From b412308f26fd717059ac528154dcfebbbeedb23e Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 3 Feb 2022 09:21:01 +0100 Subject: [PATCH] ipa-4.9.8-2 - Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed' - Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests - Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened - Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy --- ...t_ipa_cert_fix.py-TestCertFixReplica.patch | 48 ++++ ...ee-if-replica-is-not-shown-when-runn.patch | 29 +++ ...t-default-value-of-nsslapd-sizelimit.patch | 40 ++++ ...pty-cert-request-doesn-t-force-certm.patch | 123 +++++++++++ ...es-for-ipa-replica-conncheck-command.patch | 104 +++++++++ 0008-PEP8-Fixes.patch | 59 +++++ ...ests-webui-Tests-for-subordinate-ids.patch | 209 ++++++++++++++++++ ...turn-EmptyModlist-when-no-change-is-.patch | 39 ++++ ...d-a-test-ensuring-EmptyModlist-is-re.patch | 36 +++ ...se-safe-loader-for-loading-YAML-conf.patch | 36 +++ ...mation-for-SHA384withRSA-CSR-support.patch | 107 +++++++++ ...nf-provide-access-to-kra-admin-kra-g.patch | 44 ++++ ...emove-keys-for-hardened-auth-enabled.patch | 59 +++++ ...case-for-hardened-only-ticket-policy.patch | 63 ++++++ freeipa.spec | 36 ++- 15 files changed, 1031 insertions(+), 1 deletion(-) create mode 100644 0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch create mode 100644 0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch create mode 100644 0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch create mode 100644 0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch create mode 100644 0007-Test-cases-for-ipa-replica-conncheck-command.patch create mode 100644 0008-PEP8-Fixes.patch create mode 100644 0009-ipatests-webui-Tests-for-subordinate-ids.patch create mode 100644 0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch create mode 100644 0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch create mode 100644 0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch create mode 100644 0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch create mode 100644 0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch create mode 100644 0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch create mode 100644 0016-ipatests-add-case-for-hardened-only-ticket-policy.patch diff --git a/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch b/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch new file mode 100644 index 0000000..022ae84 --- /dev/null +++ b/0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch @@ -0,0 +1,48 @@ +From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Fri, 26 Nov 2021 12:11:21 +0530 +Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica + teardown + +Fixture `expire_certs` moves date back after renewing the certs. +This is causing the ipa-replica to fail. This fix first uninstalls +the server then moves back the date. + +Fixes: https://pagure.io/freeipa/issue/9052 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index 39904d5de64c59416f01646f437aabf797d57dd9..5b56054b4f16d5654ebeb61971a8775bfaf341b8 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest): + setup_dns=False, extra_args=['--no-ntp'] + ) + ++ @classmethod ++ def uninstall(cls, mh): ++ # Uninstall method is empty as the uninstallation is done in ++ # the fixture ++ pass ++ + @pytest.fixture + def expire_certs(self): + # move system date to expire certs +@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest): + yield + + # move date back on replica and master +- for host in self.master, self.replicas[0]: ++ for host in self.replicas[0], self.master: ++ tasks.uninstall_master(host) + tasks.move_date(host, 'start', '-3years-1days') + + def test_renew_expired_cert_replica(self, expire_certs): +-- +2.34.1 + diff --git a/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch b/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch new file mode 100644 index 0000000..f8d5334 --- /dev/null +++ b/0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch @@ -0,0 +1,29 @@ +From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001 +From: Sumedh Sidhaye +Date: Thu, 25 Nov 2021 17:48:20 +0530 +Subject: [PATCH] Extend test to see if replica is not shown when running + `ipa-replica-manage list -v ` + +Related: https://pagure.io/freeipa/issue/8605 + +Signed-off-by: Sumedh Sidhaye +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_simple_replication.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py +index 8de3851447abdfd36171134cbb683115b34df749..17092a49966e61d5a4a9b04c15abcb1de8be9683 100644 +--- a/ipatests/test_integration/test_simple_replication.py ++++ b/ipatests/test_integration/test_simple_replication.py +@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest): + # has to be run with --force, there is no --unattended + self.master.run_command(['ipa-replica-manage', 'del', + self.replicas[0].hostname, '--force']) +- result = self.master.run_command(['ipa-replica-manage', 'list']) ++ result = self.master.run_command( ++ ['ipa-replica-manage', 'list', '-v', self.master.hostname]) + assert self.replicas[0].hostname not in result.stdout_text +-- +2.34.1 + diff --git a/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch b/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch new file mode 100644 index 0000000..d73aecd --- /dev/null +++ b/0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch @@ -0,0 +1,40 @@ +From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 13 Dec 2021 17:37:05 +0530 +Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit. + +related : https://pagure.io/freeipa/issue/8962 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_installation.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 95cfaad54c33a581c6af352097ea95ed435ea2b1..0947241ae2738419c4855e2517670c9033e634f0 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest): + ) + assert "nsslapd-db-locks" not in result.stdout_text + ++ def test_nsslapd_sizelimit(self): ++ """ Test for default value of nsslapd-sizelimit. ++ ++ Related : https://pagure.io/freeipa/issue/8962 ++ """ ++ result = tasks.ldapsearch_dm( ++ self.master, ++ "cn=config", ++ ["nsslapd-sizelimit"], ++ scope="base" ++ ) ++ assert "nsslapd-sizelimit: 100000" in result.stdout_text ++ + def test_admin_root_alias_CVE_2020_10747(self): + # Test for CVE-2020-10747 fix + # https://bugzilla.redhat.com/show_bug.cgi?id=1810160 +-- +2.34.1 + diff --git a/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch b/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch new file mode 100644 index 0000000..a8c1ba2 --- /dev/null +++ b/0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch @@ -0,0 +1,123 @@ +From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 25 Nov 2021 13:10:05 +0530 +Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to + segfault + +When empty cert request is submitted to certmonger, it goes to +segfault. This fix test that if something like this happens, +certmonger should gracefuly handle it + +and some PEP8 fixes + +related: https://pagure.io/certmonger/issue/191 + +Signed-off-by: Mohammad Rizwan +--- + ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++- + 1 file changed, 78 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 5ffb8c6086328d563084f1d4b73daa1d01d956e7..0518d79545f7592d17571068e2681474bd9e5b14 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -14,6 +14,7 @@ import random + import re + import string + import time ++import textwrap + + from ipaplatform.paths import paths + from ipapython.dn import DN +@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest): + tasks.kinit_admin(self.master) + tasks.user_add(self.master, user) + +- for id in (0,1): ++ for id in (0, 1): + csr_file = f'{id}.csr' + key_file = f'{id}.key' + cert_file = f'{id}.crt' +@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest): + error_msg = 'ipa: ERROR: The certificate for ' \ + '{} is not available on this server.'.format(lwca) + assert error_msg in result.stderr_text ++ ++ def test_certmonger_empty_cert_not_segfault(self): ++ """Test empty cert request doesn't force certmonger to segfault ++ ++ Test scenario: ++ create a cert request file in /var/lib/certmonger/requests which is ++ missing most of the required information, and ask request a new ++ certificate to certmonger. The wrong request file should not make ++ certmonger crash. ++ ++ related: https://pagure.io/certmonger/issue/191 ++ """ ++ empty_cert_req_content = textwrap.dedent(""" ++ id=dogtag-ipa-renew-agent ++ key_type=UNSPECIFIED ++ key_gen_type=UNSPECIFIED ++ key_size=0 ++ key_gen_size=0 ++ key_next_type=UNSPECIFIED ++ key_next_gen_type=UNSPECIFIED ++ key_next_size=0 ++ key_next_gen_size=0 ++ key_preserve=0 ++ key_storage_type=NONE ++ key_perms=0 ++ key_requested_count=0 ++ key_issued_count=0 ++ cert_storage_type=FILE ++ cert_perms=0 ++ cert_is_ca=0 ++ cert_ca_path_length=0 ++ cert_no_ocsp_check=0 ++ last_need_notify_check=19700101000000 ++ last_need_enroll_check=19700101000000 ++ template_is_ca=0 ++ template_ca_path_length=-1 ++ template_no_ocsp_check=0 ++ state=NEED_KEY_PAIR ++ autorenew=0 ++ monitor=0 ++ submitted=19700101000000 ++ """) ++ # stop certmonger service ++ self.master.run_command(['systemctl', 'stop', 'certmonger']) ++ ++ # place an empty cert request file to certmonger request dir ++ self.master.put_file_contents( ++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), ++ empty_cert_req_content ++ ) ++ ++ # start certmonger, it should not fail ++ self.master.run_command(['systemctl', 'start', 'certmonger']) ++ ++ # request a new cert, should succeed and certmonger doesn't goes ++ # to segfault ++ result = self.master.run_command([ ++ "ipa-getcert", "request", ++ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"), ++ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"), ++ ]) ++ request_id = re.findall(r'\d+', result.stdout_text) ++ ++ # check if certificate is in MONITORING state ++ status = tasks.wait_for_request(self.master, request_id[0], 50) ++ assert status == "MONITORING" ++ ++ self.master.run_command( ++ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]] ++ ) ++ self.master.run_command([ ++ 'rm', '-rf', ++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), ++ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'), ++ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key') ++ ]) +-- +2.34.1 + diff --git a/0007-Test-cases-for-ipa-replica-conncheck-command.patch b/0007-Test-cases-for-ipa-replica-conncheck-command.patch new file mode 100644 index 0000000..dfc7a74 --- /dev/null +++ b/0007-Test-cases-for-ipa-replica-conncheck-command.patch @@ -0,0 +1,104 @@ +From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 18 Nov 2021 18:36:58 +0530 +Subject: [PATCH] Test cases for ipa-replica-conncheck command + +Following test cases would be checked: +- when called with --principal (it should then prompt for a password) +- when called with --principal / --password +- when called without principal and password but with a kerberos TGT, + kinit admin done before calling ipa-replica-conncheck +- when called without principal and password, and without any kerberos + TGT (it should default to principal=admin and prompt for a password) + +related: https://pagure.io/freeipa/issue/9047 + +Signed-off-by: Mohammad Rizwan +--- + .../test_replica_promotion.py | 70 +++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index b9c56f775d08885cb6b1226eeb7bcf105f87cdc1..1a4e9bc121abf41a3919aedda3d334de9404d1a0 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest): + self.assertCARenewalMaster(master, replica.hostname) + self.assertCARenewalMaster(replica, replica.hostname) + ++ def test_replica_concheck(self): ++ """Test cases for ipa-replica-conncheck command ++ ++ Following test cases would be checked: ++ - when called with --principal (it should then prompt for a password) ++ - when called with --principal / --password ++ - when called without principal and password but with a kerberos TGT, ++ kinit admin done before calling ipa-replica-conncheck ++ - when called without principal and password, and without any kerberos ++ TGT (it should default to principal=admin and prompt for a password) ++ ++ related: https://pagure.io/freeipa/issue/9047 ++ """ ++ exp_str1 = "Connection from replica to master is OK." ++ exp_str2 = "Connection from master to replica is OK" ++ tasks.kdestroy_all(self.replicas[0]) ++ # when called with --principal (it should then prompt for a password) ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm, ++ '-p', self.replicas[0].config.admin_name], ++ stdin_text=self.master.config.admin_password ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called with --principal / --password ++ result = self.replicas[0].run_command([ ++ 'ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm, ++ '-p', self.replicas[0].config.admin_name, ++ '-w', self.master.config.admin_password ++ ]) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called without principal and password, and without ++ # any kerberos TGT, it should default to principal=admin ++ # and prompt for a password ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm], ++ stdin_text=self.master.config.admin_password ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called without principal and password but with a kerberos TGT, ++ # kinit admin done before calling ipa-replica-conncheck ++ tasks.kinit_admin(self.replicas[0]) ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm] ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ tasks.kdestroy_all(self.replicas[0]) ++ + def test_automatic_renewal_master_transfer_ondelete(self): + # Test that after replica uninstallation, master overtakes the cert + # renewal master role from replica (which was previously set there) +-- +2.34.1 + diff --git a/0008-PEP8-Fixes.patch b/0008-PEP8-Fixes.patch new file mode 100644 index 0000000..52df09e --- /dev/null +++ b/0008-PEP8-Fixes.patch @@ -0,0 +1,59 @@ +From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 18 Nov 2021 18:43:22 +0530 +Subject: [PATCH] PEP8 Fixes + +Signed-off-by: Mohammad Rizwan +--- + .../test_integration/test_replica_promotion.py | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 1a4e9bc121abf41a3919aedda3d334de9404d1a0..c328b1a08ffc8ac5efb0986d2b18c5074f573432 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + assert res.returncode == 1 + assert expected_err in res.stderr_text + +- + @replicas_cleanup + def test_one_command_installation(self): + """ +@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + Firewall(self.replicas[0]).enable_services(["freeipa-ldap", + "freeipa-ldaps"]) + self.replicas[0].run_command(['ipa-replica-install', '-w', +- self.master.config.admin_password, +- '-n', self.master.domain.name, +- '-r', self.master.domain.realm, +- '--server', self.master.hostname, +- '-U']) ++ self.master.config.admin_password, ++ '-n', self.master.domain.name, ++ '-r', self.master.domain.realm, ++ '--server', self.master.hostname, ++ '-U']) + # Ensure that pkinit is properly configured, test for 7566 + result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) + assert "PKINIT is enabled" in result.stdout_text +@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest): + result1 = client.run_command(['ipa-replica-install', '-U', '-w', + self.master.config.dirman_password], + raiseonerr=False) +- assert(result1.returncode == 0), ( ++ assert (result1.returncode == 0), ( + 'Failed to promote the client installed with the upcase domain name') + + def test_client_rollback(self): +@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest): + assert("An error occurred while removing SSSD" not in + result.stdout_text) + ++ + class TestRenewalMaster(IntegrationTest): + + topology = 'star' +-- +2.34.1 + diff --git a/0009-ipatests-webui-Tests-for-subordinate-ids.patch b/0009-ipatests-webui-Tests-for-subordinate-ids.patch new file mode 100644 index 0000000..a8f7a4f --- /dev/null +++ b/0009-ipatests-webui-Tests-for-subordinate-ids.patch @@ -0,0 +1,209 @@ +From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 6 Dec 2021 20:50:01 +0530 +Subject: [PATCH] ipatests: webui: Tests for subordinate ids. + +Added web-ui tests to verify where operations +using subordinate ids are working as expected. + +Related : https://pagure.io/freeipa/issue/8361 + +Signed-off-by: Anuja More +Reviewed-By: Michal Polovka +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++ + ipatests/test_webui/ui_driver.py | 28 ++++++ + 2 files changed, 169 insertions(+) + create mode 100644 ipatests/test_webui/test_subid.py + +diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py +new file mode 100644 +index 0000000000000000000000000000000000000000..26decdba03955f28ab21a41ccffae2a9af7b09fe +--- /dev/null ++++ b/ipatests/test_webui/test_subid.py +@@ -0,0 +1,141 @@ ++ ++""" ++Tests for subordinateid. ++""" ++ ++from ipatests.test_webui.ui_driver import UI_driver ++import ipatests.test_webui.data_config as config_data ++import ipatests.test_webui.data_user as user_data ++from ipatests.test_webui.ui_driver import screenshot ++import re ++ ++ ++class test_subid(UI_driver): ++ ++ def add_user(self, pkey, name, surname): ++ self.add_record('user', { ++ 'pkey': pkey, ++ 'add': [ ++ ('textbox', 'uid', pkey), ++ ('textbox', 'givenname', name), ++ ('textbox', 'sn', surname), ++ ] ++ }) ++ ++ def set_default_subid(self): ++ self.navigate_to_entity(config_data.ENTITY) ++ self.check_option('ipauserdefaultsubordinateid', 'checked') ++ self.facet_button_click('save') ++ ++ def get_user_count(self, user_pkey): ++ self.navigate_to_entity('subid', facet='search') ++ self.apply_search_filter(user_pkey) ++ self.wait_for_request() ++ return self.get_rows() ++ ++ @screenshot ++ def test_set_defaultsubid(self): ++ """ ++ Test to verify that enable/disable is working for ++ adding subids to new users. ++ """ ++ self.init_app() ++ self.add_record(user_data.ENTITY, user_data.DATA2) ++ self.navigate_to_entity(config_data.ENTITY) ++ # test subid can be enabled/disabled. ++ self.set_default_subid() ++ assert self.get_field_checked('ipauserdefaultsubordinateid') ++ self.set_default_subid() ++ assert not self.get_field_checked('ipauserdefaultsubordinateid') ++ ++ @screenshot ++ def test_user_defaultsubid(self): ++ """ ++ Test to verify that subid is generated for new user. ++ """ ++ self.init_app() ++ user_pkey = "some-user" ++ ++ self.set_default_subid() ++ assert self.get_field_checked('ipauserdefaultsubordinateid') ++ ++ before_count = self.get_user_count(user_pkey) ++ assert len(before_count) == 0 ++ ++ self.add_user(user_pkey, 'Some', 'User') ++ after_count = self.get_user_count(user_pkey) ++ assert len(after_count) == 1 ++ ++ @screenshot ++ def test_user_subid_mod_desc(self): ++ """ ++ Test to verify that auto-assigned subid description is modified. ++ """ ++ self.init_app() ++ self.navigate_to_record("some-user") ++ self.switch_to_facet('memberof_subid') ++ rows = self.get_rows() ++ self.navigate_to_row_record(rows[-1]) ++ self.fill_textbox("description", "some-user-subid-desc") ++ self.facet_button_click('save') ++ ++ @screenshot ++ def test_admin_subid(self): ++ """ ++ Test to verify that subid range is created with owner admin. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', 'admin') ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ self.assert_no_error_dialog() ++ ++ @screenshot ++ def test_admin_subid_negative(self): ++ """ ++ Test to verify that readding the subid fails with error. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', 'admin') ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog') ++ text = self.get_text('.modal-body div p', err_dialog) ++ text = text.strip() ++ pattern = r'Subordinate id with with name .* already exists.' ++ assert re.search(pattern, text) is not None ++ self.close_all_dialogs() ++ ++ @screenshot ++ def test_user_subid_add(self): ++ """ ++ Test to verify that subid range is created for given user. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ before_count = self.get_rows() ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', user_data.PKEY2) ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ self.assert_no_error_dialog() ++ after_count = self.get_rows() ++ assert len(before_count) < len(after_count) ++ ++ @screenshot ++ def test_subid_del(self): ++ """ ++ Test to remove subordinate id for given user. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ user_uid = self.get_record_pkey("some-user", "ipaowner", ++ table_name="ipauniqueid") ++ before_count = self.get_rows() ++ self.delete_record(user_uid, table_name="ipauniqueid") ++ after_count = self.get_rows() ++ assert len(before_count) > len(after_count) +diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py +index 46fd512ae67bee65be55ae0d4dedec53cc29de97..77fd74e49593183a37fe735bedf2e0d6b9257ac7 100644 +--- a/ipatests/test_webui/ui_driver.py ++++ b/ipatests/test_webui/ui_driver.py +@@ -1151,6 +1151,34 @@ class UI_driver: + return row + return None + ++ def get_row_by_column_value(self, key, column_name, parent=None, ++ table_name=None): ++ """ ++ Get the first matched row element of a search table with given key ++ matched against selected column. None if not found ++ """ ++ rows = self.get_rows(parent, table_name) ++ s = "td div[name='%s']" % column_name ++ for row in rows: ++ has = self.find(s, By.CSS_SELECTOR, row) ++ if has.text == key: ++ return row ++ return None ++ ++ def get_record_pkey(self, key, column, parent=None, table_name=None): ++ """ ++ Get record pkey if value of column is known ++ """ ++ row = self.get_row_by_column_value(key, ++ column_name=column, ++ parent=parent, ++ table_name=table_name) ++ val = None ++ if row: ++ el = self.find("td input", By.CSS_SELECTOR, row) ++ val = el.get_attribute("value") ++ return val ++ + def navigate_to_row_record(self, row, pkey_column=None): + """ + Navigate to record by clicking on a link. +-- +2.34.1 + diff --git a/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch b/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch new file mode 100644 index 0000000..c71d334 --- /dev/null +++ b/0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch @@ -0,0 +1,39 @@ +From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 15 Dec 2021 10:47:02 +0100 +Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied + +When ipa config-mod is called with the option --enable-sid, +the code needs to trap EmptyModlist exception (it is expected +that no LDAP attribute is modified by this operation). +The code had a flaw and was checking: + 'enable_sid' in options +instead of + options['enable_sid'] + +"'enable_sid' in options" always returns true as this option +is a Flag with a default value, hence always present even if +not specified on the command line. + +Fixes: https://pagure.io/freeipa/issue/9063 +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/config.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py +index eae401fc3f7a1b7628eb211db206ba4bc2b36754..24446beb0b03a1510a96316eae915780817db102 100644 +--- a/ipaserver/plugins/config.py ++++ b/ipaserver/plugins/config.py +@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate): + if (isinstance(exc, errors.EmptyModlist) and + call_func.__name__ == 'update_entry' and + ('ca_renewal_master_server' in options or +- 'enable_sid' in options)): ++ options['enable_sid'])): + return + + super(config_mod, self).exc_callback( +-- +2.34.1 + diff --git a/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch b/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch new file mode 100644 index 0000000..2bdb49c --- /dev/null +++ b/0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch @@ -0,0 +1,36 @@ +From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 15 Dec 2021 10:51:05 +0100 +Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned + +Add a test to test_config_plugin, that calls ipa config-mod +with the same value as already present in LDAP. +The call must return EmptyModlist. + +Related: https://pagure.io/freeipa/issue/9063 +Reviewed-By: Rob Crittenden +--- + ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py +index e981bb4a03d39de450fc459d4b1ce4b636c19029..a8ec9f0e558d7efa091b50deca9fa7ca59fd7b11 100644 +--- a/ipatests/test_xmlrpc/test_config_plugin.py ++++ b/ipatests/test_xmlrpc/test_config_plugin.py +@@ -312,4 +312,13 @@ class test_config(Declarative): + 'value': None, + }, + ), ++ dict( ++ desc='Set the value to the already set value, no modifications', ++ command=( ++ 'config_mod', [], { ++ 'ipasearchrecordslimit': u'100', ++ }, ++ ), ++ expected=errors.EmptyModlist(), ++ ), + ] +-- +2.34.1 + diff --git a/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch b/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch new file mode 100644 index 0000000..4b7c9b8 --- /dev/null +++ b/0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch @@ -0,0 +1,36 @@ +From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001 +From: Michal Polovka +Date: Fri, 7 Jan 2022 12:12:26 +0100 +Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML + configuration file + +FullLoader class for YAML loader was introduced in version 5.1 which +also deprecated default loader. SafeLoader, however, stays consistent +across the versions and brings added security. + +This fix is necessary as PyYAML > 5.1 is not available in downstream. + +Related: https://pagure.io/freeipa/issue/9009 + +Signed-off-by: Michal Polovka +Reviewed-By: Rob Crittenden +--- + ipatests/test_webui/ui_driver.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py +index 77fd74e49593183a37fe735bedf2e0d6b9257ac7..519efee9bba3de2114d22865a08df87f9b5f348a 100644 +--- a/ipatests/test_webui/ui_driver.py ++++ b/ipatests/test_webui/ui_driver.py +@@ -192,7 +192,7 @@ class UI_driver: + if not NO_YAML and os.path.isfile(path): + try: + with open(path, 'r') as conf: +- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader) ++ cls.config = yaml.safe_load(stream=conf) + except yaml.YAMLError as e: + pytest.skip("Invalid Web UI config.\n%s" % e) + except IOError as e: +-- +2.34.1 + diff --git a/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch b/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch new file mode 100644 index 0000000..1fe86c1 --- /dev/null +++ b/0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch @@ -0,0 +1,107 @@ +From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001 +From: Sumedh Sidhaye +Date: Fri, 14 Jan 2022 19:55:13 +0530 +Subject: [PATCH] Added test automation for SHA384withRSA CSR support + +Scenario 1: +Setup master with --ca-signing-algorithm=SHA384withRSA +Run certutil and check Signing Algorithm + +Scenario 2: +Setup a master +Stop services +Modify default.params.signingAlg in CS.cfg +Restart services +Resubmit cert (Resubmitted cert should have new Algorithm) + +Pagure Link: https://pagure.io/freeipa/issue/8906 + +Signed-off-by: Sumedh Sidhaye +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Antonio Torres +--- + .../test_integration/test_installation.py | 63 +++++++++++++++++++ + 1 file changed, 63 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks + from ipatests.pytest_ipa.integration.env_config import get_global_config + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup ++from ipatests.test_integration.test_cert import get_certmonger_fs_id + from ipaplatform import services + + +@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest): + tasks.install_replica( + self.master, self.replicas[0], setup_ca=False, setup_dns=False + ) ++ ++ ++class TestInstallwithSHA384withRSA(IntegrationTest): ++ num_replicas = 0 ++ ++ def test_install_master_withalgo_sha384withrsa(self, server_cleanup): ++ tasks.install_master( ++ self.master, ++ extra_args=['--ca-signing-algorithm=SHA384withRSA'], ++ ) ++ ++ # check Signing Algorithm post installation ++ dashed_domain = self.master.domain.realm.replace(".", '-') ++ cmd_args = ['certutil', '-L', '-d', ++ '/etc/dirsrv/slapd-{}/'.format(dashed_domain), ++ '-n', 'Server-Cert'] ++ result = self.master.run_command(cmd_args) ++ assert 'SHA-384 With RSA Encryption' in result.stdout_text ++ ++ def test_install_master_modify_existing(self, server_cleanup): ++ """ ++ Setup a master ++ Stop services ++ Modify default.params.signingAlg in CS.cfg ++ Restart services ++ Resubmit cert (Resubmitted cert should have new Algorithm) ++ """ ++ tasks.install_master(self.master) ++ self.master.run_command(['ipactl', 'stop']) ++ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH, ++ encoding='utf-8') ++ new_lines = [] ++ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA" ++ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA" ++ for line in cs_cfg_content.split('\n'): ++ if line.startswith('ca.signing.defaultSigningAlgorithm'): ++ new_lines.append(replace_str) ++ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'): ++ new_lines.append(ocsp_rep_str) ++ else: ++ new_lines.append(line) ++ self.master.put_file_contents(paths.CA_CS_CFG_PATH, ++ '\n'.join(new_lines)) ++ self.master.run_command(['ipactl', 'start']) ++ ++ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM] ++ result = self.master.run_command(cmd) ++ request_id = get_certmonger_fs_id(result.stdout_text) ++ ++ # resubmit RA Agent cert ++ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] ++ self.master.run_command(cmd) ++ ++ tasks.wait_for_certmonger_status(self.master, ++ ('CA_WORKING', 'MONITORING'), ++ request_id) ++ ++ cmd_args = ['openssl', 'x509', '-in', ++ paths.RA_AGENT_PEM, '-noout', '-text'] ++ result = self.master.run_command(cmd_args) ++ assert_str = 'Signature Algorithm: sha384WithRSAEncryption' ++ assert assert_str in result.stdout_text +-- +2.34.1 + diff --git a/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch b/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch new file mode 100644 index 0000000..f8593f8 --- /dev/null +++ b/0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch @@ -0,0 +1,44 @@ +From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 28 Jan 2022 16:58:42 +0100 +Subject: [PATCH] ipa-pki-proxy.conf: provide access to + /kra/admin/kra/getStatus + +The access to /kra/admin/kra/getStatus will be needed +in order to fix pki-healthcheck. +Note that this commit is a pre-requisite for the fix +to be done on PKI side. No test added since the full +integration test already exists in test_replica_promotion.py, +in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica + +Fixes: https://pagure.io/freeipa/issue/9099 +Related: https://pagure.io/freeipa/issue/8582 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + install/share/ipa-pki-proxy.conf.template | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template +index 96708482cdac128930efaca33a806daaeba68042..7a46f20b9058bab63238f56295a92533c232d47a 100644 +--- a/install/share/ipa-pki-proxy.conf.template ++++ b/install/share/ipa-pki-proxy.conf.template +@@ -1,4 +1,4 @@ +-# VERSION 16 - DO NOT REMOVE THIS LINE ++# VERSION 17 - DO NOT REMOVE THIS LINE + + ProxyRequests Off + +@@ -11,7 +11,7 @@ ProxyRequests Off + + + # matches for admin port and installer +- ++ + SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + SSLVerifyClient none + ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET +-- +2.34.1 + diff --git a/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch b/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch new file mode 100644 index 0000000..c9be53f --- /dev/null +++ b/0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch @@ -0,0 +1,59 @@ +From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 1 Feb 2022 16:43:09 +0100 +Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users + +Since 5d51ae5, principal keys were dropped in case user auth indicator +was not including password. Thereafter, the key removal behavior was +removed by 15ff9c8 in the context of the kdcpolicy plugin introduction. +Support for hardened pre-auth methods (FAST and SPAKE) was added in +d057040, and the removal of principal keys was restored afterwards by +f0d12b7, but not taking the new hardened auth indicator into account. + +Fixes: https://pagure.io/freeipa/issue/9065 +Related to: https://pagure.io/freeipa/issue/8001 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 15f3df4fee8bdfadf60a4b1d9a5115407d1bb294..0d0d3748ce63a8252e84220d036140818ffdfb6e 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + &res_key_data, &result, &mkvno); + switch (ret) { + case 0: +- /* Only set a principal's key if password auth can be used. Otherwise +- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH +- * reply for AS-REQs which indicate the password authentication is +- * available. This might confuse applications like e.g. SSSD which try +- * to determine suitable authentication methods and corresponding +- * prompts with the help of MIT Kerberos' responder interface which +- * acts on the returned pre-authentication methods. A typical example +- * is enforced OTP authentication where of course keys are available +- * for the first factor but password authentication should not be +- * advertised by the KDC. */ +- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) { ++ /* Only set a principal's key if password or hardened auth can be used. ++ * Otherwise the KDC would add pre-authentication methods to the ++ * NEEDED_PREAUTH reply for AS-REQs which indicate the password ++ * authentication is available. This might confuse applications like ++ * e.g. SSSD which try to determine suitable authentication methods and ++ * corresponding prompts with the help of MIT Kerberos' responder ++ * interface which acts on the returned pre-authentication methods. A ++ * typical example is enforced OTP authentication where of course keys ++ * are available for the first factor but password authentication ++ * should not be advertised by the KDC. */ ++ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) && ++ (ua != IPADB_USER_AUTH_NONE)) { + /* This is the same behavior as ENOENT below. */ + ipa_krb5_free_key_data(res_key_data, result); + break; +-- +2.34.1 + diff --git a/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch b/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch new file mode 100644 index 0000000..ba0214e --- /dev/null +++ b/0016-ipatests-add-case-for-hardened-only-ticket-policy.patch @@ -0,0 +1,63 @@ +From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 1 Feb 2022 19:38:29 +0100 +Subject: [PATCH] ipatests: add case for hardened-only ticket policy + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py +index 63e75ae67f493352b1d3a611e7b079d914a7b253..9489fbc97b7836aecf491b57627f254d4849eb56 100644 +--- a/ipatests/test_integration/test_krbtpolicy.py ++++ b/ipatests/test_integration/test_krbtpolicy.py +@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest): + result = master.run_command('klist | grep krbtgt') + assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True + +- def test_krbtpolicy_hardended(self): +- """Test a hardened kerberos ticket policy with 10 min tickets""" ++ def test_krbtpolicy_password_and_hardended(self): ++ """Test a pwd and hardened kerberos ticket policy with 10min tickets""" + master = self.master + master.run_command(['ipa', 'user-mod', USER1, + '--user-auth-type', 'password', +@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest): + result = master.run_command('klist | grep krbtgt') + assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True + ++ def test_krbtpolicy_hardended(self): ++ """Test a hardened kerberos ticket policy with 30min tickets""" ++ master = self.master ++ master.run_command(['ipa', 'user-mod', USER1, ++ '--user-auth-type', 'hardened']) ++ master.run_command(['ipa', 'config-mod', ++ '--user-auth-type', 'hardened']) ++ master.run_command(['ipa', 'krbtpolicy-mod', USER1, ++ '--hardened-maxlife', '1800']) ++ ++ tasks.kdestroy_all(master) ++ ++ master.run_command(['kinit', USER1], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, 1800, ++ slush=1800) is True ++ ++ tasks.kdestroy_all(master) ++ ++ # Verify that the short policy only applies to USER1 ++ master.run_command(['kinit', USER2], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True ++ + def test_krbtpolicy_password(self): + """Test the kerberos ticket policy which issues 20 min tickets""" + master = self.master +-- +2.34.1 + diff --git a/freeipa.spec b/freeipa.spec index 3c5e656..2831c3e 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -198,7 +198,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist} +Release: 2%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -220,6 +220,20 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers %if 0%{?rhel} >= 8 Patch0001: 0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch Patch0002: 0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch +Patch0003: 0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch +Patch0004: 0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch +Patch0005: 0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch +Patch0006: 0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch +Patch0007: 0007-Test-cases-for-ipa-replica-conncheck-command.patch +Patch0008: 0008-PEP8-Fixes.patch +Patch0009: 0009-ipatests-webui-Tests-for-subordinate-ids.patch +Patch0010: 0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch +Patch0011: 0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch +Patch0012: 0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch +Patch0013: 0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch +Patch0014: 0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch +Patch0015: 0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch +Patch0016: 0016-ipatests-add-case-for-hardened-only-ticket-policy.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1711,6 +1725,26 @@ fi %endif %changelog +* Thu Feb 03 2022 Florence Blanc-Renaud - 4.9.8-2 +- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed' + - Config plugin: return EmptyModlist when no change is applied + - config plugin: add a test ensuring EmptyModlist is returned +- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests + - ipatests: webui: Tests for subordinate ids. + - ipatests: webui: Use safe-loader for loading YAML configuration file + - ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown + - Test cases for ipa-replica-conncheck command + - PEP8 Fixes + - ipatests: Test empty cert request doesn't force certmonger to segfault + - ipatests: Test default value of nsslapd-sizelimit. + - Extend test to see if replica is not shown when running `ipa-replica-manage list -v ` + - Added test automation for SHA384withRSA CSR support +- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened + - ipa-kdb: do not remove keys for hardened auth-enabled users + - ipatests: add case for hardened-only ticket policy +- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy + - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus + * Thu Dec 02 2021 Florence Blanc-Renaud - 4.9.8-1 - Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9 - Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'