diff --git a/.gitignore b/.gitignore index 0701480..8ff185b 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,5 @@ /freeipa-4.6.0.tar.gz.asc /freeipa-4.6.1.tar.gz /freeipa-4.6.1.tar.gz.asc +/freeipa-4.6.3.tar.gz +/freeipa-4.6.3.tar.gz.asc diff --git a/0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch b/0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch deleted file mode 100644 index 072a9d1..0000000 --- a/0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 7589f2c71de95807dbdb64a845a8dc90e7542ee6 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 17 Oct 2017 09:40:05 +0200 -Subject: [PATCH] Block PyOpenSSL to prevent SELinux execmem in wsgi - -Some dependencies like Dogtag's pki.client library and custodia use -python-requsts to make HTTPS connection. python-requests prefers -PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top -of python-cryptography which trigger a execmem SELinux violation -in the context of Apache HTTPD (httpd_execmem). - -When requests is imported, it always tries to import pyopenssl glue -code from urllib3's contrib directory. The import of PyOpenSSL is -enough to trigger the SELinux denial. - -Block any import of PyOpenSSL's SSL module in wsgi by raising an -ImportError. The block is compatible with new python-requests with -unbundled urllib3, too. - -Fixes: FreeIPA #5442 -Fixes: RHBZ#1491508 -Signed-off-by: Christian Heimes ---- - install/share/wsgi.py | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/install/share/wsgi.py b/install/share/wsgi.py -index e263b81..e5cabc0 100644 ---- a/install/share/wsgi.py -+++ b/install/share/wsgi.py -@@ -25,6 +25,18 @@ WSGI appliction for IPA server. - """ - import logging - import os -+import sys -+ -+# Some dependencies like Dogtag's pki.client library and custodia use -+# python-requsts to make HTTPS connection. python-requests prefers -+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top -+# of python-cryptography which trigger a execmem SELinux violation -+# in the context of Apache HTTPD (httpd_execmem). -+# When requests is imported, it always tries to import pyopenssl glue -+# code from urllib3's contrib directory. The import of PyOpenSSL is -+# enough to trigger the SELinux denial. 
-+# Block any import of PyOpenSSL's SSL module by raising an ImportError -+sys.modules['OpenSSL.SSL'] = None - - from ipaplatform.paths import paths - from ipalib import api --- -2.9.5 - diff --git a/0007-ipa-p11-kit-fixes.patch b/0007-ipa-p11-kit-fixes.patch deleted file mode 100644 index b35933d..0000000 --- a/0007-ipa-p11-kit-fixes.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001 -From: Stanislav Laznicka -Date: Mon, 16 Oct 2017 13:29:07 +0200 -Subject: [PATCH] p11-kit: add serial number in DER format - -This causes Firefox to report our CA certificate as not-trustworthy. -We were previously doing this correctly, however it slipped as an -error due to certificate refactoring. - -https://pagure.io/freeipa/issue/7210 ---- - ipalib/x509.py | 7 +++++++ - ipaplatform/redhat/tasks.py | 4 ++-- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/ipalib/x509.py b/ipalib/x509.py -index 9f7a3c3115..205e2f82d3 100644 ---- a/ipalib/x509.py -+++ b/ipalib/x509.py -@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None): - # some field types encode-decoding is not strongly defined - self._subject = self.__get_der_field('subject') - self._issuer = self.__get_der_field('issuer') -+ self._serial_number = self.__get_der_field('serialNumber') - - def __getstate__(self): - state = { - '_cert': self.public_bytes(Encoding.DER), - '_subject': self.subject_bytes, - '_issuer': self.issuer_bytes, -+ '_serial_number': self._serial_number, - } - return state - - def __setstate__(self, state): - self._subject = state['_subject'] - self._issuer = state['_issuer'] -+ self._issuer = state['_serial_number'] - self._cert = crypto_x509.load_der_x509_certificate( - state['_cert'], backend=default_backend()) - -@@ -216,6 +219,10 @@ def serial_number(self): - return self._cert.serial_number - - @property -+ def serial_number_bytes(self): -+ return self._serial_number -+ -+ @property - def version(self): - return self._cert.version - -diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py -index 81c9286daf..0e7810f623 100644 ---- a/ipaplatform/redhat/tasks.py -+++ b/ipaplatform/redhat/tasks.py -@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): - try: - subject = cert.subject_bytes - issuer = cert.issuer_bytes -- serial_number 
= cert.serial_number -+ serial_number = cert.serial_number_bytes - public_key_info = cert.public_key_info_bytes - except (PyAsn1Error, ValueError, CertificateError) as e: - logger.warning( -@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): - label = urllib.parse.quote(nickname) - subject = urllib.parse.quote(subject) - issuer = urllib.parse.quote(issuer) -- serial_number = urllib.parse.quote(str(serial_number)) -+ serial_number = urllib.parse.quote(serial_number) - public_key_info = urllib.parse.quote(public_key_info) - - obj = ("[p11-kit-object-v1]\n" diff --git a/freeipa.spec b/freeipa.spec index e1c8811..6e09505 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -25,6 +25,12 @@ %endif %endif +%if 0%{?with_python3} +%global python %{__python3} +%else +%global python %{__python2} +%endif + # lint is not executed during rpmbuild # %%global with_lint 1 %if 0%{?with_lint} @@ -44,6 +50,7 @@ %global samba_build_version %{samba_version} %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 +%global python2_ldap_version 2.4.15 %else # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) %global krb5_version 1.15.1-7 
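Review bot: `python3_ldap_version` is defined only in the `%else` branch that the next hunk extends, while this branch gains just `%global python2_ldap_version 2.4.15`. The spec later requires `python3-pyldap >= %{python3_ldap_version}` under `with_python3`, and rpm leaves an undefined macro unexpanded, so a Python 3 build taking this branch would carry the literal text `%{python3_ldap_version}` in its dependencies. If Python 3 is never enabled for this branch that is harmless today. Adding `%global python3_ldap_version 2.4.35.1-2` here, or a comment stating the branch is Python 2 only, keeps the two branches in step. The `%if` that opens this branch lies outside the hunk.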
@@ -54,21 +61,34 @@ %global samba_build_version 2:4.2.1 %global selinux_policy_version 3.13.1-158.4 %global slapi_nis_version 0.56.1 + +# Use python3-pyldap to be compatible with old python3-pyldap 2.x and new +# python3-ldap 3.0. The python3-ldap package also provides python3-pyldap. +%if 0%{?fedora} >= 28 +# https://pagure.io/freeipa/issue/7257 DNSSEC daemons on Python 3 +%global python2_ldap_version 3.0.0-0.4.b4 +%global python3_ldap_version 3.0.0-0.4.b4 +%else +%global python2_ldap_version 2.4.15 +%global python3_ldap_version 2.4.35.1-2 %endif +%endif + + %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa -%global VERSION 4.6.1 +%global VERSION 4.6.3 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 5%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -78,12 +98,6 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -# https://github.com/freeipa/freeipa/pull/1158 -Patch0001: 0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch -# https://github.com/freeipa/freeipa/pull/1137 -Patch0002: 0002-ipa-kdb-support-KDB-DAL-version-7.0.patch -# https://github.com/freeipa/freeipa/pull/1156 -Patch0007: 0007-ipa-p11-kit-fixes.patch # For the timestamp trick in patch application BuildRequires: diffstat 
@@ -92,9 +106,13 @@ BuildRequires: openldap-devel # For KDB DAL version, make explicit dependency so that increase of version # will cause the build to fail due to unsatisfied dependencies. # DAL version change may cause code crash or memory leaks, it is better to fail early. +%if 0%{?fedora} > 27 +BuildRequires: krb5-kdb-version = 7.0 +%else %if 0%{?fedora} > 25 BuildRequires: krb5-kdb-version = 7.0 %endif +%endif BuildRequires: krb5-devel >= %{krb5_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 @@ -104,8 +122,8 @@ BuildRequires: automake BuildRequires: libtool BuildRequires: gettext BuildRequires: gettext-devel -BuildRequires: python-devel -BuildRequires: python-setuptools +BuildRequires: python2-devel +BuildRequires: python2-setuptools %if 0%{?with_python3} BuildRequires: python3-devel BuildRequires: python3-setuptools @@ -141,13 +159,12 @@ BuildRequires: python-lesscpy # Build dependencies for makeapi/makeaci # makeapi/makeaci is using Python 2 only for now # -BuildRequires: python-ldap -BuildRequires: m2crypto -BuildRequires: python-netaddr +BuildRequires: python2-ldap >= %{python2_ldap_version} +BuildRequires: python2-netaddr BuildRequires: python2-pyasn1 BuildRequires: python2-pyasn1-modules BuildRequires: python2-dns -BuildRequires: python-six +BuildRequires: python2-six BuildRequires: python2-libsss_nss_idmap BuildRequires: python2-cffi 
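Review bot: Both arms of the new `%if 0%{?fedora} > 27` conditional emit the same `BuildRequires: krb5-kdb-version = 7.0`, so the added nesting currently changes nothing compared with the existing `%if 0%{?fedora} > 25` block. The comment above says the pin exists so that a DAL version change fails the build early, so the intent of the split matters to whoever bumps it next. If the outer branch is a placeholder for a later DAL version, say so with a line such as `# F28+: same DAL as F26/F27 for now, bump here first`. Otherwise drop the outer `%if`/`%else`.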
@@ -168,18 +185,20 @@ BuildRequires: python3-wheel %endif # with_wheels # -# Build dependencies for lint +# Build dependencies for lint and fastcheck # %if 0%{?with_lint} -BuildRequires: samba-python +BuildRequires: python2-samba # 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199) BuildRequires: python2-cryptography >= 1.6 -BuildRequires: python-gssapi >= 1.2.0-5 +BuildRequires: python2-gssapi >= 1.2.0-5 +BuildRequires: softhsm %if 0%{?fedora} >= 26 BuildRequires: python2-pylint %else BuildRequires: pylint >= 1.7 %endif +BuildRequires: python2-pycodestyle # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 BuildRequires: python2-polib BuildRequires: python2-libipa_hbac @@ -191,23 +210,27 @@ BuildRequires: python2-dns >= 1.15 BuildRequires: jsl BuildRequires: python2-yubico # pki Python package -BuildRequires: pki-base-python2 -BuildRequires: python-pytest-multihost -BuildRequires: python-pytest-sourceorder +BuildRequires: pki-base-python2 >= 10.5.1-2 +BuildRequires: python2-pytest-multihost +BuildRequires: python2-pytest-sourceorder # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 -BuildRequires: python-jwcrypto >= 0.4.2 +BuildRequires: python2-jwcrypto >= 0.4.2 # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825) BuildRequires: python2-custodia >= 0.3.1 +%if 0%{?fedora} >= 28 +BuildRequires: python2-dbus +%else BuildRequires: dbus-python +%endif BuildRequires: python2-dateutil -BuildRequires: python-enum34 -BuildRequires: python-netifaces +BuildRequires: python2-enum34 +BuildRequires: python2-netifaces BuildRequires: python2-sss BuildRequires: python2-sss-murmur BuildRequires: python2-sssdconfig BuildRequires: python2-nose BuildRequires: python2-paste -BuildRequires: systemd-python +BuildRequires: python2-systemd BuildRequires: python2-jinja2 BuildRequires: python2-augeas 
@@ -217,6 +240,7 @@ BuildRequires: python3-samba BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-pylint >= 1.7 +BuildRequires: python3-pycodestyle # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 BuildRequires: python3-polib BuildRequires: python3-libipa_hbac @@ -228,7 +252,7 @@ BuildRequires: python3-qrcode-core >= 5.0.0 BuildRequires: python3-dns >= 1.15 BuildRequires: python3-yubico # pki Python package -BuildRequires: pki-base-python3 +BuildRequires: pki-base-python3 >= 10.5.1-2 BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 @@ -251,7 +275,7 @@ BuildRequires: python3-augeas BuildRequires: python3-netaddr BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules -BuildRequires: python3-pyldap +BuildRequires: python3-pyldap >= %{python3_ldap_version} %endif # with_python3 %endif # with_lint @@ -260,7 +284,6 @@ BuildRequires: python3-pyldap # %if ! %{ONLY_CLIENT} BuildRequires: libcmocka-devel -BuildRequires: nss_wrapper # Required by ipa_kdb_tests BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so %endif # ONLY_CLIENT @@ -283,10 +306,13 @@ Requires: %{name}-client = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} %if 0%{?with_python3} Requires: python3-ipaserver = %{version}-%{release} +Requires: python3-pyldap >= %{python3_ldap_version} %else Requires: python2-ipaserver = %{version}-%{release} +Requires: python2-ldap >= %{python2_ldap_version} %endif -Requires: 389-ds-base >= 1.3.5.14 +# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295 +Requires: 389-ds-base >= 1.3.7.6-1 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 
@@ -297,9 +323,19 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-31 %if 0%{with_python3} +Requires(preun): python3 +Requires(postun): python3 +Requires: python3-gssapi >= 1.2.0-5 +Requires: python3-systemd Requires: python3-mod_wsgi +Conflicts: mod_wsgi %else +Requires(preun): python2 +Requires(postun): python2 +Requires: python2-gssapi >= 1.2.0-5 +Requires: python2-systemd Requires: mod_wsgi +Conflicts: python3-mod_wsgi %endif Requires: mod_auth_gssapi >= 1.5.0 # 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206 @@ -307,8 +343,6 @@ Requires: mod_nss >= 1.0.14-3 Requires: mod_session # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 Requires: mod_lookup_identity >= 0.9.9 -Requires: python-ldap >= 2.4.15 -Requires: python-gssapi >= 1.2.0-5 Requires: acl Requires: systemd-units >= 38 Requires(pre): shadow-utils @@ -317,21 +351,21 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.4.0-1 -Requires: pki-kra >= 10.4.0-1 -Requires(preun): python systemd-units -Requires(postun): python systemd-units +# 10.5.1-2 contains Python 3 vault fix +Requires: pki-ca >= 10.5.1-2 +Requires: pki-kra >= 10.5.1-2 +Requires(preun): systemd-units +Requires(postun): systemd-units Requires: policycoreutils >= 2.1.12-5 Requires: tar -# certmonger-0.79.4-2 fixes newlines in PEM files -Requires(pre): certmonger >= 0.79.4-2 -Requires(pre): 389-ds-base >= 1.3.5.14 +Requires(pre): certmonger >= 0.79.5-1 +# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295 +Requires(pre): 389-ds-base >= 1.3.7.6-1 Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl Requires: softhsm >= 2.0.0rc1-1 Requires: p11-kit -Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip Requires: oddjob 
@@ -374,16 +408,20 @@ Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaclient = %{version}-%{release} Requires: python2-custodia >= 0.3.1 -Requires: python-ldap >= 2.4.15 +Requires: python2-ldap >= %{python2_ldap_version} Requires: python2-lxml -Requires: python-gssapi >= 1.2.0-5 +Requires: python2-gssapi >= 1.2.0-5 Requires: python2-sssdconfig Requires: python2-pyasn1 >= 0.3.2-2 -Requires: dbus-python +%if 0%{?fedora} >= 28 +BuildRequires: python2-dbus +%else +BuildRequires: dbus-python +%endif Requires: python2-dns >= 1.15 -Requires: python-kdcproxy >= 0.3 +Requires: python2-kdcproxy >= 0.3 Requires: rpm-libs -Requires: pki-base-python2 +Requires: pki-base-python2 >= 10.5.1-2 Requires: python2-augeas %description -n python2-ipaserver @@ -407,7 +445,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python3-ipaclient = %{version}-%{release} Requires: python3-custodia >= 0.3.1 # we need pre-requires since earlier versions may break upgrade -Requires(pre): python3-pyldap >= 2.4.35.1-2 +Requires(pre): python3-pyldap >= %{python3_ldap_version} Requires: python3-lxml Requires: python3-gssapi >= 1.2.0 Requires: python3-sssdconfig @@ -417,7 +455,7 @@ Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 Requires: python3-augeas Requires: rpm-libs -Requires: pki-base-python3 +Requires: pki-base-python3 >= 10.5.1-2 %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -491,10 +529,12 @@ Requires: samba-winbind Requires: libsss_idmap %if 0%{?with_python3} +Requires(post): python3 Requires: python3-samba Requires: python3-libsss_nss_idmap Requires: python3-sss %else +Requires(post): python2 Requires: python2-samba Requires: python2-libsss_nss_idmap Requires: python2-sss 
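Review bot: The runtime dependency of python2-ipaserver on the D-Bus bindings becomes a build dependency in this hunk. The old `Requires: dbus-python` is replaced by an `%if 0%{?fedora} >= 28` block whose two lines are `BuildRequires: python2-dbus` and `BuildRequires: dbus-python`. That leaves the installed subpackage with no dependency on the bindings, so code importing `dbus` would presumably fail on a minimal install. Both lines should use the runtime tag, i.e. `Requires: python2-dbus` and `Requires: dbus-python`. The same substitution appears in the hunk at `@@ -689,14 +730,12 @@`, in the preamble that provides python2-ipaplatform.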
@@ -505,7 +545,6 @@ Requires: python2-sss # IPA AD trusts cannot be used at the same time with the locator plugin # since Winbindd will be configured in a different mode Requires(post): %{_sbindir}/update-alternatives -Requires(post): python Requires(postun): %{_sbindir}/update-alternatives Requires(preun): %{_sbindir}/update-alternatives @@ -527,11 +566,16 @@ Group: System Environment/Base Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} %if 0%{?with_python3} +Requires: python3-gssapi >= 1.2.0-5 Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-pyldap >= %{python3_ldap_version} +Requires: python3-sssdconfig %else +Requires: python2-gssapi >= 1.2.0-5 Requires: python2-ipaclient = %{version}-%{release} +Requires: python2-ldap >= %{python2_ldap_version} +Requires: python2-sssdconfig %endif -Requires: python-ldap Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: krb5-workstation >= %{krb5_version} @@ -542,13 +586,10 @@ Requires: initscripts Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd >= 1.14.0 -Requires: python-sssdconfig -# certmonger-0.79.4-2 fixes newlines in PEM files -Requires: certmonger >= 0.79.4-2 +Requires: certmonger >= 0.79.5-1 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir -Requires: python-gssapi >= 1.2.0-5 Requires: libsss_autofs Requires: autofs Requires: libnfsidmap 
@@ -689,14 +730,12 @@ Provides: python2-ipaplatform = %{version}-%{release} %{?python_provide:%python_provide python2-ipaplatform} %{!?python_provide:Provides: python-ipaplatform = %{version}-%{release}} Requires: %{name}-common = %{version}-%{release} -Requires: python-gssapi >= 1.2.0-5 +Requires: python2-gssapi >= 1.2.0-5 Requires: gnupg Requires: keyutils -Requires: pyOpenSSL -Requires: python >= 2.7.9 -Requires: m2crypto +Requires: python2 >= 2.7.9 Requires: python2-cryptography >= 1.6 -Requires: python-netaddr >= %{python_netaddr_version} +Requires: python2-netaddr >= %{python_netaddr_version} Requires: python2-libipa_hbac Requires: python-qrcode-core >= 5.0.0 Requires: python2-pyasn1 >= 0.3.2-2 @@ -704,17 +743,21 @@ Requires: python2-pyasn1-modules >= 0.3.2-2 Requires: python2-dateutil Requires: python2-yubico >= 1.2.3 Requires: python2-sss-murmur -Requires: dbus-python +%if 0%{?fedora} >= 28 +BuildRequires: python2-dbus +%else +BuildRequires: dbus-python +%endif Requires: python2-setuptools -Requires: python-six +Requires: python2-six # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 -Requires: python-jwcrypto >= 0.4.2 +Requires: python2-jwcrypto >= 0.4.2 Requires: python2-cffi -Requires: python-ldap >= 2.4.15 +Requires: python2-ldap >= %{python2_ldap_version} Requires: python2-requests Requires: python2-dns >= 1.15 -Requires: python-enum34 -Requires: python-netifaces >= 0.10.4 +Requires: python2-enum34 +Requires: python2-netifaces >= 0.10.4 Requires: pyusb Conflicts: %{alt_name}-python < %{version} @@ -743,7 +786,6 @@ Requires: %{name}-common = %{version}-%{release} Requires: python3-gssapi >= 1.2.0 Requires: gnupg Requires: keyutils -Requires: python3-pyOpenSSL Requires: python3-cryptography >= 1.6 Requires: python3-netaddr >= %{python_netaddr_version} Requires: python3-libipa_hbac 
@@ -761,7 +803,7 @@ Requires: python3-six Requires: python3-jwcrypto >= 0.4.2 Requires: python3-cffi # we need pre-requires since earlier versions may break upgrade -Requires(pre): python3-pyldap >= 2.4.35.1-2 +Requires(pre): python3-pyldap >= %{python3_ldap_version} Requires: python3-requests Requires: python3-dns >= 1.15 Requires: python3-netifaces >= 0.10.4 @@ -818,8 +860,8 @@ Requires: python2-paste Requires: python2-coverage # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 Requires: python2-polib -Requires: python-pytest-multihost >= 0.5 -Requires: python-pytest-sourceorder +Requires: python2-pytest-multihost >= 0.5 +Requires: python2-pytest-sourceorder Requires: ldns-utils Requires: python2-sssdconfig Requires: python2-cryptography >= 1.6 @@ -946,6 +988,7 @@ install/tools/ipa-cacert-manage install/tools/ipa-compat-manage install/tools/ipa-csreplica-manage install/tools/ipa-custodia +install/tools/ipa-custodia-check install/tools/ipa-dns-install install/tools/ipa-httpd-kdcproxy install/tools/ipa-kra-install 
@@ -1055,10 +1098,21 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2 -# test framework defaults to Python 2 +%endif # with_ipatests + +# Decide which Python (2 or 3) should be used as default for tests +%if 0%{?with_ipatests} +%if 0%{?with_python3} +# Building with python3 => make it default for tests +ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests +ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config +ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task +%else +# Building python2 only => make it default for tests ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task +%endif # with_python3 %endif # with_ipatests # Move /usr/bin/ipa out of the way 
@@ -1141,24 +1195,21 @@ fi %posttrans server # don't execute upgrade and restart of IPA when server is not installed -python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 +%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # This is necessary for Fedora system upgrades which by default # work with the network being offline /bin/systemctl start network-online.target - # This must be run in posttrans so that updates from previous - # execution that may no longer be shipped are not applied. - /usr/sbin/ipa-server-upgrade --quiet >/dev/null || : - # Restart IPA processes. This must be also run in postrans so that plugins - # and software is in consistent state + # and software is in consistent state. This will also perform the + # system upgrade. # NOTE: systemd specific section /bin/systemctl is-enabled ipa.service >/dev/null 2>&1 if [ $? -eq 0 ]; then - /bin/systemctl restart ipa.service >/dev/null 2>&1 || : + /bin/systemctl restart ipa.service >/dev/null fi fi # END @@ -1210,7 +1261,7 @@ fi %posttrans server-trust-ad -python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 +%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : @@ -1261,7 +1312,7 @@ if [ $1 -gt 1 ] ; then fi if [ $restore -ge 2 ]; then - python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 + %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi fi 
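Review bot: In `%posttrans server` the data upgrade now happens only as a side effect of `/bin/systemctl restart ipa.service`, which is still guarded by `systemctl is-enabled ipa.service`, so a configured server whose unit is disabled gets the new packages but no upgrade run. The outer guard also sends the `%{python} -c "... is_ipa_configured() ..."` probe to `/dev/null 2>&1`, so an import failure looks the same as "not configured" and the block is skipped silently. The comment should state that precondition, e.g. `# upgrade runs via the ipa.service restart; with the unit disabled run ipa-server-upgrade by hand`, or an `else` branch could report the skipped upgrade. Dropping `|| :` also lets a failed restart set the scriptlet's exit status, which appears deliberate but deserves a word in the same comment.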
@@ -1334,6 +1385,7 @@ fi %{_libexecdir}/certmonger/ipa-server-guard %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-custodia +%{_libexecdir}/ipa/ipa-custodia-check %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter @@ -1615,9 +1667,14 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb +# old dbm format %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db +# new sql format +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db +%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt %ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit %dir %{_localstatedir}/lib/ipa-client @@ -1649,6 +1706,7 @@ fi %{python_sitelib}/ipapython-*.egg-info %{python_sitelib}/ipalib-*.egg-info %{python_sitelib}/ipaplatform-*.egg-info +%{python_sitelib}/ipaplatform-*-nspkg.pth %files common -f %{gettext_domain}.lang @@ -1670,6 +1728,7 @@ fi %{python3_sitelib}/ipapython-*.egg-info %{python3_sitelib}/ipalib-*.egg-info %{python3_sitelib}/ipaplatform-*.egg-info +%{python3_sitelib}/ipaplatform-*-nspkg.pth %endif # with_python3 @@ -1716,6 +1775,9 @@ fi %endif # with_ipatests %changelog +* Wed Jan 31 2018 Rob Crittenden - 4.6.3-1 +- Update to upstream 4.6.3 + * Wed Jan 03 2018 Lumír Balhar - 4.6.1-5 - Fix directory ownership in python3 subpackage diff --git a/sources b/sources index 5f513d1..b415a0b 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.6.1.tar.gz) = 0b2a1bacf8462f92b366c73111b3b04b67f6b9bd4b57a3fd69bd1b531e3d78f26f8fe53dee48b167f2c2803990c8687e8b72c2f85be36b69b3057c2a71e8bfd4
-SHA512 (freeipa-4.6.1.tar.gz.asc) = c1164f7a4e1cfea1d6b7da38a024ba92eee7e3dea52783d691926e8874588f964be27e47754369494afc70bd64aa7b400f5918c11bc7a782c50d15693d4ad245
+SHA512 (freeipa-4.6.3.tar.gz) = 5013c2f080757c3faf56976a11dd9c60c07a88dba80a31a167bfee6ad43052a9e98b7aa26af4a8f1791378baaec04671b3087d735d5597e5617e8cacd0a85142
+SHA512 (freeipa-4.6.3.tar.gz.asc) = 06c73d96f18b6e6d8c0193f5f30460849dc5ae8eb29eefbc6f10db7da4b0515949b18f3d143ad57b1d39a5aecf59a1735e5e909315dce10dee5fe507bfe542b0