rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.11.0-2 

- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue
- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string
- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2023-11-06 17:15:36 +01:00
parent 7cca66eef5
commit 80c7b3b6fc
9 changed files with 586 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
0001-ipatests-fix-healthcheck-test-without-DNS.patch Normal file
View File

@ -0,0 +1,44 @@
From 4c8512168f6a9f224277a4db055f5432af37a552 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 28 Sep 2023 17:39:32 +0200
Subject: [PATCH] ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.
Fixes: https://pagure.io/freeipa/issue/9459
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 6e01642f36a3d39ac7b3c2721664b21356bf424b..822f550d2ee241a9dd14c99d75199e6207b78e9c 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1640,13 +1640,19 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest):
"Got {count} ipa-ca AAAA records, expected {expected}",
"Expected URI record missing",
}
- else:
+ elif (parse_version(version) < parse_version('0.13')):
expected_msgs = {
"Expected SRV record missing",
"Unexpected ipa-ca address {ipaddr}",
"expected ipa-ca to contain {ipaddr} for {server}",
"Expected URI record missing",
}
+ else:
+ expected_msgs = {
+ "Expected SRV record missing",
+ "Expected URI record missing",
+ "missing IP address for ipa-ca server {server}",
+ }
tasks.install_packages(self.master, HEALTHCHECK_PKG)
returncode, data = run_healthcheck(
--
2.41.0

47
0002-ipatests-fix-healthcheck-test-for-indent-option.patch Normal file
View File

@ -0,0 +1,47 @@
From ca4ac6c06dd37deab5ba7c4df8789acf9e45d03e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 28 Sep 2023 12:48:37 +0200
Subject: [PATCH] ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.
The test must be compatible with old and new versions.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 822f550d2ee241a9dd14c99d75199e6207b78e9c..35fcfe10508589ded021207a4eba4fb0143495b4 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -2412,12 +2412,19 @@ class TestIpaHealthCLI(IntegrationTest):
cmd = self.base_cmd + ["--indent", option]
result = self.master.run_command(cmd, raiseonerr=False)
assert result.returncode == 2
- assert 'invalid int value' in result.stderr_text
+ assert ('invalid int value' in result.stderr_text
+ or 'is not an integer' in result.stderr_text)
- # unusual success, arguably odd but not invalid :-)
+ version = tasks.get_healthcheck_version(self.master)
for option in ('-1', '5000'):
cmd = self.base_cmd + ["--indent", option]
- result = self.master.run_command(cmd)
+ result = self.master.run_command(cmd, raiseonerr=False)
+ if parse_version(version) >= parse_version('0.13'):
+ assert result.returncode == 2
+ assert 'is not in the range 0-32' in result.stderr_text
+ else:
+ # Older versions did not check for a given allowed range
+ assert result.returncode == 0
def test_severity(self):
"""
--
2.41.0

35
0003-ipatests-fix-test_ipactl_scenario_check.patch Normal file
View File

@ -0,0 +1,35 @@
From 8ffcce91c694d83f6698a0539b970f41ea056e2d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 21 Sep 2023 10:32:41 +0200
Subject: [PATCH] ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.
Fixes: https://pagure.io/freeipa/issue/9415
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_installation.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 39fbff2b674296b0696defa7bac3efe35c89e0b7..68a442a9cd7746eec728ee38fda34dbc5361c59b 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -695,7 +695,7 @@ def get_pki_tomcatd_pid(host):
def get_ipa_services_pids(host):
ipa_services_name = [
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
- "pki_tomcatd", "ipa-dnskeysyncd"
+ "pki_tomcatd"
]
pids_of_ipa_services = {}
for name in ipa_services_name:
--
2.41.0

88
0004-ipalib-fix-the-IPACertificate-validity-dates.patch Normal file
View File

@ -0,0 +1,88 @@
From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 9 Oct 2023 13:54:17 +0200
Subject: [PATCH] ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.
Use a simpler method that replaces the timezone info with UTC in the
datetime object.
Fixes: https://pagure.io/freeipa/issue/9462
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipalib/x509.py | 6 ++----
ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):
@property
def not_valid_before(self):
- return datetime.datetime.fromtimestamp(
- self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
+ return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
@property
def not_valid_after(self):
- return datetime.datetime.fromtimestamp(
- self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
+ return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
@property
def tbs_certificate_bytes(self):
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -26,6 +26,7 @@ from binascii import hexlify
from configparser import RawConfigParser
import datetime
from io import StringIO
+import os
import pickle
import pytest
@@ -253,6 +254,30 @@ class test_x509:
b'+\x06\x01\x05\x05\x07\x03\x01'
)
+ def test_cert_with_timezone(self):
+ """
+ Test the not_before and not_after values in a diffent timezone
+
+ Test for https://pagure.io/freeipa/issue/9462
+ """
+ # Store initial timezone, then set to New York
+ tz = os.environ.get('TZ', None)
+ os.environ['TZ'] = 'America/New_York'
+ # Load the cert, extract not before and not after
+ cert = x509.load_pem_x509_certificate(goodcert_headers)
+ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
+ datetime.timezone.utc)
+ not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
+ datetime.timezone.utc)
+ # Reset timezone to previous value
+ if tz:
+ os.environ['TZ'] = tz
+ else:
+ del os.environ['TZ']
+ # ensure the timezone doesn't mess with not_before and not_after
+ assert cert.not_valid_before == not_before
+ assert cert.not_valid_after == not_after
+
def test_load_pkcs7_pem(self):
certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
assert len(certlist) == 1
--
2.41.0

135
0005-Allow-password-policy-minlength-to-be-removed-like-o.patch Normal file
View File

@ -0,0 +1,135 @@
From 9b0b723a0e62f18d41be53900ab8a3e710708563 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 May 2023 09:23:32 -0400
Subject: [PATCH] Allow password policy minlength to be removed like other
values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.
So if there are no libpwquality options used then it's fine to
have no minlength in the policy.
Fixes: https://pagure.io/freeipa/issue/9297
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/pwpolicy.py | 10 +++--
ipatests/test_integration/test_pwpolicy.py | 45 +++++++++++++++++++++-
2 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 5ea3e6b78c9ee98d204b8382fbed9e21edf51d10..15cfef45b69743c852e43d58b7428976b9e55681 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -462,6 +462,7 @@ class pwpolicy(LDAPObject):
return False
has_pwquality_value = False
+ min_length = 0
if not add:
if len(keys) > 0:
existing_entry = self.api.Command.pwpolicy_show(
@@ -470,14 +471,15 @@ class pwpolicy(LDAPObject):
existing_entry = self.api.Command.pwpolicy_show(
all=True,)['result']
existing_entry.update(entry_attrs)
- min_length = int(get_val(existing_entry, 'krbpwdminlength'))
-
+ if existing_entry.get('krbpwdminlength'):
+ min_length = int(get_val(existing_entry, 'krbpwdminlength'))
has_pwquality_value = has_pwquality_set(existing_entry)
else:
- min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
+ if entry_attrs.get('krbpwdminlength'):
+ min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
has_pwquality_value = has_pwquality_set(entry_attrs)
- if min_length and min_length < 6 and has_pwquality_value:
+ if min_length < 6 and has_pwquality_value:
raise errors.ValidationError(
name='minlength',
error=_('Minimum length must be >= 6 if maxrepeat, '
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
index 41d6e9070a90c2bde7b3182ad6ecf1a923bba203..652c95e47bdab8bbe137f660d0b2ea2c0496c53e 100644
--- a/ipatests/test_integration/test_pwpolicy.py
+++ b/ipatests/test_integration/test_pwpolicy.py
@@ -36,7 +36,9 @@ class TestPWPolicy(IntegrationTest):
cls.master.run_command(['ipa', 'group-add-member', POLICY,
'--users', USER])
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
- '--priority', '1', '--gracelimit', '-1'])
+ '--priority', '1',
+ '--gracelimit', '-1',
+ '--minlength', '6'])
cls.master.run_command(['ipa', 'passwd', USER],
stdin_text='{password}\n{password}\n'.format(
password=PASSWORD
@@ -92,6 +94,12 @@ class TestPWPolicy(IntegrationTest):
"--minlength", "0",
"--minclasses", "0",],
)
+ # minlength => 6 is required for any of the libpwquality settings
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "6"],
+ raiseonerr=False,
+ )
@pytest.fixture
def reset_pwpolicy(self):
@@ -212,6 +220,7 @@ class TestPWPolicy(IntegrationTest):
assert 'Password is too simple' in \
result.stdout_text
+ self.reset_password(self.master)
# test with valid password
for valid in ('Passw0rd', 'password1!', 'Password!'):
self.kinit_as_user(self.master, PASSWORD, valid)
@@ -252,6 +261,40 @@ class TestPWPolicy(IntegrationTest):
assert result.returncode != 0
assert 'minlength' in result.stderr_text
+ def test_minlength_empty(self, reset_pwpolicy):
+ """Test that the pwpolicy minlength can be blank
+ """
+ # Ensure it is set to a non-zero value to avoid EmptyModlist
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "10",]
+ )
+ # Enable one of the libpwquality options, removing minlength
+ # should fail.
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--maxrepeat", "4",]
+ )
+ result = self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "",], raiseonerr=False
+ )
+ assert result.returncode != 0
+
+ # Remove the blocking value
+ self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--maxrepeat", "",]
+ )
+
+ # Now erase it
+ result = self.master.run_command(
+ ["ipa", "pwpolicy-mod", POLICY,
+ "--minlength", "",]
+ )
+ assert result.returncode == 0
+ assert 'minlength' not in result.stderr_text
+
def test_minlength_add(self):
"""Test that adding a new policy with minlength is caught.
"""
--
2.41.0

70
0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch Normal file
View File

@ -0,0 +1,70 @@
From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 10 Oct 2023 15:22:27 +0530
Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installaton.py
is failing in FIPS/STIG mode with the below error.
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode
2. Adding the posfix config change, because there was a crash
seen in smtpd in FIPS mode.
ie. postconf -e smtpd_tls_fingerprint_digest=sha256
KCS: https://access.redhat.com/solutions/6958957
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_epn.py | 4 +++-
ipatests/test_integration/test_installation.py | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -180,7 +180,6 @@ def configure_starttls(host):
postconf(host, 'smtpd_tls_session_cache_timeout = 3600s')
# announce STARTTLS support to remote SMTP clients, not require
postconf(host, 'smtpd_tls_security_level = may')
-
host.run_command(["systemctl", "restart", "postfix"])
@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host):
# CA certificates of root CAs trusted to sign remote SMTP client cert
postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}")
+ if host.is_fips_mode:
+ postconf(host, 'smtpd_tls_fingerprint_digest = sha256')
+
host.run_command(["systemctl", "restart", "postfix"])
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
from ipatests.test_integration.test_cert import get_certmonger_fs_id
+from ipatests.pytest_ipa.integration import skip_if_fips
from ipaplatform import services
@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest):
tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
+ @skip_if_fips()
def test_certmonger_reads_token_HSM(self):
"""Test if certmonger reads the token in HSM
--
2.41.0

50
0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch Normal file
View File

@ -0,0 +1,50 @@
From d4271391adc45c781092db0fb89b802743a9dda8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 11 Sep 2023 21:37:05 +0000
Subject: [PATCH] The PKI JSON API the revocation reason key may be
case-sensitive
PKI 11.4.0 changed the reason keyword in the REST API from lower-case
to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6
Use Reason instead of reason as the keyword for revocations
for PKI 11.4.0+
Related: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
ipaserver/plugins/dogtag.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 1c2c51824eecb71cfa8146ceb30435c5ad5d79c7..0036803c86652b557ebeb3cd048877bc01a6b71a 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -274,6 +274,8 @@ if six.PY3:
logger = logging.getLogger(__name__)
+pki_version = pki.util.Version(pki.specification_version())
+
# These are general status return values used when
# CMSServlet.outputError() is invoked.
CMS_SUCCESS = 0
@@ -1130,7 +1132,11 @@ class ra(rabase.rabase, RestClient):
serial_number = int(serial_number, 0)
path = 'agent/certs/{}/revoke'.format(serial_number)
- data = '{{"reason":"{}"}}'.format(reasons[revocation_reason])
+ if pki_version < pki.util.Version("11.4.0"):
+ keyword = "reason"
+ else:
+ keyword = "Reason"
+ data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
http_status, _http_headers, http_body = self._ssldo(
'POST', path,
--
2.41.0

102
0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch Normal file
View File

@ -0,0 +1,102 @@
From 0539d97f3e9d2b7d80549ff08d78fe55afcc2dbb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 26 Oct 2023 13:59:21 -0400
Subject: [PATCH] WIP: Get the PKI version from the remote to determine the
argument
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
ipaserver/plugins/dogtag.py | 55 ++++++++++++++++++++++++++++++++-----
1 file changed, 48 insertions(+), 7 deletions(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 0036803c86652b557ebeb3cd048877bc01a6b71a..7cd51ae58ae0edfe69f0ac7fa190290e2669b0d2 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -274,8 +274,6 @@ if six.PY3:
logger = logging.getLogger(__name__)
-pki_version = pki.util.Version(pki.specification_version())
-
# These are general status return values used when
# CMSServlet.outputError() is invoked.
CMS_SUCCESS = 0
@@ -1059,6 +1057,39 @@ class ra(rabase.rabase, RestClient):
return cmd_result
+ def get_pki_version(self):
+ """
+ Retrieve the version of a remote PKI server.
+
+ The REST API request is a GET to the info URI:
+ GET /pki/rest/info HTTP/1.1
+
+ The response is: {"Version":"11.5.0","Attributes":{"Attribute":[]}}
+ """
+ path = "/pki/rest/info"
+ logger.debug('%s.get_pki_version()', type(self).__name__)
+ http_status, _http_headers, http_body = self._ssldo(
+ 'GET', path,
+ headers={
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json',
+ },
+ use_session=False,
+ )
+ if http_status != 200:
+ self.raise_certificate_operation_error('get_pki_version',
+ detail=http_status)
+
+ try:
+ response = json.loads(ipautil.decode_json(http_body))
+ except ValueError as e:
+ logger.debug("Response from CA was not valid JSON: %s", e)
+ raise errors.RemoteRetrieveError(
+ reason=_("Response from CA was not valid JSON")
+ )
+
+ return response.get('Version')
+
def revoke_certificate(self, serial_number, revocation_reason=0):
"""
@@ -1125,6 +1156,20 @@ class ra(rabase.rabase, RestClient):
detail='7 is not a valid revocation reason'
)
+ # dogtag changed the argument case for revocation from
+ # "reason" to "Reason" in PKI 11.4.0. Detect that change
+ # based on the remote version and pass the expected value
+ # in.
+ pki_version = pki.util.Version(self.get_pki_version())
+ if pki_version is None:
+ self.raise_certificate_operation_error('revoke_certificate',
+ detail="Remove version not "
+ "detected")
+ if pki_version < pki.util.Version("11.4.0"):
+ reason = "reason"
+ else:
+ reason = "Reason"
+
# Convert serial number to integral type from string to properly handle
# radix issues. Note: the int object constructor will properly handle
# large magnitude integral values by returning a Python long type
@@ -1132,11 +1177,7 @@ class ra(rabase.rabase, RestClient):
serial_number = int(serial_number, 0)
path = 'agent/certs/{}/revoke'.format(serial_number)
- if pki_version < pki.util.Version("11.4.0"):
- keyword = "reason"
- else:
- keyword = "Reason"
- data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
+ data = '{{"{}":"{}"}}'.format(reason, reasons[revocation_reason])
http_status, _http_headers, http_body = self._ssldo(
'POST', path,
--
2.41.0

16
freeipa.spec
View File

@ -223,7 +223,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 1%{?rc_version:.%rc_version}%{?dist}
Release: 2%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -247,6 +247,14 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
%endif
%if 0%{?rhel} == 9
Patch0001: 0001-ipatests-fix-healthcheck-test-without-DNS.patch
Patch0002: 0002-ipatests-fix-healthcheck-test-for-indent-option.patch
Patch0003: 0003-ipatests-fix-test_ipactl_scenario_check.patch
Patch0004: 0004-ipalib-fix-the-IPACertificate-validity-dates.patch
Patch0005: 0005-Allow-password-policy-minlength-to-be-removed-like-o.patch
Patch0006: 0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch
Patch0007: 0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch
Patch0008: 0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1739,6 +1747,12 @@ fi
%endif
%changelog
* Mon Nov 6 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-2
- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue
- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string
- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4
* Fri Oct 06 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-1
- Resolves: RHEL-11652 Rebase ipa to latest 4.11.x version for RHEL 9.4