From b91bf7ae0f1a620611388f35025258511521b67d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 9 Dec 2020 20:07:18 +0200
Subject: [PATCH] Apply 4.9.0rc2 fixes from upstream

Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
Fixes: https://pagure.io/freeipa/issue/8613
upgrade: provide DOMAIN to the server upgrade dictionary
Fixes: https://pagure.io/freeipa/issue/8615
---
 freeipa-4.9.0-rc2-fixes.patch | 98 +++++++++++++++++++++++++++++++++++
 freeipa.spec | 8 ++-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 freeipa-4.9.0-rc2-fixes.patch

diff --git a/freeipa-4.9.0-rc2-fixes.patch b/freeipa-4.9.0-rc2-fixes.patch
new file mode 100644
index 0000000..2914d5f
--- /dev/null
+++ b/freeipa-4.9.0-rc2-fixes.patch
@@ -0,0 +1,98 @@
+From cd2fe2947589aaf8de0e9e64839c8840b68e9664 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 9 Dec 2020 11:15:20 +0200
+Subject: [PATCH 1/2] Allow mod_auth_gssapi to create and access ccaches in
+ /run/ipa/ccaches
+
+With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
+create unique credential caches in /run/ipa/ccaches for every client
+that connects to IPA with a new session. On F34, mod_auth_gssapi process
+running as 'apache' cannot create the ccache in /run/ipa/ccaches because
+it has no access rights.
+
+The core of the problem is that we have two different paths to obtaining
+a ccache: one where 'apache' running httpd process creates it directly
+and one where an internal redirect from 'ipaapi' running httpd process
+is happening.
+
+Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
+to '/run/ipa/ccaches'. This fixes the problem.
+
+Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
+do so, mod_auth_gssapi will do redirects and fail.
+
+Fixes: https://pagure.io/freeipa/issue/8613
+
+Signed-off-by: Alexander Bokovoy
+---
+ init/tmpfilesd/ipa.conf.in | 3 ++-
+ install/share/ipa.conf.template | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
+index 183ceeda6..6467e1b93 100644
+--- a/init/tmpfilesd/ipa.conf.in
++++ b/init/tmpfilesd/ipa.conf.in
+@@ -1,2 +1,3 @@
+ d /run/ipa 0711 root root
+-d /run/ipa/ccaches 0770 ipaapi ipaapi
++d /run/ipa/ccaches 6770 ipaapi ipaapi
++a+ /run/ipa/ccaches - - - - g:apache:rwx
+diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
+index ca51d2ea3..d74e14d4f 100644
+--- a/install/share/ipa.conf.template
++++ b/install/share/ipa.conf.template
+@@ -75,7 +75,7 @@ WSGIScriptReloading Off
+
+ GssapiImpersonate On
+ GssapiDelegCcacheDir $IPA_CCACHES
+- GssapiDelegCcachePerms mode:0660 gid:ipaapi
++ GssapiDelegCcachePerms mode:0660
+ GssapiDelegCcacheUnique On
+ GssapiUseS4U2Proxy on
+ GssapiAllowedMech krb5
+@@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
+
+ AuthType none
+ GssapiDelegCcacheDir $IPA_CCACHES
+- GssapiDelegCcachePerms mode:0660 gid:ipaapi
++ GssapiDelegCcachePerms mode:0660
+ GssapiDelegCcacheUnique On
+ SSLVerifyClient require
+ SSLUserName SSL_CLIENT_CERT
+--
+2.29.2
+
+
+From 786e0823cdc58ad232b8320af94ea9ad89df88d6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 9 Dec 2020 13:26:05 +0200
+Subject: [PATCH 2/2] upgrade: provide DOMAIN to the server upgrade dictionary
+
+Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
+in the dictionary. Regression was introduced with
+e731b2725a3772cd037683ff2e08c514fd02019f.
+
+Fixes: https://pagure.io/freeipa/issue/8615
+Related: https://pagure.io/freeipa/issue/8595
+
+Signed-off-by: Alexander Bokovoy
+---
+ ipaserver/install/server/upgrade.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 18891d53c..00a133a4d 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1578,6 +1578,7 @@ def upgrade_configuration():
+ IPA_CCACHES=paths.IPA_CCACHES,
+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+ KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
++ DOMAIN=api.env.domain,
+ )
+
+ subject_base = find_subject_base()
+--
+2.29.2
+
diff --git a/freeipa.spec b/freeipa.spec
index 1c6f579..16f7646 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -176,7 +176,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 0.3%{?rc_version:.%rc_version}%{?dist}
+Release: 0.4%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -201,6 +201,8 @@ Patch1002: 1002-4.8.0-Remove-csrgen.patch
 Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
 %endif
 # RHEL spec file only: END
+Patch0101: freeipa-4.9.0-rc2-fixes.patch
+
 # For the timestamp trick in patch application
 BuildRequires: diffstat
@@ -1675,6 +1677,10 @@ fi
 %endif
 %changelog
+* Wed Dec 9 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.4.rc2
+- Fix upgrade script for CA rule rewrites
+- Fix permissions for /run/ipa/ccaches
+
 * Fri Dec 4 22:17:00 EET 2020 Alexander Bokovoy - 4.9.0-0.3.rc2
 - Correct SELinux policy requirements
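Review bot: The tmpfiles line `d /run/ipa/ccaches 6770 ipaapi ipaapi` in the bundled patch sets the setuid bit alongside setgid, but on Linux the setuid bit has no effect on a directory; only setgid makes new ccache files inherit the `ipaapi` group, which is what allows the two `ipa.conf.template` hunks to drop `gid:ipaapi` from `GssapiDelegCcachePerms mode:0660` without loosening file access. Writing the mode as `2770` states that intent and spares a later reader from chasing a setuid directory. The `a+ /run/ipa/ccaches - - - - g:apache:rwx` ACL gives the `apache` httpd user create and unlink rights on every entry, including caches created through the `ipaapi` path; if that is not intended, adding the sticky bit (`3770`) would limit unlink to the file owner, though whether mod_auth_gssapi's redirect flow tolerates that cannot be confirmed from this patch. Hosts already installed keep the old `0770` directory until systemd-tmpfiles is re-run, so it is worth confirming that the package scriptlets (outside this diff) refresh it on upgrade rather than waiting for the next boot.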