From 9570499a0c990bd6b9dbdf5e794c363dee34f462 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Thu, 29 Jun 2023 17:53:05 -0300
Subject: [PATCH] ipa release 4.9.12-4

- kdb: Use-krb5_pac_full_sign_compat() when available
  Resolves: RHBZ#2176406
- OTP: fix-data-type-to-avoid-endianness-issue
  Resolves: RHBZ#2218293
- Upgrade: fix replica agreement
  Resolves: RHBZ#2216551
- Upgrade: add PKI drop-in file if missing
  Resolves: RHBZ#2215336
- Use the python-cryptography parser directly in cert-find
  Resolves: RHBZ#2164349
- Backport test updates
  Resolves: RHBZ#221884

Signed-off-by: Rafael Guterres Jeffman
---
 ...r-directly-in-cert-find_rhbz#2164349.patch | 242 +++++++++
 ...drop-in-file-if-missing_rhbz#2215336.patch | 87 ++++
 ...e-fix-replica-agreement_rhbz#2216551.patch | 493 ++++++++++++++++++
 ...-avoid-endianness-issue_rhbz#2218293.patch | 52 ++
 ...est-updates-8-9-release_rhbz#2218847.patch | 173 ++++++
 ipa.spec | 25 +-
 6 files changed, 1068 insertions(+), 4 deletions(-)
 create mode 100644 0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch
 create mode 100644 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch
 create mode 100644 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch
 create mode 100644 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
 create mode 100644 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch
diff --git a/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch b/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch
new file mode 100644
index 0000000..7fc5737
--- /dev/null
+++ b/0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch
@@ -0,0 +1,242 @@ +From 9fe30f21c987bdccf80ef5f6d645fdc59b393bdb Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jun 16 2023 19:09:52 +0000 +Subject: Revert "Use the OpenSSL certificate parser in cert-find" + + +This reverts commit 191880bc9f77c3e8a3cecc82e6eea33ab5ad03e4. + +The problem isn't with python-cryptography, it is with the +IPACertificate class which does way more work on a certificate +than is necessary in cert-find. + +Related: https://pagure.io/freeipa/issue/9331 +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index f3380b4..2b18963 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -390,7 +390,6 @@ BuildRequires: python3-pylint + BuildRequires: python3-pytest-multihost + BuildRequires: python3-pytest-sourceorder + BuildRequires: python3-qrcode-core >= 5.0.0 +-BuildRequires: python3-pyOpenSSL + BuildRequires: python3-samba + BuildRequires: python3-six + BuildRequires: python3-sss +@@ -862,7 +861,6 @@ Requires: python3-netifaces >= 0.10.4 + Requires: python3-pyasn1 >= 0.3.2-2 + Requires: python3-pyasn1-modules >= 0.3.2-2 + Requires: python3-pyusb +-Requires: python3-pyOpenSSL + Requires: python3-qrcode-core >= 5.0.0 + Requires: python3-requests + Requires: python3-six +diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py +index cec3d93..88c6b62 100644 +--- a/ipaserver/plugins/cert.py ++++ b/ipaserver/plugins/cert.py +@@ -30,7 +30,6 @@ import cryptography.x509 + from cryptography.hazmat.primitives import hashes, serialization + from dns import resolver, reversename + import six +-import sys + + from ipalib import Command, Str, Int, Flag, StrEnum + from ipalib import api +@@ -1623,19 +1622,7 @@ class cert_find(Search, CertMethod): + ) + + def _get_cert_key(self, cert): +- # for cert-find with a certificate value +- if isinstance(cert, x509.IPACertificate): +- return (DN(cert.issuer), cert.serial_number) +- +- issuer = [] +- for oid, value in cert.get_issuer().get_components(): +- 
issuer.append( +- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8')) +- ) +- issuer = ','.join(issuer) +- # Use this to flip from OpenSSL reverse to X500 ordering +- issuer = DN(issuer).x500_text() +- return (DN(issuer), cert.get_serial_number()) ++ return (DN(cert.issuer), cert.serial_number) + + def _cert_search(self, pkey_only, **options): + result = collections.OrderedDict() +@@ -1755,11 +1742,6 @@ class cert_find(Search, CertMethod): + return result, False, complete + + def _ldap_search(self, all, pkey_only, no_members, **options): +- # defer import of the OpenSSL module to not affect the requests +- # module which will use pyopenssl if this is available. +- if sys.modules.get('OpenSSL.SSL', False) is None: +- del sys.modules["OpenSSL.SSL"] +- import OpenSSL.crypto + ldap = self.api.Backend.ldap2 + + filters = [] +@@ -1818,14 +1800,12 @@ class cert_find(Search, CertMethod): + ca_enabled = getattr(context, 'ca_enabled') + for entry in entries: + for attr in ('usercertificate', 'usercertificate;binary'): +- for der in entry.raw.get(attr, []): +- cert = OpenSSL.crypto.load_certificate( +- OpenSSL.crypto.FILETYPE_ASN1, der) ++ for cert in entry.get(attr, []): + cert_key = self._get_cert_key(cert) + try: + obj = result[cert_key] + except KeyError: +- obj = {'serial_number': cert.get_serial_number()} ++ obj = {'serial_number': cert.serial_number} + if not pkey_only and (all or not ca_enabled): + # Retrieving certificate details is now deferred + # until after all certificates are collected. + +From 3b1dbcdba2994bf57908f530913998e9ab888e4c Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jun 16 2023 19:09:52 +0000 +Subject: Revert "cert_find: fix call with --all" + + +This reverts commit 1f30cc65276a532e7288217f216b72a2b0628c8f. + +The problem isn't with python-cryptography, it is with the +IPACertificate class which does way more work on a certificate +than is necessary in cert-find. 
+ +Related: https://pagure.io/freeipa/issue/9331 +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py +index 88c6b62..ba37525 100644 +--- a/ipaserver/plugins/cert.py ++++ b/ipaserver/plugins/cert.py +@@ -1812,7 +1812,6 @@ class cert_find(Search, CertMethod): + # For the case of CA-less we need to keep + # the certificate because getting it again later + # would require unnecessary LDAP searches. +- cert = cert.to_cryptography() + obj['certificate'] = ( + base64.b64encode( + cert.public_bytes(x509.Encoding.DER)) + +From d00fd3398c32beb2c3e72f4878c87f9d2c0e833d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jun 16 2023 19:09:52 +0000 +Subject: Use the python-cryptography parser directly in cert-find + + +cert-find is a rather complex beast because it not only +looks for certificates in the optional CA but within the +IPA LDAP database as well. It has a process to deduplicate +the certificates since any PKI issued certificates will +also be associated with an IPA record. + +In order to obtain the data to deduplicate the certificates +the cert from LDAP must be parser for issuer and serial number. +ipaldap has automation to determine the datatype of an +attribute and will use the ipalib.x509 IPACertificate class to +decode a certificate automatically if you access +entry['usercertificate']. + +The downside is that this is comparatively slow. Here is the +parse time in microseconds: + +cryptography 0.0081 +OpenSSL.crypto 0.2271 +ipalib.x509 2.6814 + +Since only issuer and subject are required there is no need to +make the expensive IPACertificate call. + +The IPACertificate parsing time is fine if you're parsing one +certificate but if the LDAP search returns a lot of certificates, +say in the thousands, then those microseconds add up quickly. +In testing it took ~17 seconds to parse 5k certificates (excluding +transmission overhead, etc). 
+ +cert-find when there are a lot of certificates has been +historically slow. It isn't related to the CA which returns +large sets (well, 5k anyway) in a second or two. It was the +LDAP comparision adding tens of seconds to the runtime. + +When searching with the default sizelimit of 100 the time is +~10s without this patch. With it the time is 1.5s. + +CLI times from before and after searching for all certs: + +original: + +------------------------------- +Number of entries returned 5038 +------------------------------- +real 0m15.507s +user 0m0.828s +sys 0m0.241s + +using cryptography: + +real 0m4.037s +user 0m0.816s +sys 0m0.193s + +Fixes: https://pagure.io/freeipa/issue/9331 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py +index ba37525..619be83 100644 +--- a/ipaserver/plugins/cert.py ++++ b/ipaserver/plugins/cert.py +@@ -1800,7 +1800,8 @@ class cert_find(Search, CertMethod): + ca_enabled = getattr(context, 'ca_enabled') + for entry in entries: + for attr in ('usercertificate', 'usercertificate;binary'): +- for cert in entry.get(attr, []): ++ for der in entry.raw.get(attr, []): ++ cert = cryptography.x509.load_der_x509_certificate(der) + cert_key = self._get_cert_key(cert) + try: + obj = result[cert_key] +diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py +index 433cebc..583c67f 100644 +--- a/ipatests/test_xmlrpc/test_cert_plugin.py ++++ b/ipatests/test_xmlrpc/test_cert_plugin.py +@@ -254,6 +254,16 @@ class test_cert(BaseCert): + result = _emails_are_valid(email_addrs, []) + assert not result + ++ def test_00012_cert_find_all(self): ++ """ ++ Test that cert-find --all returns successfully. ++ ++ We don't know how many we'll get but there should be at least 10 ++ by default. 
++ """ ++ res = api.Command['cert_find'](all=True) ++ assert 'count' in res and res['count'] >= 10 ++ + def test_99999_cleanup(self): + """ + Clean up cert test data +@@ -283,7 +293,7 @@ class test_cert_find(XMLRPC_test): + + short = api.env.host.split('.', maxsplit=1)[0] + +- def test_0001_find_all(self): ++ def test_0001_find_all_certs(self): + """ + Search for all certificates. + + diff --git a/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch b/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch new file mode 100644 index 0000000..b719fa3 --- /dev/null +++ b/0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch 
@@ -0,0 +1,87 @@
+From 86c1426b2d376a390e87b074d3e10d85fa124abf Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Jun 21 2023 17:02:48 +0000
+Subject: Upgrade: add PKI drop-in file if missing
+
+
+During the installation of IPA server, the installer adds a drop-in
+file in /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
+that ensures the CA is reachable before the start command returns.
+If the file is missing (for instance because the server was installed
+with an old version before this drop-in was created), the upgrade
+should add the file.
+
+Fixes: https://pagure.io/freeipa/issue/9381
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+
+---
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index dd22ac2..e4dc7ae 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1737,6 +1737,10 @@ def upgrade_configuration():
+ os.path.join(paths.USR_SHARE_IPA_DIR,
+ "ipa-kdc-proxy.conf.template"))
+ if ca.is_configured():
++ # Ensure that the drop-in file is present
++ if not os.path.isfile(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF):
++ ca.add_ipa_wait()
++
+ # Handle upgrade of AJP connector configuration
+ rewrite = ca.secure_ajp_connector()
+ if ca.ajp_secret:
+
+From 356ec5cbfe0876686239f938bdf54892dc30571e Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Jun 21 2023 17:02:48 +0000
+Subject: Integration test: add a test for upgrade and PKI drop-in file
+
+
+Add an upgrade test with the following scenario:
+- remove PKI drop-in file (to simulate an upgrade from an old
+version)
+- remove caECServerCertWithSCT profile from LDAP
+- launch the ipa-server-upgrade command
+- check that the upgrade added the file
+
+Related: https://pagure.io/freeipa/issue/9381
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+
+---
+
+diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
+index 
9203503..182e3b5 100644 +--- a/ipatests/test_integration/test_upgrade.py ++++ b/ipatests/test_integration/test_upgrade.py +@@ -455,3 +455,25 @@ class TestUpgrade(IntegrationTest): + assert 'tXTRecord' in location_krb_rec + assert len(location_krb_rec['tXTRecord']) == 1 + assert location_krb_rec['tXTRecord'][0] == f'"{realm}"' ++ ++ def test_pki_dropin_file(self): ++ """Test that upgrade adds the drop-in file if missing ++ ++ Test for ticket 9381 ++ Simulate an update from a version that didn't provide ++ /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf, ++ remove one of the certificate profiles from LDAP and check that upgrade ++ completes successfully and adds the missing file. ++ When the drop-in file is missing, the upgrade tries to login to ++ PKI in order to migrate the profile and fails because PKI failed to ++ start. ++ """ ++ self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF]) ++ ldif = textwrap.dedent(""" ++ dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca ++ changetype: delete ++ """) ++ tasks.ldapmodify_dm(self.master, ldif) ++ self.master.run_command(['ipa-server-upgrade']) ++ assert self.master.transport.file_exists( ++ paths.SYSTEMD_PKI_TOMCAT_IPA_CONF) + diff --git a/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch b/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch new file mode 100644 index 0000000..34e672f --- /dev/null +++ b/0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch @@ -0,0 +1,493 @@ + + + + + + Commit - freeipa - d29b47512a39ada02fb371521994576cd9815a6c - Pagure.io + + + + + + + + + + + + + + + + + + +
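Review bot: The branch added to `upgrade_configuration()` only checks `os.path.isfile(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)` before calling `ca.add_ipa_wait()`, and nothing in the hunk shows whether `add_ipa_wait()` runs `systemctl daemon-reload` after writing the drop-in; a unit drop-in written under `/etc/systemd/system/` is ignored until a reload, so if the helper does not reload, the same upgrade that restores the file still starts pki-tomcatd without the wait, which is exactly the failure the new `test_pki_dropin_file` describes. The test only asserts the file exists afterwards, so it would not notice that; checking that the upgrade did not log the PKI login failure would cover it. I would also document the intent on the new branch: `# Servers installed before the drop-in existed lack it; restore it so pki-tomcatd start blocks until the CA answers (add_ipa_wait is expected to daemon-reload)`. `upgrade_configuration()` starts and ends outside the hunk.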
+ + +
+
+
+
+
+
+

+

+
+
+

+freeipa +

+
+
+
+
+
+
+ + + Clone + + + +
+
+
+
+ + +
+
+ +
+
+ +
+
+
+

+ d29b475 + Upgrade: fix replica agreement +

+
+ Authored and Committed by frenaud + 7 days ago +
+
+
+
+ raw + patch + tree + parent +
+
+
+ + + + +
+
+    Upgrade: fix replica agreement
+    
+    The upgrade checks the replication agreements to ensure that
+    some attributes are excluded from replication. The agreements
+    are stored in entries like
+    cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
+    but those entries are managed by the replication topology plugin
+    and should not be updated directly. The consequence is that the update
+    of the attributes fails and ipa-server-update prints an error message:
+    
+    Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
+    to perform: Entry and attributes are managed by topology plugin.No direct
+    modifications allowed.
+    Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
+    unwilling to perform: Entry and attributes are managed by topology
+    plugin.No direct modifications allowed.
+    
+    The upgrade continues but the replication is not excluding
+    passwordgraceusertime.
+    
+    Instead of editing the agreements, perform the modifications on
+    the topology segments.
+    
+    Fixes: https://pagure.io/freeipa/issue/9385
+    Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+    
+        
+
+ + + + + +
+
+
+
+ + + + + + + +
+
file modified
+ +
+ +38 + -42 +
+ + + + + + + + + +
+
+
+ +
+
+ + +
+
+ + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +From 93d97b59600c15e5028ee39b0e98450544165158 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Jun 22 2023 15:49:40 +0000 +Subject: Integration tests: add a test to ipa-server-upgrade + + +Add an integration test ensuring that the upgrade +properly updates the attributes to be excluded from +replication. + +Related: https://pagure.io/freeipa/issue/9385 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden + +--- + +diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py +index 17092a4..d1e65ef 100644 +--- a/ipatests/test_integration/test_simple_replication.py ++++ b/ipatests/test_integration/test_simple_replication.py +@@ -23,8 +23,10 @@ import pytest + + from ipaplatform.paths import paths + from ipapython.dn import DN ++from ipaserver.install.replication import EXCLUDES + from ipatests.pytest_ipa.integration import tasks + from ipatests.test_integration.base import IntegrationTest ++from ipatests.test_integration.test_topology import find_segment + + + def check_replication(source_host, dest_host, login): +@@ -104,6 +106,34 @@ class TestSimpleReplication(IntegrationTest): + [paths.IPA_CUSTODIA_CHECK, self.master.hostname] + ) + ++ def test_fix_agreements(self): ++ """Test that upgrade fixes the list of attributes excluded from repl ++ ++ Test for ticket 9385 ++ """ ++ # Prepare the server by removing some values from ++ # from the nsDS5ReplicatedAttributeList ++ segment = find_segment(self.master, self.replicas[0], "domain") ++ self.master.run_command([ ++ "ipa", "topologysegment-mod", "domain", segment, ++ "--replattrs", ++ "(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn"]) ++ # Run the upgrade ++ result = self.master.run_command(["ipa-server-upgrade"]) ++ # Ensure that the upgrade updated the attribute without error ++ errmsg = "Error caught updating nsDS5ReplicatedAttributeList" ++ assert errmsg not in 
result.stdout_text
++ # Check the updated value
++ suffix = DN(self.master.domain.basedn)
++ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
++ result = tasks.ldapsearch_dm(self.master, str(dn),
++ ["nsDS5ReplicatedAttributeList"])
++ output = result.stdout_text.lower()
++
++ template = 'nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s'
++ expected_value = template % " ".join(EXCLUDES)
++ assert expected_value.lower() in output
++
+ def test_replica_removal(self):
+ """Test replica removal"""
+ result = self.master.run_command(['ipa-replica-manage', 'list'])
+
diff --git a/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch b/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
new file mode 100644
index 0000000..6d5b7b6
--- /dev/null
+++ b/0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch
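Review bot: The file `0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch` added in this hunk does not start with a git `From <sha>` header: its first hundred-odd lines are a saved Pagure page (`Commit - freeipa - d29b475... - Pagure.io`, `Clone`, `raw patch tree parent`, `file modified +38 -42`) and the diff of that one modified file is not present at all; only the second, properly formatted commit (93d97b5, the integration test) is a real patch. `%patch`/`git am` will either reject the HTML preamble or apply just the test, so the replication-agreement fix the changelog claims for RHBZ#2216551 is not shipped, while the new `test_fix_agreements` will fail against this build. Regenerate the file from the `patch` link of that page (the `.patch` URL for d29b47512a39ada02fb371521994576cd9815a6c) so it begins with `From d29b47512a39ada02fb371521994576cd9815a6c Mon Sep 17 00:00:00 2001` and carries the `+38 -42` hunk, then re-check the 493-line diffstat. The one piece of code that is reviewable here, `test_fix_agreements`, asserts only on `result.stdout_text`; if ipa-server-upgrade reports the "Error caught updating" message on stderr or only in its log file, the assertion should cover those as well.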
@@ -0,0 +1,52 @@
+From a7e167154b889f75463ccc9cd91a75c1afb22da9 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Jun 28 2023 19:43:16 +0000
+Subject: OTP: fix data type to avoid endianness issue
+
+
+When 389-ds process an OTP authentication, the ipa-pwd-extop
+plugin reads a buffer to extract the authentication type.
+The type is stored in an int but the data is a ber_tag_t.
+
+On big endian machines the type cast does not cause any issue
+but on s390x the buffer that should return 128 is seen as 0.
+
+As a consequence, the plugin considers that the method is not
+LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
+
+The fix is simple and consists in using the right type
+(ber_tag_t is an unsigned long).
+
+Fixes: https://pagure.io/freeipa/issue/9402
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+
+---
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 9375941..4562652 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ Slapi_DN *target_sdn = NULL;
+ Slapi_DN *sdn = NULL;
+ const char *dn = NULL;
+- int method = 0;
++ ber_tag_t method = 0;
+ bool syncreq;
+ bool otpreq;
+ int ret = 0;
+@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ }
+
+ /* We're only interested in simple authentication. */
+- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
++ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) {
++ LOG("Not handled (not simple bind or NULL dn/credentials)\n");
+ return 0;
++ }
+
+ /* Retrieve the user's entry. */
+ sdn = slapi_sdn_dup(target_sdn);
+
diff --git a/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch b/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch
new file mode 100644
index 0000000..8b44931
--- /dev/null
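Review bot: The change to `ber_tag_t method` in `ipapwd_pre_bind` fixes more than a misread value and the code should say so: the pblock getter that fills `method` (above the hunk) stores a `ber_tag_t`, an `unsigned long` in 389-ds, through the pointer, so with `int method` on an LP64 build it wrote past a 4-byte stack slot and which half landed in `method` was decided by byte order — big-endian s390x saw the zero high half, little-endian hosts worked by accident, the opposite of what the description claims; confirm against the slapi headers in use. A comment on the declaration such as `/* SLAPI_BIND_METHOD yields a ber_tag_t; a narrower type is overrun by slapi_pblock_get() */` would stop the next reader from "simplifying" it back. The new `LOG(...)` also fires on every non-simple bind (SASL/GSSAPI included), which will be noisy on a busy server unless `LOG` is debug-level, and its text mentions a NULL DN although the condition only tests `credentials->bv_len == 0`; `LOG("Not handled (not a simple bind, or empty credentials)\n");` describes what is actually checked. `ipapwd_pre_bind` begins before and continues after the hunk.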
+++ b/0006-Backport-test-updates-8-9-release_rhbz#2218847.patch 
@@ -0,0 +1,173 @@ +From 7a94acca6a9efb546f1cf59f63fcb89f98944ea5 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 25 May 2023 08:16:33 +0200 +Subject: [PATCH] ACME tests: fix issue_and_expire_acme_cert method + +The fixture issue_and_expire_acme_cert is changing the date +on master and client. It also resets the admin password as +it gets expired after the date change. +Currently the code is resetting the password by performing +kinit on the client, which leaves the master with an expired +ticket in its cache. Reset the password on the master instead +in order to have a valid ticket for the next operations. + +Fixes: https://pagure.io/freeipa/issue/9383 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Mohammad Rizwan +--- + ipatests/test_integration/test_acme.py | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py +index c73f441fc..c69e810da 100644 +--- a/ipatests/test_integration/test_acme.py ++++ b/ipatests/test_integration/test_acme.py +@@ -583,20 +583,20 @@ class TestACMERenew(IntegrationTest): + tasks.kdestroy_all(host) + tasks.move_date(host, 'stop', '+90days') + +- tasks.get_kdcinfo(host) ++ tasks.get_kdcinfo(self.master) + # Note raiseonerr=False: + # the assert is located after kdcinfo retrieval. + # run kinit command repeatedly until sssd gets settle + # after date change + tasks.run_repeatedly( +- host, "KRB5_TRACE=/dev/stdout kinit admin", ++ self.master, "KRB5_TRACE=/dev/stdout kinit admin", + stdin_text='{0}\n{0}\n{0}\n'.format( +- self.clients[0].config.admin_password ++ self.master.config.admin_password + ) + ) + # Retrieve kdc.$REALM after the password change, just in case SSSD + # domain status flipped to online during the password change. 
+- tasks.get_kdcinfo(host) ++ tasks.get_kdcinfo(self.master) + + yield + +-- +2.41.0 + +From 998bafee86a870ad1ea4d6bccf12f0fae64c398c Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 31 May 2023 11:50:14 +0200 +Subject: [PATCH] ipatest: remove xfail from test_smb + +test_smb is now successful because the windows server version +has been updated to windows-server-2022 with +- KB5012170 +- KB5025230 +- KB5022507 +- servicing stack 10.0.20348.1663 +in freeipa-pr-ci commit 3ba4151. + +Remove the xfail. + +Fixes: https://pagure.io/freeipa/issue/9124 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Mohammad Rizwan +--- + ipatests/test_integration/test_smb.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py +index 30f8d5901..eb3981bdd 100644 +--- a/ipatests/test_integration/test_smb.py ++++ b/ipatests/test_integration/test_smb.py +@@ -349,7 +349,6 @@ class TestSMB(IntegrationTest): + @pytest.mark.skipif( + osinfo.id == 'fedora' and osinfo.version_number <= (31,), + reason='Test requires krb 1.18') +- @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True) + def test_smb_service_s4u2self(self): + """Test S4U2Self operation by IPA service + against both AD and IPA users +-- +2.41.0 + +From 1b51fa4cb07380d1102891233e85a7940f804c72 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 11 May 2023 12:50:10 +0530 +Subject: [PATCH] ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not + included in krb5.conf + +SSSD already provides a config snippet which includes +SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java. +Test checks that krb5.conf does not include +SSSD_PUBCONF_KRB5_INCLUDE_D_DIR. 
+ +Related: https://pagure.io/freeipa/issue/9267 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +--- + .../test_integration/test_installation_client.py | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py +index 014b0f6ab..56e1593bf 100644 +--- a/ipatests/test_integration/test_installation_client.py ++++ b/ipatests/test_integration/test_installation_client.py +@@ -76,6 +76,21 @@ class TestInstallClient(IntegrationTest): + result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config']) + assert 'HostKeyAlgorithms' not in result.stdout_text + ++ def test_client_install_with_krb5(self): ++ """Test that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not added in krb5.conf ++ ++ SSSD already provides a config snippet which includes ++ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java. ++ Test checks that krb5.conf does not include ++ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR. ++ ++ related: https://pagure.io/freeipa/issue/9267 ++ """ ++ krb5_cfg = self.master.get_file_contents(paths.KRB5_CONF) ++ assert 'includedir {dir}'.format( ++ dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR ++ ).encode() not in krb5_cfg ++ + + class TestClientInstallBind(IntegrationTest): + """ +-- +2.41.0 + +From f599e2d67bad5945e4dcf99fdd584f01f1e20d1e Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 6 Jun 2023 09:04:48 +0200 +Subject: [PATCH] webuitests: close notification which hides Add button + +The webui test test_service.py::test_service::test_arbitrary_certificates +randomly fails. +The test is creating a new service then navigates to the Service page +and clicks on the Add Certificate button. +The notification area may still be present and hide the button, with +the message "Service successfully added". +Close all notifications before navigating to the Service page. 
+ +Fixes: https://pagure.io/freeipa/issue/9389 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +--- + ipatests/test_webui/test_service.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipatests/test_webui/test_service.py b/ipatests/test_webui/test_service.py +index f1d9a9d62..e2976d73a 100644 +--- a/ipatests/test_webui/test_service.py ++++ b/ipatests/test_webui/test_service.py +@@ -296,6 +296,7 @@ class test_service(sevice_tasks): + cert_widget_sel = "div.certificate-widget" + + self.add_record(ENTITY, data) ++ self.close_notifications() + self.navigate_to_record(pkey) + + # check whether certificate section is present +-- +2.41.0 + diff --git a/ipa.spec b/ipa.spec index 384f800..9dfc118 100644 --- a/ipa.spec +++ b/ipa.spec @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 4%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -210,6 +210,11 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 Patch0001: 0001-user-or-group-name-explain-the-supported-format_rhbz#2150217.patch +Patch0002: 0002-Use-the-python-cryptography-parser-directly-in-cert-find_rhbz#2164349.patch +Patch0003: 0003-Upgrade-add-PKI-drop-in-file-if-missing_rhbz#2215336.patch +Patch0004: 0004-Upgrade-fix-replica-agreement_rhbz#2216551.patch +Patch0005: 0005-OTP-fix-data-type-to-avoid-endianness-issue_rhbz#2218293.patch +Patch0006: 0006-Backport-test-updates-8-9-release_rhbz#2218847.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch 
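Review bot: `test_client_install_with_krb5` in `TestInstallClient` reads `self.master.get_file_contents(paths.KRB5_CONF)`, i.e. the server's krb5.conf, while its docstring and the sibling test just above it (`self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])`) are about the client installation; unless the intent really is to check the master, this should be `krb5_cfg = self.clients[0].get_file_contents(paths.KRB5_CONF)`, otherwise the test passes without exercising the client install it is named after. In `TestACMERenew` the kinit retry now runs on the master while `tasks.kdestroy_all(host)` and `tasks.move_date(host, ...)` just above it still act per host, so a short comment such as `# reset the expired admin password on the master so later API calls run with a valid ticket` would mark the asymmetry as deliberate. The fixture containing that code starts before the hunk.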
@@ -370,7 +375,6 @@ BuildRequires: python3-pylint
 BuildRequires: python3-pytest-multihost
 BuildRequires: python3-pytest-sourceorder
 BuildRequires: python3-qrcode-core >= 5.0.0
-BuildRequires: python3-pyOpenSSL
 BuildRequires: python3-samba
 BuildRequires: python3-six
 BuildRequires: python3-sss
@@ -841,7 +845,6 @@ Requires: python3-netifaces >= 0.10.4
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-pyusb
-Requires: python3-pyOpenSSL
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-requests
 Requires: python3-six
@@ -1726,11 +1729,25 @@ fi
 %endif
 %changelog
+* Fri Jun 30 2023 Rafael Jeffman - 4.9.12-4
+- kdb: Use-krb5_pac_full_sign_compat() when available
+ Resolves: RHBZ#2176406
+- OTP: fix-data-type-to-avoid-endianness-issue
+ Resolves: RHBZ#2218293
+- Upgrade: fix replica agreement
+ Resolves: RHBZ#2216551
+- Upgrade: add PKI drop-in file if missing
+ Resolves: RHBZ#2215336
+- Use the python-cryptography parser directly in cert-find
+ Resolves: RHBZ#2164349
+- Backport test updates
+ Resolves: RHBZ#221884
+
 * Wed Jun 21 2023 Julien Rische - 4.9.12-3
 - Rely on sssd-krb5 to include SSSD-generated krb5 configuration
 Resolves: RHBZ#2214563
-* Thu May 25 2023 Rafael Jeffman - 4.9.12-1
+* Thu May 25 2023 Rafael Jeffman - 4.9.12-2
 - Use the OpenSSL certificate parser in cert-find
 Resolves: RHBZ#2209947
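Review bot: The new changelog entry lists `kdb: Use-krb5_pac_full_sign_compat() when available / Resolves: RHBZ#2176406` as part of 4.9.12-4, but no `Patch000N:` line and no patch file for it are added by this commit (the diffstat shows only 0002–0006 and ipa.spec, and Version stays at 4.9.12), so either the entry is wrong or the kdb fix was left out of the build. The last entry's `Resolves: RHBZ#221884` is missing a digit — the patch file name says `rhbz#2218847` — and should read `  Resolves: RHBZ#2218847`. Both need settling before the build, since downstream tooling keys errata on these numbers; the `python3-pyOpenSSL` removals themselves are consistent with the reverted cert-find patch.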