From 8ac40118cbaa92803a75269bf310414a22b5c588 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Thu, 20 Aug 2020 19:24:07 +0200
Subject: [PATCH] FreeIPA 4.8.7 upstream release
---
 .gitignore | 2 +
 freeipa-fix-unittests-glibc-2.31.9000.patch | 228 --------------------
 freeipa.spec | 30 ++-
 sources | 4 +-
 4 files changed, 31 insertions(+), 233 deletions(-)
 delete mode 100644 freeipa-fix-unittests-glibc-2.31.9000.patch
diff --git a/.gitignore b/.gitignore
index 546f23c..3d258dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -90,3 +90,5 @@
 /freeipa-4.8.6.tar.gz.asc
 /freeipa-4.8.7.tar.gz
 /freeipa-4.8.7.tar.gz.asc
+/freeipa-4.8.9.tar.gz
+/freeipa-4.8.9.tar.gz.asc
diff --git a/freeipa-fix-unittests-glibc-2.31.9000.patch b/freeipa-fix-unittests-glibc-2.31.9000.patch
deleted file mode 100644
index da3b14d..0000000
--- a/freeipa-fix-unittests-glibc-2.31.9000.patch
+++ /dev/null
@@ -1,228 +0,0 @@ -From 4c8a875082f0da0ea78977e97696b22d622728a6 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Sat, 1 Aug 2020 11:49:30 +0300 -Subject: [PATCH] extdom-extop: refactor tests to use unshare+chroot to - override nss_files configuration - -Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the -functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter -two cannot be used in build environment. - -nss_files.so.2 always tries to open /etc/passwd and /etc/group. In past, we -overloaded 'fopen()' to change the path to opened file but this stops working -after glibc consolidate file opening in nss_files with the code starting at -https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad, -this method is not usable anymore and builds against glibc 2.31.9000+ fail in -cmocka unit test execution in Rawhide. - -Apply an alternative approach that uses a new user namespace to unshare the -test from its parent and chroot to the test data where expected /etc/passwd and -/etc/group are provided. This method works only on Linux, thus only run the -unit test on Linux. 
- -Fixes: https://pagure.io/freeipa/issue/8437 -Signed-off-by: Alexander Bokovoy ---- - configure.ac | 2 + - .../ipa-extdom-extop/Makefile.am | 2 + - .../ipa_extdom_cmocka_tests.c | 60 ++++++++----------- - .../test_data/{ => etc}/group | 0 - .../test_data/{ => etc}/passwd | 0 - server.m4 | 8 +++ - 6 files changed, 37 insertions(+), 35 deletions(-) - rename daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/{ => etc}/group (100%) - rename daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/{ => etc}/passwd (100%) - -diff --git a/configure.ac b/configure.ac -index 5ec529088..3dfa9ac44 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -527,6 +527,8 @@ AS_CASE([$JSLINT], - AC_SUBST([JSLINT]) - AM_CONDITIONAL([WITH_JSLINT], [test "x${JSLINT}" != "xno"]) - -+AM_CONDITIONAL([HAVE_UNSHARE], -+ [test "x${ac_cv_func_unshare}" = "xyes" -a "x${ac_cv_func_chroot}" = "xyes"]) - - # Flags - -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am -index cbdd570ea..1dd1cca5f 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am -@@ -50,9 +50,11 @@ TESTS = - check_PROGRAMS = - - if HAVE_CMOCKA -+if HAVE_UNSHARE - TESTS += extdom_cmocka_tests - check_PROGRAMS += extdom_cmocka_tests - endif -+endif - - extdom_cmocka_tests_SOURCES = \ - ipa_extdom_cmocka_tests.c \ -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -index 1fa4c6af8..04fb0b63c 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -@@ -21,6 +21,7 @@ - */ - #define _GNU_SOURCE - -+#include - #include - #include - #include -@@ -36,10 +37,13 @@ - #include - #include - -+static bool skip_tests = false; -+ - #define MAX_BUF (1024*1024*1024) - struct test_data { - struct 
extdom_req *req; - struct ipa_extdom_ctx *ctx; -+ bool skip_test; - }; - - /* -@@ -138,40 +142,6 @@ fail: - return -1; - } - --struct { -- const char *o, *n; --} path_table[] = { -- { .o = "/etc/passwd", .n = "./test_data/passwd"}, -- { .o = "/etc/group", .n = "./test_data/group"}, -- { .o = NULL, .n = NULL}}; -- --FILE *(*original_fopen)(const char*, const char*) = NULL; -- --FILE *fopen(const char *path, const char *mode) { -- const char *_path = NULL; -- -- /* Do not handle before-main() cases */ -- if (original_fopen == NULL) { -- return NULL; -- } -- for(int i=0; path_table[i].o != NULL; i++) { -- if (strcmp(path, path_table[i].o) == 0) { -- _path = path_table[i].n; -- break; -- } -- } -- return (*original_fopen)(_path ? _path : path, mode); --} -- --/* Attempt to initialize original_fopen before main() -- * There is no explicit order when all initializers are called, -- * so we might still be late here compared to a code in a shared -- * library initializer, like libselinux */ --void redefined_fopen_ctor (void) __attribute__ ((constructor)); --void redefined_fopen_ctor(void) { -- original_fopen = dlsym(RTLD_NEXT, "fopen"); --} -- - void test_getpwnam_r_wrapper(void **state) - { - int ret; -@@ -181,6 +151,9 @@ void test_getpwnam_r_wrapper(void **state) - struct test_data *test_data; - - test_data = (struct test_data *) *state; -+ if (test_data->skip_test) { -+ skip(); -+ } - - ret = get_buffer(&buf_len, &buf); - assert_int_equal(ret, 0); -@@ -238,6 +211,9 @@ void test_getpwuid_r_wrapper(void **state) - struct test_data *test_data; - - test_data = (struct test_data *) *state; -+ if (test_data->skip_test) { -+ skip(); -+ } - - ret = get_buffer(&buf_len, &buf); - assert_int_equal(ret, 0); -@@ -290,6 +266,9 @@ void test_getgrnam_r_wrapper(void **state) - struct test_data *test_data; - - test_data = (struct test_data *) *state; -+ if (test_data->skip_test) { -+ skip(); -+ } - - ret = get_buffer(&buf_len, &buf); - assert_int_equal(ret, 0); -@@ -340,6 +319,9 @@ void 
test_getgrgid_r_wrapper(void **state) - struct test_data *test_data; - - test_data = (struct test_data *) *state; -+ if (test_data->skip_test) { -+ skip(); -+ } - - ret = get_buffer(&buf_len, &buf); - assert_int_equal(ret, 0); -@@ -389,6 +371,9 @@ void test_get_user_grouplist(void **state) - struct test_data *test_data; - - test_data = (struct test_data *) *state; -+ if (test_data->skip_test) { -+ skip(); -+ } - - /* This is a bit odd behaviour of getgrouplist() it does not check if the - * user exists, only if memberships of the user can be found. */ -@@ -446,6 +431,11 @@ static int extdom_req_setup(void **state) - assert_non_null(test_data->ctx->nss_ctx); - - back_extdom_set_timeout(test_data->ctx->nss_ctx, 10000); -+ -+ test_data->skip_test = skip_tests; -+ if (chroot("test_data") != 0) { -+ test_data->skip_test = true; -+ } - *state = test_data; - - return 0; -@@ -655,6 +645,6 @@ int main(int argc, const char *argv[]) - cmocka_unit_test(test_decode), - }; - -- assert_non_null(original_fopen); -+ skip_tests = (unshare(CLONE_NEWUSER) == -1); - return cmocka_run_group_tests(tests, extdom_req_setup, extdom_req_teardown); - } -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/group -similarity index 100% -rename from daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group -rename to daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/group -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/passwd -similarity index 100% -rename from daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd -rename to daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/passwd -diff --git a/server.m4 b/server.m4 -index d35823e80..a8d4930fc 100644 ---- a/server.m4 -+++ b/server.m4 -@@ -172,3 +172,11 @@ AC_ARG_WITH([systemdtmpfilesdir], - [systemdtmpfilesdir=$with_systemdtmpfilesdir], - 
[systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)]) - AC_SUBST([systemdtmpfilesdir]) -+ -+dnl Check for unshare(2) - Linux-only. We also check for chroot(2) as we use both -+dnl --------------------------------------------------------------------------- -+ -+AC_CHECK_HEADER(sched.h, [ -+ AC_CHECK_FUNC(unshare, [], [AC_MSG_WARN([unshare not found, no extdom unit tests to be run])]) -+ AC_CHECK_FUNC(chroot, [], [AC_MSG_WARN([chroot not found, no extdom unit tests to be run])]) -+], [AC_MSG_WARN([sched.h not found, unshare is not available])]) --- -2.26.2 - diff --git a/freeipa.spec b/freeipa.spec index f142a41..7f21362 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -147,7 +147,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.8.7 +%define IPA_VERSION 4.8.9 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" @@ -156,14 +156,13 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 5%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc -Patch0: freeipa-fix-unittests-glibc-2.31.9000.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -592,6 +591,10 @@ on the machine enrolled into a FreeIPA environment %package client-epn Summary: Tools to configure Expiring Password Notification in IPA Group: System Environment/Base +Requires: systemd-units +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units Requires: %{name}-client = %{version}-%{release} %description client-epn 
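Review bot: The four added `Requires*: systemd-units` lines in the client-epn package stanza name what is, as far as I know, a legacy virtual provide of the systemd package; the macro form `%{?systemd_requires}` expresses the same post/preun/postun scriptlet dependencies in one line. If the other subpackages in this spec (outside this hunk) already use `systemd-units`, keeping it for consistency is defensible, but then a short comment such as `# needed by the %systemd_* scriptlets for ipa-epn.service and ipa-epn.timer` would tie the dependency to the scriptlets added further down.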
@@ -917,6 +920,10 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d rm %{buildroot}/%{_sbindir}/ipa-epn rm %{buildroot}/%{_mandir}/man1/ipa-epn.1* rm %{buildroot}/%{_mandir}/man5/epn.conf.5* +rm %{buildroot}/%{_unitdir}/ipa-epn.service +rm %{buildroot}/%{_unitdir}/ipa-epn.timer +rm %{buildroot}/%{_sysconfdir}/ipa/epn.conf +rm %{buildroot}/%{_sysconfdir}/ipa/epn/expire_msg.template %endif %if ! %{ONLY_CLIENT} @@ -1029,6 +1036,18 @@ if [ $1 -eq 0 ]; then /bin/systemctl reload-or-try-restart oddjobd fi +%preun client-epn +%systemd_preun ipa-epn.service +%systemd_preun ipa-epn.timer + +%postun client-epn +%systemd_postun ipa-epn.service +%systemd_postun ipa-epn.timer + +%post client-epn +%systemd_post ipa-epn.service +%systemd_post ipa-epn.timer + # ONLY_CLIENT %endif @@ -1376,12 +1395,14 @@ fi %if ! %{ONLY_CLIENT} %files client-epn %doc README.md Contributors.txt +%dir %{_sysconfdir}/ipa/epn %license COPYING %{_sbindir}/ipa-epn %{_mandir}/man1/ipa-epn.1* %{_mandir}/man5/epn.conf.5* %attr(644,root,root) %{_unitdir}/ipa-epn.service %attr(644,root,root) %{_unitdir}/ipa-epn.timer +%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf %attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template %endif @@ -1492,6 +1513,9 @@ fi %endif %changelog +* Thu Aug 20 2020 François Cami - 4.8.9-1 +- Upstream release FreeIPA 4.8.9 + * Mon Aug 03 2020 Alexander Bokovoy - 4.8.7-5 - Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32 diff --git a/sources b/sources index dcff7ae..18db8f2 100644 --- a/sources +++ b/sources 
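Review bot: In the new client-epn scriptlets the sections appear in the order %preun, %postun, %post and each macro is called once per unit; the systemd macros accept several units, so `%systemd_post ipa-epn.service ipa-epn.timer` (and likewise for `%systemd_preun` and `%systemd_postun`) is shorter, and putting %post first matches the install-then-remove order a reader expects. As far as I can tell `%systemd_post` only applies presets, so unless a preset enables ipa-epn.timer the notification job stays inactive after installation; a comment stating that enabling the timer is left to the administrator would make that intent explicit.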
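Review bot: In the client-epn %files list the new `epn.conf` entry is root-only and `%config(noreplace)`, but the neighbouring `%{_sysconfdir}/ipa/epn/expire_msg.template` stays a plain file at mode 644, so an administrator's edits to the template would be replaced on upgrade; if in-place editing is supported, `%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template` would protect them. The added `%dir %{_sysconfdir}/ipa/epn` carries no `%attr`, unlike the entries around it, so its mode is whatever the build root produced; `%dir %attr(755,root,root) %{_sysconfdir}/ipa/epn` would pin it. A comment above the epn.conf line, for example `# epn.conf can hold SMTP credentials, keep it readable by root only`, would record why it is 600; that reason is my inference and is not stated in the hunk.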
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.7.tar.gz) = 8bcf0cea184c7c364606327a4fac8943d43c4981b2632e20d7979189d5c02099a34b75aeb7122176f7438698aefae4efd3ac6ebba12b720b24d3823638171b05
-SHA512 (freeipa-4.8.7.tar.gz.asc) = 7d3e10fbfaa28413dbfeb0614ae49c9a93251fe464a4d4bc495df03511a12adbb66f998e671fb7c2675c2c69d1d000848f7d4dd91b86235554f4da6118805494
+SHA512 (freeipa-4.8.9.tar.gz) = 5db9056b63316023e2d94db1400e14d90b1915e129a01a3518d2487ef4461af1b6fa596da1a44ff36ffa6130d03c0f9d9c04d97ac73164d3bd24ebf06afa7451
+SHA512 (freeipa-4.8.9.tar.gz.asc) = dcd4ec94394fe44b3737d7b39a36a5057a152352a290dd78c7f64fc48dfe06a6cc613c6f75f9d1b2b32289b873ee81533096355b8f194425506f4a9b1cf3e879