int priority, weight; ++ struct srvrec *next; ++}; ++ ++static int ++srvrec_priority_sort(const void *a, const void *b) ++{ ++ const struct srvrec *sa, *sb; ++ ++ sa = a; ++ sb = b; ++ return sa->priority - sb->priority; ++} ++ ++static int ++srvrec_sort_weight(const void *a, const void *b) ++{ ++ const struct srvrec *sa, *sb; ++ ++ sa = a; ++ sb = b; ++ return sa->weight - sb->weight; ++} ++ ++/* Return a uniform random number between 0 and range */ 
++static double ++rand_inclusive(double range) ++{ ++ long long r; ++ ++ if (range == 0) { ++ return 0; ++ } ++ ++ if (RAND_bytes((unsigned char *) &r, sizeof(r)) == -1) { ++ return 0; ++ } ++ if (r < 0) { ++ r = -r; ++ } ++ return ((double)r / (double)LLONG_MAX) * range; ++} ++ ++static void ++sort_prio_weight(struct srvrec *res, int len) ++{ ++ int i, j; ++ double tweight; ++ struct srvrec tmp; ++ double r; ++ ++ qsort(res, len, sizeof(res[0]), srvrec_sort_weight); ++ for (i = 0; i < len - 1; i++) { ++ tweight = 0; ++ for (j = i; j < len; j++) { ++ /* Give records with 0 weight a small chance */ ++ tweight += res[j].weight ? res[j].weight : 0.01; ++ } ++ r = rand_inclusive(tweight); ++ tweight = 0; ++ for (j = i; j < len; j++) { ++ tweight += res[j].weight ? res[j].weight : 0.01; ++ if (tweight >= r) { ++ break; ++ } ++ } ++ if (j >= len) { ++ continue; ++ } ++ memcpy(&tmp, &res[i], sizeof(tmp)); ++ memcpy(&res[i], &res[j], sizeof(tmp)); ++ memcpy(&res[j], &tmp, sizeof(tmp)); ++ } ++} ++ ++/* The caller is responsible for freeing the results */ ++static int ++query_srv(const char *name, const char *domain, struct srvrec **results) ++{ ++ int i, j, len; ++ unsigned char *answer = NULL; ++ size_t answer_len = NS_MAXMSG; ++ struct srvrec *res = NULL; ++ ns_msg msg; ++ ns_rr rr; ++ int rv = -1; ++ ++ *results = NULL; ++ if ((name == NULL) || (strlen(name) == 0) || ++ (domain == NULL) || (strlen(domain) == 0)) { ++ return -1; ++ } ++ ++ res_init(); ++ answer = malloc(answer_len + 1); ++ if (answer == NULL) { ++ return -1; ++ } ++ memset(answer, 0, answer_len + 1); ++ i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len); ++ if (i == -1) { ++ goto error; ++ } ++ answer_len = i; ++ memset(&msg, 0, sizeof(msg)); ++ if (ns_initparse(answer, answer_len, &msg) != 0) { ++ goto error; ++ } ++ memset(&rr, 0, sizeof(rr)); ++ for (i = 0; ns_parserr(&msg, ns_s_an, i, &rr) == 0; i++) { ++ continue; ++ } ++ if (i == 0) { ++ goto error; ++ } ++ len = i; ++ res = 
malloc(sizeof(*res) * i); ++ if (res == NULL) { ++ goto error; ++ } ++ memset(res, 0, sizeof(*res) * i); ++ for (i = 0, j = 0; i < len; i++) { ++ if (ns_parserr(&msg, ns_s_an, i, &rr) != 0) { ++ continue; ++ } ++ if (rr.rdlength < 6) { ++ continue; ++ } ++ res[j].host = malloc(rr.rdlength - 6 + 1); ++ if (res[j].host == NULL) { ++ goto error; ++ } ++ res[j].priority = ntohs(*(uint16_t *)rr.rdata); ++ res[j].weight = ntohs(*(uint16_t *)(rr.rdata + 2)); ++ res[j].port = ntohs(*(uint16_t *)(rr.rdata + 4)); ++ memcpy(res[j].host, rr.rdata + 6, rr.rdlength - 6); ++ if (ns_name_ntop(rr.rdata + 6, res[j].host, rr.rdlength - 6) == -1) { ++ continue; ++ } ++ res[j].host[rr.rdlength - 6] = '\0'; ++ j++; ++ } ++ len = j; ++ qsort(res, len, sizeof(res[0]), srvrec_priority_sort); ++ i = 0; ++ while (i < len) { ++ j = i + 1; ++ while (j < len && (res[j].priority == res[i].priority)) { ++ j++; ++ } ++ sort_prio_weight(res + i, j - i); ++ i = j; ++ } ++ /* Fixup the linked-list pointers */ ++ for (i = 0; i < len - 1; i++) { ++ res[i].next = &res[i + 1]; ++ } ++ *results = res; ++ rv = 0; ++ ++error: ++ free(answer); ++ return rv; ++} ++ + static int check_sasl_mech(const char *mech) + { + int i; +@@ -619,6 +789,7 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2, + + struct ipa_config { + const char *server_name; ++ const char *domain; + }; + + static int config_from_file(struct ini_cfgobj *cfgctx) +@@ -688,6 +859,11 @@ int read_ipa_config(struct ipa_config **ipacfg) + if (ret == 0 && obj != NULL) { + (*ipacfg)->server_name = ini_get_string_config_value(obj, &ret); + } ++ ret = ini_get_config_valueobj("global", "domain", cfgctx, ++ INI_GET_LAST_VALUE, &obj); ++ if (ret == 0 && obj != NULL) { ++ (*ipacfg)->domain = ini_get_string_config_value(obj, &ret); ++ } + + return 0; + } +@@ -754,6 +930,7 @@ int main(int argc, const char *argv[]) + static const char *sasl_mech = NULL; + static const char *ca_cert_file = NULL; + int quiet = 0; ++ int verbose = 0; + 
int askpass = 0; + int askbindpw = 0; + int permitted_enctypes = 0; +@@ -761,6 +938,8 @@ int main(int argc, const char *argv[]) + struct poptOption options[] = { + { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, + _("Print as little as possible"), _("Output only on errors")}, ++ { "verbose", 'v', POPT_ARG_NONE, &verbose, 0, ++ _("Print debugging information"), _("Output debug info")}, + { "server", 's', POPT_ARG_STRING, &server, 0, + _("Contact this specific KDC Server"), + _("Server Name") }, +@@ -906,6 +1085,41 @@ int main(int argc, const char *argv[]) + exit(2); + } + ++ if (server && (strcasecmp(server, "_srv_") == 0)) { ++ struct srvrec *srvrecs, *srv; ++ struct ipa_config *ipacfg = NULL; ++ ++ ret = read_ipa_config(&ipacfg); ++ if (ret == 0 && ipacfg->domain && verbose) { ++ fprintf(stderr, _("DNS discovery for domain %s\n"), ipacfg->domain); ++ } ++ if (query_srv("_ldap._tcp", ipacfg->domain, &srvrecs) == 0) { ++ for (srv = srvrecs; (srv != NULL); srv = srv->next) { ++ if (verbose) { ++ fprintf(stderr, _("Discovered server %s\n"), srv->host); ++ } ++ } ++ for (srv = srvrecs; (srv != NULL); srv = srv->next) { ++ server = strdup(srv->host); ++ if (verbose) { ++ fprintf(stderr, _("Using discovered server %s\n"), server); ++ } ++ break; ++ } ++ for (srv = srvrecs; (srv != NULL); srv = srv->next) { ++ free(srv->host); ++ } ++ } else { ++ if (verbose) { ++ fprintf(stderr, _("DNS Discovery failed\n")); ++ } ++ } ++ if (strcasecmp(server, "_srv_") == 0) { ++ /* Discovery failed, fall through to option methods */ ++ server = NULL; ++ } ++ } ++ + if (!server && !ldap_uri) { + struct ipa_config *ipacfg = NULL; + +@@ -915,10 +1129,17 @@ int main(int argc, const char *argv[]) + ipacfg->server_name = NULL; + } + free(ipacfg); ++ if (verbose && server) { ++ fprintf(stderr, _("Using server from config %s\n"), server); ++ } + if (!server) { + fprintf(stderr, _("Server name not provided and unavailable\n")); + exit(2); + } ++ } else { ++ if (verbose) { ++ fprintf(stderr, _("Using 
provided server %s\n"), server); ++ } + } + if (server) { + ret = ipa_server_to_uri(server, sasl_mech, &ldap_uri); +diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 +index b57c5489c..07d2d73b3 100644 +--- a/client/man/ipa-getkeytab.1 ++++ b/client/man/ipa-getkeytab.1 +@@ -78,7 +78,10 @@ arcfour\-hmac + \fB\-s ipaserver\fR + The IPA server to retrieve the keytab from (FQDN). If this option is not + provided the server name is read from the IPA configuration file +-(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR. ++(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR. If the ++value is _srv_ then DNS discovery will be used to determine a server. ++If this discovery fails then it will fall back to using the configuration ++file. + .TP + \fB\-q\fR + Quiet mode. Only errors are displayed. +diff --git a/configure.ac b/configure.ac +index dc79d5dce..9d7a33825 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -108,6 +108,16 @@ LDAP_CFLAGS="" + AC_SUBST(LDAP_LIBS) + AC_SUBST(LDAP_CFLAGS) + ++dnl --------------------------------------------------------------------------- ++dnl - Check for resolv library ++dnl --------------------------------------------------------------------------- ++ ++SAVE_CPPFLAGS=$CPPFLAGS ++CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS" ++AC_CHECK_LIB(resolv,main,RESOLV_LIBS=-lresolv) ++AC_CHECK_HEADERS(resolv.h) ++AC_SUBST(RESOLV_LIBS) ++ + dnl --------------------------------------------------------------------------- + dnl - Check for OpenSSL Crypto library + dnl --------------------------------------------------------------------------- +-- +2.31.1 + diff --git a/0035-ipa-getkeytab-fix-compiler-warnings.patch b/0035-ipa-getkeytab-fix-compiler-warnings.patch new file mode 100644 index 0000000..734e8e9 --- /dev/null +++ b/0035-ipa-getkeytab-fix-compiler-warnings.patch 
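Review bot: In query_srv the SRV target is converted with `ns_name_ntop` against the raw rdata, which returns -1 on a compressed target (RFC 2782 forbids compression but resolvers still encounter it) and on labels whose escaped presentation form is longer than the wire form, and on that `continue` path the `host` buffer just allocated is leaked and the record silently dropped; expanding with `ns_name_uncompress` against the message bounds handles both, as sketched below. In main, `ipacfg->domain` is dereferenced after `read_ipa_config(&ipacfg)` regardless of `ret`, so a config read failure is a NULL dereference if read_ipa_config leaves the pointer unset (its failure path is outside this hunk); gate it with `if (ret == 0 && ipacfg != NULL && query_srv(...) == 0)` and free `ipacfg` and the `srvrecs` array afterwards as the config-file branch already does. `RAND_bytes` reports failure as 0 as well as -1, so `rand_inclusive` should test `!= 1`. The `ntohs(*(uint16_t *)…)` reads are unaligned accesses into the answer buffer; `ns_get16()` from the same header reads them byte-wise. Finally, `_srv_` selection trusts unauthenticated DNS and the tool also has a bind-password mode (`askbindpw`), so the man-page text should state that a discovered server is presumably verified only by the subsequent Kerberos or CA-validated TLS step and that `_srv_` should be used with a trusted resolver when not binding with GSSAPI.
```c
/* … unchanged: answer parsing and res allocation … */
for (i = 0, j = 0; i < len; i++) {
    char target[NS_MAXDNAME];

    if (ns_parserr(&msg, ns_s_an, i, &rr) != 0 || rr.rdlength < 6) {
        continue;
    }
    /* Expand the target against the whole message: SRV targets may be
     * compressed, and escaped labels can exceed the wire length. */
    if (ns_name_uncompress(ns_msg_base(msg), ns_msg_end(msg),
                           rr.rdata + 6, target, sizeof(target)) < 0) {
        continue;
    }
    res[j].host = strdup(target);
    if (res[j].host == NULL) {
        goto error;
    }
    res[j].priority = ns_get16(rr.rdata);
    res[j].weight = ns_get16(rr.rdata + 2);
    res[j].port = ns_get16(rr.rdata + 4);
    j++;
}
/* … unchanged: priority/weight sort and next-pointer fixup … */
```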
@@ -0,0 +1,55 @@ +From 0114d24ea160676b784ef7010c19bbacc67ceea0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 15 Jul 2021 17:52:54 -0400 +Subject: [PATCH] ipa-getkeytab: fix compiler warnings + +Make read_ipa_config and filter_keys static to avoid +"no previous prototype" warnings. + +Use correct datatype of return value for ber_scanf to +correct different signedness comparision. + +Fixed while working on https://pagure.io/freeipa/issue/8478 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +Reviewed-By: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + client/ipa-getkeytab.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c +index d3673eb05..309b3c704 100644 +--- a/client/ipa-getkeytab.c ++++ b/client/ipa-getkeytab.c +@@ -291,7 +291,7 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s + return ret; + } + +-int filter_keys(krb5_context krbctx, struct keys_container *keys, ++static int filter_keys(krb5_context krbctx, struct keys_container *keys, + ber_int_t *enctypes) + { + struct krb_key_salt *ksdata; +@@ -507,7 +507,7 @@ static int ldap_set_keytab(krb5_context krbctx, + BerElement *sctrl = NULL; + struct berval *control = NULL; + LDAPControl **srvctrl = NULL; +- int ret; ++ ber_tag_t ret; + int kvno, i; + ber_tag_t rtag; + ber_int_t *encs = NULL; +@@ -826,7 +826,7 @@ static int config_from_file(struct ini_cfgobj *cfgctx) + return 0; + } + +-int read_ipa_config(struct ipa_config **ipacfg) ++static int read_ipa_config(struct ipa_config **ipacfg) + { + struct ini_cfgobj *cfgctx = NULL; + struct value_obj *obj = NULL; +-- +2.31.1 + diff --git a/0036-ipatests-test-ipa-getkeytab-server-option.patch b/0036-ipatests-test-ipa-getkeytab-server-option.patch new file mode 100644 index 0000000..0b3e60c --- /dev/null +++ b/0036-ipatests-test-ipa-getkeytab-server-option.patch 
@@ -0,0 +1,92 @@ +From 7a13200fd8b92dd90ebc4b6416ef25659df8aa71 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 16 Jul 2021 12:59:47 -0400 +Subject: [PATCH] ipatests: test ipa-getkeytab server option + +Test various usages of the -s/--server option: +* -s is defined, use it as the server +* no -s, use the host value from /etc/ipa/default.conf +* -s is '_srv_', do DNS discovery + +https://pagure.io/freeipa/issue/8478 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +Reviewed-By: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_commands.py | 58 ++++++++++++++++++++++ + 1 file changed, 58 insertions(+) + +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index d64519eb7..2035ced56 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1467,6 +1467,64 @@ class TestIPACommand(IntegrationTest): + assert 'This account is currently not available' in \ + result.stdout_text + ++ def test_ipa_getkeytab_server(self): ++ """ ++ Exercise the ipa-getkeytab server options ++ ++ This relies on the behavior that without a TGT ++ ipa-getkeytab will quit and not do much of anything. ++ ++ A bogus keytab and principal are passed in to satisfy the ++ minimum requirements. 
++ """ ++ tasks.kdestroy_all(self.master) ++ ++ # Pass in a server name to use ++ result = self.master.run_command( ++ [ ++ paths.IPA_GETKEYTAB, ++ "-k", ++ "/tmp/keytab", ++ "-p", ++ "foo", ++ "-s", ++ self.master.hostname, ++ "-v", ++ ], raiseonerr=False).stderr_text ++ ++ assert 'Using provided server %s' % self.master.hostname in result ++ ++ # Don't pass in a name, should use /etc/ipa/default.conf ++ result = self.master.run_command( ++ [ ++ paths.IPA_GETKEYTAB, ++ "-k", ++ "/tmp/keytab", ++ "-p", ++ "foo", ++ "-v", ++ ], raiseonerr=False).stderr_text ++ ++ assert ( ++ 'Using server from config %s' % self.master.hostname ++ in result ++ ) ++ ++ # Use DNS SRV lookup ++ result = self.master.run_command( ++ [ ++ paths.IPA_GETKEYTAB, ++ "-k", ++ "/tmp/keytab", ++ "-p", ++ "foo", ++ "-s", ++ "_srv_", ++ "-v", ++ ], raiseonerr=False).stderr_text ++ ++ assert 'Discovered server %s' % self.master.hostname in result ++ + + class TestIPACommandWithoutReplica(IntegrationTest): + """ +-- +2.31.1 + diff --git a/0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch b/0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch new file mode 100644 index 0000000..d24f83c --- /dev/null +++ b/0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch 
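Review bot: The three `run_command` calls discard everything except `stderr_text`, so the test only proves the `-v` banner was printed, not that ipa-getkeytab then stopped for the intended reason (no TGT); capture the result and also assert `result.returncode != 0` so a future change that makes it proceed and write a keytab does not pass unnoticed. The keytab argument is a fixed `/tmp/keytab` in a world-writable directory; if the command ever does proceed it would write key material to a predictable path, so use a path under a per-test temporary directory or at least remove it in a `finally`. `result` is reassigned for three different scenarios; naming them `provided`, `from_config` and `discovered` makes a failing assertion self-explaining.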
@@ -0,0 +1,91 @@ +From 25a4acf3ad5964eacddbcb83ddf9f84432968918 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 22 Jul 2021 14:55:50 +0530 +Subject: [PATCH] ipatests: Test for OTP when the LDAP connection timed out. + +Test to verify that when the idle timeout is exceeded (30s idle, +60s sleep) then the ipa-otpd process should exit without error. + +Related : https://pagure.io/freeipa/issue/6587 + +Signed-off-by: Anuja More +Reviewed-By: Mohammad Rizwan +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_otp.py | 56 +++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index b2e65af1b..fd55898ca 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -20,6 +20,7 @@ from cryptography.hazmat.primitives.twofactor.totp import TOTP + from ipatests.test_integration.base import IntegrationTest + from ipaplatform.paths import paths + from ipatests.pytest_ipa.integration import tasks ++from ipapython.dn import DN + + + PASSWORD = "DummyPassword123" +@@ -309,3 +310,58 @@ class TestOTPToken(IntegrationTest): + master.run_command(['ipa', 'user-del', USER2]) + self.master.run_command(['semanage', 'login', '-D']) + sssd_conf_backup.restore() ++ ++ @pytest.fixture ++ def setup_otp_nsslapd(self): ++ # setting nsslapd-idletimeout ++ new_limit = 30 ++ conn = self.master.ldap_connect() ++ dn = DN(('cn', 'config')) ++ entry = conn.get_entry(dn) # pylint: disable=no-member ++ orig_limit = entry.single_value.get('nsslapd-idletimeout') ++ ldap_query = textwrap.dedent(""" ++ dn: cn=config ++ changetype: modify ++ replace: nsslapd-idletimeout ++ nsslapd-idletimeout: {limit} ++ """) ++ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit)) ++ # Be sure no services are running and failed units ++ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) ++ check_services = self.master.run_command( ++ 
['systemctl', 'list-units', '--state=failed'] ++ ) ++ assert "0 loaded units listed" in check_services.stdout_text ++ assert "ipa-otpd" not in check_services.stdout_text ++ yield ++ # cleanup ++ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit)) ++ ++ def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd): ++ """Test for OTP when the LDAP connection timed out. ++ ++ Test for : https://pagure.io/freeipa/issue/6587 ++ ++ ipa-otpd was exiting with failure when LDAP connection timed out. ++ Test to verify that when the nsslapd-idletimeout is exceeded (30s idle, ++ 60s sleep) then the ipa-otpd process should exit without error. ++ """ ++ since = time.strftime('%H:%M:%S') ++ tasks.kinit_admin(self.master) ++ otpuid, totp = add_otptoken(self.master, USER, otptype="totp") ++ try: ++ # kinit with OTP auth ++ otpvalue = totp.generate(int(time.time())).decode("ascii") ++ kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) ++ time.sleep(60) ++ failed_services = self.master.run_command( ++ ['systemctl', 'list-units', '--state=failed'] ++ ) ++ assert "ipa-otpd" not in failed_services.stdout_text ++ cmd_jornalctl = self.master.run_command( ++ ['journalctl', '--since={}'.format(since)] ++ ) ++ regex = r".*ipa-otpd@.*\sSucceeded" ++ assert re.search(regex, cmd_jornalctl.stdout_text) ++ finally: ++ del_otptoken(self.master, otpuid) +-- +2.31.1 + diff --git a/0038-ipatests-verify-that-getcert-output-includes-the-iss.patch b/0038-ipatests-verify-that-getcert-output-includes-the-iss.patch new file mode 100644 index 0000000..af90a1f --- /dev/null +++ b/0038-ipatests-verify-that-getcert-output-includes-the-iss.patch 
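Review bot: `since = time.strftime('%H:%M:%S')` passes a time of day only, which journalctl resolves against the current date; a run that starts before midnight and queries after it searches an empty window and the `Succeeded` assertion fails spuriously — use `time.strftime('%Y-%m-%d %H:%M:%S')`. In the fixture, `orig_limit` comes from `single_value.get('nsslapd-idletimeout')`, which presumably yields `None` when the attribute is absent, and the teardown would then send `nsslapd-idletimeout: None`; either assert the attribute is present up front or restore with a `delete:` change when it was unset. `cmd_jornalctl` is a typo for `cmd_journalctl`.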
@@ -0,0 +1,51 @@ +From 826b5825bd644fc69a9bee17626d71fe03cc0190 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 26 Jul 2021 16:14:19 -0400 +Subject: [PATCH] ipatests: verify that getcert output includes the issued date + +certmonger 0.79.14 included a new feature that provides the +NotBefore (or issued) date to the certificate list output. + +Verify that it is present in the output. + +https://bugzilla.redhat.com/show_bug.cgi?id=1940261 + +Signed-off-by: Rob Crittenden +Reviewed-By: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_cert.py | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index b6bb2f08a..9a90db5e2 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -19,6 +19,7 @@ from ipaplatform.paths import paths + from cryptography import x509 + from cryptography.x509.oid import ExtensionOID + from cryptography.hazmat.backends import default_backend ++from pkg_resources import parse_version + + from ipatests.pytest_ipa.integration import tasks + from ipatests.test_integration.base import IntegrationTest +@@ -257,6 +258,16 @@ class TestInstallMasterClient(IntegrationTest): + raise AssertionError("certmonger request is " + "in state {}". format(status)) + ++ def test_getcert_notafter_output(self): ++ """Test that currrent certmonger includes NotBefore in output""" ++ result = self.master.run_command(["certmonger", "-v"]).stdout_text ++ if parse_version(result.split()[1]) < parse_version('0.79.14'): ++ raise pytest.skip("not_before not provided in this version") ++ result = self.master.run_command( ++ ["getcert", "list", "-f", paths.HTTPD_CERT_FILE] ++ ).stdout_text ++ assert 'issued:' in result ++ + + class TestCertmongerRekey(IntegrationTest): + +-- +2.31.1 + 
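Review bot: `raise pytest.skip(...)` is misleading: `pytest.skip()` raises by itself before the outer `raise` runs, so the idiomatic form is a bare `pytest.skip("not_before not provided in this version")` call. The method is named `test_getcert_notafter_output` but the docstring and the `issued:` assertion are about NotBefore; rename it to `test_getcert_notbefore_output` and fix `currrent` → `current` in the docstring. `result.split()[1]` assumes `certmonger -v` prints the version as the second whitespace-separated token, which deserves a comment such as `# "certmonger -v" is presumably "certmonger <version>"`, and since other tests in this series already use `tasks.parse_version`, that helper would avoid adding a `pkg_resources` import here.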
diff --git a/0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch b/0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch new file mode 100644 index 0000000..a231506 --- /dev/null +++ b/0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch @@ -0,0 +1,43 @@ +From 96dd8ac1cd2e7fb8177d83e7ba5c6d79f4216ea3 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Mon, 2 Aug 2021 19:26:28 +0530 +Subject: [PATCH] ipatests: Look for warning into stderr instead of stdout + +In https://github.com/freeipa/freeipa/pull/5855 was looking +into stdout_text for warning instead of stderr_text, hence +was failing for pki version > 10.11.0. + +related: https://pagure.io/freeipa/issue/8890 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_ipa_cert_fix.py | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index 394e85603..f3cf59afc 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -241,16 +241,14 @@ class TestIpaCertFix(IntegrationTest): + # check that pki-server cert-fix command fails + err_msg2 = ("ERROR: CalledProcessError(Command " + "['pki-server', 'cert-fix'") +- warn_msg = ("WARNING: No selftests configured in " +- f"{paths.CA_CS_CFG_PATH} " +- "(selftests.container.order.startup)") ++ warn_msg = "WARNING: No selftests configured in" + + if (tasks.get_pki_version(self.master) + < tasks.parse_version('10.11.0')): + assert (err_msg1 in result.stderr_text + and err_msg2 in result.stderr_text) + else: +- assert warn_msg in result.stdout_text ++ assert warn_msg in result.stderr_text + + def test_expired_CA_cert(self, expire_ca_cert): + """Test to check ipa-cert-fix when CA certificate is expired +-- +2.31.1 + 
diff --git a/0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch b/0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch new file mode 100644 index 0000000..56e1db3 --- /dev/null +++ b/0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch 
@@ -0,0 +1,56 @@ +From 9ae23e1257478bfee04b08b54f36dda7f5850348 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Thu, 5 Aug 2021 11:37:35 +0200 +Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tasks.create_active_user can fail in a subtle way when there +are two IPA servers due to replication delays. +Using the debug-enabled version of create_active_user helps +determine whether there is another underlying issue and, in +general, prevents the above problem. + +Fixes: https://pagure.io/freeipa/issue/8944 +Signed-off-by: François Cami +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_adtrust_install.py | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py +index bbbb385a5..f23221186 100644 +--- a/ipatests/test_integration/test_adtrust_install.py ++++ b/ipatests/test_integration/test_adtrust_install.py +@@ -257,8 +257,11 @@ class TestIpaAdTrustInstall(IntegrationTest): + user_princ = '@'.join([user, self.master.domain.realm]) + passwd = 'Secret123' + # Create a user with a password +- tasks.create_active_user(self.master, user, passwd, extra_args=[ +- '--homedir', '/home/{}'.format(user)]) ++ tasks.create_active_user( ++ self.master, user, passwd, ++ extra_args=["--homedir", "/home/{}".format(user)], ++ krb5_trace=True ++ ) + try: + # Defaults: host/... 
principal for service + # keytab in /etc/krb5.keytab +@@ -282,8 +285,11 @@ class TestIpaAdTrustInstall(IntegrationTest): + user_princ = '@'.join([user, self.master.domain.realm]) + passwd = 'Secret123' + # Create a user with a password +- tasks.create_active_user(self.master, user, passwd, extra_args=[ +- '--homedir', '/home/{}'.format(user)]) ++ tasks.create_active_user( ++ self.master, user, passwd, ++ extra_args=["--homedir", "/home/{}".format(user)], ++ krb5_trace=True ++ ) + try: + # Defaults: host/... principal for service + # keytab in /etc/krb5.keytab +-- +2.31.1 + diff --git a/0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch b/0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch new file mode 100644 index 0000000..f616c59 --- /dev/null +++ b/0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch 
@@ -0,0 +1,45 @@ +From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 5 Aug 2021 20:03:21 +0530 +Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat + tree. + +Added test to verify that ldapsearch for compat tree +with scope base and sub is not failing. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 + +Signed-off-by: Anuja More +Reviewed-By: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_commands.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index 2035ced56..e3a0d867e 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest): + # Run the command again after cache is removed + self.master.run_command(['ipa', 'user-show', 'ipauser1']) + ++ def test_basesearch_compat_tree(self): ++ """Test ldapsearch against compat tree is working ++ ++ This to ensure that ldapsearch with base scope is not failing. ++ ++ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 ++ """ ++ tasks.kinit_admin(self.master) ++ base_dn = str(self.master.domain.basedn) ++ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn) ++ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub') ++ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base') ++ + + class TestIPAautomount(IntegrationTest): + @classmethod +-- +2.31.1 + diff --git a/0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch b/0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch new file mode 100644 index 0000000..012b885 --- /dev/null +++ b/0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch 
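Review bot: `test_basesearch_compat_tree` only checks that the two `ldapsearch` invocations exit 0 and discards their output, so a compat tree that silently returns zero entries for the base-scope search would still pass, which by the test name and docstring is the very regression it is meant to catch. Capture the result and assert that an entry came back, e.g. `result = tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')` followed by `assert "dn: " in result.stdout_text` (assuming `ldapsearch_dm` returns the `run_command` result like the other `tasks` helpers; `dn:` only appears when an entry is returned, even with `-LLL`). `tasks.kinit_admin(self.master)` appears unused here, since `ldapsearch_dm` by its name binds as Directory Manager; if the intent is to exercise the compat tree as an ordinary GSSAPI client, which is how SSSD and legacy clients reach it, search with `-Y GSSAPI` after the kinit, otherwise drop the kinit so the test does not suggest coverage it does not have.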
@@ -0,0 +1,44 @@ +From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 5 Aug 2021 20:23:15 +0530 +Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora. + +slapi-nis with fix is not part of fedora yet. +test requires with fix: +https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177? + +Signed-off-by: Anuja More +Reviewed-By: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_commands.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index e3a0d867e..4d9a81652 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA + from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert + from ipapython.ipautil import realm_to_suffix, ipa_generate_password + from ipaserver.install.installutils import realm_to_serverid ++from pkg_resources import parse_version + + logger = logging.getLogger(__name__) + +@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest): + + related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 + """ ++ version = self.master.run_command( ++ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"] ++ ) ++ if tasks.get_platform(self.master) == "fedora" and parse_version( ++ version.stdout_text) <= parse_version("0.56.7"): ++ pytest.skip("Test requires slapi-nis with fix on fedora") + tasks.kinit_admin(self.master) + base_dn = str(self.master.domain.basedn) + base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn) +-- +2.31.1 + diff --git a/0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch b/0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch new file mode 100644 index 0000000..cbba6ba --- /dev/null 
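Review bot: The skip guard feeds `parse_version` the raw stdout of `rpm -qa --qf %{VERSION} slapi-nis`; `rpm -qa` exits 0 with empty output when the package is not installed, and `parse_version("")` then either raises (`InvalidVersion` with recent setuptools/packaging) or yields a `LegacyVersion` that sorts below `0.56.7`, so on a Fedora host without slapi-nis the test errors or skips instead of reporting the missing prerequisite. Because the format string has no trailing newline, `-qa` also concatenates the versions if more than one slapi-nis package is installed, producing a string like `0.56.70.56.7`. Comparing only `%{VERSION}` ignores `%{RELEASE}`, so a Fedora build that carries the slapi-nis fix as a downstream patch in 0.56.7-N would still be skipped; if that is acceptable it deserves a comment. Query with `rpm -q`, tolerate a non-zero exit, and handle the not-installed case explicitly:
```python
        result = self.master.run_command(
            ["rpm", "-q", "--qf", "%{VERSION}\n", "slapi-nis"],
            raiseonerr=False,
        )
        if tasks.get_platform(self.master) == "fedora":
            if result.returncode != 0:
                pytest.skip("Test requires slapi-nis installed on fedora")
            # first line only: -q prints one version per installed package
            installed = parse_version(result.stdout_text.split()[0])
            if installed <= parse_version("0.56.7"):
                pytest.skip("Test requires slapi-nis with fix on fedora")
        # … unchanged: kinit_admin and the two ldapsearch_dm calls …
```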
+++ b/0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch 
@@ -0,0 +1,89 @@ +From eac03d6828d0bac1925c897090fc77e250eaee04 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 5 Aug 2021 12:27:38 +0530 +Subject: [PATCH] ipatests: Refactor test_check_otpd_after_idle_timeout + +Use whole date when calling journalctl --since +ipa-otpd don't flush its logs to syslog immediately, +so check with run_repeatedly. +Also list failed units when ldap connection is +timed out. + +Related: https://pagure.io/freeipa/issue/6587 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_otp.py | 31 ++++++++++++++++----------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index fd55898ca..353470897 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -313,6 +313,13 @@ class TestOTPToken(IntegrationTest): + + @pytest.fixture + def setup_otp_nsslapd(self): ++ check_services = self.master.run_command( ++ ['systemctl', 'list-units', '--state=failed'] ++ ) ++ assert "0 loaded units listed" in check_services.stdout_text ++ assert "ipa-otpd" not in check_services.stdout_text ++ # Be sure no services are running and failed units ++ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) + # setting nsslapd-idletimeout + new_limit = 30 + conn = self.master.ldap_connect() +@@ -326,13 +333,6 @@ class TestOTPToken(IntegrationTest): + nsslapd-idletimeout: {limit} + """) + tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit)) +- # Be sure no services are running and failed units +- self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) +- check_services = self.master.run_command( +- ['systemctl', 'list-units', '--state=failed'] +- ) +- assert "0 loaded units listed" in check_services.stdout_text +- assert "ipa-otpd" not in check_services.stdout_text + yield + # cleanup + 
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit)) +@@ -346,7 +346,7 @@ class TestOTPToken(IntegrationTest): + Test to verify that when the nsslapd-idletimeout is exceeded (30s idle, + 60s sleep) then the ipa-otpd process should exit without error. + """ +- since = time.strftime('%H:%M:%S') ++ since = time.strftime('%Y-%m-%d %H:%M:%S') + tasks.kinit_admin(self.master) + otpuid, totp = add_otptoken(self.master, USER, otptype="totp") + try: +@@ -354,14 +354,19 @@ class TestOTPToken(IntegrationTest): + otpvalue = totp.generate(int(time.time())).decode("ascii") + kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) + time.sleep(60) ++ ++ def test_cb(cmd_jornalctl): ++ # check if LDAP connection is timed out ++ expected_msg = "Can't contact LDAP server" ++ return expected_msg in cmd_jornalctl ++ ++ # ipa-otpd don't flush its logs to syslog immediately ++ cmd = ['journalctl', '--since={}'.format(since)] ++ tasks.run_repeatedly( ++ self.master, command=cmd, test=test_cb, timeout=90) + failed_services = self.master.run_command( + ['systemctl', 'list-units', '--state=failed'] + ) + assert "ipa-otpd" not in failed_services.stdout_text +- cmd_jornalctl = self.master.run_command( +- ['journalctl', '--since={}'.format(since)] +- ) +- regex = r".*ipa-otpd@.*\sSucceeded" +- assert re.search(regex, cmd_jornalctl.stdout_text) + finally: + del_otptoken(self.master, otpuid) +-- +2.31.1 + diff --git a/freeipa.spec b/freeipa.spec index 2401eec..6e02ce1 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -196,7 +196,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 4%{?rc_version:.%rc_version}%{?dist}.1 +Release: 5%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
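Review bot: The new `test_cb` in `test_check_otpd_after_idle_timeout` searches the whole journal since `since` for `Can't contact LDAP server`, so any other unit that logs an LDAP failure in that window (sssd, for instance) satisfies the wait, and the test no longer ties the message to ipa-otpd at all now that the `ipa-otpd@.*\sSucceeded` check is gone. Scope the query to the daemon, e.g. `cmd = ['journalctl', '_COMM=ipa-otpd', '--since={}'.format(since)]`, so the match and the later `"ipa-otpd" not in failed_services` check talk about the same process. `since` is also produced with `time.strftime` on the test controller but interpreted by `journalctl` in the master's local time; with a timezone difference or clock skew between the two hosts the window can exclude the fresh entries or include a stale match from a previous run, so take the timestamp on the master instead: `since = self.master.run_command(['date', '+%Y-%m-%d %H:%M:%S']).stdout_text.strip()`. The test method starts before this hunk and the fixture's cleanup continues after its first hunk.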
@@ -236,6 +236,29 @@ Patch0017: 0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch Patch0018: 0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch Patch0019: 0019-rhel-platform-add-a-named-crypto-policy-support.patch Patch0020: 0020-Index-Fix-definition-for-memberOf.patch +Patch0021: 0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch +Patch0022: 0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch +Patch0023: 0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch +Patch0024: 0024-ipatests-test_installation-move-tracking_reqs-depend.patch +Patch0025: 0025-webui-tests-close-notification-when-revoking-cert.patch +Patch0026: 0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch +Patch0027: 0027-webui-tests-fix-algo-for-finding-available-idrange.patch +Patch0028: 0028-ipatests-smbclient-k-use-kerberos-desired.patch +Patch0029: 0029-test_acme-refactor-with-tasks.patch +Patch0030: 0030-test_acme-make-password-renewal-more-robust.patch +Patch0031: 0031-tasks.py-fix-flake8-reported-issues.patch +Patch0032: 0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch +Patch0033: 0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch +Patch0034: 0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch +Patch0035: 0035-ipa-getkeytab-fix-compiler-warnings.patch +Patch0036: 0036-ipatests-test-ipa-getkeytab-server-option.patch +Patch0037: 0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch +Patch0038: 0038-ipatests-verify-that-getcert-output-includes-the-iss.patch +Patch0039: 0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch +Patch0040: 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch +Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch +Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch +Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch Patch1001: 
1001-Change-branding-to-IPA-and-Identity-Management.patch %endif @@ -344,11 +367,18 @@ BuildRequires: python3-m2r # Build dependencies for lint and fastcheck # %if %{with lint} -BuildRequires: git -%if 0%{?fedora} < 34 + +# python3-pexpect might not be available in RHEL9 +%if 0%{?fedora} || 0%{?rhel} < 9 +BuildRequires: python3-pexpect +%endif + # jsl is orphaned in Fedora 34+ +%if 0%{?fedora} < 34 BuildRequires: jsl %endif + +BuildRequires: git BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm @@ -373,7 +403,6 @@ BuildRequires: python3-lxml BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-netifaces BuildRequires: python3-paste -BuildRequires: python3-pexpect BuildRequires: python3-pki >= %{pki_version} BuildRequires: python3-polib BuildRequires: python3-pyasn1 @@ -894,11 +923,11 @@ Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: iptables Requires: python3-cryptography >= 1.6 -Requires: python3-pexpect %if 0%{?fedora} # These packages do not exist on RHEL and for ipatests use # they are installed on the controller through other means Requires: ldns-utils +Requires: python3-pexpect # update-crypto-policies Requires: crypto-policies-scripts Requires: python3-polib 
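Review bot: The new condition `%if 0%{?fedora} || 0%{?rhel} < 9` is true whenever neither `%fedora` nor `%rhel` is defined (it reduces to `0 || 0 < 9`), so a rebuild on any other distribution gets the `python3-pexpect` BuildRequires back that the change is trying to make optional. If the intent is "Fedora, or RHEL older than 9", write `%if 0%{?fedora} || (0%{?rhel} && 0%{?rhel} < 9)`. The comment `# python3-pexpect might not be available in RHEL9` would be more useful as the rule being encoded, e.g. `# python3-pexpect is only pulled in on Fedora and RHEL < 9`, so the next reader can tell whether the condition still matches the distributions it targets.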
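Review bot: `Requires: python3-pexpect` now sits under the `%if 0%{?fedora}` block whose comment states `These packages do not exist on RHEL and for ipatests use they are installed on the controller through other means`, while the BuildRequires hunk above says only that the package `might not be available in RHEL9`; the two comments now give different reasons for the same package being conditional. Make the comment above the block cover the new member, e.g. `# Not available on (all) RHEL releases; for ipatests on RHEL these are installed on the controller through other means`, so a reader does not conclude python3-pexpect is absent on RHEL 8 as well.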
@@ -1717,6 +1746,35 @@ fi %endif %changelog +* Tue Aug 17 2021 Florence Blanc-Renaud - 4.9.6-5 +- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided + - ipa-getkeytab: add option to discover servers using DNS SRV + - ipa-getkeytab: fix compiler warnings + - ipatests: test ipa-getkeytab server option +- Resolves: rhbz#1986329 ipa-server install failure without DNS + - Fix ldapupdate.get_sub_dict() for missing named user +- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg + - freeipa.spec.in: remove python3-pexpect from Requires +- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests + - ipatests: use whole date when calling journalctl --since + - ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab + - ipatests: test_ipahealthcheck: print a message if a system is healthy + - ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency + - webui tests: close notification when revoking cert + - ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg + - webui tests: fix algo for finding available idrange + - ipatests: smbclient "-k" => "--use-kerberos=desired" + - test_acme: refactor with tasks + - test_acme: make password renewal more robust + - tasks.py: fix flake8-reported issues + - ipatests: Test for OTP when the LDAP connection timed out. + - ipatests: verify that getcert output includes the issued date + - ipatests: Look for warning into stderr instead of stdout + - ipatests: use krb5_trace in TestIpaAdTrustInstall + - ipatests: Test ldapsearch with base scope works with compat tree. + - ipatests: skip test_basesearch_compat_tree on fedora. + - ipatests: Refactor test_check_otpd_after_idle_timeout + * Mon Aug 09 2021 Mohan Boddu - 4.9.6-4.1 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688