rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:44:18 -04:00 committed by Andrew Lukoshko
parent eb3a2cb921
commit c837b107f7
46 changed files with 2246 additions and 10141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.8.7.tar.gz SOURCES/freeipa-4.9.2.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz

409
SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
View File

@ -1,409 +0,0 @@
From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Thu, 28 May 2020 08:47:49 +0200
Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while
adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/association.js | 13 ++++-
install/ui/src/freeipa/dialog.js | 73 ++++++++++++++++-----------
install/ui/src/freeipa/group.js | 14 +++++
install/ui/src/freeipa/idviews.js | 58 +++++++++++++++++++++
ipaserver/plugins/internal.py | 6 +++
5 files changed, 133 insertions(+), 31 deletions(-)
diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index f10ccb2a5..b083a79f9 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -25,6 +25,7 @@
define([
'dojo/_base/lang',
'dojo/Deferred',
+ './builder',
'./metadata',
'./ipa',
'./jquery',
@@ -38,7 +39,7 @@ define([
'./facet',
'./search',
'./dialog'],
- function(lang, Deferred, metadata_provider, IPA, $, metadata,
+ function(lang, Deferred, builder, metadata_provider, IPA, $, metadata,
navigation, phases, reg, rpc, su, text) {
/**
@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) {
var pkeys = that.data.result.result[that.get_attribute_name()];
- var dialog = IPA.association_adder_dialog({
+ var dialog = builder.build('association_adder_dialog', {
+ $type: that.other_entity.name,
title: title,
entity: that.entity,
pkey: pkey,
@@ -1675,6 +1677,13 @@ IPA.attr_read_only_evaluator = function(spec) {
return that;
};
+// Create a registry for adder dialogs where key is name of 'other entity'.
+// It allows to override dialogs for some specific cases of association
+// creation.
+var dialog_builder = builder.get('association_adder_dialog');
+dialog_builder.factory = IPA.association_adder_dialog;
+reg.set('association_adder_dialog', dialog_builder.registry);
+
phases.on('registration', function() {
var w = reg.widget;
var f = reg.field;
diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
index c153120df..d67d63b6d 100644
--- a/install/ui/src/freeipa/dialog.js
+++ b/install/ui/src/freeipa/dialog.js
@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) {
'class': 'input-group col-md-12 adder-dialog-top'
}).appendTo(container);
- var filter_placeholder = text.get('@i18n:association.filter_placeholder');
- filter_placeholder = filter_placeholder.replace('${other_entity}',
- that.other_entity.metadata.label);
-
- that.filter_field = $('<input/>', {
- type: 'text',
- name: 'filter',
- 'class': 'form-control',
- 'placeholder': filter_placeholder,
- keyup: function(event) {
- if (event.keyCode === keys.ENTER) {
- that.search();
- return false;
- }
- }
- }).appendTo(input_group);
-
- var input_group_btn = $('<div/>', {
- 'class': 'input-group-btn'
- }).appendTo(input_group);
-
- that.find_button = IPA.button({
- name: 'find',
- label: '@i18n:buttons.filter',
- click: function() {
- that.search();
- return false;
- }
- }).appendTo(input_group_btn);
+ that.filter_field = that.get_filter_field(input_group);
var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container);
//
@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) {
return that.filter_field.val();
};
+ /**
+ * Return field for filtering available items
+ *
+ * Default implementation returns text input + "Filter" button.
+ * It can be overridden.
+ *
+ * @param {HTMLElement} input_group - container for a filter field
+ * @return {HTMLElement}
+ */
+ that.get_filter_field = function(input_group) {
+ var filter_placeholder = text.get(
+ '@i18n:association.filter_placeholder'
+ ).replace('${other_entity}', that.other_entity.metadata.label);
+
+ var filter_field = $('<input/>', {
+ type: 'text',
+ name: 'filter',
+ 'class': 'form-control',
+ 'placeholder': filter_placeholder,
+ keyup: function(event) {
+ if (event.keyCode === keys.ENTER) {
+ that.search();
+ return false;
+ }
+ }
+ }).appendTo(input_group);
+
+ var input_group_btn = $('<div/>', {
+ 'class': 'input-group-btn'
+ }).appendTo(input_group);
+
+ that.find_button = IPA.button({
+ name: 'find',
+ label: '@i18n:buttons.filter',
+ click: function() {
+ that.search();
+ return false;
+ }
+ }).appendTo(input_group_btn);
+
+ return filter_field;
+ };
+
/**
* Clear rows in available table
*/
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
index e46d8c7e3..2984bd4b2 100644
--- a/install/ui/src/freeipa/group.js
+++ b/install/ui/src/freeipa/group.js
@@ -205,6 +205,20 @@ return {
add_title: '@i18n:objects.group.add_into_sudo',
remove_method: 'remove_user',
remove_title: '@i18n:objects.group.remove_from_sudo'
+ },
+ {
+ $type: 'association',
+ name: 'member_idoverrideuser',
+ associator: IPA.serial_associator,
+ add_title: '@i18n:objects.group.add_idoverride_user',
+ remove_title: '@i18n:objects.group.remove_idoverride_users',
+ columns: [
+ {
+ name: 'ipaanchoruuid',
+ label: '@i18n:objects.idoverrideuser.anchor_label',
+ link: false
+ }
+ ]
}
],
standard_association_facets: true,
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 35dc998c8..a4fca6205 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -966,6 +966,58 @@ idviews.unapply_action = function(spec) {
return that;
};
+idviews.idoverrideuser_adder_dialog = function(spec) {
+
+ spec = spec || {};
+
+ var that = IPA.association_adder_dialog(spec);
+
+ that.base_search = that.search;
+
+ that.search = function() {
+ // Search for users only in case a ID view is selected
+ if (that.get_filter()) {
+ that.base_search();
+ }
+ };
+
+ /**
+ * Replace default text filter with a select box for filtering by ID view
+ */
+ that.get_filter_field = function(input_group) {
+
+ var filter_field = $('<select/>', {
+ name: 'filter',
+ 'class': 'form-control',
+ change: function(event) {
+ that.search();
+ }
+ }).appendTo(input_group);
+
+ rpc.command({
+ entity: 'idview',
+ method: 'find',
+ on_success: function(data) {
+ var results = data.result;
+
+ for (var i=0; i<results.count; i++) {
+ var result = results.result[i];
+ $('<option/>', {
+ text: result.cn[0],
+ value: result.cn[0]
+ }).appendTo(filter_field);
+ }
+
+ that.search();
+ }
+ }).execute();
+
+ return filter_field;
+ };
+
+ return that;
+};
+
/**
* ID View entity specification object
* @member idviews
@@ -993,6 +1045,7 @@ idviews.register = function() {
var f = reg.facet;
var a = reg.action;
var w = reg.widget;
+ var ad = reg.association_adder_dialog;
e.register({type: 'idview', spec: idviews.spec});
e.register({
@@ -1012,6 +1065,11 @@ idviews.register = function() {
w.register('idviews_certs', idviews.idviews_certs_widget);
w.register('cert_textarea', idviews.cert_textarea_widget);
+
+ ad.register({
+ type: 'idoverrideuser',
+ factory: idviews.idoverrideuser_adder_dialog
+ });
};
phases.on('registration', idviews.register);
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5f2b1fdc2..7622e65dc 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -835,6 +835,9 @@ class i18n_messages(Command):
"Remove users from member managers for user group "
"'${primary_key}'"
),
+ "add_idoverride_user": _(
+ "Add user ID override into user group '${primary_key}'"
+ ),
"details": _("Group Settings"),
"external": _("External"),
"groups": _("Groups"),
@@ -868,6 +871,9 @@ class i18n_messages(Command):
"remove_users": _(
"Remove users from user group '${primary_key}'"
),
+ "remove_idoverride_users": _(
+ "Remove user ID overrides from user group '${primary_key}'"
+ ),
"type": _("Group Type"),
"user_groups": _("User Groups"),
},
--
2.26.2
From f6c460aee8542d4d81cd9970d71051c240156973 Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Thu, 16 Jul 2020 18:52:24 +0200
Subject: [PATCH] WebUI: Fix error "unknown command
'idoverrideuser_add_member'"
There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
as a result a wrong command was sent to the server.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/group.js | 1 -
1 file changed, 1 deletion(-)
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
index 2984bd4b2..61c19a82f 100644
--- a/install/ui/src/freeipa/group.js
+++ b/install/ui/src/freeipa/group.js
@@ -209,7 +209,6 @@ return {
{
$type: 'association',
name: 'member_idoverrideuser',
- associator: IPA.serial_associator,
add_title: '@i18n:objects.group.add_idoverride_user',
remove_title: '@i18n:objects.group.remove_idoverride_users',
columns: [
--
2.26.2
From e35739b7e9f6bb016b37abbd92bdaee71a59a288 Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Wed, 29 Jul 2020 09:41:36 +0200
Subject: [PATCH] WebUI tests: Add test case to cover user ID override feature
The test case includes adding an user ID override to Default Trust View
and adding the ID override to some IPA group.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_webui/test_trust.py | 41 +++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py
index c04c2fcd8..605f8a2a7 100644
--- a/ipatests/test_webui/test_trust.py
+++ b/ipatests/test_webui/test_trust.py
@@ -21,6 +21,8 @@
Trust tests
"""
+import ipatests.test_webui.data_group as group
+import ipatests.test_webui.data_idviews as idview
from ipatests.test_webui.ui_driver import UI_driver
from ipatests.test_webui.ui_driver import screenshot
from ipatests.test_webui.task_range import range_tasks
@@ -29,6 +31,8 @@ import pytest
ENTITY = 'trust'
CONFIG_ENTITY = 'trustconfig'
+DEFAULT_TRUST_VIEW = 'Default Trust View'
+
CONFIG_DATA = {
'mod': [
['combobox', 'ipantfallbackprimarygroup', 'admins'],
@@ -164,3 +168,40 @@ class test_trust(trust_tasks):
self.mod_record(CONFIG_ENTITY, CONFIG_DATA)
self.mod_record(CONFIG_ENTITY, CONFIG_DATA2)
+
+ @screenshot
+ def test_group_member_idoverrideuser(self):
+
+ self.init_app()
+
+ # Create new trust
+ data = self.get_data()
+ self.add_record(ENTITY, data)
+
+ # Create an user ID override
+ ad_domain = self.config.get('ad_domain')
+ ad_admin = self.config.get('ad_admin')
+ idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower()
+
+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
+ self.add_record(idview.ENTITY, {
+ 'pkey': idoverrideuser_pkey,
+ 'add': [
+ ('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey),
+ ],
+ }, facet='idoverrideuser')
+
+ # Create new group and add the user ID override there
+ self.navigate_to_entity(group.ENTITY)
+ self.add_record(group.ENTITY, group.DATA)
+ self.navigate_to_record(group.PKEY)
+ self.add_associations([idoverrideuser_pkey],
+ facet='member_idoverrideuser', delete=True)
+
+ # Clean up data
+ self.navigate_to_entity(group.ENTITY)
+ self.delete_record(group.PKEY)
+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
+ self.delete_record(idoverrideuser_pkey)
+ self.navigate_to_entity(ENTITY)
+ self.delete_record(ad_domain)
--
2.26.2

381
SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,381 @@
From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 11 Dec 2020 07:35:59 +0200
Subject: [PATCH] ipatests: add TestInstallWithoutSudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test IPA servers and clients behavior when sudo is not installed.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-9_latest.yaml | 12 ++++
.../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++
.../nightly_ipa-4-9_previous.yaml | 12 ++++
.../test_integration/test_installation.py | 66 +++++++++++++++++++
4 files changed, 103 insertions(+)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 3acd6a13c..d91b16cab 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index c01192cf5..8adb06d0c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -575,6 +575,19 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index a6ea24f6a..2b5d4fd5e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-previous
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-previous-ipa-4-9/test_idviews:
requires: [fedora-previous-ipa-4-9/build]
priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index eb6f7d78e..6e8af024c 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
self.replicas[0].hostname],
stdin_text=dirman_password)
assert self.replicas[0].hostname not in cmd.stdout_text
+
+
+class TestInstallWithoutSudo(IntegrationTest):
+
+ num_clients = 1
+ num_replicas = 1
+ no_sudo_str = "The sudo binary does not seem to be present on this"
+
+ @classmethod
+ def install(cls, mh):
+ pass
+
+ def test_sudo_removal(self):
+ # ipa-client makes sudo depend on libsss_sudo.
+
+ # --nodeps is mandatory because dogtag uses sudo at install
+ # time until commit 49585867207922479644a03078c29548de02cd03
+ # which is scheduled to land in 10.10.
+
+ # This also means sudo+libsss_sudo cannot be uninstalled on
+ # IPA servers with a CA.
+ assert tasks.is_package_installed(self.clients[0], 'sudo')
+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
+ tasks.uninstall_packages(
+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+
+ def test_ipa_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test installation without sudo
+ tasks.install_master(self.master, setup_dns=True)
+
+ def test_replica_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test replica installation
+ # without sudo and with CA
+ tasks.uninstall_packages(
+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ # One-step install is needed.
+ # With promote=True, two-step install is done and that only captures
+ # the ipa-replica-install stdout/stderr, not ipa-client-install's.
+ result = tasks.install_replica(
+ self.master, self.replicas[0], promote=False,
+ setup_dns=True, setup_ca=False
+ )
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_client_installation_without_sudo(self):
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_remove_sudo_on_ipa(self):
+ tasks.uninstall_packages(
+ self.master, ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ self.master.run_command(
+ ['ipactl', 'restart']
+ )
+
+ def test_install_sudo_on_client(self):
+ """ Check that installing sudo pulls libsss_sudo in"""
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg) is False
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_packages(self.clients[0], ['sudo'])
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg)
--
2.29.2
From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:35:12 +0200
Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.
Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
1 file changed, 41 insertions(+), 10 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index b91859816..2fe78367f 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -29,6 +29,7 @@ import re
import collections
import itertools
import shutil
+import shlex
import copy
import subprocess
import tempfile
@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
return tmpdir
-def uninstall_packages(host, pkgs):
+def uninstall_packages(host, pkgs, nodeps=False):
"""Uninstall packages on a remote host.
- :param host: the host where the uninstallation takes place
- :param pkgs: packages to uninstall, provided as a list of strings
+ :param host: the host where the uninstallation takes place.
+ :param pkgs: packages to uninstall, provided as a list of strings.
+ :param nodeps: ignore dependencies (dangerous!).
"""
platform = get_platform(host)
- # Only supports RHEL 8+ and Fedora for now
- if platform in ('rhel', 'fedora'):
- install_cmd = ['/usr/bin/dnf', 'remove', '-y']
- elif platform in ('ubuntu'):
- install_cmd = ['apt-get', 'remove', '-y']
+ if platform not in ('rhel', 'fedora', 'ubuntu'):
+ raise ValueError('uninstall_packages: unknown platform %s' % platform)
+ if nodeps:
+ if platform in ('rhel', 'fedora'):
+ cmd = "rpm -e --nodeps"
+ elif platform in ('ubuntu'):
+ cmd = "dpkg -P --force-depends"
+ for package in pkgs:
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.append(package)
+ # keep raiseonerr=True here. --fcami
+ host.run_command(uninstall_cmd)
else:
- raise ValueError('install_packages: unknown platform %s' % platform)
- host.run_command(install_cmd + pkgs, raiseonerr=False)
+ if platform in ('rhel', 'fedora'):
+ cmd = "/usr/bin/dnf remove -y"
+ elif platform in ('ubuntu'):
+ cmd = "apt-get remove -y"
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.extend(pkgs)
+ host.run_command(uninstall_cmd, raiseonerr=False)
def wait_for_request(host, request_id, timeout=120):
@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
assert "Authentication succeeded" not in stderr
assert "No more authentication methods to try." in stderr
return (return_code, stdout, stderr)
+
+
+def is_package_installed(host, pkg):
+ platform = get_platform(host)
+ if platform in ('rhel', 'fedora'):
+ result = host.run_command(
+ ['rpm', '-q', pkg], raiseonerr=False
+ )
+ elif platform in ['ubuntu']:
+ result = host.run_command(
+ ['dpkg', '-s', pkg], raiseonerr=False
+ )
+ else:
+ raise ValueError(
+ 'is_package_installed: unknown platform %s' % platform
+ )
+ return result.returncode == 0
--
2.29.2
From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:15:22 +0200
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/client.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 8acfa0cd1..0e478fa26 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -24,6 +24,7 @@ import re
import SSSDConfig
import shutil
import socket
+import subprocess
import sys
import tempfile
import textwrap
@@ -2200,7 +2201,18 @@ def install_check(options):
"authentication resources",
rval=CLIENT_INSTALL_ERROR)
- # when installing with '--no-sssd' option, check whether nss-ldap is
+ # When installing without the "--no-sudo" option, check whether sudo is
+ # available.
+ if options.conf_sudo:
+ try:
+ subprocess.Popen(['sudo -V'])
+ except FileNotFoundError:
+ logger.info(
+ "The sudo binary does not seem to be present on this "
+ "system. Please consider installing sudo if required."
+ )
+
+ # when installing with the '--no-sssd' option, check whether nss-ldap is
# installed
if not options.sssd:
if not os.path.exists(paths.PAM_KRB5_SO):
--
2.29.2
From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 07:55:16 +0200
Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
freeipa.spec.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ba52a3834..93e473ac4 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -640,6 +640,11 @@ Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version}
--
2.29.2

601
SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch
View File

@ -1,601 +0,0 @@
From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 11 Jun 2020 11:17:25 +0200
Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necesary to run pre/post installation hooks to make systemd aware
of new files.
Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
.gitignore | 4 +--
client/Makefile.am | 1 +
client/share/Makefile.am | 5 ++++
{install => client}/share/expire_msg.template | 0
client/systemd/Makefile.am | 27 +++++++++++++++++++
{init => client}/systemd/ipa-epn.service.in | 0
{init => client}/systemd/ipa-epn.timer.in | 0
configure.ac | 24 +++++++++++++++--
freeipa.spec.in | 15 +++++++++++
init/systemd/Makefile.am | 8 +++---
install/share/Makefile.am | 5 ----
server.m4 | 19 -------------
12 files changed, 76 insertions(+), 32 deletions(-)
rename {install => client}/share/expire_msg.template (100%)
create mode 100644 client/systemd/Makefile.am
rename {init => client}/systemd/ipa-epn.service.in (100%)
rename {init => client}/systemd/ipa-epn.timer.in (100%)
#diff --git a/.gitignore b/.gitignore
#index 6584c3b4f..4cedb1ff2 100644
#--- a/.gitignore
#+++ b/.gitignore
#@@ -94,8 +94,6 @@ freeipa2-dev-doc
# /init/ipa_memcached
# /init/systemd/ipa-custodia.service
# /init/systemd/ipa.service
#-/init/systemd/ipa-epn.service
#-/init/systemd/ipa-epn.timer
# /init/tmpfilesd/ipa.conf
#
# !/install/ui/doc/Makefile.in
#@@ -116,6 +114,8 @@ freeipa2-dev-doc
# /client/ipa-getkeytab
# /client/ipa-join
# /client/ipa-rmkeytab
#+/client/systemd/ipa-epn.service
#+/client/systemd/ipa-epn.timer
#
# /ipaplatform/override.py
# /ipapython/version.py
diff --git a/client/Makefile.am b/client/Makefile.am
index 858a9369e..87da87fcd 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -95,6 +95,7 @@ SUBDIRS = \
share \
man \
sysconfig \
+ systemd \
$(NULL)
# init
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 6d4a62d5e..1402a3a9d 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client
dist_app_DATA = \
freeipa.template \
$(NULL)
+
+epnconfdir = $(IPA_SYSCONF_DIR)/epn
+dist_epnconf_DATA = \
+ expire_msg.template \
+ $(NULL)
diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template
similarity index 100%
rename from install/share/expire_msg.template
rename to client/share/expire_msg.template
diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am
new file mode 100644
index 000000000..1f591be83
--- /dev/null
+++ b/client/systemd/Makefile.am
@@ -0,0 +1,27 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+dist_noinst_DATA = \
+ ipa-epn.service.in \
+ ipa-epn.timer.in \
+ $(NULL)
+
+systemdsystemunit_DATA = \
+ ipa-epn.service \
+ ipa-epn.timer \
+ $(NULL)
+
+CLEANFILES = $(systemdsystemunit_DATA)
+
+%: %.in Makefile
+ sed \
+ -e 's|@bindir[@]|$(bindir)|g' \
+ -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
+ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
+ '$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in
similarity index 100%
rename from init/systemd/ipa-epn.service.in
rename to client/systemd/ipa-epn.service.in
diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in
similarity index 100%
rename from init/systemd/ipa-epn.timer.in
rename to client/systemd/ipa-epn.timer.in
diff --git a/configure.ac b/configure.ac
index 5ec529088..586b2532a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir],
[runstatedir="/run"])
AC_SUBST([runstatedir])
+dnl ---------------------------------------------------------------------------
+dnl - Check for systemd directories
+dnl ---------------------------------------------------------------------------
+
+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
+AC_ARG_WITH([systemdsystemunitdir],
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
+ [Directory for systemd service files]),
+ [systemdsystemunitdir=$with_systemdsystemunitdir],
+ [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
+AC_SUBST([systemdsystemunitdir])
+
+AC_ARG_WITH([systemdtmpfilesdir],
+ AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
+ [Directory for systemd-tmpfiles configuration files]),
+ [systemdtmpfilesdir=$with_systemdtmpfilesdir],
+ [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
+AC_SUBST([systemdtmpfilesdir])
+
dnl ---------------------------------------------------------------------------
dnl - Server-only configuration
dnl ---------------------------------------------------------------------------
@@ -544,6 +563,7 @@ AC_CONFIG_FILES([
client/share/Makefile
client/man/Makefile
client/sysconfig/Makefile
+ client/systemd/Makefile
contrib/completion/Makefile
contrib/Makefile
daemons/dnssec/Makefile
@@ -637,13 +657,13 @@ echo "
jslint: ${JSLINT}
LDAP libs: ${LDAP_LIBS}
OpenSSL crypto libs: ${CRYPTO_LIBS}
- KRB5 libs: ${KRB5_LIBS}"
+ KRB5 libs: ${KRB5_LIBS}
+ systemdsystemunitdir: ${systemdsystemunitdir}"
AM_COND_IF([ENABLE_SERVER], [
echo "\
KRAD libs: ${KRAD_LIBS}
krb5rundir: ${krb5rundir}
- systemdsystemunitdir: ${systemdsystemunitdir}
systemdtmpfilesdir: ${systemdtmpfilesdir}
build mode: server & client"
], [
diff --git a/freeipa.spec.in b/freeipa.spec.in
index cec57e64e..1d8f4e6aa 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment
%package client-epn
Summary: Tools to configure Expiring Password Notification in IPA
Group: System Environment/Base
+Requires: systemd-units
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
Requires: %{name}-client = %{version}-%{release}
%description client-epn
@@ -1003,6 +1007,17 @@ fi
# ONLY_CLIENT
%endif
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
%post client
if [ $1 -gt 1 ] ; then
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 5053dbff6..175178787 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -2,17 +2,17 @@
#
AUTOMAKE_OPTIONS = 1.7
+NULL =
+
dist_noinst_DATA = \
ipa-custodia.service.in \
ipa.service.in \
- ipa-epn.service.in \
- ipa-epn.timer.in
+ $(NULL)
systemdsystemunit_DATA = \
ipa-custodia.service \
ipa.service \
- ipa-epn.service \
- ipa-epn.timer
+ $(NULL)
CLEANFILES = $(systemdsystemunit_DATA)
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 496e81288..e95796dfb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -106,8 +106,3 @@ dist_app_DATA = \
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
dist_kdcproxyconf_DATA = \
kdcproxy.conf
-
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
-dist_epnconf_DATA = \
- expire_msg.template \
- $(NULL)
diff --git a/server.m4 b/server.m4
index d35823e80..842d599d2 100644
--- a/server.m4
+++ b/server.m4
@@ -153,22 +153,3 @@ dnl Check for libverto
dnl ---------------------------------------------------------------------------
PKG_CHECK_MODULES([LIBVERTO], [libverto])
-
-dnl ---------------------------------------------------------------------------
-dnl - Check for systemd directories
-dnl ---------------------------------------------------------------------------
-
-PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
-AC_ARG_WITH([systemdsystemunitdir],
- AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
- [Directory for systemd service files]),
- [systemdsystemunitdir=$with_systemdsystemunitdir],
- [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
-AC_SUBST([systemdsystemunitdir])
-
-AC_ARG_WITH([systemdtmpfilesdir],
- AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
- [Directory for systemd-tmpfiles configuration files]),
- [systemdtmpfilesdir=$with_systemdtmpfilesdir],
- [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
-AC_SUBST([systemdtmpfilesdir])
--
2.26.2
From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 22 Jun 2020 16:39:02 +0200
Subject: [PATCH] EPN: ship the configuration file.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/man/epn.conf.5 | 5 ++--
client/share/Makefile.am | 7 +++++-
client/share/epn.conf | 54 ++++++++++++++++++++++++++++++++++++++++
freeipa.spec.in | 4 ++-
4 files changed, 65 insertions(+), 5 deletions(-)
create mode 100644 client/share/epn.conf
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
index 38e99e25d..14f5dbb75 100644
--- a/client/man/epn.conf.5
+++ b/client/man/epn.conf.5
@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is
root@localhost. Bounces will be sent here.
.TP
.B smtp_delay <milliseconds>
-Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue.
+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
.TP
.B mail_from <address>
-Specifies the From: e-mal address value in the e-mails sent. The default is
-noreply@ipadefaultemaildomain. This value can be found by running
+Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
.I ipa config-show
.TP
.B notify_ttls <list of days>
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 1402a3a9d..472242e62 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -5,7 +5,12 @@ dist_app_DATA = \
freeipa.template \
$(NULL)
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
+epnconfdir = $(IPA_SYSCONF_DIR)
dist_epnconf_DATA = \
+ epn.conf \
+ $(NULL)
+
+epntemplatedir = $(IPA_SYSCONF_DIR)/epn
+dist_epntemplate_DATA = \
expire_msg.template \
$(NULL)
diff --git a/client/share/epn.conf b/client/share/epn.conf
new file mode 100644
index 000000000..0e590dfc3
--- /dev/null
+++ b/client/share/epn.conf
@@ -0,0 +1,54 @@
+# Global IPA-EPN [0] configuration file.
+# For a complete explanation of each parameter, see the epn.conf(5)
+# manual page.
+# For best results, change no more than a single parameter at a time,
+# and test if ipa-epn(1) still works as intended, using --dry-run when
+# it makes sense.
+#
+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
+
+[global]
+
+# Specifies the SMTP server to use.
+smtp_server = localhost
+
+# Specifies the SMTP port.
+smtp_port = 25
+
+# Specifies the id of the user to authenticate with the SMTP server.
+# Default None (empty value).
+# smtp_user =
+
+# Specifies the password for the authorized user.
+# Default None (empty value).
+# smtp_password =
+
+# pecifies the number of seconds to wait for SMTP to respond.
+smtp_timeout = 60
+
+# Specifies the type of secure connection to make. Options are: none,
+# starttls and ssl.
+smtp_security = none
+
+# Specifies the From e-mail address value in the e-mails sent. Bounces will
+# be sent here.
+smtp_admin = root@localhost
+
+# Time to wait, in milliseconds, between each e-mail sent to try to avoid
+# overloading the mail queue.
+smtp_delay = 0
+
+# Specifies the From: e-mail address value in the e-mails sent.
+# The default when unset is noreply@ipadefaultemaildomain.
+# This value can be found by running ipa config-show.
+# mail_from =
+
+# The list of days before a password expiration when ipa-epn should notify
+# a user that their password will soon require a reset.
+notify_ttls = 28, 14, 7, 3, 1
+
+# Set the character set of the message.
+msg_charset = utf8
+
+# Set the message's MIME sub-content type.
+msg_subtype = plain
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5bce6f118..8cca99697 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1387,13 +1387,15 @@ fi
%files client-epn
%doc README.md Contributors.txt
+%dir %{_sysconfdir}/ipa/epn
%license COPYING
%{_sbindir}/ipa-epn
%{_mandir}/man1/ipa-epn.1*
%{_mandir}/man5/epn.conf.5*
%attr(644,root,root) %{_unitdir}/ipa-epn.service
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
-%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
%files -n python3-ipaclient
%doc README.md Contributors.txt
--
2.26.2
From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 23 Jun 2020 09:39:02 +0200
Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
client/man/epn.conf.5 | 2 +-
client/man/ipa-epn.1 | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
index 14f5dbb75..df1f0156c 100644
--- a/client/man/epn.conf.5
+++ b/client/man/epn.conf.5
@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@@redhat.com>
.\"
-.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages"
+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
epn.conf \- Expiring Password Notification configuration file
.SH "SYNOPSIS"
diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1
index 9999ea8ca..124fd4536 100644
--- a/client/man/ipa-epn.1
+++ b/client/man/ipa-epn.1
@@ -15,14 +15,14 @@
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\"
-.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages"
+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-epn \- Send expiring password nofications
.SH "SYNOPSIS"
-ipa\-epn \[options\]
+ipa\-epn \fR[options\fR]
.SH "DESCRIPTION"
-ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio
If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
-if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
--
2.26.2
From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 23 Jun 2020 13:50:02 +0200
Subject: [PATCH] ipatests: check that EPN's configuration file is installed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 7f56d4bc0..409d588d5 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest):
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
+ @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
+ def test_EPN_config_file(self):
+ """Check that the EPN configuration file is installed.
+ https://pagure.io/freeipa/issue/8374
+ """
+ epn_conf = "/etc/ipa/epn.conf"
+ epn_template = "/etc/ipa/epn/expire_msg.template"
+ cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
+ assert epn_conf in cmd1.stdout_text
+ assert epn_template in cmd1.stdout_text
+ cmd2 = self.master.run_command(["sha256sum", epn_conf])
+ ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
+ assert cmd2.stdout_text.find(ck) == 0
+
def test_EPN_smoketest_1(self):
"""No users except admin. Check --dry-run output.
With the default configuration, the result should be an empty list.
--
2.26.2
From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 24 Jun 2020 23:24:36 +0200
Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 409d588d5..9a9fb17b9 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest):
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
- @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
+ @pytest.mark.skip_if_platform(
+ "debian", reason="Cannot check installed packages using RPM"
+ )
def test_EPN_config_file(self):
"""Check that the EPN configuration file is installed.
https://pagure.io/freeipa/issue/8374
"""
+ # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378
+ rpm_q_cmds = [
+ ["rpm", "-qi", "freeipa-client"],
+ ["rpm", "-qi", "freeipa-client-epn"],
+ ["rpm", "-qc", "freeipa-client-epn"],
+ ["rpm", "-V", "freeipa-client-epn"],
+ ["rpm", "-qvc", "freeipa-client-epn"],
+ ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"],
+ ]
+ for cmd in rpm_q_cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ tasks.uninstall_packages(self.master, ["*ipa-client-epn"])
+ tasks.install_packages(self.master, ["*ipa-client-epn"])
+ for cmd in rpm_q_cmds:
+ self.master.run_command(cmd, raiseonerr=False)
+ # end workaround
epn_conf = "/etc/ipa/epn.conf"
epn_template = "/etc/ipa/epn/expire_msg.template"
cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
--
2.26.2

60
SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,60 @@
From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Date: Wed, 17 Feb 2021 19:43:00 +0530
Subject: [PATCH] ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.
related: https://pagure.io/freeipa/issue/8550
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_backup_and_restore.py | 22 ++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index f13dfb5cb..6890ef201 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
backup_path = tasks.get_backup_dir(self.master)
- self.master.run_command(['ipa-server-install',
- '--uninstall',
- '-U'])
+ # check that no error message in uninstall log for KRA instance
+ cmd = self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+ assert "failed to uninstall KRA" not in cmd.stderr_text
if reinstall:
tasks.install_master(self.master, setup_dns=True)
@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
"""backup, uninstall, reinstall, restore"""
self._full_backup_restore_with_vault(reinstall=True)
+ def test_no_error_message_with_uninstall_ipa_with_kra(self):
+ """Test there is no error message in uninstall log for KRA instance
+
+ There was error message in uninstall log when IPA with KRA was
+ uninstalled. This test check that there is no error message in
+ uninstall log for kra instance.
+
+ related: https://pagure.io/freeipa/issue/8550
+ """
+ cmd = self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+ assert "failed to uninstall KRA" not in cmd.stderr_text
+
class TestBackupAndRestoreWithReplica(IntegrationTest):
"""Regression tests for issues 7234 and 7455
--
2.29.2

147
SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
View File

@ -1,147 +0,0 @@
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 15 Jun 2020 18:38:35 -0400
Subject: [PATCH] Clarify AJP connector creation process
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 42c9db3fb..aa3baeb7c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
doc = server_xml.getroot()
# no AJP connector means no need to update anything
- connectors = doc.xpath('//Connector[@port="8009"]')
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
if len(connectors) == 0:
return
- # AJP connector is set on port 8009. Use non-greedy search to find it
+ # AJP protocol is at version 1.3. Assume there is only one as
+ # Dogtag only provisions one.
connector = connectors[0]
# Detect tomcat version and choose the right option name
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
rewrite = False
else:
if oldattr in connector.attrib:
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
+ # upgrade for us; we need only to ensure that we're not both
+ # attempting to upgrade server.xml at the same time.
+ # Hopefully this is guaranteed for us.
self.ajp_secret = connector.attrib[oldattr]
connector.attrib[secretattr] = self.ajp_secret
del connector.attrib[oldattr]
else:
- # Generate password, don't use special chars to not break XML
+ # Generate password, don't use special chars to not break XML.
+ #
+ # If we hit this case, pkispawn was run on an older Dogtag
+ # version and we're stuck migrating, choosing a password
+ # ourselves. Dogtag can't generate one randomly because a
+ # Dogtag administrator might've configured AJP and might
+ # not be using IPA.
+ #
+ # Newer Dogtag versions will generate a random password
+ # during pkispawn.
self.ajp_secret = ipautil.ipa_generate_password(special=None)
connector.attrib[secretattr] = self.ajp_secret
--
2.26.2
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 17 Jun 2020 16:00:25 -0400
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.
Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/ipaca_customize.ini | 1 +
install/share/ipaca_default.ini | 2 ++
ipaserver/install/dogtaginstance.py | 4 +++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
index 6d58579af..948734241 100644
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@@ -12,6 +12,7 @@
#
# Predefined variables
# - ipa_ca_subject
+# - ipa_ajp_secret
# - ipa_fqdn
# - ipa_subject_base
# - pki_admin_password
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 2b9900286..a51256116 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# ipa_ca_subject=
+# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_enable_proxy=True
+pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index aa3baeb7c..361d80a8c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -840,7 +840,9 @@ class PKIIniLoader:
pki_subsystem_type=subsystem.lower(),
home_dir=os.path.expanduser("~"),
# for softhsm2 testing
- softhsm2_so=paths.LIBSOFTHSM2_SO
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
+ # Configure a more secure AJP password by default
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
)
@classmethod
--
2.26.2

119
SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,119 @@
From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Tue, 16 Feb 2021 12:32:55 +0100
Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
mode
Related to https://pagure.io/freeipa/issue/8715
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 3e522617d..c8a348212 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -5,6 +5,7 @@ from __future__ import absolute_import
import re
import textwrap
import time
+import functools
import pytest
@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration import fips
from ipapython.dn import DN
from collections import namedtuple
from contextlib import contextmanager
@@ -20,6 +22,18 @@ from contextlib import contextmanager
TestDataRule = namedtuple('TestDataRule',
['name', 'ruletype', 'user', 'subject'])
+
+def skip_in_fips_mode_due_to_issue_8715(test_method):
+ @functools.wraps(test_method)
+ def wrapper(instance):
+ if fips.is_fips_enabled(instance.master):
+ pytest.skip('Skipping in FIPS mode due to '
+ 'https://pagure.io/freeipa/issue/8715')
+ else:
+ test_method(instance)
+ return wrapper
+
+
class BaseTestTrust(IntegrationTest):
num_clients = 1
topology = 'line'
@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
# Test for one-way forest trust with shared secret
+ @skip_in_fips_mode_due_to_issue_8715
def test_establish_forest_trust_with_shared_secret(self):
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.configure_windows_dns_for_trust(self.ad, self.master)
@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
tasks.establish_trust_with_ad(
self.master, self.ad_domain, shared_secret=self.shared_secret)
+ @skip_in_fips_mode_due_to_issue_8715
def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
self.check_trustdomains(
self.ad_domain, [self.ad_domain, self.ad_subdomain])
+ @skip_in_fips_mode_due_to_issue_8715
def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
"""Check that user has SID-generated UID"""
# Using domain name since it is lowercased realm name for AD domains
@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ @skip_in_fips_mode_due_to_issue_8715
def test_remove_forest_trust_with_shared_secret(self):
ps_cmd = (
'[System.DirectoryServices.ActiveDirectory.Forest]'
@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
# Test for one-way external trust with shared secret
+ @skip_in_fips_mode_due_to_issue_8715
def test_establish_external_trust_with_shared_secret(self):
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.configure_windows_dns_for_trust(self.ad, self.master)
@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
self.master, self.ad_domain, shared_secret=self.shared_secret,
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
+ @skip_in_fips_mode_due_to_issue_8715
def test_trustdomains_found_in_external_trust_with_shared_secret(self):
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
self.check_trustdomains(
self.ad_domain, [self.ad_domain])
+ @skip_in_fips_mode_due_to_issue_8715
def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
"""Check that user has SID-generated UID"""
# Using domain name since it is lowercased realm name for AD domains
@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ @skip_in_fips_mode_due_to_issue_8715
def test_remove_external_trust_with_shared_secret(self):
self.ad.run_command(
['netdom.exe', 'trust', self.master.domain.name,
--
2.29.2

167
SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch
View File

@ -1,167 +0,0 @@
From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 8 Jun 2020 19:27:30 +0200
Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 8 ++++----
ipaserver/plugins/baseuser.py | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/API.txt b/API.txt
index 5354a33a0..300b3d9b1 100644
--- a/API.txt
+++ b/API.txt
@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles')
option: Str('in_sudorule*', cli_name='in_sudorules')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
option: Str('homedirectory?', autofill=False, cli_name='homedir')
option: Str('initials?', autofill=False)
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index a0ed65874..e1b7763f0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -420,7 +420,7 @@ class baseuser(LDAPObject):
label=_('SMB Home Directory'),
flags=['no_create'],
),
- StrEnum('ipanthomedirectoryrive?',
+ StrEnum('ipanthomedirectorydrive?',
cli_name='smb_home_drive',
label=_('SMB Home Directory Drive'),
flags=['no_create'],
--
2.26.2
From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 8 Jun 2020 19:11:33 +0200
Subject: [PATCH] webui: hide user attributes for SMB services section if empty
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/ui/src/freeipa/user.js | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index fb626f2a1..8f1f5cd85 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -367,36 +367,39 @@ return {
{
name: 'smb_attributes',
label: '@i18n:objects.smb_attributes.title',
- show_cond: ['oc_ipantuserattrs'],
fields: [{
name: 'ipantlogonscript',
tooltip: {
title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipantprofilepath',
tooltip: {
title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipanthomedirectory',
tooltip: {
title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
- }
+ },
+ hidden_if_empty: true
},
{
name: 'ipanthomedirectorydrive',
$type: 'select',
options: IPA.create_options([
- 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
- 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
- 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
+ '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:',
+ 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:',
+ 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
]),
tooltip: {
title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
- }
+ },
+ hidden_if_empty: true
}
]
}
@@ -482,7 +485,6 @@ return {
IPA.user.self_service_other_user_evaluator,
IPA.user.preserved_user_evaluator,
IPA.user.is_locked_evaluator,
- IPA.object_class_evaluator,
IPA.cert.certificate_evaluator
],
summary_conditions: [
--
2.26.2

347
SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,347 @@
From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 3 Feb 2021 15:52:05 -0500
Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.
Instead pull the nickname from the DS configuration and
retrieve it based on that.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 2f2c15613..29af89cd5 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
certs.append((IPACertType.HTTPS, cert))
# LDAPS
- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
+ serverid = realm_to_serverid(api.env.realm)
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
+ ds_dbdir = dsinstance.config_dirname(serverid)
+ ds_nickname = ds.get_server_cert_nickname(serverid)
db = NSSDatabase(nssdir=ds_dbdir)
- cert = db.get_cert('Server-Cert')
+ cert = db.get_cert(ds_nickname)
if cert.not_valid_after <= now:
certs.append((IPACertType.LDAPS, cert))
@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
elif certtype is IPACertType.HTTPS:
shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
elif certtype is IPACertType.LDAPS:
- ds_dbdir = dsinstance.config_dirname(
- realm_to_serverid(api.env.realm))
+ serverid = realm_to_serverid(api.env.realm)
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
+ ds_dbdir = dsinstance.config_dirname(serverid)
db = NSSDatabase(nssdir=ds_dbdir)
- db.delete_cert('Server-Cert')
- db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
+ ds_nickname = ds.get_server_cert_nickname(serverid)
+ db.delete_cert(ds_nickname)
+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
elif certtype is IPACertType.KDC:
shutil.copyfile(cert_path, paths.KDC_CERT)
--
2.29.2
From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Feb 2021 08:25:48 -0500
Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 2f7de5526..f9e5fe6e2 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -11,6 +11,17 @@ import time
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+
+
+def server_install_teardown(func):
+ def wrapped(*args):
+ master = args[0].master
+ try:
+ func(*args)
+ finally:
+ ipa_certs_cleanup(master)
+ return wrapped
class TestIpaCertFix(IntegrationTest):
@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
else:
# timeout
raise AssertionError('Timeout: Failed to renew all the certs')
+
+
+class TestIpaCertFixThirdParty(CALessBase):
+ """
+ Test that ipa-cert-fix works with an installation with custom certs.
+ """
+
+ @classmethod
+ def install(cls, mh):
+ cls.nickname = 'ca1/server'
+
+ super(TestIpaCertFixThirdParty, cls).install(mh)
+ tasks.install_master(cls.master, setup_dns=True)
+
+ @server_install_teardown
+ def test_third_party_certs(self):
+ self.create_pkcs12(self.nickname,
+ password=self.cert_password,
+ filename='server.p12')
+ self.prepare_cacert('ca1')
+
+ # We have a chain length of one. If this is extended then the
+ # additional cert names will need to be calculated.
+ nick_chain = self.nickname.split('/')
+ ca_cert = '%s.crt' % nick_chain[0]
+
+ # Add the CA to the IPA store
+ self.copy_cert(self.master, ca_cert)
+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
+
+ # Apply the new cert chain otherwise ipa-server-certinstall will fail
+ self.master.run_command(['ipa-certupdate'])
+
+ # Install the updated certs and restart the world
+ self.copy_cert(self.master, 'server.p12')
+ args = ['ipa-server-certinstall',
+ '-p', self.master.config.dirman_password,
+ '--pin', self.master.config.admin_password,
+ '-d', 'server.p12']
+ self.master.run_command(args)
+ self.master.run_command(['ipactl', 'restart',])
+
+ # Run ipa-cert-fix. This is basically a no-op but tests that
+ # the DS nickname is used and not a hardcoded value.
+ result = self.master.run_command(['ipa-cert-fix', '-v'],)
+ assert self.nickname in result.stderr_text
--
2.29.2
From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 5 Feb 2021 09:00:54 -0500
Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
freeipa.spec.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 93e473ac4..0e261285b 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -128,11 +128,11 @@
%if 0%{?rhel} == 8
# PKIConnection has been modified to always validate certs.
# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+%global pki_version 10.10.4-1
%else
# New KRA profile, ACME support
# https://pagure.io/freeipa/issue/8545
-%global pki_version 10.10.0-2
+%global pki_version 10.10.3-1
%endif
# RHEL 8.3+, F32+ has 0.79.13
--
2.29.2
From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 10 Feb 2021 16:07:13 -0500
Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.
Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 29af89cd5..210cf80f1 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
from ipapython.dn import DN
from ipapython.ipaldap import realm_to_serverid
from ipaserver.install import ca, cainstance, dsinstance
+from ipaserver.install.certs import is_ipa_issued_cert
from ipapython import directivesetter
from ipapython import ipautil
@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
+
+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
+ print(
+ "The LDAP server is not running; cannot proceed."
+ )
+ return 1
+
api.Backend.ldap2.connect() # ensure DS is up
subject_base = dsinstance.DsInstance().find_subject_base()
@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
- certs, extra_certs = expired_certs(now)
+ certs, extra_certs, non_renewed = expired_certs(now)
if not certs and not extra_certs:
print("Nothing to do.")
@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
print(msg)
- print_intentions(certs, extra_certs)
+ print_intentions(certs, extra_certs, non_renewed)
response = ipautil.user_input('Enter "yes" to proceed')
if response.lower() != 'yes':
@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
fix_certreq_directives(certs)
run_cert_fix(certs, extra_certs)
except ipautil.CalledProcessError:
- if any(x[0] is IPACertType.LDAPS for x in extra_certs):
+ if any(
+ x[0] is IPACertType.LDAPS
+ for x in extra_certs + non_renewed
+ ):
# The DS cert was expired. This will cause
# 'pki-server cert-fix' to fail at the final
# restart. Therefore ignore the CalledProcessError
@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
print("Becoming renewal master.")
cainstance.CAInstance().set_renewal_master()
+ print("Restarting IPA")
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
return 0
def expired_certs(now):
- return expired_dogtag_certs(now), expired_ipa_certs(now)
+ expired_ipa, non_renew_ipa = expired_ipa_certs(now)
+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
def expired_dogtag_certs(now):
@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
"""
certs = []
+ non_renewed = []
# IPA RA
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
# Apache HTTPD
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if cert.not_valid_after <= now:
- certs.append((IPACertType.HTTPS, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.HTTPS, cert))
+ else:
+ certs.append((IPACertType.HTTPS, cert))
# LDAPS
serverid = realm_to_serverid(api.env.realm)
@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
db = NSSDatabase(nssdir=ds_dbdir)
cert = db.get_cert(ds_nickname)
if cert.not_valid_after <= now:
- certs.append((IPACertType.LDAPS, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.LDAPS, cert))
+ else:
+ certs.append((IPACertType.LDAPS, cert))
# KDC
cert = x509.load_certificate_from_file(paths.KDC_CERT)
if cert.not_valid_after <= now:
- certs.append((IPACertType.KDC, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.HTTPS, cert))
+ else:
+ certs.append((IPACertType.KDC, cert))
- return certs
+ return certs, non_renewed
-def print_intentions(dogtag_certs, ipa_certs):
- print("The following certificates will be renewed: ")
+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
+ print("The following certificates will be renewed:")
print()
for certid, cert in dogtag_certs:
@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
for certtype, cert in ipa_certs:
print_cert_info("IPA", certtype.value, cert)
+ if non_renewed:
+ print(
+ "The following certificates will NOT be renewed because "
+ "they were not issued by the IPA CA:"
+ )
+ print()
+
+ for certtype, cert in non_renewed:
+ print_cert_info("IPA", certtype.value, cert)
+
def print_cert_info(context, desc, cert):
print("{} {} certificate:".format(context, desc))
--
2.29.2

135
SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,135 @@
From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Wed, 17 Feb 2021 16:48:33 +0100
Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
Related to https://pagure.io/freeipa/issue/8636
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
ipatests/test_integration/test_smb.py | 63 +++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
index 55291ae8b..f62b667bd 100644
--- a/ipatests/pytest_ipa/integration/__init__.py
+++ b/ipatests/pytest_ipa/integration/__init__.py
@@ -28,12 +28,14 @@ import os
import tempfile
import shutil
import re
+import functools
import pytest
from pytest_multihost import make_multihost_fixture
from ipapython import ipautil
from ipaplatform.paths import paths
+from . import fips
from .config import Config
from .env_config import get_global_config
from . import tasks
@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
del cls.ad_subdomains
del cls.ad_treedomains
del cls.ad_domains
+
+
+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
+ if callable(reason):
+ raise TypeError('Invalid decorator usage, add "()"')
+
+ def decorator(test_method):
+ @functools.wraps(test_method)
+ def wrapper(instance, *args, **kwargs):
+ if fips.is_fips_enabled(getattr(instance, host)):
+ pytest.skip(reason)
+ else:
+ test_method(instance, *args, **kwargs)
+ return wrapper
+ return decorator
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 37725ab15..749a96325 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
+from ipatests.pytest_ipa.integration import skip_if_fips
def wait_smbd_functional(host):
@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
finally:
self.cleanup_mount(mountpoint)
+ def check_repeated_smb_mount(self, options):
+ mountpoint = '/mnt/smb'
+ unc = '//{}/homes'.format(self.smbserver.hostname)
+ test_file = 'ntlm_test'
+ test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
+ test_file_client_path = '{}/{}'.format(mountpoint, test_file)
+
+ self.smbclient.run_command(['mkdir', '-p', mountpoint])
+ self.smbserver.put_file_contents(test_file_server_path, '')
+ try:
+ for i in [1, 2]:
+ res = self.smbclient.run_command([
+ 'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
+ raiseonerr=False)
+ assert res.returncode == 0, (
+ 'Mount failed at iteration {}. Output: {}'
+ .format(i, res.stdout_text + res.stderr_text))
+ assert self.smbclient.transport.file_exists(
+ test_file_client_path)
+ self.smbclient.run_command(['umount', mountpoint])
+ finally:
+ self.cleanup_mount(mountpoint)
+ self.smbserver.run_command(['rm', '-f', test_file_server_path])
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_auto_domain(self):
+ """Repeatedly try to authenticate with username and password with
+ automatic domain discovery.
+
+ This is a regression test for https://pagure.io/freeipa/issue/8636
+ """
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user},pass={password},domainauto'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password
+ )
+
+ self.check_repeated_smb_mount(mount_options)
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user}@{domain},pass={password}'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password,
+ domain=self.master.domain.name.lower()
+ )
+ self.check_repeated_smb_mount(mount_options)
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user}@{domain},pass={password}'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password,
+ domain=self.master.domain.name.upper()
+ )
+ self.check_repeated_smb_mount(mount_options)
+
def test_uninstall_samba(self):
self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
res = self.smbserver.run_command(
--
2.29.2

93
SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch
View File

@ -1,93 +0,0 @@
From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 2 Jul 2020 15:50:00 +0300
Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for
execution
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
SELinux policy permission to use 'noatsecure'. This comes most likely
from execve() setup by glibc.
Add SELinux interface ipa_helper_noatsecure() that can be called by
oddjob's SELinux policy definition.
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
access SELinux configuration and produce AVC for that. Allow reading
general userspace SELinux configuration.
Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.if | 18 ++++++++++++++++++
selinux/ipa.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index ea971b8fa..783db8b78 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',`
ps_process_pattern($1, dirsrv_t)
')
')
+
+
+########################################
+## <summary>
+## Allow ipa_helper noatsecure
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_helper_noatsecure',`
+ gen_require(`
+ type ipa_helper_t;
+ ')
+ allow $1 ipa_helper_t:process { noatsecure };
+')
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 587e5e585..383979094 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -115,6 +115,7 @@ optional_policy(`
allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
+seutil_read_config(ipa_helper_t);
#kernel bug
dontaudit ipa_helper_t self:capability2 block_suspend;
--
2.26.2
From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 3 Jul 2020 17:20:49 +0300
Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes
Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 383979094..a3381217a 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -390,3 +390,7 @@ optional_policy(`
sssd_search_lib(ipa_custodia_t)
sssd_stream_connect(ipa_custodia_t)
')
+
+optional_policy(`
+ systemd_private_tmp(ipa_custodia_tmp_t)
+')
--
2.26.2

180
SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
View File

@ -1,180 +0,0 @@
From 128500198d3782a76616cf1d971d5aeb17e8c1da Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 11 Jun 2020 22:42:38 +1000
Subject: [PATCH] fix iPAddress cert issuance for >1 host/service
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to a
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/cert.py | 6 +-
.../test_cert_request_ip_address.py | 62 +++++++++++++++++--
2 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index d353bc3ea..fe7ea34f5 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
try:
if principal_type == HOST:
alt_principal_obj = api.Command['host_show'](
- name, all=True)
+ name, all=True)['result']
elif principal_type == KRBTGT:
alt_principal = kerberos.Principal(
(u'host', name), principal.realm)
elif principal_type == SERVICE:
alt_principal_obj = api.Command['service_show'](
- alt_principal, all=True)
+ alt_principal, all=True)['result']
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
pass
# Now check write access and caacl
- altdn = alt_principal_obj['result']['dn']
+ altdn = alt_principal_obj['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
index bf4de05bf..c0475d30d 100644
--- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py
+++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
@@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
-host_fqdn = f'iptest.{api.env.domain}'
+host_shortname = 'iptest'
+host_fqdn = f'{host_shortname}.{api.env.domain}'
host_princ = f'host/{host_fqdn}'
host_ptr = f'{host_fqdn}.'
+host2_shortname = 'iptest2'
+host2_fqdn = f'{host2_shortname}.{api.env.domain}'
+host2_princ = f'host/{host2_fqdn}'
+host2_ptr = f'{host2_fqdn}.'
+
other_fqdn = f'other.{api.env.domain}'
other_ptr = f'{other_fqdn}.'
@@ -39,6 +45,10 @@ ipv4_address = '169.254.0.42'
ipv4_revzone_s = '0.254.169.in-addr.arpa.'
ipv4_revrec_s = '42'
+host2_ipv4_address = '169.254.0.43'
+host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.'
+host2_ipv4_revrec_s = '43'
+
ipv6_address = 'fe80::8f18:bdab:4299:95fa'
ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.'
ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
@@ -46,7 +56,13 @@ ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
@pytest.fixture(scope='class')
def host(request, xmlrpc_setup):
- tr = HostTracker('iptest')
+ tr = HostTracker(host_shortname)
+ return tr.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def host2(request, xmlrpc_setup):
+ tr = HostTracker(host2_shortname)
return tr.make_fixture(request)
@@ -88,6 +104,12 @@ def ipv6_revzone(host):
yield from _zone_setup(host, ipv6_revzone_s)
+@pytest.fixture(scope='class')
+def host2_ipv4_ptr(host2, ipv4_revzone):
+ yield from _record_setup(
+ host2, ipv4_revzone, host2_ipv4_revrec_s, ptrrecord=host2_ptr)
+
+
@pytest.fixture(scope='class')
def ipv4_ptr(host, ipv4_revzone):
yield from _record_setup(
@@ -100,16 +122,22 @@ def ipv6_ptr(host, ipv6_revzone):
host, ipv6_revzone, ipv6_revrec_s, ptrrecord=host_ptr)
+@pytest.fixture(scope='class')
+def host2_ipv4_a(host2):
+ yield from _record_setup(
+ host2, api.env.domain, host2_shortname, arecord=host2_ipv4_address)
+
+
@pytest.fixture(scope='class')
def ipv4_a(host):
yield from _record_setup(
- host, api.env.domain, 'iptest', arecord=ipv4_address)
+ host, api.env.domain, host_shortname, arecord=ipv4_address)
@pytest.fixture(scope='class')
def ipv6_aaaa(host):
yield from _record_setup(
- host, api.env.domain, 'iptest', aaaarecord=ipv6_address)
+ host, api.env.domain, host_shortname, aaaarecord=ipv6_address)
@pytest.fixture(scope='class')
@@ -210,6 +238,12 @@ csr_cname2 = csr([
x509.DNSName(f'cname2.{api.env.domain}'),
x509.IPAddress(ipaddress.ip_address(ipv4_address)),
])
+csr_two_dnsname_two_ip = csr([
+ x509.DNSName(host_fqdn),
+ x509.IPAddress(ipaddress.ip_address(ipv4_address)),
+ x509.DNSName(host2_fqdn),
+ x509.IPAddress(ipaddress.ip_address(host2_ipv4_address)),
+])
@pytest.fixture
@@ -449,3 +483,23 @@ class TestIPAddressCNAME(XMLRPC_test):
def test_two_levels(self, host, csr_cname2):
with pytest.raises(errors.ValidationError, match=PAT_FWD):
host.run_command('cert_request', csr_cname2, principal=host_princ)
+
+
+@pytest.mark.tier1
+class TestTwoHostsTwoIPAddresses(XMLRPC_test):
+ """
+ Test certificate issuance with CSR containing two hosts
+ and two IP addresses (one for each host).
+
+ """
+ def test_host_exists(
+ self, host, host2, ipv4_a, ipv4_ptr, host2_ipv4_a, host2_ipv4_ptr,
+ ):
+ # for convenience, this test also establishes the DNS
+ # record fixtures, which have class scope
+ host.ensure_exists()
+ host2.ensure_exists()
+
+ def test_issuance(self, host, csr_two_dnsname_two_ip):
+ host.run_command(
+ 'cert_request', csr_two_dnsname_two_ip, principal=host_princ)
--
2.26.2

79
SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,79 @@
From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 16 Feb 2021 16:53:24 +0100
Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.
Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/bindinstance.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 3b446ce76..19941cd00 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
- if zonemgr is None:
+ if not zonemgr:
zonemgr = 'hostmaster.%s' % name
if ns_hostname:
@@ -682,7 +682,7 @@ class BindInstance(service.Service):
self.forward_policy = forward_policy
self.reverse_zones = reverse_zones
- if zonemgr is not None:
+ if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
--
2.29.2
From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 16 Feb 2021 18:24:26 +0100
Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
install
Add test to check that zonemgr is correctly
set when installing IPA server.
Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_installation.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 6e8af024c..18c5bd243 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
extra_args=['--zonemgr', 'me@example.org'],
)
+ tasks.kinit_admin(self.master)
+ result = self.master.run_command(
+ ['ipa', 'dnszone-show', self.master.domain.name]
+ ).stdout_text
+
+ assert "Administrator e-mail address: me.example.org" in result
+
def test_server_install_lock_bind_recursion(self):
"""Test if server installer lock Bind9 recursion
--
2.29.2

118
SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch
View File

@ -1,118 +0,0 @@
From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 19 Jun 2020 08:48:56 -0400
Subject: [PATCH] Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.
Point to IPA CA certificate during pkispawn
Bump pki_version to 10.9.0-0.4 (aka -b2)
Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
freeipa.spec.in | 6 +++---
install/tools/ipa-pki-wait-running.in | 3 ++-
ipaserver/install/cainstance.py | 7 +++++++
ipaserver/install/dogtaginstance.py | 3 ++-
ipaserver/plugins/dogtag.py | 11 +++++------
5 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 74e752ea5..d00b9d640 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,9 +112,9 @@
# Fedora
%endif
-# 10.7.3 supports LWCA key replication using AES
-# https://pagure.io/freeipa/issue/8020
-%global pki_version 10.7.3-1
+# PKIConnection has been modified to always validate certs.
+# https://pagure.io/freeipa/issue/8379
+%global pki_version 10.9.0-0.4
# https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-1
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
index 69f5ec296..4f0f2f34a 100644
--- a/install/tools/ipa-pki-wait-running.in
+++ b/install/tools/ipa-pki-wait-running.in
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
"""
conn = PKIConnection(
hostname=hostname,
- subsystem=subsystem
+ subsystem=subsystem,
+ cert_paths=paths.IPA_CA_CRT
)
logger.info(
"Created connection %s://%s:%s/%s",
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 706bc28cc..9294f1dba 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
else:
pki_pin = None
+ # When spawning a CA instance, always point to IPA_CA_CRT if it
+ # exists. Later, when we're performing step 2 of an external CA
+ # installation, we'll overwrite this key to point to the real
+ # external CA.
+ if os.path.exists(paths.IPA_CA_CRT):
+ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
+
if self.clone:
if self.no_db_setup:
cfg.update(
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 361d80a8c..7e295665c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -70,7 +70,8 @@ def get_security_domain():
connection = PKIConnection(
protocol='https',
hostname=api.env.ca_host,
- port='8443'
+ port='8443',
+ cert_paths=paths.IPA_CA_CRT
)
domain_client = pki.system.SecurityDomainClient(connection)
info = domain_client.get_security_domain_info()
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 4de26d76f..b300f6b18 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2082,13 +2082,12 @@ class kra(Backend):
'https',
self.kra_host,
str(self.kra_port),
- 'kra')
+ 'kra',
+ cert_paths=paths.IPA_CA_CRT
+ )
- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
- # uncomment the following when this commit makes it to release
- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
- # connection.set_authentication_cert(paths.RA_AGENT_PEM,
- # paths.RA_AGENT_KEY)
+ connection.set_authentication_cert(paths.RA_AGENT_PEM,
+ paths.RA_AGENT_KEY)
try:
yield KRAClient(connection, crypto)
--
2.26.2

318
SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,318 @@
From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Tue, 2 Feb 2021 17:33:57 +0530
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f9e5fe6e2..da68af573 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
import pytest
import time
+import logging
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+logger = logging.getLogger(__name__)
+
+
def server_install_teardown(func):
def wrapped(*args):
master = args[0].master
@@ -24,6 +28,26 @@ def server_install_teardown(func):
return wrapped
+def check_status(host, cert_count, state, timeout=600):
+ """Helper method to check that if all the certs are in given state
+ :param host: the host
+ :param cert_count: no of cert to look for
+ :param state: state to check for
+ :param timeout: max time in seconds to wait for the state
+ """
+ for _i in range(0, timeout, 10):
+ result = host.run_command(['getcert', 'list'])
+ count = result.stdout_text.count(f"status: {state}")
+ logger.info("cert count in %s state : %s", state, count)
+ if int(count) == cert_count:
+ break
+ time.sleep(10)
+ else:
+ raise RuntimeError("request timed out")
+
+ return count
+
+
class TestIpaCertFix(IntegrationTest):
@classmethod
def uninstall(cls, mh):
@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
# timeout
raise AssertionError('Timeout: Failed to renew all the certs')
+ def test_renew_expired_cert_on_master(self, expire_cert_critical):
+ """Test if ipa-cert-fix renews expired certs
+
+ Test moves system date to expire certs. Then calls ipa-cert-fix
+ to renew them. This certs include subsystem, audit-signing,
+ OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ # wait for cert expiry
+ check_status(self.master, 8, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 9, "MONITORING")
+
+ # second iteration of ipa-cert-fix
+ result = self.master.run_command(
+ ['ipa-cert-fix', '-v'],
+ stdin_text='yes\n'
+ )
+ assert "Nothing to do" in result.stdout_text
+ check_status(self.master, 9, "MONITORING")
+
+ def test_ipa_cert_fix_non_ipa(self):
+ """Test ipa-cert-fix doesn't work on non ipa system
+
+ ipa-cert-fix tool should not work on non ipa system.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+ assert result.returncode == 2
+
class TestIpaCertFixThirdParty(CALessBase):
"""
--
2.29.2
From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Feb 2021 16:54:22 +0530
Subject: [PATCH] Move fixture outside the class and add setup_kra capability
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++-------
1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index da68af573..591dc5031 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
return count
+@pytest.fixture
+def expire_cert_critical():
+ """
+ Fixture to expire the certs by moving the system date using
+ date -s command and revert it back
+ """
+
+ hosts = dict()
+
+ def _expire_cert_critical(host, setup_kra=False):
+ hosts['host'] = host
+ # Do not install NTP as the test plays with the date
+ tasks.install_master(host, setup_dns=False,
+ extra_args=['--no-ntp'])
+ if setup_kra:
+ tasks.install_kra(host)
+ host.run_command(['systemctl', 'stop', 'chronyd'])
+ host.run_command(['date', '-s', '+3Years+1day'])
+
+ yield _expire_cert_critical
+
+ host = hosts.pop('host')
+ tasks.uninstall_master(host)
+ host.run_command(['date', '-s', '-3Years-1day'])
+ host.run_command(['systemctl', 'start', 'chronyd'])
+
+
class TestIpaCertFix(IntegrationTest):
@classmethod
def uninstall(cls, mh):
@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
# the fixture
pass
- @pytest.fixture
- def expire_cert_critical(self):
- """
- Fixture to expire the certs by moving the system date using
- date -s command and revert it back
- """
- # Do not install NTP as the test plays with the date
- tasks.install_master(self.master, setup_dns=False,
- extra_args=['--no-ntp'])
- self.master.run_command(['systemctl', 'stop', 'chronyd'])
- self.master.run_command(['date','-s', '+3Years+1day'])
- yield
- tasks.uninstall_master(self.master)
- self.master.run_command(['date','-s', '-3Years-1day'])
- self.master.run_command(['systemctl', 'start', 'chronyd'])
-
def test_missing_csr(self, expire_cert_critical):
"""
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
- call getcert resubmit in order to create the CSR in certmonger file
- use ipa-cert-fix, no issue should be seen
"""
+ expire_cert_critical(self.master)
# pki must be stopped in order to edit CS.cfg
self.master.run_command(['ipactl', 'stop'])
self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
related: https://pagure.io/freeipa/issue/7885
"""
+ expire_cert_critical(self.master)
+
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
--
2.29.2
From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Feb 2021 16:59:53 +0530
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
installed
This test check if ipa-cert-fix renews certs with kra
certificate installed.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 591dc5031..b2e92d4dc 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
# the DS nickname is used and not a hardcoded value.
result = self.master.run_command(['ipa-cert-fix', '-v'],)
assert self.nickname in result.stderr_text
+
+
+class TestCertFixKRA(IntegrationTest):
+ @classmethod
+ def uninstall(cls, mh):
+ # Uninstall method is empty as the uninstallation is done in
+ # the fixture
+ pass
+
+ def test_renew_expired_cert_with_kra(self, expire_cert_critical):
+ """Test if ipa-cert-fix renews expired certs with kra installed
+
+ This test check if ipa-cert-fix renews certs with kra
+ certificate installed.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ expire_cert_critical(self.master, setup_kra=True)
+
+ # check if all subsystem cert expired
+ check_status(self.master, 11, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 12, "MONITORING")
--
2.29.2
From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Tue, 2 Mar 2021 11:42:36 +0530
Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +-
ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index ebd539246..8a88698eb 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1687,5 +1687,5 @@ jobs:
build_url: '{fedora-latest-ipa-4-9/build_url}'
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-latest
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index d4b597d6e..14f0c4292 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1821,5 +1821,5 @@ jobs:
selinux_enforcing: True
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-latest
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 1fd589e6a..b7f8d2b3e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1687,5 +1687,5 @@ jobs:
build_url: '{fedora-previous-ipa-4-9/build_url}'
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-previous
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
--
2.29.2

34
SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
View File

@ -1,34 +0,0 @@
From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 15 Jul 2020 10:23:35 +0200
Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
from upstream rules. It breaks installations on systems that don't have
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
Fixes: https://pagure.io/freeipa/issue/8412
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index a3381217a4..c4c3fa805e 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -378,6 +378,13 @@ optional_policy(`
ipa_search_lib(ipa_custodia_t)
')
+optional_policy(`
+ gen_require(`
+ type httpd_t;
+ ')
+ ipa_custodia_stream_connect(httpd_t)
+')
+
optional_policy(`
pki_manage_tomcat_etc_rw(ipa_custodia_t)
pki_read_tomcat_cert(ipa_custodia_t)

37
SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch Normal file
View File

@ -0,0 +1,37 @@
From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 2 Mar 2021 08:44:35 +0100
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
The fix provides a complete date with year-month-day hours:min:sec.
Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_commands.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 45f642bf2..b7ffb926f 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
# start to look at logs a bit before "now"
# https://pagure.io/freeipa/issue/8432
since = time.strftime(
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+ '%Y-%m-%d %H:%M:%S',
+ (datetime.now() - timedelta(seconds=10)).timetuple()
)
tasks.run_ssh_cmd(
--
2.29.2

189
SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
View File

@ -1,189 +0,0 @@
From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 29 Jul 2020 13:35:49 +0200
Subject: [PATCH] ipa-client-install: use the authselect backup during
uninstall
When ipa-client-install is run on a system with no existing
authselect configuration (for instance a fedora 31 new install),
uninstallation is picking sssd profile but this may lead to
a configuration with differences compared to the pre-ipa-client
state.
Now that authselect provides an option to backup the existing
configuration prior to setting a profile, the client install
can save the backup name and uninstall is able to apply the
backup in order to go back to the pre-ipa-client state.
Fixes: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------
1 file changed, 16 insertions(+), 21 deletions(-)
diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index 758376f2b..89f452d66 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -27,6 +27,7 @@ from ipaplatform.paths import paths
from ipapython import ipautil
from ipapython.admintool import ScriptError
import os
+import time
FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase):
def configure(self, sssd, mkhomedir, statestore, sudo=True):
# In the statestore, the following keys are used for the
# 'authselect' module:
+ # Old method:
# profile: name of the profile configured pre-installation
# features_list: list of features configured pre-installation
# mkhomedir: True if installation was called with --mkhomedir
# profile and features_list are used when reverting to the
# pre-install state
- cfg = self._parse_authselect_output()
- if cfg:
- statestore.backup_state('authselect', 'profile', cfg[0])
- statestore.backup_state(
- 'authselect', 'features_list', " ".join(cfg[1]))
- else:
- # cfg = None means that the current conf is not managed by
- # authselect but by authconfig.
- # As we are using authselect to configure the host,
- # it will not be possible to revert to a custom authconfig
- # configuration later (during uninstall)
- # Best thing to do will be to use sssd profile at this time
- logger.warning(
- "WARNING: The configuration pre-client installation is not "
- "managed by authselect and cannot be backed up. "
- "Uninstallation may not be able to revert to the original "
- "state.")
+ # New method:
+ # backup: name of the authselect backup
+ backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S"))
+ statestore.backup_state('authselect', 'backup', backup_name)
cmd = [paths.AUTHSELECT, "select", "sssd"]
if mkhomedir:
@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase):
if sudo:
cmd.append("with-sudo")
cmd.append("--force")
+ cmd.append("--backup={}".format(backup_name))
ipautil.run(cmd)
@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase):
else:
features = []
- cmd = [paths.AUTHSELECT, "select", profile]
- cmd.extend(features)
- cmd.append("--force")
- ipautil.run(cmd)
+ backup = statestore.restore_state('authselect', 'backup')
+ if backup:
+ cmd = [paths.AUTHSELECT, "backup-restore", backup]
+ ipautil.run(cmd)
+ else:
+ cmd = [paths.AUTHSELECT, "select", profile]
+ cmd.extend(features)
+ cmd.append("--force")
+ ipautil.run(cmd)
def backup(self, path):
current = self._get_authselect_current_output()
--
2.26.2
# Not needed for 4.7.8 release
#
#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001
#From: Florence Blanc-Renaud <flo@redhat.com>
#Date: Wed, 29 Jul 2020 13:40:26 +0200
#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py
#
#Related: https://pagure.io/freeipa/issue/8189
#Reviewed-By: Francois Cami <fcami@redhat.com>
#Reviewed-By: Michal Polovka <mpolovka@redhat.com>
#---
# ipatests/test_integration/test_nfs.py | 4 ----
# 1 file changed, 4 deletions(-)
#
#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
#index 7272b0d44..832c56cca 100644
#--- a/ipatests/test_integration/test_nfs.py
#+++ b/ipatests/test_integration/test_nfs.py
#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
# cmd = self.clients[0].run_command(sha256nsswitch_cmd)
# assert cmd.stdout_text == orig_sha256
#
#- @pytest.mark.xfail(
#- reason="https://pagure.io/freeipa/issue/8189",
#- strict=True
#- )
# def test_nsswitch_backup_restore_sssd(self):
# self.nsswitch_backup_restore()
#
#--
#2.26.2
From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 29 Jul 2020 17:57:53 +0200
Subject: [PATCH] ipatests: fix test_authselect
Before the code fix, install/uninstall on a config without
any authselect profile was not able to restore the exact
state but configured sssd profile instead.
Now that the code is doing a pre-install backup, uninstall
restores the exact state and the test needs to be updated
accordingly.
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_authselect.py | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
index bdf7d9f77..cba23e707 100644
--- a/ipatests/test_integration/test_authselect.py
+++ b/ipatests/test_integration/test_authselect.py
@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest):
['rm', '-f', '/etc/authselect/authselect.conf'])
result = self._install_client()
assert result.returncode == 0
- assert self.msg_warn_install in result.stderr_text
+ # With the fix for 8189, there is no warning any more
+ # because install is performing a pre-install backup
+ assert self.msg_warn_install not in result.stderr_text
# Client installation must configure the 'sssd' profile
# with sudo
check_authselect_profile(self.client, default_profile, ('with-sudo',))
@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest):
"""
Test client un-installation when there was no authselect profile
"""
- # As the client did not have any authselect profile before install,
- # uninstall must print a warning about restoring 'sssd' profile
- # by default
+ # The client did not have any authselect profile before install,
+ # but uninstall must be able to restore the backup
+ # Check that no profile is configured after uninstall
result = self._uninstall_client()
assert result.returncode == 0
- check_authselect_profile(self.client, default_profile)
+ assert not self.client.transport.file_exists(
+ '/etc/authselect/authselect.conf')
def test_install_client_preconfigured_profile(self):
"""
--
2.26.2

561
SOURCES/0029-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1935146.patch → SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
View File

@ -1,30 +1,239 @@
Adapted version due to missing patches: From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 19 Feb 2021 15:37:47 +0200
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee Calling to ipadb_get_connection() will remove LDAP context if any error
Author: Slava Aseev <ptrnine@altlinux.org> happens. This means upper layers must always verify that LDAP context
Date: Mon Nov 23 18:23:01 2020 +0300 exists after such calls.
ipa-kdb: handle dates up to 2106-02-07 06:28:16 ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.
commit 44c222aca9bb0056004f15dfb187d3f249ed0452 Fixes: https://pagure.io/freeipa/issue/8681
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu Dec 17 12:22:47 2020 +0200
ipa-kdb: use predefined filters for a wild-card searches Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 1 +
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
3 files changed, 37 insertions(+), 22 deletions(-)
commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8 diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
Author: Robbie Harwood <rharwood@redhat.com> index 43ba955ac..6e1e3e351 100644
Date: Tue Nov 10 14:07:47 2020 -0500 --- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
/* ldap free lcontext */
if ((*ctx)->lcontext) {
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
+ (*ctx)->lcontext = NULL;
}
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 31f617129..81a8fd483 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
krb5_timestamp authtime,
struct netr_SamInfo3 *info3)
{
- LDAP *lcontext = ipactx->lcontext;
LDAPDerefRes *deref_results = NULL;
struct dom_sid sid;
gid_t prigid = -1;
@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
bool is_idobject = false;
krb5_principal princ;
ipa-kdb: implement AS-REQ lifetime jitter - ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
&objectclasses);
if (ret == 0 && objectclasses != NULL) {
for (c = 0; objectclasses[c] != NULL; c++) {
@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
commit d6a8fc290aa93fc5d53025f4400a9736366175eb if (is_host) {
Author: Rob Crittenden <rcritten@redhat.com> - ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
Date: Thu Sep 24 22:39:36 2020 -0400 + ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
if (ret) {
/* fqdn is mandatory for hosts */
return ret;
}
} else if (is_service) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbCanonicalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
return ret;
@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
if (ret) {
/* uid is mandatory */
return ret;
@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (is_host || is_service) {
prigid = 515; /* Well known RID for domain computers group */
} else {
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
+ "gidNumber", &intres);
if (ret) {
/* gidNumber is mandatory */
return ret;
@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.kickoff_time = INT64_MAX;
#endif
Pass the user to the password policy check in the kdb driver - ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
"krbLastPwdChange", &timeres);
switch (ret) {
case 0:
@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.allow_password_change = info3->base.last_password_change;
info3->base.force_password_change = INT64_MAX;
From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001 - ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
switch (ret) {
case 0:
info3->base.full_name.string = talloc_strdup(memctx, strres);
@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTLogonScript", &strres);
switch (ret) {
case 0:
@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTProfilePath", &strres);
switch (ret) {
case 0:
@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectory", &strres);
switch (ret) {
case 0:
@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectoryDrive", &strres);
switch (ret) {
case 0:
@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.rid = 515;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
if (ret) {
/* SID is mandatory */
@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
}
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
LDAPDerefRes *dres;
LDAPDerefVal *dval;
@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
- LDAP *lc = ipactx->lcontext;
+ LDAP *lc = NULL;
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
+ lc = ipactx->lcontext;
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
dnstr = ldap_get_dn(lc, le);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d1fa51578..cf1b4f53e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
if (gcfg != NULL)
gua = gcfg->user_auth;
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
+ * global config and cleared the ipactx */
+ if (ipactx->lcontext == NULL)
+ return IPADB_USER_AUTH_NONE;
+
/* Get the user's user_auth settings if not disabled. */
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
free(entry);
return KRB5_KDB_DBNOTINITED;
}
- lcontext = ipactx->lcontext;
- if (!lcontext) {
+
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
+
+ /* Get User Auth configuration. */
+ ua = ipadb_get_user_auth(ipactx, lentry);
+
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
+ * and that might fail, causing lcontext to become NULL */
+ if (!ipactx->lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
}
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
-
- /* Get User Auth configuration. */
- ua = ipadb_get_user_auth(ipactx, lentry);
+ /* If any code below would result in invalidating ipactx->lcontext,
+ * lcontext must be updated with the new ipactx->lcontext value.
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
+ lcontext = ipactx->lcontext;
/* ignore mask for now */
--
2.29.2
From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com> From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Feb 2021 10:06:25 +0200 Date: Tue, 23 Feb 2021 10:06:25 +0200
Subject: [PATCH] ipa-kdb: fix compiler warnings Subject: [PATCH] ipa-kdb: fix compiler warnings
@ -38,7 +247,6 @@ In the same way, SID structures have own requirements.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
--- ---
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++-- daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++--- daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
@ -50,10 +258,10 @@ diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_
index ed48ea758..ec2046bfe 100644 index ed48ea758..ec2046bfe 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c --- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c +++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext, @@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
}
if (client->last_failed + ied->pol->lockout_duration > authtime && if (krb5_ts_after(krb5_ts_incr(client->last_failed,
ied->pol->lockout_duration), authtime) &&
- (client->fail_auth_count >= ied->pol->max_fail && - (client->fail_auth_count >= ied->pol->max_fail &&
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail && + (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
ied->pol->max_fail != 0)) { ied->pol->max_fail != 0)) {
@ -67,10 +275,10 @@ index ed48ea758..ec2046bfe 100644
client->fail_auth_count++; client->fail_auth_count++;
client->mask |= KMASK_FAIL_AUTH_COUNT; client->mask |= KMASK_FAIL_AUTH_COUNT;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c6ac593ca..050100430 100644 index 81a8fd483..9691b14f6 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid) @@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
{ {
@ -82,7 +290,7 @@ index c6ac593ca..050100430 100644
uint32_t ia; uint32_t ia;
char *buf; char *buf;
@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) @@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
t[n].upn_suffixes_len = NULL; t[n].upn_suffixes_len = NULL;
if (t[n].upn_suffixes != NULL) { if (t[n].upn_suffixes != NULL) {
@ -92,10 +300,10 @@ index c6ac593ca..050100430 100644
for (; t[n].upn_suffixes[len] != NULL; len++); for (; t[n].upn_suffixes[len] != NULL; len++);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d1fa51578..59337a4ca 100644 index cf1b4f53e..0a98ff054 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c --- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext, @@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
l = len; l = len;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
ret = snprintf(ap, l, "%s ", authinds[i]); ret = snprintf(ap, l, "%s ", authinds[i]);
@ -104,7 +312,7 @@ index d1fa51578..59337a4ca 100644
ret = ENOMEM; ret = ENOMEM;
goto cleanup; goto cleanup;
} }
@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext, @@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
char *s = NULL; char *s = NULL;
size_t ai_size = 0; size_t ai_size = 0;
int cnt = 0; int cnt = 0;
@ -113,7 +321,7 @@ index d1fa51578..59337a4ca 100644
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais); ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
if (ret) { if (ret) {
@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods) @@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
{ {
krb5_error_code kerr; krb5_error_code kerr;
LDAPMod *m = NULL; LDAPMod *m = NULL;
@ -126,7 +334,7 @@ diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpo
index 4965e6d7f..6f21ef867 100644 index 4965e6d7f..6f21ef867 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c --- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext, @@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
} }
if (ied->pol->max_fail == 0 || if (ied->pol->max_fail == 0 ||
@ -138,7 +346,7 @@ index 4965e6d7f..6f21ef867 100644
-- --
2.29.2 2.29.2
From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001 From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com> From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:51:40 +0200 Date: Wed, 24 Feb 2021 20:51:40 +0200
Subject: [PATCH] ipa-kdb: add missing prototypes Subject: [PATCH] ipa-kdb: add missing prototypes
@ -152,7 +360,6 @@ We also default to -Werror=implicit-function-declaration
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
--- ---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++ daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++-------- daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
@ -160,25 +367,25 @@ Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
3 files changed, 20 insertions(+), 8 deletions(-) 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 7f03f2f03..6976f9ba9 100644 index a89f8bbda..aa61a2d1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c --- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c +++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -9,6 +9,10 @@ @@ -14,6 +14,10 @@
#include "ipa_krb5.h" #define ONE_DAY_SECONDS (24 * 60 * 60)
#include "ipa_kdb.h" #define JITTER_WINDOW_SECONDS (1 * 60 * 60)
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context, +krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver, + int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable); + krb5_plugin_vtable vtable);
+ +
static krb5_error_code static void
ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
const krb5_kdc_req *request, {
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 050100430..c05fb717a 100644 index 9691b14f6..47b12a16f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) @@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
*mspac = NULL; *mspac = NULL;
} }
@ -192,21 +399,21 @@ index 050100430..c05fb717a 100644
{ {
int len, i; int len, i;
char **source; char **source;
@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, @@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
return 0; return 0;
} }
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, -krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
- char **sid_blacklist_incoming, - char **sid_blocklist_incoming,
- char **sid_blacklist_outgoing) - char **sid_blocklist_outgoing)
+static krb5_error_code +static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, +ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+ char **sid_blacklist_incoming, + char **sid_blocklist_incoming,
+ char **sid_blacklist_outgoing) + char **sid_blocklist_outgoing)
{ {
krb5_error_code kerr; krb5_error_code kerr;
@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus @@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
return 0; return 0;
} }
@ -216,7 +423,7 @@ index 050100430..c05fb717a 100644
{ {
char *attrs[] = { NULL }; char *attrs[] = { NULL };
char *filter = "(objectclass=ipaNTTrustedDomain)"; char *filter = "(objectclass=ipaNTTrustedDomain)";
@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si @@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
} }
} }
@ -225,9 +432,9 @@ index 050100430..c05fb717a 100644
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) +ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{ {
struct ipadb_adtrusts *t; struct ipadb_adtrusts *t;
LDAP *lc = ipactx->lcontext; LDAP *lc = NULL;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
index b21aa163f..2369e16f8 100644 index d23a14a0b..8c8a3a001 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h --- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -53,3 +53,7 @@ struct ipadb_adtrusts { @@ -53,3 +53,7 @@ struct ipadb_adtrusts {
@ -242,7 +449,7 @@ index b21aa163f..2369e16f8 100644
-- --
2.29.2 2.29.2
From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001 From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com> From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:52:15 +0200 Date: Wed, 24 Feb 2021 20:52:15 +0200
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
@ -254,7 +461,6 @@ Replace few tabs by spaces and mark static code as static.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
--- ---
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++----------- daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-) 1 file changed, 14 insertions(+), 11 deletions(-)
@ -317,7 +523,7 @@ index bc6b26578..3a3060c92 100644
-- --
2.29.2 2.29.2
From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001 From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com> From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:55:41 +0200 Date: Wed, 24 Feb 2021 20:55:41 +0200
Subject: [PATCH] ipa-kdb: mark test functions as static Subject: [PATCH] ipa-kdb: mark test functions as static
@ -327,16 +533,15 @@ No need to define missing prototypes to single use test functions.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
--- ---
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++-------- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-) 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 368a2f978..960200b6e 100644 index 2a174ce6b..0b51ffb96 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context, @@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
krb5_data realm, krb5_data realm,
struct PAC_LOGON_INFO_CTR *info); struct PAC_LOGON_INFO_CTR *info);
@ -345,7 +550,7 @@ index 368a2f978..960200b6e 100644
{ {
krb5_error_code kerr; krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM}; krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state) @@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
} }
@ -357,7 +562,7 @@ index 368a2f978..960200b6e 100644
{ {
bool with_pac; bool with_pac;
bool with_pad; bool with_pad;
@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state) @@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
} }
@ -366,7 +571,7 @@ index 368a2f978..960200b6e 100644
{ {
int ret; int ret;
struct dom_sid sid; struct dom_sid sid;
@@ -468,7 +465,7 @@ void test_string_to_sid(void **state) @@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid)); assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
} }
@ -375,7 +580,7 @@ index 368a2f978..960200b6e 100644
{ {
struct test_ctx *test_ctx; struct test_ctx *test_ctx;
char *str_sid; char *str_sid;
@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state) @@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
} }
@ -387,239 +592,3 @@ index 368a2f978..960200b6e 100644
-- --
2.29.2 2.29.2
From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 19 Feb 2021 15:37:47 +0200
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.
ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/8681
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 1 +
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
3 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 33d2a6773..e7b8d7dbf 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
/* ldap free lcontext */
if ((*ctx)->lcontext) {
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
+ (*ctx)->lcontext = NULL;
}
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c05fb717a..1e59189ed 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
TALLOC_CTX *memctx,
struct netr_SamInfo3 *info3)
{
- LDAP *lcontext = ipactx->lcontext;
LDAPDerefRes *deref_results = NULL;
struct dom_sid sid;
gid_t prigid = -1;
@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
bool is_idobject = false;
krb5_principal princ;
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
&objectclasses);
if (ret == 0 && objectclasses != NULL) {
for (c = 0; objectclasses[c] != NULL; c++) {
@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
if (is_host) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
if (ret) {
/* fqdn is mandatory for hosts */
return ret;
}
} else if (is_service) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbCanonicalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
return ret;
@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
if (ret) {
/* uid is mandatory */
return ret;
@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (is_host || is_service) {
prigid = 515; /* Well known RID for domain computers group */
} else {
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
+ "gidNumber", &intres);
if (ret) {
/* gidNumber is mandatory */
return ret;
@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.kickoff_time = -1;
#endif
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
"krbLastPwdChange", &timeres);
switch (ret) {
case 0:
@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.allow_password_change = 0;
info3->base.force_password_change = -1;
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
switch (ret) {
case 0:
info3->base.full_name.string = talloc_strdup(memctx, strres);
@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTLogonScript", &strres);
switch (ret) {
case 0:
@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTProfilePath", &strres);
switch (ret) {
case 0:
@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectory", &strres);
switch (ret) {
case 0:
@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectoryDrive", &strres);
switch (ret) {
case 0:
@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.rid = 515;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
if (ret) {
/* SID is mandatory */
@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
}
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
LDAPDerefRes *dres;
LDAPDerefVal *dval;
@@ -2511,7 +2512,7 @@ static krb5_error_code
ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
- LDAP *lc = ipactx->lcontext;
+ LDAP *lc = NULL;
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
+ lc = ipactx->lcontext;
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
dnstr = ldap_get_dn(lc, le);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 59337a4ca..0a98ff054 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
if (gcfg != NULL)
gua = gcfg->user_auth;
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
+ * global config and cleared the ipactx */
+ if (ipactx->lcontext == NULL)
+ return IPADB_USER_AUTH_NONE;
+
/* Get the user's user_auth settings if not disabled. */
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
free(entry);
return KRB5_KDB_DBNOTINITED;
}
- lcontext = ipactx->lcontext;
- if (!lcontext) {
+
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
+
+ /* Get User Auth configuration. */
+ ua = ipadb_get_user_auth(ipactx, lentry);
+
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
+ * and that might fail, causing lcontext to become NULL */
+ if (!ipactx->lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
}
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
-
- /* Get User Auth configuration. */
- ua = ipadb_get_user_auth(ipactx, lentry);
+ /* If any code below would result in invalidating ipactx->lcontext,
+ * lcontext must be updated with the new ipactx->lcontext value.
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
+ lcontext = ipactx->lcontext;
/* ignore mask for now */
--
2.29.2

32
SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
View File

@ -1,32 +0,0 @@
From 66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jul 2020 13:42:43 -0400
Subject: [PATCH] Replace SSLCertVerificationError with CertificateError for
py36
This exception was added in python 3.7. Use CertificateError
instead which is an alias and will work with older python releases.
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/server/upgrade.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2c36bc0e2..2c1517865 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -667,7 +667,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
try:
cert.match_hostname(expect)
- except ssl.SSLCertVerificationError:
+ except ssl.CertificateError:
if certs.is_ipa_issued_cert(api, cert):
request_id = certmonger.get_request_id(
{'cert-file': paths.HTTPD_CERT_FILE})
--
2.26.2

64
SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch Normal file
View File

@ -0,0 +1,64 @@
From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 15 Mar 2021 16:55:08 +0100
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
(2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
ipaclient/install/client.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0e478fa26..9bdfbddaf 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2205,7 +2205,7 @@ def install_check(options):
# available.
if options.conf_sudo:
try:
- subprocess.Popen(['sudo -V'])
+ subprocess.Popen(['sudo', '-V'])
except FileNotFoundError:
logger.info(
"The sudo binary does not seem to be present on this "
--
2.30.2
From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 15 Mar 2021 17:00:05 +0100
Subject: [PATCH] ipatests: check for the "no sudo present" string absence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
ipatests/test_integration/test_installation.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index a50a59f1a..a5ff17a0d 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
tasks.install_packages(self.clients[0], ['sudo'])
for pkg in ('sudo', 'libsss_sudo'):
assert tasks.is_package_installed(self.clients[0], pkg)
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str not in result.stderr_text
--
2.30.2

103
SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
View File

@ -1,103 +0,0 @@
From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 8 May 2020 15:27:01 +0200
Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.if | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index cefae5d90..ea971b8fa 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
+
+########################################
+## <summary>
+## Execute dirsrv server in the dirsrv domain.
+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+ifndef(`dirsrv_systemctl',`
+ interface(`dirsrv_systemctl',`
+ gen_require(`
+ type dirsrv_unit_file_t;
+ type dirsrv_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dirsrv_unit_file_t:file read_file_perms;
+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dirsrv_t)
+ ')
+')
--
2.26.2
From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 7 May 2020 16:17:12 +0200
Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index b1e29c8e2..587e5e585 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
files_list_tmp(ipa_helper_t)
+init_read_state(ipa_helper_t)
+init_stream_connect(ipa_helper_t)
+
ipa_manage_pid_files(ipa_helper_t)
ipa_read_lib(ipa_helper_t)
@@ -156,6 +159,10 @@ optional_policy(`
dirsrv_stream_connect(ipa_helper_t)
')
+optional_policy(`
+ dirsrv_systemctl(ipa_helper_t)
+')
+
optional_policy(`
ldap_stream_connect(ipa_helper_t)
')
@@ -182,6 +189,7 @@ optional_policy(`
optional_policy(`
sssd_manage_lib_files(ipa_helper_t)
+ sssd_systemctl(ipa_helper_t)
')
########################################
--
2.26.2

84
SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
View File

@ -1,84 +0,0 @@
From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 3 Aug 2020 18:52:07 +0200
Subject: [PATCH] CAless installation: set the perms on KDC cert file
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/krbinstance.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 09d14693c..1910ff374 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -536,6 +536,8 @@ class KrbInstance(service.Service):
certs.install_pem_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_CERT)
+ # The KDC cert needs to be readable by everyone
+ os.chmod(paths.KDC_CERT, 0o644)
certs.install_key_from_p12(self.pkcs12_info[0],
self.pkcs12_info[1],
paths.KDC_KEY)
--
2.26.2
From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 3 Aug 2020 18:53:47 +0200
Subject: [PATCH] ipatests: check KDC cert permissions in CA less install
The KDC certificate file must be stored with 644 permissions.
Add a test checking the file permissions on server + replica.
Related: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_caless.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index a7b2cbbbc..1ea7d9896 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
assert result.returncode == 0
+def verify_kdc_cert_perms(host):
+ """Verify that the KDC cert pem file has 0644 perms"""
+ cmd = host.run_command(['stat', '-c',
+ '"%a %G:%U"', paths.KDC_CERT])
+ assert "644 root:root" in cmd.stdout_text
+
+
class TestPKINIT(CALessBase):
"""Install master and replica with PKINIT"""
num_replicas = 1
@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
result = cls.install_server(pkinit_pkcs12_exists=True,
pkinit_pin=_DEFAULT)
assert result.returncode == 0
+ verify_kdc_cert_perms(cls.master)
@replica_install_teardown
def test_server_replica_install_pkinit(self):
@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
pkinit_pin=_DEFAULT)
assert result.returncode == 0
self.verify_installation()
+ verify_kdc_cert_perms(self.replicas[0])
class TestServerReplicaCALessToCAFull(CALessBase):
--
2.26.2

145
SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
View File

@ -1,145 +0,0 @@
From b95817e35716bbab000633043817202e17d7c53e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 6 Aug 2020 17:07:36 +0200
Subject: [PATCH] IPA-EPN: Use a helper to retrieve LDAP attributes from an
entry
Allow for empty attributes.
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipaclient/install/ipa_epn.py | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 65f9f3d47..0d1ae2add 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -122,22 +122,30 @@ class EPNUserList:
"""Return len(self)."""
return len(self._expiring_password_user_dq)
+ def get_ldap_attr(self, entry, attr):
+ """Get a single value from a multi-valued attr in a safe way"""
+ return str(entry.get(attr, [""]).pop(0))
+
def add(self, entry):
"""Parses and appends an LDAP user entry with the uid, cn,
givenname, sn, krbpasswordexpiration and mail attributes.
"""
try:
self._sorted = False
+ if entry.get("mail") is None:
+ logger.error("IPA-EPN: No mail address defined for: %s",
+ entry.dn)
+ return
self._expiring_password_user_dq.append(
dict(
- uid=str(entry["uid"].pop(0)),
- cn=str(entry["cn"].pop(0)),
- givenname=str(entry["givenname"].pop(0)),
- sn=str(entry["sn"].pop(0)),
- krbpasswordexpiration=str(
- entry["krbpasswordexpiration"].pop(0)
+ uid=self.get_ldap_attr(entry, "uid"),
+ cn=self.get_ldap_attr(entry, "cn"),
+ givenname=self.get_ldap_attr(entry, "givenname"),
+ sn=self.get_ldap_attr(entry, "sn"),
+ krbpasswordexpiration=(
+ self.get_ldap_attr(entry,"krbpasswordexpiration")
),
- mail=str(entry["mail"]),
+ mail=str(entry.get("mail")),
)
)
except IndexError as e:
--
2.26.2
From 8e810d8cf38ec60d76178bd673e218fb05d56c8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 6 Aug 2020 17:13:19 +0200
Subject: [PATCH] IPA-EPN: fix configuration file typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
client/share/epn.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/share/epn.conf b/client/share/epn.conf
index 0e590dfc3..e3645801c 100644
--- a/client/share/epn.conf
+++ b/client/share/epn.conf
@@ -23,7 +23,7 @@ smtp_port = 25
# Default None (empty value).
# smtp_password =
-# pecifies the number of seconds to wait for SMTP to respond.
+# Specifies the number of seconds to wait for SMTP to respond.
smtp_timeout = 60
# Specifies the type of secure connection to make. Options are: none,
--
2.26.2
From 1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 6 Aug 2020 18:57:10 -0400
Subject: [PATCH] IPA-EPN: Test that users without givenname and/or mail are
handled
The admin user does not have a givenname by default, allow for that.
Report errors for users without a default e-mail address.
Update the SHA256 hash with the typo fix.
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_epn.py | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 18f73c722..c5c73835a 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -240,7 +240,7 @@ class TestEPN(IntegrationTest):
assert epn_conf in cmd1.stdout_text
assert epn_template in cmd1.stdout_text
cmd2 = self.master.run_command(["sha256sum", epn_conf])
- ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
+ ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
assert cmd2.stdout_text.find(ck) == 0
def test_EPN_smoketest_1(self):
@@ -591,3 +591,23 @@ class TestEPN(IntegrationTest):
self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
result = tasks.ipa_epn(self.master, raiseonerr=False)
assert "smtp_delay cannot be less than zero" in result.stderr_text
+
+ def test_EPN_admin(self):
+ """The admin user is special and has no givenName by default
+ It also doesn't by default have an e-mail address
+ Check --dry-run output.
+ """
+ epn_conf = textwrap.dedent('''
+ [global]
+ ''')
+ self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
+ self.master.run_command(
+ ['ipa', 'user-mod', 'admin', '--password-expiration',
+ datetime_to_generalized_time(
+ datetime.datetime.utcnow() + datetime.timedelta(days=7)
+ )]
+ )
+ (unused, stderr_text, _unused) = self._check_epn_output(
+ self.master, dry_run=True
+ )
+ assert "uid=admin" in stderr_text
--
2.26.2

404
SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch
View File

@ -1,404 +0,0 @@
From 9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 4 Aug 2020 11:05:31 +0200
Subject: [PATCH] ipatests: tasks.py: fix ipa-epn invocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
from_nbdays=0.
Related: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index a3f7cc838..c0a592750 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1470,9 +1470,9 @@ def ipa_epn(
cmd.append("--dry-run")
if mailtest:
cmd.append("--mail-test")
- if from_nbdays:
+ if from_nbdays is not None:
cmd.extend(("--from-nbdays", str(from_nbdays)))
- if to_nbdays:
+ if to_nbdays is not None:
cmd.extend(("--to-nbdays", str(to_nbdays)))
return host.run_command(cmd, raiseonerr=raiseonerr)
--
2.26.2
From 3b8fdd87760cfb8ec739c67298f012cf0bd3ac39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 5 Aug 2020 10:02:31 +0200
Subject: [PATCH] ipatests: test_epn: test_EPN_nbdays enhancements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
* illegal inputs for nbdays:
** from-nbdays > to-nbdays
** non-numerical input
** decimal input
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_epn.py | 130 +++++++++++++++++++++++---
1 file changed, 117 insertions(+), 13 deletions(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index f4c123c6d..18f73c722 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -15,6 +15,13 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+######
+# This test suite will _expectedly_ fail if run at the end of the UTC day
+# because users would be created during day N and then EPN output checked
+# during day N+1. This is expected and should be ignored as it does not
+# reflect a product bug. -- fcami
+######
+
from __future__ import print_function, absolute_import
import base64
@@ -178,12 +185,14 @@ class TestEPN(IntegrationTest):
from_nbdays=None,
to_nbdays=None,
raiseonerr=True,
+ validatejson=True
):
result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
from_nbdays=from_nbdays,
to_nbdays=to_nbdays)
- json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
- return (result.stdout_text, result.stderr_text)
+ if validatejson:
+ json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
+ return (result.stdout_text, result.stderr_text, result.returncode)
@classmethod
def install(cls, mh):
@@ -244,12 +253,12 @@ class TestEPN(IntegrationTest):
''')
self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
# check EPN on client (LDAP+GSSAPI)
- (stdout_text, unused) = self._check_epn_output(
+ (stdout_text, unused, _unused) = self._check_epn_output(
self.clients[0], dry_run=True
)
assert len(json.loads(stdout_text)) == 0
# check EPN on master (LDAPI)
- (stdout_text, unused) = self._check_epn_output(
+ (stdout_text, unused, _unused) = self._check_epn_output(
self.master, dry_run=True
)
assert len(json.loads(stdout_text)) == 0
@@ -292,10 +301,10 @@ class TestEPN(IntegrationTest):
),
],
)
- (stdout_text_client, unused) = self._check_epn_output(
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
self.clients[0], dry_run=True
)
- (stdout_text_master, unused) = self._check_epn_output(
+ (stdout_text_master, unused, _unused) = self._check_epn_output(
self.master, dry_run=True
)
assert stdout_text_master == stdout_text_client
@@ -331,10 +340,10 @@ class TestEPN(IntegrationTest):
password=None,
)
- (stdout_text_client, unused) = self._check_epn_output(
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
self.clients[0], dry_run=True
)
- (stdout_text_master, unused) = self._check_epn_output(
+ (stdout_text_master, unused, _unused) = self._check_epn_output(
self.master, dry_run=True
)
assert stdout_text_master == stdout_text_client
@@ -344,22 +353,117 @@ class TestEPN(IntegrationTest):
expected_users = ["user1", "user3", "user7", "user14", "user28"]
assert sorted(user_lst) == sorted(expected_users)
- def test_EPN_nbdays(self):
+ def test_EPN_nbdays_0(self, cleanupmail):
"""Test the to/from nbdays options (implies --dry-run)
We have a set of users installed with varying expiration
dates. Confirm that to/from nbdays finds them.
+
+ Make sure --dry-run does not accidentally send emails.
"""
- # Compare the notify_ttls values
+ # Use the notify_ttls values with a 1-day sliding window
for i in self.notify_ttls:
user_list = []
- (stdout_text_client, unused) = self._check_epn_output(
- self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True)
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
+ self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True
+ )
for user in json.loads(stdout_text_client):
user_list.append(user["uid"])
assert len(user_list) == 1
- assert user_list[0] == "user%d" % i
+ userid = "user{id}".format(id=i)
+ assert user_list[0] == userid
+
+ # Check that the user list is expected for any given notify_ttls.
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
+ self.clients[0], to_nbdays=i
+ )
+ user_list = [user["uid"] for user in json.loads(stdout_text_client)]
+ assert len(user_list) == 1
+ assert user_list[0] == "user{id}".format(id=i - 1)
+
+ # make sure no emails were sent
+ result = self.clients[0].run_command(['ls', '-lha', '/var/mail/'])
+ assert userid not in result.stdout_text
+
+ def test_EPN_nbdays_1(self, cleanupmail):
+ """Test that for a given range, we find the users in that range"""
+
+ # Use hardcoded date ranges for now
+ for date_range in [(0, 5), (7, 15), (1, 20)]:
+ expected_user_list = ["user{i}".format(i=i)
+ for i in range(date_range[0], date_range[1])]
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
+ self.clients[0],
+ from_nbdays=date_range[0],
+ to_nbdays=date_range[1]
+ )
+ user_list = [user["uid"] for user in json.loads(stdout_text_client)]
+ for user in expected_user_list:
+ assert user in user_list
+ for user in user_list:
+ assert user in expected_user_list
+
+ # Test the to/from nbdays options behavior with illegal input
+
+ def test_EPN_nbdays_input_0(self):
+ """Make sure that --to-nbdays implies --dry-run ;
+ therefore check that the output is valid JSON and contains the
+ expected user.
+ """
+
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
+ self.clients[0], to_nbdays=5, dry_run=False
+ )
+ assert len(json.loads(stdout_text_client)) == 1
+ assert json.loads(stdout_text_client)[0]["uid"] == "user4"
+
+ def test_EPN_nbdays_input_1(self):
+ """Make sure that --from-nbdays cannot be used without --to-nbdays"""
+
+ (unused, stderr_text_client, rc) = \
+ self._check_epn_output(
+ self.clients[0], from_nbdays=3,
+ raiseonerr=False, validatejson=False
+ )
+ assert "You cannot specify --from-nbdays without --to-nbdays" \
+ in stderr_text_client
+ assert rc > 0
+
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
+ def test_EPN_nbdays_input_2(self):
+ """alpha input"""
+
+ (unused, stderr, rc) = self._check_epn_output(
+ self.clients[0], to_nbdays="abc",
+ raiseonerr=False, validatejson=False
+ )
+ assert "error: --to-nbdays must be an integer." in stderr
+ assert rc > 0
+
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
+ def test_EPN_nbdays_input_3(self):
+ """from_nbdays > to_nbdays"""
+
+ (unused, stderr, rc) = self._check_epn_output(
+ self.clients[0], from_nbdays=9, to_nbdays=7,
+ raiseonerr=False, validatejson=False
+ )
+ assert "error: --from-nbdays must be smaller than --to-nbdays." in \
+ stderr
+ assert rc > 0
+
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
+ def test_EPN_nbdays_input_4(self):
+ """decimal input"""
+
+ (unused, stderr, rc) = self._check_epn_output(
+ self.clients[0], to_nbdays=7.3,
+ raiseonerr=False, validatejson=False
+ )
+ logger.info(stderr)
+ assert rc > 0
+ assert "error: --to-nbdays must be an integer." in stderr
# From here the tests build on one another:
# 1) add auth
--
2.26.2
From b4266023e04729db12de2f7e0de4da9e1d00db38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 7 Aug 2020 19:08:39 +0200
Subject: [PATCH] ipatests: test_epn: update error messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update error messages in the test.
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_epn.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index e03521193..af662140a 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -458,7 +458,7 @@ class TestEPN(IntegrationTest):
self.clients[0], to_nbdays="abc",
raiseonerr=False, validatejson=False
)
- assert "error: --to-nbdays must be an integer." in stderr
+ assert "error: --to-nbdays must be a positive integer." in stderr
assert rc > 0
@pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
@@ -483,7 +483,7 @@ class TestEPN(IntegrationTest):
)
logger.info(stderr)
assert rc > 0
- assert "error: --to-nbdays must be an integer." in stderr
+ assert "error: --to-nbdays must be a positive integer." in stderr
# From here the tests build on one another:
# 1) add auth
--
2.26.2
From 2809084a44e3b174fa48a611e79f04358e1d6dca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 5 Aug 2020 09:05:31 +0200
Subject: [PATCH] IPA-EPN: enhance input validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays
Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/ipa_epn.py | 28 +++++++++++++++++++++++++--
ipatests/test_integration/test_epn.py | 3 ---
2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 82d7b3f57..88c926e88 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -246,9 +246,33 @@ class EPN(admintool.AdminTool):
def validate_options(self):
super(EPN, self).validate_options(needs_root=True)
- if self.options.to_nbdays:
+ if self.options.to_nbdays is not None:
+ try:
+ if int(self.options.to_nbdays) < 0:
+ raise RuntimeError('Input is negative.')
+ except Exception as e:
+ self.option_parser.error(
+ "--to-nbdays must be a positive integer. "
+ "{error}".format(error=e)
+ )
self.options.dry_run = True
- if self.options.from_nbdays and not self.options.to_nbdays:
+ if self.options.from_nbdays is not None:
+ try:
+ if int(self.options.from_nbdays) < 0:
+ raise RuntimeError('Input is negative.')
+ except Exception as e:
+ self.option_parser.error(
+ "--from-nbdays must be a positive integer. "
+ "{error}".format(error=e)
+ )
+ if self.options.from_nbdays is not None and \
+ self.options.to_nbdays is not None:
+ if int(self.options.from_nbdays) >= int(self.options.to_nbdays):
+ self.option_parser.error(
+ "--from-nbdays must be smaller than --to-nbdays."
+ )
+ if self.options.from_nbdays is not None and \
+ self.options.to_nbdays is None:
self.option_parser.error(
"You cannot specify --from-nbdays without --to-nbdays"
)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index af662140a..fc26888cb 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -450,7 +450,6 @@ class TestEPN(IntegrationTest):
in stderr_text_client
assert rc > 0
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
def test_EPN_nbdays_input_2(self):
"""alpha input"""
@@ -461,7 +460,6 @@ class TestEPN(IntegrationTest):
assert "error: --to-nbdays must be a positive integer." in stderr
assert rc > 0
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
def test_EPN_nbdays_input_3(self):
"""from_nbdays > to_nbdays"""
@@ -473,7 +471,6 @@ class TestEPN(IntegrationTest):
stderr
assert rc > 0
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
def test_EPN_nbdays_input_4(self):
"""decimal input"""
--
2.26.2

141
SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch
View File

@ -1,141 +0,0 @@
From 3cf7fb1014ae40fd5a5278f27577a8196a4af051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 7 Aug 2020 07:51:53 +0200
Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a test for EPN behavior when the configured SMTP does not
accept connections.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_epn.py | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index c5c73835a..1a25d3710 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -182,14 +182,20 @@ class TestEPN(IntegrationTest):
self,
host,
dry_run=False,
+ mailtest=False,
from_nbdays=None,
to_nbdays=None,
raiseonerr=True,
validatejson=True
):
- result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
- from_nbdays=from_nbdays,
- to_nbdays=to_nbdays)
+ result = tasks.ipa_epn(
+ host,
+ from_nbdays=from_nbdays,
+ to_nbdays=to_nbdays,
+ mailtest=mailtest,
+ dry_run=dry_run,
+ raiseonerr=raiseonerr
+ )
if validatejson:
json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
return (result.stdout_text, result.stderr_text, result.returncode)
@@ -243,6 +249,21 @@ class TestEPN(IntegrationTest):
ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
assert cmd2.stdout_text.find(ck) == 0
+ @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
+ def test_EPN_connection_refused(self):
+ """Test EPN behavior when the configured SMTP is down
+ """
+
+ self.master.run_command(["systemctl", "stop", "postfix"])
+ (unused, stderr_text, rc) = self._check_epn_output(
+ self.master, mailtest=True,
+ raiseonerr=False, validatejson=False
+ )
+ self.master.run_command(["systemctl", "start", "postfix"])
+ assert "IPA-EPN: Could not connect to the configured SMTP server" in \
+ stderr_text
+ assert rc > 0
+
def test_EPN_smoketest_1(self):
"""No users except admin. Check --dry-run output.
With the default configuration, the result should be an empty list.
--
2.26.2
From 53f330b053740b169d211aa16b3b36fb61157bbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 7 Aug 2020 06:19:31 +0200
Subject: [PATCH] IPA-EPN: Fix SMTP connection error handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enhance error message when SMTP is down.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/install/ipa_epn.py | 17 ++++++++++-------
ipatests/test_integration/test_epn.py | 1 -
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 0d1ae2add..82d7b3f57 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -38,6 +38,7 @@ from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.header import Header
from email.utils import make_msgid
+from socket import error as socketerror
from ipaplatform.paths import paths
from ipalib import api, errors
@@ -640,13 +641,15 @@ class MTAClient:
port=self._smtp_port,
timeout=self._smtp_timeout,
)
- except smtplib.SMTPException as e:
- logger.error(
- "IPA-EPN: Unable to connect to %s:%s: %s",
- self._smtp_hostname,
- self._smtp_port,
- e,
- )
+ except (socketerror, smtplib.SMTPException) as e:
+ msg = \
+ "IPA-EPN: Could not connect to the configured SMTP server: " \
+ "{host}:{port}: {error}".format(
+ host=self._smtp_hostname,
+ port=self._smtp_port,
+ error=e
+ )
+ raise admintool.ScriptError(msg)
try:
self._conn.ehlo()
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 1a25d3710..e03521193 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -249,7 +249,6 @@ class TestEPN(IntegrationTest):
ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
assert cmd2.stdout_text.find(ck) == 0
- @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
def test_EPN_connection_refused(self):
"""Test EPN behavior when the configured SMTP is down
"""
--
2.26.2

110
SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
View File

@ -1,110 +0,0 @@
From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Aug 2020 15:09:56 -0400
Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/certs.py | 2 +-
ipaserver/install/server/install.py | 5 ++---
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 22ee79bd1..51d9f9221 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -329,7 +329,7 @@ class CertDB:
ipautil.backup_file(cacert_fname)
root_nicknames = self.find_root_cert(nickname)[:-1]
with open(cacert_fname, "w") as f:
- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.fchmod(f.fileno(), 0o644)
for root in root_nicknames:
result = self.run_certutil(["-L", "-n", root, "-a"],
capture_output=True)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b53c58e2a..6a593602f 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -891,9 +891,8 @@ def install(installer):
ca.install_step_0(False, None, options, custodia=custodia)
else:
- # Put the CA cert where other instances expect it
- x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
- os.chmod(paths.IPA_CA_CRT, 0o444)
+ # /etc/ipa/ca.crt is created as a side-effect of
+ # dsinstance::enable_ssl() via export_ca_cert()
if not options.no_pkinit:
x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
--
2.26.2
From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 4 Aug 2020 15:12:20 -0400
Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new
installations
It should be 0644 root:root for both CA-ful and CA-less installs.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_caless.py | 8 ++++++++
ipatests/test_integration/test_installation.py | 10 ++++++++++
2 files changed, 18 insertions(+)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1ea7d9896..16dfbb320 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
assert cert_from_ldap == expected_cacrt
+ result = host.run_command(
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+ )
+ (owner, group, mode) = result.stdout_text.strip().split(':')
+ assert owner == "root"
+ assert group == "root"
+ assert mode == "644"
+
# Verify certmonger was not started
result = host.run_command(['getcert', 'list'], raiseonerr=False)
assert result.returncode == 0
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 100a5a766..fb1990083 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
status = tasks.wait_for_request(self.master, request_id[0], 300)
assert status == "MONITORING"
+ def test_ipa_ca_crt_permissions(self):
+ """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+ result = self.master.run_command(
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+ )
+ out = str(result.stdout_text.strip())
+ (owner, group, mode) = out.split(':')
+ assert mode == "644"
+ assert owner == "root"
+ assert group == "root"
class TestInstallWithCA_KRA1(InstallTestBase1):
--
2.26.2

62
SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
View File

@ -1,62 +0,0 @@
From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 7 Sep 2020 11:07:21 +0200
Subject: [PATCH] SELinux Policy: let custodia replicate keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
Found by: test_replica_promotion::TestSubCAkeyReplication
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
selinux/ipa.te | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index c4c3fa805..3fa4ba980 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
type ipa_custodia_tmp_t;
files_tmp_file(ipa_custodia_tmp_t)
+type pki_tomcat_cert_t;
+type node_t;
+
########################################
#
# ipa_otpd local policy
@@ -323,10 +326,18 @@ optional_policy(`
allow ipa_custodia_t self:capability { setgid setuid };
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow ipa_custodia_t self:process execmem;
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
+allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t self:udp_socket create_socket_perms;
+allow ipa_custodia_t node_t:tcp_socket node_bind;
+
+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+allow ipa_custodia_t pki_tomcat_cert_t:file create;
+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
--
2.26.2

117
SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
View File

@ -1,117 +0,0 @@
Adapted version of d1c860e59b52. to make it apply without commits
34b4d9bce5 - ipatests: Test ipa user login with wrong password
ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool.
From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 16 Sep 2020 17:07:21 +0200
Subject: [PATCH] ipatests: check that pkispawn log is not empty
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.
Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index fa6abd81e..3a12bcde2 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest):
assert msg2 not in result.stderr_text
finally:
bashrc_backup.restore()
+
+ def test_pkispawn_log_is_present(self):
+ """
+ This testcase checks if pkispawn logged properly.
+ It is a candidate from being moved out of test_commands.
+ """
+ result = self.master.run_command(
+ ["ls", "/var/log/pki/"]
+ )
+ pkispawnlogfile = None
+ for file in result.stdout_text.splitlines():
+ if file.startswith("pki-ca-spawn"):
+ pkispawnlogfile = file
+ break
+ assert pkispawnlogfile is not None
+ pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
+ pkispawnlog = self.master.get_file_contents(
+ pkispawnlogfile, encoding='utf-8'
+ )
+ # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
+ assert len(pkispawnlog) > 1024
+ assert "DEBUG" in pkispawnlog
+ assert "INFO" in pkispawnlog
--
2.26.2
From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 17 Sep 2020 07:31:59 +0200
Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/dogtaginstance.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 524262ad7..03fdd7c0b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -183,7 +183,8 @@ class DogtagInstance(service.Service):
subsystem = self.subsystem
args = [paths.PKISPAWN,
"-s", subsystem,
- "-f", cfg_file]
+ "-f", cfg_file,
+ "--debug"]
with open(cfg_file) as f:
logger.debug(
--
2.26.2

549
SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
View File

@ -1,549 +0,0 @@
From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 17 Sep 2020 11:30:45 +0200
Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
.../test_replica_promotion.py | 52 +++++++++++++++++--
1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 82117054f..f0b72e1f8 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
SERVER_CERT_NICK: 'u,u,u',
}
- def add_subca(self, host, name, subject):
+ def add_subca(self, host, name, subject, raiseonerr=True):
result = host.run_command([
'ipa', 'ca-add', name,
'--subject', subject,
- '--desc', self.SUBCA_DESC,
+ '--desc', self.SUBCA_DESC],
+ raiseonerr=raiseonerr
+ )
+ if raiseonerr:
+ assert "ipa: ERROR:" not in result.stderr_text
+ auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
+ return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+ else:
+ assert "ipa: ERROR:" in result.stderr_text
+ assert result.returncode != 0
+ return result
+
+ def del_subca(self, host, name):
+ host.run_command([
+ 'ipa', 'ca-disable', name
])
- auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
- return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+ result = host.run_command([
+ 'ipa', 'ca-del', name
+ ])
+ assert "Deleted CA \"{}\"".format(name) in result.stdout_text
def check_subca(self, host, name, cert_nick):
- host.run_command(['ipa', 'ca-show', name])
+ result = host.run_command(['ipa', 'ca-show', name])
+ # ipa ca-show returns 0 even if the cert cannot be found locally.
+ assert "ipa: ERROR:" not in result.stderr_text
tasks.run_certutil(
host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
)
@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
ssl = replica.run_command(ssl_cmd)
assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
+ def test_del_subca_master_on_replica(self):
+ self.del_subca(self.replicas[0], self.SUBCA_MASTER)
+
+ def test_del_subca_replica(self):
+ self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
+
+ def test_scale_add_subca(self):
+ master = self.master
+ replica = self.replicas[0]
+
+ subcas = {}
+ for i in range(0, 16):
+ name = "_".join((self.SUBCA_MASTER, str(i)))
+ cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
+ subcas[name] = self.add_subca(master, name, cn)
+ self.add_subca(master, name, cn, raiseonerr=False)
+
+ # give replication some time
+ time.sleep(15)
+
+ for name in subcas:
+ self.check_subca(replica, name, subcas[name])
+ self.del_subca(replica, name)
+
class TestReplicaInstallCustodia(IntegrationTest):
"""
--
2.26.2
From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 18 Sep 2020 11:55:37 +0200
Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.fc | 1 +
selinux/ipa.te | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index a98cc4665..1176f383c 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -30,5 +30,6 @@
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
+/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 3fa4ba980..26daed293 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
type pki_tomcat_cert_t;
type node_t;
+type ipa_pki_retrieve_key_exec_t;
+init_script_file(ipa_pki_retrieve_key_exec_t)
+
########################################
#
# ipa_otpd local policy
@@ -412,3 +415,28 @@ optional_policy(`
optional_policy(`
systemd_private_tmp(ipa_custodia_tmp_t)
')
+
+optional_policy(`
+ gen_require(`
+ type tomcat_t;
+ ')
+ can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
+')
+
+optional_policy(`
+ java_exec(ipa_custodia_pki_tomcat_exec_t)
+ # allow Java to read system status and RNG
+ dev_read_urand(ipa_custodia_t)
+ dev_read_rand(ipa_custodia_t)
+ kernel_read_network_state(ipa_custodia_t)
+ dev_read_sysfs(ipa_custodia_t)
+')
--
2.26.2
From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 18 Sep 2020 17:45:39 +0200
Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is used by the JVM perf counters.
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 26daed293..0a9ccaf83 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
--
2.26.2
From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 21 Sep 2020 11:32:52 +0200
Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
ipa_pki_retrieve_key_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
ipa_pki_retrieve_key_exec_t.
As suggested by Ondrej Mosnáček.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 0a9ccaf83..92a3b2359 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -78,6 +78,8 @@ type node_t;
type ipa_pki_retrieve_key_exec_t;
init_script_file(ipa_pki_retrieve_key_exec_t)
+type ipa_pki_retrieve_key_t;
+
########################################
#
# ipa_otpd local policy
@@ -422,7 +424,7 @@ optional_policy(`
type tomcat_t;
')
can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
- pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
')
optional_policy(`
--
2.26.2
From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 21 Sep 2020 11:37:12 +0200
Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
ipa_custodia_pki_tomcat_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
ipa_custodia_pki_tomcat_t.
As suggested by Ondrej Mosnáček.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 92a3b2359..b2c618a53 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
type ipa_custodia_pki_tomcat_exec_t;
init_script_file(ipa_custodia_pki_tomcat_exec_t)
+type ipa_custodia_pki_tomcat_t;
+
type ipa_custodia_ra_agent_exec_t;
init_script_file(ipa_custodia_ra_agent_exec_t)
@@ -436,7 +438,7 @@ optional_policy(`
')
optional_policy(`
- java_exec(ipa_custodia_pki_tomcat_exec_t)
+ java_exec(ipa_custodia_pki_tomcat_t)
# allow Java to read system status and RNG
dev_read_urand(ipa_custodia_t)
dev_read_rand(ipa_custodia_t)
--
2.26.2
From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Sep 2020 11:36:13 +0200
Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
domain_type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index b2c618a53..42b010133 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
type node_t;
type ipa_pki_retrieve_key_exec_t;
+domain_type(ipa_pki_retrieve_key_exec_t)
init_script_file(ipa_pki_retrieve_key_exec_t)
type ipa_pki_retrieve_key_t;
--
2.26.2
From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Sep 2020 13:12:05 +0200
Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
non-optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 42b010133..f984a0f94 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
type node_t;
type ipa_pki_retrieve_key_exec_t;
-domain_type(ipa_pki_retrieve_key_exec_t)
-init_script_file(ipa_pki_retrieve_key_exec_t)
-
type ipa_pki_retrieve_key_t;
+domain_type(ipa_pki_retrieve_key_t)
+init_script_file(ipa_pki_retrieve_key_exec_t)
########################################
#
@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
+kernel_read_network_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
corecmd_exec_bin(ipa_custodia_t)
corecmd_mmap_bin_files(ipa_custodia_t)
+dev_read_urand(ipa_custodia_t)
+dev_read_rand(ipa_custodia_t)
+dev_read_sysfs(ipa_custodia_t)
+
domain_use_interactive_fds(ipa_custodia_t)
files_mmap_usr_files(ipa_custodia_t)
@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
libs_exec_ldconfig(ipa_custodia_t)
libs_ldconfig_exec_entry_type(ipa_custodia_t)
+logging_send_syslog_msg(ipa_custodia_t)
+
miscfiles_read_generic_certs(ipa_custodia_t)
miscfiles_read_localization(ipa_custodia_t)
@@ -441,8 +447,4 @@ optional_policy(`
optional_policy(`
java_exec(ipa_custodia_pki_tomcat_t)
# allow Java to read system status and RNG
- dev_read_urand(ipa_custodia_t)
- dev_read_rand(ipa_custodia_t)
- kernel_read_network_state(ipa_custodia_t)
- dev_read_sysfs(ipa_custodia_t)
')
--
2.26.2
From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Sep 2020 13:34:40 +0200
Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is required to fix:
avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Macros suggested by: Ondrej Mosnacek
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index f984a0f94..fa577191c 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -448,3 +448,11 @@ optional_policy(`
java_exec(ipa_custodia_pki_tomcat_t)
# allow Java to read system status and RNG
')
+
+optional_policy(`
+ gen_require(`
+ type tomcat_t;
+ ')
+ kerberos_read_config(tomcat_t)
+ kerberos_read_keytab(tomcat_t)
+')
--
2.26.2

68
SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
View File

@ -1,68 +0,0 @@
From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 23 Sep 2020 09:17:53 +0200
Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.
Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index fa577191c..d80e64a0b 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
type ipa_custodia_tmp_t;
files_tmp_file(ipa_custodia_tmp_t)
-type pki_tomcat_cert_t;
-type node_t;
-
type ipa_pki_retrieve_key_exec_t;
type ipa_pki_retrieve_key_t;
domain_type(ipa_pki_retrieve_key_t)
@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t self:udp_socket create_socket_perms;
-allow ipa_custodia_t node_t:tcp_socket node_bind;
-
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
@@ -456,3 +447,19 @@ optional_policy(`
kerberos_read_config(tomcat_t)
kerberos_read_keytab(tomcat_t)
')
+
+optional_policy(`
+ gen_require(`
+ type node_t;
+ ')
+ allow ipa_custodia_t node_t:tcp_socket node_bind;
+')
+
+optional_policy(`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+ allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+ allow ipa_custodia_t pki_tomcat_cert_t:file create;
+ allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+')
--
2.26.2

215
SOURCES/0021-Fix-nsslapd-db-lock-tuning-of-BDB-backend_rhbz#1882472.patch
View File

@ -1,215 +0,0 @@
Adapted patch for ipatests/test_integration/test_installation.py due to
missing commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account
takeover).
From 87e5c0500b76b7cbeecedc0c28d44095c7063186 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 24 Sep 2020 12:32:37 +0200
Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.
Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.
Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
freeipa.spec.in | 17 ++++++-----------
install/share/Makefile.am | 1 +
install/share/ldbm-tuning.ldif | 4 ++++
install/updates/10-db-locks.update | 10 ++++++++++
install/updates/Makefile.am | 1 +
ipapython/ipaldap.py | 1 +
ipaserver/install/dsinstance.py | 9 ++++-----
.../test_customized_ds_config_install.py | 3 ++-
.../test_integration/test_installation.py | 19 +++++++++++++++++++
9 files changed, 48 insertions(+), 17 deletions(-)
create mode 100644 install/share/ldbm-tuning.ldif
create mode 100644 install/updates/10-db-locks.update
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1db7d6457..8e6736b60 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -55,10 +55,9 @@
%global selinux_policy_version 3.14.3-21
%global slapi_nis_version 0.56.1-4
%global python_ldap_version 3.1.0-1
-# python3-lib389
-# Fix for "Installation fails: Replica Busy"
-# https://pagure.io/389-ds-base/issue/49818
-%global ds_version 1.4.0.16
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
+# https://pagure.io/freeipa/issue/8515
+%global ds_version 1.4.3
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
@@ -89,13 +88,9 @@
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1
-# Fix for create suffix
-# https://pagure.io/389-ds-base/issue/49984
-%if 0%{?fedora} >= 30
-%global ds_version 1.4.1.1
-%else
-%global ds_version 1.4.0.21
-%endif
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
+# https://pagure.io/freeipa/issue/8515
+%global ds_version 1.4.3
# Fix for TLS 1.3 PHA, RHBZ#1775146
%if 0%{?fedora} >= 31
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 53bd8f5d5..53485edfa 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -102,6 +102,7 @@ dist_app_DATA = \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
+ ldbm-tuning.ldif \
$(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
new file mode 100644
index 000000000..765ccb01a
--- /dev/null
+++ b/install/share/ldbm-tuning.ldif
@@ -0,0 +1,4 @@
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-db-locks
+nsslapd-db-locks: 50000
diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
new file mode 100644
index 000000000..31d2e4352
--- /dev/null
+++ b/install/updates/10-db-locks.update
@@ -0,0 +1,10 @@
+# Fix nsslapd-db-locks move
+# https://pagure.io/freeipa/issue/8515
+
+# replace 389-DS default with 50000 locks
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
+replace: nsslapd-db-locks:10000::50000
+
+# remove setting from old location
+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
+remove: nsslapd-db-locks: 50000
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 8a4d9cc6c..957ad4fa2 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
app_DATA = \
05-pre_upgrade_plugins.update \
10-config.update \
+ 10-db-locks.update \
10-enable-betxn.update \
10-ipapwd.update \
10-selinuxusermap.update \
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 3eac95a87..5c43413cc 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -753,6 +753,7 @@ class LDAPClient:
'nsslapd-anonlimitsdn': True,
'nsslapd-minssf-exclude-rootdse': True,
'nsslapd-enable-upgrade-hash': True,
+ 'nsslapd-db-locks': True,
})
time_limit = -1.0 # unlimited
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 3fc0de371..065c6f78f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -226,6 +226,7 @@ class DsInstance(service.Service):
self.step("creating directory server instance", self.__create_instance)
self.step("configure autobind for root", self.__root_autobind)
+ self.step("tune ldbm plugin", self.__tune_ldbm)
self.step("stopping directory server", self.__stop_instance)
self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
self.step("starting directory server", self.__start_instance)
@@ -592,6 +593,9 @@ class DsInstance(service.Service):
# Done!
logger.debug("completed creating DS instance")
+ def __tune_ldbm(self):
+ self._ldap_mod("ldbm-tuning.ldif")
+
def __update_dse_ldif(self):
"""
This method updates dse.ldif right after instance creation. This is
@@ -610,11 +614,6 @@ class DsInstance(service.Service):
temp_filename = new_dse_ldif.name
with open(dse_filename, "r") as input_file:
parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
- parser.replace_value(
- 'cn=config,cn=ldbm database,cn=plugins,cn=config',
- 'nsslapd-db-locks',
- [b'50000']
- )
if self.config_ldif:
# parse modifications from ldif file supplied by the admin
with open(self.config_ldif, "r") as config_ldif:
diff --git a/ipatests/test_integration/test_customized_ds_config_install.py b/ipatests/test_integration/test_customized_ds_config_install.py
index a2fcc7dd2..95195a014 100644
--- a/ipatests/test_integration/test_customized_ds_config_install.py
+++ b/ipatests/test_integration/test_customized_ds_config_install.py
@@ -4,7 +4,8 @@ from ipatests.pytest_ipa.integration import tasks
DIRSRV_CONFIG_MODS = """
# https://fedorahosted.org/freeipa/ticket/4949
-dn: cn=config,cn=ldbm database,cn=plugins,cn=config
+# https://pagure.io/freeipa/issue/8515
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-locks
nsslapd-db-locks: 100000
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index c939c6450..ec826edb7 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -972,6 +972,25 @@ class TestInstallMaster(IntegrationTest):
)
assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
+ def test_ldbm_tuning(self):
+ # check db-locks in new cn=bdb subentry (1.4.3+)
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
+ ["nsslapd-db-locks"],
+ scope="base"
+ )
+ assert "nsslapd-db-locks: 50000" in result.stdout_text
+
+ # no db-locks configuration in old global entry
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=config,cn=ldbm database,cn=plugins,cn=config",
+ ["nsslapd-db-locks"],
+ scope="base"
+ )
+ assert "nsslapd-db-locks" not in result.stdout_text
+
class TestInstallMasterKRA(IntegrationTest):
--
2.26.2

236
SOURCES/0022-rpcserver-fallback-to-non-armored-kinit-in-case-of-trusted-domains_rhbz#1914821.patch
View File

@ -1,236 +0,0 @@
From 1441b999d3fe9b4e59fe942294d13480ecee7d94 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 28 Oct 2020 17:46:56 +0200
Subject: [PATCH] rpcserver: fallback to non-armored kinit in case of trusted
domains
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.
FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.
[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.
[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.
Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.
In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipalib/errors.py | 6 ++
ipaserver/rpcserver.py | 94 ++++++++++++++++---------
ipatests/test_integration/test_trust.py | 21 ++++++
3 files changed, 86 insertions(+), 35 deletions(-)
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 1b17ca7ed..fa51e15c0 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -245,6 +245,12 @@ class PluginModuleError(PrivateError):
format = '%(name)s is not a valid plugin module'
+class KrbPrincipalWrongFAST(PrivateError):
+ """
+ Raised when it is not possible to use our FAST armor for kinit
+ """
+ format = '%(principal)s cannot use Anonymous PKINIT as a FAST armor'
+
##############################################################################
# Public errors:
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 181295471..ed775170e 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -46,9 +46,11 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
from ipalib.frontend import Local
from ipalib.install.kinit import kinit_armor, kinit_password
from ipalib.backend import Executioner
-from ipalib.errors import (PublicError, InternalError, JSONError,
+from ipalib.errors import (
+ PublicError, InternalError, JSONError,
CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
- ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
+ ExecutionError, PasswordExpired, KrbPrincipalExpired, KrbPrincipalWrongFAST,
+ UserLocked)
from ipalib.request import context, destroy_context
from ipalib.rpc import (xml_dumps, xml_loads,
json_encode_binary, json_decode_binary)
@@ -957,6 +959,34 @@ class login_password(Backend, KerberosSession):
self.api.Backend.wsgi_dispatch.mount(self, self.key)
def __call__(self, environ, start_response):
+ def attempt_kinit(user_principal, password,
+ ipa_ccache_name, use_armor=True):
+ try:
+ # try to remove in case an old file was there
+ os.unlink(ipa_ccache_name)
+ except OSError:
+ pass
+ try:
+ self.kinit(user_principal, password,
+ ipa_ccache_name, use_armor=use_armor)
+ except PasswordExpired as e:
+ return self.unauthorized(environ, start_response,
+ str(e), 'password-expired')
+ except InvalidSessionPassword as e:
+ return self.unauthorized(environ, start_response,
+ str(e), 'invalid-password')
+ except KrbPrincipalExpired as e:
+ return self.unauthorized(environ,
+ start_response,
+ str(e),
+ 'krbprincipal-expired')
+ except UserLocked as e:
+ return self.unauthorized(environ,
+ start_response,
+ str(e),
+ 'user-locked')
+ return None
+
logger.debug('WSGI login_password.__call__:')
# Get the user and password parameters from the request
@@ -1007,26 +1037,14 @@ class login_password(Backend, KerberosSession):
ipa_ccache_name = os.path.join(paths.IPA_CCACHES,
'kinit_{}'.format(os.getpid()))
try:
- # try to remove in case an old file was there
- os.unlink(ipa_ccache_name)
- except OSError:
- pass
- try:
- self.kinit(user_principal, password, ipa_ccache_name)
- except PasswordExpired as e:
- return self.unauthorized(environ, start_response, str(e), 'password-expired')
- except InvalidSessionPassword as e:
- return self.unauthorized(environ, start_response, str(e), 'invalid-password')
- except KrbPrincipalExpired as e:
- return self.unauthorized(environ,
- start_response,
- str(e),
- 'krbprincipal-expired')
- except UserLocked as e:
- return self.unauthorized(environ,
- start_response,
- str(e),
- 'user-locked')
+ result = attempt_kinit(user_principal, password,
+ ipa_ccache_name, use_armor=True)
+ except KrbPrincipalWrongFAST:
+ result = attempt_kinit(user_principal, password,
+ ipa_ccache_name, use_armor=False)
+
+ if result is not None:
+ return result
result = self.finalize_kerberos_acquisition('login_password',
ipa_ccache_name, environ,
@@ -1038,21 +1056,24 @@ class login_password(Backend, KerberosSession):
pass
return result
- def kinit(self, principal, password, ccache_name):
- # get anonymous ccache as an armor for FAST to enable OTP auth
- armor_path = os.path.join(paths.IPA_CCACHES,
- "armor_{}".format(os.getpid()))
+ def kinit(self, principal, password, ccache_name, use_armor=True):
+ if use_armor:
+ # get anonymous ccache as an armor for FAST to enable OTP auth
+ armor_path = os.path.join(paths.IPA_CCACHES,
+ "armor_{}".format(os.getpid()))
- logger.debug('Obtaining armor in ccache %s', armor_path)
+ logger.debug('Obtaining armor in ccache %s', armor_path)
- try:
- kinit_armor(
- armor_path,
- pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
- )
- except RuntimeError as e:
- logger.error("Failed to obtain armor cache")
- # We try to continue w/o armor, 2FA will be impacted
+ try:
+ kinit_armor(
+ armor_path,
+ pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
+ )
+ except RuntimeError as e:
+ logger.error("Failed to obtain armor cache")
+ # We try to continue w/o armor, 2FA will be impacted
+ armor_path = None
+ else:
armor_path = None
try:
@@ -1080,6 +1101,9 @@ class login_password(Backend, KerberosSession):
'while getting initial credentials') in str(e):
raise UserLocked(principal=principal,
message=unicode(e))
+ elif ('kinit: Error constructing AP-REQ armor: '
+ 'Matching credential not found') in str(e):
+ raise KrbPrincipalWrongFAST(principal=principal)
raise InvalidSessionPassword(principal=principal,
message=unicode(e))
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index a6a055c2a..bec918a31 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -175,6 +175,27 @@ class TestTrust(BaseTestTrust):
tasks.kdestroy_all(self.master)
tasks.kinit_admin(self.master)
+ def test_password_login_as_aduser(self):
+ """Test if AD user can login with password to Web UI"""
+ ad_admin = 'Administrator@%s' % self.ad_domain
+
+ tasks.kdestroy_all(self.master)
+ user_and_password = ('user=%s&password=%s' %
+ (ad_admin, self.master.config.ad_admin_password))
+ host = self.master.hostname
+ cmd_args = [
+ paths.BIN_CURL,
+ '-v',
+ '-H', 'referer:https://{}/ipa'.format(host),
+ '-H', 'Content-Type:application/x-www-form-urlencoded',
+ '-H', 'Accept:text/plain',
+ '--cacert', paths.IPA_CA_CRT,
+ '--data', user_and_password,
+ 'https://{}/ipa/session/login_password'.format(host)]
+ result = self.master.run_command(cmd_args)
+ assert "Set-Cookie: ipa_session=MagBearerToken" in result.stdout_text
+ tasks.kinit_admin(self.master)
+
def test_ipauser_authentication_with_nonposix_trust(self):
ipauser = u'tuser'
original_passwd = 'Secret123'
--
2.29.2

27
SOURCES/0023-pylint-remove-unused-variable_rhbz#1914821.patch
View File

@ -1,27 +0,0 @@
From 12de9ee69f12f7c0021ea98e9c1163db7d59e5d3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 28 Oct 2020 19:37:11 +0200
Subject: [PATCH] pylint: remove unused variable
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/rpcserver.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 27850e867..181295471 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -972,7 +972,7 @@ class login_password(Backend, KerberosSession):
try:
query_dict = parse_qs(query_string)
- except Exception as e:
+ except Exception:
return self.bad_request(environ, start_response, "cannot parse query data")
user = query_dict.get('user', None)
--
2.29.2

121
SOURCES/0024-wgi-plugins.py-ignore-empty-plugin-directories_rhbz#1895910.patch
View File

@ -1,121 +0,0 @@
From 29262465edf034d521c165e3854e28835d86b98d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 6 Nov 2020 09:53:35 +0200
Subject: [PATCH] wgi/plugins.py: ignore empty plugin directories
Dynamic plugin registry returns as a plugin any folder within the
plugins directory. Web UI then attempts to load for each plugin 'foo' a
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
does not exist, Web UI breaks and it is impossible to recover until the
empty folder is removed or 'foo/foo.js' (even empty) is created at the
server side.
Check that 'foo/foo.js' actual exists when including a plugin into the
registry.
Test the registry generator by creating fake plugins and removing them
during the test.
Fixes: https://pagure.io/freeipa/issue/8567
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/wsgi/plugins.py | 5 +-
ipatests/test_ipaserver/test_jsplugins.py | 68 +++++++++++++++++++++++
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 ipatests/test_ipaserver/test_jsplugins.py
diff --git a/install/wsgi/plugins.py b/install/wsgi/plugins.py
index f80cfb9fe..4c43e7f87 100644
--- a/install/wsgi/plugins.py
+++ b/install/wsgi/plugins.py
@@ -36,7 +36,10 @@ def get_plugin_index():
dirs = os.listdir(paths.IPA_JS_PLUGINS_DIR)
index = 'define([],function(){return['
- index += ','.join("'"+x+"'" for x in dirs)
+ for x in dirs:
+ p = os.path.join(paths.IPA_JS_PLUGINS_DIR, x, x + '.js')
+ if os.path.exists(p):
+ index += "'" + x + "',"
index += '];});'
return index.encode('utf-8')
diff --git a/ipatests/test_ipaserver/test_jsplugins.py b/ipatests/test_ipaserver/test_jsplugins.py
new file mode 100644
index 000000000..354e6992c
--- /dev/null
+++ b/ipatests/test_ipaserver/test_jsplugins.py
@@ -0,0 +1,68 @@
+# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
+
+import os
+import pytest
+
+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
+from ipatests.util import assert_equal, assert_not_equal
+from ipaplatform.paths import paths
+
+
+@pytest.mark.tier1
+class test_jsplugins(Unauthorized_HTTP_test):
+ app_uri = '/ipa/ui/js/freeipa/plugins.js'
+ jsplugins = (('foo', 'foo.js'), ('bar', ''))
+ content_type = 'application/javascript'
+
+ def test_jsplugins(self):
+ empty_response = "define([],function(){return[];});"
+
+ # Step 1: make sure default response has no additional plugins
+ response = self.send_request(method='GET')
+ assert_equal(response.status, 200)
+ response_data = response.read().decode(encoding='utf-8')
+ assert_equal(response_data, empty_response)
+
+ # Step 2: add fake plugins
+ try:
+ for (d, f) in self.jsplugins:
+ dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
+ if not os.path.exists(dir):
+ os.mkdir(dir, 0o755)
+ if f:
+ with open(os.path.join(dir, f), 'w') as js:
+ js.write("/* test js plugin */")
+
+ except OSError as e:
+ pytest.skip(
+ 'Cannot set up test JS plugin: %s' % e
+ )
+
+ # Step 3: query plugins to see if our plugins exist
+ response = self.send_request(method='GET')
+ assert_equal(response.status, 200)
+ response_data = response.read().decode(encoding='utf-8')
+ assert_not_equal(response_data, empty_response)
+ for (d, f) in self.jsplugins:
+ if f:
+ assert "'" + d + "'" in response_data
+ else:
+ assert "'" + d + "'" not in response_data
+
+ # Step 4: remove fake plugins
+ try:
+ for (d, f) in self.jsplugins:
+ dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
+ file = os.path.join(dir, f)
+ if f and os.path.exists(file):
+ os.unlink(file)
+ if os.path.exists(dir):
+ os.rmdir(dir)
+ except OSError:
+ pass
+
+ # Step 5: make sure default response has no additional plugins
+ response = self.send_request(method='GET')
+ assert_equal(response.status, 200)
+ response_data = response.read().decode(encoding='utf-8')
+ assert_equal(response_data, empty_response)
--
2.29.2

76
SOURCES/0025-ipatests-support-subordinate-upn-suffixes_rhbz#1914823.patch
View File

@ -1,76 +0,0 @@
From d5cca835d5439331c05475d0ad2f993ac6f8b615 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Wed, 11 Nov 2020 14:55:32 +0530
Subject: [PATCH] ipatests: support subordinate upn suffixes
This test adds new UPN Suffix on the AD side
within the ad.test subtree i.e new.ad.test and this
UPN is then assigned to aduser and then try to
kinit using aduser along with the UPN set, to ensure
that the kinit succeeds
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_trust.py | 45 +++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 7e4dbcc6e..31349ced7 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -245,6 +245,51 @@ class TestTrust(BaseTestTrust):
self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
stdin_text=self.upn_password)
+ def test_subordinate_suffix(self):
+ """Test subordinate UPN Suffixes"""
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_domain,
+ extra_args=['--range-type', 'ipa-ad-trust'])
+ # Clear all UPN Suffixes
+ ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
+ self.ad.run_command(["powershell", "-c", ps_cmd])
+ result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
+ assert (
+ "ipantadditionalsuffixes: {}".format(self.upn_suffix)
+ not in result.stdout_text
+ )
+ # Run Get-ADForest
+ ps_cmd1 = "Get-ADForest"
+ self.ad.run_command(["powershell", "-c", ps_cmd1])
+ # Add new UPN for AD
+ ps_cmd2 = (
+ 'Get-ADForest | Set-ADForest -UPNSuffixes '
+ '@{add="new.ad.test", "upn.dom"}'
+ )
+ self.ad.run_command(["powershell", "-c", ps_cmd2])
+ self.ad.run_command(["powershell", "-c", ps_cmd1])
+ self.master.run_command(
+ ["ipa", "trust-fetch-domains", self.ad_domain],
+ raiseonerr=False)
+ self.master.run_command(["ipa", "trust-show", self.ad_domain])
+ # Set UPN for the aduser
+ ps_cmd3 = (
+ 'set-aduser -UserPrincipalName '
+ 'Administrator@new.ad.test -Identity Administrator'
+ )
+ self.ad.run_command(["powershell", "-c", ps_cmd3])
+ # kinit to IPA using AD user Administrator@new.ad.test
+ result = self.master.run_command(
+ ["getent", "passwd", "Administrator@new.ad.test"]
+ )
+ assert result.returncode == 0
+ self.master.run_command(
+ ["kinit", "-E", "Administrator@new.ad.test"],
+ stdin_text="Secret123",
+ )
+ tasks.kdestroy_all(self.master)
+
def test_remove_nonposix_trust(self):
self.remove_trust(self.ad)
tasks.unconfigure_dns_for_trust(self.master, self.ad)
--
2.29.2

114
SOURCES/0026-ipa-kdb-support-subordinate-superior-UPN-suffixes_rhbz#1914823.patch
View File

@ -1,114 +0,0 @@
From 1f0702bf9231a4898a2d58325fc51c71fea25047 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 23 Oct 2020 18:45:09 +0300
Subject: [PATCH] ipa-kdb: support subordinate/superior UPN suffixes
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.
It means that if list of UPN suffixes contains the following top level
names (TLNs):
fabrikam.com
sub.fabrikam.com
then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.
IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.
Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.
Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 30 +++++++++++++++++++++++++
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 1 +
2 files changed, 31 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 29dadc183..692f542c9 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2393,6 +2393,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
free((*mspac)->trusts[i].upn_suffixes[j]);
}
free((*mspac)->trusts[i].upn_suffixes);
+ free((*mspac)->trusts[i].upn_suffixes_len);
}
}
free((*mspac)->trusts);
@@ -2603,6 +2604,24 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
}
}
+ t[n].upn_suffixes_len = NULL;
+ if (t[n].upn_suffixes != NULL) {
+ size_t len = 0;
+
+ for (; t[n].upn_suffixes[len] != NULL; len++);
+
+ if (len != 0) {
+ t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
+ if (t[n].upn_suffixes_len == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ for (i = 0; i < len; i++) {
+ t[n].upn_suffixes_len[i] = strlen(t[n].upn_suffixes[i]);
+ }
+ }
+ }
+
ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
&sid_blacklist_incoming);
@@ -2972,6 +2991,17 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].upn_suffixes[j],
size) == 0;
+ if (!result) {
+ /* if UPN suffix did not match exactly, find if it is
+ * superior to the test_realm, e.g. if test_realm ends
+ * with the UPN suffix prefixed with dot*/
+ size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
+ result = strncasecmp(test_realm + (size - len),
+ ipactx->mspac->trusts[i].upn_suffixes[j],
+ len) == 0;
+ }
+ }
if (result)
break;
}
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
index 30382d2ee..b21aa163f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -48,6 +48,7 @@ struct ipadb_adtrusts {
struct ipadb_adtrusts *parent;
char *parent_name;
char **upn_suffixes;
+ size_t *upn_suffixes_len;
};
int string_to_sid(const char *str, struct dom_sid *sid);
--
2.29.2

57
SOURCES/0027-ad-trust-accept-subordinate-domains-of-the-forest-trust-root_rhbz#1914823.patch
View File

@ -1,57 +0,0 @@
From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.
Correct this situation by applying the same check to the trusted domain
name as well.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f2bd60e11..c6ac593ca 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
/* Iterate through list of trusts and check if input realm belongs to any of the trust */
for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ size_t len = 0;
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].domain_name,
size) == 0;
+ if (!result) {
+ len = strlen(ipactx->mspac->trusts[i].domain_name);
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
+ result = strncasecmp(test_realm + (size - len),
+ ipactx->mspac->trusts[i].domain_name,
+ len) == 0;
+ }
+ }
+
if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
result = strncasecmp(test_realm,
ipactx->mspac->trusts[i].flat_name,
@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
/* if UPN suffix did not match exactly, find if it is
* superior to the test_realm, e.g. if test_realm ends
* with the UPN suffix prefixed with dot*/
- size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+ len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
if ((size > len) && (test_realm[size - len - 1] == '.')) {
result = strncasecmp(test_realm + (size - len),
ipactx->mspac->trusts[i].upn_suffixes[j],
--
2.29.2

127
SOURCES/0028-ipa-kdb-fix-crash-in-MS-PAC-cache-init-code.patch
View File

@ -1,127 +0,0 @@
From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 6 Nov 2020 14:07:10 +0200
Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code
When initializing UPN suffixes, we calculate their sizes and didn't use
the right variable to allocate their size. This affects us if there are
more than one UPN suffix available for a trust due to memory corruption
while filling in sizes.
Add unit test for multiple UPN suffixes.
Fixes: https://pagure.io/freeipa/issue/8566
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index dd29db190..fe5b586b6 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
for (; t[n].upn_suffixes[len] != NULL; len++);
if (len != 0) {
- t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
+ t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
if (t[n].upn_suffixes_len == NULL) {
ret = ENOMEM;
goto done;
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index d3ef5c00d..752b24ea4 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -71,6 +71,10 @@
#define DOM_SID "S-1-5-21-1-2-3"
#define DOM_SID_TRUST "S-1-5-21-4-5-6"
#define BLACKLIST_SID "S-1-5-1"
+#define NUM_SUFFIXES 10
+#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
+#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
+#define EXTERNAL_REALM "WRONG.DOMAIN"
static int setup(void **state)
{
@@ -92,6 +96,9 @@
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
assert_non_null(ipa_ctx);
+ kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
+ assert_int_equal(kerr, 0);
+
ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
assert_non_null(ipa_ctx->mspac);
@@ -126,6 +133,15 @@
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
assert_int_equal(ret, 0);
+ ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
+ ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
+ for (size_t i = 0; i < NUM_SUFFIXES; i++) {
+ asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
+ ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
+ strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
+
+ }
+
ipa_ctx->kcontext = krb5_ctx;
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
assert_int_equal(kerr, 0);
@@ -478,6 +494,38 @@
}
+void test_check_trusted_realms(void **state)
+{
+ struct test_ctx *test_ctx;
+ krb5_error_code kerr = 0;
+ char *trusted_realm = NULL;
+
+ test_ctx = (struct test_ctx *) *state;
+
+ for(size_t i = 0; i < NUM_SUFFIXES; i++) {
+ char *test_realm = NULL;
+ asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
+
+ if (test_realm) {
+ kerr = ipadb_is_princ_from_trusted_realm(
+ test_ctx->krb5_ctx,
+ test_realm,
+ strlen(test_realm),
+ &trusted_realm);
+ assert_int_equal(kerr, 0);
+ free(test_realm);
+ free(trusted_realm);
+ }
+ }
+
+ kerr = ipadb_is_princ_from_trusted_realm(
+ test_ctx->krb5_ctx,
+ EXTERNAL_REALM,
+ strlen(EXTERNAL_REALM),
+ &trusted_realm);
+ assert_int_equal(kerr, KRB5_KDB_NOENTRY);
+}
+
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
@@ -488,6 +536,8 @@
cmocka_unit_test(test_string_to_sid),
cmocka_unit_test_setup_teardown(test_dom_sid_string,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_check_trusted_realms,
+ setup, teardown),
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.29.2

2713
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
View File

File diff suppressed because one or more lines are too long

2051
SOURCES/1002-4.8.0-Remove-csrgen.patch
View File

File diff suppressed because it is too large Load Diff

134
SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
View File

@ -1,134 +0,0 @@
From 2f8e87ce9ccaab51b32a395c6cf6c764434ed0e2 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 11 Jun 2020 10:40:57 +0200
Subject: [PATCH] Revert "WebUI: use python3-rjsmin to minify JavaScript files"
This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3.
---
.lgtm.yml | 4 ++--
freeipa.spec.in | 2 +-
install/ui/build/freeipa/Makefile.am | 2 +-
install/ui/src/webui.profile.js | 4 ++--
install/ui/util/build/README | 4 ++--
install/ui/util/compile.sh | 8 ++++----
6 files changed, 12 insertions(+), 12 deletions(-)
#diff --git a/.lgtm.yml b/.lgtm.yml
#index b3898116e..e63615918 100644
#--- a/.lgtm.yml
#+++ b/.lgtm.yml
#@@ -39,7 +39,7 @@ extraction:
# - python3-setuptools
# - python3-wheel
# - nodejs
#- - python3-rjsmin
#+ - uglifyjs
# - systemd
# - 389-ds-base-dev
# - libssl-dev
#@@ -79,7 +79,7 @@ extraction:
# - python3-setuptools
# - python3-wheel
# - nodejs
#- - python3-rjsmin
#+ - uglifyjs
# - systemd
# - 389-ds-base-dev
# - libssl-dev
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b6eb79593..a4682497a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel
BuildRequires: libsss_certmap-devel
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
BuildRequires: nodejs(abi)
-BuildRequires: python3-rjsmin
+BuildRequires: uglify-js
BuildRequires: libverto-devel
BuildRequires: libunistring-devel
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
index f4d97819e..05e82f4da 100644
--- a/install/ui/build/freeipa/Makefile.am
+++ b/install/ui/build/freeipa/Makefile.am
@@ -18,6 +18,6 @@ widgets := $(wildcard ../../src/freeipa/widgets/*.js)
nav := $(wildcard ../../src/freeipa/navigation/*.js)
app.js: $(core) $(base) $(widgets) $(nav)
- PYTHON=$(PYTHON) $(srcdir)/../../util/make-ui.sh
+ $(srcdir)/../../util/make-ui.sh
core.js: app.js
diff --git a/install/ui/src/webui.profile.js b/install/ui/src/webui.profile.js
index 2d4d691dc..1d7a6cc84 100644
--- a/install/ui/src/webui.profile.js
+++ b/install/ui/src/webui.profile.js
@@ -9,7 +9,7 @@ var profile = (function(){
releaseName: "lib",
action: "release",
- // optimization done separately by python3-rjsmin
+ // optimization done separately by uglify.js
layerOptimize: false,
optimize: false,
cssOptimize: false,
@@ -123,4 +123,4 @@ var profile = (function(){
}
}
};
-})();
+})();
\ No newline at end of file
diff --git a/install/ui/util/build/README b/install/ui/util/build/README
index 2c4e0ecac..0772532d4 100644
--- a/install/ui/util/build/README
+++ b/install/ui/util/build/README
@@ -1,5 +1,5 @@
build.js is builded dojo builder, with applied patches from 'patches' folder, by
-itself and compiled using python3-rjsmin
+itself and compiled using uglify.js
_base/configRhino.js is unmodifed file from dojo/dojo. Required for a build to work.
@@ -9,4 +9,4 @@ Available via Academic Free License >= 2.1 OR the modified BSD license.
see: http://dojotoolkit.org/license for details
= License =
-Full Dojo license is in LICENSE file.
+Full Dojo license is in LICENSE file.
\ No newline at end of file
diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
index 1516b815f..d14f90ab0 100755
--- a/install/ui/util/compile.sh
+++ b/install/ui/util/compile.sh
@@ -26,14 +26,14 @@ RDIR=$DIR/../release
usage() {
cat <<-__EOF__;
NAME
- compile.sh - Compiles layer file of Dojo build using Python rjsmin.
+ compile.sh - Compiles layer file of Dojo build using uglify.js.
Deletes all other files.
SYNOPSIS
path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME
DESCRIPTION
- Compiles layer file of Dojo build output using Python rjsmin.
+ Compiles layer file of Dojo build output using uglify.js.
Deletes all other files.
OPTIONS
@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then
OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js
fi
-# compile using python rjsmin
+# compile using uglifyjs
echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
echo "Target file: $OUTPUT_FILE"
-${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
--
2.26.2

16
SOURCES/freeipa-4.8.7.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl7hNhYACgkQRxniuKu/
Yhq2rxAAnK8YHbQtivjssWz6BBRiU5TKootA3fSqfvbhACYG14629/Dpc5IIkYZ1
0AE4CUFA7Oi92emFbxrLJyeSuxuzTxSVmydJ5HW/OTkRRSnmjL5oeBg2D++B9OaO
qVAXRZbi5YNfW5y//9BIRzCGw0RHpbR/QjZ1ipDymky6nr5IS+EhfZ0iHeEyiNXd
OP3OJv538HSvRrv3mJvz52pKVfegw1OTd8yUnmuPEc9ClQfPQHjXqsOeFYCbR8fg
59y0twMMrOc2J4eL0OkNE/By+o+1vAMUwEs736sCdbJJPigerfuK0e7ZxP+x98BP
bmIBxv7eUf20Rn3An7+vTqQP60V4tS+FOnc2LD3OpHH4vy34ovWZfYZWVKbg0z1+
5E/0TWifhlibbRZctDaxkZfFVchQnixHnO0Awv8wNxRzh/XvvsTPz1zJXk5kHk3r
Ws2/GbeWTiJLe8sIXJz0MNTayWLnsDJG6BCRf+K0HwCdL80p4TG71dTwa9PW5HEy
UklxW/zfr+chS1AszNgb8wJa6WtDHfQnktJwSSj7CkD3JdUVx+L/cJiOfbCM+WUi
BRzhVhNUDX/FkpGUyvC4AYXX+wcwHph9BDChUDqcG886aIK28TAsie3Vwz/F7hKP
TYpF1+YIImcRfUQ737pnbHL12o5yzfhkBfD2GMsojEd0x71B3PY=
=B33Z
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.9.2.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
=XC/f
-----END PGP SIGNATURE-----

608
SPECS/ipa.spec
View File

File diff suppressed because it is too large Load Diff