4.6.3-1: rebase to upstream 4.6.3

.gitignore

@@ -59,3 +59,5 @@
 /freeipa-4.6.0.tar.gz.asc
 /freeipa-4.6.1.tar.gz
 /freeipa-4.6.1.tar.gz.asc
+/freeipa-4.6.3.tar.gz
+/freeipa-4.6.3.tar.gz.asc

0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch

@@ -1,52 +0,0 @@
-From 7589f2c71de95807dbdb64a845a8dc90e7542ee6 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Tue, 17 Oct 2017 09:40:05 +0200
-Subject: [PATCH] Block PyOpenSSL to prevent SELinux execmem in wsgi
-
-Some dependencies like Dogtag's pki.client library and custodia use
-python-requsts to make HTTPS connection. python-requests prefers
-PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
-of python-cryptography which trigger a execmem SELinux violation
-in the context of Apache HTTPD (httpd_execmem).
-
-When requests is imported, it always tries to import pyopenssl glue
-code from urllib3's contrib directory. The import of PyOpenSSL is
-enough to trigger the SELinux denial.
-
-Block any import of PyOpenSSL's SSL module in wsgi by raising an
-ImportError. The block is compatible with new python-requests with
-unbundled urllib3, too.
-
-Fixes: FreeIPA #5442
-Fixes: RHBZ#1491508
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
----
- install/share/wsgi.py | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/install/share/wsgi.py b/install/share/wsgi.py
-index e263b81..e5cabc0 100644
---- a/install/share/wsgi.py
-+++ b/install/share/wsgi.py
-@@ -25,6 +25,18 @@ WSGI appliction for IPA server.
- """
- import logging
- import os
-+import sys
-+
-+# Some dependencies like Dogtag's pki.client library and custodia use
-+# python-requsts to make HTTPS connection. python-requests prefers
-+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
-+# of python-cryptography which trigger a execmem SELinux violation
-+# in the context of Apache HTTPD (httpd_execmem).
-+# When requests is imported, it always tries to import pyopenssl glue
-+# code from urllib3's contrib directory. The import of PyOpenSSL is
-+# enough to trigger the SELinux denial.
-+# Block any import of PyOpenSSL's SSL module by raising an ImportError
-+sys.modules['OpenSSL.SSL'] = None
- 
- from ipaplatform.paths import paths
- from ipalib import api
--- 
-2.9.5
-

0007-ipa-p11-kit-fixes.patch

@@ -1,74 +0,0 @@
-From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001
-From: Stanislav Laznicka <slaznick@redhat.com>
-Date: Mon, 16 Oct 2017 13:29:07 +0200
-Subject: [PATCH] p11-kit: add serial number in DER format
-
-This causes Firefox to report our CA certificate as not-trustworthy.
-We were previously doing this correctly, however it slipped as an
-error due to certificate refactoring.
-
-https://pagure.io/freeipa/issue/7210
----
- ipalib/x509.py              | 7 +++++++
- ipaplatform/redhat/tasks.py | 4 ++--
- 2 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/ipalib/x509.py b/ipalib/x509.py
-index 9f7a3c3115..205e2f82d3 100644
---- a/ipalib/x509.py
-+++ b/ipalib/x509.py
-@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None):
-         # some field types encode-decoding is not strongly defined
-         self._subject = self.__get_der_field('subject')
-         self._issuer = self.__get_der_field('issuer')
-+        self._serial_number = self.__get_der_field('serialNumber')
- 
-     def __getstate__(self):
-         state = {
-             '_cert': self.public_bytes(Encoding.DER),
-             '_subject': self.subject_bytes,
-             '_issuer': self.issuer_bytes,
-+            '_serial_number': self._serial_number,
-         }
-         return state
- 
-     def __setstate__(self, state):
-         self._subject = state['_subject']
-         self._issuer = state['_issuer']
-+        self._issuer = state['_serial_number']
-         self._cert = crypto_x509.load_der_x509_certificate(
-             state['_cert'], backend=default_backend())
- 
-@@ -216,6 +219,10 @@ def serial_number(self):
-         return self._cert.serial_number
- 
-     @property
-+    def serial_number_bytes(self):
-+        return self._serial_number
-+
-+    @property
-     def version(self):
-         return self._cert.version
- 
-diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
-index 81c9286daf..0e7810f623 100644
---- a/ipaplatform/redhat/tasks.py
-+++ b/ipaplatform/redhat/tasks.py
-@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-             try:
-                 subject = cert.subject_bytes
-                 issuer = cert.issuer_bytes
--                serial_number = cert.serial_number
-+                serial_number = cert.serial_number_bytes
-                 public_key_info = cert.public_key_info_bytes
-             except (PyAsn1Error, ValueError, CertificateError) as e:
-                 logger.warning(
-@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-             label = urllib.parse.quote(nickname)
-             subject = urllib.parse.quote(subject)
-             issuer = urllib.parse.quote(issuer)
--            serial_number = urllib.parse.quote(str(serial_number))
-+            serial_number = urllib.parse.quote(serial_number)
-             public_key_info = urllib.parse.quote(public_key_info)
- 
-             obj = ("[p11-kit-object-v1]\n"

freeipa.spec

@@ -25,6 +25,12 @@
 %endif
 %endif
 
+%if 0%{?with_python3}
+%global python %{__python3}
+%else
+%global python %{__python2}
+%endif
+
 # lint is not executed during rpmbuild
 # %%global with_lint 1
 %if 0%{?with_lint}
@@ -44,6 +50,7 @@
 %global samba_build_version %{samba_version}
 %global selinux_policy_version 3.12.1-153
 %global slapi_nis_version 0.56.0-4
+%global python2_ldap_version 2.4.15
 %else
 # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
 %global krb5_version 1.15.1-7
@@ -54,21 +61,34 @@
 %global samba_build_version 2:4.2.1
 %global selinux_policy_version 3.13.1-158.4
 %global slapi_nis_version 0.56.1
+
+# Use python3-pyldap to be compatible with old python3-pyldap 2.x and new
+# python3-ldap 3.0. The python3-ldap package also provides python3-pyldap.
+%if 0%{?fedora} >= 28
+# https://pagure.io/freeipa/issue/7257 DNSSEC daemons on Python 3
+%global python2_ldap_version 3.0.0-0.4.b4
+%global python3_ldap_version 3.0.0-0.4.b4
+%else
+%global python2_ldap_version 2.4.15
+%global python3_ldap_version 2.4.35.1-2
 %endif
 
+%endif
+
+
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
 
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
 
-%global VERSION 4.6.1
+%global VERSION 4.6.3
 
 %define _hardened_build 1
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        5%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -78,12 +98,6 @@ Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-# https://github.com/freeipa/freeipa/pull/1158
-Patch0001:      0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch
-# https://github.com/freeipa/freeipa/pull/1137
-Patch0002:      0002-ipa-kdb-support-KDB-DAL-version-7.0.patch
-# https://github.com/freeipa/freeipa/pull/1156
-Patch0007:      0007-ipa-p11-kit-fixes.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -92,9 +106,13 @@ BuildRequires:  openldap-devel
 # For KDB DAL version, make explicit dependency so that increase of version
 # will cause the build to fail due to unsatisfied dependencies.
 # DAL version change may cause code crash or memory leaks, it is better to fail early.
+%if 0%{?fedora} > 27
+BuildRequires: krb5-kdb-version = 7.0
+%else
 %if 0%{?fedora} > 25
 BuildRequires: krb5-kdb-version = 7.0
 %endif
+%endif
 BuildRequires:  krb5-devel >= %{krb5_version}
 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
@@ -104,8 +122,8 @@ BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  gettext
 BuildRequires:  gettext-devel
-BuildRequires:  python-devel
+BuildRequires:  python2-devel
-BuildRequires:  python-setuptools
+BuildRequires:  python2-setuptools
 %if 0%{?with_python3}
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
@@ -141,13 +159,12 @@ BuildRequires:  python-lesscpy
 # Build dependencies for makeapi/makeaci
 # makeapi/makeaci is using Python 2 only for now
 #
-BuildRequires:  python-ldap
+BuildRequires:  python2-ldap >= %{python2_ldap_version}
-BuildRequires:  m2crypto
+BuildRequires:  python2-netaddr
-BuildRequires:  python-netaddr
 BuildRequires:  python2-pyasn1
 BuildRequires:  python2-pyasn1-modules
 BuildRequires:  python2-dns
-BuildRequires:  python-six
+BuildRequires:  python2-six
 BuildRequires:  python2-libsss_nss_idmap
 BuildRequires:  python2-cffi
 
@@ -168,18 +185,20 @@ BuildRequires:  python3-wheel
 %endif # with_wheels
 
 #
-# Build dependencies for lint
+# Build dependencies for lint and fastcheck
 #
 %if 0%{?with_lint}
-BuildRequires:  samba-python
+BuildRequires:  python2-samba
 # 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
 BuildRequires:  python2-cryptography >= 1.6
-BuildRequires:  python-gssapi >= 1.2.0-5
+BuildRequires:  python2-gssapi >= 1.2.0-5
+BuildRequires:  softhsm
 %if 0%{?fedora} >= 26
 BuildRequires:  python2-pylint
 %else
 BuildRequires:  pylint >= 1.7
 %endif
+BuildRequires:  python2-pycodestyle
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires:  python2-polib
 BuildRequires:  python2-libipa_hbac
@@ -191,23 +210,27 @@ BuildRequires:  python2-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python2-yubico
 # pki Python package
-BuildRequires:  pki-base-python2
+BuildRequires:  pki-base-python2 >= 10.5.1-2
-BuildRequires:  python-pytest-multihost
+BuildRequires:  python2-pytest-multihost
-BuildRequires:  python-pytest-sourceorder
+BuildRequires:  python2-pytest-sourceorder
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
-BuildRequires:  python-jwcrypto >= 0.4.2
+BuildRequires:  python2-jwcrypto >= 0.4.2
 # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
 BuildRequires:  python2-custodia >= 0.3.1
+%if 0%{?fedora} >= 28
+BuildRequires:  python2-dbus
+%else
 BuildRequires:  dbus-python
+%endif
 BuildRequires:  python2-dateutil
-BuildRequires:  python-enum34
+BuildRequires:  python2-enum34
-BuildRequires:  python-netifaces
+BuildRequires:  python2-netifaces
 BuildRequires:  python2-sss
 BuildRequires:  python2-sss-murmur
 BuildRequires:  python2-sssdconfig
 BuildRequires:  python2-nose
 BuildRequires:  python2-paste
-BuildRequires:  systemd-python
+BuildRequires:  python2-systemd
 BuildRequires:  python2-jinja2
 BuildRequires:  python2-augeas
 
@@ -217,6 +240,7 @@ BuildRequires:  python3-samba
 BuildRequires:  python3-cryptography >= 1.6
 BuildRequires:  python3-gssapi >= 1.2.0
 BuildRequires:  python3-pylint >= 1.7
+BuildRequires:  python3-pycodestyle
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires:  python3-polib
 BuildRequires:  python3-libipa_hbac
@@ -228,7 +252,7 @@ BuildRequires:  python3-qrcode-core >= 5.0.0
 BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
-BuildRequires:  pki-base-python3
+BuildRequires:  pki-base-python3 >= 10.5.1-2
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@@ -251,7 +275,7 @@ BuildRequires:  python3-augeas
 BuildRequires:  python3-netaddr
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
-BuildRequires:  python3-pyldap
+BuildRequires:  python3-pyldap >= %{python3_ldap_version}
 %endif # with_python3
 %endif # with_lint
 
@@ -260,7 +284,6 @@ BuildRequires:  python3-pyldap
 #
 %if ! %{ONLY_CLIENT}
 BuildRequires:  libcmocka-devel
-BuildRequires:  nss_wrapper
 # Required by ipa_kdb_tests
 BuildRequires:  %{_libdir}/krb5/plugins/kdb/db2.so
 %endif # ONLY_CLIENT
@@ -283,10 +306,13 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 %if 0%{?with_python3}
 Requires: python3-ipaserver = %{version}-%{release}
+Requires: python3-pyldap >= %{python3_ldap_version}
 %else
 Requires: python2-ipaserver = %{version}-%{release}
+Requires: python2-ldap >= %{python2_ldap_version}
 %endif
-Requires: 389-ds-base >= 1.3.5.14
+# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
+Requires: 389-ds-base >= 1.3.7.6-1
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -297,9 +323,19 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-31
 %if 0%{with_python3}
+Requires(preun): python3
+Requires(postun): python3
+Requires: python3-gssapi >= 1.2.0-5
+Requires: python3-systemd
 Requires: python3-mod_wsgi
+Conflicts: mod_wsgi
 %else
+Requires(preun): python2
+Requires(postun): python2
+Requires: python2-gssapi >= 1.2.0-5
+Requires: python2-systemd
 Requires: mod_wsgi
+Conflicts: python3-mod_wsgi
 %endif
 Requires: mod_auth_gssapi >= 1.5.0
 # 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
@@ -307,8 +343,6 @@ Requires: mod_nss >= 1.0.14-3
 Requires: mod_session
 # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
 Requires: mod_lookup_identity >= 0.9.9
-Requires: python-ldap >= 2.4.15
-Requires: python-gssapi >= 1.2.0-5
 Requires: acl
 Requires: systemd-units >= 38
 Requires(pre): shadow-utils
@@ -317,21 +351,21 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.4.0-1
+# 10.5.1-2 contains Python 3 vault fix
-Requires: pki-kra >= 10.4.0-1
+Requires: pki-ca >= 10.5.1-2
-Requires(preun): python systemd-units
+Requires: pki-kra >= 10.5.1-2
-Requires(postun): python systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
-# certmonger-0.79.4-2 fixes newlines in PEM files
+Requires(pre): certmonger >= 0.79.5-1
-Requires(pre): certmonger >= 0.79.4-2
+# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires(pre): 389-ds-base >= 1.3.5.14
+Requires(pre): 389-ds-base >= 1.3.7.6-1
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
 Requires: softhsm >= 2.0.0rc1-1
 Requires: p11-kit
-Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
@@ -374,16 +408,20 @@ Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
 Requires: python2-custodia >= 0.3.1
-Requires: python-ldap >= 2.4.15
+Requires: python2-ldap >= %{python2_ldap_version}
 Requires: python2-lxml
-Requires: python-gssapi >= 1.2.0-5
+Requires: python2-gssapi >= 1.2.0-5
 Requires: python2-sssdconfig
 Requires: python2-pyasn1 >= 0.3.2-2
-Requires: dbus-python
+%if 0%{?fedora} >= 28
+BuildRequires:  python2-dbus
+%else
+BuildRequires:  dbus-python
+%endif
 Requires: python2-dns >= 1.15
-Requires: python-kdcproxy >= 0.3
+Requires: python2-kdcproxy >= 0.3
 Requires: rpm-libs
-Requires: pki-base-python2
+Requires: pki-base-python2 >= 10.5.1-2
 Requires: python2-augeas
 
 %description -n python2-ipaserver
@@ -407,7 +445,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-custodia >= 0.3.1
 # we need pre-requires since earlier versions may break upgrade
-Requires(pre): python3-pyldap >= 2.4.35.1-2
+Requires(pre): python3-pyldap >= %{python3_ldap_version}
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
@@ -417,7 +455,7 @@ Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: python3-augeas
 Requires: rpm-libs
-Requires: pki-base-python3
+Requires: pki-base-python3 >= 10.5.1-2
 
 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -491,10 +529,12 @@ Requires: samba-winbind
 Requires: libsss_idmap
 
 %if 0%{?with_python3}
+Requires(post): python3
 Requires: python3-samba
 Requires: python3-libsss_nss_idmap
 Requires: python3-sss
 %else
+Requires(post): python2
 Requires: python2-samba
 Requires: python2-libsss_nss_idmap
 Requires: python2-sss
@@ -505,7 +545,6 @@ Requires: python2-sss
 # IPA AD trusts cannot be used at the same time with the locator plugin
 # since Winbindd will be configured in a different mode
 Requires(post): %{_sbindir}/update-alternatives
-Requires(post): python
 Requires(postun): %{_sbindir}/update-alternatives
 Requires(preun): %{_sbindir}/update-alternatives
 
@@ -527,11 +566,16 @@ Group: System Environment/Base
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 %if 0%{?with_python3}
+Requires: python3-gssapi >= 1.2.0-5
 Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-pyldap >= %{python3_ldap_version}
+Requires: python3-sssdconfig
 %else
+Requires: python2-gssapi >= 1.2.0-5
 Requires: python2-ipaclient = %{version}-%{release}
+Requires: python2-ldap >= %{python2_ldap_version}
+Requires: python2-sssdconfig
 %endif
-Requires: python-ldap
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: krb5-workstation >= %{krb5_version}
@@ -542,13 +586,10 @@ Requires: initscripts
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.14.0
-Requires: python-sssdconfig
+Requires: certmonger >= 0.79.5-1
-# certmonger-0.79.4-2 fixes newlines in PEM files
-Requires: certmonger >= 0.79.4-2
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
-Requires: python-gssapi >= 1.2.0-5
 Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
@@ -689,14 +730,12 @@ Provides: python2-ipaplatform = %{version}-%{release}
 %{?python_provide:%python_provide python2-ipaplatform}
 %{!?python_provide:Provides: python-ipaplatform = %{version}-%{release}}
 Requires: %{name}-common = %{version}-%{release}
-Requires: python-gssapi >= 1.2.0-5
+Requires: python2-gssapi >= 1.2.0-5
 Requires: gnupg
 Requires: keyutils
-Requires: pyOpenSSL
+Requires: python2 >= 2.7.9
-Requires: python >= 2.7.9
-Requires: m2crypto
 Requires: python2-cryptography >= 1.6
-Requires: python-netaddr >= %{python_netaddr_version}
+Requires: python2-netaddr >= %{python_netaddr_version}
 Requires: python2-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
 Requires: python2-pyasn1 >= 0.3.2-2
@@ -704,17 +743,21 @@ Requires: python2-pyasn1-modules >= 0.3.2-2
 Requires: python2-dateutil
 Requires: python2-yubico >= 1.2.3
 Requires: python2-sss-murmur
-Requires: dbus-python
+%if 0%{?fedora} >= 28
+BuildRequires:  python2-dbus
+%else
+BuildRequires:  dbus-python
+%endif
 Requires: python2-setuptools
-Requires: python-six
+Requires: python2-six
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
-Requires: python-jwcrypto >= 0.4.2
+Requires: python2-jwcrypto >= 0.4.2
 Requires: python2-cffi
-Requires: python-ldap >= 2.4.15
+Requires: python2-ldap >= %{python2_ldap_version}
 Requires: python2-requests
 Requires: python2-dns >= 1.15
-Requires: python-enum34
+Requires: python2-enum34
-Requires: python-netifaces >= 0.10.4
+Requires: python2-netifaces >= 0.10.4
 Requires: pyusb
 
 Conflicts: %{alt_name}-python < %{version}
@@ -743,7 +786,6 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python3-gssapi >= 1.2.0
 Requires: gnupg
 Requires: keyutils
-Requires: python3-pyOpenSSL
 Requires: python3-cryptography >= 1.6
 Requires: python3-netaddr >= %{python_netaddr_version}
 Requires: python3-libipa_hbac
@@ -761,7 +803,7 @@ Requires: python3-six
 Requires: python3-jwcrypto >= 0.4.2
 Requires: python3-cffi
 # we need pre-requires since earlier versions may break upgrade
-Requires(pre): python3-pyldap >= 2.4.35.1-2
+Requires(pre): python3-pyldap >= %{python3_ldap_version}
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -818,8 +860,8 @@ Requires: python2-paste
 Requires: python2-coverage
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 Requires: python2-polib
-Requires: python-pytest-multihost >= 0.5
+Requires: python2-pytest-multihost >= 0.5
-Requires: python-pytest-sourceorder
+Requires: python2-pytest-sourceorder
 Requires: ldns-utils
 Requires: python2-sssdconfig
 Requires: python2-cryptography >= 1.6
@@ -946,6 +988,7 @@ install/tools/ipa-cacert-manage
 install/tools/ipa-compat-manage
 install/tools/ipa-csreplica-manage
 install/tools/ipa-custodia
+install/tools/ipa-custodia-check
 install/tools/ipa-dns-install
 install/tools/ipa-httpd-kdcproxy
 install/tools/ipa-kra-install
@@ -1055,10 +1098,21 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p
 ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2
 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2
 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2
-# test framework defaults to Python 2
+%endif # with_ipatests
+
+# Decide which Python (2 or 3) should be used as default for tests
+%if 0%{?with_ipatests}
+%if 0%{?with_python3}
+# Building with python3 => make it default for tests
+ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
+ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
+ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
+%else
+# Building python2 only => make it default for tests
 ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests
 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config
 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task
+%endif # with_python3
 %endif # with_ipatests
 
 # Move /usr/bin/ipa out of the way
@@ -1141,24 +1195,21 @@ fi
 
 %posttrans server
 # don't execute upgrade and restart of IPA when server is not installed
-python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
 
 if [  $? -eq 0 ]; then
     # This is necessary for Fedora system upgrades which by default
     # work with the network being offline
     /bin/systemctl start network-online.target
 
-    # This must be run in posttrans so that updates from previous
-    # execution that may no longer be shipped are not applied.
-    /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
-
     # Restart IPA processes. This must be also run in postrans so that plugins
-    # and software is in consistent state
+    # and software is in consistent state. This will also perform the
+    # system upgrade.
     # NOTE: systemd specific section
 
     /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
     if [  $? -eq 0 ]; then
-        /bin/systemctl restart ipa.service >/dev/null 2>&1 || :
+        /bin/systemctl restart ipa.service >/dev/null
     fi
 fi
 # END
@@ -1210,7 +1261,7 @@ fi
 
 
 %posttrans server-trust-ad
-python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
 if [  $? -eq 0 ]; then
 # NOTE: systemd specific section
     /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
@@ -1261,7 +1312,7 @@ if [ $1 -gt 1 ] ; then
     fi
 
     if [ $restore -ge 2 ]; then
-        python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
+        %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
     fi
 fi
 
@@ -1334,6 +1385,7 @@ fi
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-custodia
+%{_libexecdir}/ipa/ipa-custodia-check
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
@@ -1615,9 +1667,14 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
+# old dbm format
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
+# new sql format
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
 %ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
 %dir %{_localstatedir}/lib/ipa-client
@@ -1649,6 +1706,7 @@ fi
 %{python_sitelib}/ipapython-*.egg-info
 %{python_sitelib}/ipalib-*.egg-info
 %{python_sitelib}/ipaplatform-*.egg-info
+%{python_sitelib}/ipaplatform-*-nspkg.pth
 
 
 %files common -f %{gettext_domain}.lang
@@ -1670,6 +1728,7 @@ fi
 %{python3_sitelib}/ipapython-*.egg-info
 %{python3_sitelib}/ipalib-*.egg-info
 %{python3_sitelib}/ipaplatform-*.egg-info
+%{python3_sitelib}/ipaplatform-*-nspkg.pth
 
 %endif # with_python3
 
@@ -1716,6 +1775,9 @@ fi
 %endif # with_ipatests
 
 %changelog
+* Wed Jan 31 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-1
+- Update to upstream 4.6.3
+
 * Wed Jan 03 2018 Lumír Balhar <lbalhar@redhat.com> - 4.6.1-5
 - Fix directory ownership in python3 subpackage
 

sources

@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.6.1.tar.gz) = 0b2a1bacf8462f92b366c73111b3b04b67f6b9bd4b57a3fd69bd1b531e3d78f26f8fe53dee48b167f2c2803990c8687e8b72c2f85be36b69b3057c2a71e8bfd4
+SHA512 (freeipa-4.6.3.tar.gz) = 5013c2f080757c3faf56976a11dd9c60c07a88dba80a31a167bfee6ad43052a9e98b7aa26af4a8f1791378baaec04671b3087d735d5597e5617e8cacd0a85142
-SHA512 (freeipa-4.6.1.tar.gz.asc) = c1164f7a4e1cfea1d6b7da38a024ba92eee7e3dea52783d691926e8874588f964be27e47754369494afc70bd64aa7b400f5918c11bc7a782c50d15693d4ad245
+SHA512 (freeipa-4.6.3.tar.gz.asc) = 06c73d96f18b6e6d8c0193f5f30460849dc5ae8eb29eefbc6f10db7da4b0515949b18f3d143ad57b1d39a5aecf59a1735e5e909315dce10dee5fe507bfe542b0