Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/freeipa.git#41b946dfeb35544f4011cf5777ba33fd98d11f72

.gitignore

@@ -0,0 +1,98 @@
+/freeipa-2.0.0GIT442d6ad.tar.gz
+/freeipa-2.0.0.pre2.tar.gz
+/freeipa-2.0.0.rc1.tar.gz
+/freeipa-2.0.0.rc2.tar.gz
+/freeipa-2.0.0.tar.gz
+/freeipa-2.0.1.tar.gz
+/freeipa-2.1.0.tar.gz
+/freeipa-2.1.2.tar.gz
+/freeipa-2.1.2-2.1.3.patch.gz
+/freeipa-2.1.3-systemd.patch.gz
+/freeipa-2.1.3.tar.gz
+/freeipa-2.1.3-wait_for_socket.patch.gz
+/freeipa-2.1.4.tar.gz
+/freeipa-2.1.90.pre1.tar.gz
+/freeipa-2.1.90.rc1.tar.gz
+/freeipa-2.2.0.tar.gz
+/freeipa-3.0.0.pre1.tar.gz
+/freeipa-3.0.0.pre2.tar.gz
+/freeipa-3.0.0.rc1.tar.gz
+/freeipa-3.0.0.rc2.tar.gz
+/freeipa-3.0.0.tar.gz
+/freeipa-3.1.0.tar.gz
+/freeipa-3.1.2.tar.gz
+/freeipa-3.2.0.pre1.tar.gz
+/freeipa-3.2.0.tar.gz
+/freeipa-3.2.2.tar.gz
+/freeipa-3.3.0.tar.gz
+/freeipa-3.3.1.tar.gz
+/freeipa-3.3.3.tar.gz
+/freeipa-3.3.4.tar.gz
+/freeipa-3.3.5.tar.gz
+/freeipa-4.0.0.tar.gz
+/freeipa-4.0.1.tar.gz
+/freeipa-4.0.2.tar.gz
+/freeipa-4.0.3.tar.gz
+/freeipa-4.1.0.tar.gz
+/freeipa-4.1.1.tar.gz
+/freeipa-4.1.2.tar.gz
+/freeipa-4.1.3.tar.gz
+/freeipa-4.1.4.tar.gz
+/freeipa-4.2.1.tar.gz
+/freeipa-4.2.2.tar.gz
+/freeipa-4.2.3.tar.gz
+/freeipa-4.3.0.tar.gz
+/freeipa-4.3.1.tar.gz
+/freeipa-4.3.2.tar.gz
+/freeipa-4.4.1.tar.gz
+/freeipa-4.4.2.tar.gz
+/freeipa-4.4.3.tar.gz
+/freeipa-4.4.4.tar.gz
+/freeipa-4.4.4.tar.gz.asc
+/freeipa-4.5.1.tar.gz
+/freeipa-4.5.1.tar.gz.asc
+/freeipa-4.5.2.tar.gz
+/freeipa-4.5.2.tar.gz.asc
+/freeipa-4.5.3.tar.gz
+/freeipa-4.5.3.tar.gz.asc
+/freeipa-4.6.0.tar.gz
+/freeipa-4.6.0.tar.gz.asc
+/freeipa-4.6.1.tar.gz
+/freeipa-4.6.1.tar.gz.asc
+/freeipa-4.6.3.tar.gz
+/freeipa-4.6.3.tar.gz.asc
+/freeipa-4.6.90.pre1-1.fc29.src.rpm
+/freeipa-4.6.90.pre1.tar.gz
+/freeipa-4.6.90.pre1.tar.gz.asc
+/freeipa-4.6.90.pre2.tar.gz
+/freeipa-4.6.90.pre2.tar.gz.asc
+/freeipa-4.7.0.tar.gz
+/freeipa-4.7.0.tar.gz.asc
+/freeipa-4.7.1.tar.gz
+/freeipa-4.7.1.tar.gz.asc
+/freeipa-4.7.2.tar.gz
+/freeipa-4.7.2.tar.gz.asc
+/freeipa-4.7.90.pre1.tar.gz
+/freeipa-4.7.90.pre1.tar.gz.asc
+/freeipa-4.8.0.tar.gz
+/freeipa-4.8.0.tar.gz.asc
+/freeipa-4.8.1.tar.gz
+/freeipa-4.8.1.tar.gz.asc
+/freeipa-4.8.2.tar.gz
+/freeipa-4.8.2.tar.gz.asc
+/freeipa-4.8.3.tar.gz
+/freeipa-4.8.3.tar.gz.asc
+/freeipa-4.8.4.tar.gz
+/freeipa-4.8.4.tar.gz.asc
+/freeipa-4.8.5.tar.gz
+/freeipa-4.8.5.tar.gz.asc
+/freeipa-4.8.6.tar.gz
+/freeipa-4.8.6.tar.gz.asc
+/freeipa-4.8.7.tar.gz
+/freeipa-4.8.7.tar.gz.asc
+/freeipa-4.8.9.tar.gz
+/freeipa-4.8.9.tar.gz.asc
+/freeipa-4.8.10.tar.gz
+/freeipa-4.8.10.tar.gz.asc
+/freeipa-4.9.0rc1.tar.gz
+/freeipa-4.9.0rc1.tar.gz.asc

5212.patch

@@ -0,0 +1,56 @@
+From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 28 Oct 2020 10:34:31 -0400
+Subject: [PATCH] New validation efforts in 389-ds-base require that the
+ backend entry for a database be created before the mapping tree entry. This
+ enforces that the mapping tree entry (the suffix) actually belongs to an
+ existing backend.
+
+For IPA we simply need to reverse the order of the backend vs mapping tree
+creation in cainstance.py -> __create_ds_db()
+
+Fixes: https://pagure.io/freeipa/issue/8558
+---
+ ipaserver/install/cainstance.py | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index fca829de094..1c2fab1dffb 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
+         backend = 'ipaca'
+         suffix = DN(('o', 'ipaca'))
+ 
+-        # replication
+-        dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+-        entry = api.Backend.ldap2.make_entry(
+-            dn,
+-            objectclass=["top", "extensibleObject", "nsMappingTree"],
+-            cn=[suffix],
+-        )
+-        entry['nsslapd-state'] = ['Backend']
+-        entry['nsslapd-backend'] = [backend]
+-        api.Backend.ldap2.add_entry(entry)
+-
+         # database
+         dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
+                 ('cn', 'config'))
+@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
+         entry['nsslapd-suffix'] = [suffix]
+         api.Backend.ldap2.add_entry(entry)
+ 
++        # replication
++        dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
++        entry = api.Backend.ldap2.make_entry(
++            dn,
++            objectclass=["top", "extensibleObject", "nsMappingTree"],
++            cn=[suffix],
++        )
++        entry['nsslapd-state'] = ['Backend']
++        entry['nsslapd-backend'] = [backend]
++        api.Backend.ldap2.add_entry(entry)
++
+     def __setup_replication(self):
+         repl = replication.CAReplicationManager(self.realm, self.fqdn)
+         repl.setup_cs_replication(self.master_host)

5273.patch

@@ -0,0 +1,107 @@
+From 87813eb6404ae0aa15b95b1af788db0d37e2efa5 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 18 Nov 2020 12:35:38 +0200
+Subject: [PATCH] util: Fix client-only build
+
+Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
+client-only build as util/ipa_pwd.c unconditionally includes
+pwquality.h.
+
+Make sure we define USE_PWQUALITY in the full server configuration and
+if that one is defined, include libpwquality use.
+
+Fixes: https://pagure.io/freeipa/issue/8587
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ configure.ac     |  4 +++-
+ util/Makefile.am | 10 +++++++---
+ util/ipa_pwd.c   |  9 ++++++++-
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ef1a1c6867e..5d04d446e0a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -117,7 +117,9 @@ dnl ---------------------------------------------------------------------------
+ dnl - Check for pwquality library
+ dnl ---------------------------------------------------------------------------
+ AM_COND_IF([ENABLE_SERVER], [
+-	PKG_CHECK_MODULES([PWQUALITY], [pwquality])
++	PKG_CHECK_MODULES([PWQUALITY], [pwquality],
++		[AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
++	)
+ ])
+ 
+ dnl ---------------------------------------------------------------------------
+diff --git a/util/Makefile.am b/util/Makefile.am
+index 5e21c098f14..b3803777809 100644
+--- a/util/Makefile.am
++++ b/util/Makefile.am
+@@ -21,7 +21,11 @@ libutil_la_SOURCES = \
+ 
+ libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
+ 
+-check_PROGRAMS = t_pwd t_policy
+-TESTS = $(check_PROGRAMS)
++check_PROGRAMS = t_pwd
+ t_pwd_LDADD = libutil.la
+-t_policy_LDADD = libutil.la 
++if ENABLE_SERVER
++check_PROGRAMS += t_policy
++t_policy_LDADD = libutil.la
++endif
++
++TESTS = $(check_PROGRAMS)
+diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
+index dbff5ef1cba..8fa413c69cf 100644
+--- a/util/ipa_pwd.c
++++ b/util/ipa_pwd.c
+@@ -23,6 +23,7 @@
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
++#include "config.h"
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -31,7 +32,9 @@
+ #include <syslog.h>
+ #include <unistd.h>
+ #include <errno.h>
++#if defined(USE_PWQUALITY)
+ #include <pwquality.h>
++#endif
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
+ #include <openssl/sha.h>
+@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
+ {
+     int pwdlen, blen;
+     int ret;
++#if defined(USE_PWQUALITY)
+     pwquality_settings_t *pwq;
+     int check_pwquality = 0;
+-    int entropy;
++    int entropy = 0;
+     char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
+     void *auxerror;
++#endif
+ 
+     if (!policy || !password) {
+         return IPAPWD_POLICY_ERROR;
+@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
+         }
+     }
+ 
++#if defined(USE_PWQUALITY)
+     /* Only call into libpwquality if at least one setting is made
+      * because there are a number of checks that don't have knobs
+      * so preserve the previous behavior.
+@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
+ #endif
+         }
+     }
++#endif /* USE_PWQUALITY */
+ 
+     if (pwd_history) {
+         char *hash;

dead.package

@@ -1 +0,0 @@
-2014-06-04 - This package was already retired in pkgdb/blocked in koji, but no dead.package file existed. The original retirement reason is unclear.

freeipa-4.8.10-systemd-resolved-configuration.patch

@@ -0,0 +1,74 @@
+From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 28 Sep 2020 12:00:01 +0200
+Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
+
+systemd-resolved runs as user systemd-resolve. Ensure that
+resolved.conf.d drop-in directory is accessible when installer runs with
+restricted umask. Also ensure the file and directory has correct SELinux
+context.
+
+The parent directory /etc/systemd exists on all platforms.
+
+Fixes: https://pagure.io/freeipa/issue/8275
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ ipaplatform/base/tasks.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index a39857e869..adf320b700 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+             from ipaplatform.services import knownservices
+ 
+             confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
+-            os.makedirs(confd, exist_ok=True)
++            if not os.path.isdir(confd):
++                os.mkdir(confd)
++                # owned by root, readable by systemd-resolve user
++                os.chmod(confd, 0o755)
++                tasks.restore_context(confd, force=True)
+ 
+             cfg = RESOLVE1_IPA_CONF.format(
+                 searchdomains=" ".join(searchdomains)
+@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+                 os.fchmod(f.fileno(), 0o644)
+                 f.write(cfg)
+ 
++            tasks.restore_context(
++                paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
++            )
++
+             knownservices["systemd-resolved"].reload_or_restart()
+ 
+     def unconfigure_dns_resolver(self, fstore=None):
+
+From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 28 Sep 2020 12:29:00 +0200
+Subject: [PATCH 2/2] Also backup DNS config drop-ins
+
+/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
+files were not backed up.
+
+Related: https://pagure.io/freeipa/issue/8275
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ ipaserver/install/ipa_backup.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
+index 39347643d3..d472990afe 100644
+--- a/ipaserver/install/ipa_backup.py
++++ b/ipaserver/install/ipa_backup.py
+@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
+         paths.GSSPROXY_CONF,
+         paths.HOSTS,
+         paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
++        paths.NETWORK_MANAGER_IPA_CONF,
++        paths.SYSTEMD_RESOLVED_IPA_CONF,
+     ) + tuple(
+         os.path.join(paths.IPA_NSSDB_DIR, file)
+         for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)

freeipa-4.8.10-systemd-resolved-selinux-fixes.patch

@@ -0,0 +1,36 @@
+From 8b2002cc7e2e0400e1afa3a21963a22947c7a908 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 29 Sep 2020 10:39:01 +0200
+Subject: [PATCH] configure_dns_resolver: call self.restore_context
+
+Use the platform implementation of restore_context() instead of the base
+implementation.
+
+Fixes: https://pagure.io/freeipa/issue/8518
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ ipaplatform/base/tasks.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index adf320b700..4387e0e12f 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -340,7 +340,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+                 os.mkdir(confd)
+                 # owned by root, readable by systemd-resolve user
+                 os.chmod(confd, 0o755)
+-                tasks.restore_context(confd, force=True)
++                self.restore_context(confd, force=True)
+ 
+             cfg = RESOLVE1_IPA_CONF.format(
+                 searchdomains=" ".join(searchdomains)
+@@ -349,7 +349,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+                 os.fchmod(f.fileno(), 0o644)
+                 f.write(cfg)
+ 
+-            tasks.restore_context(
++            self.restore_context(
+                 paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
+             )
+ 

freeipa-4.8.10-systemd-resolved.patch

@@ -0,0 +1,37 @@
+From f9900ef2401070351353724ef92111ec541e67f0 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sat, 26 Sep 2020 16:30:58 +0300
+Subject: [PATCH] Pre-populate IP addresses for the name server upgrades
+
+Setting up resolv.conf in BIND instance expects IP addresses of the
+server to be provided. This is done wiht BindInstance.setup() method
+call. However, when reusing resolver setup during upgrade BIND instance
+has no IP addresses configured and fails with an assert in
+tasks.configure_dns_resolver().
+
+Pass through the server's IP addresses during upgrade.
+
+Fixes: https://pagure.io/freeipa/issue/8518
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/server/upgrade.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 332f8b251..144b340a4 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1451,6 +1451,9 @@ def upgrade_bind(fstore):
+     # resolve1's stub resolver config file.
+     has_resolved_ipa_conf = os.path.isfile(paths.SYSTEMD_RESOLVED_IPA_CONF)
+     if not has_resolved_ipa_conf and detect_resolve1_resolv_conf():
++        ip_addresses = installutils.get_server_ip_address(
++            api.env.host, True, False, [])
++        bind.ip_addresses = ip_addresses
+         bind.setup_resolv_conf()
+         logger.info("Updated systemd-resolved configuration")
+ 
+-- 
+2.28.0
+

freeipa-4.8.9-support-older-installations.patch

@@ -0,0 +1,282 @@
+From 071e283b19e925bea596a25b4758ab2cbc657914 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 11 Aug 2020 10:47:05 -0400
+Subject: [PATCH 1/3] Fall back to old server installation detection when
+ needed
+
+If there is no installation section the the install pre-dated
+this new method of detecting a successful installation, fall back
+to that.
+
+https://pagure.io/freeipa/issue/8458
+
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ ipalib/facts.py                     | 31 ++++++++++++++++++++++++++++-
+ ipaserver/install/installutils.py   |  4 ----
+ ipaserver/install/server/install.py |  3 ++-
+ ipaserver/install/server/upgrade.py |  7 +++++--
+ 4 files changed, 37 insertions(+), 8 deletions(-)
+
+diff --git a/ipalib/facts.py b/ipalib/facts.py
+index 5106fc2ac5..d78c1a2275 100644
+--- a/ipalib/facts.py
++++ b/ipalib/facts.py
+@@ -6,17 +6,46 @@
+ Facts about the installation
+ """
+ 
++import logging
+ import os
+ from . import sysrestore
+ from ipaplatform.paths import paths
+ 
++logger = logging.getLogger(__name__)
++
++# Used to determine install status
++IPA_MODULES = [
++    'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
++
+ 
+ def is_ipa_configured():
+     """
+     Use the state to determine if IPA has been configured.
+     """
+     sstore = sysrestore.StateFile(paths.SYSRESTORE)
+-    return sstore.get_state('installation', 'complete')
++    if sstore.has_state('installation'):
++        return sstore.get_state('installation', 'complete')
++
++    # Fall back to older method in case this is an existing installation
++
++    installed = False
++
++    fstore = sysrestore.FileStore(paths.SYSRESTORE)
++
++    for module in IPA_MODULES:
++        if sstore.has_state(module):
++            logger.debug('%s is configured', module)
++            installed = True
++        else:
++            logger.debug('%s is not configured', module)
++
++    if fstore.has_files():
++        logger.debug('filestore has files')
++        installed = True
++    else:
++        logger.debug('filestore is tracking no files')
++
++    return installed
+ 
+ 
+ def is_ipa_client_configured(on_master=False):
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 583b1aca0b..13baf494cd 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -63,10 +63,6 @@
+ 
+ logger = logging.getLogger(__name__)
+ 
+-# Used to determine install status
+-IPA_MODULES = [
+-    'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
+-
+ 
+ class BadHostError(Exception):
+     pass
+diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
+index b86c3fec15..4d8e3ad78f 100644
+--- a/ipaserver/install/server/install.py
++++ b/ipaserver/install/server/install.py
+@@ -37,13 +37,14 @@
+     validate_domain_name,
+     no_matching_interface_for_ip_address_warning,
+ )
++from ipalib.facts import IPA_MODULES
+ from ipaserver.install import (
+     adtrust, adtrustinstance, bindinstance, ca, dns, dsinstance,
+     httpinstance, installutils, kra, krbinstance,
+     otpdinstance, custodiainstance, replication, service,
+     sysupgrade)
+ from ipaserver.install.installutils import (
+-    IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
++    BadHostError, get_fqdn, get_server_ip_address,
+     load_pkcs12, read_password, verify_fqdn, update_hosts_file,
+     validate_mask)
+ 
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index f0d9b746cd..109d1e100e 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1455,8 +1455,11 @@ def upgrade_configuration():
+     fstore = sysrestore.FileStore(paths.SYSRESTORE)
+     sstore = sysrestore.StateFile(paths.SYSRESTORE)
+ 
+-    if is_ipa_configured() is None:
+-        sstore.backup_state('installation', 'complete', True)
++    if not sstore.has_state('installation'):
++        if is_ipa_configured():
++            sstore.backup_state('installation', 'complete', True)
++        else:
++            sstore.backup_state('installation', 'complete', False)
+ 
+     fqdn = api.env.host
+ 
+
+From 7d84d919a8f5767ade1dcc380ce4eebadac6a8b5 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 11 Aug 2020 11:12:55 -0400
+Subject: [PATCH 2/3] Use is_ipa_configured from ipalib.facts
+
+A couple of places still used the deprecated installutils version.
+
+https://pagure.io/freeipa/issue/8458
+
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ ipaserver/install/installutils.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 13baf494cd..a3274d5797 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -665,7 +665,7 @@ def check_server_configuration():
+     Most convenient use case for the function is in install tools that require
+     configured IPA for its function.
+     """
+-    if not is_ipa_configured():
++    if not facts.is_ipa_configured():
+         raise ScriptError("IPA is not configured on this system.",
+                           rval=SERVER_NOT_CONFIGURED)
+ 
+
+From 36ecfdbfe4ceedcfe056816cbb22162842fae975 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 11 Aug 2020 13:55:54 -0400
+Subject: [PATCH 3/3] ipatests: Add test for is_ipa_configured
+
+Validate that is_ipa_configured() returns True when using either
+the original and the new configuration methods. This will allow
+older installs to successfully upgrade.
+
+https://pagure.io/freeipa/issue/8458
+
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ .../test_integration/test_installation.py     | 88 +++++++++++++++++++
+ 1 file changed, 88 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index fb19900838..98bdc98ab8 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -21,6 +21,7 @@
+ 
+ from ipalib import x509
+ from ipalib.constants import DOMAIN_LEVEL_0
++from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
+ from ipapython.dn import DN
+ from ipaplatform.constants import constants
+ from ipaplatform.osinfo import osinfo
+@@ -357,6 +358,93 @@ def test_ipa_ca_crt_permissions(self):
+         assert owner == "root"
+         assert group == "root"
+ 
++    def test_is_ipa_configured(self):
++        """Verify that the old and new methods of is_ipa_installed works
++
++           If there is an installation section then it is the status.
++
++           If not then it will fall back to looking for configured
++           services and files and use that for determination.
++        """
++        def set_installation_state(host, state):
++            """
++            Update the complete value in the installation section
++            """
++            host.run_command(
++                ['python3', '-c',
++                 'from ipalib.install import sysrestore; '
++                 'from ipaplatform.paths import paths;'
++                 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
++                 'sstore.backup_state("installation", "complete", '
++                 '{state})'.format(state=state)])
++
++        def get_installation_state(host):
++            """
++            Retrieve the installation state from new install method
++            """
++            result = host.run_command(
++                ['python3', '-c',
++                 'from ipalib.install import sysrestore; '
++                 'from ipaplatform.paths import paths;'
++                 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
++                 'print(sstore.get_state("installation", "complete"))'])
++            return result.stdout_text.strip()  # a string
++
++        # This comes from freeipa.spec and is used to determine whether
++        # an upgrade is required.
++        cmd = ['python3', '-c',
++               'import sys; from ipalib import facts; sys.exit(0 '
++               'if facts.is_ipa_configured() else 1);']
++
++        # This will use the new method since this is a fresh install,
++        # verify that it is true.
++        self.master.run_command(cmd)
++        assert get_installation_state(self.master) == 'True'
++
++        # Set complete to False which should cause the command to fail
++        # This tests the state of a failed or in-process installation.
++        set_installation_state(self.master, False)
++        result = self.master.run_command(cmd, raiseonerr=False)
++        assert result.returncode == 1
++        set_installation_state(self.master, True)
++
++        # Tweak sysrestore.state to drop installation section
++        self.master.run_command(
++            ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
++             os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
++
++        # Re-run installation check and it should fall back to old method
++        # and be successful.
++        self.master.run_command(cmd)
++        assert get_installation_state(self.master) == 'None'
++
++        # Restore installation section.
++        self.master.run_command(
++            ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
++             os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
++
++        # Uninstall and confirm that the old method reports correctly
++        # on uninstalled servers. It will exercise the old method since
++        # there is no state.
++        tasks.uninstall_master(self.master)
++
++        # ensure there is no stale state
++        result = self.master.run_command(r'test -f {}'.format(
++            os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)),
++            raiseonerr=False
++        )
++        assert result.returncode == 1
++        result = self.master.run_command(r'test -f {}'.format(
++            os.path.join(paths.SYSRESTORE, SYSRESTORE_INDEXFILE)),
++            raiseonerr=False
++        )
++        assert result.returncode == 1
++
++        # Now run is_ipa_configured() and it should be False
++        result = self.master.run_command(cmd, raiseonerr=False)
++        assert result.returncode == 1
++
++
+ class TestInstallWithCA_KRA1(InstallTestBase1):
+ 
+     @classmethod

sources

@@ -0,0 +1,2 @@
+SHA512 (freeipa-4.9.0rc1.tar.gz) = 384ac0163f3977311ef523a6ed71ac8ceb33347d44f89763583e97e8e50eed2f9ec94e32f23dc8d9514c8e7e26d03ae859d045e9a1dd17b3f0cdd0fced82d464
+SHA512 (freeipa-4.9.0rc1.tar.gz.asc) = 2be55c28456c07104bb45984d2c6d804730e90172e9288b21ae45dc5542fceddbb621b96c3e3e5e2b613ebfa55c792727adfb43b349d2069d150f42067c91bf2