diff --git a/0001-ipatests-fix-healthcheck-test-without-DNS.patch b/0001-ipatests-fix-healthcheck-test-without-DNS.patch new file mode 100644 index 0000000..730cc64 --- /dev/null +++ b/0001-ipatests-fix-healthcheck-test-without-DNS.patch @@ -0,0 +1,44 @@ +From 4c8512168f6a9f224277a4db055f5432af37a552 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 28 Sep 2023 17:39:32 +0200 +Subject: [PATCH] ipatests: fix healthcheck test without DNS + +ipa-healthcheck has added a new check for ipa-ca record +missing. The test needs to be adapted to handle the new check. + +Fixes: https://pagure.io/freeipa/issue/9459 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_ipahealthcheck.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 6e01642f36a3d39ac7b3c2721664b21356bf424b..822f550d2ee241a9dd14c99d75199e6207b78e9c 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -1640,13 +1640,19 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest): + "Got {count} ipa-ca AAAA records, expected {expected}", + "Expected URI record missing", + } +- else: ++ elif (parse_version(version) < parse_version('0.13')): + expected_msgs = { + "Expected SRV record missing", + "Unexpected ipa-ca address {ipaddr}", + "expected ipa-ca to contain {ipaddr} for {server}", + "Expected URI record missing", + } ++ else: ++ expected_msgs = { ++ "Expected SRV record missing", ++ "Expected URI record missing", ++ "missing IP address for ipa-ca server {server}", ++ } + + tasks.install_packages(self.master, HEALTHCHECK_PKG) + returncode, data = run_healthcheck( +-- +2.41.0 + 
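Review bot: The new `elif` in TestIpaHealthCheckWithoutDNS wraps its condition in parentheses that the surrounding code does not use; `elif parse_version(version) < parse_version('0.13'):` is the same test in the file's own style. The branch chain now encodes two separate ipa-healthcheck behaviour changes with no marker of which release introduced each, and the condition of the first `if` is not visible in the hunk, so a short comment above the final `else`, `# ipa-healthcheck >= 0.13 reports the missing ipa-ca address per server instead of per address`, would help whoever adjusts this for the next version. The enclosing test method starts and ends outside the hunk.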
diff --git a/0002-ipatests-fix-healthcheck-test-for-indent-option.patch b/0002-ipatests-fix-healthcheck-test-for-indent-option.patch new file mode 100644 index 0000000..174bc62 --- /dev/null +++ b/0002-ipatests-fix-healthcheck-test-for-indent-option.patch 
@@ -0,0 +1,47 @@ +From ca4ac6c06dd37deab5ba7c4df8789acf9e45d03e Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 28 Sep 2023 12:48:37 +0200 +Subject: [PATCH] ipatests: fix healthcheck test for --indent option + +ipa-healthcheck --indent option expects an integer. The error +message changed with ipa-healthcheck 0.13. +Recent versions also check that the value is in the range 0-32. + +The test must be compatible with old and new versions. + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_ipahealthcheck.py | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 822f550d2ee241a9dd14c99d75199e6207b78e9c..35fcfe10508589ded021207a4eba4fb0143495b4 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -2412,12 +2412,19 @@ class TestIpaHealthCLI(IntegrationTest): + cmd = self.base_cmd + ["--indent", option] + result = self.master.run_command(cmd, raiseonerr=False) + assert result.returncode == 2 +- assert 'invalid int value' in result.stderr_text ++ assert ('invalid int value' in result.stderr_text ++ or 'is not an integer' in result.stderr_text) + +- # unusual success, arguably odd but not invalid :-) ++ version = tasks.get_healthcheck_version(self.master) + for option in ('-1', '5000'): + cmd = self.base_cmd + ["--indent", option] +- result = self.master.run_command(cmd) ++ result = self.master.run_command(cmd, raiseonerr=False) ++ if parse_version(version) >= parse_version('0.13'): ++ assert result.returncode == 2 ++ assert 'is not in the range 0-32' in result.stderr_text ++ else: ++ # Older versions did not check for a given allowed range ++ assert result.returncode == 0 + + def test_severity(self): + """ +-- +2.41.0 + 
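Review bot: `parse_version(version) >= parse_version('0.13')` is re-evaluated on every iteration of `for option in ('-1', '5000'):` although it does not depend on `option`; binding it once before the loop, `range_checked = parse_version(version) >= parse_version('0.13')`, and testing `if range_checked:` inside keeps the loop body to the assertions. The widened first assertion now accepts two message formats without saying which version produces which; a comment such as `# pre-0.13 reports 'invalid int value', 0.13+ reports 'is not an integer'` next to it would preserve what the commit message explains. The dropped `# unusual success ...` comment was the only in-code note that older versions accept out-of-range values, so keeping an equivalent remark in the new `else` branch (it has one) is worth a second look when the pre-0.13 path is eventually removed. The enclosing test method starts and ends outside the hunk.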
diff --git a/0003-ipatests-fix-test_ipactl_scenario_check.patch b/0003-ipatests-fix-test_ipactl_scenario_check.patch new file mode 100644 index 0000000..c6ac0b8 --- /dev/null +++ b/0003-ipatests-fix-test_ipactl_scenario_check.patch @@ -0,0 +1,35 @@ +From 8ffcce91c694d83f6698a0539b970f41ea056e2d Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 21 Sep 2023 10:32:41 +0200 +Subject: [PATCH] ipatests: fix test_ipactl_scenario_check + +The test is comparing the PID of services before and after +calling ipactl start, expecting to have the same value. +It should not compare the pid for ipa-dnskeysyncd as this service +is automatically restarted upon failure. + +Fixes: https://pagure.io/freeipa/issue/9415 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_installation.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 39fbff2b674296b0696defa7bac3efe35c89e0b7..68a442a9cd7746eec728ee38fda34dbc5361c59b 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -695,7 +695,7 @@ def get_pki_tomcatd_pid(host): + def get_ipa_services_pids(host): + ipa_services_name = [ + "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", +- "pki_tomcatd", "ipa-dnskeysyncd" ++ "pki_tomcatd" + ] + pids_of_ipa_services = {} + for name in ipa_services_name: +-- +2.41.0 + diff --git a/0004-ipalib-fix-the-IPACertificate-validity-dates.patch b/0004-ipalib-fix-the-IPACertificate-validity-dates.patch new file mode 100644 index 0000000..6b04dab --- /dev/null +++ b/0004-ipalib-fix-the-IPACertificate-validity-dates.patch 
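Review bot: Dropping `"ipa-dnskeysyncd"` from `ipa_services_name` in get_ipa_services_pids leaves no trace in the code of why that service is excluded, so a later reader is likely to add it back when comparing the list against the installed services; a comment on the list, `# ipa-dnskeysyncd is omitted: it is restarted automatically on failure, so its PID is not stable across ipactl start`, would carry the rationale from the commit message into the code. get_ipa_services_pids continues past the end of the hunk.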
@@ -0,0 +1,88 @@ +From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 9 Oct 2023 13:54:17 +0200 +Subject: [PATCH] ipalib: fix the IPACertificate validity dates + +The class IPACertificate builds objects from x509 Certificate +objects and creates the not_valid_before and not_valid_after values +by converting to a timestamp + applying timezone delta to UTC + reading +from the timestamp. This results in applying twice the delta. + +Use a simpler method that replaces the timezone info with UTC in the +datetime object. + +Fixes: https://pagure.io/freeipa/issue/9462 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipalib/x509.py | 6 ++---- + ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++ + 2 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/ipalib/x509.py b/ipalib/x509.py +index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644 +--- a/ipalib/x509.py ++++ b/ipalib/x509.py +@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate): + + @property + def not_valid_before(self): +- return datetime.datetime.fromtimestamp( +- self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc) ++ return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc) + + @property + def not_valid_after(self): +- return datetime.datetime.fromtimestamp( +- self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc) ++ return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc) + + @property + def tbs_certificate_bytes(self): +diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py +index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644 +--- a/ipatests/test_ipalib/test_x509.py ++++ b/ipatests/test_ipalib/test_x509.py +@@ -26,6 +26,7 @@ from binascii import hexlify + from configparser import RawConfigParser + import datetime + from 
io import StringIO ++import os + import pickle + + import pytest +@@ -253,6 +254,30 @@ class test_x509: + b'+\x06\x01\x05\x05\x07\x03\x01' + ) + ++ def test_cert_with_timezone(self): ++ """ ++ Test the not_before and not_after values in a diffent timezone ++ ++ Test for https://pagure.io/freeipa/issue/9462 ++ """ ++ # Store initial timezone, then set to New York ++ tz = os.environ.get('TZ', None) ++ os.environ['TZ'] = 'America/New_York' ++ # Load the cert, extract not before and not after ++ cert = x509.load_pem_x509_certificate(goodcert_headers) ++ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0, ++ datetime.timezone.utc) ++ not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0, ++ datetime.timezone.utc) ++ # Reset timezone to previous value ++ if tz: ++ os.environ['TZ'] = tz ++ else: ++ del os.environ['TZ'] ++ # ensure the timezone doesn't mess with not_before and not_after ++ assert cert.not_valid_before == not_before ++ assert cert.not_valid_after == not_after ++ + def test_load_pkcs7_pem(self): + certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM) + assert len(certlist) == 1 +-- +2.41.0 + diff --git a/0005-Allow-password-policy-minlength-to-be-removed-like-o.patch b/0005-Allow-password-policy-minlength-to-be-removed-like-o.patch new file mode 100644 index 0000000..af3c80d --- /dev/null +++ b/0005-Allow-password-policy-minlength-to-be-removed-like-o.patch 
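Review bot: test_cert_with_timezone sets `os.environ['TZ']` but never calls `time.tzset()`, so on most platforms the C library keeps the zone it already loaded and the certificate is still parsed under the process's original timezone; the test then very likely passes against the unfixed `fromtimestamp(...)` implementation as well, which defeats its purpose as a regression test for issue 9462. The restore of `TZ` is also not in a `try`/`finally`, so a failure in `load_pem_x509_certificate` leaks the New York zone into every later test in the process, and `if tz:` treats an empty-but-set `TZ` as unset. A `try`/`finally` with `time.tzset()` on both the set and restore path fixes all three (this needs `import time` next to the new `import os`, and `time.tzset` is Unix-only); pytest's `monkeypatch.setenv('TZ', ...)` would handle the restore part instead. The x509.py change itself (`.replace(tzinfo=datetime.timezone.utc)`) relies on the underlying cryptography datetimes being naive UTC, which is what the old `timestamp()` conversion also assumed, so that part is consistent.
```python
    def test_cert_with_timezone(self):
        """
        Test the not_before and not_after values in a different timezone

        Test for https://pagure.io/freeipa/issue/9462
        """
        tz = os.environ.get('TZ')
        os.environ['TZ'] = 'America/New_York'
        try:
            # setting the variable alone is not enough: the C library only
            # re-reads TZ on tzset()
            time.tzset()
            cert = x509.load_pem_x509_certificate(goodcert_headers)
            not_before = cert.not_valid_before
            not_after = cert.not_valid_after
        finally:
            if tz is None:
                del os.environ['TZ']
            else:
                os.environ['TZ'] = tz
            time.tzset()
        # ensure the timezone doesn't mess with not_before and not_after
        assert not_before == datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
                                               datetime.timezone.utc)
        assert not_after == datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
                                              datetime.timezone.utc)
```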
@@ -0,0 +1,135 @@ +From 9b0b723a0e62f18d41be53900ab8a3e710708563 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 18 May 2023 09:23:32 -0400 +Subject: [PATCH] Allow password policy minlength to be removed like other + values + +This is a side-effect of adding the libpwquality options. It +imposes its own hardcoded minimum password length so some care +was needed to ensure that it isn't set too low. + +So if there are no libpwquality options used then it's fine to +have no minlength in the policy. + +Fixes: https://pagure.io/freeipa/issue/9297 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/plugins/pwpolicy.py | 10 +++-- + ipatests/test_integration/test_pwpolicy.py | 45 +++++++++++++++++++++- + 2 files changed, 50 insertions(+), 5 deletions(-) + +diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py +index 5ea3e6b78c9ee98d204b8382fbed9e21edf51d10..15cfef45b69743c852e43d58b7428976b9e55681 100644 +--- a/ipaserver/plugins/pwpolicy.py ++++ b/ipaserver/plugins/pwpolicy.py +@@ -462,6 +462,7 @@ class pwpolicy(LDAPObject): + return False + + has_pwquality_value = False ++ min_length = 0 + if not add: + if len(keys) > 0: + existing_entry = self.api.Command.pwpolicy_show( +@@ -470,14 +471,15 @@ class pwpolicy(LDAPObject): + existing_entry = self.api.Command.pwpolicy_show( + all=True,)['result'] + existing_entry.update(entry_attrs) +- min_length = int(get_val(existing_entry, 'krbpwdminlength')) +- ++ if existing_entry.get('krbpwdminlength'): ++ min_length = int(get_val(existing_entry, 'krbpwdminlength')) + has_pwquality_value = has_pwquality_set(existing_entry) + else: +- min_length = int(get_val(entry_attrs, 'krbpwdminlength')) ++ if entry_attrs.get('krbpwdminlength'): ++ min_length = int(get_val(entry_attrs, 'krbpwdminlength')) + has_pwquality_value = has_pwquality_set(entry_attrs) + +- if min_length and min_length < 6 and has_pwquality_value: ++ if min_length < 6 and 
has_pwquality_value: + raise errors.ValidationError( + name='minlength', + error=_('Minimum length must be >= 6 if maxrepeat, ' +diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py +index 41d6e9070a90c2bde7b3182ad6ecf1a923bba203..652c95e47bdab8bbe137f660d0b2ea2c0496c53e 100644 +--- a/ipatests/test_integration/test_pwpolicy.py ++++ b/ipatests/test_integration/test_pwpolicy.py +@@ -36,7 +36,9 @@ class TestPWPolicy(IntegrationTest): + cls.master.run_command(['ipa', 'group-add-member', POLICY, + '--users', USER]) + cls.master.run_command(['ipa', 'pwpolicy-add', POLICY, +- '--priority', '1', '--gracelimit', '-1']) ++ '--priority', '1', ++ '--gracelimit', '-1', ++ '--minlength', '6']) + cls.master.run_command(['ipa', 'passwd', USER], + stdin_text='{password}\n{password}\n'.format( + password=PASSWORD +@@ -92,6 +94,12 @@ class TestPWPolicy(IntegrationTest): + "--minlength", "0", + "--minclasses", "0",], + ) ++ # minlength => 6 is required for any of the libpwquality settings ++ self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, ++ "--minlength", "6"], ++ raiseonerr=False, ++ ) + + @pytest.fixture + def reset_pwpolicy(self): +@@ -212,6 +220,7 @@ class TestPWPolicy(IntegrationTest): + assert 'Password is too simple' in \ + result.stdout_text + ++ self.reset_password(self.master) + # test with valid password + for valid in ('Passw0rd', 'password1!', 'Password!'): + self.kinit_as_user(self.master, PASSWORD, valid) +@@ -252,6 +261,40 @@ class TestPWPolicy(IntegrationTest): + assert result.returncode != 0 + assert 'minlength' in result.stderr_text + ++ def test_minlength_empty(self, reset_pwpolicy): ++ """Test that the pwpolicy minlength can be blank ++ """ ++ # Ensure it is set to a non-zero value to avoid EmptyModlist ++ self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, ++ "--minlength", "10",] ++ ) ++ # Enable one of the libpwquality options, removing minlength ++ # should fail. 
++ self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, ++ "--maxrepeat", "4",] ++ ) ++ result = self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, ++ "--minlength", "",], raiseonerr=False ++ ) ++ assert result.returncode != 0 ++ ++ # Remove the blocking value ++ self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, ++ "--maxrepeat", "",] ++ ) ++ ++ # Now erase it ++ result = self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, ++ "--minlength", "",] ++ ) ++ assert result.returncode == 0 ++ assert 'minlength' not in result.stderr_text ++ + def test_minlength_add(self): + """Test that adding a new policy with minlength is caught. + """ +-- +2.41.0 + diff --git a/0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch b/0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch new file mode 100644 index 0000000..5d809a2 --- /dev/null +++ b/0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch 
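Review bot: The comment added to the `reset_pwpolicy` fixture, `# minlength => 6 is required for any of the libpwquality settings`, inverts the relation the server enforces (`min_length < 6` raises); it should read `# minlength >= 6 is required for any of the libpwquality settings`. That same `pwpolicy-mod ... --minlength 6` runs with `raiseonerr=False` and no explanation, presumably to tolerate EmptyModlist when the value is already 6, but it also hides any other failure and leaves later tests running with `minlength 0`; a comment stating the tolerated error, or asserting on `result.stderr_text` when the return code is non-zero, would make the intent checkable. In pwpolicy.py the new `min_length = 0` default deliberately makes an absent `krbpwdminlength` fail the `< 6` check whenever a libpwquality option is set, which is the right direction for password policy, and a one-line comment on the default, `# absent minlength counts as 0: libpwquality options still require >= 6`, would make that explicit. The enclosing validation method starts and ends outside the hunk.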
@@ -0,0 +1,70 @@ +From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Tue, 10 Oct 2023 15:22:27 +0530 +Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy + +1. test_certmonger_reads_token_HSM test in test_installaton.py +is failing in FIPS/STIG mode with the below error. + +SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. +Error attempting to import private key in STIG mode + +2. Adding the posfix config change, because there was a crash +seen in smtpd in FIPS mode. + +ie. postconf -e smtpd_tls_fingerprint_digest=sha256 + +KCS: https://access.redhat.com/solutions/6958957 + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_epn.py | 4 +++- + ipatests/test_integration/test_installation.py | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -180,7 +180,6 @@ def configure_starttls(host): + postconf(host, 'smtpd_tls_session_cache_timeout = 3600s') + # announce STARTTLS support to remote SMTP clients, not require + postconf(host, 'smtpd_tls_security_level = may') +- + host.run_command(["systemctl", "restart", "postfix"]) + + +@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host): + # CA certificates of root CAs trusted to sign remote SMTP client cert + postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}") + ++ if host.is_fips_mode: ++ postconf(host, 'smtpd_tls_fingerprint_digest = sha256') ++ + host.run_command(["systemctl", "restart", "postfix"]) + + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644 +--- 
a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup + from ipatests.test_integration.test_cert import get_certmonger_fs_id ++from ipatests.pytest_ipa.integration import skip_if_fips + from ipaplatform import services + + +@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest): + tasks.install_replica(self.master, self.replicas[1], setup_ca=False) + tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"]) + ++ @skip_if_fips() + def test_certmonger_reads_token_HSM(self): + """Test if certmonger reads the token in HSM + +-- +2.41.0 + diff --git a/0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch b/0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch new file mode 100644 index 0000000..66d6c63 --- /dev/null +++ b/0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch 
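Review bot: `smtpd_tls_fingerprint_digest = sha256` in configure_ssl_client_cert is applied only under `host.is_fips_mode`, so non-FIPS hosts keep postfix's built-in default for the fingerprint digest and the two modes now exercise different TLS configurations; setting it unconditionally, `postconf(host, 'smtpd_tls_fingerprint_digest = sha256')` without the `if`, is harmless on non-FIPS hosts and keeps a single code path. The new `@skip_if_fips()` on test_certmonger_reads_token_HSM carries no comment, so the reason for the skip (the PKCS#12 private-key import failure in STIG mode described in the commit message) is invisible at the test and the skip can quietly become permanent; a line above the decorator such as `# PKCS#12 key import fails in FIPS/STIG mode (SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY); FIPS coverage gap` records both the cause and that it is a gap. The blank-line removal in configure_starttls is unrelated whitespace.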
@@ -0,0 +1,50 @@ +From d4271391adc45c781092db0fb89b802743a9dda8 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 11 Sep 2023 21:37:05 +0000 +Subject: [PATCH] The PKI JSON API the revocation reason key may be + case-sensitive + +PKI 11.4.0 changed the reason keyword in the REST API from lower-case +to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6 + +Use Reason instead of reason as the keyword for revocations +for PKI 11.4.0+ + +Related: https://pagure.io/freeipa/issue/9345 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Thomas Woerner +--- + ipaserver/plugins/dogtag.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py +index 1c2c51824eecb71cfa8146ceb30435c5ad5d79c7..0036803c86652b557ebeb3cd048877bc01a6b71a 100644 +--- a/ipaserver/plugins/dogtag.py ++++ b/ipaserver/plugins/dogtag.py +@@ -274,6 +274,8 @@ if six.PY3: + + logger = logging.getLogger(__name__) + ++pki_version = pki.util.Version(pki.specification_version()) ++ + # These are general status return values used when + # CMSServlet.outputError() is invoked. + CMS_SUCCESS = 0 +@@ -1130,7 +1132,11 @@ class ra(rabase.rabase, RestClient): + serial_number = int(serial_number, 0) + + path = 'agent/certs/{}/revoke'.format(serial_number) +- data = '{{"reason":"{}"}}'.format(reasons[revocation_reason]) ++ if pki_version < pki.util.Version("11.4.0"): ++ keyword = "reason" ++ else: ++ keyword = "Reason" ++ data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason]) + + http_status, _http_headers, http_body = self._ssldo( + 'POST', path, +-- +2.41.0 + diff --git a/0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch b/0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch new file mode 100644 index 0000000..2f85e4f --- /dev/null +++ b/0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch 
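Review bot: The revocation body is still assembled by hand, `'{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])`, which is not guaranteed to produce valid JSON if a reason string ever contains a quote or backslash; `data = json.dumps({keyword: reasons[revocation_reason]})` yields the same document for the current table and cannot produce a malformed one. Patch 0008 keeps the identical `.format` construction after renaming `keyword` to `reason`, so the same change applies there; `json` is already used by this module (`json.loads` in 0008). The module-level `pki_version` introduced here is replaced by a remote lookup in 0008, so it is not raised separately. revoke_certificate starts and ends outside the hunk.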
@@ -0,0 +1,102 @@ +From 0539d97f3e9d2b7d80549ff08d78fe55afcc2dbb Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 26 Oct 2023 13:59:21 -0400 +Subject: [PATCH] WIP: Get the PKI version from the remote to determine the + argument + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Thomas Woerner +--- + ipaserver/plugins/dogtag.py | 55 ++++++++++++++++++++++++++++++++----- + 1 file changed, 48 insertions(+), 7 deletions(-) + +diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py +index 0036803c86652b557ebeb3cd048877bc01a6b71a..7cd51ae58ae0edfe69f0ac7fa190290e2669b0d2 100644 +--- a/ipaserver/plugins/dogtag.py ++++ b/ipaserver/plugins/dogtag.py +@@ -274,8 +274,6 @@ if six.PY3: + + logger = logging.getLogger(__name__) + +-pki_version = pki.util.Version(pki.specification_version()) +- + # These are general status return values used when + # CMSServlet.outputError() is invoked. + CMS_SUCCESS = 0 +@@ -1059,6 +1057,39 @@ class ra(rabase.rabase, RestClient): + + return cmd_result + ++ def get_pki_version(self): ++ """ ++ Retrieve the version of a remote PKI server. 
++ ++ The REST API request is a GET to the info URI: ++ GET /pki/rest/info HTTP/1.1 ++ ++ The response is: {"Version":"11.5.0","Attributes":{"Attribute":[]}} ++ """ ++ path = "/pki/rest/info" ++ logger.debug('%s.get_pki_version()', type(self).__name__) ++ http_status, _http_headers, http_body = self._ssldo( ++ 'GET', path, ++ headers={ ++ 'Content-Type': 'application/json', ++ 'Accept': 'application/json', ++ }, ++ use_session=False, ++ ) ++ if http_status != 200: ++ self.raise_certificate_operation_error('get_pki_version', ++ detail=http_status) ++ ++ try: ++ response = json.loads(ipautil.decode_json(http_body)) ++ except ValueError as e: ++ logger.debug("Response from CA was not valid JSON: %s", e) ++ raise errors.RemoteRetrieveError( ++ reason=_("Response from CA was not valid JSON") ++ ) ++ ++ return response.get('Version') ++ + + def revoke_certificate(self, serial_number, revocation_reason=0): + """ +@@ -1125,6 +1156,20 @@ class ra(rabase.rabase, RestClient): + detail='7 is not a valid revocation reason' + ) + ++ # dogtag changed the argument case for revocation from ++ # "reason" to "Reason" in PKI 11.4.0. Detect that change ++ # based on the remote version and pass the expected value ++ # in. ++ pki_version = pki.util.Version(self.get_pki_version()) ++ if pki_version is None: ++ self.raise_certificate_operation_error('revoke_certificate', ++ detail="Remove version not " ++ "detected") ++ if pki_version < pki.util.Version("11.4.0"): ++ reason = "reason" ++ else: ++ reason = "Reason" ++ + # Convert serial number to integral type from string to properly handle + # radix issues. 
Note: the int object constructor will properly handle + # large magnitude integral values by returning a Python long type +@@ -1132,11 +1177,7 @@ class ra(rabase.rabase, RestClient): + serial_number = int(serial_number, 0) + + path = 'agent/certs/{}/revoke'.format(serial_number) +- if pki_version < pki.util.Version("11.4.0"): +- keyword = "reason" +- else: +- keyword = "Reason" +- data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason]) ++ data = '{{"{}":"{}"}}'.format(reason, reasons[revocation_reason]) + + http_status, _http_headers, http_body = self._ssldo( + 'POST', path, +-- +2.41.0 + diff --git a/freeipa.spec b/freeipa.spec index bf420bb..1548f41 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist} +Release: 2%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later @@ -247,6 +247,14 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch %endif %if 0%{?rhel} == 9 +Patch0001: 0001-ipatests-fix-healthcheck-test-without-DNS.patch +Patch0002: 0002-ipatests-fix-healthcheck-test-for-indent-option.patch +Patch0003: 0003-ipatests-fix-test_ipactl_scenario_check.patch +Patch0004: 0004-ipalib-fix-the-IPACertificate-validity-dates.patch +Patch0005: 0005-Allow-password-policy-minlength-to-be-removed-like-o.patch +Patch0006: 0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch +Patch0007: 0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch +Patch0008: 0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif 
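Review bot: In revoke_certificate the `pki_version is None` guard comes after `pki.util.Version(self.get_pki_version())`, so when the info response has no `Version` key the constructor receives `None` before the guard runs; whether that raises or returns an object depends on pki.util.Version, but either way `pki_version is None` can never be true and the intended error is unreachable. Test the raw value first: `version = self.get_pki_version()`, `if version is None: self.raise_certificate_operation_error('revoke_certificate', detail="Remote version not detected")`, `pki_version = pki.util.Version(version)`. The detail string also misspells "Remote" as "Remove". get_pki_version issues an extra unauthenticated GET on every revocation; if that matters, the result can be cached on the instance after the first successful lookup rather than re-fetched per call. revoke_certificate continues outside the hunk, and the subject still says WIP.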
@@ -1739,6 +1747,12 @@ fi %endif %changelog +* Mon Nov 6 2023 Florence Blanc-Renaud - 4.11.0-2 +- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests +- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue +- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string +- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4 + * Fri Oct 06 2023 Florence Blanc-Renaud - 4.11.0-1 - Resolves: RHEL-11652 Rebase ipa to latest 4.11.x version for RHEL 9.4