ipa-4.11.0-2

- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue
- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string
- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>

0001-ipatests-fix-healthcheck-test-without-DNS.patch

@@ -0,0 +1,44 @@
+From 4c8512168f6a9f224277a4db055f5432af37a552 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 28 Sep 2023 17:39:32 +0200
+Subject: [PATCH] ipatests: fix healthcheck test without DNS
+
+ipa-healthcheck has added a new check for ipa-ca record
+missing. The test needs to be adapted to handle the new check.
+
+Fixes: https://pagure.io/freeipa/issue/9459
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_ipahealthcheck.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 6e01642f36a3d39ac7b3c2721664b21356bf424b..822f550d2ee241a9dd14c99d75199e6207b78e9c 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -1640,13 +1640,19 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest):
+                 "Got {count} ipa-ca AAAA records, expected {expected}",
+                 "Expected URI record missing",
+             }
+-        else:
++        elif (parse_version(version) < parse_version('0.13')):
+             expected_msgs = {
+                 "Expected SRV record missing",
+                 "Unexpected ipa-ca address {ipaddr}",
+                 "expected ipa-ca to contain {ipaddr} for {server}",
+                 "Expected URI record missing",
+             }
++        else:
++            expected_msgs = {
++                "Expected SRV record missing",
++                "Expected URI record missing",
++                "missing IP address for ipa-ca server {server}",
++            }
+ 
+         tasks.install_packages(self.master, HEALTHCHECK_PKG)
+         returncode, data = run_healthcheck(
+-- 
+2.41.0
+

0002-ipatests-fix-healthcheck-test-for-indent-option.patch

@@ -0,0 +1,47 @@
+From ca4ac6c06dd37deab5ba7c4df8789acf9e45d03e Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 28 Sep 2023 12:48:37 +0200
+Subject: [PATCH] ipatests: fix healthcheck test for --indent option
+
+ipa-healthcheck --indent option expects an integer. The error
+message changed with ipa-healthcheck 0.13.
+Recent versions also check that the value is in the range 0-32.
+
+The test must be compatible with old and new versions.
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_ipahealthcheck.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 822f550d2ee241a9dd14c99d75199e6207b78e9c..35fcfe10508589ded021207a4eba4fb0143495b4 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -2412,12 +2412,19 @@ class TestIpaHealthCLI(IntegrationTest):
+             cmd = self.base_cmd + ["--indent", option]
+             result = self.master.run_command(cmd, raiseonerr=False)
+             assert result.returncode == 2
+-            assert 'invalid int value' in result.stderr_text
++            assert ('invalid int value' in result.stderr_text
++                    or 'is not an integer' in result.stderr_text)
+ 
+-        # unusual success, arguably odd but not invalid :-)
++        version = tasks.get_healthcheck_version(self.master)
+         for option in ('-1', '5000'):
+             cmd = self.base_cmd + ["--indent", option]
+-            result = self.master.run_command(cmd)
++            result = self.master.run_command(cmd, raiseonerr=False)
++            if parse_version(version) >= parse_version('0.13'):
++                assert result.returncode == 2
++                assert 'is not in the range 0-32' in result.stderr_text
++            else:
++                # Older versions did not check for a given allowed range
++                assert result.returncode == 0
+ 
+     def test_severity(self):
+         """
+-- 
+2.41.0
+

0003-ipatests-fix-test_ipactl_scenario_check.patch

@@ -0,0 +1,35 @@
+From 8ffcce91c694d83f6698a0539b970f41ea056e2d Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 21 Sep 2023 10:32:41 +0200
+Subject: [PATCH] ipatests: fix test_ipactl_scenario_check
+
+The test is comparing the PID of services before and after
+calling ipactl start, expecting to have the same value.
+It should not compare the pid for ipa-dnskeysyncd as this service
+is automatically restarted upon failure.
+
+Fixes: https://pagure.io/freeipa/issue/9415
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_installation.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 39fbff2b674296b0696defa7bac3efe35c89e0b7..68a442a9cd7746eec728ee38fda34dbc5361c59b 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -695,7 +695,7 @@ def get_pki_tomcatd_pid(host):
+ def get_ipa_services_pids(host):
+     ipa_services_name = [
+         "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
+-        "pki_tomcatd", "ipa-dnskeysyncd"
++        "pki_tomcatd"
+     ]
+     pids_of_ipa_services = {}
+     for name in ipa_services_name:
+-- 
+2.41.0
+

0004-ipalib-fix-the-IPACertificate-validity-dates.patch

@@ -0,0 +1,88 @@
+From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 9 Oct 2023 13:54:17 +0200
+Subject: [PATCH] ipalib: fix the IPACertificate validity dates
+
+The class IPACertificate builds objects from x509 Certificate
+objects and creates the not_valid_before and not_valid_after values
+by converting to a timestamp + applying timezone delta to UTC + reading
+from the timestamp. This results in applying twice the delta.
+
+Use a simpler method that replaces the timezone info with UTC in the
+datetime object.
+
+Fixes: https://pagure.io/freeipa/issue/9462
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipalib/x509.py                    |  6 ++----
+ ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):
+ 
+     @property
+     def not_valid_before(self):
+-        return datetime.datetime.fromtimestamp(
+-            self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
++        return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
+ 
+     @property
+     def not_valid_after(self):
+-        return datetime.datetime.fromtimestamp(
+-            self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
++        return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
+ 
+     @property
+     def tbs_certificate_bytes(self):
+diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
+index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644
+--- a/ipatests/test_ipalib/test_x509.py
++++ b/ipatests/test_ipalib/test_x509.py
+@@ -26,6 +26,7 @@ from binascii import hexlify
+ from configparser import RawConfigParser
+ import datetime
+ from io import StringIO
++import os
+ import pickle
+ 
+ import pytest
+@@ -253,6 +254,30 @@ class test_x509:
+             b'+\x06\x01\x05\x05\x07\x03\x01'
+         )
+ 
++    def test_cert_with_timezone(self):
++        """
++        Test the not_before and not_after values in a diffent timezone
++
++        Test for https://pagure.io/freeipa/issue/9462
++        """
++        # Store initial timezone, then set to New York
++        tz = os.environ.get('TZ', None)
++        os.environ['TZ'] = 'America/New_York'
++        # Load the cert, extract not before and not after
++        cert = x509.load_pem_x509_certificate(goodcert_headers)
++        not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
++                                       datetime.timezone.utc)
++        not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
++                                      datetime.timezone.utc)
++        # Reset timezone to previous value
++        if tz:
++            os.environ['TZ'] = tz
++        else:
++            del os.environ['TZ']
++        # ensure the timezone doesn't mess with not_before and not_after
++        assert cert.not_valid_before == not_before
++        assert cert.not_valid_after == not_after
++
+     def test_load_pkcs7_pem(self):
+         certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
+         assert len(certlist) == 1
+-- 
+2.41.0
+

0005-Allow-password-policy-minlength-to-be-removed-like-o.patch

@@ -0,0 +1,135 @@
+From 9b0b723a0e62f18d41be53900ab8a3e710708563 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 18 May 2023 09:23:32 -0400
+Subject: [PATCH] Allow password policy minlength to be removed like other
+ values
+
+This is a side-effect of adding the libpwquality options. It
+imposes its own hardcoded minimum password length so some care
+was needed to ensure that it isn't set too low.
+
+So if there are no libpwquality options used then it's fine to
+have no minlength in the policy.
+
+Fixes: https://pagure.io/freeipa/issue/9297
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/plugins/pwpolicy.py              | 10 +++--
+ ipatests/test_integration/test_pwpolicy.py | 45 +++++++++++++++++++++-
+ 2 files changed, 50 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
+index 5ea3e6b78c9ee98d204b8382fbed9e21edf51d10..15cfef45b69743c852e43d58b7428976b9e55681 100644
+--- a/ipaserver/plugins/pwpolicy.py
++++ b/ipaserver/plugins/pwpolicy.py
+@@ -462,6 +462,7 @@ class pwpolicy(LDAPObject):
+             return False
+ 
+         has_pwquality_value = False
++        min_length = 0
+         if not add:
+             if len(keys) > 0:
+                 existing_entry = self.api.Command.pwpolicy_show(
+@@ -470,14 +471,15 @@ class pwpolicy(LDAPObject):
+                 existing_entry = self.api.Command.pwpolicy_show(
+                     all=True,)['result']
+             existing_entry.update(entry_attrs)
+-            min_length = int(get_val(existing_entry, 'krbpwdminlength'))
+-
++            if existing_entry.get('krbpwdminlength'):
++                min_length = int(get_val(existing_entry, 'krbpwdminlength'))
+             has_pwquality_value = has_pwquality_set(existing_entry)
+         else:
+-            min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
++            if entry_attrs.get('krbpwdminlength'):
++                min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
+             has_pwquality_value = has_pwquality_set(entry_attrs)
+ 
+-        if min_length and min_length < 6 and has_pwquality_value:
++        if min_length < 6 and has_pwquality_value:
+             raise errors.ValidationError(
+                 name='minlength',
+                 error=_('Minimum length must be >= 6 if maxrepeat, '
+diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
+index 41d6e9070a90c2bde7b3182ad6ecf1a923bba203..652c95e47bdab8bbe137f660d0b2ea2c0496c53e 100644
+--- a/ipatests/test_integration/test_pwpolicy.py
++++ b/ipatests/test_integration/test_pwpolicy.py
+@@ -36,7 +36,9 @@ class TestPWPolicy(IntegrationTest):
+         cls.master.run_command(['ipa', 'group-add-member', POLICY,
+                                 '--users', USER])
+         cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
+-                                '--priority', '1', '--gracelimit', '-1'])
++                                '--priority', '1',
++                                '--gracelimit', '-1',
++                                '--minlength', '6'])
+         cls.master.run_command(['ipa', 'passwd', USER],
+                                stdin_text='{password}\n{password}\n'.format(
+                                password=PASSWORD
+@@ -92,6 +94,12 @@ class TestPWPolicy(IntegrationTest):
+              "--minlength", "0",
+              "--minclasses", "0",],
+         )
++        # minlength => 6 is required for any of the libpwquality settings
++        self.master.run_command(
++            ["ipa", "pwpolicy-mod", POLICY,
++             "--minlength", "6"],
++            raiseonerr=False,
++        )
+ 
+     @pytest.fixture
+     def reset_pwpolicy(self):
+@@ -212,6 +220,7 @@ class TestPWPolicy(IntegrationTest):
+             assert 'Password is too simple' in \
+                 result.stdout_text
+ 
++        self.reset_password(self.master)
+         # test with valid password
+         for valid in ('Passw0rd', 'password1!', 'Password!'):
+             self.kinit_as_user(self.master, PASSWORD, valid)
+@@ -252,6 +261,40 @@ class TestPWPolicy(IntegrationTest):
+             assert result.returncode != 0
+             assert 'minlength' in result.stderr_text
+ 
++    def test_minlength_empty(self, reset_pwpolicy):
++        """Test that the pwpolicy minlength can be blank
++        """
++        # Ensure it is set to a non-zero value to avoid EmptyModlist
++        self.master.run_command(
++            ["ipa", "pwpolicy-mod", POLICY,
++             "--minlength", "10",]
++        )
++        # Enable one of the libpwquality options, removing minlength
++        # should fail.
++        self.master.run_command(
++            ["ipa", "pwpolicy-mod", POLICY,
++             "--maxrepeat", "4",]
++        )
++        result = self.master.run_command(
++            ["ipa", "pwpolicy-mod", POLICY,
++             "--minlength", "",], raiseonerr=False
++        )
++        assert result.returncode != 0
++
++        # Remove the blocking value
++        self.master.run_command(
++            ["ipa", "pwpolicy-mod", POLICY,
++             "--maxrepeat", "",]
++        )
++
++        # Now erase it
++        result = self.master.run_command(
++            ["ipa", "pwpolicy-mod", POLICY,
++             "--minlength", "",]
++        )
++        assert result.returncode == 0
++        assert 'minlength' not in result.stderr_text
++
+     def test_minlength_add(self):
+         """Test that adding a new policy with minlength is caught.
+         """
+-- 
+2.41.0
+

0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch

@@ -0,0 +1,70 @@
+From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001
+From: Sudhir Menon <sumenon@redhat.com>
+Date: Tue, 10 Oct 2023 15:22:27 +0530
+Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy
+
+1. test_certmonger_reads_token_HSM test in test_installaton.py
+is failing in FIPS/STIG mode with the below error.
+
+SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
+Error attempting to import private key in STIG mode
+
+2. Adding the posfix config change, because there was a crash
+seen in smtpd in FIPS mode.
+
+ie. postconf -e smtpd_tls_fingerprint_digest=sha256
+
+KCS: https://access.redhat.com/solutions/6958957
+
+Signed-off-by: Sudhir Menon <sumenon@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_epn.py          | 4 +++-
+ ipatests/test_integration/test_installation.py | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
+index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644
+--- a/ipatests/test_integration/test_epn.py
++++ b/ipatests/test_integration/test_epn.py
+@@ -180,7 +180,6 @@ def configure_starttls(host):
+     postconf(host, 'smtpd_tls_session_cache_timeout = 3600s')
+     # announce STARTTLS support to remote SMTP clients, not require
+     postconf(host, 'smtpd_tls_security_level = may')
+-
+     host.run_command(["systemctl", "restart", "postfix"])
+ 
+ 
+@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host):
+     # CA certificates of root CAs trusted to sign remote SMTP client cert
+     postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}")
+ 
++    if host.is_fips_mode:
++        postconf(host, 'smtpd_tls_fingerprint_digest = sha256')
++
+     host.run_command(["systemctl", "restart", "postfix"])
+ 
+ 
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+ from ipatests.test_integration.test_cert import get_certmonger_fs_id
++from ipatests.pytest_ipa.integration import skip_if_fips
+ from ipaplatform import services
+ 
+ 
+@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest):
+         tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
+         tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
+ 
++    @skip_if_fips()
+     def test_certmonger_reads_token_HSM(self):
+         """Test if certmonger reads the token in HSM
+ 
+-- 
+2.41.0
+

0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch

@@ -0,0 +1,50 @@
+From d4271391adc45c781092db0fb89b802743a9dda8 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 11 Sep 2023 21:37:05 +0000
+Subject: [PATCH] The PKI JSON API the revocation reason key may be
+ case-sensitive
+
+PKI 11.4.0 changed the reason keyword in the REST API from lower-case
+to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6
+
+Use Reason instead of reason as the keyword for revocations
+for PKI 11.4.0+
+
+Related: https://pagure.io/freeipa/issue/9345
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ ipaserver/plugins/dogtag.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index 1c2c51824eecb71cfa8146ceb30435c5ad5d79c7..0036803c86652b557ebeb3cd048877bc01a6b71a 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -274,6 +274,8 @@ if six.PY3:
+ 
+ logger = logging.getLogger(__name__)
+ 
++pki_version = pki.util.Version(pki.specification_version())
++
+ # These are general status return values used when
+ # CMSServlet.outputError() is invoked.
+ CMS_SUCCESS      = 0
+@@ -1130,7 +1132,11 @@ class ra(rabase.rabase, RestClient):
+         serial_number = int(serial_number, 0)
+ 
+         path = 'agent/certs/{}/revoke'.format(serial_number)
+-        data = '{{"reason":"{}"}}'.format(reasons[revocation_reason])
++        if pki_version < pki.util.Version("11.4.0"):
++            keyword = "reason"
++        else:
++            keyword = "Reason"
++        data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
+ 
+         http_status, _http_headers, http_body = self._ssldo(
+             'POST', path,
+-- 
+2.41.0
+

0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch

@@ -0,0 +1,102 @@
+From 0539d97f3e9d2b7d80549ff08d78fe55afcc2dbb Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 26 Oct 2023 13:59:21 -0400
+Subject: [PATCH] WIP: Get the PKI version from the remote to determine the
+ argument
+
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Thomas Woerner <twoerner@redhat.com>
+---
+ ipaserver/plugins/dogtag.py | 55 ++++++++++++++++++++++++++++++++-----
+ 1 file changed, 48 insertions(+), 7 deletions(-)
+
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index 0036803c86652b557ebeb3cd048877bc01a6b71a..7cd51ae58ae0edfe69f0ac7fa190290e2669b0d2 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -274,8 +274,6 @@ if six.PY3:
+ 
+ logger = logging.getLogger(__name__)
+ 
+-pki_version = pki.util.Version(pki.specification_version())
+-
+ # These are general status return values used when
+ # CMSServlet.outputError() is invoked.
+ CMS_SUCCESS      = 0
+@@ -1059,6 +1057,39 @@ class ra(rabase.rabase, RestClient):
+ 
+         return cmd_result
+ 
++    def get_pki_version(self):
++        """
++        Retrieve the version of a remote PKI server.
++
++        The REST API request is a GET to the info URI:
++            GET /pki/rest/info HTTP/1.1
++
++        The response is: {"Version":"11.5.0","Attributes":{"Attribute":[]}}
++        """
++        path = "/pki/rest/info"
++        logger.debug('%s.get_pki_version()', type(self).__name__)
++        http_status, _http_headers, http_body = self._ssldo(
++            'GET', path,
++            headers={
++                'Content-Type': 'application/json',
++                'Accept': 'application/json',
++            },
++            use_session=False,
++        )
++        if http_status != 200:
++            self.raise_certificate_operation_error('get_pki_version',
++                                                   detail=http_status)
++
++        try:
++            response = json.loads(ipautil.decode_json(http_body))
++        except ValueError as e:
++            logger.debug("Response from CA was not valid JSON: %s", e)
++            raise errors.RemoteRetrieveError(
++                reason=_("Response from CA was not valid JSON")
++            )
++
++        return response.get('Version')
++
+ 
+     def revoke_certificate(self, serial_number, revocation_reason=0):
+         """
+@@ -1125,6 +1156,20 @@ class ra(rabase.rabase, RestClient):
+                 detail='7 is not a valid revocation reason'
+             )
+ 
++        # dogtag changed the argument case for revocation from
++        # "reason" to "Reason" in PKI 11.4.0. Detect that change
++        # based on the remote version and pass the expected value
++        # in.
++        pki_version = pki.util.Version(self.get_pki_version())
++        if pki_version is None:
++            self.raise_certificate_operation_error('revoke_certificate',
++                                                   detail="Remove version not "
++                                                          "detected")
++        if pki_version < pki.util.Version("11.4.0"):
++            reason = "reason"
++        else:
++            reason = "Reason"
++
+         # Convert serial number to integral type from string to properly handle
+         # radix issues. Note: the int object constructor will properly handle
+         # large magnitude integral values by returning a Python long type
+@@ -1132,11 +1177,7 @@ class ra(rabase.rabase, RestClient):
+         serial_number = int(serial_number, 0)
+ 
+         path = 'agent/certs/{}/revoke'.format(serial_number)
+-        if pki_version < pki.util.Version("11.4.0"):
+-            keyword = "reason"
+-        else:
+-            keyword = "Reason"
+-        data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
++        data = '{{"{}":"{}"}}'.format(reason, reasons[revocation_reason])
+ 
+         http_status, _http_headers, http_body = self._ssldo(
+             'POST', path,
+-- 
+2.41.0
+

freeipa.spec

@@ -223,7 +223,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -247,6 +247,14 @@ Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 %endif
 %if 0%{?rhel} == 9
+Patch0001:      0001-ipatests-fix-healthcheck-test-without-DNS.patch
+Patch0002:      0002-ipatests-fix-healthcheck-test-for-indent-option.patch
+Patch0003:      0003-ipatests-fix-test_ipactl_scenario_check.patch
+Patch0004:      0004-ipalib-fix-the-IPACertificate-validity-dates.patch
+Patch0005:      0005-Allow-password-policy-minlength-to-be-removed-like-o.patch
+Patch0006:      0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch
+Patch0007:      0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch
+Patch0008:      0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1739,6 +1747,12 @@ fi
 %endif
 
 %changelog
+* Mon Nov 6 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-2
+- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
+- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue
+- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string
+- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4
+
 * Fri Oct 06 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-1
 - Resolves: RHEL-11652 Rebase ipa to latest 4.11.x version for RHEL 9.4