ipa release 4.9.13-16

- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire Resolves: RHEL-4941 - Fix rpminspect's 'patches' warnings Resolves: RHEL-22497 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2025-03-31 14:18:24 -03:00 · 2025-03-31 14:18:24 -03:00 · 74fc7d8915
commit 74fc7d8915
parent f69a9dccaa
5 changed files with 116 additions and 29 deletions
--- a/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch
+++ b/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch
@ -43,9 +43,8 @@ index 06d511c76..dbb98dba6 100644

 #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60

-@@ -207,6 +208,19 @@ static const struct {
+@@ -207,5 +208,18 @@ static const struct {
     { "idp", IPADB_USER_AUTH_IDP },
-     { "passkey", IPADB_USER_AUTH_PASSKEY },
     { }
 +},
 +  objclass_table[] = {
--- a/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
+++ b/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
@ -50,7 +50,7 @@ diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-man
 index cebf73a..71851be 100644
 --- a/install/tools/ipa-replica-manage.in
 +++ b/install/tools/ipa-replica-manage.in
-@@ -1269,12 +1269,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
+@@ -1237,12 +1237,13 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
         repl.force_sync(repl.conn, fromhost)
     else:
         ds = dsinstance.DsInstance(realm_name=realm)
@ -62,9 +62,10 @@ index cebf73a..71851be 100644
         repl.wait_for_repl_update(repl.conn, agreement.dn)
 -        ds.replica_manage_time_skew(prevent=True)
 +        ds.replica_revert_time_skew()
- 
+

 def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
+                     nolookup=False):
 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
 index 35cec89..e15e629 100644
 --- a/ipaserver/install/cainstance.py
--- a/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch
+++ b/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch
@ -0,0 +1,82 @@
+From ac6eee670d8a753e66ba69a65eff55447fff2822 Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov <asharov@redhat.com>
+Date: Mar 25 2025 09:33:06 +0000
+Subject: Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired.
+
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+
+---
+
+diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
+index 8e02d1e..960d7b9 100644
+--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
+@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
+ 
+ 
+ cert_nicknames = {
+    'ca_issuing': 'caSigningCert cert-pki-ca',
+     'sslserver': 'Server-Cert cert-pki-ca',
+     'subsystem': 'subsystemCert cert-pki-ca',
+     'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
+@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
+             print("Nothing to do.")
+             return 0
+ 
+        if any(key == 'ca_issuing' for key, _ in certs):
+            logger.debug("CA signing cert is expired, exiting!")
+            print(
+                "The CA signing certificate is expired or will expire within "
+                "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+                "refer to the ipa-cacert-manage tool to renew the CA "
+                "certificate before proceeding."
+            )
+            return 1
+
+         print(msg)
+ 
+         print_intentions(certs, extra_certs, non_renewed)
+
+From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov <asharov@redhat.com>
+Date: Mar 25 2025 18:03:54 +0000
+Subject: Test fix for the update
+
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 15d8a81..d11fd3d 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
+         valid. If CA cert expired, ipa-cert-fix won't work.
+ 
+         related: https://pagure.io/freeipa/issue/8721
+
+        If CA cert is close to expiry, there's no reason to issue new certs
+        with short validity period. So, ipa-cert-fix should fail in this case.
+
+        related: https://pagure.io/freeipa/issue/9760
+         """
+         result = self.master.run_command(['ipa-cert-fix', '-v'],
+                                          stdin_text='yes\n',
+                                          raiseonerr=False)
+         # check that pki-server cert-fix command fails
+-        err_msg = ("ERROR: CalledProcessError(Command "
+-                   "['pki-server', 'cert-fix'")
+        err_msg = ("CA signing cert is expired, exiting!")
+        assert result.returncode == 1
+         assert err_msg in result.stderr_text
+ 
+ 
+
--- a/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
+++ b/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -32,7 +32,7 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
 index 7d21367ec..42a47f1df 100644
 --- a/ipaplatform/base/paths.py
 +++ b/ipaplatform/base/paths.py
-@@ -259,7 +259,6 @@ class BasePathNamespace:
+@@ -258,8 +258,7 @@ class BasePathNamespace:
     IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
     IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
     IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
@ -41,6 +41,7 @@ index 7d21367ec..42a47f1df 100644
 -    DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
     GETSEBOOL = "/usr/sbin/getsebool"
     GROUPADD = "/usr/sbin/groupadd"
+     USERMOD = "/usr/sbin/usermod"
 diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
 index 4e993c063..92a948966 100644
 --- a/ipaplatform/fedora/paths.py
--- a/ipa.spec
+++ b/ipa.spec
@ -190,7 +190,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        15%{?rc_version:.%rc_version}%{?dist}
+Release:        16%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -246,6 +246,7 @@ Patch0034:      0034-Add-ipa-idrange-fix_rhel#56920.patch
 Patch0035:      0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch
 Patch0036:      0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch
 Patch0037:      0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch
+Patch0038:      0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch
 %if 0%{?rhel} >= 8
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -1009,10 +1010,7 @@ for i in *.po ; do
 done
 popd

-for p in %patches ; do
-    %__patch -p1 -i $p
-    UpdateTimestamps -p1 $p
-done
+%autopatch -p1 -q

 %build
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
@ -1763,6 +1761,12 @@ fi
 %endif

 %changelog
+* Mon Mar 31 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-16
+- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire
+  Resolves: RHEL-4941
+- Fix rpminspect's 'patches' warnings
+  Resolves: RHEL-22497
+
 * Mon Mar 10 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-15
 - Replica CA installation: ignore skew during initial replication
  Resolves RHEL-80995