FreeIPA 4.8.7 upstream release

.gitignore

@@ -90,3 +90,5 @@
 /freeipa-4.8.6.tar.gz.asc
 /freeipa-4.8.7.tar.gz
 /freeipa-4.8.7.tar.gz.asc
+/freeipa-4.8.9.tar.gz
+/freeipa-4.8.9.tar.gz.asc

freeipa-fix-unittests-glibc-2.31.9000.patch

@@ -1,228 +0,0 @@
-From 4c8a875082f0da0ea78977e97696b22d622728a6 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@vda.li>
-Date: Sat, 1 Aug 2020 11:49:30 +0300
-Subject: [PATCH] extdom-extop: refactor tests to use unshare+chroot to
- override nss_files configuration
-
-Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the
-functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter
-two cannot be used in build environment.
-
-nss_files.so.2 always tries to open /etc/passwd and /etc/group. In past, we
-overloaded 'fopen()' to change the path to opened file but this stops working
-after glibc consolidate file opening in nss_files with the code starting at
-https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad,
-this method is not usable anymore and builds against glibc 2.31.9000+ fail in
-cmocka unit test execution in Rawhide.
-
-Apply an alternative approach that uses a new user namespace to unshare the
-test from its parent and chroot to the test data where expected /etc/passwd and
-/etc/group are provided. This method works only on Linux, thus only run the
-unit test on Linux.
-
-Fixes: https://pagure.io/freeipa/issue/8437
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- configure.ac                                  |  2 +
- .../ipa-extdom-extop/Makefile.am              |  2 +
- .../ipa_extdom_cmocka_tests.c                 | 60 ++++++++-----------
- .../test_data/{ => etc}/group                 |  0
- .../test_data/{ => etc}/passwd                |  0
- server.m4                                     |  8 +++
- 6 files changed, 37 insertions(+), 35 deletions(-)
- rename daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/{ => etc}/group (100%)
- rename daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/{ => etc}/passwd (100%)
-
-diff --git a/configure.ac b/configure.ac
-index 5ec529088..3dfa9ac44 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -527,6 +527,8 @@ AS_CASE([$JSLINT],
- AC_SUBST([JSLINT])
- AM_CONDITIONAL([WITH_JSLINT], [test "x${JSLINT}" != "xno"])
- 
-+AM_CONDITIONAL([HAVE_UNSHARE],
-+    [test "x${ac_cv_func_unshare}" = "xyes" -a "x${ac_cv_func_chroot}" = "xyes"])
- 
- # Flags
- 
-diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
-index cbdd570ea..1dd1cca5f 100644
---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
-+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
-@@ -50,9 +50,11 @@ TESTS =
- check_PROGRAMS =
- 
- if HAVE_CMOCKA
-+if HAVE_UNSHARE
- TESTS += extdom_cmocka_tests
- check_PROGRAMS += extdom_cmocka_tests
- endif
-+endif
- 
- extdom_cmocka_tests_SOURCES = 		\
- 	ipa_extdom_cmocka_tests.c	\
-diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
-index 1fa4c6af8..04fb0b63c 100644
---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
-+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
-@@ -21,6 +21,7 @@
- */
- #define _GNU_SOURCE
- 
-+#include <sched.h>
- #include <errno.h>
- #include <stdarg.h>
- #include <stddef.h>
-@@ -36,10 +37,13 @@
- #include <stdio.h>
- #include <dlfcn.h>
- 
-+static bool skip_tests = false;
-+
- #define MAX_BUF (1024*1024*1024)
- struct test_data {
-     struct extdom_req *req;
-     struct ipa_extdom_ctx *ctx;
-+    bool skip_test;
- };
- 
- /*
-@@ -138,40 +142,6 @@ fail:
-     return -1;
- }
- 
--struct {
--    const char *o, *n;
--} path_table[] = {
--    { .o = "/etc/passwd", .n = "./test_data/passwd"},
--    { .o = "/etc/group",  .n = "./test_data/group"},
--    { .o = NULL, .n = NULL}};
--
--FILE *(*original_fopen)(const char*, const char*) = NULL;
--
--FILE *fopen(const char *path, const char *mode) {
--    const char *_path = NULL;
--
--    /* Do not handle before-main() cases */
--    if (original_fopen == NULL) {
--        return NULL;
--    }
--    for(int i=0; path_table[i].o != NULL; i++) {
--        if (strcmp(path, path_table[i].o) == 0) {
--                _path = path_table[i].n;
--                break;
--        }
--    }
--    return (*original_fopen)(_path ? _path : path, mode);
--}
--
--/* Attempt to initialize original_fopen before main()
-- * There is no explicit order when all initializers are called,
-- * so we might still be late here compared to a code in a shared
-- * library initializer, like libselinux */
--void redefined_fopen_ctor (void) __attribute__ ((constructor));
--void redefined_fopen_ctor(void) {
--    original_fopen = dlsym(RTLD_NEXT, "fopen");
--}
--
- void test_getpwnam_r_wrapper(void **state)
- {
-     int ret;
-@@ -181,6 +151,9 @@ void test_getpwnam_r_wrapper(void **state)
-     struct test_data *test_data;
- 
-     test_data = (struct test_data *) *state;
-+    if (test_data->skip_test) {
-+        skip();
-+    }
- 
-     ret = get_buffer(&buf_len, &buf);
-     assert_int_equal(ret, 0);
-@@ -238,6 +211,9 @@ void test_getpwuid_r_wrapper(void **state)
-     struct test_data *test_data;
- 
-     test_data = (struct test_data *) *state;
-+    if (test_data->skip_test) {
-+        skip();
-+    }
- 
-     ret = get_buffer(&buf_len, &buf);
-     assert_int_equal(ret, 0);
-@@ -290,6 +266,9 @@ void test_getgrnam_r_wrapper(void **state)
-     struct test_data *test_data;
- 
-     test_data = (struct test_data *) *state;
-+    if (test_data->skip_test) {
-+        skip();
-+    }
- 
-     ret = get_buffer(&buf_len, &buf);
-     assert_int_equal(ret, 0);
-@@ -340,6 +319,9 @@ void test_getgrgid_r_wrapper(void **state)
-     struct test_data *test_data;
- 
-     test_data = (struct test_data *) *state;
-+    if (test_data->skip_test) {
-+        skip();
-+    }
- 
-     ret = get_buffer(&buf_len, &buf);
-     assert_int_equal(ret, 0);
-@@ -389,6 +371,9 @@ void test_get_user_grouplist(void **state)
-     struct test_data *test_data;
- 
-     test_data = (struct test_data *) *state;
-+    if (test_data->skip_test) {
-+        skip();
-+    }
- 
-     /* This is a bit odd behaviour of getgrouplist() it does not check if the
-      * user exists, only if memberships of the user can be found. */
-@@ -446,6 +431,11 @@ static int  extdom_req_setup(void **state)
-     assert_non_null(test_data->ctx->nss_ctx);
- 
-     back_extdom_set_timeout(test_data->ctx->nss_ctx, 10000);
-+
-+    test_data->skip_test = skip_tests;
-+    if (chroot("test_data") != 0) {
-+        test_data->skip_test = true;
-+    }
-     *state = test_data;
- 
-     return 0;
-@@ -655,6 +645,6 @@ int main(int argc, const char *argv[])
-         cmocka_unit_test(test_decode),
-     };
- 
--    assert_non_null(original_fopen);
-+    skip_tests = (unshare(CLONE_NEWUSER) == -1);
-     return cmocka_run_group_tests(tests, extdom_req_setup, extdom_req_teardown);
- }
-diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/group
-similarity index 100%
-rename from daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
-rename to daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/group
-diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd b/daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/passwd
-similarity index 100%
-rename from daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
-rename to daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/passwd
-diff --git a/server.m4 b/server.m4
-index d35823e80..a8d4930fc 100644
---- a/server.m4
-+++ b/server.m4
-@@ -172,3 +172,11 @@ AC_ARG_WITH([systemdtmpfilesdir],
-             [systemdtmpfilesdir=$with_systemdtmpfilesdir],
-         [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
- AC_SUBST([systemdtmpfilesdir])
-+
-+dnl Check for unshare(2) - Linux-only. We also check for chroot(2) as we use both
-+dnl ---------------------------------------------------------------------------
-+
-+AC_CHECK_HEADER(sched.h, [
-+    AC_CHECK_FUNC(unshare, [], [AC_MSG_WARN([unshare not found, no extdom unit tests to be run])])
-+    AC_CHECK_FUNC(chroot, [], [AC_MSG_WARN([chroot not found, no extdom unit tests to be run])])
-+], [AC_MSG_WARN([sched.h not found, unshare is not available])])
--- 
-2.26.2
-

freeipa.spec

@@ -147,7 +147,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.7
+%define IPA_VERSION 4.8.9
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -156,14 +156,13 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        5%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
-Patch0:         freeipa-fix-unittests-glibc-2.31.9000.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -592,6 +591,10 @@ on the machine enrolled into a FreeIPA environment
 %package client-epn
 Summary: Tools to configure Expiring Password Notification in IPA
 Group: System Environment/Base
+Requires: systemd-units
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
 Requires: %{name}-client = %{version}-%{release}
 
 %description client-epn
@@ -917,6 +920,10 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 rm %{buildroot}/%{_sbindir}/ipa-epn
 rm %{buildroot}/%{_mandir}/man1/ipa-epn.1*
 rm %{buildroot}/%{_mandir}/man5/epn.conf.5*
+rm %{buildroot}/%{_unitdir}/ipa-epn.service
+rm %{buildroot}/%{_unitdir}/ipa-epn.timer
+rm %{buildroot}/%{_sysconfdir}/ipa/epn.conf
+rm %{buildroot}/%{_sysconfdir}/ipa/epn/expire_msg.template
 %endif
 
 %if ! %{ONLY_CLIENT}
@@ -1029,6 +1036,18 @@ if [ $1 -eq 0 ]; then
     /bin/systemctl reload-or-try-restart oddjobd
 fi
 
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
+
 # ONLY_CLIENT
 %endif
 
@@ -1376,12 +1395,14 @@ fi
 %if ! %{ONLY_CLIENT}
 %files client-epn
 %doc README.md Contributors.txt
+%dir %{_sysconfdir}/ipa/epn
 %license COPYING
 %{_sbindir}/ipa-epn
 %{_mandir}/man1/ipa-epn.1*
 %{_mandir}/man5/epn.conf.5*
 %attr(644,root,root) %{_unitdir}/ipa-epn.service
 %attr(644,root,root) %{_unitdir}/ipa-epn.timer
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
 %attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
 %endif
 
@@ -1492,6 +1513,9 @@ fi
 %endif
 
 %changelog
+* Thu Aug 20 2020 François Cami <fcami@redhat.com> - 4.8.9-1
+- Upstream release FreeIPA 4.8.9
+
 * Mon Aug 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-5
 - Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32
 

sources

@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.7.tar.gz) = 8bcf0cea184c7c364606327a4fac8943d43c4981b2632e20d7979189d5c02099a34b75aeb7122176f7438698aefae4efd3ac6ebba12b720b24d3823638171b05
+SHA512 (freeipa-4.8.9.tar.gz) = 5db9056b63316023e2d94db1400e14d90b1915e129a01a3518d2487ef4461af1b6fa596da1a44ff36ffa6130d03c0f9d9c04d97ac73164d3bd24ebf06afa7451
-SHA512 (freeipa-4.8.7.tar.gz.asc) = 7d3e10fbfaa28413dbfeb0614ae49c9a93251fe464a4d4bc495df03511a12adbb66f998e671fb7c2675c2c69d1d000848f7d4dd91b86235554f4da6118805494
+SHA512 (freeipa-4.8.9.tar.gz.asc) = dcd4ec94394fe44b3737d7b39a36a5057a152352a290dd78c7f64fc48dfe06a6cc613c6f75f9d1b2b32289b873ee81533096355b8f194425506f4a9b1cf3e879