rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa release 4.9.12-4 

- kdb: Use-krb5_pac_full_sign_compat() when available
  Resolves: RHBZ#2176406
- OTP: fix-data-type-to-avoid-endianness-issue
  Resolves: RHBZ#2218293
- Upgrade: fix replica agreement
  Resolves: RHBZ#2216551
- Upgrade: add PKI drop-in file if missing
  Resolves: RHBZ#2215336
- Use the python-cryptography parser directly in cert-find
  Resolves: RHBZ#2164349
- Backport test updates
  Resolves: RHBZ#221884

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
Rafael Guterres Jeffman 2023-06-29 17:53:05 -03:00
parent 0d91a32452
commit 9570499a0c
6 changed files with 1068 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

242
0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch Normal file
View File

@ -0,0 +1,242 @@
From 9fe30f21c987bdccf80ef5f6d645fdc59b393bdb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 16 2023 19:09:52 +0000
Subject: Revert "Use the OpenSSL certificate parser in cert-find"
This reverts commit 191880bc9f77c3e8a3cecc82e6eea33ab5ad03e4.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f3380b4..2b18963 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -390,7 +390,6 @@ BuildRequires: python3-pylint
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
BuildRequires: python3-qrcode-core >= 5.0.0
-BuildRequires: python3-pyOpenSSL
BuildRequires: python3-samba
BuildRequires: python3-six
BuildRequires: python3-sss
@@ -862,7 +861,6 @@ Requires: python3-netifaces >= 0.10.4
Requires: python3-pyasn1 >= 0.3.2-2
Requires: python3-pyasn1-modules >= 0.3.2-2
Requires: python3-pyusb
-Requires: python3-pyOpenSSL
Requires: python3-qrcode-core >= 5.0.0
Requires: python3-requests
Requires: python3-six
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index cec3d93..88c6b62 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -30,7 +30,6 @@ import cryptography.x509
from cryptography.hazmat.primitives import hashes, serialization
from dns import resolver, reversename
import six
-import sys
from ipalib import Command, Str, Int, Flag, StrEnum
from ipalib import api
@@ -1623,19 +1622,7 @@ class cert_find(Search, CertMethod):
)
def _get_cert_key(self, cert):
- # for cert-find with a certificate value
- if isinstance(cert, x509.IPACertificate):
- return (DN(cert.issuer), cert.serial_number)
-
- issuer = []
- for oid, value in cert.get_issuer().get_components():
- issuer.append(
- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
- )
- issuer = ','.join(issuer)
- # Use this to flip from OpenSSL reverse to X500 ordering
- issuer = DN(issuer).x500_text()
- return (DN(issuer), cert.get_serial_number())
+ return (DN(cert.issuer), cert.serial_number)
def _cert_search(self, pkey_only, **options):
result = collections.OrderedDict()
@@ -1755,11 +1742,6 @@ class cert_find(Search, CertMethod):
return result, False, complete
def _ldap_search(self, all, pkey_only, no_members, **options):
- # defer import of the OpenSSL module to not affect the requests
- # module which will use pyopenssl if this is available.
- if sys.modules.get('OpenSSL.SSL', False) is None:
- del sys.modules["OpenSSL.SSL"]
- import OpenSSL.crypto
ldap = self.api.Backend.ldap2
filters = []
@@ -1818,14 +1800,12 @@ class cert_find(Search, CertMethod):
ca_enabled = getattr(context, 'ca_enabled')
for entry in entries:
for attr in ('usercertificate', 'usercertificate;binary'):
- for der in entry.raw.get(attr, []):
- cert = OpenSSL.crypto.load_certificate(
- OpenSSL.crypto.FILETYPE_ASN1, der)
+ for cert in entry.get(attr, []):
cert_key = self._get_cert_key(cert)
try:
obj = result[cert_key]
except KeyError:
- obj = {'serial_number': cert.get_serial_number()}
+ obj = {'serial_number': cert.serial_number}
if not pkey_only and (all or not ca_enabled):
# Retrieving certificate details is now deferred
# until after all certificates are collected.
From 3b1dbcdba2994bf57908f530913998e9ab888e4c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 16 2023 19:09:52 +0000
Subject: Revert "cert_find: fix call with --all"
This reverts commit 1f30cc65276a532e7288217f216b72a2b0628c8f.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 88c6b62..ba37525 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1812,7 +1812,6 @@ class cert_find(Search, CertMethod):
# For the case of CA-less we need to keep
# the certificate because getting it again later
# would require unnecessary LDAP searches.
- cert = cert.to_cryptography()
obj['certificate'] = (
base64.b64encode(
cert.public_bytes(x509.Encoding.DER))
From d00fd3398c32beb2c3e72f4878c87f9d2c0e833d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 16 2023 19:09:52 +0000
Subject: Use the python-cryptography parser directly in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the ipalib.x509 IPACertificate class to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
cryptography 0.0081
OpenSSL.crypto 0.2271
ipalib.x509 2.6814
Since only issuer and subject are required there is no need to
make the expensive IPACertificate call.
The IPACertificate parsing time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates (excluding
transmission overhead, etc).
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
When searching with the default sizelimit of 100 the time is
~10s without this patch. With it the time is 1.5s.
CLI times from before and after searching for all certs:
original:
-------------------------------
Number of entries returned 5038
-------------------------------
real 0m15.507s
user 0m0.828s
sys 0m0.241s
using cryptography:
real 0m4.037s
user 0m0.816s
sys 0m0.193s
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index ba37525..619be83 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1800,7 +1800,8 @@ class cert_find(Search, CertMethod):
ca_enabled = getattr(context, 'ca_enabled')
for entry in entries:
for attr in ('usercertificate', 'usercertificate;binary'):
- for cert in entry.get(attr, []):
+ for der in entry.raw.get(attr, []):
+ cert = cryptography.x509.load_der_x509_certificate(der)
cert_key = self._get_cert_key(cert)
try:
obj = result[cert_key]
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 433cebc..583c67f 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -254,6 +254,16 @@ class test_cert(BaseCert):
result = _emails_are_valid(email_addrs, [])
assert not result
+ def test_00012_cert_find_all(self):
+ """
+ Test that cert-find --all returns successfully.
+
+ We don't know how many we'll get but there should be at least 10
+ by default.
+ """
+ res = api.Command['cert_find'](all=True)
+ assert 'count' in res and res['count'] >= 10
+
def test_99999_cleanup(self):
"""
Clean up cert test data
@@ -283,7 +293,7 @@ class test_cert_find(XMLRPC_test):
short = api.env.host.split('.', maxsplit=1)[0]
- def test_0001_find_all(self):
+ def test_0001_find_all_certs(self):
"""
Search for all certificates.

87
0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch Normal file
View File

@ -0,0 +1,87 @@
From 86c1426b2d376a390e87b074d3e10d85fa124abf Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 21 2023 17:02:48 +0000
Subject: Upgrade: add PKI drop-in file if missing
During the installation of IPA server, the installer adds a drop-in
file in /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
that ensures the CA is reachable before the start command returns.
If the file is missing (for instance because the server was installed
with an old version before this drop-in was created), the upgrade
should add the file.
Fixes: https://pagure.io/freeipa/issue/9381
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index dd22ac2..e4dc7ae 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1737,6 +1737,10 @@ def upgrade_configuration():
os.path.join(paths.USR_SHARE_IPA_DIR,
"ipa-kdc-proxy.conf.template"))
if ca.is_configured():
+ # Ensure that the drop-in file is present
+ if not os.path.isfile(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF):
+ ca.add_ipa_wait()
+
# Handle upgrade of AJP connector configuration
rewrite = ca.secure_ajp_connector()
if ca.ajp_secret:
From 356ec5cbfe0876686239f938bdf54892dc30571e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 21 2023 17:02:48 +0000
Subject: Integration test: add a test for upgrade and PKI drop-in file
Add an upgrade test with the following scenario:
- remove PKI drop-in file (to simulate an upgrade from an old
version)
- remove caECServerCertWithSCT profile from LDAP
- launch the ipa-server-upgrade command
- check that the upgrade added the file
Related: https://pagure.io/freeipa/issue/9381
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 9203503..182e3b5 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -455,3 +455,25 @@ class TestUpgrade(IntegrationTest):
assert 'tXTRecord' in location_krb_rec
assert len(location_krb_rec['tXTRecord']) == 1
assert location_krb_rec['tXTRecord'][0] == f'"{realm}"'
+
+ def test_pki_dropin_file(self):
+ """Test that upgrade adds the drop-in file if missing
+
+ Test for ticket 9381
+ Simulate an update from a version that didn't provide
+ /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf,
+ remove one of the certificate profiles from LDAP and check that upgrade
+ completes successfully and adds the missing file.
+ When the drop-in file is missing, the upgrade tries to login to
+ PKI in order to migrate the profile and fails because PKI failed to
+ start.
+ """
+ self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF])
+ ldif = textwrap.dedent("""
+ dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca
+ changetype: delete
+ """)
+ tasks.ldapmodify_dm(self.master, ldif)
+ self.master.run_command(['ipa-server-upgrade'])
+ assert self.master.transport.file_exists(
+ paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)

493
0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch Normal file
View File

@ -0,0 +1,493 @@
<!DOCTYPE html>
<html lang='en'>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Commit - freeipa - d29b47512a39ada02fb371521994576cd9815a6c - Pagure.io</title>
<link rel="shortcut icon" type="image/vnd.microsoft.icon"
href="/theme/static/favicon.ico?version=5.13.3"/>
<link href="/theme/static/fedora-bootstrap-1.3.0/fedora-bootstrap.min.css?version=5.13.3"
type="text/css" rel="stylesheet" />
<link href="/theme/static/fonts/fonts.css?version=5.13.3"
rel="stylesheet" type="text/css" />
<link href="/theme/static/fonts/hack_fonts/css/hack-extended.min.css?version=5.13.3"
type="text/css" rel="stylesheet" />
<link href="/theme/static/theme.css?version=5.13.3"
type="text/css" rel="stylesheet" />
<link type="text/css" rel="stylesheet" nonce="qdLhc1wjRNfkrQnukB32BzvfC" href="/static/vendor/font-awesome/font-awesome.css?version=5.13.3"/>
<link type="text/css" rel="stylesheet" nonce="qdLhc1wjRNfkrQnukB32BzvfC" href="/static/pagure.css?version=5.13.3"/>
<link rel="stylesheet" nonce="qdLhc1wjRNfkrQnukB32BzvfC" href="/static/vendor/highlight.js/styles/github.css?version=5.13.3"/>
<link rel="stylesheet" nonce="qdLhc1wjRNfkrQnukB32BzvfC" href="/static/vendor/diff2html/diff2html.css?version=5.13.3"/>
</head>
<body id="home">
<!-- start masthead -->
<nav class="navbar navbar-light masthead p-0 navbar-expand">
<div class="container">
<a href="/" class="navbar-brand">
<img height="40" src="/theme/static/pagure-logo.png?version=5.13.3"
alt="pagure Logo" id="pagureLogo"/>
</a>
<ul class="navbar-nav ml-auto">
<li class="nav-item">
<a class="btn btn-primary" href="/login/?next=https://pagure.io/freeipa/c/d29b47512a39ada02fb371521994576cd9815a6c">Log In</a>
</li>
</ul>
</div>
</nav>
<!-- close masthead-->
<div class="bodycontent">
<div class="bg-light border border-bottom pt-3">
<div class="container">
<div class="row mb-3">
<div class="col-6">
<div class="row">
<div class="col-auto pr-0">
<h3>
<i class="fa fa-calendar-o fa-rotate-270 text-muted"></i></h3>
</div>
<div class="col-auto pl-2">
<h3 class="mb-0">
<a href="/freeipa"><strong>freeipa</strong></a>
</h3>
</div>
</div>
</div>
<div class="col-6 text-right">
<div class="btn-group">
<div class="btn-group">
<a href="#"
class="btn btn-sm dropdown-toggle btn-outline-primary"
data-toggle="dropdown" id="watch-button">
<i class="fa fa-clone fa-fw"></i>
<span>Clone</span>
</a>
<div class="dropdown-menu dropdown-menu-right">
<div class="m-3" id="source-dropdown">
<div>
<h5><strong>Source Code</strong></h5>
<div class="form-group">
<div class="input-group input-group-sm">
<div class="input-group-prepend"><span class="input-group-text">GIT</span></div>
<input class="form-control bg-white select-on-focus" type="text" value="https://pagure.io/freeipa.git" readonly>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<ul class="nav nav-tabs nav-small border-bottom-0">
<li class="nav-item mr-2 text-dark">
<a class="nav-link active" href="/freeipa">
<i class="fa fa-code fa-fw text-muted"></i>
<span class="d-none d-md-inline">Source</span>
</a>
</li>
<li class="nav-item mr-2 text-dark">
<a class="nav-link" href="/freeipa/issues">
<i class="fa fa-fw text-muted fa-exclamation-circle"></i>
<span class="d-none d-md-inline">Issues&nbsp;</span>
<span class="badge badge-secondary py-0 d-none d-md-inline">
986
</span>
</a>
</li>
<li class="nav-item mr-2 text-dark">
<a class="nav-link" href="/freeipa/roadmap"
class="btn btn-outline-dark btn-sm">
<i class="fa fa-fw text-muted fa-map-signs"></i>
<span class="d-none d-md-inline">Roadmap&nbsp;</span>
</a>
</li>
<li class="nav-item mr-2 text-dark">
<a class="nav-link" href="/freeipa/stats">
<i class="fa fa-line-chart fa-fw text-muted"></i>
<span class="d-none d-md-inline">Stats</span>
</a>
</li>
</ul>
</div>
</div>
<div class="container pt-5 repo-body-container">
<div class="row">
<div class="col">
<nav class="nav nav-tabs nav-sidetabs flex-column">
<a class=
"nav-link nowrap
"
href="/freeipa">
<i class="fa fa-home text-muted fa-fw"></i>&nbsp;<span class="d-none d-md-inline">Overview</span>
</a>
<a class=
"nav-link nowrap
"
href="/freeipa/tree">
<i class="fa fa-file-code-o text-muted fa-fw"></i>&nbsp;Files
</a>
<a class=
"nav-link nowrap
active"
href="/freeipa/commits">
<i class="fa fa-list-alt text-muted fa-fw" data-glyph="spreadsheet"></i>&nbsp;Commits
</a>
<a class=
"nav-link nowrap
"
href="/freeipa/branches">
<i class="fa fa-random text-muted fa-fw"></i>&nbsp;Branches
</a>
<a class=
"nav-link nowrap
"
href="/freeipa/forks">
<i class="fa fa-code-fork text-muted fa-fw"></i>&nbsp;Forks
</a>
<a class=
"nav-link nowrap
"
href="/freeipa/releases">
<i class="fa fa-tags text-muted fa-fw"></i>&nbsp;Releases
</a>
</nav> </div>
<div class="col-10">
<div class="d-flex">
<div>
<h4 class="font-weight-bold">
<span title="d29b47512a39ada02fb371521994576cd9815a6c"><code class="text-white bg-primary">d29b475</code></span>
<span>Upgrade: fix replica agreement</span>
</h4>
<h5 class="text-muted pt-1 mb-0">
Authored and Committed by <img class="avatar circle lazyload" src="https://seccdn.libravatar.org/avatar/1e52aaae9646f0f890f5f6c771cd060c66898d5fdf78e8a6021eb2b75e27ffe2?s=16&d=retro"/> <a title='Florence Blanc-Renaud' href='/user/frenaud' >frenaud</a>
<span title="2023-06-22 15:49:40 UTC" data-toggle="tooltip">7 days ago</span>
</h5>
</div>
<div class="ml-auto">
<div class="btn-group">
<a class="btn btn-outline-primary btn-sm" href="/freeipa/raw/d29b47512a39ada02fb371521994576cd9815a6c" title="View as raw">raw</a>
<a class="btn btn-outline-primary btn-sm" href="/freeipa/c/d29b47512a39ada02fb371521994576cd9815a6c.patch">patch</a>
<a class="btn btn-outline-primary btn-sm" href="/freeipa/tree/d29b47512a39ada02fb371521994576cd9815a6c">tree</a>
<a class="btn btn-outline-primary btn-sm" title=356ec5cbfe0876686239f938bdf54892dc30571e href="/freeipa/c/356ec5cbfe0876686239f938bdf54892dc30571e">parent</a>
</div>
</div>
</div>
<div class="card border-0 mb-3">
<div class="card-header border-0 bg-white font-weight-bold p-0">
<a href="#commit-overview-collapse" data-toggle="collapse" data-target="#commit-overview-collapse">1 file changed.</a>
<span class="text-success">38 lines added</span>.
<span class="text-danger">42 lines removed</span>.
</div>
<div class="card-body p-0 collapse" id="commit-overview-collapse">
<div class="list-group ">
<a href="#_1" class="list-group-item list-group-item-action">
<div class="d-flex">
<div class="font-weight-bold">
ipaserver/install/plugins/fix_replica_agreements.py
</div>
<div class="ml-auto font-weight-bold">
<span class="font-weight-bold btn btn-sm btn-outline-secondary border-0 disabled opacity-100">file modified</span>
<div class="btn-group">
<span class="font-weight-bold btn btn-sm btn-success disabled opacity-100">+38</span>
<span class="font-weight-bold btn btn-sm btn-danger disabled opacity-100">-42</span>
</div>
</div>
</div>
</a> </div>
</div>
</div>
<div class="m-y-1">
<pre class="commit_message_body">
Upgrade: fix replica agreement
The upgrade checks the replication agreements to ensure that
some attributes are excluded from replication. The agreements
are stored in entries like
cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
but those entries are managed by the replication topology plugin
and should not be updated directly. The consequence is that the update
of the attributes fails and ipa-server-update prints an error message:
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
to perform: Entry and attributes are managed by topology <a href="http://plugin.No" rel="nofollow">plugin.No</a> direct
modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
unwilling to perform: Entry and attributes are managed by topology
<a href="http://plugin.No" rel="nofollow">plugin.No</a> direct modifications allowed.
The upgrade continues but the replication is not excluding
passwordgraceusertime.
Instead of editing the agreements, perform the modifications on
the topology segments.
Fixes: <a href="https://pagure.io/freeipa/issue/9385" rel="nofollow">https://pagure.io/freeipa/issue/9385</a>
Signed-off-by: Florence Blanc-Renaud &lt;flo@redhat.com&gt;
Reviewed-By: Rob Crittenden &lt;rcritten@redhat.com&gt;
</pre>
</div>
<section class="commit_diff">
<div class="card mt-3" id="_1">
<div class="card-header">
<div class="d-flex align-items-center">
<div>
<a class="font-weight-bold ml-2" href="/freeipa/blob/d29b47512a39ada02fb371521994576cd9815a6c/f/ipaserver/install/plugins/fix_replica_agreements.py"
title="View file as of d29b475">ipaserver/install/plugins/fix_replica_agreements.py</a>
</div>
<div class="d-flex align-items-center ml-auto">
<div class="btn btn-outline-secondary disabled opacity-100 border-0 font-weight-bold">file modified</div>
<div class="btn-group">
<span class="btn btn-success btn-sm font-weight-bold disabled opacity-100">+38</span>
<span class="btn btn-danger btn-sm font-weight-bold disabled opacity-100">-42</span>
</div>
<a class="btn btn-outline-primary btn-sm ml-2" href="/freeipa/blob/d29b47512a39ada02fb371521994576cd9815a6c/f/ipaserver/install/plugins/fix_replica_agreements.py"
title="View file as of d29b475">
<i class="fa fa-file-code-o fa-fw"></i>
</a>
<a href="diff2html_1" class="btn btn-sm btn-outline-primary diffcollapse ml-2" data-toggle="collapse" data-target="#diff2html_1">
<i class="fa fa-fw fa-caret-up"></i>
</a>
</div></div>
</div>
<div class="diff2html-output collapse show" data-diffno="1" id="diff2html_1"></div>
</div>
</section>
</div>
</div>
</div>
</div>
<div class="footer pt-4 text-white">
<div class="container">
<div class="d-flex align-items-center">
<div>
<div>Powered by <a href="https://pagure.io/pagure" class="notblue">Pagure</a> 5.13.3</div>
<div>
<a href="https://docs.pagure.org/pagure/usage/index.html" class="notblue">Documentation</a> &bull;
<a href="https://pagure.io/pagure/new_issue" class="notblue">File an Issue</a> &bull;
<a href="/about">About</a> &bull;
<a href="/ssh_info" class="notblue">SSH Hostkey/Fingerprint</a>
</div>
</div>
<div class="ml-auto text-right">
<div>&copy; Red Hat, Inc. and others.</div>
</div>
</div>
</div>
</div>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC" src="/static/vendor/jquery/jquery.min.js?version=5.13.3"></script>
<script src="/static/vendor/bootstrap/bootstrap.bundle.min.js?version=5.13.3"></script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC">
$('[data-toggle="tooltip"]').tooltip({placement : 'bottom'});
$(".cancel_btn").click(function() {
history.back();
});
</script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC" src="/static/vendor/lazyload/lazyload.min.js?version=5.13.3"></script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC">
window.addEventListener("load", function(event) {
lazyload();
});
</script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC">
$("#giturl-toggle").on('click', function(event){
event.stopPropagation();
$("#giturl-more").toggle();
$("#giturl-toggle").hide();
})
$(".fork_project_btn").click(function() {
$('#fork_project').submit();
});
$(".select-on-focus").on("focus", function() {
$(this).select();
});
</script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC" src="/static/vendor/diff2html/diff2html.min.js?version=5.13.3"></script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC" src="/static/vendor/highlight.js/highlight.pack.js?version=5.13.3"></script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC" src="/static/vendor/highlight.js/spec.js?version=5.13.3"></script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC" src="/static/vendor/diff2html/diff2html-ui.min.js?version=5.13.3"></script>
<script type="text/javascript" nonce="qdLhc1wjRNfkrQnukB32BzvfC">
$(document).ready(function() {
$(".diffcollapse").click(function(e){
$(this).find("i").toggleClass("fa-caret-down fa-caret-up")
});
});
$(function(){
$('#diff_list_link').click(function(){
$('#diff_list').toggle();
});
});
$.ajax({
url: '/freeipa/c/d29b47512a39ada02fb371521994576cd9815a6c.diff?js=True' ,
type: 'GET',
dataType: 'json',
success: function(res) {
$(".diff2html-output").each(function(){
var diffString = res[$(this).attr("data-diffno")];
var diff2htmlUi = new Diff2HtmlUI({diff: diffString});
diff2htmlUi.draw('#diff2html_'+$(this).attr("data-diffno"), {inputFormat: 'diff'});
diff2htmlUi.highlightCode('#diff2html_'+$(this).attr("data-diffno"));
});
}
});
$.ajax({
url: '/pv/branches/commit/' ,
type: 'POST',
data: {
repo: "freeipa",
repouser: "",
namespace: "",
commit_id: "d29b47512a39ada02fb371521994576cd9815a6c",
csrf_token: "IjBlMjNjZTVhYTU0ZTdiNDg1ODAyM2E4YjRmM2NmZjBhZjkwZTM0ZjQi.F394iA.hp0mU_A319AwGFwaTxBoPMzh1VQ",
},
dataType: 'json',
success: function(res) {
if (res.branches.length == 0){
return;
}
var _br = '';
for (var i = 0; i < res.branches.length; ++i) {
if (_br.length > 0){
_br += ', ';
}
_br += res.branches[i]
}
var el = $('#diff-file-1');
if (!el){
return;
}
el.before(
'<div class=""><i class="fa fa-code-fork"></i> '
+ _br + '</div>');
}
});
</script>
</body>
</html>From 93d97b59600c15e5028ee39b0e98450544165158 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 22 2023 15:49:40 +0000
Subject: Integration tests: add a test to ipa-server-upgrade
Add an integration test ensuring that the upgrade
properly updates the attributes to be excluded from
replication.
Related: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 17092a4..d1e65ef 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -23,8 +23,10 @@ import pytest
from ipaplatform.paths import paths
from ipapython.dn import DN
+from ipaserver.install.replication import EXCLUDES
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_topology import find_segment
def check_replication(source_host, dest_host, login):
@@ -104,6 +106,34 @@ class TestSimpleReplication(IntegrationTest):
[paths.IPA_CUSTODIA_CHECK, self.master.hostname]
)
+ def test_fix_agreements(self):
+ """Test that upgrade fixes the list of attributes excluded from repl
+
+ Test for ticket 9385
+ """
+ # Prepare the server by removing some values from
+ # from the nsDS5ReplicatedAttributeList
+ segment = find_segment(self.master, self.replicas[0], "domain")
+ self.master.run_command([
+ "ipa", "topologysegment-mod", "domain", segment,
+ "--replattrs",
+ "(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn"])
+ # Run the upgrade
+ result = self.master.run_command(["ipa-server-upgrade"])
+ # Ensure that the upgrade updated the attribute without error
+ errmsg = "Error caught updating nsDS5ReplicatedAttributeList"
+ assert errmsg not in result.stdout_text
+ # Check the updated value
+ suffix = DN(self.master.domain.basedn)
+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+ result = tasks.ldapsearch_dm(self.master, str(dn),
+ ["nsDS5ReplicatedAttributeList"])
+ output = result.stdout_text.lower()
+
+ template = 'nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s'
+ expected_value = template % " ".join(EXCLUDES)
+ assert expected_value.lower() in output
+
def test_replica_removal(self):
"""Test replica removal"""
result = self.master.run_command(['ipa-replica-manage', 'list'])

52
0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch Normal file
View File

@ -0,0 +1,52 @@
From a7e167154b889f75463ccc9cd91a75c1afb22da9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jun 28 2023 19:43:16 +0000
Subject: OTP: fix data type to avoid endianness issue
When 389-ds process an OTP authentication, the ipa-pwd-extop
plugin reads a buffer to extract the authentication type.
The type is stored in an int but the data is a ber_tag_t.
On big endian machines the type cast does not cause any issue
but on s390x the buffer that should return 128 is seen as 0.
As a consequence, the plugin considers that the method is not
LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
The fix is simple and consists in using the right type
(ber_tag_t is an unsigned long).
Fixes: https://pagure.io/freeipa/issue/9402
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 9375941..4562652 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
Slapi_DN *target_sdn = NULL;
Slapi_DN *sdn = NULL;
const char *dn = NULL;
- int method = 0;
+ ber_tag_t method = 0;
bool syncreq;
bool otpreq;
int ret = 0;
@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* We're only interested in simple authentication. */
- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
+ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) {
+ LOG("Not handled (not simple bind or NULL dn/credentials)\n");
return 0;
+ }
/* Retrieve the user's entry. */
sdn = slapi_sdn_dup(target_sdn);

173
0006-Backport-test-updates-8-9-release_rhbz#2218847.patch Normal file
View File

@ -0,0 +1,173 @@
From 7a94acca6a9efb546f1cf59f63fcb89f98944ea5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 25 May 2023 08:16:33 +0200
Subject: [PATCH] ACME tests: fix issue_and_expire_acme_cert method
The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.
Fixes: https://pagure.io/freeipa/issue/9383
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_integration/test_acme.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index c73f441fc..c69e810da 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -583,20 +583,20 @@ class TestACMERenew(IntegrationTest):
tasks.kdestroy_all(host)
tasks.move_date(host, 'stop', '+90days')
- tasks.get_kdcinfo(host)
+ tasks.get_kdcinfo(self.master)
# Note raiseonerr=False:
# the assert is located after kdcinfo retrieval.
# run kinit command repeatedly until sssd gets settle
# after date change
tasks.run_repeatedly(
- host, "KRB5_TRACE=/dev/stdout kinit admin",
+ self.master, "KRB5_TRACE=/dev/stdout kinit admin",
stdin_text='{0}\n{0}\n{0}\n'.format(
- self.clients[0].config.admin_password
+ self.master.config.admin_password
)
)
# Retrieve kdc.$REALM after the password change, just in case SSSD
# domain status flipped to online during the password change.
- tasks.get_kdcinfo(host)
+ tasks.get_kdcinfo(self.master)
yield
--
2.41.0
From 998bafee86a870ad1ea4d6bccf12f0fae64c398c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 31 May 2023 11:50:14 +0200
Subject: [PATCH] ipatest: remove xfail from test_smb
test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.
Remove the xfail.
Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_integration/test_smb.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 30f8d5901..eb3981bdd 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -349,7 +349,6 @@ class TestSMB(IntegrationTest):
@pytest.mark.skipif(
osinfo.id == 'fedora' and osinfo.version_number <= (31,),
reason='Test requires krb 1.18')
- @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True)
def test_smb_service_s4u2self(self):
"""Test S4U2Self operation by IPA service
against both AD and IPA users
--
2.41.0
From 1b51fa4cb07380d1102891233e85a7940f804c72 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 11 May 2023 12:50:10 +0530
Subject: [PATCH] ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not
included in krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Test checks that krb5.conf does not include
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
Related: https://pagure.io/freeipa/issue/9267
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_installation_client.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index 014b0f6ab..56e1593bf 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -76,6 +76,21 @@ class TestInstallClient(IntegrationTest):
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+ def test_client_install_with_krb5(self):
+ """Test that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not added in krb5.conf
+
+ SSSD already provides a config snippet which includes
+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
+ Test checks that krb5.conf does not include
+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
+
+ related: https://pagure.io/freeipa/issue/9267
+ """
+ krb5_cfg = self.master.get_file_contents(paths.KRB5_CONF)
+ assert 'includedir {dir}'.format(
+ dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
+ ).encode() not in krb5_cfg
+
class TestClientInstallBind(IntegrationTest):
"""
--
2.41.0
From f599e2d67bad5945e4dcf99fdd584f01f1e20d1e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 6 Jun 2023 09:04:48 +0200
Subject: [PATCH] webuitests: close notification which hides Add button
The webui test test_service.py::test_service::test_arbitrary_certificates
randomly fails.
The test is creating a new service then navigates to the Service page
and clicks on the Add Certificate button.
The notification area may still be present and hide the button, with
the message "Service successfully added".
Close all notifications before navigating to the Service page.
Fixes: https://pagure.io/freeipa/issue/9389
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_webui/test_service.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipatests/test_webui/test_service.py b/ipatests/test_webui/test_service.py
index f1d9a9d62..e2976d73a 100644
--- a/ipatests/test_webui/test_service.py
+++ b/ipatests/test_webui/test_service.py
@@ -296,6 +296,7 @@ class test_service(sevice_tasks):
cert_widget_sel = "div.certificate-widget"
self.add_record(ENTITY, data)
+ self.close_notifications()
self.navigate_to_record(pkey)
# check whether certificate section is present
--
2.41.0

25
ipa.spec
View File

@ -189,7 +189,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Release: 4%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -210,6 +210,11 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch0001: 0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch
Patch0002: 0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch
Patch0003: 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch
Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch
Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@ -370,7 +375,6 @@ BuildRequires: python3-pylint
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
BuildRequires: python3-qrcode-core >= 5.0.0
BuildRequires: python3-pyOpenSSL
BuildRequires: python3-samba
BuildRequires: python3-six
BuildRequires: python3-sss
@ -841,7 +845,6 @@ Requires: python3-netifaces >= 0.10.4
Requires: python3-pyasn1 >= 0.3.2-2
Requires: python3-pyasn1-modules >= 0.3.2-2
Requires: python3-pyusb
Requires: python3-pyOpenSSL
Requires: python3-qrcode-core >= 5.0.0
Requires: python3-requests
Requires: python3-six
@ -1726,11 +1729,25 @@ fi
%endif
%changelog
* Fri Jun 30 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-4
- kdb: Use-krb5_pac_full_sign_compat() when available
Resolves: RHBZ#2176406
- OTP: fix-data-type-to-avoid-endianness-issue
Resolves: RHBZ#2218293
- Upgrade: fix replica agreement
Resolves: RHBZ#2216551
- Upgrade: add PKI drop-in file if missing
Resolves: RHBZ#2215336
- Use the python-cryptography parser directly in cert-find
Resolves: RHBZ#2164349
- Backport test updates
Resolves: RHBZ#221884
* Wed Jun 21 2023 Julien Rische <jrische@redhat.com> - 4.9.12-3
- Rely on sssd-krb5 to include SSSD-generated krb5 configuration
Resolves: RHBZ#2214563
* Thu May 25 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-1
* Thu May 25 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-2
- Use the OpenSSL certificate parser in cert-find
Resolves: RHBZ#2209947