From 7eef088ee03ec628bf1c6f26bdc36ef7a0ba1691 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 29 Apr 2019 23:01:26 +0300 Subject: [PATCH] Update spec file --- freeipa.spec | 119 +++++++++++++++++---------------------------------- 1 file changed, 40 insertions(+), 79 deletions(-) diff --git a/freeipa.spec b/freeipa.spec index 0687ce9..190e9b4 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -64,13 +64,16 @@ %global selinux_policy_version 3.14.1-14 %global slapi_nis_version 0.56.1-4 %global python_ldap_version 3.1.0-1 +# python3-lib389 # Fix for "Installation fails: Replica Busy" -# https://bugzilla.redhat.com/show_bug.cgi?id=1598478 -%global ds_version 1.3.8.4-15 +# https://pagure.io/389-ds-base/issue/49818 +%global ds_version 1.4.0.16 + %else # Fedora %global package_name freeipa %global alt_name ipa +# Fix for CVE-2018-20217 %global krb5_version 1.17 %global krb5_kdb_version 7.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 @@ -83,12 +86,9 @@ # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 %global python_ldap_version 3.1.0-1 - -# Fix for "Crash when failing to read from SASL connection" -# https://pagure.io/389-ds-base/issue/49639 -# Fix for "Installation fails: Replica Busy" -# https://pagure.io/389-ds-base/issue/49818 -%global ds_version 1.4.0.16-1 +# Fix for create suffix +# https://pagure.io/389-ds-base/issue/49984 +%global ds_version 1.4.1.1 # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. # Some packages don't provide new dist aliases. 
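Review bot: The added `# Fix for CVE-2018-20217` comment sits only above the Fedora-branch `%global krb5_version 1.17`, after `%else # Fedora`. The krb5 floor for the branch before `%else` is outside this hunk, so it is not visible whether that branch also requires a build carrying the fix. If the CVE is the reason for the floor, the other branch should carry the same comment and a matching minimum. Separately, the new `# python3-lib389` line above the first `ds_version` does not say what it constrains; either expand it into a sentence or drop it.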
@@ -97,19 +97,24 @@ %endif # Fedora -# Require Dogtag PKI 10.6.7-3 which fixes UpdateNumberRange clone -# installation issue; https://pagure.io/freeipa/issue/7654 +# Require Dogtag PKI 10.6.8-3 (10.6.7 was never pushed to stable) +# 10.6.7 fixes UpdateNumberRange clone installation issue +# https://pagure.io/freeipa/issue/7654 and empty token issue # and https://pagure.io/dogtagpki/issue/3073 -%global pki_version 10.6.7-3 +%global pki_version 10.6.8-3 -# NSS release with fix for CKA_LABEL import bug in shared SQL database. -# https://bugzilla.redhat.com/show_bug.cgi?id=1568271 -%global nss_version 3.36.1-1.1 +# https://pagure.io/certmonger/issue/90 +%global certmonger_version 0.79.7-1 -# One-Way Trust authenticated by trust secret -# https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20 -# Also, PYSSS: Re-add the pysss.getgrouplist() interface -%global sssd_version 2.0.0-4 +# NSS release with fix for p11-kit-proxy issue, affects F28 +# https://pagure.io/freeipa/issue/7810 +%if 0%{?fedora} == 28 +%global nss_version 3.41.0-3 +%else +%global nss_version 3.41.0-1 +%endif + +%global sssd_version 2.1.0-2 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') @@ -189,7 +194,6 @@ BuildRequires: python3-lesscpy >= 0.13.0-2 # # Build dependencies for makeapi/makeaci # -%if %{with_default_python} == 3 BuildRequires: python3-cffi BuildRequires: python3-dns BuildRequires: python3-ldap >= %{python_ldap_version} 
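Review bot: The new `%global sssd_version 2.1.0-2` has no comment saying which fix or interface the floor is for, while the pki, certmonger and nss floors in this hunk each carry a tracker link. The old rationale lines are removed, so a later maintainer cannot tell whether the floor may be relaxed on a backport. Add a one-line comment above it, e.g. `# <reason for 2.1.0-2 and tracker URL>`. The rewritten pki comment also reads "and empty token issue" followed by "# and https://pagure.io/dogtagpki/issue/3073"; the doubled "and" makes it unclear which URL belongs to which issue.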
@@ -198,16 +202,6 @@ BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-six -%else -BuildRequires: python2-cffi -BuildRequires: python2-dns -BuildRequires: python2-ldap >= %{python_ldap_version} -BuildRequires: python2-libsss_nss_idmap -BuildRequires: python2-netaddr >= %{python_netaddr_version} -BuildRequires: python2-pyasn1 -BuildRequires: python2-pyasn1-modules -BuildRequires: python2-six -%endif # # Build dependencies for wheel packaging and PyPI upload @@ -229,6 +223,7 @@ BuildRequires: python3-wheel # %if 0%{?with_lint} BuildRequires: jsl +BuildRequires: rpmlint BuildRequires: softhsm BuildRequires: python3-augeas @@ -297,15 +292,9 @@ Summary: The IPA authentication server Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -%if %{with_default_python} == 3 Requires: python3-ipaserver = %{version}-%{release} Requires: python3-ldap >= %{python_ldap_version} -%else -Requires: python2-ipaserver = %{version}-%{release} -Requires: python2-ldap >= %{python_ldap_version} -%endif Requires: 389-ds-base >= %{ds_version} -Requires: 389-ds-base-legacy-tools >= %{ds_version} Requires: openldap-clients > 2.4.35-4 Requires: nss >= %{nss_version} Requires: nss-tools >= %{nss_version} @@ -315,19 +304,11 @@ Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: httpd >= 2.4.6-31 -%if %{with_default_python} == 3 Requires(preun): python3 Requires(postun): python3 Requires: python3-gssapi >= 1.2.0-5 Requires: python3-systemd Requires: python3-mod_wsgi -%else -Requires(preun): python2 -Requires(postun): python2 -Requires: python2-gssapi >= 1.2.0-5 -Requires: python2-systemd -Requires: mod_wsgi -%endif Requires: mod_auth_gssapi >= 1.5.0 Requires: mod_ssl Requires: mod_session 
@@ -341,17 +322,13 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -# jss is an indirect dependency. 4.4.5 fixes sub CA replication bug, -# see https://pagure.io/freeipa/issue/7536 -# see https://pagure.io/freeipa/issue/7590 -Requires: jss >= 4.4.5-1 Requires: pki-ca >= %{pki_version} Requires: pki-kra >= %{pki_version} Requires(preun): systemd-units Requires(postun): systemd-units Requires: policycoreutils >= 2.1.12-5 Requires: tar -Requires(pre): certmonger >= 0.79.5-1 +Requires(pre): certmonger >= %{certmonger_version} Requires(pre): 389-ds-base >= %{ds_version} Requires: fontawesome-fonts Requires: open-sans-fonts @@ -395,10 +372,6 @@ BuildArch: noarch %{?python_provide:%python_provide python3-ipaserver} Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -%if 0%{?fedora} >= 29 -Conflicts: python2-ipaserver -Obsoletes: python2-ipaserver < %{version} -%endif # we need pre-requires since earlier versions may break upgrade Requires(pre): python3-ldap >= %{python_ldap_version} Requires: python3-augeas @@ -477,17 +450,10 @@ Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap -%if %{with_default_python} == 3 Requires(post): python3 Requires: python3-samba Requires: python3-libsss_nss_idmap Requires: python3-sss -%else -Requires(post): python2 -Requires: python2-samba -Requires: python2-libsss_nss_idmap -Requires: python2-sss -%endif # with_default_python # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 # on the installes where server-trust-ad subpackage is installed because 
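Review bot: After this hunk nothing in the server package's visible requirements pins a minimum jss, so the floor is left to whatever `pki-ca` and `pki-kra` at `%{pki_version}` pull in. Whether those packages require a jss build with the sub-CA replication fix is not visible here and is worth confirming. If they do, a comment next to the pki requirements such as `# jss floor is enforced through the pki-ca requirement` would record that the omission is deliberate. The `certmonger` line now relies on `%{certmonger_version}`, which is defined outside this hunk.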
@@ -513,17 +479,10 @@ dependencies at once. Summary: IPA authentication for use on clients Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -%if %{with_default_python} == 3 Requires: python3-gssapi >= 1.2.0-5 Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ldap >= %{python_ldap_version} Requires: python3-sssdconfig >= %{sssd_version} -%else -Requires: python2-gssapi >= 1.2.0-5 -Requires: python2-ipaclient = %{version}-%{release} -Requires: python2-ldap >= %{python_ldap_version} -Requires: python2-sssdconfig -%endif Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: krb5-workstation >= %{krb5_version} @@ -538,7 +497,7 @@ Requires: initscripts Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd-ipa >= %{sssd_version} -Requires: certmonger >= 0.79.5-1 +Requires: certmonger >= %{certmonger_version} Requires: nss-tools >= %{nss_version} Requires: bind-utils Requires: oddjob-mkhomedir @@ -615,11 +574,7 @@ BuildArch: noarch Obsoletes: %{name}-python < 4.2.91 Provides: %{name}-python = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -%if %{with_default_python} == 3 Requires: python3-ipalib = %{version}-%{release} -%else -Requires: python2-ipalib = %{version}-%{release} -%endif Provides: %{alt_name}-python-compat = %{version} Conflicts: %{alt_name}-python-compat 
@@ -635,10 +590,11 @@ hosts, services), Authentication (SSO, 2FA), and Authorization features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). This is a compatibility package to accommodate %{name}-python split into -python2-ipalib and %{name}-common. Packages still depending on +python3-ipalib and %{name}-common. Packages still depending on %{name}-python should be fixed to depend on python2-ipaclient or %{name}-common instead. + %package -n python3-ipalib Summary: Python3 libraries used by IPA BuildArch: noarch @@ -709,10 +665,6 @@ BuildArch: noarch %{?python_provide:%python_provide python3-ipatests} Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} -%if 0%{?fedora} >= 29 -Conflicts: python2-ipatests -Obsoletes: python2-ipatests < %{version} -%endif Requires: iptables Requires: ldns-utils Requires: python3-coverage @@ -867,7 +819,7 @@ fi %posttrans server # don't execute upgrade and restart of IPA when server is not installed -%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 +%{__python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # This is necessary for Fedora system upgrades which by default @@ -946,7 +898,7 @@ fi %posttrans server-trust-ad -%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 +%{__python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : 
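Review bot: The compatibility-package description is now inconsistent: the changed line says the split is into `python3-ipalib`, but the unchanged line right after it still tells packagers to depend on `python2-ipaclient`. Since the Python 2 requirement branches are removed elsewhere in this patch, that line should read `%{name}-python should be fixed to depend on python3-ipaclient or`. The hunk also adds a second blank line before `%package -n python3-ipalib`, which looks unintentional.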
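Review bot: The configured-check in `%posttrans server` discards both stdout and stderr, so a failed `from ipaserver.install import installutils` gives the same non-zero exit as "IPA is not configured" and the upgrade branch is skipped without a trace; the same line is repeated in the `%posttrans server-trust-ad` hunk. Consider keeping stderr, e.g. ending the line with `>/dev/null 2>>/var/log/ipaupgrade.log`, or add a comment such as `# import errors are deliberately treated as "not configured"`. Isolated mode, `%{__python3} -I -c "..."`, would also keep environment variables and the working directory out of the module search path for this root scriptlet. Both scriptlets continue past their hunks.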
@@ -988,7 +940,7 @@ if [ $1 -gt 1 ] ; then fi if [ $restore -ge 2 ]; then - %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 + %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 fi fi @@ -1055,14 +1007,20 @@ fi %{_sbindir}/ipa-cacert-manage %{_sbindir}/ipa-winsync-migrate %{_sbindir}/ipa-pkinit-manage +%{_sbindir}/ipa-crlgen-manage %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard +%{_libexecdir}/ipa/custodia/ipa-custodia-dmldap +%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat +%{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped +%{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-custodia-check %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-httpd-pwdreader %{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-pki-wait-running %{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck @@ -1113,6 +1071,8 @@ fi %{_mandir}/man1/ipa-cacert-manage.1* %{_mandir}/man1/ipa-winsync-migrate.1* %{_mandir}/man1/ipa-pkinit-manage.1* +%{_mandir}/man1/ipa-crlgen-manage.1* + %files -n python3-ipaserver %doc README.md Contributors.txt @@ -1134,6 +1094,7 @@ fi # END %{_usr}/share/ipa/wsgi.py* %{_usr}/share/ipa/kdcproxy.wsgi +%{_usr}/share/ipa/ipaca*.ini %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template
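Review bot: The redirect `>>/var/log/ipaupgrade.log 2>&1` lets the shell create the log when it does not exist yet, with a mode that follows the scriptlet's umask rather than one chosen for an upgrade log. If that log can hold sensitive details, which the hunk does not show, create it explicitly first, e.g. `[ -e /var/log/ipaupgrade.log ] || install -m 0600 /dev/null /var/log/ipaupgrade.log`. A comment such as `# append so earlier upgrade output is not truncated` would explain the switch from `>` to `>>`, if that is the intent. The surrounding `if` blocks start outside the hunk.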
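Review bot: The four new helpers are listed under `%{_libexecdir}/ipa/custodia/`, but the visible file list has no `%dir %{_libexecdir}/ipa/custodia` entry, so the directory itself would be left unowned by the package. The list does own `%dir %{_libexecdir}/ipa` and `%dir %{_libexecdir}/ipa/oddjob`; add `%dir %{_libexecdir}/ipa/custodia` ahead of the new entries. These are executed helpers that, judging by their names, deal with key material, so an explicit `%attr(0755,root,root)` as used on the oddjob entry would also pin their owner and mode. The `%files` section starts and ends outside the hunk.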