diff --git a/.gitignore b/.gitignore index c25669c..8860c90 100644 --- a/.gitignore +++ b/.gitignore @@ -96,3 +96,5 @@ /freeipa-4.8.10.tar.gz.asc /freeipa-4.9.0rc1.tar.gz /freeipa-4.9.0rc1.tar.gz.asc +/freeipa-4.9.0rc2.tar.gz +/freeipa-4.9.0rc2.tar.gz.asc diff --git a/freeipa.spec b/freeipa.spec index f77ddb5..306ad9c 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -15,10 +15,8 @@ # 389-ds-base 1.4 no longer supports i686 platform, build only client # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 -%if 0%{?fedora} >= 28 || 0%{?rhel} > 7 - %ifarch %{ix86} - %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} - %endif +%ifarch %{ix86} + %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} %endif # Define ONLY_CLIENT to only make the ipa-client and ipa-python @@ -35,10 +33,18 @@ %endif # Whether to build ipatests -%global with_ipatests_option %{?_with_ipatests} +%if %{with ipatests} + %global with_ipatests_option --with-ipatests +%else + %global with_ipatests_option --without-ipatests +%endif # Whether to use XML-RPC with ipa-join -%global with_ipa_join_xml_option %{?_with_ipa_join_xml} +%if %{with ipa_join_xml} + %global with_ipa_join_xml_option --with-ipa-join-xml +%else + %global with_ipa_join_xml_option --without-ipa-join-xml +%endif # lint is not executed during rpmbuild # %%global with_lint 1 @@ -49,7 +55,7 @@ %endif # Include SELinux subpackage -%if 0%{?fedora} >= 30 || 0%{?rhel} +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 %global with_selinux 1 %global selinuxtype targeted %global modulename ipa @@ -58,7 +64,7 @@ %if 0%{?rhel} %global package_name ipa %global alt_name freeipa -%global krb5_version 1.18.2 +%global krb5_version 1.18.2-2 %global krb5_kdb_version 8.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.19 
@@ -73,25 +79,22 @@
 %global ds_version 1.4.2.4-6
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
+%global bind_version 9.11.20-6
 %else
 # Fedora
 %global package_name freeipa
 %global alt_name ipa
-# Fix for CVE-2018-20217
-%global krb5_version 1.18
+# Fix for CVE-2020-28196
+%global krb5_version 1.18.2-29
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
 # Require 4.12 which has DsRGetForestTrustInformation access rights fixes
-%global samba_version 2:4.12
+%global samba_version 2:4.12.10
-# SELinux context for dirsrv unit file, BZ 1820298
-%if 0%{?fedora} >= 32
-%global selinux_policy_version 3.14.5-39
-%else
-%global selinux_policy_version 3.14.4-52
-%endif
+# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
+%global selinux_policy_version 3.14.5-45
 %global slapi_nis_version 0.56.5
 %global krb5_kdb_version 8.0
@@ -103,50 +106,53 @@ %global ds_version 1.4.3 # Fix for TLS 1.3 PHA, RHBZ#1775146 -%if 0%{?fedora} >= 31 %global httpd_version 2.4.41-9 -%else -%global httpd_version 2.4.41-6.1 + +%global bind_version 9.11.24-1 +# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. +# Some packages don't provide new dist aliases. +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ +%{?python_disable_dependency_generator} +# Fedora %endif # BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 # Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) -%if 0%{?fedora} || 0%{?rhel} > 8 +%if 0%{?fedora} || 0%{?rhel} >= 9 %global openssl_pkcs11_version 0.4.10-6 %global softhsm_version 2.5.0-4 %else %global with_bind_pkcs11 1 %endif -# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. -# Some packages don't provide new dist aliases. -# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ -%{?python_disable_dependency_generator} - -# Fedora -%endif - +%if 0%{?rhel} == 8 # PKIConnection has been modified to always validate certs. 
# https://pagure.io/freeipa/issue/8379 %global pki_version 10.9.0-0.4 +%else +# New KRA profile, ACME support +# https://pagure.io/freeipa/issue/8545 +%global pki_version 10.10.0-2 +%endif -# https://pagure.io/certmonger/issue/90 -%global certmonger_version 0.79.7-1 +# RHEL 8.3+, F32+ has 0.79.13 +%global certmonger_version 0.79.7-3 -%global nss_version 3.41.0-1 +# RHEL 8.2+, F32+ has 3.58 +%global nss_version 3.44.0-4 -# One-Way Trust authenticated by trust secret -# https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20 -%global sssd_version 1.16.3-2 +# RHEL 8.3+, F32+ +%global sssd_version 2.4.0 -%define krb5_base_version %(LC_ALL=C pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) +%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) +%global kdcproxy_version 0.4-3 -%if 0%{?fedora} >= 33 +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 # systemd with resolved enabled # see https://pagure.io/freeipa/issue/8275 %global systemd_version 246.6-3 %else -%global systemd_version 245 +%global systemd_version 239 %endif %global plugin_dir %{_libdir}/dirsrv/plugins 
@@ -158,24 +164,43 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement %define IPA_VERSION 4.9.0 -# Release candidate version -- set to %%nil (one percent sign) for a release -%global rc_version rc1 +# Release candidate version -- uncomment with one percent for RC versions +%global rc_version rc2 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser %endif +%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") + Name: %{package_name} Version: %{IPA_VERSION} -Release: 0.1%{?rc_version:.%rc_version}%{?dist} +Release: 0.2%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz +# Only use detached signature for the distribution builds. 
If it is a developer build, skip it +%if %{NON_DEVELOPER_BUILD} Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc -Patch1: https://github.com/freeipa/freeipa/pull/5273.patch +%endif + +# RHEL spec file only: START: Change branding to IPA and Identity Management +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +# RHEL spec file only: END: Change branding to IPA and Identity Management + +# RHEL spec file only: START +%if 0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD} +Patch0001: 0001_util_Fix_client-only_build-upstream_5273.patch +Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +Patch1002: 1002-4.8.0-Remove-csrgen.patch +Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch +%endif +# RHEL spec file only: END # For the timestamp trick in patch application BuildRequires: diffstat @@ -202,6 +227,7 @@ BuildRequires: pkgconfig BuildRequires: pkgconf BuildRequires: autoconf BuildRequires: automake +BuildRequires: make BuildRequires: libtool BuildRequires: gettext BuildRequires: gettext-devel @@ -226,7 +252,7 @@ BuildRequires: libsss_certmap-devel BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} BuildRequires: nodejs(abi) # use old dependency on RHEL 8 for now -%if 0%{?fedora} >= 31 || 0%{?rhel} > 8 +%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9 BuildRequires: python3-rjsmin %else BuildRequires: uglify-js @@ -283,6 +309,7 @@ BuildRequires: jsl BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm + BuildRequires: keyutils BuildRequires: python3-augeas BuildRequires: python3-cffi 
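Review bot: `Source1` declares the detached `.asc` signature, but nothing in this hunk consumes it, and the new `sources` entry only pins the SHA512 of the downloaded `.asc`, which checks integrity of the signature file rather than authenticity of the tarball. Unless `%prep` (outside the hunk) runs `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` against a keyring shipped as a `Source2`, the signature adds no supply-chain protection; if such a call is added it must sit under the same `%if %{NON_DEVELOPER_BUILD}` guard, since `%{SOURCE1}` is undefined for developer builds. Separately, the PR 5273 client-only build fix used to be declared for every distribution and is now declared only under `0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD}`; if rc2 does not already carry that fix upstream, Fedora i686 builds (now unconditionally `ONLY_CLIENT`) lose it.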
@@ -309,7 +336,7 @@ BuildRequires: python3-polib BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-pycodestyle -%if 0%{?fedora} || %{?rhel} > 8 +%if 0%{?fedora} || 0%{?rhel} > 8 # https://bugzilla.redhat.com/show_bug.cgi?id=1648299 BuildRequires: python3-pylint >= 2.1.1-2 %else @@ -339,10 +366,8 @@ BuildRequires: krb5-server >= %{krb5_version} # ONLY_CLIENT %endif -# # Build dependencies for SELinux policy -# 3.14.6-9 includes fix for https://github.com/fedora-selinux/selinux-policy/pull/333 -%if 0%{?with_selinux} +%if %{with selinux} BuildRequires: selinux-policy-devel >= %{selinux_policy_version} %endif @@ -369,7 +394,6 @@ Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version} Requires: krb5-kdb-version = %{krb5_kdb_version} - Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony @@ -431,6 +455,13 @@ Obsoletes: %{name}-server <= 4.2.0 # member. Conflicts: nss-pam-ldapd < 0.8.4 +# RHEL spec file only: START: Do not build tests +%if 0%{?rhel} == 8 +# ipa-tests subpackage was moved to separate srpm +Conflicts: ipa-tests < 3.3.3-9 +%endif +# RHEL spec file only: END: Do not build tests + %description server IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization @@ -454,7 +485,7 @@ Requires: python3-dbus Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-ipaclient = %{version}-%{release} -Requires: python3-kdcproxy >= 0.4.1 +Requires: python3-kdcproxy >= %{kdcproxy_version} Requires: python3-lxml Requires: python3-pki >= %{pki_version} Requires: python3-pyasn1 >= 0.3.2-2 
@@ -468,7 +499,6 @@ Requires: python3-urllib3 >= 1.24.2-3 Requires: python3-urllib3 >= 1.25.7 %endif - %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization @@ -484,6 +514,10 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= %{httpd_version} Requires: systemd-units >= %{systemd_version} +Requires: custodia >= 0.3.1 +%if 0%{?rhel} >= 8 +Requires: redhat-logos-ipa >= 80.4 +%endif Provides: %{alt_name}-server-common = %{version} Conflicts: %{alt_name}-server-common @@ -502,22 +536,19 @@ If you are installing an IPA server, you need to install this package. Summary: IPA integrated DNS server with support for automatic DNSSEC signing BuildArch: noarch Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 11.0-2 -Requires: bind >= 9.11.0-6.P2 -Requires: bind-utils >= 9.11.0-6.P2 +Requires: bind-dyndb-ldap >= 11.2-2 +Requires: bind >= %{bind_version} +Requires: bind-utils >= %{bind_version} %if %{with bind_pkcs11} -Requires: bind-pkcs11 >= 9.11.0-6.P2 -Requires: bind-pkcs11-utils >= 9.11.0-6.P2 +Requires: bind-pkcs11 >= %{bind_version} +Requires: bind-pkcs11-utils >= %{bind_version} %else Requires: softhsm >= %{softhsm_version} Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} %endif -%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9 # See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 +# RHEL 8.3+ and Fedora 32+ have 2.1 Requires: opendnssec >= 2.1.6-5 -%else -Requires: opendnssec >= 1.4.6-4 -%endif %{?systemd_requires} Provides: %{alt_name}-server-dns = %{version} @@ -540,7 +571,9 @@ Requires: %{name}-common = %{version}-%{release} Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap - +%if 0%{?rhel} +Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 +%endif Requires(post): python3 Requires: python3-samba Requires: python3-libsss_nss_idmap 
@@ -612,6 +645,11 @@ Obsoletes: %{alt_name}-admintools < 4.4.1
 Obsoletes: %{name}-admintools < 4.4.1
 Provides: %{name}-admintools = %{version}-%{release}
+%if 0%{?rhel} == 8
+# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
+Conflicts: crypto-policies < 20200629-1
+%endif
+
 %description client
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
@@ -642,12 +680,11 @@ on the machine enrolled into a FreeIPA environment
 %package client-epn
 Summary: Tools to configure Expiring Password Notification in IPA
 Group: System Environment/Base
-Requires: systemd-units
+Requires: %{name}-client = %{version}-%{release}
 Requires: systemd-units >= %{systemd_version}
 Requires(post): systemd-units >= %{systemd_version}
 Requires(preun): systemd-units >= %{systemd_version}
 Requires(postun): systemd-units >= %{systemd_version}
-Requires: %{name}-client = %{version}-%{release}
 %description client-epn
 This package provides a service to collect and send expiring password
@@ -673,7 +710,6 @@ and integration with Active Directory based infrastructures (Trusts).
 If your network uses IPA for authentication, this package should be installed
 on every client machine.
-
 %package client-common
 Summary: Common files used by IPA client
 BuildArch: noarch
@@ -753,10 +789,14 @@ Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-pyusb
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-requests
-Requires: python3-setuptools
 Requires: python3-six
 Requires: python3-sss-murmur
 Requires: python3-yubico >= 1.3.2-7
+%if 0%{?rhel} && 0%{?rhel} >= 8
+Requires: platform-python-setuptools
+%else
+Requires: python3-setuptools
+%endif
 %description -n python3-ipalib
 IPA is an integrated solution to provide centrally managed Identity (users,
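Review bot: `Conflicts: crypto-policies < 20200629-1` only rejects coexistence with an older crypto-policies; it does not itself require the build that ships the AD-SUPPORT policy module the comment says the client needs, so whether dnf upgrades crypto-policies or fails the transaction on a host with an older build is left to the solver, and the tag says nothing at all if crypto-policies is absent. If the module is a genuine runtime dependency, `Requires: crypto-policies >= 20200629-1` states it directly; if `Conflicts` was chosen on purpose, the comment should say why, e.g. `# Conflicts rather than Requires: crypto-policies is part of the base system, we only need to reject builds without the AD-SUPPORT module`. The client package definition continues before the hunk.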
@@ -803,18 +843,25 @@ BuildArch: noarch
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
-Requires: ldns-utils
 Requires: python3-coverage
 Requires: python3-cryptography >= 1.6
+%if 0%{?fedora}
+# These packages do not exist on RHEL and for ipatests use
+# they are installed on the controller through other means
+Requires: ldns-utils
 Requires: python3-polib
 Requires: python3-pytest >= 3.9.1
 Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
+Requires: sshpass
+%endif
 Requires: python3-sssdconfig >= %{sssd_version}
 Requires: tar
 Requires: xz
 Requires: openssh-clients
-Requires: sshpass
+%if 0%{?rhel}
+AutoReqProv: no
+%endif
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -824,21 +871,23 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 This package contains tests that verify IPA functionality under Python 3.
-# with_ipatests
+# with ipatests
 %endif
+
 %if %{with selinux}
 # SELinux subpackage
 %package selinux
 Summary: FreeIPA SELinux policy
 BuildArch: noarch
+Requires: %{name}-server = %{version}-%{release}
 Requires: selinux-policy-%{selinuxtype}
 Requires(post): selinux-policy-%{selinuxtype}
 %{?selinux_requires}
 %description selinux
 Custom SELinux policy module for FreeIPA
-# with_selinux
+# with selinux
 %endif
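Review bot: `AutoReqProv: no` for the RHEL build of python3-ipatests switches off automatic Provides as well as automatic Requires, so the subpackage stops advertising whatever `python3dist(...)` capabilities the dependency generator would have emitted (the spec no longer disables that generator outside the Fedora branch) and any runtime dependency missing from the hand-written list goes unnoticed by rpm; the comment a few lines up explains the Fedora-only packages, not this tag. If the goal is only to suppress generated Requires that name packages RHEL does not ship, `AutoReq: no` keeps the generated Provides, and a comment next to the tag such as `# RHEL: generated Requires would reference packages not shipped in RHEL` records the reason.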
@@ -925,6 +974,18 @@ ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_b
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
+%if 0%{?rhel}
+# RHEL spec file only: START
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
+%endif
+# RHEL spec file only: END
+
 %find_lang %{gettext_domain}
 %if ! %{ONLY_CLIENT}
@@ -1006,6 +1067,11 @@ if [ $? -eq 0 ]; then
 if [ $? -eq 0 ]; then
 /bin/systemctl restart ipa.service >/dev/null
 fi
+
+ /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
+ if [ $? -eq 1 ]; then
+ /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
+ fi
 fi
 # END
@@ -1188,6 +1254,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
 fi
 fi
+
 %triggerin client -- openssh-server >= 8.2
 # Has the client been configured?
 restore=0
@@ -1252,6 +1319,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-ccache-sweeper
 %{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-custodia-check
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
@@ -1276,6 +1344,8 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
 %attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
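Review bot: The new `is-enabled`/`enable` pair in `%post` re-enables `ipa-ccache-sweep.timer` on every package update of a configured server, not just once: `systemctl is-enabled` exits 1 for `disabled` but also for `masked` and `linked` units, so an administrator who deliberately disabled or masked the timer gets it re-enabled, or sees an `enable` error printed because, unlike the neighbouring calls, this one does not redirect stderr. If the timer is meant to be mandatory on a configured server, say so next to the check with a comment such as `# ipa-ccache-sweep.timer is required on a configured server; re-enable it if an update finds it disabled`. If it is only meant to seed the timer once for servers upgraded from releases without it, restrict the block to that upgrade (or do it in the upgrader) rather than on every `%post`. The enclosing `%post` scriptlet begins before the hunk.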
@@ -1318,6 +1388,7 @@ fi
 %{_mandir}/man1/ipa-cert-fix.1*
 %{_mandir}/man1/ipa-acme-manage.1*
+
 %files -n python3-ipaserver
 %doc README.md Contributors.txt
 %license COPYING
@@ -1373,8 +1444,15 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
 %dir %{_usr}/share/ipa/ui/images
+%if 0%{?rhel}
+%{_usr}/share/ipa/ui/images/facet-*.png
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+%else
 %{_usr}/share/ipa/ui/images/*.jpg
 %{_usr}/share/ipa/ui/images/*.png
+%endif
 %dir %{_usr}/share/ipa/wsgi
 %{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
@@ -1472,6 +1550,7 @@ fi
 %{_sbindir}/ipa-client-samba
 %{_mandir}/man1/ipa-client-samba.1*
+
 %files client-epn
 %doc README.md Contributors.txt
 %dir %{_sysconfdir}/ipa/epn
@@ -1502,6 +1581,9 @@ fi
 %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
+%if 0%{?rhel}
+# RHEL spec file only: DELETED: Remove csrgen
+%else
 %dir %{python3_sitelib}/ipaclient/csrgen
 %dir %{python3_sitelib}/ipaclient/csrgen/profiles
 %{python3_sitelib}/ipaclient/csrgen/profiles/*.json
@@ -1509,6 +1591,7 @@ fi
 %{python3_sitelib}/ipaclient/csrgen/rules/*.json
 %dir %{python3_sitelib}/ipaclient/csrgen/templates
 %{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl
+%endif
 %{python3_sitelib}/ipaclient-*.egg-info
@@ -1562,6 +1645,7 @@ fi
 %if %{with ipatests}
+
 %files -n python3-ipatests
 %doc README.md Contributors.txt
 %license COPYING
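Review bot: The csrgen exclusion in the python3-ipaclient `%files` list is guarded by `%if 0%{?rhel}`, but `1002-4.8.0-Remove-csrgen.patch` (declared earlier in this diff) is only applied under `0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD}`; on RHEL 9, or on a RHEL 8 developer build, the csrgen files are still installed yet no longer listed, which rpmbuild reports as unpackaged files unless `%_unpackaged_files_terminate_build` is off (this assumes `%prep`, outside the hunk, applies the declared patches). Use the same condition in both places, e.g. `%if 0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD}`, or define it once as a macro so the two guards cannot drift apart.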
@@ -1580,17 +1664,21 @@ fi
 %{_mandir}/man1/ipa-test-config.1*
 %{_mandir}/man1/ipa-test-task.1*
-# with_ipatests
+# with ipatests
 %endif
+
 %if %{with selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
-# with_selinux
+# with selinux
 %endif
 %changelog
+* Fri Dec 4 13:41:28 EET 2020 Alexander Bokovoy - 4.9.0-0.2.rc2
+- FreeIPA 4.9.0 release candidate 2
+
 * Thu Nov 19 2020 Alexander Bokovoy - 4.9.0-0.1.rc1
 - Use correct bind PKCS11 engine dependencies
 - Fix SELinux build requirement
diff --git a/sources b/sources
index 8d65a89..1dae0ab 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.9.0rc1.tar.gz) = 384ac0163f3977311ef523a6ed71ac8ceb33347d44f89763583e97e8e50eed2f9ec94e32f23dc8d9514c8e7e26d03ae859d045e9a1dd17b3f0cdd0fced82d464
-SHA512 (freeipa-4.9.0rc1.tar.gz.asc) = 2be55c28456c07104bb45984d2c6d804730e90172e9288b21ae45dc5542fceddbb621b96c3e3e5e2b613ebfa55c792727adfb43b349d2069d150f42067c91bf2
+SHA512 (freeipa-4.9.0rc2.tar.gz) = bc4282102451195e4c25b38b72dcea76eaffbf0a9f516d1c09df1c104ba8fdee0185db7131c85aaee54d2fd0ef88f4730f30479f26980ea4d74ab52b4c4c4469
+SHA512 (freeipa-4.9.0rc2.tar.gz.asc) = 21943770e057aaf85ed67582b6d64e5bdde7d10bd3b0588a3aae46a249467c740208838fc9e7cb8a687cad55588030005241a9ab9903e24b83b96cee96f770da