import ipa-4.9.2-3.module+el8.4.0+10412+5ecb5b37
This commit is contained in:
parent
eb3a2cb921
commit
c837b107f7
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/freeipa-4.8.7.tar.gz
|
SOURCES/freeipa-4.9.2.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz
|
c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
|
||||||
|
@ -1,409 +0,0 @@
|
|||||||
From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Date: Thu, 28 May 2020 08:47:49 +0200
|
|
||||||
Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while
|
|
||||||
adding idoverrideuser association
|
|
||||||
|
|
||||||
Add builder for association adder dialog which allows to override behavior of the component.
|
|
||||||
Replace default implementation with a custom one for idoverrideuser.
|
|
||||||
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
|
|
||||||
|
|
||||||
Ticket: https://pagure.io/freeipa/issue/8335
|
|
||||||
|
|
||||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
install/ui/src/freeipa/association.js | 13 ++++-
|
|
||||||
install/ui/src/freeipa/dialog.js | 73 ++++++++++++++++-----------
|
|
||||||
install/ui/src/freeipa/group.js | 14 +++++
|
|
||||||
install/ui/src/freeipa/idviews.js | 58 +++++++++++++++++++++
|
|
||||||
ipaserver/plugins/internal.py | 6 +++
|
|
||||||
5 files changed, 133 insertions(+), 31 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
|
|
||||||
index f10ccb2a5..b083a79f9 100644
|
|
||||||
--- a/install/ui/src/freeipa/association.js
|
|
||||||
+++ b/install/ui/src/freeipa/association.js
|
|
||||||
@@ -25,6 +25,7 @@
|
|
||||||
define([
|
|
||||||
'dojo/_base/lang',
|
|
||||||
'dojo/Deferred',
|
|
||||||
+ './builder',
|
|
||||||
'./metadata',
|
|
||||||
'./ipa',
|
|
||||||
'./jquery',
|
|
||||||
@@ -38,7 +39,7 @@ define([
|
|
||||||
'./facet',
|
|
||||||
'./search',
|
|
||||||
'./dialog'],
|
|
||||||
- function(lang, Deferred, metadata_provider, IPA, $, metadata,
|
|
||||||
+ function(lang, Deferred, builder, metadata_provider, IPA, $, metadata,
|
|
||||||
navigation, phases, reg, rpc, su, text) {
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) {
|
|
||||||
|
|
||||||
var pkeys = that.data.result.result[that.get_attribute_name()];
|
|
||||||
|
|
||||||
- var dialog = IPA.association_adder_dialog({
|
|
||||||
+ var dialog = builder.build('association_adder_dialog', {
|
|
||||||
+ $type: that.other_entity.name,
|
|
||||||
title: title,
|
|
||||||
entity: that.entity,
|
|
||||||
pkey: pkey,
|
|
||||||
@@ -1675,6 +1677,13 @@ IPA.attr_read_only_evaluator = function(spec) {
|
|
||||||
return that;
|
|
||||||
};
|
|
||||||
|
|
||||||
+// Create a registry for adder dialogs where key is name of 'other entity'.
|
|
||||||
+// It allows to override dialogs for some specific cases of association
|
|
||||||
+// creation.
|
|
||||||
+var dialog_builder = builder.get('association_adder_dialog');
|
|
||||||
+dialog_builder.factory = IPA.association_adder_dialog;
|
|
||||||
+reg.set('association_adder_dialog', dialog_builder.registry);
|
|
||||||
+
|
|
||||||
phases.on('registration', function() {
|
|
||||||
var w = reg.widget;
|
|
||||||
var f = reg.field;
|
|
||||||
diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js
|
|
||||||
index c153120df..d67d63b6d 100644
|
|
||||||
--- a/install/ui/src/freeipa/dialog.js
|
|
||||||
+++ b/install/ui/src/freeipa/dialog.js
|
|
||||||
@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) {
|
|
||||||
'class': 'input-group col-md-12 adder-dialog-top'
|
|
||||||
}).appendTo(container);
|
|
||||||
|
|
||||||
- var filter_placeholder = text.get('@i18n:association.filter_placeholder');
|
|
||||||
- filter_placeholder = filter_placeholder.replace('${other_entity}',
|
|
||||||
- that.other_entity.metadata.label);
|
|
||||||
-
|
|
||||||
- that.filter_field = $('<input/>', {
|
|
||||||
- type: 'text',
|
|
||||||
- name: 'filter',
|
|
||||||
- 'class': 'form-control',
|
|
||||||
- 'placeholder': filter_placeholder,
|
|
||||||
- keyup: function(event) {
|
|
||||||
- if (event.keyCode === keys.ENTER) {
|
|
||||||
- that.search();
|
|
||||||
- return false;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- }).appendTo(input_group);
|
|
||||||
-
|
|
||||||
- var input_group_btn = $('<div/>', {
|
|
||||||
- 'class': 'input-group-btn'
|
|
||||||
- }).appendTo(input_group);
|
|
||||||
-
|
|
||||||
- that.find_button = IPA.button({
|
|
||||||
- name: 'find',
|
|
||||||
- label: '@i18n:buttons.filter',
|
|
||||||
- click: function() {
|
|
||||||
- that.search();
|
|
||||||
- return false;
|
|
||||||
- }
|
|
||||||
- }).appendTo(input_group_btn);
|
|
||||||
+ that.filter_field = that.get_filter_field(input_group);
|
|
||||||
|
|
||||||
var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container);
|
|
||||||
//
|
|
||||||
@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) {
|
|
||||||
return that.filter_field.val();
|
|
||||||
};
|
|
||||||
|
|
||||||
+ /**
|
|
||||||
+ * Return field for filtering available items
|
|
||||||
+ *
|
|
||||||
+ * Default implementation returns text input + "Filter" button.
|
|
||||||
+ * It can be overridden.
|
|
||||||
+ *
|
|
||||||
+ * @param {HTMLElement} input_group - container for a filter field
|
|
||||||
+ * @return {HTMLElement}
|
|
||||||
+ */
|
|
||||||
+ that.get_filter_field = function(input_group) {
|
|
||||||
+ var filter_placeholder = text.get(
|
|
||||||
+ '@i18n:association.filter_placeholder'
|
|
||||||
+ ).replace('${other_entity}', that.other_entity.metadata.label);
|
|
||||||
+
|
|
||||||
+ var filter_field = $('<input/>', {
|
|
||||||
+ type: 'text',
|
|
||||||
+ name: 'filter',
|
|
||||||
+ 'class': 'form-control',
|
|
||||||
+ 'placeholder': filter_placeholder,
|
|
||||||
+ keyup: function(event) {
|
|
||||||
+ if (event.keyCode === keys.ENTER) {
|
|
||||||
+ that.search();
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }).appendTo(input_group);
|
|
||||||
+
|
|
||||||
+ var input_group_btn = $('<div/>', {
|
|
||||||
+ 'class': 'input-group-btn'
|
|
||||||
+ }).appendTo(input_group);
|
|
||||||
+
|
|
||||||
+ that.find_button = IPA.button({
|
|
||||||
+ name: 'find',
|
|
||||||
+ label: '@i18n:buttons.filter',
|
|
||||||
+ click: function() {
|
|
||||||
+ that.search();
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
+ }).appendTo(input_group_btn);
|
|
||||||
+
|
|
||||||
+ return filter_field;
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* Clear rows in available table
|
|
||||||
*/
|
|
||||||
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
|
|
||||||
index e46d8c7e3..2984bd4b2 100644
|
|
||||||
--- a/install/ui/src/freeipa/group.js
|
|
||||||
+++ b/install/ui/src/freeipa/group.js
|
|
||||||
@@ -205,6 +205,20 @@ return {
|
|
||||||
add_title: '@i18n:objects.group.add_into_sudo',
|
|
||||||
remove_method: 'remove_user',
|
|
||||||
remove_title: '@i18n:objects.group.remove_from_sudo'
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ $type: 'association',
|
|
||||||
+ name: 'member_idoverrideuser',
|
|
||||||
+ associator: IPA.serial_associator,
|
|
||||||
+ add_title: '@i18n:objects.group.add_idoverride_user',
|
|
||||||
+ remove_title: '@i18n:objects.group.remove_idoverride_users',
|
|
||||||
+ columns: [
|
|
||||||
+ {
|
|
||||||
+ name: 'ipaanchoruuid',
|
|
||||||
+ label: '@i18n:objects.idoverrideuser.anchor_label',
|
|
||||||
+ link: false
|
|
||||||
+ }
|
|
||||||
+ ]
|
|
||||||
}
|
|
||||||
],
|
|
||||||
standard_association_facets: true,
|
|
||||||
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
|
|
||||||
index 35dc998c8..a4fca6205 100644
|
|
||||||
--- a/install/ui/src/freeipa/idviews.js
|
|
||||||
+++ b/install/ui/src/freeipa/idviews.js
|
|
||||||
@@ -966,6 +966,58 @@ idviews.unapply_action = function(spec) {
|
|
||||||
return that;
|
|
||||||
};
|
|
||||||
|
|
||||||
+idviews.idoverrideuser_adder_dialog = function(spec) {
|
|
||||||
+
|
|
||||||
+ spec = spec || {};
|
|
||||||
+
|
|
||||||
+ var that = IPA.association_adder_dialog(spec);
|
|
||||||
+
|
|
||||||
+ that.base_search = that.search;
|
|
||||||
+
|
|
||||||
+ that.search = function() {
|
|
||||||
+ // Search for users only in case a ID view is selected
|
|
||||||
+ if (that.get_filter()) {
|
|
||||||
+ that.base_search();
|
|
||||||
+ }
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ /**
|
|
||||||
+ * Replace default text filter with a select box for filtering by ID view
|
|
||||||
+ */
|
|
||||||
+ that.get_filter_field = function(input_group) {
|
|
||||||
+
|
|
||||||
+ var filter_field = $('<select/>', {
|
|
||||||
+ name: 'filter',
|
|
||||||
+ 'class': 'form-control',
|
|
||||||
+ change: function(event) {
|
|
||||||
+ that.search();
|
|
||||||
+ }
|
|
||||||
+ }).appendTo(input_group);
|
|
||||||
+
|
|
||||||
+ rpc.command({
|
|
||||||
+ entity: 'idview',
|
|
||||||
+ method: 'find',
|
|
||||||
+ on_success: function(data) {
|
|
||||||
+ var results = data.result;
|
|
||||||
+
|
|
||||||
+ for (var i=0; i<results.count; i++) {
|
|
||||||
+ var result = results.result[i];
|
|
||||||
+ $('<option/>', {
|
|
||||||
+ text: result.cn[0],
|
|
||||||
+ value: result.cn[0]
|
|
||||||
+ }).appendTo(filter_field);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ that.search();
|
|
||||||
+ }
|
|
||||||
+ }).execute();
|
|
||||||
+
|
|
||||||
+ return filter_field;
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ return that;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* ID View entity specification object
|
|
||||||
* @member idviews
|
|
||||||
@@ -993,6 +1045,7 @@ idviews.register = function() {
|
|
||||||
var f = reg.facet;
|
|
||||||
var a = reg.action;
|
|
||||||
var w = reg.widget;
|
|
||||||
+ var ad = reg.association_adder_dialog;
|
|
||||||
|
|
||||||
e.register({type: 'idview', spec: idviews.spec});
|
|
||||||
e.register({
|
|
||||||
@@ -1012,6 +1065,11 @@ idviews.register = function() {
|
|
||||||
|
|
||||||
w.register('idviews_certs', idviews.idviews_certs_widget);
|
|
||||||
w.register('cert_textarea', idviews.cert_textarea_widget);
|
|
||||||
+
|
|
||||||
+ ad.register({
|
|
||||||
+ type: 'idoverrideuser',
|
|
||||||
+ factory: idviews.idoverrideuser_adder_dialog
|
|
||||||
+ });
|
|
||||||
};
|
|
||||||
|
|
||||||
phases.on('registration', idviews.register);
|
|
||||||
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
|
|
||||||
index 5f2b1fdc2..7622e65dc 100644
|
|
||||||
--- a/ipaserver/plugins/internal.py
|
|
||||||
+++ b/ipaserver/plugins/internal.py
|
|
||||||
@@ -835,6 +835,9 @@ class i18n_messages(Command):
|
|
||||||
"Remove users from member managers for user group "
|
|
||||||
"'${primary_key}'"
|
|
||||||
),
|
|
||||||
+ "add_idoverride_user": _(
|
|
||||||
+ "Add user ID override into user group '${primary_key}'"
|
|
||||||
+ ),
|
|
||||||
"details": _("Group Settings"),
|
|
||||||
"external": _("External"),
|
|
||||||
"groups": _("Groups"),
|
|
||||||
@@ -868,6 +871,9 @@ class i18n_messages(Command):
|
|
||||||
"remove_users": _(
|
|
||||||
"Remove users from user group '${primary_key}'"
|
|
||||||
),
|
|
||||||
+ "remove_idoverride_users": _(
|
|
||||||
+ "Remove user ID overrides from user group '${primary_key}'"
|
|
||||||
+ ),
|
|
||||||
"type": _("Group Type"),
|
|
||||||
"user_groups": _("User Groups"),
|
|
||||||
},
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From f6c460aee8542d4d81cd9970d71051c240156973 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Date: Thu, 16 Jul 2020 18:52:24 +0200
|
|
||||||
Subject: [PATCH] WebUI: Fix error "unknown command
|
|
||||||
'idoverrideuser_add_member'"
|
|
||||||
|
|
||||||
There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
|
|
||||||
as a result a wrong command was sent to the server.
|
|
||||||
|
|
||||||
Ticket: https://pagure.io/freeipa/issue/8416
|
|
||||||
|
|
||||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
install/ui/src/freeipa/group.js | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
|
|
||||||
index 2984bd4b2..61c19a82f 100644
|
|
||||||
--- a/install/ui/src/freeipa/group.js
|
|
||||||
+++ b/install/ui/src/freeipa/group.js
|
|
||||||
@@ -209,7 +209,6 @@ return {
|
|
||||||
{
|
|
||||||
$type: 'association',
|
|
||||||
name: 'member_idoverrideuser',
|
|
||||||
- associator: IPA.serial_associator,
|
|
||||||
add_title: '@i18n:objects.group.add_idoverride_user',
|
|
||||||
remove_title: '@i18n:objects.group.remove_idoverride_users',
|
|
||||||
columns: [
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From e35739b7e9f6bb016b37abbd92bdaee71a59a288 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Date: Wed, 29 Jul 2020 09:41:36 +0200
|
|
||||||
Subject: [PATCH] WebUI tests: Add test case to cover user ID override feature
|
|
||||||
|
|
||||||
The test case includes adding an user ID override to Default Trust View
|
|
||||||
and adding the ID override to some IPA group.
|
|
||||||
|
|
||||||
Ticket: https://pagure.io/freeipa/issue/8416
|
|
||||||
|
|
||||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_webui/test_trust.py | 41 +++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 41 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py
|
|
||||||
index c04c2fcd8..605f8a2a7 100644
|
|
||||||
--- a/ipatests/test_webui/test_trust.py
|
|
||||||
+++ b/ipatests/test_webui/test_trust.py
|
|
||||||
@@ -21,6 +21,8 @@
|
|
||||||
Trust tests
|
|
||||||
"""
|
|
||||||
|
|
||||||
+import ipatests.test_webui.data_group as group
|
|
||||||
+import ipatests.test_webui.data_idviews as idview
|
|
||||||
from ipatests.test_webui.ui_driver import UI_driver
|
|
||||||
from ipatests.test_webui.ui_driver import screenshot
|
|
||||||
from ipatests.test_webui.task_range import range_tasks
|
|
||||||
@@ -29,6 +31,8 @@ import pytest
|
|
||||||
ENTITY = 'trust'
|
|
||||||
CONFIG_ENTITY = 'trustconfig'
|
|
||||||
|
|
||||||
+DEFAULT_TRUST_VIEW = 'Default Trust View'
|
|
||||||
+
|
|
||||||
CONFIG_DATA = {
|
|
||||||
'mod': [
|
|
||||||
['combobox', 'ipantfallbackprimarygroup', 'admins'],
|
|
||||||
@@ -164,3 +168,40 @@ class test_trust(trust_tasks):
|
|
||||||
|
|
||||||
self.mod_record(CONFIG_ENTITY, CONFIG_DATA)
|
|
||||||
self.mod_record(CONFIG_ENTITY, CONFIG_DATA2)
|
|
||||||
+
|
|
||||||
+ @screenshot
|
|
||||||
+ def test_group_member_idoverrideuser(self):
|
|
||||||
+
|
|
||||||
+ self.init_app()
|
|
||||||
+
|
|
||||||
+ # Create new trust
|
|
||||||
+ data = self.get_data()
|
|
||||||
+ self.add_record(ENTITY, data)
|
|
||||||
+
|
|
||||||
+ # Create an user ID override
|
|
||||||
+ ad_domain = self.config.get('ad_domain')
|
|
||||||
+ ad_admin = self.config.get('ad_admin')
|
|
||||||
+ idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower()
|
|
||||||
+
|
|
||||||
+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
|
|
||||||
+ self.add_record(idview.ENTITY, {
|
|
||||||
+ 'pkey': idoverrideuser_pkey,
|
|
||||||
+ 'add': [
|
|
||||||
+ ('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey),
|
|
||||||
+ ],
|
|
||||||
+ }, facet='idoverrideuser')
|
|
||||||
+
|
|
||||||
+ # Create new group and add the user ID override there
|
|
||||||
+ self.navigate_to_entity(group.ENTITY)
|
|
||||||
+ self.add_record(group.ENTITY, group.DATA)
|
|
||||||
+ self.navigate_to_record(group.PKEY)
|
|
||||||
+ self.add_associations([idoverrideuser_pkey],
|
|
||||||
+ facet='member_idoverrideuser', delete=True)
|
|
||||||
+
|
|
||||||
+ # Clean up data
|
|
||||||
+ self.navigate_to_entity(group.ENTITY)
|
|
||||||
+ self.delete_record(group.PKEY)
|
|
||||||
+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
|
|
||||||
+ self.delete_record(idoverrideuser_pkey)
|
|
||||||
+ self.navigate_to_entity(ENTITY)
|
|
||||||
+ self.delete_record(ad_domain)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,381 @@
|
|||||||
|
From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Fri, 11 Dec 2020 07:35:59 +0200
|
||||||
|
Subject: [PATCH] ipatests: add TestInstallWithoutSudo
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Test IPA servers and clients behavior when sudo is not installed.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8530
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
.../nightly_ipa-4-9_latest.yaml | 12 ++++
|
||||||
|
.../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++
|
||||||
|
.../nightly_ipa-4-9_previous.yaml | 12 ++++
|
||||||
|
.../test_integration/test_installation.py | 66 +++++++++++++++++++
|
||||||
|
4 files changed, 103 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
index 3acd6a13c..d91b16cab 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
@@ -535,6 +535,18 @@ jobs:
|
||||||
|
timeout: 10800
|
||||||
|
topology: *master_1repl
|
||||||
|
|
||||||
|
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
|
||||||
|
+ requires: [fedora-latest-ipa-4-9/build]
|
||||||
|
+ priority: 50
|
||||||
|
+ job:
|
||||||
|
+ class: RunPytest
|
||||||
|
+ args:
|
||||||
|
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||||
|
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
|
||||||
|
+ template: *ci-ipa-4-9-latest
|
||||||
|
+ timeout: 4800
|
||||||
|
+ topology: *master_1repl_1client
|
||||||
|
+
|
||||||
|
fedora-latest-ipa-4-9/test_idviews:
|
||||||
|
requires: [fedora-latest-ipa-4-9/build]
|
||||||
|
priority: 50
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
index c01192cf5..8adb06d0c 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
@@ -575,6 +575,19 @@ jobs:
|
||||||
|
timeout: 10800
|
||||||
|
topology: *master_1repl
|
||||||
|
|
||||||
|
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
|
||||||
|
+ requires: [fedora-latest-ipa-4-9/build]
|
||||||
|
+ priority: 50
|
||||||
|
+ job:
|
||||||
|
+ class: RunPytest
|
||||||
|
+ args:
|
||||||
|
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||||
|
+ selinux_enforcing: True
|
||||||
|
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
|
||||||
|
+ template: *ci-ipa-4-9-latest
|
||||||
|
+ timeout: 4800
|
||||||
|
+ topology: *master_1repl_1client
|
||||||
|
+
|
||||||
|
fedora-latest-ipa-4-9/test_idviews:
|
||||||
|
requires: [fedora-latest-ipa-4-9/build]
|
||||||
|
priority: 50
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
index a6ea24f6a..2b5d4fd5e 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
@@ -535,6 +535,18 @@ jobs:
|
||||||
|
timeout: 10800
|
||||||
|
topology: *master_1repl
|
||||||
|
|
||||||
|
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
|
||||||
|
+ requires: [fedora-previous-ipa-4-9/build]
|
||||||
|
+ priority: 50
|
||||||
|
+ job:
|
||||||
|
+ class: RunPytest
|
||||||
|
+ args:
|
||||||
|
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
|
||||||
|
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
|
||||||
|
+ template: *ci-ipa-4-9-previous
|
||||||
|
+ timeout: 4800
|
||||||
|
+ topology: *master_1repl_1client
|
||||||
|
+
|
||||||
|
fedora-previous-ipa-4-9/test_idviews:
|
||||||
|
requires: [fedora-previous-ipa-4-9/build]
|
||||||
|
priority: 50
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index eb6f7d78e..6e8af024c 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
|
||||||
|
self.replicas[0].hostname],
|
||||||
|
stdin_text=dirman_password)
|
||||||
|
assert self.replicas[0].hostname not in cmd.stdout_text
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestInstallWithoutSudo(IntegrationTest):
|
||||||
|
+
|
||||||
|
+ num_clients = 1
|
||||||
|
+ num_replicas = 1
|
||||||
|
+ no_sudo_str = "The sudo binary does not seem to be present on this"
|
||||||
|
+
|
||||||
|
+ @classmethod
|
||||||
|
+ def install(cls, mh):
|
||||||
|
+ pass
|
||||||
|
+
|
||||||
|
+ def test_sudo_removal(self):
|
||||||
|
+ # ipa-client makes sudo depend on libsss_sudo.
|
||||||
|
+
|
||||||
|
+ # --nodeps is mandatory because dogtag uses sudo at install
|
||||||
|
+ # time until commit 49585867207922479644a03078c29548de02cd03
|
||||||
|
+ # which is scheduled to land in 10.10.
|
||||||
|
+
|
||||||
|
+ # This also means sudo+libsss_sudo cannot be uninstalled on
|
||||||
|
+ # IPA servers with a CA.
|
||||||
|
+ assert tasks.is_package_installed(self.clients[0], 'sudo')
|
||||||
|
+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
|
||||||
|
+ tasks.uninstall_packages(
|
||||||
|
+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ def test_ipa_installation_without_sudo(self):
|
||||||
|
+ # FixMe: When Dogtag 10.10 is out, test installation without sudo
|
||||||
|
+ tasks.install_master(self.master, setup_dns=True)
|
||||||
|
+
|
||||||
|
+ def test_replica_installation_without_sudo(self):
|
||||||
|
+ # FixMe: When Dogtag 10.10 is out, test replica installation
|
||||||
|
+ # without sudo and with CA
|
||||||
|
+ tasks.uninstall_packages(
|
||||||
|
+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
|
||||||
|
+ )
|
||||||
|
+ # One-step install is needed.
|
||||||
|
+ # With promote=True, two-step install is done and that only captures
|
||||||
|
+ # the ipa-replica-install stdout/stderr, not ipa-client-install's.
|
||||||
|
+ result = tasks.install_replica(
|
||||||
|
+ self.master, self.replicas[0], promote=False,
|
||||||
|
+ setup_dns=True, setup_ca=False
|
||||||
|
+ )
|
||||||
|
+ assert self.no_sudo_str in result.stderr_text
|
||||||
|
+
|
||||||
|
+ def test_client_installation_without_sudo(self):
|
||||||
|
+ result = tasks.install_client(self.master, self.clients[0])
|
||||||
|
+ assert self.no_sudo_str in result.stderr_text
|
||||||
|
+
|
||||||
|
+ def test_remove_sudo_on_ipa(self):
|
||||||
|
+ tasks.uninstall_packages(
|
||||||
|
+ self.master, ['sudo', 'libsss_sudo'], nodeps=True
|
||||||
|
+ )
|
||||||
|
+ self.master.run_command(
|
||||||
|
+ ['ipactl', 'restart']
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ def test_install_sudo_on_client(self):
|
||||||
|
+ """ Check that installing sudo pulls libsss_sudo in"""
|
||||||
|
+ for pkg in ('sudo', 'libsss_sudo'):
|
||||||
|
+ assert tasks.is_package_installed(self.clients[0], pkg) is False
|
||||||
|
+ tasks.uninstall_client(self.clients[0])
|
||||||
|
+ tasks.install_packages(self.clients[0], ['sudo'])
|
||||||
|
+ for pkg in ('sudo', 'libsss_sudo'):
|
||||||
|
+ assert tasks.is_package_installed(self.clients[0], pkg)
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Thu, 10 Dec 2020 08:35:12 +0200
|
||||||
|
Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Handle package removal without taking dependencies into account.
|
||||||
|
E.g. add frontends for rpm -e --nodeps.
|
||||||
|
|
||||||
|
Related: ipatests/pytest_ipa/integration/tasks.py
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
|
||||||
|
1 file changed, 41 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||||
|
index b91859816..2fe78367f 100755
|
||||||
|
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||||
|
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||||
|
@@ -29,6 +29,7 @@ import re
|
||||||
|
import collections
|
||||||
|
import itertools
|
||||||
|
import shutil
|
||||||
|
+import shlex
|
||||||
|
import copy
|
||||||
|
import subprocess
|
||||||
|
import tempfile
|
||||||
|
@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
|
||||||
|
return tmpdir
|
||||||
|
|
||||||
|
|
||||||
|
-def uninstall_packages(host, pkgs):
|
||||||
|
+def uninstall_packages(host, pkgs, nodeps=False):
|
||||||
|
"""Uninstall packages on a remote host.
|
||||||
|
- :param host: the host where the uninstallation takes place
|
||||||
|
- :param pkgs: packages to uninstall, provided as a list of strings
|
||||||
|
+ :param host: the host where the uninstallation takes place.
|
||||||
|
+ :param pkgs: packages to uninstall, provided as a list of strings.
|
||||||
|
+ :param nodeps: ignore dependencies (dangerous!).
|
||||||
|
"""
|
||||||
|
platform = get_platform(host)
|
||||||
|
- # Only supports RHEL 8+ and Fedora for now
|
||||||
|
- if platform in ('rhel', 'fedora'):
|
||||||
|
- install_cmd = ['/usr/bin/dnf', 'remove', '-y']
|
||||||
|
- elif platform in ('ubuntu'):
|
||||||
|
- install_cmd = ['apt-get', 'remove', '-y']
|
||||||
|
+ if platform not in ('rhel', 'fedora', 'ubuntu'):
|
||||||
|
+ raise ValueError('uninstall_packages: unknown platform %s' % platform)
|
||||||
|
+ if nodeps:
|
||||||
|
+ if platform in ('rhel', 'fedora'):
|
||||||
|
+ cmd = "rpm -e --nodeps"
|
||||||
|
+ elif platform in ('ubuntu'):
|
||||||
|
+ cmd = "dpkg -P --force-depends"
|
||||||
|
+ for package in pkgs:
|
||||||
|
+ uninstall_cmd = shlex.split(cmd)
|
||||||
|
+ uninstall_cmd.append(package)
|
||||||
|
+ # keep raiseonerr=True here. --fcami
|
||||||
|
+ host.run_command(uninstall_cmd)
|
||||||
|
else:
|
||||||
|
- raise ValueError('install_packages: unknown platform %s' % platform)
|
||||||
|
- host.run_command(install_cmd + pkgs, raiseonerr=False)
|
||||||
|
+ if platform in ('rhel', 'fedora'):
|
||||||
|
+ cmd = "/usr/bin/dnf remove -y"
|
||||||
|
+ elif platform in ('ubuntu'):
|
||||||
|
+ cmd = "apt-get remove -y"
|
||||||
|
+ uninstall_cmd = shlex.split(cmd)
|
||||||
|
+ uninstall_cmd.extend(pkgs)
|
||||||
|
+ host.run_command(uninstall_cmd, raiseonerr=False)
|
||||||
|
|
||||||
|
|
||||||
|
def wait_for_request(host, request_id, timeout=120):
|
||||||
|
@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
|
||||||
|
assert "Authentication succeeded" not in stderr
|
||||||
|
assert "No more authentication methods to try." in stderr
|
||||||
|
return (return_code, stdout, stderr)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def is_package_installed(host, pkg):
|
||||||
|
+ platform = get_platform(host)
|
||||||
|
+ if platform in ('rhel', 'fedora'):
|
||||||
|
+ result = host.run_command(
|
||||||
|
+ ['rpm', '-q', pkg], raiseonerr=False
|
||||||
|
+ )
|
||||||
|
+ elif platform in ['ubuntu']:
|
||||||
|
+ result = host.run_command(
|
||||||
|
+ ['dpkg', '-s', pkg], raiseonerr=False
|
||||||
|
+ )
|
||||||
|
+ else:
|
||||||
|
+ raise ValueError(
|
||||||
|
+ 'is_package_installed: unknown platform %s' % platform
|
||||||
|
+ )
|
||||||
|
+ return result.returncode == 0
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Thu, 10 Dec 2020 08:15:22 +0200
|
||||||
|
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8530
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipaclient/install/client.py | 14 +++++++++++++-
|
||||||
|
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
||||||
|
index 8acfa0cd1..0e478fa26 100644
|
||||||
|
--- a/ipaclient/install/client.py
|
||||||
|
+++ b/ipaclient/install/client.py
|
||||||
|
@@ -24,6 +24,7 @@ import re
|
||||||
|
import SSSDConfig
|
||||||
|
import shutil
|
||||||
|
import socket
|
||||||
|
+import subprocess
|
||||||
|
import sys
|
||||||
|
import tempfile
|
||||||
|
import textwrap
|
||||||
|
@@ -2200,7 +2201,18 @@ def install_check(options):
|
||||||
|
"authentication resources",
|
||||||
|
rval=CLIENT_INSTALL_ERROR)
|
||||||
|
|
||||||
|
- # when installing with '--no-sssd' option, check whether nss-ldap is
|
||||||
|
+ # When installing without the "--no-sudo" option, check whether sudo is
|
||||||
|
+ # available.
|
||||||
|
+ if options.conf_sudo:
|
||||||
|
+ try:
|
||||||
|
+ subprocess.Popen(['sudo -V'])
|
||||||
|
+ except FileNotFoundError:
|
||||||
|
+ logger.info(
|
||||||
|
+ "The sudo binary does not seem to be present on this "
|
||||||
|
+ "system. Please consider installing sudo if required."
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when installing with the '--no-sssd' option, check whether nss-ldap is
|
||||||
|
# installed
|
||||||
|
if not options.sssd:
|
||||||
|
if not os.path.exists(paths.PAM_KRB5_SO):
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Thu, 10 Dec 2020 07:55:16 +0200
|
||||||
|
Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
On 10.10+ releases of Dogtag, the PKI installer will not depend
|
||||||
|
on sudo anymore. This opens the possibility of creating IPA servers
|
||||||
|
without a properly configured sudo.
|
||||||
|
In fact, even IPA clients should have sudo and libsss_sudo installed
|
||||||
|
in most cases, so add a weak dependency on both of them to the client
|
||||||
|
subpackage.
|
||||||
|
Also make sure libsss_sudo is installed if sudo is present.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8530
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index ba52a3834..93e473ac4 100755
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -640,6 +640,11 @@ Requires: nfs-utils
|
||||||
|
Requires: sssd-tools >= %{sssd_version}
|
||||||
|
Requires(post): policycoreutils
|
||||||
|
|
||||||
|
+# https://pagure.io/freeipa/issue/8530
|
||||||
|
+Recommends: libsss_sudo
|
||||||
|
+Recommends: sudo
|
||||||
|
+Requires: (libsss_sudo if sudo)
|
||||||
|
+
|
||||||
|
Provides: %{alt_name}-client = %{version}
|
||||||
|
Conflicts: %{alt_name}-client
|
||||||
|
Obsoletes: %{alt_name}-client < %{version}
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,601 +0,0 @@
|
|||||||
From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Thu, 11 Jun 2020 11:17:25 +0200
|
|
||||||
Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks
|
|
||||||
|
|
||||||
The init/systemd directory is for server only and not part of
|
|
||||||
CLIENT_ONLY builds.
|
|
||||||
|
|
||||||
It's necesary to run pre/post installation hooks to make systemd aware
|
|
||||||
of new files.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8367
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
.gitignore | 4 +--
|
|
||||||
client/Makefile.am | 1 +
|
|
||||||
client/share/Makefile.am | 5 ++++
|
|
||||||
{install => client}/share/expire_msg.template | 0
|
|
||||||
client/systemd/Makefile.am | 27 +++++++++++++++++++
|
|
||||||
{init => client}/systemd/ipa-epn.service.in | 0
|
|
||||||
{init => client}/systemd/ipa-epn.timer.in | 0
|
|
||||||
configure.ac | 24 +++++++++++++++--
|
|
||||||
freeipa.spec.in | 15 +++++++++++
|
|
||||||
init/systemd/Makefile.am | 8 +++---
|
|
||||||
install/share/Makefile.am | 5 ----
|
|
||||||
server.m4 | 19 -------------
|
|
||||||
12 files changed, 76 insertions(+), 32 deletions(-)
|
|
||||||
rename {install => client}/share/expire_msg.template (100%)
|
|
||||||
create mode 100644 client/systemd/Makefile.am
|
|
||||||
rename {init => client}/systemd/ipa-epn.service.in (100%)
|
|
||||||
rename {init => client}/systemd/ipa-epn.timer.in (100%)
|
|
||||||
|
|
||||||
#diff --git a/.gitignore b/.gitignore
|
|
||||||
#index 6584c3b4f..4cedb1ff2 100644
|
|
||||||
#--- a/.gitignore
|
|
||||||
#+++ b/.gitignore
|
|
||||||
#@@ -94,8 +94,6 @@ freeipa2-dev-doc
|
|
||||||
# /init/ipa_memcached
|
|
||||||
# /init/systemd/ipa-custodia.service
|
|
||||||
# /init/systemd/ipa.service
|
|
||||||
#-/init/systemd/ipa-epn.service
|
|
||||||
#-/init/systemd/ipa-epn.timer
|
|
||||||
# /init/tmpfilesd/ipa.conf
|
|
||||||
#
|
|
||||||
# !/install/ui/doc/Makefile.in
|
|
||||||
#@@ -116,6 +114,8 @@ freeipa2-dev-doc
|
|
||||||
# /client/ipa-getkeytab
|
|
||||||
# /client/ipa-join
|
|
||||||
# /client/ipa-rmkeytab
|
|
||||||
#+/client/systemd/ipa-epn.service
|
|
||||||
#+/client/systemd/ipa-epn.timer
|
|
||||||
#
|
|
||||||
# /ipaplatform/override.py
|
|
||||||
# /ipapython/version.py
|
|
||||||
diff --git a/client/Makefile.am b/client/Makefile.am
|
|
||||||
index 858a9369e..87da87fcd 100644
|
|
||||||
--- a/client/Makefile.am
|
|
||||||
+++ b/client/Makefile.am
|
|
||||||
@@ -95,6 +95,7 @@ SUBDIRS = \
|
|
||||||
share \
|
|
||||||
man \
|
|
||||||
sysconfig \
|
|
||||||
+ systemd \
|
|
||||||
$(NULL)
|
|
||||||
# init
|
|
||||||
|
|
||||||
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
|
|
||||||
index 6d4a62d5e..1402a3a9d 100644
|
|
||||||
--- a/client/share/Makefile.am
|
|
||||||
+++ b/client/share/Makefile.am
|
|
||||||
@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client
|
|
||||||
dist_app_DATA = \
|
|
||||||
freeipa.template \
|
|
||||||
$(NULL)
|
|
||||||
+
|
|
||||||
+epnconfdir = $(IPA_SYSCONF_DIR)/epn
|
|
||||||
+dist_epnconf_DATA = \
|
|
||||||
+ expire_msg.template \
|
|
||||||
+ $(NULL)
|
|
||||||
diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template
|
|
||||||
similarity index 100%
|
|
||||||
rename from install/share/expire_msg.template
|
|
||||||
rename to client/share/expire_msg.template
|
|
||||||
diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..1f591be83
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/client/systemd/Makefile.am
|
|
||||||
@@ -0,0 +1,27 @@
|
|
||||||
+# This file will be processed with automake-1.7 to create Makefile.in
|
|
||||||
+#
|
|
||||||
+AUTOMAKE_OPTIONS = 1.7
|
|
||||||
+
|
|
||||||
+NULL =
|
|
||||||
+
|
|
||||||
+dist_noinst_DATA = \
|
|
||||||
+ ipa-epn.service.in \
|
|
||||||
+ ipa-epn.timer.in \
|
|
||||||
+ $(NULL)
|
|
||||||
+
|
|
||||||
+systemdsystemunit_DATA = \
|
|
||||||
+ ipa-epn.service \
|
|
||||||
+ ipa-epn.timer \
|
|
||||||
+ $(NULL)
|
|
||||||
+
|
|
||||||
+CLEANFILES = $(systemdsystemunit_DATA)
|
|
||||||
+
|
|
||||||
+%: %.in Makefile
|
|
||||||
+ sed \
|
|
||||||
+ -e 's|@bindir[@]|$(bindir)|g' \
|
|
||||||
+ -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
|
|
||||||
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
|
|
||||||
+ -e 's|@sbindir[@]|$(sbindir)|g' \
|
|
||||||
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
|
|
||||||
+ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
|
|
||||||
+ '$(srcdir)/$@.in' >$@
|
|
||||||
diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in
|
|
||||||
similarity index 100%
|
|
||||||
rename from init/systemd/ipa-epn.service.in
|
|
||||||
rename to client/systemd/ipa-epn.service.in
|
|
||||||
diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in
|
|
||||||
similarity index 100%
|
|
||||||
rename from init/systemd/ipa-epn.timer.in
|
|
||||||
rename to client/systemd/ipa-epn.timer.in
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 5ec529088..586b2532a 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir],
|
|
||||||
[runstatedir="/run"])
|
|
||||||
AC_SUBST([runstatedir])
|
|
||||||
|
|
||||||
+dnl ---------------------------------------------------------------------------
|
|
||||||
+dnl - Check for systemd directories
|
|
||||||
+dnl ---------------------------------------------------------------------------
|
|
||||||
+
|
|
||||||
+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
|
|
||||||
+AC_ARG_WITH([systemdsystemunitdir],
|
|
||||||
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
|
|
||||||
+ [Directory for systemd service files]),
|
|
||||||
+ [systemdsystemunitdir=$with_systemdsystemunitdir],
|
|
||||||
+ [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
|
|
||||||
+AC_SUBST([systemdsystemunitdir])
|
|
||||||
+
|
|
||||||
+AC_ARG_WITH([systemdtmpfilesdir],
|
|
||||||
+ AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
|
|
||||||
+ [Directory for systemd-tmpfiles configuration files]),
|
|
||||||
+ [systemdtmpfilesdir=$with_systemdtmpfilesdir],
|
|
||||||
+ [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
|
|
||||||
+AC_SUBST([systemdtmpfilesdir])
|
|
||||||
+
|
|
||||||
dnl ---------------------------------------------------------------------------
|
|
||||||
dnl - Server-only configuration
|
|
||||||
dnl ---------------------------------------------------------------------------
|
|
||||||
@@ -544,6 +563,7 @@ AC_CONFIG_FILES([
|
|
||||||
client/share/Makefile
|
|
||||||
client/man/Makefile
|
|
||||||
client/sysconfig/Makefile
|
|
||||||
+ client/systemd/Makefile
|
|
||||||
contrib/completion/Makefile
|
|
||||||
contrib/Makefile
|
|
||||||
daemons/dnssec/Makefile
|
|
||||||
@@ -637,13 +657,13 @@ echo "
|
|
||||||
jslint: ${JSLINT}
|
|
||||||
LDAP libs: ${LDAP_LIBS}
|
|
||||||
OpenSSL crypto libs: ${CRYPTO_LIBS}
|
|
||||||
- KRB5 libs: ${KRB5_LIBS}"
|
|
||||||
+ KRB5 libs: ${KRB5_LIBS}
|
|
||||||
+ systemdsystemunitdir: ${systemdsystemunitdir}"
|
|
||||||
|
|
||||||
AM_COND_IF([ENABLE_SERVER], [
|
|
||||||
echo "\
|
|
||||||
KRAD libs: ${KRAD_LIBS}
|
|
||||||
krb5rundir: ${krb5rundir}
|
|
||||||
- systemdsystemunitdir: ${systemdsystemunitdir}
|
|
||||||
systemdtmpfilesdir: ${systemdtmpfilesdir}
|
|
||||||
build mode: server & client"
|
|
||||||
], [
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index cec57e64e..1d8f4e6aa 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment
|
|
||||||
%package client-epn
|
|
||||||
Summary: Tools to configure Expiring Password Notification in IPA
|
|
||||||
Group: System Environment/Base
|
|
||||||
+Requires: systemd-units
|
|
||||||
+Requires(post): systemd-units
|
|
||||||
+Requires(preun): systemd-units
|
|
||||||
+Requires(postun): systemd-units
|
|
||||||
Requires: %{name}-client = %{version}-%{release}
|
|
||||||
|
|
||||||
%description client-epn
|
|
||||||
@@ -1003,6 +1007,17 @@ fi
|
|
||||||
# ONLY_CLIENT
|
|
||||||
%endif
|
|
||||||
|
|
||||||
+%preun client-epn
|
|
||||||
+%systemd_preun ipa-epn.service
|
|
||||||
+%systemd_preun ipa-epn.timer
|
|
||||||
+
|
|
||||||
+%postun client-epn
|
|
||||||
+%systemd_postun ipa-epn.service
|
|
||||||
+%systemd_postun ipa-epn.timer
|
|
||||||
+
|
|
||||||
+%post client-epn
|
|
||||||
+%systemd_post ipa-epn.service
|
|
||||||
+%systemd_post ipa-epn.timer
|
|
||||||
|
|
||||||
%post client
|
|
||||||
if [ $1 -gt 1 ] ; then
|
|
||||||
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
|
|
||||||
index 5053dbff6..175178787 100644
|
|
||||||
--- a/init/systemd/Makefile.am
|
|
||||||
+++ b/init/systemd/Makefile.am
|
|
||||||
@@ -2,17 +2,17 @@
|
|
||||||
#
|
|
||||||
AUTOMAKE_OPTIONS = 1.7
|
|
||||||
|
|
||||||
+NULL =
|
|
||||||
+
|
|
||||||
dist_noinst_DATA = \
|
|
||||||
ipa-custodia.service.in \
|
|
||||||
ipa.service.in \
|
|
||||||
- ipa-epn.service.in \
|
|
||||||
- ipa-epn.timer.in
|
|
||||||
+ $(NULL)
|
|
||||||
|
|
||||||
systemdsystemunit_DATA = \
|
|
||||||
ipa-custodia.service \
|
|
||||||
ipa.service \
|
|
||||||
- ipa-epn.service \
|
|
||||||
- ipa-epn.timer
|
|
||||||
+ $(NULL)
|
|
||||||
|
|
||||||
CLEANFILES = $(systemdsystemunit_DATA)
|
|
||||||
|
|
||||||
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
|
||||||
index 496e81288..e95796dfb 100644
|
|
||||||
--- a/install/share/Makefile.am
|
|
||||||
+++ b/install/share/Makefile.am
|
|
||||||
@@ -106,8 +106,3 @@ dist_app_DATA = \
|
|
||||||
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
|
|
||||||
dist_kdcproxyconf_DATA = \
|
|
||||||
kdcproxy.conf
|
|
||||||
-
|
|
||||||
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
|
|
||||||
-dist_epnconf_DATA = \
|
|
||||||
- expire_msg.template \
|
|
||||||
- $(NULL)
|
|
||||||
diff --git a/server.m4 b/server.m4
|
|
||||||
index d35823e80..842d599d2 100644
|
|
||||||
--- a/server.m4
|
|
||||||
+++ b/server.m4
|
|
||||||
@@ -153,22 +153,3 @@ dnl Check for libverto
|
|
||||||
dnl ---------------------------------------------------------------------------
|
|
||||||
|
|
||||||
PKG_CHECK_MODULES([LIBVERTO], [libverto])
|
|
||||||
-
|
|
||||||
-dnl ---------------------------------------------------------------------------
|
|
||||||
-dnl - Check for systemd directories
|
|
||||||
-dnl ---------------------------------------------------------------------------
|
|
||||||
-
|
|
||||||
-PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])])
|
|
||||||
-AC_ARG_WITH([systemdsystemunitdir],
|
|
||||||
- AS_HELP_STRING([--with-systemdsystemunitdir=DIR],
|
|
||||||
- [Directory for systemd service files]),
|
|
||||||
- [systemdsystemunitdir=$with_systemdsystemunitdir],
|
|
||||||
- [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)])
|
|
||||||
-AC_SUBST([systemdsystemunitdir])
|
|
||||||
-
|
|
||||||
-AC_ARG_WITH([systemdtmpfilesdir],
|
|
||||||
- AS_HELP_STRING([--with-systemdtmpfilesdir=DIR],
|
|
||||||
- [Directory for systemd-tmpfiles configuration files]),
|
|
||||||
- [systemdtmpfilesdir=$with_systemdtmpfilesdir],
|
|
||||||
- [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)])
|
|
||||||
-AC_SUBST([systemdtmpfilesdir])
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Mon, 22 Jun 2020 16:39:02 +0200
|
|
||||||
Subject: [PATCH] EPN: ship the configuration file.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Ship and install /etc/ipa/epn.conf.
|
|
||||||
Minor fixes to the associated man page.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8374
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
client/man/epn.conf.5 | 5 ++--
|
|
||||||
client/share/Makefile.am | 7 +++++-
|
|
||||||
client/share/epn.conf | 54 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
freeipa.spec.in | 4 ++-
|
|
||||||
4 files changed, 65 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 client/share/epn.conf
|
|
||||||
|
|
||||||
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
|
|
||||||
index 38e99e25d..14f5dbb75 100644
|
|
||||||
--- a/client/man/epn.conf.5
|
|
||||||
+++ b/client/man/epn.conf.5
|
|
||||||
@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is
|
|
||||||
root@localhost. Bounces will be sent here.
|
|
||||||
.TP
|
|
||||||
.B smtp_delay <milliseconds>
|
|
||||||
-Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue.
|
|
||||||
+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0.
|
|
||||||
.TP
|
|
||||||
.B mail_from <address>
|
|
||||||
-Specifies the From: e-mal address value in the e-mails sent. The default is
|
|
||||||
-noreply@ipadefaultemaildomain. This value can be found by running
|
|
||||||
+Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
|
|
||||||
.I ipa config-show
|
|
||||||
.TP
|
|
||||||
.B notify_ttls <list of days>
|
|
||||||
diff --git a/client/share/Makefile.am b/client/share/Makefile.am
|
|
||||||
index 1402a3a9d..472242e62 100644
|
|
||||||
--- a/client/share/Makefile.am
|
|
||||||
+++ b/client/share/Makefile.am
|
|
||||||
@@ -5,7 +5,12 @@ dist_app_DATA = \
|
|
||||||
freeipa.template \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
-epnconfdir = $(IPA_SYSCONF_DIR)/epn
|
|
||||||
+epnconfdir = $(IPA_SYSCONF_DIR)
|
|
||||||
dist_epnconf_DATA = \
|
|
||||||
+ epn.conf \
|
|
||||||
+ $(NULL)
|
|
||||||
+
|
|
||||||
+epntemplatedir = $(IPA_SYSCONF_DIR)/epn
|
|
||||||
+dist_epntemplate_DATA = \
|
|
||||||
expire_msg.template \
|
|
||||||
$(NULL)
|
|
||||||
diff --git a/client/share/epn.conf b/client/share/epn.conf
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..0e590dfc3
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/client/share/epn.conf
|
|
||||||
@@ -0,0 +1,54 @@
|
|
||||||
+# Global IPA-EPN [0] configuration file.
|
|
||||||
+# For a complete explanation of each parameter, see the epn.conf(5)
|
|
||||||
+# manual page.
|
|
||||||
+# For best results, change no more than a single parameter at a time,
|
|
||||||
+# and test if ipa-epn(1) still works as intended, using --dry-run when
|
|
||||||
+# it makes sense.
|
|
||||||
+#
|
|
||||||
+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md
|
|
||||||
+
|
|
||||||
+[global]
|
|
||||||
+
|
|
||||||
+# Specifies the SMTP server to use.
|
|
||||||
+smtp_server = localhost
|
|
||||||
+
|
|
||||||
+# Specifies the SMTP port.
|
|
||||||
+smtp_port = 25
|
|
||||||
+
|
|
||||||
+# Specifies the id of the user to authenticate with the SMTP server.
|
|
||||||
+# Default None (empty value).
|
|
||||||
+# smtp_user =
|
|
||||||
+
|
|
||||||
+# Specifies the password for the authorized user.
|
|
||||||
+# Default None (empty value).
|
|
||||||
+# smtp_password =
|
|
||||||
+
|
|
||||||
+# pecifies the number of seconds to wait for SMTP to respond.
|
|
||||||
+smtp_timeout = 60
|
|
||||||
+
|
|
||||||
+# Specifies the type of secure connection to make. Options are: none,
|
|
||||||
+# starttls and ssl.
|
|
||||||
+smtp_security = none
|
|
||||||
+
|
|
||||||
+# Specifies the From e-mail address value in the e-mails sent. Bounces will
|
|
||||||
+# be sent here.
|
|
||||||
+smtp_admin = root@localhost
|
|
||||||
+
|
|
||||||
+# Time to wait, in milliseconds, between each e-mail sent to try to avoid
|
|
||||||
+# overloading the mail queue.
|
|
||||||
+smtp_delay = 0
|
|
||||||
+
|
|
||||||
+# Specifies the From: e-mail address value in the e-mails sent.
|
|
||||||
+# The default when unset is noreply@ipadefaultemaildomain.
|
|
||||||
+# This value can be found by running ipa config-show.
|
|
||||||
+# mail_from =
|
|
||||||
+
|
|
||||||
+# The list of days before a password expiration when ipa-epn should notify
|
|
||||||
+# a user that their password will soon require a reset.
|
|
||||||
+notify_ttls = 28, 14, 7, 3, 1
|
|
||||||
+
|
|
||||||
+# Set the character set of the message.
|
|
||||||
+msg_charset = utf8
|
|
||||||
+
|
|
||||||
+# Set the message's MIME sub-content type.
|
|
||||||
+msg_subtype = plain
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index 5bce6f118..8cca99697 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -1387,13 +1387,15 @@ fi
|
|
||||||
|
|
||||||
%files client-epn
|
|
||||||
%doc README.md Contributors.txt
|
|
||||||
+%dir %{_sysconfdir}/ipa/epn
|
|
||||||
%license COPYING
|
|
||||||
%{_sbindir}/ipa-epn
|
|
||||||
%{_mandir}/man1/ipa-epn.1*
|
|
||||||
%{_mandir}/man5/epn.conf.5*
|
|
||||||
%attr(644,root,root) %{_unitdir}/ipa-epn.service
|
|
||||||
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
|
|
||||||
-%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template
|
|
||||||
+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
|
|
||||||
+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
|
|
||||||
|
|
||||||
%files -n python3-ipaclient
|
|
||||||
%doc README.md Contributors.txt
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Tue, 23 Jun 2020 09:39:02 +0200
|
|
||||||
Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fix formatting issues found with mandoc.
|
|
||||||
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
client/man/epn.conf.5 | 2 +-
|
|
||||||
client/man/ipa-epn.1 | 8 ++++----
|
|
||||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5
|
|
||||||
index 14f5dbb75..df1f0156c 100644
|
|
||||||
--- a/client/man/epn.conf.5
|
|
||||||
+++ b/client/man/epn.conf.5
|
|
||||||
@@ -16,7 +16,7 @@
|
|
||||||
.\"
|
|
||||||
.\" Author: Rob Crittenden <rcritten@@redhat.com>
|
|
||||||
.\"
|
|
||||||
-.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages"
|
|
||||||
+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages"
|
|
||||||
.SH "NAME"
|
|
||||||
epn.conf \- Expiring Password Notification configuration file
|
|
||||||
.SH "SYNOPSIS"
|
|
||||||
diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1
|
|
||||||
index 9999ea8ca..124fd4536 100644
|
|
||||||
--- a/client/man/ipa-epn.1
|
|
||||||
+++ b/client/man/ipa-epn.1
|
|
||||||
@@ -15,14 +15,14 @@
|
|
||||||
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
.\"
|
|
||||||
.\"
|
|
||||||
-.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages"
|
|
||||||
+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages"
|
|
||||||
.SH "NAME"
|
|
||||||
ipa\-epn \- Send expiring password nofications
|
|
||||||
.SH "SYNOPSIS"
|
|
||||||
-ipa\-epn \[options\]
|
|
||||||
+ipa\-epn \fR[options\fR]
|
|
||||||
|
|
||||||
.SH "DESCRIPTION"
|
|
||||||
-ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
|
|
||||||
+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire.
|
|
||||||
|
|
||||||
It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case.
|
|
||||||
|
|
||||||
@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio
|
|
||||||
|
|
||||||
If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days.
|
|
||||||
|
|
||||||
-if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
|
|
||||||
+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future.
|
|
||||||
|
|
||||||
Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future.
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Tue, 23 Jun 2020 13:50:02 +0200
|
|
||||||
Subject: [PATCH] ipatests: check that EPN's configuration file is installed.
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8374
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_epn.py | 14 ++++++++++++++
|
|
||||||
1 file changed, 14 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index 7f56d4bc0..409d588d5 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest):
|
|
||||||
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
|
|
||||||
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
|
|
||||||
|
|
||||||
+ @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
|
|
||||||
+ def test_EPN_config_file(self):
|
|
||||||
+ """Check that the EPN configuration file is installed.
|
|
||||||
+ https://pagure.io/freeipa/issue/8374
|
|
||||||
+ """
|
|
||||||
+ epn_conf = "/etc/ipa/epn.conf"
|
|
||||||
+ epn_template = "/etc/ipa/epn/expire_msg.template"
|
|
||||||
+ cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
|
|
||||||
+ assert epn_conf in cmd1.stdout_text
|
|
||||||
+ assert epn_template in cmd1.stdout_text
|
|
||||||
+ cmd2 = self.master.run_command(["sha256sum", epn_conf])
|
|
||||||
+ ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
|
|
||||||
+ assert cmd2.stdout_text.find(ck) == 0
|
|
||||||
+
|
|
||||||
def test_EPN_smoketest_1(self):
|
|
||||||
"""No users except admin. Check --dry-run output.
|
|
||||||
With the default configuration, the result should be an empty list.
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Wed, 24 Jun 2020 23:24:36 +0200
|
|
||||||
Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
|
|
||||||
the installed version of freeipa-client-epn is not the built
|
|
||||||
one. Temporarily force uninstall/reinstall of this package
|
|
||||||
before running the test.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8374
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++-
|
|
||||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index 409d588d5..9a9fb17b9 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest):
|
|
||||||
cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key')
|
|
||||||
cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem')
|
|
||||||
|
|
||||||
- @pytest.mark.xfail(reason='pr-ci issue 378', strict=True)
|
|
||||||
+ @pytest.mark.skip_if_platform(
|
|
||||||
+ "debian", reason="Cannot check installed packages using RPM"
|
|
||||||
+ )
|
|
||||||
def test_EPN_config_file(self):
|
|
||||||
"""Check that the EPN configuration file is installed.
|
|
||||||
https://pagure.io/freeipa/issue/8374
|
|
||||||
"""
|
|
||||||
+ # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378
|
|
||||||
+ rpm_q_cmds = [
|
|
||||||
+ ["rpm", "-qi", "freeipa-client"],
|
|
||||||
+ ["rpm", "-qi", "freeipa-client-epn"],
|
|
||||||
+ ["rpm", "-qc", "freeipa-client-epn"],
|
|
||||||
+ ["rpm", "-V", "freeipa-client-epn"],
|
|
||||||
+ ["rpm", "-qvc", "freeipa-client-epn"],
|
|
||||||
+ ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"],
|
|
||||||
+ ]
|
|
||||||
+ for cmd in rpm_q_cmds:
|
|
||||||
+ self.master.run_command(cmd, raiseonerr=False)
|
|
||||||
+ tasks.uninstall_packages(self.master, ["*ipa-client-epn"])
|
|
||||||
+ tasks.install_packages(self.master, ["*ipa-client-epn"])
|
|
||||||
+ for cmd in rpm_q_cmds:
|
|
||||||
+ self.master.run_command(cmd, raiseonerr=False)
|
|
||||||
+ # end workaround
|
|
||||||
epn_conf = "/etc/ipa/epn.conf"
|
|
||||||
epn_template = "/etc/ipa/epn/expire_msg.template"
|
|
||||||
cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"])
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,60 @@
|
|||||||
|
From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
|
||||||
|
Date: Wed, 17 Feb 2021 19:43:00 +0530
|
||||||
|
Subject: [PATCH] ipatests: error message check in uninstall log for KRA
|
||||||
|
|
||||||
|
This test checks that there is no error message in uninstall
|
||||||
|
log for KRA instance when IPA was installed with KRA.
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/8550
|
||||||
|
|
||||||
|
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_backup_and_restore.py | 22 ++++++++++++++++---
|
||||||
|
1 file changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
|
||||||
|
index f13dfb5cb..6890ef201 100644
|
||||||
|
--- a/ipatests/test_integration/test_backup_and_restore.py
|
||||||
|
+++ b/ipatests/test_integration/test_backup_and_restore.py
|
||||||
|
@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
|
||||||
|
|
||||||
|
backup_path = tasks.get_backup_dir(self.master)
|
||||||
|
|
||||||
|
- self.master.run_command(['ipa-server-install',
|
||||||
|
- '--uninstall',
|
||||||
|
- '-U'])
|
||||||
|
+ # check that no error message in uninstall log for KRA instance
|
||||||
|
+ cmd = self.master.run_command(['ipa-server-install',
|
||||||
|
+ '--uninstall',
|
||||||
|
+ '-U'])
|
||||||
|
+ assert "failed to uninstall KRA" not in cmd.stderr_text
|
||||||
|
|
||||||
|
if reinstall:
|
||||||
|
tasks.install_master(self.master, setup_dns=True)
|
||||||
|
@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
|
||||||
|
"""backup, uninstall, reinstall, restore"""
|
||||||
|
self._full_backup_restore_with_vault(reinstall=True)
|
||||||
|
|
||||||
|
+ def test_no_error_message_with_uninstall_ipa_with_kra(self):
|
||||||
|
+ """Test there is no error message in uninstall log for KRA instance
|
||||||
|
+
|
||||||
|
+ There was error message in uninstall log when IPA with KRA was
|
||||||
|
+ uninstalled. This test check that there is no error message in
|
||||||
|
+ uninstall log for kra instance.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/8550
|
||||||
|
+ """
|
||||||
|
+ cmd = self.master.run_command(['ipa-server-install',
|
||||||
|
+ '--uninstall',
|
||||||
|
+ '-U'])
|
||||||
|
+ assert "failed to uninstall KRA" not in cmd.stderr_text
|
||||||
|
+
|
||||||
|
|
||||||
|
class TestBackupAndRestoreWithReplica(IntegrationTest):
|
||||||
|
"""Regression tests for issues 7234 and 7455
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,147 +0,0 @@
|
|||||||
From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Mon, 15 Jun 2020 18:38:35 -0400
|
|
||||||
Subject: [PATCH] Clarify AJP connector creation process
|
|
||||||
|
|
||||||
We do two things:
|
|
||||||
|
|
||||||
1. Fix the xpath for AJP connector verification. An AJP connector is
|
|
||||||
one which has protocol="AJP/1.3", NOT one that has port="8009". An
|
|
||||||
AJP connector can exist on any port and port 8009 can have any
|
|
||||||
protocol. Secrets only make sense on AJP connectors, so make the
|
|
||||||
xpath match the existing comment.
|
|
||||||
|
|
||||||
2. Add some background in-line documentation about AJP secret
|
|
||||||
provisioning. This should help future developers understand why this
|
|
||||||
was added to IPA and what limitations there are in what PKI or IPA
|
|
||||||
can do. Most notably, explain why Dogtag can't upgrade the AJP
|
|
||||||
connector to have a secret in the general case.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++---
|
|
||||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
||||||
index 42c9db3fb..aa3baeb7c 100644
|
|
||||||
--- a/ipaserver/install/dogtaginstance.py
|
|
||||||
+++ b/ipaserver/install/dogtaginstance.py
|
|
||||||
@@ -308,11 +308,12 @@ class DogtagInstance(service.Service):
|
|
||||||
doc = server_xml.getroot()
|
|
||||||
|
|
||||||
# no AJP connector means no need to update anything
|
|
||||||
- connectors = doc.xpath('//Connector[@port="8009"]')
|
|
||||||
+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
|
|
||||||
if len(connectors) == 0:
|
|
||||||
return
|
|
||||||
|
|
||||||
- # AJP connector is set on port 8009. Use non-greedy search to find it
|
|
||||||
+ # AJP protocol is at version 1.3. Assume there is only one as
|
|
||||||
+ # Dogtag only provisions one.
|
|
||||||
connector = connectors[0]
|
|
||||||
|
|
||||||
# Detect tomcat version and choose the right option name
|
|
||||||
@@ -331,11 +332,24 @@ class DogtagInstance(service.Service):
|
|
||||||
rewrite = False
|
|
||||||
else:
|
|
||||||
if oldattr in connector.attrib:
|
|
||||||
+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the
|
|
||||||
+ # upgrade for us; we need only to ensure that we're not both
|
|
||||||
+ # attempting to upgrade server.xml at the same time.
|
|
||||||
+ # Hopefully this is guaranteed for us.
|
|
||||||
self.ajp_secret = connector.attrib[oldattr]
|
|
||||||
connector.attrib[secretattr] = self.ajp_secret
|
|
||||||
del connector.attrib[oldattr]
|
|
||||||
else:
|
|
||||||
- # Generate password, don't use special chars to not break XML
|
|
||||||
+ # Generate password, don't use special chars to not break XML.
|
|
||||||
+ #
|
|
||||||
+ # If we hit this case, pkispawn was run on an older Dogtag
|
|
||||||
+ # version and we're stuck migrating, choosing a password
|
|
||||||
+ # ourselves. Dogtag can't generate one randomly because a
|
|
||||||
+ # Dogtag administrator might've configured AJP and might
|
|
||||||
+ # not be using IPA.
|
|
||||||
+ #
|
|
||||||
+ # Newer Dogtag versions will generate a random password
|
|
||||||
+ # during pkispawn.
|
|
||||||
self.ajp_secret = ipautil.ipa_generate_password(special=None)
|
|
||||||
connector.attrib[secretattr] = self.ajp_secret
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Wed, 17 Jun 2020 16:00:25 -0400
|
|
||||||
Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret
|
|
||||||
|
|
||||||
By default, PKI's AJP secret is generated as a 75-bit password. By
|
|
||||||
generating it in IPA, we can guarantee the strength of the AJP secret.
|
|
||||||
It makes sense to use a stronger AJP secret because it typically
|
|
||||||
isn't rotated; access to AJP allows an attacker to impersonate an admin
|
|
||||||
while talking to PKI.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8372
|
|
||||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
|
|
||||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
|
|
||||||
Related: https://github.com/dogtagpki/pki/pull/437
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
install/share/ipaca_customize.ini | 1 +
|
|
||||||
install/share/ipaca_default.ini | 2 ++
|
|
||||||
ipaserver/install/dogtaginstance.py | 4 +++-
|
|
||||||
3 files changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini
|
|
||||||
index 6d58579af..948734241 100644
|
|
||||||
--- a/install/share/ipaca_customize.ini
|
|
||||||
+++ b/install/share/ipaca_customize.ini
|
|
||||||
@@ -12,6 +12,7 @@
|
|
||||||
#
|
|
||||||
# Predefined variables
|
|
||||||
# - ipa_ca_subject
|
|
||||||
+# - ipa_ajp_secret
|
|
||||||
# - ipa_fqdn
|
|
||||||
# - ipa_subject_base
|
|
||||||
# - pki_admin_password
|
|
||||||
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
|
|
||||||
index 2b9900286..a51256116 100644
|
|
||||||
--- a/install/share/ipaca_default.ini
|
|
||||||
+++ b/install/share/ipaca_default.ini
|
|
||||||
@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt
|
|
||||||
|
|
||||||
## dynamic values
|
|
||||||
# ipa_ca_subject=
|
|
||||||
+# ipa_ajp_secret=
|
|
||||||
# ipa_subject_base=
|
|
||||||
# ipa_fqdn=
|
|
||||||
# ipa_ocsp_uri=
|
|
||||||
@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s
|
|
||||||
pki_replication_password=
|
|
||||||
|
|
||||||
pki_enable_proxy=True
|
|
||||||
+pki_ajp_secret=%(ipa_ajp_secret)s
|
|
||||||
pki_restart_configured_instance=False
|
|
||||||
pki_security_domain_hostname=%(ipa_fqdn)s
|
|
||||||
pki_security_domain_https_port=443
|
|
||||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
||||||
index aa3baeb7c..361d80a8c 100644
|
|
||||||
--- a/ipaserver/install/dogtaginstance.py
|
|
||||||
+++ b/ipaserver/install/dogtaginstance.py
|
|
||||||
@@ -840,7 +840,9 @@ class PKIIniLoader:
|
|
||||||
pki_subsystem_type=subsystem.lower(),
|
|
||||||
home_dir=os.path.expanduser("~"),
|
|
||||||
# for softhsm2 testing
|
|
||||||
- softhsm2_so=paths.LIBSOFTHSM2_SO
|
|
||||||
+ softhsm2_so=paths.LIBSOFTHSM2_SO,
|
|
||||||
+ # Configure a more secure AJP password by default
|
|
||||||
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
|
|
||||||
)
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,119 @@
|
|||||||
|
From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergey Orlov <sorlov@redhat.com>
|
||||||
|
Date: Tue, 16 Feb 2021 12:32:55 +0100
|
||||||
|
Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
|
||||||
|
mode
|
||||||
|
|
||||||
|
Related to https://pagure.io/freeipa/issue/8715
|
||||||
|
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
|
||||||
|
1 file changed, 22 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||||
|
index 3e522617d..c8a348212 100644
|
||||||
|
--- a/ipatests/test_integration/test_trust.py
|
||||||
|
+++ b/ipatests/test_integration/test_trust.py
|
||||||
|
@@ -5,6 +5,7 @@ from __future__ import absolute_import
|
||||||
|
import re
|
||||||
|
import textwrap
|
||||||
|
import time
|
||||||
|
+import functools
|
||||||
|
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
|
||||||
|
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
+from ipatests.pytest_ipa.integration import fips
|
||||||
|
from ipapython.dn import DN
|
||||||
|
from collections import namedtuple
|
||||||
|
from contextlib import contextmanager
|
||||||
|
@@ -20,6 +22,18 @@ from contextlib import contextmanager
|
||||||
|
TestDataRule = namedtuple('TestDataRule',
|
||||||
|
['name', 'ruletype', 'user', 'subject'])
|
||||||
|
|
||||||
|
+
|
||||||
|
+def skip_in_fips_mode_due_to_issue_8715(test_method):
|
||||||
|
+ @functools.wraps(test_method)
|
||||||
|
+ def wrapper(instance):
|
||||||
|
+ if fips.is_fips_enabled(instance.master):
|
||||||
|
+ pytest.skip('Skipping in FIPS mode due to '
|
||||||
|
+ 'https://pagure.io/freeipa/issue/8715')
|
||||||
|
+ else:
|
||||||
|
+ test_method(instance)
|
||||||
|
+ return wrapper
|
||||||
|
+
|
||||||
|
+
|
||||||
|
class BaseTestTrust(IntegrationTest):
|
||||||
|
num_clients = 1
|
||||||
|
topology = 'line'
|
||||||
|
@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
|
||||||
|
# Test for one-way forest trust with shared secret
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_establish_forest_trust_with_shared_secret(self):
|
||||||
|
tasks.configure_dns_for_trust(self.master, self.ad)
|
||||||
|
tasks.configure_windows_dns_for_trust(self.ad, self.master)
|
||||||
|
@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
tasks.establish_trust_with_ad(
|
||||||
|
self.master, self.ad_domain, shared_secret=self.shared_secret)
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
|
||||||
|
result = self.master.run_command(
|
||||||
|
['ipa', 'trust-fetch-domains', self.ad.domain.name],
|
||||||
|
@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
self.check_trustdomains(
|
||||||
|
self.ad_domain, [self.ad_domain, self.ad_subdomain])
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
|
||||||
|
"""Check that user has SID-generated UID"""
|
||||||
|
# Using domain name since it is lowercased realm name for AD domains
|
||||||
|
@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
assert re.search(
|
||||||
|
testuser_regex, result.stdout_text), result.stdout_text
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_remove_forest_trust_with_shared_secret(self):
|
||||||
|
ps_cmd = (
|
||||||
|
'[System.DirectoryServices.ActiveDirectory.Forest]'
|
||||||
|
@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
|
||||||
|
# Test for one-way external trust with shared secret
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_establish_external_trust_with_shared_secret(self):
|
||||||
|
tasks.configure_dns_for_trust(self.master, self.ad)
|
||||||
|
tasks.configure_windows_dns_for_trust(self.ad, self.master)
|
||||||
|
@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
self.master, self.ad_domain, shared_secret=self.shared_secret,
|
||||||
|
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_trustdomains_found_in_external_trust_with_shared_secret(self):
|
||||||
|
result = self.master.run_command(
|
||||||
|
['ipa', 'trust-fetch-domains', self.ad.domain.name],
|
||||||
|
@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
self.check_trustdomains(
|
||||||
|
self.ad_domain, [self.ad_domain])
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
|
||||||
|
"""Check that user has SID-generated UID"""
|
||||||
|
# Using domain name since it is lowercased realm name for AD domains
|
||||||
|
@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
|
||||||
|
assert re.search(
|
||||||
|
testuser_regex, result.stdout_text), result.stdout_text
|
||||||
|
|
||||||
|
+ @skip_in_fips_mode_due_to_issue_8715
|
||||||
|
def test_remove_external_trust_with_shared_secret(self):
|
||||||
|
self.ad.run_command(
|
||||||
|
['netdom.exe', 'trust', self.master.domain.name,
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,167 +0,0 @@
|
|||||||
From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Vobornik <pvoborni@redhat.com>
|
|
||||||
Date: Mon, 8 Jun 2020 19:27:30 +0200
|
|
||||||
Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name
|
|
||||||
|
|
||||||
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
|
|
||||||
|
|
||||||
This fixes showing the field in Web UI and also should fix CLI as it
|
|
||||||
probably never worked.
|
|
||||||
|
|
||||||
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
API.txt | 8 ++++----
|
|
||||||
ipaserver/plugins/baseuser.py | 2 +-
|
|
||||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/API.txt b/API.txt
|
|
||||||
index 5354a33a0..300b3d9b1 100644
|
|
||||||
--- a/API.txt
|
|
||||||
+++ b/API.txt
|
|
||||||
@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles')
|
|
||||||
option: Str('in_sudorule*', cli_name='in_sudorules')
|
|
||||||
option: Str('initials?', autofill=False)
|
|
||||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
|
||||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
|
||||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
|
||||||
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
|
|
||||||
@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
|
|
||||||
option: Str('homedirectory?', autofill=False, cli_name='homedir')
|
|
||||||
option: Str('initials?', autofill=False)
|
|
||||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
|
||||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
|
||||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
|
||||||
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
|
|
||||||
@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles')
|
|
||||||
option: Str('in_sudorule*', cli_name='in_sudorules')
|
|
||||||
option: Str('initials?', autofill=False)
|
|
||||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
|
||||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
|
||||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
|
||||||
option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
|
|
||||||
@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first')
|
|
||||||
option: Str('homedirectory?', autofill=False, cli_name='homedir')
|
|
||||||
option: Str('initials?', autofill=False)
|
|
||||||
option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
|
|
||||||
-option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
|
|
||||||
option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
|
|
||||||
option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
|
|
||||||
option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
|
|
||||||
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
|
||||||
index a0ed65874..e1b7763f0 100644
|
|
||||||
--- a/ipaserver/plugins/baseuser.py
|
|
||||||
+++ b/ipaserver/plugins/baseuser.py
|
|
||||||
@@ -420,7 +420,7 @@ class baseuser(LDAPObject):
|
|
||||||
label=_('SMB Home Directory'),
|
|
||||||
flags=['no_create'],
|
|
||||||
),
|
|
||||||
- StrEnum('ipanthomedirectoryrive?',
|
|
||||||
+ StrEnum('ipanthomedirectorydrive?',
|
|
||||||
cli_name='smb_home_drive',
|
|
||||||
label=_('SMB Home Directory Drive'),
|
|
||||||
flags=['no_create'],
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Vobornik <pvoborni@redhat.com>
|
|
||||||
Date: Mon, 8 Jun 2020 19:11:33 +0200
|
|
||||||
Subject: [PATCH] webui: hide user attributes for SMB services section if empty
|
|
||||||
|
|
||||||
This section should be hidded if user object hasn't ipantuserattrs
|
|
||||||
object class. I.e. when trusts are not enabled.
|
|
||||||
|
|
||||||
Web UI framework already supports hidding of sections if the
|
|
||||||
section contains no visible field. So to achieve it we simply needs
|
|
||||||
to hide the fields. Given that attributelevelrights
|
|
||||||
contains rights only for attributes of current object classes, all
|
|
||||||
of these are regarded as not writable.
|
|
||||||
|
|
||||||
We can leverage feature of input_widget that it gets hidden
|
|
||||||
when the attribute is not writable and has no value and widget's
|
|
||||||
"hidden_if_empty" is set to true. Thus doing it here.
|
|
||||||
|
|
||||||
For this to work, it is also required to fix an issue with
|
|
||||||
"ipanthomedirectorydrive" which is optional (in API) but Web UI
|
|
||||||
doesn't offer "empty" ("") value. Adding it here.
|
|
||||||
|
|
||||||
fixes: https://pagure.io/freeipa/issue/8336
|
|
||||||
|
|
||||||
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
|
|
||||||
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
install/ui/src/freeipa/user.js | 20 +++++++++++---------
|
|
||||||
1 file changed, 11 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
|
|
||||||
index fb626f2a1..8f1f5cd85 100644
|
|
||||||
--- a/install/ui/src/freeipa/user.js
|
|
||||||
+++ b/install/ui/src/freeipa/user.js
|
|
||||||
@@ -367,36 +367,39 @@ return {
|
|
||||||
{
|
|
||||||
name: 'smb_attributes',
|
|
||||||
label: '@i18n:objects.smb_attributes.title',
|
|
||||||
- show_cond: ['oc_ipantuserattrs'],
|
|
||||||
fields: [{
|
|
||||||
name: 'ipantlogonscript',
|
|
||||||
tooltip: {
|
|
||||||
title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
|
|
||||||
- }
|
|
||||||
+ },
|
|
||||||
+ hidden_if_empty: true
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: 'ipantprofilepath',
|
|
||||||
tooltip: {
|
|
||||||
title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
|
|
||||||
- }
|
|
||||||
+ },
|
|
||||||
+ hidden_if_empty: true
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: 'ipanthomedirectory',
|
|
||||||
tooltip: {
|
|
||||||
title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
|
|
||||||
- }
|
|
||||||
+ },
|
|
||||||
+ hidden_if_empty: true
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: 'ipanthomedirectorydrive',
|
|
||||||
$type: 'select',
|
|
||||||
options: IPA.create_options([
|
|
||||||
- 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
|
|
||||||
- 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
|
|
||||||
- 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
|
|
||||||
+ '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:',
|
|
||||||
+ 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:',
|
|
||||||
+ 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
|
|
||||||
]),
|
|
||||||
tooltip: {
|
|
||||||
title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
|
|
||||||
- }
|
|
||||||
+ },
|
|
||||||
+ hidden_if_empty: true
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -482,7 +485,6 @@ return {
|
|
||||||
IPA.user.self_service_other_user_evaluator,
|
|
||||||
IPA.user.preserved_user_evaluator,
|
|
||||||
IPA.user.is_locked_evaluator,
|
|
||||||
- IPA.object_class_evaluator,
|
|
||||||
IPA.cert.certificate_evaluator
|
|
||||||
],
|
|
||||||
summary_conditions: [
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,347 @@
|
|||||||
|
From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Wed, 3 Feb 2021 15:52:05 -0500
|
||||||
|
Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
|
||||||
|
|
||||||
|
The nickname of the 389-ds certificate was hardcoded as
|
||||||
|
Server-Cert which failed if the user had installed a
|
||||||
|
third-party certificate using ipa-server-certinstall.
|
||||||
|
|
||||||
|
Instead pull the nickname from the DS configuration and
|
||||||
|
retrieve it based on that.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8600
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
|
||||||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
|
||||||
|
index 2f2c15613..29af89cd5 100644
|
||||||
|
--- a/ipaserver/install/ipa_cert_fix.py
|
||||||
|
+++ b/ipaserver/install/ipa_cert_fix.py
|
||||||
|
@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
|
||||||
|
certs.append((IPACertType.HTTPS, cert))
|
||||||
|
|
||||||
|
# LDAPS
|
||||||
|
- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
|
||||||
|
+ serverid = realm_to_serverid(api.env.realm)
|
||||||
|
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
|
||||||
|
+ ds_dbdir = dsinstance.config_dirname(serverid)
|
||||||
|
+ ds_nickname = ds.get_server_cert_nickname(serverid)
|
||||||
|
db = NSSDatabase(nssdir=ds_dbdir)
|
||||||
|
- cert = db.get_cert('Server-Cert')
|
||||||
|
+ cert = db.get_cert(ds_nickname)
|
||||||
|
if cert.not_valid_after <= now:
|
||||||
|
certs.append((IPACertType.LDAPS, cert))
|
||||||
|
|
||||||
|
@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
|
||||||
|
elif certtype is IPACertType.HTTPS:
|
||||||
|
shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
|
||||||
|
elif certtype is IPACertType.LDAPS:
|
||||||
|
- ds_dbdir = dsinstance.config_dirname(
|
||||||
|
- realm_to_serverid(api.env.realm))
|
||||||
|
+ serverid = realm_to_serverid(api.env.realm)
|
||||||
|
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
|
||||||
|
+ ds_dbdir = dsinstance.config_dirname(serverid)
|
||||||
|
db = NSSDatabase(nssdir=ds_dbdir)
|
||||||
|
- db.delete_cert('Server-Cert')
|
||||||
|
- db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
|
||||||
|
+ ds_nickname = ds.get_server_cert_nickname(serverid)
|
||||||
|
+ db.delete_cert(ds_nickname)
|
||||||
|
+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
|
||||||
|
elif certtype is IPACertType.KDC:
|
||||||
|
shutil.copyfile(cert_path, paths.KDC_CERT)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Thu, 4 Feb 2021 08:25:48 -0500
|
||||||
|
Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
|
||||||
|
|
||||||
|
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
|
||||||
|
so would fail if a third-party certificate was installed for DS.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8600
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++
|
||||||
|
1 file changed, 57 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
index 2f7de5526..f9e5fe6e2 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
@@ -11,6 +11,17 @@ import time
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def server_install_teardown(func):
|
||||||
|
+ def wrapped(*args):
|
||||||
|
+ master = args[0].master
|
||||||
|
+ try:
|
||||||
|
+ func(*args)
|
||||||
|
+ finally:
|
||||||
|
+ ipa_certs_cleanup(master)
|
||||||
|
+ return wrapped
|
||||||
|
|
||||||
|
|
||||||
|
class TestIpaCertFix(IntegrationTest):
|
||||||
|
@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
|
||||||
|
else:
|
||||||
|
# timeout
|
||||||
|
raise AssertionError('Timeout: Failed to renew all the certs')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestIpaCertFixThirdParty(CALessBase):
|
||||||
|
+ """
|
||||||
|
+ Test that ipa-cert-fix works with an installation with custom certs.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ @classmethod
|
||||||
|
+ def install(cls, mh):
|
||||||
|
+ cls.nickname = 'ca1/server'
|
||||||
|
+
|
||||||
|
+ super(TestIpaCertFixThirdParty, cls).install(mh)
|
||||||
|
+ tasks.install_master(cls.master, setup_dns=True)
|
||||||
|
+
|
||||||
|
+ @server_install_teardown
|
||||||
|
+ def test_third_party_certs(self):
|
||||||
|
+ self.create_pkcs12(self.nickname,
|
||||||
|
+ password=self.cert_password,
|
||||||
|
+ filename='server.p12')
|
||||||
|
+ self.prepare_cacert('ca1')
|
||||||
|
+
|
||||||
|
+ # We have a chain length of one. If this is extended then the
|
||||||
|
+ # additional cert names will need to be calculated.
|
||||||
|
+ nick_chain = self.nickname.split('/')
|
||||||
|
+ ca_cert = '%s.crt' % nick_chain[0]
|
||||||
|
+
|
||||||
|
+ # Add the CA to the IPA store
|
||||||
|
+ self.copy_cert(self.master, ca_cert)
|
||||||
|
+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
|
||||||
|
+
|
||||||
|
+ # Apply the new cert chain otherwise ipa-server-certinstall will fail
|
||||||
|
+ self.master.run_command(['ipa-certupdate'])
|
||||||
|
+
|
||||||
|
+ # Install the updated certs and restart the world
|
||||||
|
+ self.copy_cert(self.master, 'server.p12')
|
||||||
|
+ args = ['ipa-server-certinstall',
|
||||||
|
+ '-p', self.master.config.dirman_password,
|
||||||
|
+ '--pin', self.master.config.admin_password,
|
||||||
|
+ '-d', 'server.p12']
|
||||||
|
+ self.master.run_command(args)
|
||||||
|
+ self.master.run_command(['ipactl', 'restart',])
|
||||||
|
+
|
||||||
|
+ # Run ipa-cert-fix. This is basically a no-op but tests that
|
||||||
|
+ # the DS nickname is used and not a hardcoded value.
|
||||||
|
+ result = self.master.run_command(['ipa-cert-fix', '-v'],)
|
||||||
|
+ assert self.nickname in result.stderr_text
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Fri, 5 Feb 2021 09:00:54 -0500
|
||||||
|
Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
|
||||||
|
|
||||||
|
Related: https://github.com/dogtagpki/pki/issues/3387
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
freeipa.spec.in | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||||
|
index 93e473ac4..0e261285b 100755
|
||||||
|
--- a/freeipa.spec.in
|
||||||
|
+++ b/freeipa.spec.in
|
||||||
|
@@ -128,11 +128,11 @@
|
||||||
|
%if 0%{?rhel} == 8
|
||||||
|
# PKIConnection has been modified to always validate certs.
|
||||||
|
# https://pagure.io/freeipa/issue/8379
|
||||||
|
-%global pki_version 10.9.0-0.4
|
||||||
|
+%global pki_version 10.10.4-1
|
||||||
|
%else
|
||||||
|
# New KRA profile, ACME support
|
||||||
|
# https://pagure.io/freeipa/issue/8545
|
||||||
|
-%global pki_version 10.10.0-2
|
||||||
|
+%global pki_version 10.10.3-1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# RHEL 8.3+, F32+ has 0.79.13
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Wed, 10 Feb 2021 16:07:13 -0500
|
||||||
|
Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
|
||||||
|
|
||||||
|
If the Apache, 389-ds or KDC certificate was issued by
|
||||||
|
a third party there is nothing we can do, regardless of
|
||||||
|
whether it is expired or not.
|
||||||
|
|
||||||
|
Report which certificates will not be renewed so the
|
||||||
|
admin can manually do do (likely in the event of a
|
||||||
|
third-party certificate).
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8600
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
|
||||||
|
1 file changed, 43 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
|
||||||
|
index 29af89cd5..210cf80f1 100644
|
||||||
|
--- a/ipaserver/install/ipa_cert_fix.py
|
||||||
|
+++ b/ipaserver/install/ipa_cert_fix.py
|
||||||
|
@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
|
||||||
|
from ipapython.dn import DN
|
||||||
|
from ipapython.ipaldap import realm_to_serverid
|
||||||
|
from ipaserver.install import ca, cainstance, dsinstance
|
||||||
|
+from ipaserver.install.certs import is_ipa_issued_cert
|
||||||
|
from ipapython import directivesetter
|
||||||
|
from ipapython import ipautil
|
||||||
|
|
||||||
|
@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
|
||||||
|
|
||||||
|
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
|
||||||
|
api.finalize()
|
||||||
|
+
|
||||||
|
+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
|
||||||
|
+ print(
|
||||||
|
+ "The LDAP server is not running; cannot proceed."
|
||||||
|
+ )
|
||||||
|
+ return 1
|
||||||
|
+
|
||||||
|
api.Backend.ldap2.connect() # ensure DS is up
|
||||||
|
|
||||||
|
subject_base = dsinstance.DsInstance().find_subject_base()
|
||||||
|
@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
|
||||||
|
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
|
||||||
|
|
||||||
|
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
|
||||||
|
- certs, extra_certs = expired_certs(now)
|
||||||
|
+ certs, extra_certs, non_renewed = expired_certs(now)
|
||||||
|
|
||||||
|
if not certs and not extra_certs:
|
||||||
|
print("Nothing to do.")
|
||||||
|
@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
|
||||||
|
|
||||||
|
print(msg)
|
||||||
|
|
||||||
|
- print_intentions(certs, extra_certs)
|
||||||
|
+ print_intentions(certs, extra_certs, non_renewed)
|
||||||
|
|
||||||
|
response = ipautil.user_input('Enter "yes" to proceed')
|
||||||
|
if response.lower() != 'yes':
|
||||||
|
@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
|
||||||
|
fix_certreq_directives(certs)
|
||||||
|
run_cert_fix(certs, extra_certs)
|
||||||
|
except ipautil.CalledProcessError:
|
||||||
|
- if any(x[0] is IPACertType.LDAPS for x in extra_certs):
|
||||||
|
+ if any(
|
||||||
|
+ x[0] is IPACertType.LDAPS
|
||||||
|
+ for x in extra_certs + non_renewed
|
||||||
|
+ ):
|
||||||
|
# The DS cert was expired. This will cause
|
||||||
|
# 'pki-server cert-fix' to fail at the final
|
||||||
|
# restart. Therefore ignore the CalledProcessError
|
||||||
|
@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
|
||||||
|
print("Becoming renewal master.")
|
||||||
|
cainstance.CAInstance().set_renewal_master()
|
||||||
|
|
||||||
|
+ print("Restarting IPA")
|
||||||
|
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
|
||||||
|
|
||||||
|
return 0
|
||||||
|
|
||||||
|
|
||||||
|
def expired_certs(now):
|
||||||
|
- return expired_dogtag_certs(now), expired_ipa_certs(now)
|
||||||
|
+ expired_ipa, non_renew_ipa = expired_ipa_certs(now)
|
||||||
|
+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
|
||||||
|
|
||||||
|
|
||||||
|
def expired_dogtag_certs(now):
|
||||||
|
@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
|
||||||
|
|
||||||
|
"""
|
||||||
|
certs = []
|
||||||
|
+ non_renewed = []
|
||||||
|
|
||||||
|
# IPA RA
|
||||||
|
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
|
||||||
|
@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
|
||||||
|
# Apache HTTPD
|
||||||
|
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
|
||||||
|
if cert.not_valid_after <= now:
|
||||||
|
- certs.append((IPACertType.HTTPS, cert))
|
||||||
|
+ if not is_ipa_issued_cert(api, cert):
|
||||||
|
+ non_renewed.append((IPACertType.HTTPS, cert))
|
||||||
|
+ else:
|
||||||
|
+ certs.append((IPACertType.HTTPS, cert))
|
||||||
|
|
||||||
|
# LDAPS
|
||||||
|
serverid = realm_to_serverid(api.env.realm)
|
||||||
|
@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
|
||||||
|
db = NSSDatabase(nssdir=ds_dbdir)
|
||||||
|
cert = db.get_cert(ds_nickname)
|
||||||
|
if cert.not_valid_after <= now:
|
||||||
|
- certs.append((IPACertType.LDAPS, cert))
|
||||||
|
+ if not is_ipa_issued_cert(api, cert):
|
||||||
|
+ non_renewed.append((IPACertType.LDAPS, cert))
|
||||||
|
+ else:
|
||||||
|
+ certs.append((IPACertType.LDAPS, cert))
|
||||||
|
|
||||||
|
# KDC
|
||||||
|
cert = x509.load_certificate_from_file(paths.KDC_CERT)
|
||||||
|
if cert.not_valid_after <= now:
|
||||||
|
- certs.append((IPACertType.KDC, cert))
|
||||||
|
+ if not is_ipa_issued_cert(api, cert):
|
||||||
|
+ non_renewed.append((IPACertType.HTTPS, cert))
|
||||||
|
+ else:
|
||||||
|
+ certs.append((IPACertType.KDC, cert))
|
||||||
|
|
||||||
|
- return certs
|
||||||
|
+ return certs, non_renewed
|
||||||
|
|
||||||
|
|
||||||
|
-def print_intentions(dogtag_certs, ipa_certs):
|
||||||
|
- print("The following certificates will be renewed: ")
|
||||||
|
+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
|
||||||
|
+ print("The following certificates will be renewed:")
|
||||||
|
print()
|
||||||
|
|
||||||
|
for certid, cert in dogtag_certs:
|
||||||
|
@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
|
||||||
|
for certtype, cert in ipa_certs:
|
||||||
|
print_cert_info("IPA", certtype.value, cert)
|
||||||
|
|
||||||
|
+ if non_renewed:
|
||||||
|
+ print(
|
||||||
|
+ "The following certificates will NOT be renewed because "
|
||||||
|
+ "they were not issued by the IPA CA:"
|
||||||
|
+ )
|
||||||
|
+ print()
|
||||||
|
+
|
||||||
|
+ for certtype, cert in non_renewed:
|
||||||
|
+ print_cert_info("IPA", certtype.value, cert)
|
||||||
|
+
|
||||||
|
|
||||||
|
def print_cert_info(context, desc, cert):
|
||||||
|
print("{} {} certificate:".format(context, desc))
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -0,0 +1,135 @@
|
|||||||
|
From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergey Orlov <sorlov@redhat.com>
|
||||||
|
Date: Wed, 17 Feb 2021 16:48:33 +0100
|
||||||
|
Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
|
||||||
|
|
||||||
|
Related to https://pagure.io/freeipa/issue/8636
|
||||||
|
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
|
||||||
|
ipatests/test_integration/test_smb.py | 63 +++++++++++++++++++++
|
||||||
|
2 files changed, 80 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
|
||||||
|
index 55291ae8b..f62b667bd 100644
|
||||||
|
--- a/ipatests/pytest_ipa/integration/__init__.py
|
||||||
|
+++ b/ipatests/pytest_ipa/integration/__init__.py
|
||||||
|
@@ -28,12 +28,14 @@ import os
|
||||||
|
import tempfile
|
||||||
|
import shutil
|
||||||
|
import re
|
||||||
|
+import functools
|
||||||
|
|
||||||
|
import pytest
|
||||||
|
from pytest_multihost import make_multihost_fixture
|
||||||
|
|
||||||
|
from ipapython import ipautil
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
+from . import fips
|
||||||
|
from .config import Config
|
||||||
|
from .env_config import get_global_config
|
||||||
|
from . import tasks
|
||||||
|
@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
|
||||||
|
del cls.ad_subdomains
|
||||||
|
del cls.ad_treedomains
|
||||||
|
del cls.ad_domains
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
|
||||||
|
+ if callable(reason):
|
||||||
|
+ raise TypeError('Invalid decorator usage, add "()"')
|
||||||
|
+
|
||||||
|
+ def decorator(test_method):
|
||||||
|
+ @functools.wraps(test_method)
|
||||||
|
+ def wrapper(instance, *args, **kwargs):
|
||||||
|
+ if fips.is_fips_enabled(getattr(instance, host)):
|
||||||
|
+ pytest.skip(reason)
|
||||||
|
+ else:
|
||||||
|
+ test_method(instance, *args, **kwargs)
|
||||||
|
+ return wrapper
|
||||||
|
+ return decorator
|
||||||
|
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
|
||||||
|
index 37725ab15..749a96325 100644
|
||||||
|
--- a/ipatests/test_integration/test_smb.py
|
||||||
|
+++ b/ipatests/test_integration/test_smb.py
|
||||||
|
@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipaplatform.osinfo import osinfo
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
+from ipatests.pytest_ipa.integration import skip_if_fips
|
||||||
|
|
||||||
|
|
||||||
|
def wait_smbd_functional(host):
|
||||||
|
@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
|
||||||
|
finally:
|
||||||
|
self.cleanup_mount(mountpoint)
|
||||||
|
|
||||||
|
+ def check_repeated_smb_mount(self, options):
|
||||||
|
+ mountpoint = '/mnt/smb'
|
||||||
|
+ unc = '//{}/homes'.format(self.smbserver.hostname)
|
||||||
|
+ test_file = 'ntlm_test'
|
||||||
|
+ test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
|
||||||
|
+ test_file_client_path = '{}/{}'.format(mountpoint, test_file)
|
||||||
|
+
|
||||||
|
+ self.smbclient.run_command(['mkdir', '-p', mountpoint])
|
||||||
|
+ self.smbserver.put_file_contents(test_file_server_path, '')
|
||||||
|
+ try:
|
||||||
|
+ for i in [1, 2]:
|
||||||
|
+ res = self.smbclient.run_command([
|
||||||
|
+ 'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
|
||||||
|
+ raiseonerr=False)
|
||||||
|
+ assert res.returncode == 0, (
|
||||||
|
+ 'Mount failed at iteration {}. Output: {}'
|
||||||
|
+ .format(i, res.stdout_text + res.stderr_text))
|
||||||
|
+ assert self.smbclient.transport.file_exists(
|
||||||
|
+ test_file_client_path)
|
||||||
|
+ self.smbclient.run_command(['umount', mountpoint])
|
||||||
|
+ finally:
|
||||||
|
+ self.cleanup_mount(mountpoint)
|
||||||
|
+ self.smbserver.run_command(['rm', '-f', test_file_server_path])
|
||||||
|
+
|
||||||
|
+ @skip_if_fips()
|
||||||
|
+ def test_ntlm_authentication_with_auto_domain(self):
|
||||||
|
+ """Repeatedly try to authenticate with username and password with
|
||||||
|
+ automatic domain discovery.
|
||||||
|
+
|
||||||
|
+ This is a regression test for https://pagure.io/freeipa/issue/8636
|
||||||
|
+ """
|
||||||
|
+ tasks.kdestroy_all(self.smbclient)
|
||||||
|
+
|
||||||
|
+ mount_options = 'user={user},pass={password},domainauto'.format(
|
||||||
|
+ user=self.ipa_user1,
|
||||||
|
+ password=self.ipa_user1_password
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ self.check_repeated_smb_mount(mount_options)
|
||||||
|
+
|
||||||
|
+ @skip_if_fips()
|
||||||
|
+ def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
|
||||||
|
+ tasks.kdestroy_all(self.smbclient)
|
||||||
|
+
|
||||||
|
+ mount_options = 'user={user}@{domain},pass={password}'.format(
|
||||||
|
+ user=self.ipa_user1,
|
||||||
|
+ password=self.ipa_user1_password,
|
||||||
|
+ domain=self.master.domain.name.lower()
|
||||||
|
+ )
|
||||||
|
+ self.check_repeated_smb_mount(mount_options)
|
||||||
|
+
|
||||||
|
+ @skip_if_fips()
|
||||||
|
+ def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
|
||||||
|
+ tasks.kdestroy_all(self.smbclient)
|
||||||
|
+
|
||||||
|
+ mount_options = 'user={user}@{domain},pass={password}'.format(
|
||||||
|
+ user=self.ipa_user1,
|
||||||
|
+ password=self.ipa_user1_password,
|
||||||
|
+ domain=self.master.domain.name.upper()
|
||||||
|
+ )
|
||||||
|
+ self.check_repeated_smb_mount(mount_options)
|
||||||
|
+
|
||||||
|
def test_uninstall_samba(self):
|
||||||
|
self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
|
||||||
|
res = self.smbserver.run_command(
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,93 +0,0 @@
|
|||||||
From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Thu, 2 Jul 2020 15:50:00 +0300
|
|
||||||
Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for
|
|
||||||
execution
|
|
||||||
|
|
||||||
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
|
|
||||||
SELinux policy permission to use 'noatsecure'. This comes most likely
|
|
||||||
from execve() setup by glibc.
|
|
||||||
|
|
||||||
Add SELinux interface ipa_helper_noatsecure() that can be called by
|
|
||||||
oddjob's SELinux policy definition.
|
|
||||||
|
|
||||||
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
|
|
||||||
access SELinux configuration and produce AVC for that. Allow reading
|
|
||||||
general userspace SELinux configuration.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8395
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.if | 18 ++++++++++++++++++
|
|
||||||
selinux/ipa.te | 1 +
|
|
||||||
2 files changed, 19 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.if b/selinux/ipa.if
|
|
||||||
index ea971b8fa..783db8b78 100644
|
|
||||||
--- a/selinux/ipa.if
|
|
||||||
+++ b/selinux/ipa.if
|
|
||||||
@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',`
|
|
||||||
ps_process_pattern($1, dirsrv_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Allow ipa_helper noatsecure
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed access.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+interface(`ipa_helper_noatsecure',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type ipa_helper_t;
|
|
||||||
+ ')
|
|
||||||
+ allow $1 ipa_helper_t:process { noatsecure };
|
|
||||||
+')
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 587e5e585..383979094 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -115,6 +115,7 @@ optional_policy(`
|
|
||||||
|
|
||||||
|
|
||||||
allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
|
|
||||||
+seutil_read_config(ipa_helper_t);
|
|
||||||
|
|
||||||
#kernel bug
|
|
||||||
dontaudit ipa_helper_t self:capability2 block_suspend;
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 3 Jul 2020 17:20:49 +0300
|
|
||||||
Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8395
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 383979094..a3381217a 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -390,3 +390,7 @@ optional_policy(`
|
|
||||||
sssd_search_lib(ipa_custodia_t)
|
|
||||||
sssd_stream_connect(ipa_custodia_t)
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ systemd_private_tmp(ipa_custodia_tmp_t)
|
|
||||||
+')
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,180 +0,0 @@
|
|||||||
From 128500198d3782a76616cf1d971d5aeb17e8c1da Mon Sep 17 00:00:00 2001
|
|
||||||
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
||||||
Date: Thu, 11 Jun 2020 22:42:38 +1000
|
|
||||||
Subject: [PATCH] fix iPAddress cert issuance for >1 host/service
|
|
||||||
|
|
||||||
The 'cert_request' command accumulates DNS names from the CSR,
|
|
||||||
before checking that all IP addresses in the CSR are reachable from
|
|
||||||
those DNS names. Before adding a DNS name to the set, we check that
|
|
||||||
that it corresponds to the FQDN of a known host/service principal
|
|
||||||
(including principal aliases). When a DNS name maps to a
|
|
||||||
"alternative" principal (i.e. not the one given via the 'principal'
|
|
||||||
argument), this check was not being performed correctly.
|
|
||||||
Specifically, we were looking for the 'krbprincipalname' field on
|
|
||||||
the RPC response object directly, instead of its 'result' field.
|
|
||||||
|
|
||||||
To resolve the issue, dereference the RPC response to its 'result'
|
|
||||||
field before invoking the '_dns_name_matches_principal' subroutine.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8368
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/plugins/cert.py | 6 +-
|
|
||||||
.../test_cert_request_ip_address.py | 62 +++++++++++++++++--
|
|
||||||
2 files changed, 61 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
|
||||||
index d353bc3ea..fe7ea34f5 100644
|
|
||||||
--- a/ipaserver/plugins/cert.py
|
|
||||||
+++ b/ipaserver/plugins/cert.py
|
|
||||||
@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|
||||||
try:
|
|
||||||
if principal_type == HOST:
|
|
||||||
alt_principal_obj = api.Command['host_show'](
|
|
||||||
- name, all=True)
|
|
||||||
+ name, all=True)['result']
|
|
||||||
elif principal_type == KRBTGT:
|
|
||||||
alt_principal = kerberos.Principal(
|
|
||||||
(u'host', name), principal.realm)
|
|
||||||
elif principal_type == SERVICE:
|
|
||||||
alt_principal_obj = api.Command['service_show'](
|
|
||||||
- alt_principal, all=True)
|
|
||||||
+ alt_principal, all=True)['result']
|
|
||||||
except errors.NotFound:
|
|
||||||
# We don't want to issue any certificates referencing
|
|
||||||
# machines we don't know about. Nothing is stored in this
|
|
||||||
@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|
||||||
pass
|
|
||||||
|
|
||||||
# Now check write access and caacl
|
|
||||||
- altdn = alt_principal_obj['result']['dn']
|
|
||||||
+ altdn = alt_principal_obj['dn']
|
|
||||||
if not ldap.can_write(altdn, "usercertificate"):
|
|
||||||
raise errors.ACIError(info=_(
|
|
||||||
"Insufficient privilege to create a certificate "
|
|
||||||
diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
|
|
||||||
index bf4de05bf..c0475d30d 100644
|
|
||||||
--- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py
|
|
||||||
+++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py
|
|
||||||
@@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
|
|
||||||
from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
|
|
||||||
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
|
|
||||||
|
|
||||||
-host_fqdn = f'iptest.{api.env.domain}'
|
|
||||||
+host_shortname = 'iptest'
|
|
||||||
+host_fqdn = f'{host_shortname}.{api.env.domain}'
|
|
||||||
host_princ = f'host/{host_fqdn}'
|
|
||||||
host_ptr = f'{host_fqdn}.'
|
|
||||||
|
|
||||||
+host2_shortname = 'iptest2'
|
|
||||||
+host2_fqdn = f'{host2_shortname}.{api.env.domain}'
|
|
||||||
+host2_princ = f'host/{host2_fqdn}'
|
|
||||||
+host2_ptr = f'{host2_fqdn}.'
|
|
||||||
+
|
|
||||||
other_fqdn = f'other.{api.env.domain}'
|
|
||||||
other_ptr = f'{other_fqdn}.'
|
|
||||||
|
|
||||||
@@ -39,6 +45,10 @@ ipv4_address = '169.254.0.42'
|
|
||||||
ipv4_revzone_s = '0.254.169.in-addr.arpa.'
|
|
||||||
ipv4_revrec_s = '42'
|
|
||||||
|
|
||||||
+host2_ipv4_address = '169.254.0.43'
|
|
||||||
+host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.'
|
|
||||||
+host2_ipv4_revrec_s = '43'
|
|
||||||
+
|
|
||||||
ipv6_address = 'fe80::8f18:bdab:4299:95fa'
|
|
||||||
ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.'
|
|
||||||
ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
|
|
||||||
@@ -46,7 +56,13 @@ ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8'
|
|
||||||
|
|
||||||
@pytest.fixture(scope='class')
|
|
||||||
def host(request, xmlrpc_setup):
|
|
||||||
- tr = HostTracker('iptest')
|
|
||||||
+ tr = HostTracker(host_shortname)
|
|
||||||
+ return tr.make_fixture(request)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture(scope='class')
|
|
||||||
+def host2(request, xmlrpc_setup):
|
|
||||||
+ tr = HostTracker(host2_shortname)
|
|
||||||
return tr.make_fixture(request)
|
|
||||||
|
|
||||||
|
|
||||||
@@ -88,6 +104,12 @@ def ipv6_revzone(host):
|
|
||||||
yield from _zone_setup(host, ipv6_revzone_s)
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.fixture(scope='class')
|
|
||||||
+def host2_ipv4_ptr(host2, ipv4_revzone):
|
|
||||||
+ yield from _record_setup(
|
|
||||||
+ host2, ipv4_revzone, host2_ipv4_revrec_s, ptrrecord=host2_ptr)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
@pytest.fixture(scope='class')
|
|
||||||
def ipv4_ptr(host, ipv4_revzone):
|
|
||||||
yield from _record_setup(
|
|
||||||
@@ -100,16 +122,22 @@ def ipv6_ptr(host, ipv6_revzone):
|
|
||||||
host, ipv6_revzone, ipv6_revrec_s, ptrrecord=host_ptr)
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.fixture(scope='class')
|
|
||||||
+def host2_ipv4_a(host2):
|
|
||||||
+ yield from _record_setup(
|
|
||||||
+ host2, api.env.domain, host2_shortname, arecord=host2_ipv4_address)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
@pytest.fixture(scope='class')
|
|
||||||
def ipv4_a(host):
|
|
||||||
yield from _record_setup(
|
|
||||||
- host, api.env.domain, 'iptest', arecord=ipv4_address)
|
|
||||||
+ host, api.env.domain, host_shortname, arecord=ipv4_address)
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture(scope='class')
|
|
||||||
def ipv6_aaaa(host):
|
|
||||||
yield from _record_setup(
|
|
||||||
- host, api.env.domain, 'iptest', aaaarecord=ipv6_address)
|
|
||||||
+ host, api.env.domain, host_shortname, aaaarecord=ipv6_address)
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture(scope='class')
|
|
||||||
@@ -210,6 +238,12 @@ csr_cname2 = csr([
|
|
||||||
x509.DNSName(f'cname2.{api.env.domain}'),
|
|
||||||
x509.IPAddress(ipaddress.ip_address(ipv4_address)),
|
|
||||||
])
|
|
||||||
+csr_two_dnsname_two_ip = csr([
|
|
||||||
+ x509.DNSName(host_fqdn),
|
|
||||||
+ x509.IPAddress(ipaddress.ip_address(ipv4_address)),
|
|
||||||
+ x509.DNSName(host2_fqdn),
|
|
||||||
+ x509.IPAddress(ipaddress.ip_address(host2_ipv4_address)),
|
|
||||||
+])
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
|
||||||
@@ -449,3 +483,23 @@ class TestIPAddressCNAME(XMLRPC_test):
|
|
||||||
def test_two_levels(self, host, csr_cname2):
|
|
||||||
with pytest.raises(errors.ValidationError, match=PAT_FWD):
|
|
||||||
host.run_command('cert_request', csr_cname2, principal=host_princ)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.mark.tier1
|
|
||||||
+class TestTwoHostsTwoIPAddresses(XMLRPC_test):
|
|
||||||
+ """
|
|
||||||
+ Test certificate issuance with CSR containing two hosts
|
|
||||||
+ and two IP addresses (one for each host).
|
|
||||||
+
|
|
||||||
+ """
|
|
||||||
+ def test_host_exists(
|
|
||||||
+ self, host, host2, ipv4_a, ipv4_ptr, host2_ipv4_a, host2_ipv4_ptr,
|
|
||||||
+ ):
|
|
||||||
+ # for convenience, this test also establishes the DNS
|
|
||||||
+ # record fixtures, which have class scope
|
|
||||||
+ host.ensure_exists()
|
|
||||||
+ host2.ensure_exists()
|
|
||||||
+
|
|
||||||
+ def test_issuance(self, host, csr_two_dnsname_two_ip):
|
|
||||||
+ host.run_command(
|
|
||||||
+ 'cert_request', csr_two_dnsname_two_ip, principal=host_princ)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,79 @@
|
|||||||
|
From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Tue, 16 Feb 2021 16:53:24 +0100
|
||||||
|
Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
|
||||||
|
|
||||||
|
Fix zonemgr option in ipaserver install being
|
||||||
|
ignored because of an incorrect condition.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8718
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/bindinstance.py | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
|
||||||
|
index 3b446ce76..19941cd00 100644
|
||||||
|
--- a/ipaserver/install/bindinstance.py
|
||||||
|
+++ b/ipaserver/install/bindinstance.py
|
||||||
|
@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
|
||||||
|
else:
|
||||||
|
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
|
||||||
|
|
||||||
|
- if zonemgr is None:
|
||||||
|
+ if not zonemgr:
|
||||||
|
zonemgr = 'hostmaster.%s' % name
|
||||||
|
|
||||||
|
if ns_hostname:
|
||||||
|
@@ -682,7 +682,7 @@ class BindInstance(service.Service):
|
||||||
|
self.forward_policy = forward_policy
|
||||||
|
self.reverse_zones = reverse_zones
|
||||||
|
|
||||||
|
- if zonemgr is not None:
|
||||||
|
+ if not zonemgr:
|
||||||
|
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
|
||||||
|
else:
|
||||||
|
self.zonemgr = normalize_zonemgr(zonemgr)
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
|
||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Tue, 16 Feb 2021 18:24:26 +0100
|
||||||
|
Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
|
||||||
|
install
|
||||||
|
|
||||||
|
Add test to check that zonemgr is correctly
|
||||||
|
set when installing IPA server.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8718
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_installation.py | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index 6e8af024c..18c5bd243 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
|
||||||
|
extra_args=['--zonemgr', 'me@example.org'],
|
||||||
|
)
|
||||||
|
|
||||||
|
+ tasks.kinit_admin(self.master)
|
||||||
|
+ result = self.master.run_command(
|
||||||
|
+ ['ipa', 'dnszone-show', self.master.domain.name]
|
||||||
|
+ ).stdout_text
|
||||||
|
+
|
||||||
|
+ assert "Administrator e-mail address: me.example.org" in result
|
||||||
|
+
|
||||||
|
def test_server_install_lock_bind_recursion(self):
|
||||||
|
"""Test if server installer lock Bind9 recursion
|
||||||
|
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,118 +0,0 @@
|
|||||||
From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Fri, 19 Jun 2020 08:48:56 -0400
|
|
||||||
Subject: [PATCH] Specify cert_paths when calling PKIConnection
|
|
||||||
|
|
||||||
PKIConnection now defaults to specifying verify=True. We've introduced
|
|
||||||
a new parameter, cert_paths, to specify additional paths (directories or
|
|
||||||
files) to load as certificates. Specify the IPA CA certificate file so
|
|
||||||
we can guarantee connections succeed and validate the peer's certificate.
|
|
||||||
|
|
||||||
Point to IPA CA certificate during pkispawn
|
|
||||||
|
|
||||||
Bump pki_version to 10.9.0-0.4 (aka -b2)
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8379
|
|
||||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
|
|
||||||
Related: https://github.com/dogtagpki/pki/pull/443
|
|
||||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
freeipa.spec.in | 6 +++---
|
|
||||||
install/tools/ipa-pki-wait-running.in | 3 ++-
|
|
||||||
ipaserver/install/cainstance.py | 7 +++++++
|
|
||||||
ipaserver/install/dogtaginstance.py | 3 ++-
|
|
||||||
ipaserver/plugins/dogtag.py | 11 +++++------
|
|
||||||
5 files changed, 19 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index 74e752ea5..d00b9d640 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -112,9 +112,9 @@
|
|
||||||
# Fedora
|
|
||||||
%endif
|
|
||||||
|
|
||||||
-# 10.7.3 supports LWCA key replication using AES
|
|
||||||
-# https://pagure.io/freeipa/issue/8020
|
|
||||||
-%global pki_version 10.7.3-1
|
|
||||||
+# PKIConnection has been modified to always validate certs.
|
|
||||||
+# https://pagure.io/freeipa/issue/8379
|
|
||||||
+%global pki_version 10.9.0-0.4
|
|
||||||
|
|
||||||
# https://pagure.io/certmonger/issue/90
|
|
||||||
%global certmonger_version 0.79.7-1
|
|
||||||
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
|
|
||||||
index 69f5ec296..4f0f2f34a 100644
|
|
||||||
--- a/install/tools/ipa-pki-wait-running.in
|
|
||||||
+++ b/install/tools/ipa-pki-wait-running.in
|
|
||||||
@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
|
|
||||||
"""
|
|
||||||
conn = PKIConnection(
|
|
||||||
hostname=hostname,
|
|
||||||
- subsystem=subsystem
|
|
||||||
+ subsystem=subsystem,
|
|
||||||
+ cert_paths=paths.IPA_CA_CRT
|
|
||||||
)
|
|
||||||
logger.info(
|
|
||||||
"Created connection %s://%s:%s/%s",
|
|
||||||
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
||||||
index 706bc28cc..9294f1dba 100644
|
|
||||||
--- a/ipaserver/install/cainstance.py
|
|
||||||
+++ b/ipaserver/install/cainstance.py
|
|
||||||
@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
|
|
||||||
else:
|
|
||||||
pki_pin = None
|
|
||||||
|
|
||||||
+ # When spawning a CA instance, always point to IPA_CA_CRT if it
|
|
||||||
+ # exists. Later, when we're performing step 2 of an external CA
|
|
||||||
+ # installation, we'll overwrite this key to point to the real
|
|
||||||
+ # external CA.
|
|
||||||
+ if os.path.exists(paths.IPA_CA_CRT):
|
|
||||||
+ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
|
|
||||||
+
|
|
||||||
if self.clone:
|
|
||||||
if self.no_db_setup:
|
|
||||||
cfg.update(
|
|
||||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
||||||
index 361d80a8c..7e295665c 100644
|
|
||||||
--- a/ipaserver/install/dogtaginstance.py
|
|
||||||
+++ b/ipaserver/install/dogtaginstance.py
|
|
||||||
@@ -70,7 +70,8 @@ def get_security_domain():
|
|
||||||
connection = PKIConnection(
|
|
||||||
protocol='https',
|
|
||||||
hostname=api.env.ca_host,
|
|
||||||
- port='8443'
|
|
||||||
+ port='8443',
|
|
||||||
+ cert_paths=paths.IPA_CA_CRT
|
|
||||||
)
|
|
||||||
domain_client = pki.system.SecurityDomainClient(connection)
|
|
||||||
info = domain_client.get_security_domain_info()
|
|
||||||
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
|
||||||
index 4de26d76f..b300f6b18 100644
|
|
||||||
--- a/ipaserver/plugins/dogtag.py
|
|
||||||
+++ b/ipaserver/plugins/dogtag.py
|
|
||||||
@@ -2082,13 +2082,12 @@ class kra(Backend):
|
|
||||||
'https',
|
|
||||||
self.kra_host,
|
|
||||||
str(self.kra_port),
|
|
||||||
- 'kra')
|
|
||||||
+ 'kra',
|
|
||||||
+ cert_paths=paths.IPA_CA_CRT
|
|
||||||
+ )
|
|
||||||
|
|
||||||
- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
|
|
||||||
- # uncomment the following when this commit makes it to release
|
|
||||||
- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
|
|
||||||
- # connection.set_authentication_cert(paths.RA_AGENT_PEM,
|
|
||||||
- # paths.RA_AGENT_KEY)
|
|
||||||
+ connection.set_authentication_cert(paths.RA_AGENT_PEM,
|
|
||||||
+ paths.RA_AGENT_KEY)
|
|
||||||
|
|
||||||
try:
|
|
||||||
yield KRAClient(connection, crypto)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,318 @@
|
|||||||
|
From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Tue, 2 Feb 2021 17:33:57 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
|
||||||
|
|
||||||
|
Test moves system date to expire certs. Then calls ipa-cert-fix
|
||||||
|
to renew them. This certs include subsystem, audit-signing,
|
||||||
|
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/7885
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++
|
||||||
|
1 file changed, 60 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
index f9e5fe6e2..da68af573 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
|
||||||
|
import pytest
|
||||||
|
import time
|
||||||
|
|
||||||
|
+import logging
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||||
|
|
||||||
|
|
||||||
|
+logger = logging.getLogger(__name__)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def server_install_teardown(func):
|
||||||
|
def wrapped(*args):
|
||||||
|
master = args[0].master
|
||||||
|
@@ -24,6 +28,26 @@ def server_install_teardown(func):
|
||||||
|
return wrapped
|
||||||
|
|
||||||
|
|
||||||
|
+def check_status(host, cert_count, state, timeout=600):
|
||||||
|
+ """Helper method to check that if all the certs are in given state
|
||||||
|
+ :param host: the host
|
||||||
|
+ :param cert_count: no of cert to look for
|
||||||
|
+ :param state: state to check for
|
||||||
|
+ :param timeout: max time in seconds to wait for the state
|
||||||
|
+ """
|
||||||
|
+ for _i in range(0, timeout, 10):
|
||||||
|
+ result = host.run_command(['getcert', 'list'])
|
||||||
|
+ count = result.stdout_text.count(f"status: {state}")
|
||||||
|
+ logger.info("cert count in %s state : %s", state, count)
|
||||||
|
+ if int(count) == cert_count:
|
||||||
|
+ break
|
||||||
|
+ time.sleep(10)
|
||||||
|
+ else:
|
||||||
|
+ raise RuntimeError("request timed out")
|
||||||
|
+
|
||||||
|
+ return count
|
||||||
|
+
|
||||||
|
+
|
||||||
|
class TestIpaCertFix(IntegrationTest):
|
||||||
|
@classmethod
|
||||||
|
def uninstall(cls, mh):
|
||||||
|
@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
|
||||||
|
# timeout
|
||||||
|
raise AssertionError('Timeout: Failed to renew all the certs')
|
||||||
|
|
||||||
|
+ def test_renew_expired_cert_on_master(self, expire_cert_critical):
|
||||||
|
+ """Test if ipa-cert-fix renews expired certs
|
||||||
|
+
|
||||||
|
+ Test moves system date to expire certs. Then calls ipa-cert-fix
|
||||||
|
+ to renew them. This certs include subsystem, audit-signing,
|
||||||
|
+ OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/7885
|
||||||
|
+ """
|
||||||
|
+ # wait for cert expiry
|
||||||
|
+ check_status(self.master, 8, "CA_UNREACHABLE")
|
||||||
|
+
|
||||||
|
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
|
||||||
|
+
|
||||||
|
+ check_status(self.master, 9, "MONITORING")
|
||||||
|
+
|
||||||
|
+ # second iteration of ipa-cert-fix
|
||||||
|
+ result = self.master.run_command(
|
||||||
|
+ ['ipa-cert-fix', '-v'],
|
||||||
|
+ stdin_text='yes\n'
|
||||||
|
+ )
|
||||||
|
+ assert "Nothing to do" in result.stdout_text
|
||||||
|
+ check_status(self.master, 9, "MONITORING")
|
||||||
|
+
|
||||||
|
+ def test_ipa_cert_fix_non_ipa(self):
|
||||||
|
+ """Test ipa-cert-fix doesn't work on non ipa system
|
||||||
|
+
|
||||||
|
+ ipa-cert-fix tool should not work on non ipa system.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/7885
|
||||||
|
+ """
|
||||||
|
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
|
||||||
|
+ stdin_text='yes\n',
|
||||||
|
+ raiseonerr=False)
|
||||||
|
+ assert result.returncode == 2
|
||||||
|
+
|
||||||
|
|
||||||
|
class TestIpaCertFixThirdParty(CALessBase):
|
||||||
|
"""
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 11 Feb 2021 16:54:22 +0530
|
||||||
|
Subject: [PATCH] Move fixture outside the class and add setup_kra capability
|
||||||
|
|
||||||
|
Moved fixture to use across multiple classes. Added capability
|
||||||
|
to install the KRA to the fixture
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++-------
|
||||||
|
1 file changed, 30 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
index da68af573..591dc5031 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
|
||||||
|
return count
|
||||||
|
|
||||||
|
|
||||||
|
+@pytest.fixture
|
||||||
|
+def expire_cert_critical():
|
||||||
|
+ """
|
||||||
|
+ Fixture to expire the certs by moving the system date using
|
||||||
|
+ date -s command and revert it back
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ hosts = dict()
|
||||||
|
+
|
||||||
|
+ def _expire_cert_critical(host, setup_kra=False):
|
||||||
|
+ hosts['host'] = host
|
||||||
|
+ # Do not install NTP as the test plays with the date
|
||||||
|
+ tasks.install_master(host, setup_dns=False,
|
||||||
|
+ extra_args=['--no-ntp'])
|
||||||
|
+ if setup_kra:
|
||||||
|
+ tasks.install_kra(host)
|
||||||
|
+ host.run_command(['systemctl', 'stop', 'chronyd'])
|
||||||
|
+ host.run_command(['date', '-s', '+3Years+1day'])
|
||||||
|
+
|
||||||
|
+ yield _expire_cert_critical
|
||||||
|
+
|
||||||
|
+ host = hosts.pop('host')
|
||||||
|
+ tasks.uninstall_master(host)
|
||||||
|
+ host.run_command(['date', '-s', '-3Years-1day'])
|
||||||
|
+ host.run_command(['systemctl', 'start', 'chronyd'])
|
||||||
|
+
|
||||||
|
+
|
||||||
|
class TestIpaCertFix(IntegrationTest):
|
||||||
|
@classmethod
|
||||||
|
def uninstall(cls, mh):
|
||||||
|
@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
|
||||||
|
# the fixture
|
||||||
|
pass
|
||||||
|
|
||||||
|
- @pytest.fixture
|
||||||
|
- def expire_cert_critical(self):
|
||||||
|
- """
|
||||||
|
- Fixture to expire the certs by moving the system date using
|
||||||
|
- date -s command and revert it back
|
||||||
|
- """
|
||||||
|
- # Do not install NTP as the test plays with the date
|
||||||
|
- tasks.install_master(self.master, setup_dns=False,
|
||||||
|
- extra_args=['--no-ntp'])
|
||||||
|
- self.master.run_command(['systemctl', 'stop', 'chronyd'])
|
||||||
|
- self.master.run_command(['date','-s', '+3Years+1day'])
|
||||||
|
- yield
|
||||||
|
- tasks.uninstall_master(self.master)
|
||||||
|
- self.master.run_command(['date','-s', '-3Years-1day'])
|
||||||
|
- self.master.run_command(['systemctl', 'start', 'chronyd'])
|
||||||
|
-
|
||||||
|
def test_missing_csr(self, expire_cert_critical):
|
||||||
|
"""
|
||||||
|
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
|
||||||
|
@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
|
||||||
|
- call getcert resubmit in order to create the CSR in certmonger file
|
||||||
|
- use ipa-cert-fix, no issue should be seen
|
||||||
|
"""
|
||||||
|
+ expire_cert_critical(self.master)
|
||||||
|
# pki must be stopped in order to edit CS.cfg
|
||||||
|
self.master.run_command(['ipactl', 'stop'])
|
||||||
|
self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
|
||||||
|
@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/7885
|
||||||
|
"""
|
||||||
|
+ expire_cert_critical(self.master)
|
||||||
|
+
|
||||||
|
# wait for cert expiry
|
||||||
|
check_status(self.master, 8, "CA_UNREACHABLE")
|
||||||
|
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 11 Feb 2021 16:59:53 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
|
||||||
|
installed
|
||||||
|
|
||||||
|
This test check if ipa-cert-fix renews certs with kra
|
||||||
|
certificate installed.
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/7885
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++
|
||||||
|
1 file changed, 25 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
index 591dc5031..b2e92d4dc 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
|
||||||
|
# the DS nickname is used and not a hardcoded value.
|
||||||
|
result = self.master.run_command(['ipa-cert-fix', '-v'],)
|
||||||
|
assert self.nickname in result.stderr_text
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestCertFixKRA(IntegrationTest):
|
||||||
|
+ @classmethod
|
||||||
|
+ def uninstall(cls, mh):
|
||||||
|
+ # Uninstall method is empty as the uninstallation is done in
|
||||||
|
+ # the fixture
|
||||||
|
+ pass
|
||||||
|
+
|
||||||
|
+ def test_renew_expired_cert_with_kra(self, expire_cert_critical):
|
||||||
|
+ """Test if ipa-cert-fix renews expired certs with kra installed
|
||||||
|
+
|
||||||
|
+ This test check if ipa-cert-fix renews certs with kra
|
||||||
|
+ certificate installed.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/7885
|
||||||
|
+ """
|
||||||
|
+ expire_cert_critical(self.master, setup_kra=True)
|
||||||
|
+
|
||||||
|
+ # check if all subsystem cert expired
|
||||||
|
+ check_status(self.master, 11, "CA_UNREACHABLE")
|
||||||
|
+
|
||||||
|
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
|
||||||
|
+
|
||||||
|
+ check_status(self.master, 12, "MONITORING")
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Tue, 2 Mar 2021 11:42:36 +0530
|
||||||
|
Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +-
|
||||||
|
ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
|
||||||
|
ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +-
|
||||||
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
index ebd539246..8a88698eb 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
@@ -1687,5 +1687,5 @@ jobs:
|
||||||
|
build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||||
|
test_suite: test_integration/test_ipa_cert_fix.py
|
||||||
|
template: *ci-ipa-4-9-latest
|
||||||
|
- timeout: 3600
|
||||||
|
+ timeout: 7200
|
||||||
|
topology: *master_1repl
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
index d4b597d6e..14f0c4292 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
@@ -1821,5 +1821,5 @@ jobs:
|
||||||
|
selinux_enforcing: True
|
||||||
|
test_suite: test_integration/test_ipa_cert_fix.py
|
||||||
|
template: *ci-ipa-4-9-latest
|
||||||
|
- timeout: 3600
|
||||||
|
+ timeout: 7200
|
||||||
|
topology: *master_1repl
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
index 1fd589e6a..b7f8d2b3e 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
@@ -1687,5 +1687,5 @@ jobs:
|
||||||
|
build_url: '{fedora-previous-ipa-4-9/build_url}'
|
||||||
|
test_suite: test_integration/test_ipa_cert_fix.py
|
||||||
|
template: *ci-ipa-4-9-previous
|
||||||
|
- timeout: 3600
|
||||||
|
+ timeout: 7200
|
||||||
|
topology: *master_1repl
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Wed, 15 Jul 2020 10:23:35 +0200
|
|
||||||
Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock
|
|
||||||
|
|
||||||
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
|
|
||||||
from upstream rules. It breaks installations on systems that don't have
|
|
||||||
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8412
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index a3381217a4..c4c3fa805e 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -378,6 +378,13 @@ optional_policy(`
|
|
||||||
ipa_search_lib(ipa_custodia_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type httpd_t;
|
|
||||||
+ ')
|
|
||||||
+ ipa_custodia_stream_connect(httpd_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
optional_policy(`
|
|
||||||
pki_manage_tomcat_etc_rw(ipa_custodia_t)
|
|
||||||
pki_read_tomcat_cert(ipa_custodia_t)
|
|
@ -0,0 +1,37 @@
|
|||||||
|
From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Tue, 2 Mar 2021 08:44:35 +0100
|
||||||
|
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
|
||||||
|
|
||||||
|
The test test_commands.py::TestIPACommand::test_ssh_key_connection
|
||||||
|
is checking the content of the journal using journalctl --since ...
|
||||||
|
but provides only the time, not the whole date with year-month-day.
|
||||||
|
As a consequence, if the test is executed around midnight it may
|
||||||
|
find nothing in the journal because it's looking for logs after 11:50PM,
|
||||||
|
which is a date in the future.
|
||||||
|
|
||||||
|
The fix provides a complete date with year-month-day hours:min:sec.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8728
|
||||||
|
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_commands.py | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||||
|
index 45f642bf2..b7ffb926f 100644
|
||||||
|
--- a/ipatests/test_integration/test_commands.py
|
||||||
|
+++ b/ipatests/test_integration/test_commands.py
|
||||||
|
@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
|
||||||
|
# start to look at logs a bit before "now"
|
||||||
|
# https://pagure.io/freeipa/issue/8432
|
||||||
|
since = time.strftime(
|
||||||
|
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
|
||||||
|
+ '%Y-%m-%d %H:%M:%S',
|
||||||
|
+ (datetime.now() - timedelta(seconds=10)).timetuple()
|
||||||
|
)
|
||||||
|
|
||||||
|
tasks.run_ssh_cmd(
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -1,189 +0,0 @@
|
|||||||
From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Wed, 29 Jul 2020 13:35:49 +0200
|
|
||||||
Subject: [PATCH] ipa-client-install: use the authselect backup during
|
|
||||||
uninstall
|
|
||||||
|
|
||||||
When ipa-client-install is run on a system with no existing
|
|
||||||
authselect configuration (for instance a fedora 31 new install),
|
|
||||||
uninstallation is picking sssd profile but this may lead to
|
|
||||||
a configuration with differences compared to the pre-ipa-client
|
|
||||||
state.
|
|
||||||
|
|
||||||
Now that authselect provides an option to backup the existing
|
|
||||||
configuration prior to setting a profile, the client install
|
|
||||||
can save the backup name and uninstall is able to apply the
|
|
||||||
backup in order to go back to the pre-ipa-client state.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8189
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
---
|
|
||||||
ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------
|
|
||||||
1 file changed, 16 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
|
|
||||||
index 758376f2b..89f452d66 100644
|
|
||||||
--- a/ipaplatform/redhat/authconfig.py
|
|
||||||
+++ b/ipaplatform/redhat/authconfig.py
|
|
||||||
@@ -27,6 +27,7 @@ from ipaplatform.paths import paths
|
|
||||||
from ipapython import ipautil
|
|
||||||
from ipapython.admintool import ScriptError
|
|
||||||
import os
|
|
||||||
+import time
|
|
||||||
|
|
||||||
FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
|
|
||||||
|
|
||||||
@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase):
|
|
||||||
def configure(self, sssd, mkhomedir, statestore, sudo=True):
|
|
||||||
# In the statestore, the following keys are used for the
|
|
||||||
# 'authselect' module:
|
|
||||||
+ # Old method:
|
|
||||||
# profile: name of the profile configured pre-installation
|
|
||||||
# features_list: list of features configured pre-installation
|
|
||||||
# mkhomedir: True if installation was called with --mkhomedir
|
|
||||||
# profile and features_list are used when reverting to the
|
|
||||||
# pre-install state
|
|
||||||
- cfg = self._parse_authselect_output()
|
|
||||||
- if cfg:
|
|
||||||
- statestore.backup_state('authselect', 'profile', cfg[0])
|
|
||||||
- statestore.backup_state(
|
|
||||||
- 'authselect', 'features_list', " ".join(cfg[1]))
|
|
||||||
- else:
|
|
||||||
- # cfg = None means that the current conf is not managed by
|
|
||||||
- # authselect but by authconfig.
|
|
||||||
- # As we are using authselect to configure the host,
|
|
||||||
- # it will not be possible to revert to a custom authconfig
|
|
||||||
- # configuration later (during uninstall)
|
|
||||||
- # Best thing to do will be to use sssd profile at this time
|
|
||||||
- logger.warning(
|
|
||||||
- "WARNING: The configuration pre-client installation is not "
|
|
||||||
- "managed by authselect and cannot be backed up. "
|
|
||||||
- "Uninstallation may not be able to revert to the original "
|
|
||||||
- "state.")
|
|
||||||
+ # New method:
|
|
||||||
+ # backup: name of the authselect backup
|
|
||||||
+ backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S"))
|
|
||||||
+ statestore.backup_state('authselect', 'backup', backup_name)
|
|
||||||
|
|
||||||
cmd = [paths.AUTHSELECT, "select", "sssd"]
|
|
||||||
if mkhomedir:
|
|
||||||
@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase):
|
|
||||||
if sudo:
|
|
||||||
cmd.append("with-sudo")
|
|
||||||
cmd.append("--force")
|
|
||||||
+ cmd.append("--backup={}".format(backup_name))
|
|
||||||
|
|
||||||
ipautil.run(cmd)
|
|
||||||
|
|
||||||
@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase):
|
|
||||||
else:
|
|
||||||
features = []
|
|
||||||
|
|
||||||
- cmd = [paths.AUTHSELECT, "select", profile]
|
|
||||||
- cmd.extend(features)
|
|
||||||
- cmd.append("--force")
|
|
||||||
- ipautil.run(cmd)
|
|
||||||
+ backup = statestore.restore_state('authselect', 'backup')
|
|
||||||
+ if backup:
|
|
||||||
+ cmd = [paths.AUTHSELECT, "backup-restore", backup]
|
|
||||||
+ ipautil.run(cmd)
|
|
||||||
+ else:
|
|
||||||
+ cmd = [paths.AUTHSELECT, "select", profile]
|
|
||||||
+ cmd.extend(features)
|
|
||||||
+ cmd.append("--force")
|
|
||||||
+ ipautil.run(cmd)
|
|
||||||
|
|
||||||
def backup(self, path):
|
|
||||||
current = self._get_authselect_current_output()
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
# Not needed for 4.7.8 release
|
|
||||||
#
|
|
||||||
#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001
|
|
||||||
#From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
#Date: Wed, 29 Jul 2020 13:40:26 +0200
|
|
||||||
#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py
|
|
||||||
#
|
|
||||||
#Related: https://pagure.io/freeipa/issue/8189
|
|
||||||
#Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
#Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
#---
|
|
||||||
# ipatests/test_integration/test_nfs.py | 4 ----
|
|
||||||
# 1 file changed, 4 deletions(-)
|
|
||||||
#
|
|
||||||
#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
|
|
||||||
#index 7272b0d44..832c56cca 100644
|
|
||||||
#--- a/ipatests/test_integration/test_nfs.py
|
|
||||||
#+++ b/ipatests/test_integration/test_nfs.py
|
|
||||||
#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
|
|
||||||
# cmd = self.clients[0].run_command(sha256nsswitch_cmd)
|
|
||||||
# assert cmd.stdout_text == orig_sha256
|
|
||||||
#
|
|
||||||
#- @pytest.mark.xfail(
|
|
||||||
#- reason="https://pagure.io/freeipa/issue/8189",
|
|
||||||
#- strict=True
|
|
||||||
#- )
|
|
||||||
# def test_nsswitch_backup_restore_sssd(self):
|
|
||||||
# self.nsswitch_backup_restore()
|
|
||||||
#
|
|
||||||
#--
|
|
||||||
#2.26.2
|
|
||||||
|
|
||||||
From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Wed, 29 Jul 2020 17:57:53 +0200
|
|
||||||
Subject: [PATCH] ipatests: fix test_authselect
|
|
||||||
|
|
||||||
Before the code fix, install/uninstall on a config without
|
|
||||||
any authselect profile was not able to restore the exact
|
|
||||||
state but configured sssd profile instead.
|
|
||||||
|
|
||||||
Now that the code is doing a pre-install backup, uninstall
|
|
||||||
restores the exact state and the test needs to be updated
|
|
||||||
accordingly.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8189
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_authselect.py | 13 ++++++++-----
|
|
||||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
|
|
||||||
index bdf7d9f77..cba23e707 100644
|
|
||||||
--- a/ipatests/test_integration/test_authselect.py
|
|
||||||
+++ b/ipatests/test_integration/test_authselect.py
|
|
||||||
@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest):
|
|
||||||
['rm', '-f', '/etc/authselect/authselect.conf'])
|
|
||||||
result = self._install_client()
|
|
||||||
assert result.returncode == 0
|
|
||||||
- assert self.msg_warn_install in result.stderr_text
|
|
||||||
+ # With the fix for 8189, there is no warning any more
|
|
||||||
+ # because install is performing a pre-install backup
|
|
||||||
+ assert self.msg_warn_install not in result.stderr_text
|
|
||||||
# Client installation must configure the 'sssd' profile
|
|
||||||
# with sudo
|
|
||||||
check_authselect_profile(self.client, default_profile, ('with-sudo',))
|
|
||||||
@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest):
|
|
||||||
"""
|
|
||||||
Test client un-installation when there was no authselect profile
|
|
||||||
"""
|
|
||||||
- # As the client did not have any authselect profile before install,
|
|
||||||
- # uninstall must print a warning about restoring 'sssd' profile
|
|
||||||
- # by default
|
|
||||||
+ # The client did not have any authselect profile before install,
|
|
||||||
+ # but uninstall must be able to restore the backup
|
|
||||||
+ # Check that no profile is configured after uninstall
|
|
||||||
result = self._uninstall_client()
|
|
||||||
assert result.returncode == 0
|
|
||||||
- check_authselect_profile(self.client, default_profile)
|
|
||||||
+ assert not self.client.transport.file_exists(
|
|
||||||
+ '/etc/authselect/authselect.conf')
|
|
||||||
|
|
||||||
def test_install_client_preconfigured_profile(self):
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,30 +1,239 @@
|
|||||||
Adapted version due to missing patches:
|
From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Fri, 19 Feb 2021 15:37:47 +0200
|
||||||
|
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
|
||||||
|
|
||||||
commit 1f1e7dbe6131b3cdc0ba81b454c7729126bfa6ee
|
Calling to ipadb_get_connection() will remove LDAP context if any error
|
||||||
Author: Slava Aseev <ptrnine@altlinux.org>
|
happens. This means upper layers must always verify that LDAP context
|
||||||
Date: Mon Nov 23 18:23:01 2020 +0300
|
exists after such calls.
|
||||||
|
|
||||||
ipa-kdb: handle dates up to 2106-02-07 06:28:16
|
ipadb_get_user_auth() may re-read global configuration and that may fail
|
||||||
|
and cause IPA context to have NULL LDAP context.
|
||||||
|
|
||||||
commit 44c222aca9bb0056004f15dfb187d3f249ed0452
|
Fixes: https://pagure.io/freeipa/issue/8681
|
||||||
Author: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Thu Dec 17 12:22:47 2020 +0200
|
|
||||||
|
|
||||||
ipa-kdb: use predefined filters for a wild-card searches
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb.c | 1 +
|
||||||
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
|
||||||
|
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
|
||||||
|
3 files changed, 37 insertions(+), 22 deletions(-)
|
||||||
|
|
||||||
commit 78a7ab0daf0d5ebd388046aec6e1c9328e0564a8
|
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
||||||
Author: Robbie Harwood <rharwood@redhat.com>
|
index 43ba955ac..6e1e3e351 100644
|
||||||
Date: Tue Nov 10 14:07:47 2020 -0500
|
--- a/daemons/ipa-kdb/ipa_kdb.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
||||||
|
@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
|
||||||
|
/* ldap free lcontext */
|
||||||
|
if ((*ctx)->lcontext) {
|
||||||
|
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
|
||||||
|
+ (*ctx)->lcontext = NULL;
|
||||||
|
}
|
||||||
|
free((*ctx)->supp_encs);
|
||||||
|
free((*ctx)->def_encs);
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
index 31f617129..81a8fd483 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
|
@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
krb5_timestamp authtime,
|
||||||
|
struct netr_SamInfo3 *info3)
|
||||||
|
{
|
||||||
|
- LDAP *lcontext = ipactx->lcontext;
|
||||||
|
LDAPDerefRes *deref_results = NULL;
|
||||||
|
struct dom_sid sid;
|
||||||
|
gid_t prigid = -1;
|
||||||
|
@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
bool is_idobject = false;
|
||||||
|
krb5_principal princ;
|
||||||
|
|
||||||
ipa-kdb: implement AS-REQ lifetime jitter
|
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
|
||||||
|
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
|
||||||
|
&objectclasses);
|
||||||
|
if (ret == 0 && objectclasses != NULL) {
|
||||||
|
for (c = 0; objectclasses[c] != NULL; c++) {
|
||||||
|
@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
}
|
||||||
|
|
||||||
commit d6a8fc290aa93fc5d53025f4400a9736366175eb
|
if (is_host) {
|
||||||
Author: Rob Crittenden <rcritten@redhat.com>
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
|
||||||
Date: Thu Sep 24 22:39:36 2020 -0400
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
|
||||||
|
if (ret) {
|
||||||
|
/* fqdn is mandatory for hosts */
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
} else if (is_service) {
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
+ "krbCanonicalName", &strres);
|
||||||
|
if (ret) {
|
||||||
|
/* krbCanonicalName is mandatory for services */
|
||||||
|
return ret;
|
||||||
|
@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
return ENOENT;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
|
||||||
|
if (ret) {
|
||||||
|
/* uid is mandatory */
|
||||||
|
return ret;
|
||||||
|
@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
if (is_host || is_service) {
|
||||||
|
prigid = 515; /* Well known RID for domain computers group */
|
||||||
|
} else {
|
||||||
|
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
|
||||||
|
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
|
||||||
|
+ "gidNumber", &intres);
|
||||||
|
if (ret) {
|
||||||
|
/* gidNumber is mandatory */
|
||||||
|
return ret;
|
||||||
|
@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
info3->base.kickoff_time = INT64_MAX;
|
||||||
|
#endif
|
||||||
|
|
||||||
Pass the user to the password policy check in the kdb driver
|
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
|
||||||
|
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
|
||||||
|
"krbLastPwdChange", &timeres);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
info3->base.allow_password_change = info3->base.last_password_change;
|
||||||
|
info3->base.force_password_change = INT64_MAX;
|
||||||
|
|
||||||
From 701d0fb0415497fe9fe8fbf25fa800041e2a2b40 Mon Sep 17 00:00:00 2001
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
info3->base.full_name.string = talloc_strdup(memctx, strres);
|
||||||
|
@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
"ipaNTLogonScript", &strres);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
"ipaNTProfilePath", &strres);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
"ipaNTHomeDirectory", &strres);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
"ipaNTHomeDirectoryDrive", &strres);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
info3->base.rid = 515;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
||||||
|
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||||
|
"ipaNTSecurityIdentifier", &strres);
|
||||||
|
if (ret) {
|
||||||
|
/* SID is mandatory */
|
||||||
|
@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
|
||||||
|
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
||||||
|
switch (ret) {
|
||||||
|
LDAPDerefRes *dres;
|
||||||
|
LDAPDerefVal *dval;
|
||||||
|
@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
|
||||||
|
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
||||||
|
{
|
||||||
|
struct ipadb_adtrusts *t;
|
||||||
|
- LDAP *lc = ipactx->lcontext;
|
||||||
|
+ LDAP *lc = NULL;
|
||||||
|
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
|
||||||
|
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
|
||||||
|
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
|
||||||
|
@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ lc = ipactx->lcontext;
|
||||||
|
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
|
||||||
|
dnstr = ldap_get_dn(lc, le);
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
index d1fa51578..cf1b4f53e 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
|
||||||
|
if (gcfg != NULL)
|
||||||
|
gua = gcfg->user_auth;
|
||||||
|
|
||||||
|
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
|
||||||
|
+ * global config and cleared the ipactx */
|
||||||
|
+ if (ipactx->lcontext == NULL)
|
||||||
|
+ return IPADB_USER_AUTH_NONE;
|
||||||
|
+
|
||||||
|
/* Get the user's user_auth settings if not disabled. */
|
||||||
|
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
|
||||||
|
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
|
||||||
|
@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||||
|
free(entry);
|
||||||
|
return KRB5_KDB_DBNOTINITED;
|
||||||
|
}
|
||||||
|
- lcontext = ipactx->lcontext;
|
||||||
|
- if (!lcontext) {
|
||||||
|
+
|
||||||
|
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
||||||
|
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
||||||
|
+
|
||||||
|
+ /* Get User Auth configuration. */
|
||||||
|
+ ua = ipadb_get_user_auth(ipactx, lentry);
|
||||||
|
+
|
||||||
|
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
|
||||||
|
+ * and that might fail, causing lcontext to become NULL */
|
||||||
|
+ if (!ipactx->lcontext) {
|
||||||
|
krb5_klog_syslog(LOG_INFO,
|
||||||
|
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
|
||||||
|
ret = ipadb_get_connection(ipactx);
|
||||||
|
@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
||||||
|
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
||||||
|
-
|
||||||
|
- /* Get User Auth configuration. */
|
||||||
|
- ua = ipadb_get_user_auth(ipactx, lentry);
|
||||||
|
+ /* If any code below would result in invalidating ipactx->lcontext,
|
||||||
|
+ * lcontext must be updated with the new ipactx->lcontext value.
|
||||||
|
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
|
||||||
|
+ lcontext = ipactx->lcontext;
|
||||||
|
|
||||||
|
/* ignore mask for now */
|
||||||
|
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
||||||
|
From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Date: Tue, 23 Feb 2021 10:06:25 +0200
|
Date: Tue, 23 Feb 2021 10:06:25 +0200
|
||||||
Subject: [PATCH] ipa-kdb: fix compiler warnings
|
Subject: [PATCH] ipa-kdb: fix compiler warnings
|
||||||
@ -38,7 +247,6 @@ In the same way, SID structures have own requirements.
|
|||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
---
|
||||||
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
|
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
|
||||||
@ -50,10 +258,10 @@ diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_
|
|||||||
index ed48ea758..ec2046bfe 100644
|
index ed48ea758..ec2046bfe 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
||||||
@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
|
@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
|
||||||
}
|
|
||||||
|
|
||||||
if (client->last_failed + ied->pol->lockout_duration > authtime &&
|
if (krb5_ts_after(krb5_ts_incr(client->last_failed,
|
||||||
|
ied->pol->lockout_duration), authtime) &&
|
||||||
- (client->fail_auth_count >= ied->pol->max_fail &&
|
- (client->fail_auth_count >= ied->pol->max_fail &&
|
||||||
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
|
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
|
||||||
ied->pol->max_fail != 0)) {
|
ied->pol->max_fail != 0)) {
|
||||||
@ -67,10 +275,10 @@ index ed48ea758..ec2046bfe 100644
|
|||||||
client->fail_auth_count++;
|
client->fail_auth_count++;
|
||||||
client->mask |= KMASK_FAIL_AUTH_COUNT;
|
client->mask |= KMASK_FAIL_AUTH_COUNT;
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
index c6ac593ca..050100430 100644
|
index 81a8fd483..9691b14f6 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
@@ -147,9 +147,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
|
@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
|
||||||
|
|
||||||
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
|
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
|
||||||
{
|
{
|
||||||
@ -82,7 +290,7 @@ index c6ac593ca..050100430 100644
|
|||||||
uint32_t ia;
|
uint32_t ia;
|
||||||
char *buf;
|
char *buf;
|
||||||
|
|
||||||
@@ -2606,7 +2606,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
||||||
|
|
||||||
t[n].upn_suffixes_len = NULL;
|
t[n].upn_suffixes_len = NULL;
|
||||||
if (t[n].upn_suffixes != NULL) {
|
if (t[n].upn_suffixes != NULL) {
|
||||||
@ -92,10 +300,10 @@ index c6ac593ca..050100430 100644
|
|||||||
for (; t[n].upn_suffixes[len] != NULL; len++);
|
for (; t[n].upn_suffixes[len] != NULL; len++);
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
index d1fa51578..59337a4ca 100644
|
index cf1b4f53e..0a98ff054 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
@@ -491,7 +491,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
|
@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
|
||||||
l = len;
|
l = len;
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
ret = snprintf(ap, l, "%s ", authinds[i]);
|
ret = snprintf(ap, l, "%s ", authinds[i]);
|
||||||
@ -104,7 +312,7 @@ index d1fa51578..59337a4ca 100644
|
|||||||
ret = ENOMEM;
|
ret = ENOMEM;
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
@@ -2064,7 +2064,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
|
@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
|
||||||
char *s = NULL;
|
char *s = NULL;
|
||||||
size_t ai_size = 0;
|
size_t ai_size = 0;
|
||||||
int cnt = 0;
|
int cnt = 0;
|
||||||
@ -113,7 +321,7 @@ index d1fa51578..59337a4ca 100644
|
|||||||
|
|
||||||
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
|
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
@@ -2445,7 +2445,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
|
@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
|
||||||
{
|
{
|
||||||
krb5_error_code kerr;
|
krb5_error_code kerr;
|
||||||
LDAPMod *m = NULL;
|
LDAPMod *m = NULL;
|
||||||
@ -126,7 +334,7 @@ diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpo
|
|||||||
index 4965e6d7f..6f21ef867 100644
|
index 4965e6d7f..6f21ef867 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
||||||
@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
|
@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ied->pol->max_fail == 0 ||
|
if (ied->pol->max_fail == 0 ||
|
||||||
@ -138,7 +346,7 @@ index 4965e6d7f..6f21ef867 100644
|
|||||||
--
|
--
|
||||||
2.29.2
|
2.29.2
|
||||||
|
|
||||||
From d454ca8f004954f19622fe61ad9e2854359f3784 Mon Sep 17 00:00:00 2001
|
From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Date: Wed, 24 Feb 2021 20:51:40 +0200
|
Date: Wed, 24 Feb 2021 20:51:40 +0200
|
||||||
Subject: [PATCH] ipa-kdb: add missing prototypes
|
Subject: [PATCH] ipa-kdb: add missing prototypes
|
||||||
@ -152,7 +360,6 @@ We also default to -Werror=implicit-function-declaration
|
|||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
---
|
||||||
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
|
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
|
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
|
||||||
@ -160,25 +367,25 @@ Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|||||||
3 files changed, 20 insertions(+), 8 deletions(-)
|
3 files changed, 20 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||||
index 7f03f2f03..6976f9ba9 100644
|
index a89f8bbda..aa61a2d1b 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||||
@@ -9,6 +9,10 @@
|
@@ -14,6 +14,10 @@
|
||||||
#include "ipa_krb5.h"
|
#define ONE_DAY_SECONDS (24 * 60 * 60)
|
||||||
#include "ipa_kdb.h"
|
#define JITTER_WINDOW_SECONDS (1 * 60 * 60)
|
||||||
|
|
||||||
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
|
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
|
||||||
+ int maj_ver, int min_ver,
|
+ int maj_ver, int min_ver,
|
||||||
+ krb5_plugin_vtable vtable);
|
+ krb5_plugin_vtable vtable);
|
||||||
+
|
+
|
||||||
static krb5_error_code
|
static void
|
||||||
ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
|
||||||
const krb5_kdc_req *request,
|
{
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
index 050100430..c05fb717a 100644
|
index 9691b14f6..47b12a16f 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||||
@@ -2403,9 +2403,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
||||||
*mspac = NULL;
|
*mspac = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -192,21 +399,21 @@ index 050100430..c05fb717a 100644
|
|||||||
{
|
{
|
||||||
int len, i;
|
int len, i;
|
||||||
char **source;
|
char **source;
|
||||||
@@ -2436,9 +2437,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
||||||
- char **sid_blacklist_incoming,
|
- char **sid_blocklist_incoming,
|
||||||
- char **sid_blacklist_outgoing)
|
- char **sid_blocklist_outgoing)
|
||||||
+static krb5_error_code
|
+static krb5_error_code
|
||||||
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
||||||
+ char **sid_blacklist_incoming,
|
+ char **sid_blocklist_incoming,
|
||||||
+ char **sid_blacklist_outgoing)
|
+ char **sid_blocklist_outgoing)
|
||||||
{
|
{
|
||||||
krb5_error_code kerr;
|
krb5_error_code kerr;
|
||||||
|
|
||||||
@@ -2459,7 +2461,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
|
@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -216,7 +423,7 @@ index 050100430..c05fb717a 100644
|
|||||||
{
|
{
|
||||||
char *attrs[] = { NULL };
|
char *attrs[] = { NULL };
|
||||||
char *filter = "(objectclass=ipaNTTrustedDomain)";
|
char *filter = "(objectclass=ipaNTTrustedDomain)";
|
||||||
@@ -2504,7 +2507,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si
|
@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -225,9 +432,9 @@ index 050100430..c05fb717a 100644
|
|||||||
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
||||||
{
|
{
|
||||||
struct ipadb_adtrusts *t;
|
struct ipadb_adtrusts *t;
|
||||||
LDAP *lc = ipactx->lcontext;
|
LDAP *lc = NULL;
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
||||||
index b21aa163f..2369e16f8 100644
|
index d23a14a0b..8c8a3a001 100644
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
||||||
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
|
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
|
||||||
@ -242,7 +449,7 @@ index b21aa163f..2369e16f8 100644
|
|||||||
--
|
--
|
||||||
2.29.2
|
2.29.2
|
||||||
|
|
||||||
From da98a6fcb81ee3ac7df8bb238a0793809c2be3fd Mon Sep 17 00:00:00 2001
|
From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Date: Wed, 24 Feb 2021 20:52:15 +0200
|
Date: Wed, 24 Feb 2021 20:52:15 +0200
|
||||||
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
|
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
|
||||||
@ -254,7 +461,6 @@ Replace few tabs by spaces and mark static code as static.
|
|||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
---
|
||||||
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
|
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
|
||||||
1 file changed, 14 insertions(+), 11 deletions(-)
|
1 file changed, 14 insertions(+), 11 deletions(-)
|
||||||
@ -317,7 +523,7 @@ index bc6b26578..3a3060c92 100644
|
|||||||
--
|
--
|
||||||
2.29.2
|
2.29.2
|
||||||
|
|
||||||
From aa7f99c08ff41f216d60152d6235922c561c2881 Mon Sep 17 00:00:00 2001
|
From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Date: Wed, 24 Feb 2021 20:55:41 +0200
|
Date: Wed, 24 Feb 2021 20:55:41 +0200
|
||||||
Subject: [PATCH] ipa-kdb: mark test functions as static
|
Subject: [PATCH] ipa-kdb: mark test functions as static
|
||||||
@ -327,16 +533,15 @@ No need to define missing prototypes to single use test functions.
|
|||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
---
|
||||||
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
|
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
|
||||||
1 file changed, 5 insertions(+), 8 deletions(-)
|
1 file changed, 5 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
||||||
index 368a2f978..960200b6e 100644
|
index 2a174ce6b..0b51ffb96 100644
|
||||||
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
||||||
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
||||||
@@ -180,7 +180,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
|
@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
|
||||||
krb5_data realm,
|
krb5_data realm,
|
||||||
struct PAC_LOGON_INFO_CTR *info);
|
struct PAC_LOGON_INFO_CTR *info);
|
||||||
|
|
||||||
@ -345,7 +550,7 @@ index 368a2f978..960200b6e 100644
|
|||||||
{
|
{
|
||||||
krb5_error_code kerr;
|
krb5_error_code kerr;
|
||||||
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
|
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
|
||||||
@@ -315,10 +315,7 @@ void test_filter_logon_info(void **state)
|
@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -357,7 +562,7 @@ index 368a2f978..960200b6e 100644
|
|||||||
{
|
{
|
||||||
bool with_pac;
|
bool with_pac;
|
||||||
bool with_pad;
|
bool with_pad;
|
||||||
@@ -436,7 +433,7 @@ void test_get_authz_data_types(void **state)
|
@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
|
||||||
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
|
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -366,7 +571,7 @@ index 368a2f978..960200b6e 100644
|
|||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
struct dom_sid sid;
|
struct dom_sid sid;
|
||||||
@@ -468,7 +465,7 @@ void test_string_to_sid(void **state)
|
@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
|
||||||
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
|
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -375,7 +580,7 @@ index 368a2f978..960200b6e 100644
|
|||||||
{
|
{
|
||||||
struct test_ctx *test_ctx;
|
struct test_ctx *test_ctx;
|
||||||
char *str_sid;
|
char *str_sid;
|
||||||
@@ -494,7 +491,7 @@ void test_dom_sid_string(void **state)
|
@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -387,239 +592,3 @@ index 368a2f978..960200b6e 100644
|
|||||||
--
|
--
|
||||||
2.29.2
|
2.29.2
|
||||||
|
|
||||||
From 79baa0932d1349d46d162e7478fa4e3c8e88dc09 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 19 Feb 2021 15:37:47 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
|
|
||||||
|
|
||||||
Calling to ipadb_get_connection() will remove LDAP context if any error
|
|
||||||
happens. This means upper layers must always verify that LDAP context
|
|
||||||
exists after such calls.
|
|
||||||
|
|
||||||
ipadb_get_user_auth() may re-read global configuration and that may fail
|
|
||||||
and cause IPA context to have NULL LDAP context.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8681
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb.c | 1 +
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
|
|
||||||
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
|
|
||||||
3 files changed, 37 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
|
||||||
index 33d2a6773..e7b8d7dbf 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
|
||||||
@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext,
|
|
||||||
/* ldap free lcontext */
|
|
||||||
if ((*ctx)->lcontext) {
|
|
||||||
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
|
|
||||||
+ (*ctx)->lcontext = NULL;
|
|
||||||
}
|
|
||||||
free((*ctx)->supp_encs);
|
|
||||||
free((*ctx)->def_encs);
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index c05fb717a..1e59189ed 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -416,7 +416,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
TALLOC_CTX *memctx,
|
|
||||||
struct netr_SamInfo3 *info3)
|
|
||||||
{
|
|
||||||
- LDAP *lcontext = ipactx->lcontext;
|
|
||||||
LDAPDerefRes *deref_results = NULL;
|
|
||||||
struct dom_sid sid;
|
|
||||||
gid_t prigid = -1;
|
|
||||||
@@ -433,7 +432,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
bool is_idobject = false;
|
|
||||||
krb5_principal princ;
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
|
|
||||||
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
|
|
||||||
&objectclasses);
|
|
||||||
if (ret == 0 && objectclasses != NULL) {
|
|
||||||
for (c = 0; objectclasses[c] != NULL; c++) {
|
|
||||||
@@ -470,13 +469,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (is_host) {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* fqdn is mandatory for hosts */
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
} else if (is_service) {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
+ "krbCanonicalName", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* krbCanonicalName is mandatory for services */
|
|
||||||
return ret;
|
|
||||||
@@ -496,7 +496,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ENOENT;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* uid is mandatory */
|
|
||||||
return ret;
|
|
||||||
@@ -509,7 +509,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
if (is_host || is_service) {
|
|
||||||
prigid = 515; /* Well known RID for domain computers group */
|
|
||||||
} else {
|
|
||||||
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
|
|
||||||
+ "gidNumber", &intres);
|
|
||||||
if (ret) {
|
|
||||||
/* gidNumber is mandatory */
|
|
||||||
return ret;
|
|
||||||
@@ -540,7 +541,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
info3->base.kickoff_time = -1;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
|
|
||||||
"krbLastPwdChange", &timeres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -557,7 +558,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
info3->base.allow_password_change = 0;
|
|
||||||
info3->base.force_password_change = -1;
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
info3->base.full_name.string = talloc_strdup(memctx, strres);
|
|
||||||
@@ -570,7 +571,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTLogonScript", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -584,7 +585,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTProfilePath", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -598,7 +599,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTHomeDirectory", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -612,7 +613,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTHomeDirectoryDrive", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
info3->base.rid = 515;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTSecurityIdentifier", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* SID is mandatory */
|
|
||||||
@@ -660,7 +661,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
|
|
||||||
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
|
||||||
switch (ret) {
|
|
||||||
LDAPDerefRes *dres;
|
|
||||||
LDAPDerefVal *dval;
|
|
||||||
@@ -2511,7 +2512,7 @@ static krb5_error_code
|
|
||||||
ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
{
|
|
||||||
struct ipadb_adtrusts *t;
|
|
||||||
- LDAP *lc = ipactx->lcontext;
|
|
||||||
+ LDAP *lc = NULL;
|
|
||||||
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
|
|
||||||
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
|
|
||||||
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
|
|
||||||
@@ -2545,6 +2546,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ lc = ipactx->lcontext;
|
|
||||||
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
|
|
||||||
dnstr = ldap_get_dn(lc, le);
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
index 59337a4ca..0a98ff054 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
@@ -335,6 +335,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
|
|
||||||
if (gcfg != NULL)
|
|
||||||
gua = gcfg->user_auth;
|
|
||||||
|
|
||||||
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
|
|
||||||
+ * global config and cleared the ipactx */
|
|
||||||
+ if (ipactx->lcontext == NULL)
|
|
||||||
+ return IPADB_USER_AUTH_NONE;
|
|
||||||
+
|
|
||||||
/* Get the user's user_auth settings if not disabled. */
|
|
||||||
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
|
|
||||||
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
|
|
||||||
@@ -608,8 +613,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
||||||
free(entry);
|
|
||||||
return KRB5_KDB_DBNOTINITED;
|
|
||||||
}
|
|
||||||
- lcontext = ipactx->lcontext;
|
|
||||||
- if (!lcontext) {
|
|
||||||
+
|
|
||||||
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
||||||
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
||||||
+
|
|
||||||
+ /* Get User Auth configuration. */
|
|
||||||
+ ua = ipadb_get_user_auth(ipactx, lentry);
|
|
||||||
+
|
|
||||||
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
|
|
||||||
+ * and that might fail, causing lcontext to become NULL */
|
|
||||||
+ if (!ipactx->lcontext) {
|
|
||||||
krb5_klog_syslog(LOG_INFO,
|
|
||||||
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
|
|
||||||
ret = ipadb_get_connection(ipactx);
|
|
||||||
@@ -621,11 +634,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
||||||
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
||||||
-
|
|
||||||
- /* Get User Auth configuration. */
|
|
||||||
- ua = ipadb_get_user_auth(ipactx, lentry);
|
|
||||||
+ /* If any code below would result in invalidating ipactx->lcontext,
|
|
||||||
+ * lcontext must be updated with the new ipactx->lcontext value.
|
|
||||||
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
|
|
||||||
+ lcontext = ipactx->lcontext;
|
|
||||||
|
|
||||||
/* ignore mask for now */
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
From 66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Wed, 29 Jul 2020 13:42:43 -0400
|
|
||||||
Subject: [PATCH] Replace SSLCertVerificationError with CertificateError for
|
|
||||||
py36
|
|
||||||
|
|
||||||
This exception was added in python 3.7. Use CertificateError
|
|
||||||
instead which is an alias and will work with older python releases.
|
|
||||||
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
|
|
||||||
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/server/upgrade.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
||||||
index 2c36bc0e2..2c1517865 100644
|
|
||||||
--- a/ipaserver/install/server/upgrade.py
|
|
||||||
+++ b/ipaserver/install/server/upgrade.py
|
|
||||||
@@ -667,7 +667,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
|
|
||||||
|
|
||||||
try:
|
|
||||||
cert.match_hostname(expect)
|
|
||||||
- except ssl.SSLCertVerificationError:
|
|
||||||
+ except ssl.CertificateError:
|
|
||||||
if certs.is_ipa_issued_cert(api, cert):
|
|
||||||
request_id = certmonger.get_request_id(
|
|
||||||
{'cert-file': paths.HTTPD_CERT_FILE})
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -0,0 +1,64 @@
|
|||||||
|
From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Mon, 15 Mar 2021 16:55:08 +0100
|
||||||
|
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
|
||||||
|
(2)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8530
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
---
|
||||||
|
ipaclient/install/client.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
||||||
|
index 0e478fa26..9bdfbddaf 100644
|
||||||
|
--- a/ipaclient/install/client.py
|
||||||
|
+++ b/ipaclient/install/client.py
|
||||||
|
@@ -2205,7 +2205,7 @@ def install_check(options):
|
||||||
|
# available.
|
||||||
|
if options.conf_sudo:
|
||||||
|
try:
|
||||||
|
- subprocess.Popen(['sudo -V'])
|
||||||
|
+ subprocess.Popen(['sudo', '-V'])
|
||||||
|
except FileNotFoundError:
|
||||||
|
logger.info(
|
||||||
|
"The sudo binary does not seem to be present on this "
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
||||||
|
From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Mon, 15 Mar 2021 17:00:05 +0100
|
||||||
|
Subject: [PATCH] ipatests: check for the "no sudo present" string absence
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
When sudo is installed, no warning should be output about sudo not
|
||||||
|
being available (obviously). Check that the relevant string is
|
||||||
|
not present.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8530
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_installation.py | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index a50a59f1a..a5ff17a0d 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
|
||||||
|
tasks.install_packages(self.clients[0], ['sudo'])
|
||||||
|
for pkg in ('sudo', 'libsss_sudo'):
|
||||||
|
assert tasks.is_package_installed(self.clients[0], pkg)
|
||||||
|
+ result = tasks.install_client(self.master, self.clients[0])
|
||||||
|
+ assert self.no_sudo_str not in result.stderr_text
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
@ -1,103 +0,0 @@
|
|||||||
From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Fri, 8 May 2020 15:27:01 +0200
|
|
||||||
Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
|
|
||||||
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.if | 27 +++++++++++++++++++++++++++
|
|
||||||
1 file changed, 27 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.if b/selinux/ipa.if
|
|
||||||
index cefae5d90..ea971b8fa 100644
|
|
||||||
--- a/selinux/ipa.if
|
|
||||||
+++ b/selinux/ipa.if
|
|
||||||
@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
|
|
||||||
manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
|
|
||||||
')
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+########################################
|
|
||||||
+## <summary>
|
|
||||||
+## Execute dirsrv server in the dirsrv domain.
|
|
||||||
+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
|
|
||||||
+## </summary>
|
|
||||||
+## <param name="domain">
|
|
||||||
+## <summary>
|
|
||||||
+## Domain allowed to transition.
|
|
||||||
+## </summary>
|
|
||||||
+## </param>
|
|
||||||
+#
|
|
||||||
+ifndef(`dirsrv_systemctl',`
|
|
||||||
+ interface(`dirsrv_systemctl',`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type dirsrv_unit_file_t;
|
|
||||||
+ type dirsrv_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ systemd_exec_systemctl($1)
|
|
||||||
+ init_reload_services($1)
|
|
||||||
+ allow $1 dirsrv_unit_file_t:file read_file_perms;
|
|
||||||
+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
|
|
||||||
+
|
|
||||||
+ ps_process_pattern($1, dirsrv_t)
|
|
||||||
+ ')
|
|
||||||
+')
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Date: Thu, 7 May 2020 16:17:12 +0200
|
|
||||||
Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
|
|
||||||
|
|
||||||
Allow ipa_helper_t connect to init using /run/systemd/private socket.
|
|
||||||
Allow ipa_helper_t read init process state.
|
|
||||||
Allow ipa_helper_t manage sssd and dirsrv units.
|
|
||||||
|
|
||||||
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
|
|
||||||
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index b1e29c8e2..587e5e585 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
|
|
||||||
|
|
||||||
files_list_tmp(ipa_helper_t)
|
|
||||||
|
|
||||||
+init_read_state(ipa_helper_t)
|
|
||||||
+init_stream_connect(ipa_helper_t)
|
|
||||||
+
|
|
||||||
ipa_manage_pid_files(ipa_helper_t)
|
|
||||||
ipa_read_lib(ipa_helper_t)
|
|
||||||
|
|
||||||
@@ -156,6 +159,10 @@ optional_policy(`
|
|
||||||
dirsrv_stream_connect(ipa_helper_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
+optional_policy(`
|
|
||||||
+ dirsrv_systemctl(ipa_helper_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
optional_policy(`
|
|
||||||
ldap_stream_connect(ipa_helper_t)
|
|
||||||
')
|
|
||||||
@@ -182,6 +189,7 @@ optional_policy(`
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
sssd_manage_lib_files(ipa_helper_t)
|
|
||||||
+ sssd_systemctl(ipa_helper_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,84 +0,0 @@
|
|||||||
From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Mon, 3 Aug 2020 18:52:07 +0200
|
|
||||||
Subject: [PATCH] CAless installation: set the perms on KDC cert file
|
|
||||||
|
|
||||||
In CA less installation, the KDC certificate file does not have
|
|
||||||
the expected 644 permissions. As a consequence, WebUI login
|
|
||||||
fails.
|
|
||||||
|
|
||||||
The fix makes sure that the KDC cert file is saved with 644 perms.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8440
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/krbinstance.py | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
|
||||||
index 09d14693c..1910ff374 100644
|
|
||||||
--- a/ipaserver/install/krbinstance.py
|
|
||||||
+++ b/ipaserver/install/krbinstance.py
|
|
||||||
@@ -536,6 +536,8 @@ class KrbInstance(service.Service):
|
|
||||||
certs.install_pem_from_p12(self.pkcs12_info[0],
|
|
||||||
self.pkcs12_info[1],
|
|
||||||
paths.KDC_CERT)
|
|
||||||
+ # The KDC cert needs to be readable by everyone
|
|
||||||
+ os.chmod(paths.KDC_CERT, 0o644)
|
|
||||||
certs.install_key_from_p12(self.pkcs12_info[0],
|
|
||||||
self.pkcs12_info[1],
|
|
||||||
paths.KDC_KEY)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Mon, 3 Aug 2020 18:53:47 +0200
|
|
||||||
Subject: [PATCH] ipatests: check KDC cert permissions in CA less install
|
|
||||||
|
|
||||||
The KDC certificate file must be stored with 644 permissions.
|
|
||||||
Add a test checking the file permissions on server + replica.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8440
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_caless.py | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
|
|
||||||
index a7b2cbbbc..1ea7d9896 100644
|
|
||||||
--- a/ipatests/test_integration/test_caless.py
|
|
||||||
+++ b/ipatests/test_integration/test_caless.py
|
|
||||||
@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
|
|
||||||
assert result.returncode == 0
|
|
||||||
|
|
||||||
|
|
||||||
+def verify_kdc_cert_perms(host):
|
|
||||||
+ """Verify that the KDC cert pem file has 0644 perms"""
|
|
||||||
+ cmd = host.run_command(['stat', '-c',
|
|
||||||
+ '"%a %G:%U"', paths.KDC_CERT])
|
|
||||||
+ assert "644 root:root" in cmd.stdout_text
|
|
||||||
+
|
|
||||||
+
|
|
||||||
class TestPKINIT(CALessBase):
|
|
||||||
"""Install master and replica with PKINIT"""
|
|
||||||
num_replicas = 1
|
|
||||||
@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
|
|
||||||
result = cls.install_server(pkinit_pkcs12_exists=True,
|
|
||||||
pkinit_pin=_DEFAULT)
|
|
||||||
assert result.returncode == 0
|
|
||||||
+ verify_kdc_cert_perms(cls.master)
|
|
||||||
|
|
||||||
@replica_install_teardown
|
|
||||||
def test_server_replica_install_pkinit(self):
|
|
||||||
@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
|
|
||||||
pkinit_pin=_DEFAULT)
|
|
||||||
assert result.returncode == 0
|
|
||||||
self.verify_installation()
|
|
||||||
+ verify_kdc_cert_perms(self.replicas[0])
|
|
||||||
|
|
||||||
|
|
||||||
class TestServerReplicaCALessToCAFull(CALessBase):
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,145 +0,0 @@
|
|||||||
From b95817e35716bbab000633043817202e17d7c53e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 6 Aug 2020 17:07:36 +0200
|
|
||||||
Subject: [PATCH] IPA-EPN: Use a helper to retrieve LDAP attributes from an
|
|
||||||
entry
|
|
||||||
|
|
||||||
Allow for empty attributes.
|
|
||||||
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
ipaclient/install/ipa_epn.py | 22 +++++++++++++++-------
|
|
||||||
1 file changed, 15 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
|
|
||||||
index 65f9f3d47..0d1ae2add 100644
|
|
||||||
--- a/ipaclient/install/ipa_epn.py
|
|
||||||
+++ b/ipaclient/install/ipa_epn.py
|
|
||||||
@@ -122,22 +122,30 @@ class EPNUserList:
|
|
||||||
"""Return len(self)."""
|
|
||||||
return len(self._expiring_password_user_dq)
|
|
||||||
|
|
||||||
+ def get_ldap_attr(self, entry, attr):
|
|
||||||
+ """Get a single value from a multi-valued attr in a safe way"""
|
|
||||||
+ return str(entry.get(attr, [""]).pop(0))
|
|
||||||
+
|
|
||||||
def add(self, entry):
|
|
||||||
"""Parses and appends an LDAP user entry with the uid, cn,
|
|
||||||
givenname, sn, krbpasswordexpiration and mail attributes.
|
|
||||||
"""
|
|
||||||
try:
|
|
||||||
self._sorted = False
|
|
||||||
+ if entry.get("mail") is None:
|
|
||||||
+ logger.error("IPA-EPN: No mail address defined for: %s",
|
|
||||||
+ entry.dn)
|
|
||||||
+ return
|
|
||||||
self._expiring_password_user_dq.append(
|
|
||||||
dict(
|
|
||||||
- uid=str(entry["uid"].pop(0)),
|
|
||||||
- cn=str(entry["cn"].pop(0)),
|
|
||||||
- givenname=str(entry["givenname"].pop(0)),
|
|
||||||
- sn=str(entry["sn"].pop(0)),
|
|
||||||
- krbpasswordexpiration=str(
|
|
||||||
- entry["krbpasswordexpiration"].pop(0)
|
|
||||||
+ uid=self.get_ldap_attr(entry, "uid"),
|
|
||||||
+ cn=self.get_ldap_attr(entry, "cn"),
|
|
||||||
+ givenname=self.get_ldap_attr(entry, "givenname"),
|
|
||||||
+ sn=self.get_ldap_attr(entry, "sn"),
|
|
||||||
+ krbpasswordexpiration=(
|
|
||||||
+ self.get_ldap_attr(entry,"krbpasswordexpiration")
|
|
||||||
),
|
|
||||||
- mail=str(entry["mail"]),
|
|
||||||
+ mail=str(entry.get("mail")),
|
|
||||||
)
|
|
||||||
)
|
|
||||||
except IndexError as e:
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 8e810d8cf38ec60d76178bd673e218fb05d56c8e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 6 Aug 2020 17:13:19 +0200
|
|
||||||
Subject: [PATCH] IPA-EPN: fix configuration file typo
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
client/share/epn.conf | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/client/share/epn.conf b/client/share/epn.conf
|
|
||||||
index 0e590dfc3..e3645801c 100644
|
|
||||||
--- a/client/share/epn.conf
|
|
||||||
+++ b/client/share/epn.conf
|
|
||||||
@@ -23,7 +23,7 @@ smtp_port = 25
|
|
||||||
# Default None (empty value).
|
|
||||||
# smtp_password =
|
|
||||||
|
|
||||||
-# pecifies the number of seconds to wait for SMTP to respond.
|
|
||||||
+# Specifies the number of seconds to wait for SMTP to respond.
|
|
||||||
smtp_timeout = 60
|
|
||||||
|
|
||||||
# Specifies the type of secure connection to make. Options are: none,
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Thu, 6 Aug 2020 18:57:10 -0400
|
|
||||||
Subject: [PATCH] IPA-EPN: Test that users without givenname and/or mail are
|
|
||||||
handled
|
|
||||||
|
|
||||||
The admin user does not have a givenname by default, allow for that.
|
|
||||||
|
|
||||||
Report errors for users without a default e-mail address.
|
|
||||||
|
|
||||||
Update the SHA256 hash with the typo fix.
|
|
||||||
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_epn.py | 22 +++++++++++++++++++++-
|
|
||||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index 18f73c722..c5c73835a 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -240,7 +240,7 @@ class TestEPN(IntegrationTest):
|
|
||||||
assert epn_conf in cmd1.stdout_text
|
|
||||||
assert epn_template in cmd1.stdout_text
|
|
||||||
cmd2 = self.master.run_command(["sha256sum", epn_conf])
|
|
||||||
- ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
|
|
||||||
+ ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
|
|
||||||
assert cmd2.stdout_text.find(ck) == 0
|
|
||||||
|
|
||||||
def test_EPN_smoketest_1(self):
|
|
||||||
@@ -591,3 +591,23 @@ class TestEPN(IntegrationTest):
|
|
||||||
self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
|
|
||||||
result = tasks.ipa_epn(self.master, raiseonerr=False)
|
|
||||||
assert "smtp_delay cannot be less than zero" in result.stderr_text
|
|
||||||
+
|
|
||||||
+ def test_EPN_admin(self):
|
|
||||||
+ """The admin user is special and has no givenName by default
|
|
||||||
+ It also doesn't by default have an e-mail address
|
|
||||||
+ Check --dry-run output.
|
|
||||||
+ """
|
|
||||||
+ epn_conf = textwrap.dedent('''
|
|
||||||
+ [global]
|
|
||||||
+ ''')
|
|
||||||
+ self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ['ipa', 'user-mod', 'admin', '--password-expiration',
|
|
||||||
+ datetime_to_generalized_time(
|
|
||||||
+ datetime.datetime.utcnow() + datetime.timedelta(days=7)
|
|
||||||
+ )]
|
|
||||||
+ )
|
|
||||||
+ (unused, stderr_text, _unused) = self._check_epn_output(
|
|
||||||
+ self.master, dry_run=True
|
|
||||||
+ )
|
|
||||||
+ assert "uid=admin" in stderr_text
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,404 +0,0 @@
|
|||||||
From 9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Tue, 4 Aug 2020 11:05:31 +0200
|
|
||||||
Subject: [PATCH] ipatests: tasks.py: fix ipa-epn invocation
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
|
|
||||||
from_nbdays=0.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8449
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/pytest_ipa/integration/tasks.py | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
index a3f7cc838..c0a592750 100755
|
|
||||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
@@ -1470,9 +1470,9 @@ def ipa_epn(
|
|
||||||
cmd.append("--dry-run")
|
|
||||||
if mailtest:
|
|
||||||
cmd.append("--mail-test")
|
|
||||||
- if from_nbdays:
|
|
||||||
+ if from_nbdays is not None:
|
|
||||||
cmd.extend(("--from-nbdays", str(from_nbdays)))
|
|
||||||
- if to_nbdays:
|
|
||||||
+ if to_nbdays is not None:
|
|
||||||
cmd.extend(("--to-nbdays", str(to_nbdays)))
|
|
||||||
return host.run_command(cmd, raiseonerr=raiseonerr)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 3b8fdd87760cfb8ec739c67298f012cf0bd3ac39 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Wed, 5 Aug 2020 10:02:31 +0200
|
|
||||||
Subject: [PATCH] ipatests: test_epn: test_EPN_nbdays enhancements
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Enhance test_EPN_nbdays so that it checks:
|
|
||||||
* that no emails get sent when using --dry-run
|
|
||||||
* that --from-nbdays implies --dry-run
|
|
||||||
* that --to-nbdays requires --from-nbdays
|
|
||||||
* illegal inputs for nbdays:
|
|
||||||
** from-nbdays > to-nbdays
|
|
||||||
** non-numerical input
|
|
||||||
** decimal input
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8449
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_epn.py | 130 +++++++++++++++++++++++---
|
|
||||||
1 file changed, 117 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index f4c123c6d..18f73c722 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -15,6 +15,13 @@
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
+######
|
|
||||||
+# This test suite will _expectedly_ fail if run at the end of the UTC day
|
|
||||||
+# because users would be created during day N and then EPN output checked
|
|
||||||
+# during day N+1. This is expected and should be ignored as it does not
|
|
||||||
+# reflect a product bug. -- fcami
|
|
||||||
+######
|
|
||||||
+
|
|
||||||
from __future__ import print_function, absolute_import
|
|
||||||
|
|
||||||
import base64
|
|
||||||
@@ -178,12 +185,14 @@ class TestEPN(IntegrationTest):
|
|
||||||
from_nbdays=None,
|
|
||||||
to_nbdays=None,
|
|
||||||
raiseonerr=True,
|
|
||||||
+ validatejson=True
|
|
||||||
):
|
|
||||||
result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
|
|
||||||
from_nbdays=from_nbdays,
|
|
||||||
to_nbdays=to_nbdays)
|
|
||||||
- json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
|
|
||||||
- return (result.stdout_text, result.stderr_text)
|
|
||||||
+ if validatejson:
|
|
||||||
+ json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
|
|
||||||
+ return (result.stdout_text, result.stderr_text, result.returncode)
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def install(cls, mh):
|
|
||||||
@@ -244,12 +253,12 @@ class TestEPN(IntegrationTest):
|
|
||||||
''')
|
|
||||||
self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
|
|
||||||
# check EPN on client (LDAP+GSSAPI)
|
|
||||||
- (stdout_text, unused) = self._check_epn_output(
|
|
||||||
+ (stdout_text, unused, _unused) = self._check_epn_output(
|
|
||||||
self.clients[0], dry_run=True
|
|
||||||
)
|
|
||||||
assert len(json.loads(stdout_text)) == 0
|
|
||||||
# check EPN on master (LDAPI)
|
|
||||||
- (stdout_text, unused) = self._check_epn_output(
|
|
||||||
+ (stdout_text, unused, _unused) = self._check_epn_output(
|
|
||||||
self.master, dry_run=True
|
|
||||||
)
|
|
||||||
assert len(json.loads(stdout_text)) == 0
|
|
||||||
@@ -292,10 +301,10 @@ class TestEPN(IntegrationTest):
|
|
||||||
),
|
|
||||||
],
|
|
||||||
)
|
|
||||||
- (stdout_text_client, unused) = self._check_epn_output(
|
|
||||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
|
||||||
self.clients[0], dry_run=True
|
|
||||||
)
|
|
||||||
- (stdout_text_master, unused) = self._check_epn_output(
|
|
||||||
+ (stdout_text_master, unused, _unused) = self._check_epn_output(
|
|
||||||
self.master, dry_run=True
|
|
||||||
)
|
|
||||||
assert stdout_text_master == stdout_text_client
|
|
||||||
@@ -331,10 +340,10 @@ class TestEPN(IntegrationTest):
|
|
||||||
password=None,
|
|
||||||
)
|
|
||||||
|
|
||||||
- (stdout_text_client, unused) = self._check_epn_output(
|
|
||||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
|
||||||
self.clients[0], dry_run=True
|
|
||||||
)
|
|
||||||
- (stdout_text_master, unused) = self._check_epn_output(
|
|
||||||
+ (stdout_text_master, unused, _unused) = self._check_epn_output(
|
|
||||||
self.master, dry_run=True
|
|
||||||
)
|
|
||||||
assert stdout_text_master == stdout_text_client
|
|
||||||
@@ -344,22 +353,117 @@ class TestEPN(IntegrationTest):
|
|
||||||
expected_users = ["user1", "user3", "user7", "user14", "user28"]
|
|
||||||
assert sorted(user_lst) == sorted(expected_users)
|
|
||||||
|
|
||||||
- def test_EPN_nbdays(self):
|
|
||||||
+ def test_EPN_nbdays_0(self, cleanupmail):
|
|
||||||
"""Test the to/from nbdays options (implies --dry-run)
|
|
||||||
|
|
||||||
We have a set of users installed with varying expiration
|
|
||||||
dates. Confirm that to/from nbdays finds them.
|
|
||||||
+
|
|
||||||
+ Make sure --dry-run does not accidentally send emails.
|
|
||||||
"""
|
|
||||||
|
|
||||||
- # Compare the notify_ttls values
|
|
||||||
+ # Use the notify_ttls values with a 1-day sliding window
|
|
||||||
for i in self.notify_ttls:
|
|
||||||
user_list = []
|
|
||||||
- (stdout_text_client, unused) = self._check_epn_output(
|
|
||||||
- self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True)
|
|
||||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
|
||||||
+ self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True
|
|
||||||
+ )
|
|
||||||
for user in json.loads(stdout_text_client):
|
|
||||||
user_list.append(user["uid"])
|
|
||||||
assert len(user_list) == 1
|
|
||||||
- assert user_list[0] == "user%d" % i
|
|
||||||
+ userid = "user{id}".format(id=i)
|
|
||||||
+ assert user_list[0] == userid
|
|
||||||
+
|
|
||||||
+ # Check that the user list is expected for any given notify_ttls.
|
|
||||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
|
||||||
+ self.clients[0], to_nbdays=i
|
|
||||||
+ )
|
|
||||||
+ user_list = [user["uid"] for user in json.loads(stdout_text_client)]
|
|
||||||
+ assert len(user_list) == 1
|
|
||||||
+ assert user_list[0] == "user{id}".format(id=i - 1)
|
|
||||||
+
|
|
||||||
+ # make sure no emails were sent
|
|
||||||
+ result = self.clients[0].run_command(['ls', '-lha', '/var/mail/'])
|
|
||||||
+ assert userid not in result.stdout_text
|
|
||||||
+
|
|
||||||
+ def test_EPN_nbdays_1(self, cleanupmail):
|
|
||||||
+ """Test that for a given range, we find the users in that range"""
|
|
||||||
+
|
|
||||||
+ # Use hardcoded date ranges for now
|
|
||||||
+ for date_range in [(0, 5), (7, 15), (1, 20)]:
|
|
||||||
+ expected_user_list = ["user{i}".format(i=i)
|
|
||||||
+ for i in range(date_range[0], date_range[1])]
|
|
||||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
|
||||||
+ self.clients[0],
|
|
||||||
+ from_nbdays=date_range[0],
|
|
||||||
+ to_nbdays=date_range[1]
|
|
||||||
+ )
|
|
||||||
+ user_list = [user["uid"] for user in json.loads(stdout_text_client)]
|
|
||||||
+ for user in expected_user_list:
|
|
||||||
+ assert user in user_list
|
|
||||||
+ for user in user_list:
|
|
||||||
+ assert user in expected_user_list
|
|
||||||
+
|
|
||||||
+ # Test the to/from nbdays options behavior with illegal input
|
|
||||||
+
|
|
||||||
+ def test_EPN_nbdays_input_0(self):
|
|
||||||
+ """Make sure that --to-nbdays implies --dry-run ;
|
|
||||||
+ therefore check that the output is valid JSON and contains the
|
|
||||||
+ expected user.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ (stdout_text_client, unused, _unused) = self._check_epn_output(
|
|
||||||
+ self.clients[0], to_nbdays=5, dry_run=False
|
|
||||||
+ )
|
|
||||||
+ assert len(json.loads(stdout_text_client)) == 1
|
|
||||||
+ assert json.loads(stdout_text_client)[0]["uid"] == "user4"
|
|
||||||
+
|
|
||||||
+ def test_EPN_nbdays_input_1(self):
|
|
||||||
+ """Make sure that --from-nbdays cannot be used without --to-nbdays"""
|
|
||||||
+
|
|
||||||
+ (unused, stderr_text_client, rc) = \
|
|
||||||
+ self._check_epn_output(
|
|
||||||
+ self.clients[0], from_nbdays=3,
|
|
||||||
+ raiseonerr=False, validatejson=False
|
|
||||||
+ )
|
|
||||||
+ assert "You cannot specify --from-nbdays without --to-nbdays" \
|
|
||||||
+ in stderr_text_client
|
|
||||||
+ assert rc > 0
|
|
||||||
+
|
|
||||||
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
+ def test_EPN_nbdays_input_2(self):
|
|
||||||
+ """alpha input"""
|
|
||||||
+
|
|
||||||
+ (unused, stderr, rc) = self._check_epn_output(
|
|
||||||
+ self.clients[0], to_nbdays="abc",
|
|
||||||
+ raiseonerr=False, validatejson=False
|
|
||||||
+ )
|
|
||||||
+ assert "error: --to-nbdays must be an integer." in stderr
|
|
||||||
+ assert rc > 0
|
|
||||||
+
|
|
||||||
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
+ def test_EPN_nbdays_input_3(self):
|
|
||||||
+ """from_nbdays > to_nbdays"""
|
|
||||||
+
|
|
||||||
+ (unused, stderr, rc) = self._check_epn_output(
|
|
||||||
+ self.clients[0], from_nbdays=9, to_nbdays=7,
|
|
||||||
+ raiseonerr=False, validatejson=False
|
|
||||||
+ )
|
|
||||||
+ assert "error: --from-nbdays must be smaller than --to-nbdays." in \
|
|
||||||
+ stderr
|
|
||||||
+ assert rc > 0
|
|
||||||
+
|
|
||||||
+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
+ def test_EPN_nbdays_input_4(self):
|
|
||||||
+ """decimal input"""
|
|
||||||
+
|
|
||||||
+ (unused, stderr, rc) = self._check_epn_output(
|
|
||||||
+ self.clients[0], to_nbdays=7.3,
|
|
||||||
+ raiseonerr=False, validatejson=False
|
|
||||||
+ )
|
|
||||||
+ logger.info(stderr)
|
|
||||||
+ assert rc > 0
|
|
||||||
+ assert "error: --to-nbdays must be an integer." in stderr
|
|
||||||
|
|
||||||
# From here the tests build on one another:
|
|
||||||
# 1) add auth
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From b4266023e04729db12de2f7e0de4da9e1d00db38 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Fri, 7 Aug 2020 19:08:39 +0200
|
|
||||||
Subject: [PATCH] ipatests: test_epn: update error messages
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Update error messages in the test.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8449
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_epn.py | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index e03521193..af662140a 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -458,7 +458,7 @@ class TestEPN(IntegrationTest):
|
|
||||||
self.clients[0], to_nbdays="abc",
|
|
||||||
raiseonerr=False, validatejson=False
|
|
||||||
)
|
|
||||||
- assert "error: --to-nbdays must be an integer." in stderr
|
|
||||||
+ assert "error: --to-nbdays must be a positive integer." in stderr
|
|
||||||
assert rc > 0
|
|
||||||
|
|
||||||
@pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
@@ -483,7 +483,7 @@ class TestEPN(IntegrationTest):
|
|
||||||
)
|
|
||||||
logger.info(stderr)
|
|
||||||
assert rc > 0
|
|
||||||
- assert "error: --to-nbdays must be an integer." in stderr
|
|
||||||
+ assert "error: --to-nbdays must be a positive integer." in stderr
|
|
||||||
|
|
||||||
# From here the tests build on one another:
|
|
||||||
# 1) add auth
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 2809084a44e3b174fa48a611e79f04358e1d6dca Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Wed, 5 Aug 2020 09:05:31 +0200
|
|
||||||
Subject: [PATCH] IPA-EPN: enhance input validation
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Enhance input validation:
|
|
||||||
* make sure --from-nbdays and --to-nbdays are integer
|
|
||||||
* make sure --from-nbdays < --to-nbdays
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8444
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipaclient/install/ipa_epn.py | 28 +++++++++++++++++++++++++--
|
|
||||||
ipatests/test_integration/test_epn.py | 3 ---
|
|
||||||
2 files changed, 26 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
|
|
||||||
index 82d7b3f57..88c926e88 100644
|
|
||||||
--- a/ipaclient/install/ipa_epn.py
|
|
||||||
+++ b/ipaclient/install/ipa_epn.py
|
|
||||||
@@ -246,9 +246,33 @@ class EPN(admintool.AdminTool):
|
|
||||||
|
|
||||||
def validate_options(self):
|
|
||||||
super(EPN, self).validate_options(needs_root=True)
|
|
||||||
- if self.options.to_nbdays:
|
|
||||||
+ if self.options.to_nbdays is not None:
|
|
||||||
+ try:
|
|
||||||
+ if int(self.options.to_nbdays) < 0:
|
|
||||||
+ raise RuntimeError('Input is negative.')
|
|
||||||
+ except Exception as e:
|
|
||||||
+ self.option_parser.error(
|
|
||||||
+ "--to-nbdays must be a positive integer. "
|
|
||||||
+ "{error}".format(error=e)
|
|
||||||
+ )
|
|
||||||
self.options.dry_run = True
|
|
||||||
- if self.options.from_nbdays and not self.options.to_nbdays:
|
|
||||||
+ if self.options.from_nbdays is not None:
|
|
||||||
+ try:
|
|
||||||
+ if int(self.options.from_nbdays) < 0:
|
|
||||||
+ raise RuntimeError('Input is negative.')
|
|
||||||
+ except Exception as e:
|
|
||||||
+ self.option_parser.error(
|
|
||||||
+ "--from-nbdays must be a positive integer. "
|
|
||||||
+ "{error}".format(error=e)
|
|
||||||
+ )
|
|
||||||
+ if self.options.from_nbdays is not None and \
|
|
||||||
+ self.options.to_nbdays is not None:
|
|
||||||
+ if int(self.options.from_nbdays) >= int(self.options.to_nbdays):
|
|
||||||
+ self.option_parser.error(
|
|
||||||
+ "--from-nbdays must be smaller than --to-nbdays."
|
|
||||||
+ )
|
|
||||||
+ if self.options.from_nbdays is not None and \
|
|
||||||
+ self.options.to_nbdays is None:
|
|
||||||
self.option_parser.error(
|
|
||||||
"You cannot specify --from-nbdays without --to-nbdays"
|
|
||||||
)
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index af662140a..fc26888cb 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -450,7 +450,6 @@ class TestEPN(IntegrationTest):
|
|
||||||
in stderr_text_client
|
|
||||||
assert rc > 0
|
|
||||||
|
|
||||||
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
def test_EPN_nbdays_input_2(self):
|
|
||||||
"""alpha input"""
|
|
||||||
|
|
||||||
@@ -461,7 +460,6 @@ class TestEPN(IntegrationTest):
|
|
||||||
assert "error: --to-nbdays must be a positive integer." in stderr
|
|
||||||
assert rc > 0
|
|
||||||
|
|
||||||
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
def test_EPN_nbdays_input_3(self):
|
|
||||||
"""from_nbdays > to_nbdays"""
|
|
||||||
|
|
||||||
@@ -473,7 +471,6 @@ class TestEPN(IntegrationTest):
|
|
||||||
stderr
|
|
||||||
assert rc > 0
|
|
||||||
|
|
||||||
- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True)
|
|
||||||
def test_EPN_nbdays_input_4(self):
|
|
||||||
"""decimal input"""
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,141 +0,0 @@
|
|||||||
From 3cf7fb1014ae40fd5a5278f27577a8196a4af051 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Fri, 7 Aug 2020 07:51:53 +0200
|
|
||||||
Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Add a test for EPN behavior when the configured SMTP does not
|
|
||||||
accept connections.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8445
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_epn.py | 27 ++++++++++++++++++++++++---
|
|
||||||
1 file changed, 24 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index c5c73835a..1a25d3710 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -182,14 +182,20 @@ class TestEPN(IntegrationTest):
|
|
||||||
self,
|
|
||||||
host,
|
|
||||||
dry_run=False,
|
|
||||||
+ mailtest=False,
|
|
||||||
from_nbdays=None,
|
|
||||||
to_nbdays=None,
|
|
||||||
raiseonerr=True,
|
|
||||||
validatejson=True
|
|
||||||
):
|
|
||||||
- result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
|
|
||||||
- from_nbdays=from_nbdays,
|
|
||||||
- to_nbdays=to_nbdays)
|
|
||||||
+ result = tasks.ipa_epn(
|
|
||||||
+ host,
|
|
||||||
+ from_nbdays=from_nbdays,
|
|
||||||
+ to_nbdays=to_nbdays,
|
|
||||||
+ mailtest=mailtest,
|
|
||||||
+ dry_run=dry_run,
|
|
||||||
+ raiseonerr=raiseonerr
|
|
||||||
+ )
|
|
||||||
if validatejson:
|
|
||||||
json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
|
|
||||||
return (result.stdout_text, result.stderr_text, result.returncode)
|
|
||||||
@@ -243,6 +249,21 @@ class TestEPN(IntegrationTest):
|
|
||||||
ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
|
|
||||||
assert cmd2.stdout_text.find(ck) == 0
|
|
||||||
|
|
||||||
+ @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
|
|
||||||
+ def test_EPN_connection_refused(self):
|
|
||||||
+ """Test EPN behavior when the configured SMTP is down
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ self.master.run_command(["systemctl", "stop", "postfix"])
|
|
||||||
+ (unused, stderr_text, rc) = self._check_epn_output(
|
|
||||||
+ self.master, mailtest=True,
|
|
||||||
+ raiseonerr=False, validatejson=False
|
|
||||||
+ )
|
|
||||||
+ self.master.run_command(["systemctl", "start", "postfix"])
|
|
||||||
+ assert "IPA-EPN: Could not connect to the configured SMTP server" in \
|
|
||||||
+ stderr_text
|
|
||||||
+ assert rc > 0
|
|
||||||
+
|
|
||||||
def test_EPN_smoketest_1(self):
|
|
||||||
"""No users except admin. Check --dry-run output.
|
|
||||||
With the default configuration, the result should be an empty list.
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 53f330b053740b169d211aa16b3b36fb61157bbd Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Fri, 7 Aug 2020 06:19:31 +0200
|
|
||||||
Subject: [PATCH] IPA-EPN: Fix SMTP connection error handling
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Enhance error message when SMTP is down.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8445
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipaclient/install/ipa_epn.py | 17 ++++++++++-------
|
|
||||||
ipatests/test_integration/test_epn.py | 1 -
|
|
||||||
2 files changed, 10 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
|
|
||||||
index 0d1ae2add..82d7b3f57 100644
|
|
||||||
--- a/ipaclient/install/ipa_epn.py
|
|
||||||
+++ b/ipaclient/install/ipa_epn.py
|
|
||||||
@@ -38,6 +38,7 @@ from email.mime.multipart import MIMEMultipart
|
|
||||||
from email.mime.text import MIMEText
|
|
||||||
from email.header import Header
|
|
||||||
from email.utils import make_msgid
|
|
||||||
+from socket import error as socketerror
|
|
||||||
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
from ipalib import api, errors
|
|
||||||
@@ -640,13 +641,15 @@ class MTAClient:
|
|
||||||
port=self._smtp_port,
|
|
||||||
timeout=self._smtp_timeout,
|
|
||||||
)
|
|
||||||
- except smtplib.SMTPException as e:
|
|
||||||
- logger.error(
|
|
||||||
- "IPA-EPN: Unable to connect to %s:%s: %s",
|
|
||||||
- self._smtp_hostname,
|
|
||||||
- self._smtp_port,
|
|
||||||
- e,
|
|
||||||
- )
|
|
||||||
+ except (socketerror, smtplib.SMTPException) as e:
|
|
||||||
+ msg = \
|
|
||||||
+ "IPA-EPN: Could not connect to the configured SMTP server: " \
|
|
||||||
+ "{host}:{port}: {error}".format(
|
|
||||||
+ host=self._smtp_hostname,
|
|
||||||
+ port=self._smtp_port,
|
|
||||||
+ error=e
|
|
||||||
+ )
|
|
||||||
+ raise admintool.ScriptError(msg)
|
|
||||||
|
|
||||||
try:
|
|
||||||
self._conn.ehlo()
|
|
||||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
|
||||||
index 1a25d3710..e03521193 100644
|
|
||||||
--- a/ipatests/test_integration/test_epn.py
|
|
||||||
+++ b/ipatests/test_integration/test_epn.py
|
|
||||||
@@ -249,7 +249,6 @@ class TestEPN(IntegrationTest):
|
|
||||||
ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
|
|
||||||
assert cmd2.stdout_text.find(ck) == 0
|
|
||||||
|
|
||||||
- @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
|
|
||||||
def test_EPN_connection_refused(self):
|
|
||||||
"""Test EPN behavior when the configured SMTP is down
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,110 +0,0 @@
|
|||||||
From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Tue, 4 Aug 2020 15:09:56 -0400
|
|
||||||
Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
|
|
||||||
|
|
||||||
It was previously being set to 0444 which triggered a warning
|
|
||||||
in freeipa-healthcheck.
|
|
||||||
|
|
||||||
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
|
|
||||||
which may not be available in some environments.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8441
|
|
||||||
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/certs.py | 2 +-
|
|
||||||
ipaserver/install/server/install.py | 5 ++---
|
|
||||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
|
|
||||||
index 22ee79bd1..51d9f9221 100644
|
|
||||||
--- a/ipaserver/install/certs.py
|
|
||||||
+++ b/ipaserver/install/certs.py
|
|
||||||
@@ -329,7 +329,7 @@ class CertDB:
|
|
||||||
ipautil.backup_file(cacert_fname)
|
|
||||||
root_nicknames = self.find_root_cert(nickname)[:-1]
|
|
||||||
with open(cacert_fname, "w") as f:
|
|
||||||
- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
|
|
||||||
+ os.fchmod(f.fileno(), 0o644)
|
|
||||||
for root in root_nicknames:
|
|
||||||
result = self.run_certutil(["-L", "-n", root, "-a"],
|
|
||||||
capture_output=True)
|
|
||||||
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
||||||
index b53c58e2a..6a593602f 100644
|
|
||||||
--- a/ipaserver/install/server/install.py
|
|
||||||
+++ b/ipaserver/install/server/install.py
|
|
||||||
@@ -891,9 +891,8 @@ def install(installer):
|
|
||||||
|
|
||||||
ca.install_step_0(False, None, options, custodia=custodia)
|
|
||||||
else:
|
|
||||||
- # Put the CA cert where other instances expect it
|
|
||||||
- x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
|
|
||||||
- os.chmod(paths.IPA_CA_CRT, 0o444)
|
|
||||||
+ # /etc/ipa/ca.crt is created as a side-effect of
|
|
||||||
+ # dsinstance::enable_ssl() via export_ca_cert()
|
|
||||||
|
|
||||||
if not options.no_pkinit:
|
|
||||||
x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Tue, 4 Aug 2020 15:12:20 -0400
|
|
||||||
Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new
|
|
||||||
installations
|
|
||||||
|
|
||||||
It should be 0644 root:root for both CA-ful and CA-less installs.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8441
|
|
||||||
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_caless.py | 8 ++++++++
|
|
||||||
ipatests/test_integration/test_installation.py | 10 ++++++++++
|
|
||||||
2 files changed, 18 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
|
|
||||||
index 1ea7d9896..16dfbb320 100644
|
|
||||||
--- a/ipatests/test_integration/test_caless.py
|
|
||||||
+++ b/ipatests/test_integration/test_caless.py
|
|
||||||
@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
|
|
||||||
host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
|
|
||||||
assert cert_from_ldap == expected_cacrt
|
|
||||||
|
|
||||||
+ result = host.run_command(
|
|
||||||
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
|
|
||||||
+ )
|
|
||||||
+ (owner, group, mode) = result.stdout_text.strip().split(':')
|
|
||||||
+ assert owner == "root"
|
|
||||||
+ assert group == "root"
|
|
||||||
+ assert mode == "644"
|
|
||||||
+
|
|
||||||
# Verify certmonger was not started
|
|
||||||
result = host.run_command(['getcert', 'list'], raiseonerr=False)
|
|
||||||
assert result.returncode == 0
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index 100a5a766..fb1990083 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
|
|
||||||
status = tasks.wait_for_request(self.master, request_id[0], 300)
|
|
||||||
assert status == "MONITORING"
|
|
||||||
|
|
||||||
+ def test_ipa_ca_crt_permissions(self):
|
|
||||||
+ """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
|
|
||||||
+ )
|
|
||||||
+ out = str(result.stdout_text.strip())
|
|
||||||
+ (owner, group, mode) = out.split(':')
|
|
||||||
+ assert mode == "644"
|
|
||||||
+ assert owner == "root"
|
|
||||||
+ assert group == "root"
|
|
||||||
|
|
||||||
class TestInstallWithCA_KRA1(InstallTestBase1):
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,62 +0,0 @@
|
|||||||
From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Mon, 7 Sep 2020 11:07:21 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: let custodia replicate keys
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Enhance the SELinux policy so that custodia can replicate sub-CA keys
|
|
||||||
and certificates:
|
|
||||||
allow ipa_custodia_t self:tcp_socket { bind create };
|
|
||||||
allow ipa_custodia_t node_t:tcp_socket node_bind;
|
|
||||||
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
|
||||||
allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
|
||||||
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
|
||||||
allow ipa_custodia_t self:process execmem;
|
|
||||||
|
|
||||||
Found by: test_replica_promotion::TestSubCAkeyReplication
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 11 +++++++++++
|
|
||||||
1 file changed, 11 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index c4c3fa805..3fa4ba980 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
|
|
||||||
type ipa_custodia_tmp_t;
|
|
||||||
files_tmp_file(ipa_custodia_tmp_t)
|
|
||||||
|
|
||||||
+type pki_tomcat_cert_t;
|
|
||||||
+type node_t;
|
|
||||||
+
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# ipa_otpd local policy
|
|
||||||
@@ -323,10 +326,18 @@ optional_policy(`
|
|
||||||
allow ipa_custodia_t self:capability { setgid setuid };
|
|
||||||
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
|
|
||||||
allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
|
||||||
+allow ipa_custodia_t self:process execmem;
|
|
||||||
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
|
|
||||||
allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
|
||||||
+allow ipa_custodia_t self:tcp_socket { bind create };
|
|
||||||
allow ipa_custodia_t self:udp_socket create_socket_perms;
|
|
||||||
|
|
||||||
+allow ipa_custodia_t node_t:tcp_socket node_bind;
|
|
||||||
+
|
|
||||||
+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
|
||||||
+allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
|
||||||
+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
|
||||||
+
|
|
||||||
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
|
||||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
|
||||||
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,117 +0,0 @@
|
|||||||
Adapted version of d1c860e59b52. to make it apply without commits
|
|
||||||
|
|
||||||
34b4d9bce5 - ipatests: Test ipa user login with wrong password
|
|
||||||
ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool.
|
|
||||||
|
|
||||||
From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Wed, 16 Sep 2020 17:07:21 +0200
|
|
||||||
Subject: [PATCH] ipatests: check that pkispawn log is not empty
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Since commits:
|
|
||||||
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
|
|
||||||
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
|
|
||||||
pkispawn will not honor the pki_log_level configuration item.
|
|
||||||
All 10.9 Dogtag versions have these commits.
|
|
||||||
This affects FreeIPA in that it makes debugging Dogtag installation issues next
|
|
||||||
to impossible.
|
|
||||||
Adding --debug to the pkispawn CLI is required to revert to the previous
|
|
||||||
behavior.
|
|
||||||
Therefore check that the log is not empty and contains DEBUG+INFO lines.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8503
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++
|
|
||||||
1 file changed, 23 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
|
||||||
index fa6abd81e..3a12bcde2 100644
|
|
||||||
--- a/ipatests/test_integration/test_commands.py
|
|
||||||
+++ b/ipatests/test_integration/test_commands.py
|
|
||||||
@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest):
|
|
||||||
assert msg2 not in result.stderr_text
|
|
||||||
finally:
|
|
||||||
bashrc_backup.restore()
|
|
||||||
+
|
|
||||||
+ def test_pkispawn_log_is_present(self):
|
|
||||||
+ """
|
|
||||||
+ This testcase checks if pkispawn logged properly.
|
|
||||||
+ It is a candidate from being moved out of test_commands.
|
|
||||||
+ """
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ["ls", "/var/log/pki/"]
|
|
||||||
+ )
|
|
||||||
+ pkispawnlogfile = None
|
|
||||||
+ for file in result.stdout_text.splitlines():
|
|
||||||
+ if file.startswith("pki-ca-spawn"):
|
|
||||||
+ pkispawnlogfile = file
|
|
||||||
+ break
|
|
||||||
+ assert pkispawnlogfile is not None
|
|
||||||
+ pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
|
|
||||||
+ pkispawnlog = self.master.get_file_contents(
|
|
||||||
+ pkispawnlogfile, encoding='utf-8'
|
|
||||||
+ )
|
|
||||||
+ # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
|
|
||||||
+ assert len(pkispawnlog) > 1024
|
|
||||||
+ assert "DEBUG" in pkispawnlog
|
|
||||||
+ assert "INFO" in pkispawnlog
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 17 Sep 2020 07:31:59 +0200
|
|
||||||
Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Since commits:
|
|
||||||
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
|
|
||||||
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
|
|
||||||
pkispawn will not honor the pki_log_level configuration item.
|
|
||||||
All 10.9 Dogtag versions have these commits.
|
|
||||||
This affects FreeIPA in that it makes debugging Dogtag installation issues next
|
|
||||||
to impossible.
|
|
||||||
Adding --debug to the pkispawn CLI is required to revert to the previous
|
|
||||||
behavior.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8503
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/dogtaginstance.py | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
||||||
index 524262ad7..03fdd7c0b 100644
|
|
||||||
--- a/ipaserver/install/dogtaginstance.py
|
|
||||||
+++ b/ipaserver/install/dogtaginstance.py
|
|
||||||
@@ -183,7 +183,8 @@ class DogtagInstance(service.Service):
|
|
||||||
subsystem = self.subsystem
|
|
||||||
args = [paths.PKISPAWN,
|
|
||||||
"-s", subsystem,
|
|
||||||
- "-f", cfg_file]
|
|
||||||
+ "-f", cfg_file,
|
|
||||||
+ "--debug"]
|
|
||||||
|
|
||||||
with open(cfg_file) as f:
|
|
||||||
logger.debug(
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,549 +0,0 @@
|
|||||||
From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 17 Sep 2020 11:30:45 +0200
|
|
||||||
Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
enhance the test suite so that it covers:
|
|
||||||
- deleting subCAs (disabling them first)
|
|
||||||
- checking what happens when creating a dozen+ subCAs at a time
|
|
||||||
- adding a subCA that already exists and expect failure
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_replica_promotion.py | 52 +++++++++++++++++--
|
|
||||||
1 file changed, 47 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
index 82117054f..f0b72e1f8 100644
|
|
||||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
|
||||||
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
|
|
||||||
SERVER_CERT_NICK: 'u,u,u',
|
|
||||||
}
|
|
||||||
|
|
||||||
- def add_subca(self, host, name, subject):
|
|
||||||
+ def add_subca(self, host, name, subject, raiseonerr=True):
|
|
||||||
result = host.run_command([
|
|
||||||
'ipa', 'ca-add', name,
|
|
||||||
'--subject', subject,
|
|
||||||
- '--desc', self.SUBCA_DESC,
|
|
||||||
+ '--desc', self.SUBCA_DESC],
|
|
||||||
+ raiseonerr=raiseonerr
|
|
||||||
+ )
|
|
||||||
+ if raiseonerr:
|
|
||||||
+ assert "ipa: ERROR:" not in result.stderr_text
|
|
||||||
+ auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
|
|
||||||
+ return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
|
|
||||||
+ else:
|
|
||||||
+ assert "ipa: ERROR:" in result.stderr_text
|
|
||||||
+ assert result.returncode != 0
|
|
||||||
+ return result
|
|
||||||
+
|
|
||||||
+ def del_subca(self, host, name):
|
|
||||||
+ host.run_command([
|
|
||||||
+ 'ipa', 'ca-disable', name
|
|
||||||
])
|
|
||||||
- auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
|
|
||||||
- return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
|
|
||||||
+ result = host.run_command([
|
|
||||||
+ 'ipa', 'ca-del', name
|
|
||||||
+ ])
|
|
||||||
+ assert "Deleted CA \"{}\"".format(name) in result.stdout_text
|
|
||||||
|
|
||||||
def check_subca(self, host, name, cert_nick):
|
|
||||||
- host.run_command(['ipa', 'ca-show', name])
|
|
||||||
+ result = host.run_command(['ipa', 'ca-show', name])
|
|
||||||
+ # ipa ca-show returns 0 even if the cert cannot be found locally.
|
|
||||||
+ assert "ipa: ERROR:" not in result.stderr_text
|
|
||||||
tasks.run_certutil(
|
|
||||||
host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
|
|
||||||
)
|
|
||||||
@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
|
|
||||||
ssl = replica.run_command(ssl_cmd)
|
|
||||||
assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
|
|
||||||
|
|
||||||
+ def test_del_subca_master_on_replica(self):
|
|
||||||
+ self.del_subca(self.replicas[0], self.SUBCA_MASTER)
|
|
||||||
+
|
|
||||||
+ def test_del_subca_replica(self):
|
|
||||||
+ self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
|
|
||||||
+
|
|
||||||
+ def test_scale_add_subca(self):
|
|
||||||
+ master = self.master
|
|
||||||
+ replica = self.replicas[0]
|
|
||||||
+
|
|
||||||
+ subcas = {}
|
|
||||||
+ for i in range(0, 16):
|
|
||||||
+ name = "_".join((self.SUBCA_MASTER, str(i)))
|
|
||||||
+ cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
|
|
||||||
+ subcas[name] = self.add_subca(master, name, cn)
|
|
||||||
+ self.add_subca(master, name, cn, raiseonerr=False)
|
|
||||||
+
|
|
||||||
+ # give replication some time
|
|
||||||
+ time.sleep(15)
|
|
||||||
+
|
|
||||||
+ for name in subcas:
|
|
||||||
+ self.check_subca(replica, name, subcas[name])
|
|
||||||
+ self.del_subca(replica, name)
|
|
||||||
+
|
|
||||||
|
|
||||||
class TestReplicaInstallCustodia(IntegrationTest):
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Fri, 18 Sep 2020 11:55:37 +0200
|
|
||||||
Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
|
|
||||||
Make sure tomcat_t can execute ipa-pki-retrieve-key.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.fc | 1 +
|
|
||||||
selinux/ipa.te | 28 ++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 29 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
|
|
||||||
index a98cc4665..1176f383c 100644
|
|
||||||
--- a/selinux/ipa.fc
|
|
||||||
+++ b/selinux/ipa.fc
|
|
||||||
@@ -30,5 +30,6 @@
|
|
||||||
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
|
||||||
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
|
||||||
/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
|
|
||||||
+/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
|
|
||||||
|
|
||||||
/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 3fa4ba980..26daed293 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
|
|
||||||
type pki_tomcat_cert_t;
|
|
||||||
type node_t;
|
|
||||||
|
|
||||||
+type ipa_pki_retrieve_key_exec_t;
|
|
||||||
+init_script_file(ipa_pki_retrieve_key_exec_t)
|
|
||||||
+
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# ipa_otpd local policy
|
|
||||||
@@ -412,3 +415,28 @@ optional_policy(`
|
|
||||||
optional_policy(`
|
|
||||||
systemd_private_tmp(ipa_custodia_tmp_t)
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type tomcat_t;
|
|
||||||
+ ')
|
|
||||||
+ can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
|
|
||||||
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type devlog_t;
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ java_exec(ipa_custodia_pki_tomcat_exec_t)
|
|
||||||
+ # allow Java to read system status and RNG
|
|
||||||
+ dev_read_urand(ipa_custodia_t)
|
|
||||||
+ dev_read_rand(ipa_custodia_t)
|
|
||||||
+ kernel_read_network_state(ipa_custodia_t)
|
|
||||||
+ dev_read_sysfs(ipa_custodia_t)
|
|
||||||
+')
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Fri, 18 Sep 2020 17:45:39 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This is used by the JVM perf counters.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 26daed293..0a9ccaf83 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
|
||||||
|
|
||||||
manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
|
||||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
|
||||||
+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
|
||||||
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
|
||||||
|
|
||||||
kernel_dgram_send(ipa_custodia_t)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Mon, 21 Sep 2020 11:32:52 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
|
|
||||||
ipa_pki_retrieve_key_t
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
|
|
||||||
ipa_pki_retrieve_key_exec_t.
|
|
||||||
As suggested by Ondrej Mosnáček.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 0a9ccaf83..92a3b2359 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -78,6 +78,8 @@ type node_t;
|
|
||||||
type ipa_pki_retrieve_key_exec_t;
|
|
||||||
init_script_file(ipa_pki_retrieve_key_exec_t)
|
|
||||||
|
|
||||||
+type ipa_pki_retrieve_key_t;
|
|
||||||
+
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# ipa_otpd local policy
|
|
||||||
@@ -422,7 +424,7 @@ optional_policy(`
|
|
||||||
type tomcat_t;
|
|
||||||
')
|
|
||||||
can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
|
|
||||||
- pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
|
|
||||||
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Mon, 21 Sep 2020 11:37:12 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
|
|
||||||
ipa_custodia_pki_tomcat_t
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
|
|
||||||
ipa_custodia_pki_tomcat_t.
|
|
||||||
As suggested by Ondrej Mosnáček.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 92a3b2359..b2c618a53 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
|
|
||||||
type ipa_custodia_pki_tomcat_exec_t;
|
|
||||||
init_script_file(ipa_custodia_pki_tomcat_exec_t)
|
|
||||||
|
|
||||||
+type ipa_custodia_pki_tomcat_t;
|
|
||||||
+
|
|
||||||
type ipa_custodia_ra_agent_exec_t;
|
|
||||||
init_script_file(ipa_custodia_ra_agent_exec_t)
|
|
||||||
|
|
||||||
@@ -436,7 +438,7 @@ optional_policy(`
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- java_exec(ipa_custodia_pki_tomcat_exec_t)
|
|
||||||
+ java_exec(ipa_custodia_pki_tomcat_t)
|
|
||||||
# allow Java to read system status and RNG
|
|
||||||
dev_read_urand(ipa_custodia_t)
|
|
||||||
dev_read_rand(ipa_custodia_t)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Tue, 22 Sep 2020 11:36:13 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
|
|
||||||
domain_type
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index b2c618a53..42b010133 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
|
|
||||||
type node_t;
|
|
||||||
|
|
||||||
type ipa_pki_retrieve_key_exec_t;
|
|
||||||
+domain_type(ipa_pki_retrieve_key_exec_t)
|
|
||||||
init_script_file(ipa_pki_retrieve_key_exec_t)
|
|
||||||
|
|
||||||
type ipa_pki_retrieve_key_t;
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Tue, 22 Sep 2020 13:12:05 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
|
|
||||||
non-optional
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Interfaces for kernel modules do not need to be in an optional module.
|
|
||||||
Also make sure ipa_custodia_t can log.
|
|
||||||
Suggested by Lukas Vrabec.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 16 +++++++++-------
|
|
||||||
1 file changed, 9 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 42b010133..f984a0f94 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
|
|
||||||
type node_t;
|
|
||||||
|
|
||||||
type ipa_pki_retrieve_key_exec_t;
|
|
||||||
-domain_type(ipa_pki_retrieve_key_exec_t)
|
|
||||||
-init_script_file(ipa_pki_retrieve_key_exec_t)
|
|
||||||
-
|
|
||||||
type ipa_pki_retrieve_key_t;
|
|
||||||
+domain_type(ipa_pki_retrieve_key_t)
|
|
||||||
+init_script_file(ipa_pki_retrieve_key_exec_t)
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
|
||||||
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
|
||||||
|
|
||||||
kernel_dgram_send(ipa_custodia_t)
|
|
||||||
+kernel_read_network_state(ipa_custodia_t)
|
|
||||||
|
|
||||||
auth_read_passwd(ipa_custodia_t)
|
|
||||||
|
|
||||||
@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
|
|
||||||
corecmd_exec_bin(ipa_custodia_t)
|
|
||||||
corecmd_mmap_bin_files(ipa_custodia_t)
|
|
||||||
|
|
||||||
+dev_read_urand(ipa_custodia_t)
|
|
||||||
+dev_read_rand(ipa_custodia_t)
|
|
||||||
+dev_read_sysfs(ipa_custodia_t)
|
|
||||||
+
|
|
||||||
domain_use_interactive_fds(ipa_custodia_t)
|
|
||||||
|
|
||||||
files_mmap_usr_files(ipa_custodia_t)
|
|
||||||
@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
|
|
||||||
libs_exec_ldconfig(ipa_custodia_t)
|
|
||||||
libs_ldconfig_exec_entry_type(ipa_custodia_t)
|
|
||||||
|
|
||||||
+logging_send_syslog_msg(ipa_custodia_t)
|
|
||||||
+
|
|
||||||
miscfiles_read_generic_certs(ipa_custodia_t)
|
|
||||||
miscfiles_read_localization(ipa_custodia_t)
|
|
||||||
|
|
||||||
@@ -441,8 +447,4 @@ optional_policy(`
|
|
||||||
optional_policy(`
|
|
||||||
java_exec(ipa_custodia_pki_tomcat_t)
|
|
||||||
# allow Java to read system status and RNG
|
|
||||||
- dev_read_urand(ipa_custodia_t)
|
|
||||||
- dev_read_rand(ipa_custodia_t)
|
|
||||||
- kernel_read_network_state(ipa_custodia_t)
|
|
||||||
- dev_read_sysfs(ipa_custodia_t)
|
|
||||||
')
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Tue, 22 Sep 2020 13:34:40 +0200
|
|
||||||
Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This is required to fix:
|
|
||||||
avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
|
|
||||||
|
|
||||||
Macros suggested by: Ondrej Mosnacek
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8488
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
|
|
||||||
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
|
|
||||||
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
|
|
||||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index f984a0f94..fa577191c 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -448,3 +448,11 @@ optional_policy(`
|
|
||||||
java_exec(ipa_custodia_pki_tomcat_t)
|
|
||||||
# allow Java to read system status and RNG
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type tomcat_t;
|
|
||||||
+ ')
|
|
||||||
+ kerberos_read_config(tomcat_t)
|
|
||||||
+ kerberos_read_keytab(tomcat_t)
|
|
||||||
+')
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,68 +0,0 @@
|
|||||||
From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Wed, 23 Sep 2020 09:17:53 +0200
|
|
||||||
Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
node_t and pki_tomcat_cert_t are defined in other modules.
|
|
||||||
Do not double-define them.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8513
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 25 ++++++++++++++++---------
|
|
||||||
1 file changed, 16 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index fa577191c..d80e64a0b 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
|
|
||||||
type ipa_custodia_tmp_t;
|
|
||||||
files_tmp_file(ipa_custodia_tmp_t)
|
|
||||||
|
|
||||||
-type pki_tomcat_cert_t;
|
|
||||||
-type node_t;
|
|
||||||
-
|
|
||||||
type ipa_pki_retrieve_key_exec_t;
|
|
||||||
type ipa_pki_retrieve_key_t;
|
|
||||||
domain_type(ipa_pki_retrieve_key_t)
|
|
||||||
@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
|
||||||
allow ipa_custodia_t self:tcp_socket { bind create };
|
|
||||||
allow ipa_custodia_t self:udp_socket create_socket_perms;
|
|
||||||
|
|
||||||
-allow ipa_custodia_t node_t:tcp_socket node_bind;
|
|
||||||
-
|
|
||||||
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
|
||||||
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
|
||||||
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
|
||||||
-
|
|
||||||
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
|
||||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
|
||||||
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
|
||||||
@@ -456,3 +447,19 @@ optional_policy(`
|
|
||||||
kerberos_read_config(tomcat_t)
|
|
||||||
kerberos_read_keytab(tomcat_t)
|
|
||||||
')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type node_t;
|
|
||||||
+ ')
|
|
||||||
+ allow ipa_custodia_t node_t:tcp_socket node_bind;
|
|
||||||
+')
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type pki_tomcat_cert_t;
|
|
||||||
+ ')
|
|
||||||
+ allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
|
||||||
+ allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
|
||||||
+ allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
|
||||||
+')
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,215 +0,0 @@
|
|||||||
Adapted patch for ipatests/test_integration/test_installation.py due to
|
|
||||||
missing commit 930f4b3d1dc03f9e365b007b027d65e146a08f05 (Prevent local account
|
|
||||||
takeover).
|
|
||||||
|
|
||||||
From 87e5c0500b76b7cbeecedc0c28d44095c7063186 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Date: Thu, 24 Sep 2020 12:32:37 +0200
|
|
||||||
Subject: [PATCH] Fix nsslapd-db-lock tuning of BDB backend
|
|
||||||
|
|
||||||
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
|
|
||||||
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
|
|
||||||
working. Installations with 389-DS 1.4.3 and newer are affected.
|
|
||||||
|
|
||||||
Low lock count can affect performance during high load, e.g. mass-import
|
|
||||||
of users or lots of concurrent connections.
|
|
||||||
|
|
||||||
Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8515
|
|
||||||
See: https://pagure.io/freeipa/issue/5914
|
|
||||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
freeipa.spec.in | 17 ++++++-----------
|
|
||||||
install/share/Makefile.am | 1 +
|
|
||||||
install/share/ldbm-tuning.ldif | 4 ++++
|
|
||||||
install/updates/10-db-locks.update | 10 ++++++++++
|
|
||||||
install/updates/Makefile.am | 1 +
|
|
||||||
ipapython/ipaldap.py | 1 +
|
|
||||||
ipaserver/install/dsinstance.py | 9 ++++-----
|
|
||||||
.../test_customized_ds_config_install.py | 3 ++-
|
|
||||||
.../test_integration/test_installation.py | 19 +++++++++++++++++++
|
|
||||||
9 files changed, 48 insertions(+), 17 deletions(-)
|
|
||||||
create mode 100644 install/share/ldbm-tuning.ldif
|
|
||||||
create mode 100644 install/updates/10-db-locks.update
|
|
||||||
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index 1db7d6457..8e6736b60 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -55,10 +55,9 @@
|
|
||||||
%global selinux_policy_version 3.14.3-21
|
|
||||||
%global slapi_nis_version 0.56.1-4
|
|
||||||
%global python_ldap_version 3.1.0-1
|
|
||||||
-# python3-lib389
|
|
||||||
-# Fix for "Installation fails: Replica Busy"
|
|
||||||
-# https://pagure.io/389-ds-base/issue/49818
|
|
||||||
-%global ds_version 1.4.0.16
|
|
||||||
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
|
|
||||||
+# https://pagure.io/freeipa/issue/8515
|
|
||||||
+%global ds_version 1.4.3
|
|
||||||
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
|
||||||
%global httpd_version 2.4.37-21
|
|
||||||
|
|
||||||
@@ -89,13 +88,9 @@
|
|
||||||
|
|
||||||
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
|
|
||||||
%global python_ldap_version 3.1.0-1
|
|
||||||
-# Fix for create suffix
|
|
||||||
-# https://pagure.io/389-ds-base/issue/49984
|
|
||||||
-%if 0%{?fedora} >= 30
|
|
||||||
-%global ds_version 1.4.1.1
|
|
||||||
-%else
|
|
||||||
-%global ds_version 1.4.0.21
|
|
||||||
-%endif
|
|
||||||
+# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
|
|
||||||
+# https://pagure.io/freeipa/issue/8515
|
|
||||||
+%global ds_version 1.4.3
|
|
||||||
|
|
||||||
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
|
||||||
%if 0%{?fedora} >= 31
|
|
||||||
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
|
|
||||||
index 53bd8f5d5..53485edfa 100644
|
|
||||||
--- a/install/share/Makefile.am
|
|
||||||
+++ b/install/share/Makefile.am
|
|
||||||
@@ -102,6 +102,7 @@ dist_app_DATA = \
|
|
||||||
ipaca_default.ini \
|
|
||||||
ipaca_customize.ini \
|
|
||||||
ipaca_softhsm2.ini \
|
|
||||||
+ ldbm-tuning.ldif \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
|
|
||||||
diff --git a/install/share/ldbm-tuning.ldif b/install/share/ldbm-tuning.ldif
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..765ccb01a
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/install/share/ldbm-tuning.ldif
|
|
||||||
@@ -0,0 +1,4 @@
|
|
||||||
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
|
|
||||||
+changetype: modify
|
|
||||||
+replace: nsslapd-db-locks
|
|
||||||
+nsslapd-db-locks: 50000
|
|
||||||
diff --git a/install/updates/10-db-locks.update b/install/updates/10-db-locks.update
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..31d2e4352
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/install/updates/10-db-locks.update
|
|
||||||
@@ -0,0 +1,10 @@
|
|
||||||
+# Fix nsslapd-db-locks move
|
|
||||||
+# https://pagure.io/freeipa/issue/8515
|
|
||||||
+
|
|
||||||
+# replace 389-DS default with 50000 locks
|
|
||||||
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
|
|
||||||
+replace: nsslapd-db-locks:10000::50000
|
|
||||||
+
|
|
||||||
+# remove setting from old location
|
|
||||||
+dn: cn=config,cn=ldbm database,cn=plugins,cn=config
|
|
||||||
+remove: nsslapd-db-locks: 50000
|
|
||||||
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
|
||||||
index 8a4d9cc6c..957ad4fa2 100644
|
|
||||||
--- a/install/updates/Makefile.am
|
|
||||||
+++ b/install/updates/Makefile.am
|
|
||||||
@@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/updates
|
|
||||||
app_DATA = \
|
|
||||||
05-pre_upgrade_plugins.update \
|
|
||||||
10-config.update \
|
|
||||||
+ 10-db-locks.update \
|
|
||||||
10-enable-betxn.update \
|
|
||||||
10-ipapwd.update \
|
|
||||||
10-selinuxusermap.update \
|
|
||||||
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
|
||||||
index 3eac95a87..5c43413cc 100644
|
|
||||||
--- a/ipapython/ipaldap.py
|
|
||||||
+++ b/ipapython/ipaldap.py
|
|
||||||
@@ -753,6 +753,7 @@ class LDAPClient:
|
|
||||||
'nsslapd-anonlimitsdn': True,
|
|
||||||
'nsslapd-minssf-exclude-rootdse': True,
|
|
||||||
'nsslapd-enable-upgrade-hash': True,
|
|
||||||
+ 'nsslapd-db-locks': True,
|
|
||||||
})
|
|
||||||
|
|
||||||
time_limit = -1.0 # unlimited
|
|
||||||
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
|
|
||||||
index 3fc0de371..065c6f78f 100644
|
|
||||||
--- a/ipaserver/install/dsinstance.py
|
|
||||||
+++ b/ipaserver/install/dsinstance.py
|
|
||||||
@@ -226,6 +226,7 @@ class DsInstance(service.Service):
|
|
||||||
|
|
||||||
self.step("creating directory server instance", self.__create_instance)
|
|
||||||
self.step("configure autobind for root", self.__root_autobind)
|
|
||||||
+ self.step("tune ldbm plugin", self.__tune_ldbm)
|
|
||||||
self.step("stopping directory server", self.__stop_instance)
|
|
||||||
self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
|
|
||||||
self.step("starting directory server", self.__start_instance)
|
|
||||||
@@ -592,6 +593,9 @@ class DsInstance(service.Service):
|
|
||||||
# Done!
|
|
||||||
logger.debug("completed creating DS instance")
|
|
||||||
|
|
||||||
+ def __tune_ldbm(self):
|
|
||||||
+ self._ldap_mod("ldbm-tuning.ldif")
|
|
||||||
+
|
|
||||||
def __update_dse_ldif(self):
|
|
||||||
"""
|
|
||||||
This method updates dse.ldif right after instance creation. This is
|
|
||||||
@@ -610,11 +614,6 @@ class DsInstance(service.Service):
|
|
||||||
temp_filename = new_dse_ldif.name
|
|
||||||
with open(dse_filename, "r") as input_file:
|
|
||||||
parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
|
|
||||||
- parser.replace_value(
|
|
||||||
- 'cn=config,cn=ldbm database,cn=plugins,cn=config',
|
|
||||||
- 'nsslapd-db-locks',
|
|
||||||
- [b'50000']
|
|
||||||
- )
|
|
||||||
if self.config_ldif:
|
|
||||||
# parse modifications from ldif file supplied by the admin
|
|
||||||
with open(self.config_ldif, "r") as config_ldif:
|
|
||||||
diff --git a/ipatests/test_integration/test_customized_ds_config_install.py b/ipatests/test_integration/test_customized_ds_config_install.py
|
|
||||||
index a2fcc7dd2..95195a014 100644
|
|
||||||
--- a/ipatests/test_integration/test_customized_ds_config_install.py
|
|
||||||
+++ b/ipatests/test_integration/test_customized_ds_config_install.py
|
|
||||||
@@ -4,7 +4,8 @@ from ipatests.pytest_ipa.integration import tasks
|
|
||||||
|
|
||||||
DIRSRV_CONFIG_MODS = """
|
|
||||||
# https://fedorahosted.org/freeipa/ticket/4949
|
|
||||||
-dn: cn=config,cn=ldbm database,cn=plugins,cn=config
|
|
||||||
+# https://pagure.io/freeipa/issue/8515
|
|
||||||
+dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
|
|
||||||
changetype: modify
|
|
||||||
replace: nsslapd-db-locks
|
|
||||||
nsslapd-db-locks: 100000
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index c939c6450..ec826edb7 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -972,6 +972,25 @@ class TestInstallMaster(IntegrationTest):
|
|
||||||
)
|
|
||||||
assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
|
|
||||||
|
|
||||||
+ def test_ldbm_tuning(self):
|
|
||||||
+ # check db-locks in new cn=bdb subentry (1.4.3+)
|
|
||||||
+ result = tasks.ldapsearch_dm(
|
|
||||||
+ self.master,
|
|
||||||
+ "cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config",
|
|
||||||
+ ["nsslapd-db-locks"],
|
|
||||||
+ scope="base"
|
|
||||||
+ )
|
|
||||||
+ assert "nsslapd-db-locks: 50000" in result.stdout_text
|
|
||||||
+
|
|
||||||
+ # no db-locks configuration in old global entry
|
|
||||||
+ result = tasks.ldapsearch_dm(
|
|
||||||
+ self.master,
|
|
||||||
+ "cn=config,cn=ldbm database,cn=plugins,cn=config",
|
|
||||||
+ ["nsslapd-db-locks"],
|
|
||||||
+ scope="base"
|
|
||||||
+ )
|
|
||||||
+ assert "nsslapd-db-locks" not in result.stdout_text
|
|
||||||
+
|
|
||||||
|
|
||||||
class TestInstallMasterKRA(IntegrationTest):
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,236 +0,0 @@
|
|||||||
From 1441b999d3fe9b4e59fe942294d13480ecee7d94 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 28 Oct 2020 17:46:56 +0200
|
|
||||||
Subject: [PATCH] rpcserver: fallback to non-armored kinit in case of trusted
|
|
||||||
domains
|
|
||||||
|
|
||||||
MIT Kerberos implements FAST negotiation as specified in RFC 6806
|
|
||||||
section 11. The implementation relies on the caller to provide a hint
|
|
||||||
whether FAST armoring must be used.
|
|
||||||
|
|
||||||
FAST armor can only be used when both client and KDC have a shared
|
|
||||||
secret. When KDC is from a trusted domain, there is no way to have a
|
|
||||||
shared secret between a generic Kerberos client and that KDC.
|
|
||||||
|
|
||||||
[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
|
|
||||||
allows KILE clients (Kerberos clients) to have local settings that
|
|
||||||
direct it to enforce use of FAST. This is equal to the current
|
|
||||||
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
|
|
||||||
if armor cache (option '-T') is provided.
|
|
||||||
|
|
||||||
[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
|
|
||||||
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
|
|
||||||
explicitly armored with the computer's TGT. However, this method is not
|
|
||||||
available to IPA framework as we don't have access to the IPA server's
|
|
||||||
host key. In addition, 'kinit' utility does not support this method.
|
|
||||||
|
|
||||||
Active Directory has a policy to force use of FAST when client
|
|
||||||
advertizes its use. Since we cannot know in advance whether a principal
|
|
||||||
to obtain initial credentials for belongs to our realm or to a trusted
|
|
||||||
one due to enterprise principal canonicalization, we have to try to
|
|
||||||
kinit. Right now we fail unconditionally if FAST couldn't be used and
|
|
||||||
libkrb5 communication with a KDC from the user realm (e.g. from a
|
|
||||||
trusted forest) causes enforcement of a FAST.
|
|
||||||
|
|
||||||
In the latter case, as we cannot use FAST anyway, try to kinit again
|
|
||||||
without advertizing FAST. This works even in the situations when FAST
|
|
||||||
enforcement is enabled on Active Directory side: if client doesn't
|
|
||||||
advertize FAST capability, it is not required. Additionally, FAST cannot
|
|
||||||
be used for any practical need for a trusted domain's users yet.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipalib/errors.py | 6 ++
|
|
||||||
ipaserver/rpcserver.py | 94 ++++++++++++++++---------
|
|
||||||
ipatests/test_integration/test_trust.py | 21 ++++++
|
|
||||||
3 files changed, 86 insertions(+), 35 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipalib/errors.py b/ipalib/errors.py
|
|
||||||
index 1b17ca7ed..fa51e15c0 100644
|
|
||||||
--- a/ipalib/errors.py
|
|
||||||
+++ b/ipalib/errors.py
|
|
||||||
@@ -245,6 +245,12 @@ class PluginModuleError(PrivateError):
|
|
||||||
format = '%(name)s is not a valid plugin module'
|
|
||||||
|
|
||||||
|
|
||||||
+class KrbPrincipalWrongFAST(PrivateError):
|
|
||||||
+ """
|
|
||||||
+ Raised when it is not possible to use our FAST armor for kinit
|
|
||||||
+ """
|
|
||||||
+ format = '%(principal)s cannot use Anonymous PKINIT as a FAST armor'
|
|
||||||
+
|
|
||||||
##############################################################################
|
|
||||||
# Public errors:
|
|
||||||
|
|
||||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
|
||||||
index 181295471..ed775170e 100644
|
|
||||||
--- a/ipaserver/rpcserver.py
|
|
||||||
+++ b/ipaserver/rpcserver.py
|
|
||||||
@@ -46,9 +46,11 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
|
|
||||||
from ipalib.frontend import Local
|
|
||||||
from ipalib.install.kinit import kinit_armor, kinit_password
|
|
||||||
from ipalib.backend import Executioner
|
|
||||||
-from ipalib.errors import (PublicError, InternalError, JSONError,
|
|
||||||
+from ipalib.errors import (
|
|
||||||
+ PublicError, InternalError, JSONError,
|
|
||||||
CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
|
|
||||||
- ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
|
|
||||||
+ ExecutionError, PasswordExpired, KrbPrincipalExpired, KrbPrincipalWrongFAST,
|
|
||||||
+ UserLocked)
|
|
||||||
from ipalib.request import context, destroy_context
|
|
||||||
from ipalib.rpc import (xml_dumps, xml_loads,
|
|
||||||
json_encode_binary, json_decode_binary)
|
|
||||||
@@ -957,6 +959,34 @@ class login_password(Backend, KerberosSession):
|
|
||||||
self.api.Backend.wsgi_dispatch.mount(self, self.key)
|
|
||||||
|
|
||||||
def __call__(self, environ, start_response):
|
|
||||||
+ def attempt_kinit(user_principal, password,
|
|
||||||
+ ipa_ccache_name, use_armor=True):
|
|
||||||
+ try:
|
|
||||||
+ # try to remove in case an old file was there
|
|
||||||
+ os.unlink(ipa_ccache_name)
|
|
||||||
+ except OSError:
|
|
||||||
+ pass
|
|
||||||
+ try:
|
|
||||||
+ self.kinit(user_principal, password,
|
|
||||||
+ ipa_ccache_name, use_armor=use_armor)
|
|
||||||
+ except PasswordExpired as e:
|
|
||||||
+ return self.unauthorized(environ, start_response,
|
|
||||||
+ str(e), 'password-expired')
|
|
||||||
+ except InvalidSessionPassword as e:
|
|
||||||
+ return self.unauthorized(environ, start_response,
|
|
||||||
+ str(e), 'invalid-password')
|
|
||||||
+ except KrbPrincipalExpired as e:
|
|
||||||
+ return self.unauthorized(environ,
|
|
||||||
+ start_response,
|
|
||||||
+ str(e),
|
|
||||||
+ 'krbprincipal-expired')
|
|
||||||
+ except UserLocked as e:
|
|
||||||
+ return self.unauthorized(environ,
|
|
||||||
+ start_response,
|
|
||||||
+ str(e),
|
|
||||||
+ 'user-locked')
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
logger.debug('WSGI login_password.__call__:')
|
|
||||||
|
|
||||||
# Get the user and password parameters from the request
|
|
||||||
@@ -1007,26 +1037,14 @@ class login_password(Backend, KerberosSession):
|
|
||||||
ipa_ccache_name = os.path.join(paths.IPA_CCACHES,
|
|
||||||
'kinit_{}'.format(os.getpid()))
|
|
||||||
try:
|
|
||||||
- # try to remove in case an old file was there
|
|
||||||
- os.unlink(ipa_ccache_name)
|
|
||||||
- except OSError:
|
|
||||||
- pass
|
|
||||||
- try:
|
|
||||||
- self.kinit(user_principal, password, ipa_ccache_name)
|
|
||||||
- except PasswordExpired as e:
|
|
||||||
- return self.unauthorized(environ, start_response, str(e), 'password-expired')
|
|
||||||
- except InvalidSessionPassword as e:
|
|
||||||
- return self.unauthorized(environ, start_response, str(e), 'invalid-password')
|
|
||||||
- except KrbPrincipalExpired as e:
|
|
||||||
- return self.unauthorized(environ,
|
|
||||||
- start_response,
|
|
||||||
- str(e),
|
|
||||||
- 'krbprincipal-expired')
|
|
||||||
- except UserLocked as e:
|
|
||||||
- return self.unauthorized(environ,
|
|
||||||
- start_response,
|
|
||||||
- str(e),
|
|
||||||
- 'user-locked')
|
|
||||||
+ result = attempt_kinit(user_principal, password,
|
|
||||||
+ ipa_ccache_name, use_armor=True)
|
|
||||||
+ except KrbPrincipalWrongFAST:
|
|
||||||
+ result = attempt_kinit(user_principal, password,
|
|
||||||
+ ipa_ccache_name, use_armor=False)
|
|
||||||
+
|
|
||||||
+ if result is not None:
|
|
||||||
+ return result
|
|
||||||
|
|
||||||
result = self.finalize_kerberos_acquisition('login_password',
|
|
||||||
ipa_ccache_name, environ,
|
|
||||||
@@ -1038,21 +1056,24 @@ class login_password(Backend, KerberosSession):
|
|
||||||
pass
|
|
||||||
return result
|
|
||||||
|
|
||||||
- def kinit(self, principal, password, ccache_name):
|
|
||||||
- # get anonymous ccache as an armor for FAST to enable OTP auth
|
|
||||||
- armor_path = os.path.join(paths.IPA_CCACHES,
|
|
||||||
- "armor_{}".format(os.getpid()))
|
|
||||||
+ def kinit(self, principal, password, ccache_name, use_armor=True):
|
|
||||||
+ if use_armor:
|
|
||||||
+ # get anonymous ccache as an armor for FAST to enable OTP auth
|
|
||||||
+ armor_path = os.path.join(paths.IPA_CCACHES,
|
|
||||||
+ "armor_{}".format(os.getpid()))
|
|
||||||
|
|
||||||
- logger.debug('Obtaining armor in ccache %s', armor_path)
|
|
||||||
+ logger.debug('Obtaining armor in ccache %s', armor_path)
|
|
||||||
|
|
||||||
- try:
|
|
||||||
- kinit_armor(
|
|
||||||
- armor_path,
|
|
||||||
- pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
|
|
||||||
- )
|
|
||||||
- except RuntimeError as e:
|
|
||||||
- logger.error("Failed to obtain armor cache")
|
|
||||||
- # We try to continue w/o armor, 2FA will be impacted
|
|
||||||
+ try:
|
|
||||||
+ kinit_armor(
|
|
||||||
+ armor_path,
|
|
||||||
+ pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
|
|
||||||
+ )
|
|
||||||
+ except RuntimeError as e:
|
|
||||||
+ logger.error("Failed to obtain armor cache")
|
|
||||||
+ # We try to continue w/o armor, 2FA will be impacted
|
|
||||||
+ armor_path = None
|
|
||||||
+ else:
|
|
||||||
armor_path = None
|
|
||||||
|
|
||||||
try:
|
|
||||||
@@ -1080,6 +1101,9 @@ class login_password(Backend, KerberosSession):
|
|
||||||
'while getting initial credentials') in str(e):
|
|
||||||
raise UserLocked(principal=principal,
|
|
||||||
message=unicode(e))
|
|
||||||
+ elif ('kinit: Error constructing AP-REQ armor: '
|
|
||||||
+ 'Matching credential not found') in str(e):
|
|
||||||
+ raise KrbPrincipalWrongFAST(principal=principal)
|
|
||||||
raise InvalidSessionPassword(principal=principal,
|
|
||||||
message=unicode(e))
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index a6a055c2a..bec918a31 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -175,6 +175,27 @@ class TestTrust(BaseTestTrust):
|
|
||||||
tasks.kdestroy_all(self.master)
|
|
||||||
tasks.kinit_admin(self.master)
|
|
||||||
|
|
||||||
+ def test_password_login_as_aduser(self):
|
|
||||||
+ """Test if AD user can login with password to Web UI"""
|
|
||||||
+ ad_admin = 'Administrator@%s' % self.ad_domain
|
|
||||||
+
|
|
||||||
+ tasks.kdestroy_all(self.master)
|
|
||||||
+ user_and_password = ('user=%s&password=%s' %
|
|
||||||
+ (ad_admin, self.master.config.ad_admin_password))
|
|
||||||
+ host = self.master.hostname
|
|
||||||
+ cmd_args = [
|
|
||||||
+ paths.BIN_CURL,
|
|
||||||
+ '-v',
|
|
||||||
+ '-H', 'referer:https://{}/ipa'.format(host),
|
|
||||||
+ '-H', 'Content-Type:application/x-www-form-urlencoded',
|
|
||||||
+ '-H', 'Accept:text/plain',
|
|
||||||
+ '--cacert', paths.IPA_CA_CRT,
|
|
||||||
+ '--data', user_and_password,
|
|
||||||
+ 'https://{}/ipa/session/login_password'.format(host)]
|
|
||||||
+ result = self.master.run_command(cmd_args)
|
|
||||||
+ assert "Set-Cookie: ipa_session=MagBearerToken" in result.stdout_text
|
|
||||||
+ tasks.kinit_admin(self.master)
|
|
||||||
+
|
|
||||||
def test_ipauser_authentication_with_nonposix_trust(self):
|
|
||||||
ipauser = u'tuser'
|
|
||||||
original_passwd = 'Secret123'
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From 12de9ee69f12f7c0021ea98e9c1163db7d59e5d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 28 Oct 2020 19:37:11 +0200
|
|
||||||
Subject: [PATCH] pylint: remove unused variable
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/rpcserver.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
|
||||||
index 27850e867..181295471 100644
|
|
||||||
--- a/ipaserver/rpcserver.py
|
|
||||||
+++ b/ipaserver/rpcserver.py
|
|
||||||
@@ -972,7 +972,7 @@ class login_password(Backend, KerberosSession):
|
|
||||||
|
|
||||||
try:
|
|
||||||
query_dict = parse_qs(query_string)
|
|
||||||
- except Exception as e:
|
|
||||||
+ except Exception:
|
|
||||||
return self.bad_request(environ, start_response, "cannot parse query data")
|
|
||||||
|
|
||||||
user = query_dict.get('user', None)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,121 +0,0 @@
|
|||||||
From 29262465edf034d521c165e3854e28835d86b98d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 6 Nov 2020 09:53:35 +0200
|
|
||||||
Subject: [PATCH] wgi/plugins.py: ignore empty plugin directories
|
|
||||||
|
|
||||||
Dynamic plugin registry returns as a plugin any folder within the
|
|
||||||
plugins directory. Web UI then attempts to load for each plugin 'foo' a
|
|
||||||
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
|
|
||||||
does not exist, Web UI breaks and it is impossible to recover until the
|
|
||||||
empty folder is removed or 'foo/foo.js' (even empty) is created at the
|
|
||||||
server side.
|
|
||||||
|
|
||||||
Check that 'foo/foo.js' actual exists when including a plugin into the
|
|
||||||
registry.
|
|
||||||
|
|
||||||
Test the registry generator by creating fake plugins and removing them
|
|
||||||
during the test.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8567
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
install/wsgi/plugins.py | 5 +-
|
|
||||||
ipatests/test_ipaserver/test_jsplugins.py | 68 +++++++++++++++++++++++
|
|
||||||
2 files changed, 72 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 ipatests/test_ipaserver/test_jsplugins.py
|
|
||||||
|
|
||||||
diff --git a/install/wsgi/plugins.py b/install/wsgi/plugins.py
|
|
||||||
index f80cfb9fe..4c43e7f87 100644
|
|
||||||
--- a/install/wsgi/plugins.py
|
|
||||||
+++ b/install/wsgi/plugins.py
|
|
||||||
@@ -36,7 +36,10 @@ def get_plugin_index():
|
|
||||||
|
|
||||||
dirs = os.listdir(paths.IPA_JS_PLUGINS_DIR)
|
|
||||||
index = 'define([],function(){return['
|
|
||||||
- index += ','.join("'"+x+"'" for x in dirs)
|
|
||||||
+ for x in dirs:
|
|
||||||
+ p = os.path.join(paths.IPA_JS_PLUGINS_DIR, x, x + '.js')
|
|
||||||
+ if os.path.exists(p):
|
|
||||||
+ index += "'" + x + "',"
|
|
||||||
index += '];});'
|
|
||||||
return index.encode('utf-8')
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_ipaserver/test_jsplugins.py b/ipatests/test_ipaserver/test_jsplugins.py
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..354e6992c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ipatests/test_ipaserver/test_jsplugins.py
|
|
||||||
@@ -0,0 +1,68 @@
|
|
||||||
+# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
|
|
||||||
+
|
|
||||||
+import os
|
|
||||||
+import pytest
|
|
||||||
+
|
|
||||||
+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
|
|
||||||
+from ipatests.util import assert_equal, assert_not_equal
|
|
||||||
+from ipaplatform.paths import paths
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.mark.tier1
|
|
||||||
+class test_jsplugins(Unauthorized_HTTP_test):
|
|
||||||
+ app_uri = '/ipa/ui/js/freeipa/plugins.js'
|
|
||||||
+ jsplugins = (('foo', 'foo.js'), ('bar', ''))
|
|
||||||
+ content_type = 'application/javascript'
|
|
||||||
+
|
|
||||||
+ def test_jsplugins(self):
|
|
||||||
+ empty_response = "define([],function(){return[];});"
|
|
||||||
+
|
|
||||||
+ # Step 1: make sure default response has no additional plugins
|
|
||||||
+ response = self.send_request(method='GET')
|
|
||||||
+ assert_equal(response.status, 200)
|
|
||||||
+ response_data = response.read().decode(encoding='utf-8')
|
|
||||||
+ assert_equal(response_data, empty_response)
|
|
||||||
+
|
|
||||||
+ # Step 2: add fake plugins
|
|
||||||
+ try:
|
|
||||||
+ for (d, f) in self.jsplugins:
|
|
||||||
+ dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
|
|
||||||
+ if not os.path.exists(dir):
|
|
||||||
+ os.mkdir(dir, 0o755)
|
|
||||||
+ if f:
|
|
||||||
+ with open(os.path.join(dir, f), 'w') as js:
|
|
||||||
+ js.write("/* test js plugin */")
|
|
||||||
+
|
|
||||||
+ except OSError as e:
|
|
||||||
+ pytest.skip(
|
|
||||||
+ 'Cannot set up test JS plugin: %s' % e
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # Step 3: query plugins to see if our plugins exist
|
|
||||||
+ response = self.send_request(method='GET')
|
|
||||||
+ assert_equal(response.status, 200)
|
|
||||||
+ response_data = response.read().decode(encoding='utf-8')
|
|
||||||
+ assert_not_equal(response_data, empty_response)
|
|
||||||
+ for (d, f) in self.jsplugins:
|
|
||||||
+ if f:
|
|
||||||
+ assert "'" + d + "'" in response_data
|
|
||||||
+ else:
|
|
||||||
+ assert "'" + d + "'" not in response_data
|
|
||||||
+
|
|
||||||
+ # Step 4: remove fake plugins
|
|
||||||
+ try:
|
|
||||||
+ for (d, f) in self.jsplugins:
|
|
||||||
+ dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
|
|
||||||
+ file = os.path.join(dir, f)
|
|
||||||
+ if f and os.path.exists(file):
|
|
||||||
+ os.unlink(file)
|
|
||||||
+ if os.path.exists(dir):
|
|
||||||
+ os.rmdir(dir)
|
|
||||||
+ except OSError:
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
+ # Step 5: make sure default response has no additional plugins
|
|
||||||
+ response = self.send_request(method='GET')
|
|
||||||
+ assert_equal(response.status, 200)
|
|
||||||
+ response_data = response.read().decode(encoding='utf-8')
|
|
||||||
+ assert_equal(response_data, empty_response)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,76 +0,0 @@
|
|||||||
From d5cca835d5439331c05475d0ad2f993ac6f8b615 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sudhir Menon <sumenon@redhat.com>
|
|
||||||
Date: Wed, 11 Nov 2020 14:55:32 +0530
|
|
||||||
Subject: [PATCH] ipatests: support subordinate upn suffixes
|
|
||||||
|
|
||||||
This test adds new UPN Suffix on the AD side
|
|
||||||
within the ad.test subtree i.e new.ad.test and this
|
|
||||||
UPN is then assigned to aduser and then try to
|
|
||||||
kinit using aduser along with the UPN set, to ensure
|
|
||||||
that the kinit succeeds
|
|
||||||
|
|
||||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_trust.py | 45 +++++++++++++++++++++++++
|
|
||||||
1 file changed, 45 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 7e4dbcc6e..31349ced7 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -245,6 +245,51 @@ class TestTrust(BaseTestTrust):
|
|
||||||
self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
|
|
||||||
stdin_text=self.upn_password)
|
|
||||||
|
|
||||||
+ def test_subordinate_suffix(self):
|
|
||||||
+ """Test subordinate UPN Suffixes"""
|
|
||||||
+ tasks.configure_dns_for_trust(self.master, self.ad)
|
|
||||||
+ tasks.establish_trust_with_ad(
|
|
||||||
+ self.master, self.ad_domain,
|
|
||||||
+ extra_args=['--range-type', 'ipa-ad-trust'])
|
|
||||||
+ # Clear all UPN Suffixes
|
|
||||||
+ ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
|
|
||||||
+ self.ad.run_command(["powershell", "-c", ps_cmd])
|
|
||||||
+ result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
|
|
||||||
+ assert (
|
|
||||||
+ "ipantadditionalsuffixes: {}".format(self.upn_suffix)
|
|
||||||
+ not in result.stdout_text
|
|
||||||
+ )
|
|
||||||
+ # Run Get-ADForest
|
|
||||||
+ ps_cmd1 = "Get-ADForest"
|
|
||||||
+ self.ad.run_command(["powershell", "-c", ps_cmd1])
|
|
||||||
+ # Add new UPN for AD
|
|
||||||
+ ps_cmd2 = (
|
|
||||||
+ 'Get-ADForest | Set-ADForest -UPNSuffixes '
|
|
||||||
+ '@{add="new.ad.test", "upn.dom"}'
|
|
||||||
+ )
|
|
||||||
+ self.ad.run_command(["powershell", "-c", ps_cmd2])
|
|
||||||
+ self.ad.run_command(["powershell", "-c", ps_cmd1])
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ["ipa", "trust-fetch-domains", self.ad_domain],
|
|
||||||
+ raiseonerr=False)
|
|
||||||
+ self.master.run_command(["ipa", "trust-show", self.ad_domain])
|
|
||||||
+ # Set UPN for the aduser
|
|
||||||
+ ps_cmd3 = (
|
|
||||||
+ 'set-aduser -UserPrincipalName '
|
|
||||||
+ 'Administrator@new.ad.test -Identity Administrator'
|
|
||||||
+ )
|
|
||||||
+ self.ad.run_command(["powershell", "-c", ps_cmd3])
|
|
||||||
+ # kinit to IPA using AD user Administrator@new.ad.test
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ["getent", "passwd", "Administrator@new.ad.test"]
|
|
||||||
+ )
|
|
||||||
+ assert result.returncode == 0
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ["kinit", "-E", "Administrator@new.ad.test"],
|
|
||||||
+ stdin_text="Secret123",
|
|
||||||
+ )
|
|
||||||
+ tasks.kdestroy_all(self.master)
|
|
||||||
+
|
|
||||||
def test_remove_nonposix_trust(self):
|
|
||||||
self.remove_trust(self.ad)
|
|
||||||
tasks.unconfigure_dns_for_trust(self.master, self.ad)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,114 +0,0 @@
|
|||||||
From 1f0702bf9231a4898a2d58325fc51c71fea25047 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 23 Oct 2020 18:45:09 +0300
|
|
||||||
Subject: [PATCH] ipa-kdb: support subordinate/superior UPN suffixes
|
|
||||||
|
|
||||||
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
|
|
||||||
trusted domain information in Active Directory to conform certain rules.
|
|
||||||
One side-effect of those rules is that list of UPN suffixes reported
|
|
||||||
through the netr_DsRGetForestTrustInformation function is dynamically
|
|
||||||
filtered to deduplicate subordinate suffixes.
|
|
||||||
|
|
||||||
It means that if list of UPN suffixes contains the following top level
|
|
||||||
names (TLNs):
|
|
||||||
|
|
||||||
fabrikam.com
|
|
||||||
sub.fabrikam.com
|
|
||||||
|
|
||||||
then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
|
|
||||||
as the TLN, fully filtering 'sub.fabrikam.com'.
|
|
||||||
|
|
||||||
IPA KDB driver used exact comparison of the UPN suffixes so any
|
|
||||||
subordinate had to be specified exactly.
|
|
||||||
|
|
||||||
Modify logic so that if exact check does not succeed, we validate a
|
|
||||||
realm to test being a subordinate of the known UPN suffixes. The
|
|
||||||
subordinate check is done by making sure UPN suffix is at the end of the
|
|
||||||
test realm and is immediately preceded with a dot.
|
|
||||||
|
|
||||||
Because the function to check suffixes potentially called for every
|
|
||||||
Kerberos principal, precalculate and cache length for each UPN suffix at
|
|
||||||
the time we retrieve the list of them.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8554
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 30 +++++++++++++++++++++++++
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 1 +
|
|
||||||
2 files changed, 31 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 29dadc183..692f542c9 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -2393,6 +2393,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
|
||||||
free((*mspac)->trusts[i].upn_suffixes[j]);
|
|
||||||
}
|
|
||||||
free((*mspac)->trusts[i].upn_suffixes);
|
|
||||||
+ free((*mspac)->trusts[i].upn_suffixes_len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
free((*mspac)->trusts);
|
|
||||||
@@ -2603,6 +2604,24 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ t[n].upn_suffixes_len = NULL;
|
|
||||||
+ if (t[n].upn_suffixes != NULL) {
|
|
||||||
+ size_t len = 0;
|
|
||||||
+
|
|
||||||
+ for (; t[n].upn_suffixes[len] != NULL; len++);
|
|
||||||
+
|
|
||||||
+ if (len != 0) {
|
|
||||||
+ t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
|
|
||||||
+ if (t[n].upn_suffixes_len == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ for (i = 0; i < len; i++) {
|
|
||||||
+ t[n].upn_suffixes_len[i] = strlen(t[n].upn_suffixes[i]);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
|
|
||||||
&sid_blacklist_incoming);
|
|
||||||
|
|
||||||
@@ -2972,6 +2991,17 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
|
|
||||||
result = strncasecmp(test_realm,
|
|
||||||
ipactx->mspac->trusts[i].upn_suffixes[j],
|
|
||||||
size) == 0;
|
|
||||||
+ if (!result) {
|
|
||||||
+ /* if UPN suffix did not match exactly, find if it is
|
|
||||||
+ * superior to the test_realm, e.g. if test_realm ends
|
|
||||||
+ * with the UPN suffix prefixed with dot*/
|
|
||||||
+ size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
|
|
||||||
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
|
|
||||||
+ result = strncasecmp(test_realm + (size - len),
|
|
||||||
+ ipactx->mspac->trusts[i].upn_suffixes[j],
|
|
||||||
+ len) == 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
if (result)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
||||||
index 30382d2ee..b21aa163f 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
||||||
@@ -48,6 +48,7 @@ struct ipadb_adtrusts {
|
|
||||||
struct ipadb_adtrusts *parent;
|
|
||||||
char *parent_name;
|
|
||||||
char **upn_suffixes;
|
|
||||||
+ size_t *upn_suffixes_len;
|
|
||||||
};
|
|
||||||
|
|
||||||
int string_to_sid(const char *str, struct dom_sid *sid);
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
From 6b224e57672e3f73f93bb9eddd9031e945529a1e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Tue, 24 Nov 2020 16:03:36 +0200
|
|
||||||
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root
|
|
||||||
|
|
||||||
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
|
|
||||||
subordinate UPN suffixes but missed the case where subordinate UPN is a
|
|
||||||
subdomain of the forest root domain and not mentioned in the UPN
|
|
||||||
suffixes list.
|
|
||||||
|
|
||||||
Correct this situation by applying the same check to the trusted domain
|
|
||||||
name as well.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8554
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++++++++++-
|
|
||||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index f2bd60e11..c6ac593ca 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
|
|
||||||
|
|
||||||
/* Iterate through list of trusts and check if input realm belongs to any of the trust */
|
|
||||||
for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
|
||||||
+ size_t len = 0;
|
|
||||||
result = strncasecmp(test_realm,
|
|
||||||
ipactx->mspac->trusts[i].domain_name,
|
|
||||||
size) == 0;
|
|
||||||
|
|
||||||
+ if (!result) {
|
|
||||||
+ len = strlen(ipactx->mspac->trusts[i].domain_name);
|
|
||||||
+ if ((size > len) && (test_realm[size - len - 1] == '.')) {
|
|
||||||
+ result = strncasecmp(test_realm + (size - len),
|
|
||||||
+ ipactx->mspac->trusts[i].domain_name,
|
|
||||||
+ len) == 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
|
|
||||||
result = strncasecmp(test_realm,
|
|
||||||
ipactx->mspac->trusts[i].flat_name,
|
|
||||||
@@ -2995,7 +3005,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
|
|
||||||
/* if UPN suffix did not match exactly, find if it is
|
|
||||||
* superior to the test_realm, e.g. if test_realm ends
|
|
||||||
* with the UPN suffix prefixed with dot*/
|
|
||||||
- size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
|
|
||||||
+ len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
|
|
||||||
if ((size > len) && (test_realm[size - len - 1] == '.')) {
|
|
||||||
result = strncasecmp(test_realm + (size - len),
|
|
||||||
ipactx->mspac->trusts[i].upn_suffixes[j],
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,127 +0,0 @@
|
|||||||
From 81cbee4e3ff2e667946e0d41097b402257608b7e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 6 Nov 2020 14:07:10 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code
|
|
||||||
|
|
||||||
When initializing UPN suffixes, we calculate their sizes and didn't use
|
|
||||||
the right variable to allocate their size. This affects us if there are
|
|
||||||
more than one UPN suffix available for a trust due to memory corruption
|
|
||||||
while filling in sizes.
|
|
||||||
|
|
||||||
Add unit test for multiple UPN suffixes.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8566
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
|
|
||||||
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 50 +++++++++++++++++++++++++++
|
|
||||||
2 files changed, 51 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index dd29db190..fe5b586b6 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
for (; t[n].upn_suffixes[len] != NULL; len++);
|
|
||||||
|
|
||||||
if (len != 0) {
|
|
||||||
- t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
|
|
||||||
+ t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
|
|
||||||
if (t[n].upn_suffixes_len == NULL) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
||||||
index d3ef5c00d..752b24ea4 100644
|
|
||||||
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
||||||
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
||||||
@@ -71,6 +71,10 @@
|
|
||||||
#define DOM_SID "S-1-5-21-1-2-3"
|
|
||||||
#define DOM_SID_TRUST "S-1-5-21-4-5-6"
|
|
||||||
#define BLACKLIST_SID "S-1-5-1"
|
|
||||||
+#define NUM_SUFFIXES 10
|
|
||||||
+#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
|
|
||||||
+#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
|
|
||||||
+#define EXTERNAL_REALM "WRONG.DOMAIN"
|
|
||||||
|
|
||||||
static int setup(void **state)
|
|
||||||
{
|
|
||||||
@@ -92,6 +96,9 @@
|
|
||||||
ipa_ctx = calloc(1, sizeof(struct ipadb_context));
|
|
||||||
assert_non_null(ipa_ctx);
|
|
||||||
|
|
||||||
+ kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
|
|
||||||
+ assert_int_equal(kerr, 0);
|
|
||||||
+
|
|
||||||
ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
|
|
||||||
assert_non_null(ipa_ctx->mspac);
|
|
||||||
|
|
||||||
@@ -126,6 +133,15 @@
|
|
||||||
&ipa_ctx->mspac->trusts[0].sid_blacklist_incoming[0]);
|
|
||||||
assert_int_equal(ret, 0);
|
|
||||||
|
|
||||||
+ ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
|
|
||||||
+ ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
|
|
||||||
+ for (size_t i = 0; i < NUM_SUFFIXES; i++) {
|
|
||||||
+ asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
|
|
||||||
+ ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
|
|
||||||
+ strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ipa_ctx->kcontext = krb5_ctx;
|
|
||||||
kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
|
|
||||||
assert_int_equal(kerr, 0);
|
|
||||||
@@ -478,6 +494,38 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
+void test_check_trusted_realms(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx;
|
|
||||||
+ krb5_error_code kerr = 0;
|
|
||||||
+ char *trusted_realm = NULL;
|
|
||||||
+
|
|
||||||
+ test_ctx = (struct test_ctx *) *state;
|
|
||||||
+
|
|
||||||
+ for(size_t i = 0; i < NUM_SUFFIXES; i++) {
|
|
||||||
+ char *test_realm = NULL;
|
|
||||||
+ asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
|
|
||||||
+
|
|
||||||
+ if (test_realm) {
|
|
||||||
+ kerr = ipadb_is_princ_from_trusted_realm(
|
|
||||||
+ test_ctx->krb5_ctx,
|
|
||||||
+ test_realm,
|
|
||||||
+ strlen(test_realm),
|
|
||||||
+ &trusted_realm);
|
|
||||||
+ assert_int_equal(kerr, 0);
|
|
||||||
+ free(test_realm);
|
|
||||||
+ free(trusted_realm);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ kerr = ipadb_is_princ_from_trusted_realm(
|
|
||||||
+ test_ctx->krb5_ctx,
|
|
||||||
+ EXTERNAL_REALM,
|
|
||||||
+ strlen(EXTERNAL_REALM),
|
|
||||||
+ &trusted_realm);
|
|
||||||
+ assert_int_equal(kerr, KRB5_KDB_NOENTRY);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int main(int argc, const char *argv[])
|
|
||||||
{
|
|
||||||
const struct CMUnitTest tests[] = {
|
|
||||||
@@ -488,6 +536,8 @@
|
|
||||||
cmocka_unit_test(test_string_to_sid),
|
|
||||||
cmocka_unit_test_setup_teardown(test_dom_sid_string,
|
|
||||||
setup, teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_check_trusted_realms,
|
|
||||||
+ setup, teardown),
|
|
||||||
};
|
|
||||||
|
|
||||||
return cmocka_run_group_tests(tests, NULL, NULL);
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
Load Diff
@ -1,134 +0,0 @@
|
|||||||
From 2f8e87ce9ccaab51b32a395c6cf6c764434ed0e2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Thomas Woerner <twoerner@redhat.com>
|
|
||||||
Date: Thu, 11 Jun 2020 10:40:57 +0200
|
|
||||||
Subject: [PATCH] Revert "WebUI: use python3-rjsmin to minify JavaScript files"
|
|
||||||
|
|
||||||
This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3.
|
|
||||||
---
|
|
||||||
.lgtm.yml | 4 ++--
|
|
||||||
freeipa.spec.in | 2 +-
|
|
||||||
install/ui/build/freeipa/Makefile.am | 2 +-
|
|
||||||
install/ui/src/webui.profile.js | 4 ++--
|
|
||||||
install/ui/util/build/README | 4 ++--
|
|
||||||
install/ui/util/compile.sh | 8 ++++----
|
|
||||||
6 files changed, 12 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
#diff --git a/.lgtm.yml b/.lgtm.yml
|
|
||||||
#index b3898116e..e63615918 100644
|
|
||||||
#--- a/.lgtm.yml
|
|
||||||
#+++ b/.lgtm.yml
|
|
||||||
#@@ -39,7 +39,7 @@ extraction:
|
|
||||||
# - python3-setuptools
|
|
||||||
# - python3-wheel
|
|
||||||
# - nodejs
|
|
||||||
#- - python3-rjsmin
|
|
||||||
#+ - uglifyjs
|
|
||||||
# - systemd
|
|
||||||
# - 389-ds-base-dev
|
|
||||||
# - libssl-dev
|
|
||||||
#@@ -79,7 +79,7 @@ extraction:
|
|
||||||
# - python3-setuptools
|
|
||||||
# - python3-wheel
|
|
||||||
# - nodejs
|
|
||||||
#- - python3-rjsmin
|
|
||||||
#+ - uglifyjs
|
|
||||||
# - systemd
|
|
||||||
# - 389-ds-base-dev
|
|
||||||
# - libssl-dev
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index b6eb79593..a4682497a 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel
|
|
||||||
BuildRequires: libsss_certmap-devel
|
|
||||||
BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
|
|
||||||
BuildRequires: nodejs(abi)
|
|
||||||
-BuildRequires: python3-rjsmin
|
|
||||||
+BuildRequires: uglify-js
|
|
||||||
BuildRequires: libverto-devel
|
|
||||||
BuildRequires: libunistring-devel
|
|
||||||
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
|
|
||||||
diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am
|
|
||||||
index f4d97819e..05e82f4da 100644
|
|
||||||
--- a/install/ui/build/freeipa/Makefile.am
|
|
||||||
+++ b/install/ui/build/freeipa/Makefile.am
|
|
||||||
@@ -18,6 +18,6 @@ widgets := $(wildcard ../../src/freeipa/widgets/*.js)
|
|
||||||
nav := $(wildcard ../../src/freeipa/navigation/*.js)
|
|
||||||
|
|
||||||
app.js: $(core) $(base) $(widgets) $(nav)
|
|
||||||
- PYTHON=$(PYTHON) $(srcdir)/../../util/make-ui.sh
|
|
||||||
+ $(srcdir)/../../util/make-ui.sh
|
|
||||||
|
|
||||||
core.js: app.js
|
|
||||||
diff --git a/install/ui/src/webui.profile.js b/install/ui/src/webui.profile.js
|
|
||||||
index 2d4d691dc..1d7a6cc84 100644
|
|
||||||
--- a/install/ui/src/webui.profile.js
|
|
||||||
+++ b/install/ui/src/webui.profile.js
|
|
||||||
@@ -9,7 +9,7 @@ var profile = (function(){
|
|
||||||
releaseName: "lib",
|
|
||||||
action: "release",
|
|
||||||
|
|
||||||
- // optimization done separately by python3-rjsmin
|
|
||||||
+ // optimization done separately by uglify.js
|
|
||||||
layerOptimize: false,
|
|
||||||
optimize: false,
|
|
||||||
cssOptimize: false,
|
|
||||||
@@ -123,4 +123,4 @@ var profile = (function(){
|
|
||||||
}
|
|
||||||
}
|
|
||||||
};
|
|
||||||
-})();
|
|
||||||
+})();
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/install/ui/util/build/README b/install/ui/util/build/README
|
|
||||||
index 2c4e0ecac..0772532d4 100644
|
|
||||||
--- a/install/ui/util/build/README
|
|
||||||
+++ b/install/ui/util/build/README
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
build.js is builded dojo builder, with applied patches from 'patches' folder, by
|
|
||||||
-itself and compiled using python3-rjsmin
|
|
||||||
+itself and compiled using uglify.js
|
|
||||||
|
|
||||||
_base/configRhino.js is unmodifed file from dojo/dojo. Required for a build to work.
|
|
||||||
|
|
||||||
@@ -9,4 +9,4 @@ Available via Academic Free License >= 2.1 OR the modified BSD license.
|
|
||||||
see: http://dojotoolkit.org/license for details
|
|
||||||
|
|
||||||
= License =
|
|
||||||
-Full Dojo license is in LICENSE file.
|
|
||||||
+Full Dojo license is in LICENSE file.
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
|
|
||||||
index 1516b815f..d14f90ab0 100755
|
|
||||||
--- a/install/ui/util/compile.sh
|
|
||||||
+++ b/install/ui/util/compile.sh
|
|
||||||
@@ -26,14 +26,14 @@ RDIR=$DIR/../release
|
|
||||||
usage() {
|
|
||||||
cat <<-__EOF__;
|
|
||||||
NAME
|
|
||||||
- compile.sh - Compiles layer file of Dojo build using Python rjsmin.
|
|
||||||
+ compile.sh - Compiles layer file of Dojo build using uglify.js.
|
|
||||||
Deletes all other files.
|
|
||||||
|
|
||||||
SYNOPSIS
|
|
||||||
path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME
|
|
||||||
|
|
||||||
DESCRIPTION
|
|
||||||
- Compiles layer file of Dojo build output using Python rjsmin.
|
|
||||||
+ Compiles layer file of Dojo build output using uglify.js.
|
|
||||||
Deletes all other files.
|
|
||||||
|
|
||||||
OPTIONS
|
|
||||||
@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then
|
|
||||||
OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js
|
|
||||||
fi
|
|
||||||
|
|
||||||
-# compile using python rjsmin
|
|
||||||
+# compile using uglifyjs
|
|
||||||
echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
|
|
||||||
echo "Target file: $OUTPUT_FILE"
|
|
||||||
-${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
|
|
||||||
+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl7hNhYACgkQRxniuKu/
|
|
||||||
Yhq2rxAAnK8YHbQtivjssWz6BBRiU5TKootA3fSqfvbhACYG14629/Dpc5IIkYZ1
|
|
||||||
0AE4CUFA7Oi92emFbxrLJyeSuxuzTxSVmydJ5HW/OTkRRSnmjL5oeBg2D++B9OaO
|
|
||||||
qVAXRZbi5YNfW5y//9BIRzCGw0RHpbR/QjZ1ipDymky6nr5IS+EhfZ0iHeEyiNXd
|
|
||||||
OP3OJv538HSvRrv3mJvz52pKVfegw1OTd8yUnmuPEc9ClQfPQHjXqsOeFYCbR8fg
|
|
||||||
59y0twMMrOc2J4eL0OkNE/By+o+1vAMUwEs736sCdbJJPigerfuK0e7ZxP+x98BP
|
|
||||||
bmIBxv7eUf20Rn3An7+vTqQP60V4tS+FOnc2LD3OpHH4vy34ovWZfYZWVKbg0z1+
|
|
||||||
5E/0TWifhlibbRZctDaxkZfFVchQnixHnO0Awv8wNxRzh/XvvsTPz1zJXk5kHk3r
|
|
||||||
Ws2/GbeWTiJLe8sIXJz0MNTayWLnsDJG6BCRf+K0HwCdL80p4TG71dTwa9PW5HEy
|
|
||||||
UklxW/zfr+chS1AszNgb8wJa6WtDHfQnktJwSSj7CkD3JdUVx+L/cJiOfbCM+WUi
|
|
||||||
BRzhVhNUDX/FkpGUyvC4AYXX+wcwHph9BDChUDqcG886aIK28TAsie3Vwz/F7hKP
|
|
||||||
TYpF1+YIImcRfUQ737pnbHL12o5yzfhkBfD2GMsojEd0x71B3PY=
|
|
||||||
=B33Z
|
|
||||||
-----END PGP SIGNATURE-----
|
|
16
SOURCES/freeipa-4.9.2.tar.gz.asc
Normal file
16
SOURCES/freeipa-4.9.2.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
|
||||||
|
YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
|
||||||
|
k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
|
||||||
|
JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
|
||||||
|
vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
|
||||||
|
YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
|
||||||
|
tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
|
||||||
|
rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
|
||||||
|
wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
|
||||||
|
7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
|
||||||
|
4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
|
||||||
|
Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
|
||||||
|
=XC/f
|
||||||
|
-----END PGP SIGNATURE-----
|
614
SPECS/ipa.spec
614
SPECS/ipa.spec
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user