import ipa-4.8.4-2.module+el8.2.0+5265+c70de5c4

CentOS Sources 2020-01-22 06:15:30 -05:00 committed by Stepan Oksanichenko
parent 7c8968e6e6
commit d1dc358eba
12 changed files with 778 additions and 768 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/freeipa-4.7.90.pre1.tar.gz
SOURCES/freeipa-4.8.4.tar.gz


@ -1 +1 @@
a61a3e7f174a021934368252c4773da6238de820 SOURCES/freeipa-4.7.90.pre1.tar.gz
72c91f01b2039795223417dc6761edf8ee0f36ee SOURCES/freeipa-4.8.4.tar.gz


@ -1,30 +0,0 @@
From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 1 May 2019 16:19:53 -0700
Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
On Fedora/RHEL, it does not have a dash in it. The changes in
da2cf1c5 inadvertently added a dash to the path in the 'base'
paths definition (used on Fedora/RHEL), so the font wasn't found.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
ipaplatform/base/paths.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1cd2591bc..e1d396690 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -249,7 +249,7 @@ class BasePathNamespace:
USERADD = "/usr/sbin/useradd"
FONTS_DIR = "/usr/share/fonts"
FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
- FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
+ FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
--
2.21.0


@ -0,0 +1,47 @@
From 2c2cef7063315766d893b275185b422be3f3c019 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Dec 16 2019 20:37:17 +0000
Subject: DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 36ba6f8..9f08e86 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e)
-
- hst = dnsutil.DNSName(hostname).make_absolute().to_text()
- if hst not in e.kwargs['ns']:
- raise ValueError(str(e))
+ else:
+ hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+ if hst not in e.kwargs['ns']:
+ raise ValueError(str(e))
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
- except ValueError as e:
+ except dnsutil.DNSZoneAlreadyExists as e:
if options.force or options.allow_zone_overlap:
logger.warning('%s', str(e))
else:
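Review bot: In the added `else:` branch of the forward-zone check, `hst not in e.kwargs['ns']` is an exact string match, so a name server reported in a different letter case than `hostname` would not be recognised as the master itself, and the install check would raise on an overlap that is really the server's own zone. DNS names are case-insensitive, so unless the NS list is already normalised where the exception is built (not visible in this hunk), compare folded forms, e.g. `if hst.lower() not in [ns.lower() for ns in e.kwargs['ns']]:`. A short comment on the branch would also help, along the lines of `# overlap is acceptable only when this host is one of the zone's name servers`. install_check starts and continues outside the hunk, so the handling after the final `else:` could not be checked.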


@ -1,32 +0,0 @@
From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 20 Jul 2018 11:06:55 -0400
Subject: [PATCH] No need to call rhel-specific domainname service
It was moved upstream into hostname package which named it
nis-domainname. When it was in the initscripts package there were
separate fedora-domainname and rhel-domainname services.
From F29+ it will be nis-domainname. We can use that as well in
RHEL 8.
---
ipaplatform/rhel/services.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
index 1403d08..06fa633 100644
--- a/ipaplatform/rhel/services.py
+++ b/ipaplatform/rhel/services.py
@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
# to their actual systemd service names
rhel_system_units = redhat_services.redhat_system_units
-# Service that sets domainname on RHEL is called rhel-domainname.service
-rhel_system_units['domainname'] = 'rhel-domainname.service'
-
# Service classes that implement RHEL-specific behaviour
--
2.13.6


@ -1,136 +0,0 @@
From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 1 May 2019 21:25:31 +0300
Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
---
install/share/Makefile.am | 1 -
install/share/min-ssf.ldif | 14 --------------
ipalib/constants.py | 3 ---
ipapython/ipaldap.py | 17 ++---------------
ipaserver/install/dsinstance.py | 5 -----
5 files changed, 2 insertions(+), 38 deletions(-)
delete mode 100644 install/share/min-ssf.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index be83bdf75..8d039d95c 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -94,7 +94,6 @@ dist_app_DATA = \
ipa-kdc-proxy.conf.template \
ipa-pki-proxy.conf.template \
ipa-rewrite.conf.template \
- min-ssf.ldif \
ipaca_default.ini \
ipaca_customize.ini \
ipaca_softhsm2.ini \
diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
deleted file mode 100644
index 1c2566f84..000000000
--- a/install/share/min-ssf.ldif
+++ /dev/null
@@ -1,14 +0,0 @@
-# config
-# pretend SSF for LDAPI connections
-# nsslapd-localssf must be equal to or greater than nsslapd-minssf
-dn: cn=config
-changetype: modify
-replace: nsslapd-localssf
-nsslapd-localssf: 256
-
-# minimum security strength factor for SASL and TLS
-# 56 is considered weak, but some old clients announce wrong SSF.
-dn: cn=config
-changetype: modify
-replace: nsslapd-minssf
-nsslapd-minssf: 56
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bcf6f3373..c22dd26ae 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -311,9 +311,6 @@ TLS_VERSIONS = [
]
TLS_VERSION_MINIMAL = "tls1.0"
-# minimum SASL secure strength factor for LDAP connections
-# 56 provides backwards compatibility with old libraries.
-LDAP_SSF_MIN_THRESHOLD = 56
# Use cache path
USER_CACHE_PATH = (
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index d9d67be1d..9ff443fe4 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -43,9 +43,7 @@ import six
# pylint: disable=ipa-forbidden-import
from ipalib import errors, x509, _
-from ipalib.constants import (
- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
-)
+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
# pylint: enable=ipa-forbidden-import
from ipaplatform.paths import paths
from ipapython.ipautil import format_netloc, CIDict
@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
-def ldap_initialize(uri, cacertfile=None,
- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
+def ldap_initialize(uri, cacertfile=None):
"""Wrapper around ldap.initialize()
The function undoes global and local ldap.conf settings that may cause
@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
locations, also known as system-wide trust store.
* Cert validation is enforced.
* SSLv2 and SSLv3 are disabled.
- * Require a minimum SASL security factor of 56. That level ensures
- data integrity and confidentiality. Although at least AES128 is
- enforced pretty much everywhere, 56 is required for backwards
- compatibility with systems that announce wrong SSF.
"""
conn = ldap.initialize(uri)
@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
if not uri.startswith('ldapi://'):
- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
- # if the current value is already larger.
- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
- if cur_min_ssf < ssf_min_threshold:
- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
-
if cacertfile:
if not os.path.isfile(cacertfile):
raise IOError(errno.ENOENT, cacertfile)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 8240e3043..9f05db1db 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -324,8 +324,6 @@ class DsInstance(service.Service):
else:
self.step("importing CA certificates from LDAP",
self.__import_ca_certs)
- # set min SSF after DS is configured for TLS
- self.step("require minimal SSF", self.__min_ssf)
self.step("restarting directory server", self.__restart_instance)
self.start_creation()
@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
dm_password=self.dm_password
)
- def __min_ssf(self):
- self._ldap_mod("min-ssf.ldif")
-
def __add_sudo_binduser(self):
self._ldap_mod("sudobind.ldif", self.sub_dict)
--
2.21.0


@ -1,44 +0,0 @@
From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 11 May 2019 11:54:40 +0300
Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured
Fixes: https://pagure.io/freeipa/issue/7939
---
ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 6b4e2caa2..cdc3a8b04 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
- trusts = ldap.get_entries(
- base_dn=trusts_dn,
- scope=ldap.SCOPE_ONELEVEL,
- filter=self.trust_filter,
- attrs_list=self.trust_attrs)
+ # We might be in a situation when no trusts exist yet
+ # In such case there is nothing to upgrade but we have to catch
+ # an exception or it will abort the whole upgrade process
+ try:
+ trusts = ldap.get_entries(
+ base_dn=trusts_dn,
+ scope=ldap.SCOPE_ONELEVEL,
+ filter=self.trust_filter,
+ attrs_list=self.trust_attrs)
+ except errors.EmptyResult:
+ trusts = []
# For every trust, retrieve its principals and convert
for t_entry in trusts:
--
2.21.0

File diff suppressed because one or more lines are too long


@ -1,3 +1,12 @@
Addtional patches that need to be partly reverted that are touching csrgen
related files:
7b8a2af2197381058ca532d1ae206defb16fac88
ac6568dcf58ec8d06df5493d14a28aa41845d4ef
9c86d35a3f0af4a793fada7dfe726e9cc66782ea
9836511a2b6d7cf48b1a54cb3158e5eac674081a
b431e9b684df11c811892bd9d2a5711355f0076e
This is a collection of an existing patch to remove csrgen for 4.7.1 and
additional patches that have been added for 4.7.90 pre1.
@ -91,10 +100,10 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630
delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
delete mode 100644 ipatests/test_ipaclient/test_csrgen.py
diff -urN freeipa-4.7.90.pre1.orig/freeipa.spec.in freeipa-4.7.90.pre1/freeipa.spec.in
--- freeipa-4.7.90.pre1.orig/freeipa.spec.in 2019-04-29 08:28:24.722860593 +0200
+++ freeipa-4.7.90.pre1/freeipa.spec.in 2019-05-06 18:31:26.443792711 +0200
@@ -1225,13 +1225,6 @@
diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in
--- freeipa-4.8.0/freeipa.spec.in 2019-06-29 10:01:30.458735813 +0200
+++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in 2019-07-03 13:24:38.471222723 +0200
@@ -1247,13 +1247,6 @@
%dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
@ -108,9 +117,9 @@ diff -urN freeipa-4.7.90.pre1.orig/freeipa.spec.in freeipa-4.7.90.pre1/freeipa.s
%{python3_sitelib}/ipaclient-*.egg-info
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/caIPAserviceCert.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.json 2019-04-29 17:06:41.408224320 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/caIPAserviceCert.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json
--- freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json 2019-07-03 08:42:41.844539797 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-[
- {
@ -127,9 +136,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/caIPAserviceCert.js
- ]
- }
-]
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/userCert.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json 2019-04-29 17:06:41.417224194 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/profiles/userCert.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json
--- freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json 2019-07-03 08:42:41.848539737 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,15 +0,0 @@
-[
- {
@ -146,9 +155,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/profiles/userCert.json freei
- ]
- }
-]
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataDNS.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json 2019-04-29 17:06:41.422224125 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataDNS.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json 2019-07-03 08:42:41.853539663 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -158,9 +167,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataDNS.json freeipa-4
- "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataEmail.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json 2019-04-29 17:06:41.426224069 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataEmail.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json 2019-07-03 08:42:41.857539603 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -170,9 +179,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataEmail.json freeipa
- "data_source": "subject.mail.0"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataHostCN.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json 2019-04-29 17:06:41.430224013 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataHostCN.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json 2019-07-03 08:42:41.861539544 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -182,9 +191,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataHostCN.json freeip
- "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataSubjectBase.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json 2019-04-29 17:06:41.437223916 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataSubjectBase.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json 2019-07-03 08:42:41.865539484 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -194,9 +203,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataSubjectBase.json f
- "data_source": "config.ipacertificatesubjectbase.0"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataUsernameCN.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json 2019-04-29 17:06:41.449223748 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/dataUsernameCN.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json 2019-07-03 08:42:41.869539424 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -206,9 +215,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/dataUsernameCN.json fr
- "data_source": "subject.uid.0"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSAN.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json 2019-04-29 17:06:41.456223650 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSAN.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json 2019-07-03 08:42:41.874539350 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -218,9 +227,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSAN.json freeipa
- "extension": true
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSubject.json
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json 2019-04-29 17:06:41.461223581 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/rules/syntaxSubject.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json
--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json 2019-07-03 08:42:41.878539290 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,9 +0,0 @@
-{
- "rule": {
@ -231,9 +240,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/rules/syntaxSubject.json fre
- "data_source_combinator": "and"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_base.tmpl
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl 2019-04-29 17:06:41.469223469 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_base.tmpl 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl
--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl 2019-07-03 08:42:41.882539231 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl 1970-01-01 01:00:00.000000000 +0100
@@ -1,17 +0,0 @@
-{% raw -%}
-{% import "openssl_macros.tmpl" as openssl -%}
@ -252,9 +261,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_base.tmpl
-{% endif %}
-{{ openssl.openssl_sections|join('\n\n') }}
-{%- endraw %}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_macros.tmpl
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmpl 2019-04-29 17:06:41.475223385 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen/templates/openssl_macros.tmpl 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl
--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl 2019-07-03 08:42:41.886539171 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl 1970-01-01 01:00:00.000000000 +0100
@@ -1,29 +0,0 @@
-{# List containing rendered sections to be included at end #}
-{% set openssl_sections = [] %}
@ -285,10 +294,10 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen/templates/openssl_macros.tmp
-[ {{ name }} ]
-{{ contents -}}
-{% endmacro %}
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/ipaclient/csrgen_ffi.py
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py 2019-04-29 17:06:41.367224892 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen_ffi.py 1970-01-01 01:00:00.000000000 +0100
@@ -1,331 +0,0 @@
diff -urN freeipa-4.8.0/ipaclient/csrgen_ffi.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py
--- freeipa-4.8.0/ipaclient/csrgen_ffi.py 2019-07-03 08:42:41.816540214 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py 1970-01-01 01:00:00.000000000 +0100
@@ -1,387 +0,0 @@
-from cffi import FFI
-import ctypes.util
-
@ -297,6 +306,48 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
-_ffi = FFI()
-
-_ffi.cdef('''
-/* libcrypto/crypto.h */
-unsigned long OpenSSL_version_num(void);
-unsigned long SSLeay(void);
-const char * OpenSSL_version(int t);
-const char * SSLeay_version(int t);
-
-#define OPENSSL_VERSION 0
-''')
-
-_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))
-
-# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0
-# LibreSSL has OpenSSL_version since 2.7.0
-try:
- OpenSSL_version = _libcrypto.OpenSSL_version
-except AttributeError:
- OpenSSL_version = _libcrypto.SSLeay_version
-
-_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION)
-_version = _ffi.string(_version).decode('utf-8')
-LIBRESSL = _version.startswith('LibreSSL')
-if not _version.startswith("OpenSSL") and not LIBRESSL:
- raise ImportError("Only LibreSSL and OpenSSL are supported")
-
-# SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0
-# LibreSSL has OpenSSL_version_num since 2.7.0
-try:
- OpenSSL_version_num = _libcrypto.OpenSSL_version_num
-except AttributeError:
- OpenSSL_version_num = _libcrypto.SSLeay
-
-# OpenSSL_version_num()/SSLeay() returns the value of OPENSSL_VERSION_NUMBER
-#
-# OPENSSL_VERSION_NUMBER is a numeric release version identifier:
-# MNNFFPPS: major minor fix patch status
-# For example,
-# 0x000906000 == 0.9.6 dev
-# 0x000906023 == 0.9.6b beta 3
-# 0x00090605f == 0.9.6e release
-_openssl_version = OpenSSL_version_num()
-
-_ffi.cdef('''
-typedef ... CONF;
-typedef ... CONF_METHOD;
-typedef ... BIO;
@ -350,7 +401,6 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
-typedef ... ASN1_BIT_STRING;
-typedef ... ASN1_OBJECT;
-typedef ... X509;
-typedef ... X509_ALGOR;
-typedef ... X509_CRL;
-typedef ... X509_NAME;
-typedef ... X509_PUBKEY;
@ -364,14 +414,23 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
- /* d=2 hl=2 l= 0 cons: cont: 00 */
- ipa_STACK_OF_X509_ATTRIBUTE *attributes; /* [ 0 ] */
-} X509_REQ_INFO;
-''')
-
-typedef struct X509_req_st {
- X509_REQ_INFO *req_info;
- X509_ALGOR *sig_alg;
- ASN1_BIT_STRING *signature;
- int references;
-} X509_REQ;
-# since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO
-if _openssl_version >= 0x10100000 and not LIBRESSL:
- _ffi.cdef('''
- typedef struct X509_req_st {
- X509_REQ_INFO req_info;
- } X509_REQ;
- ''')
-else:
- _ffi.cdef('''
- typedef struct X509_req_st {
- X509_REQ_INFO *req_info;
- } X509_REQ;
- ''')
-
-_ffi.cdef('''
-X509_REQ *X509_REQ_new(void);
-void X509_REQ_free(X509_REQ *);
-EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
@ -409,10 +468,7 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
-char *ERR_error_string(unsigned long e, char *buf);
-''') # noqa: E501
-
-_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))
-
-NULL = _ffi.NULL
-
-# openssl/conf.h
-NCONF_new = _libcrypto.NCONF_new
-NCONF_free = _libcrypto.NCONF_free
@ -597,13 +653,22 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
- reqdata, ext_ctx, extn_section, req):
- _raise_openssl_errors()
-
- der_len = i2d_X509_REQ_INFO(req.req_info, NULL)
- if _openssl_version < 0x10100000 or LIBRESSL:
- der_len = i2d_X509_REQ_INFO(req.req_info, NULL)
- else:
- req_info = _ffi.new("X509_REQ_INFO *", req.req_info)
- der_len = i2d_X509_REQ_INFO(req_info, NULL)
- req.req_info = req_info[0]
- if der_len < 0:
- _raise_openssl_errors()
-
- der_buf = _ffi.new("unsigned char[%d]" % der_len)
- der_out = _ffi.new("unsigned char **", der_buf)
- der_len = i2d_X509_REQ_INFO(req.req_info, der_out)
- if _openssl_version < 0x10100000 or LIBRESSL:
- der_len = i2d_X509_REQ_INFO(req.req_info, der_out)
- else:
- der_len = i2d_X509_REQ_INFO(req_info, der_out)
- req.req_info = req_info[0]
- if der_len < 0:
- _raise_openssl_errors()
-
@ -620,9 +685,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen_ffi.py freeipa-4.7.90.pre1/i
- BIO_free(pubkey_bio)
- if pubkey != NULL:
- EVP_PKEY_free(pubkey)
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py freeipa-4.7.90.pre1/ipaclient/csrgen.py
--- freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py 2019-04-29 17:06:41.360224990 +0200
+++ freeipa-4.7.90.pre1/ipaclient/csrgen.py 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py
--- freeipa-4.8.0/ipaclient/csrgen.py 2019-07-03 08:42:41.811540288 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py 1970-01-01 01:00:00.000000000 +0100
@@ -1,488 +0,0 @@
-#
-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
@ -1112,9 +1177,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/csrgen.py freeipa-4.7.90.pre1/ipacl
-
- def sign_csr(self, certification_request_info):
- raise NotImplementedError('NSS is not yet supported')
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py freeipa-4.7.90.pre1/ipaclient/plugins/cert.py
--- freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py 2019-04-29 17:06:41.645221012 +0200
+++ freeipa-4.7.90.pre1/ipaclient/plugins/cert.py 2019-05-06 18:31:28.384751096 +0200
diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py
--- freeipa-4.8.0/ipaclient/plugins/cert.py 2019-07-03 08:42:41.978537802 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py 2019-07-03 13:24:38.477222594 +0200
@@ -21,8 +21,6 @@
import base64
@ -1222,9 +1287,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py freeipa-4.7.90.pre1
@register(override=True, no_fail=True)
class cert_show(CertRetrieveOverride):
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig freeipa-4.7.90.pre1/ipaclient/plugins/cert.py.orig
--- freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig 1970-01-01 01:00:00.000000000 +0100
+++ freeipa-4.7.90.pre1/ipaclient/plugins/cert.py.orig 2019-04-29 17:06:41.645221012 +0200
diff -urN freeipa-4.8.0/ipaclient/plugins/cert.py.orig freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig
--- freeipa-4.8.0/ipaclient/plugins/cert.py.orig 1970-01-01 01:00:00.000000000 +0100
+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/cert.py.orig 2019-07-03 13:24:38.478222573 +0200
@@ -0,0 +1,215 @@
+# Authors:
+# Andrew Wnuk <awnuk@redhat.com>
@ -1441,9 +1506,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/cert.py.orig freeipa-4.7.90
+ options.pop('file'))
+
+ return super(cert_find, self).forward(*args, **options)
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py freeipa-4.7.90.pre1/ipaclient/plugins/csrgen.py
--- freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py 2019-04-29 17:06:41.669220677 +0200
+++ freeipa-4.7.90.pre1/ipaclient/plugins/csrgen.py 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipaclient/plugins/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py
--- freeipa-4.8.0/ipaclient/plugins/csrgen.py 2019-07-03 08:42:41.990537623 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/plugins/csrgen.py 1970-01-01 01:00:00.000000000 +0100
@@ -1,128 +0,0 @@
-#
-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
@ -1573,9 +1638,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/plugins/csrgen.py freeipa-4.7.90.pr
- return dict(
- result=result
- )
diff -urN freeipa-4.7.90.pre1.orig/ipaclient/setup.py freeipa-4.7.90.pre1/ipaclient/setup.py
--- freeipa-4.7.90.pre1.orig/ipaclient/setup.py 2019-04-29 17:06:41.393224529 +0200
+++ freeipa-4.7.90.pre1/ipaclient/setup.py 2019-05-06 18:33:16.002443738 +0200
diff -urN freeipa-4.8.0/ipaclient/setup.py freeipa-4.8.0.removed_csrgen/ipaclient/setup.py
--- freeipa-4.8.0/ipaclient/setup.py 2019-07-03 08:42:41.836539916 +0200
+++ freeipa-4.8.0.removed_csrgen/ipaclient/setup.py 2019-07-03 13:24:38.479222551 +0200
@@ -41,13 +41,6 @@
"ipaclient.remote_plugins.2_156",
"ipaclient.remote_plugins.2_164",
@ -1598,9 +1663,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipaclient/setup.py freeipa-4.7.90.pre1/ipacli
"ldap": ["python-ldap"], # ipapython.ipaldap
},
zip_safe=False,
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 2019-04-29 17:06:49.265114643 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 2019-07-03 08:42:45.972478335 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-[ req ]
-prompt = no
@ -1618,9 +1683,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/conf
-
-[ sec2 ]
-subjectAltName = @sec1
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 2019-04-29 17:06:49.277114475 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 2019-07-03 08:42:45.976478276 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-[ req ]
-prompt = no
@ -1638,9 +1703,9 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/conf
-
-[ sec2 ]
-subjectAltName = @sec1
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 2019-04-29 17:06:49.283114391 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 2019-07-03 08:42:45.980478216 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-[
- {
@ -1650,18 +1715,18 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/prof
- ]
- }
-]
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 2019-04-29 17:06:49.294114238 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 2019-07-03 08:42:45.984478157 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
-{
- "rule": {
- "template": "openssl_rule"
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 2019-04-29 17:06:49.300114154 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 2019-07-03 08:42:45.988478097 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/rules/options.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,8 +0,0 @@
-{
- "rule": {
@ -1671,14 +1736,14 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/rule
- "rule_option": true
- }
-}
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 2019-04-29 17:06:49.313113973 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
--- freeipa-4.8.0/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 2019-07-03 08:42:45.993478023 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-{{ options|join(";") }}
diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py freeipa-4.7.90.pre1/ipatests/test_ipaclient/test_csrgen.py
--- freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py 2019-04-29 17:06:49.251114838 +0200
+++ freeipa-4.7.90.pre1/ipatests/test_ipaclient/test_csrgen.py 1970-01-01 01:00:00.000000000 +0100
diff -urN freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py
--- freeipa-4.8.0/ipatests/test_ipaclient/test_csrgen.py 2019-07-03 08:42:45.963478469 +0200
+++ freeipa-4.8.0.removed_csrgen/ipatests/test_ipaclient/test_csrgen.py 1970-01-01 01:00:00.000000000 +0100
@@ -1,304 +0,0 @@
-#
-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
@ -1941,7 +2006,7 @@ diff -urN freeipa-4.7.90.pre1.orig/ipatests/test_ipaclient/test_csrgen.py freeip
-
- with pytest.raises(
- errors.CSRTemplateError,
- message='unrecognised attribute type: X'):
- match=r'^unrecognised attribute type: X$'):
- csrgen_ffi.build_requestinfo(
- config.encode('utf-8'), adaptor.get_subject_public_key_info())
-


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=5N4+
-----END PGP SIGNATURE-----


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=TTzs
-----END PGP SIGNATURE-----


@ -55,26 +55,28 @@
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.16.1
%global krb5_version 1.17-12
%global krb5_kdb_version 7.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.7.0
%global selinux_policy_version 3.14.1-14
%global samba_version 4.10.4-9
# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files
%global selinux_policy_version 3.14.3-24
%global slapi_nis_version 0.56.1-4
%global python_ldap_version 3.1.0-1
# python3-lib389
# Fix for "Installation fails: Replica Busy"
# https://pagure.io/389-ds-base/issue/49818
%global ds_version 1.4.0.16
# currently set to 1.4.1.3 until 389-ds rebases to 1.4.2
%global ds_version 1.4.1.3
%else
# Fedora
%global package_name freeipa
%global alt_name ipa
# Fix for CVE-2018-20217
%global krb5_version 1.17
%global krb5_version 1.17-17
%global krb5_kdb_version 7.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
@ -101,10 +103,10 @@
# 10.6.7 fixes UpdateNumberRange clone installation issue
# https://pagure.io/freeipa/issue/7654 and empty token issue
# and https://pagure.io/dogtagpki/issue/3073
%global pki_version 10.6.8-3
%global pki_version 10.8.0
# https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-1
%global certmonger_version 0.79.7-3
# NSS release with fix for p11-kit-proxy issue, affects F28
# https://pagure.io/freeipa/issue/7810
@ -114,15 +116,9 @@
%global nss_version 3.41.0-1
%endif
# There are issues currently with the sssd rebase to 2.1.0, therefore this
# will be set to 2.0.0-43 for now.
#global sssd_version 2.1.0-2
%global sssd_version 2.0.0-43
%global sssd_version 2.2.0-19
# python3-kdcproxy 0.4.1 is not in the repository, therefore 0.4 will be
# used for now.
#global kdcproxy_version 0.4.1
%global kdcproxy_version 0.4
%global kdcproxy_version 0.4-3
%global plugin_dir %{_libdir}/dirsrv/plugins
%global etc_systemd_dir %{_sysconfdir}/systemd/system
@ -132,16 +128,16 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.7.90.pre1
%define IPA_VERSION 4.8.4
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%endif
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 3%{?dist}
Release: 2%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -156,16 +152,9 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
# RHEL spec file only: END: Change branding to IPA and Identity Management
# RHEL spec file only: START
Patch0001: 0001-No-need-to-call-rhel-specific-domainname-service.patch
Patch0002: 0001-revert-minssf-defaults.patch
# https://github.com/freeipa/freeipa/pull/3104
# Fix an error in the path the webUI uses for fontawesome
Patch0003: 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
Patch0004: 0002-upgrade-adtrust-when-no-trusts.patch
Patch0001: 0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-4.7.90pre1-Remove-csrgen.patch
Patch1002: 1002-4.8.0-Remove-csrgen.patch
# RHEL spec file only: END
# For the timestamp trick in patch application
@ -325,6 +314,7 @@ Requires: openldap-clients > 2.4.35-4
Requires: nss >= %{nss_version}
Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-kdb-version = %{krb5_kdb_version}
Requires: krb5-pkinit-openssl >= %{krb5_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
@ -454,7 +444,7 @@ If you are installing an IPA server, you need to install this package.
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
Requires: bind-pkcs11 >= 9.11.0-6.P2
@ -558,6 +548,22 @@ If your network uses IPA for authentication, this package should be
installed on every client machine.
This package provides command-line tools for IPA administrators.
%package client-samba
Summary: Tools to configure Samba on IPA client
Group: System Environment/Base
Requires: %{name}-client = %{version}-%{release}
Requires: python3-samba
Requires: samba-client
Requires: samba-winbind
Requires: samba-common-tools
Requires: samba
Requires: sssd-winbind-idmap
Requires: tdb-tools
Requires: cifs-utils
%description client-samba
This package provides command-line tools to deploy Samba domain member
on the machine enrolled into a FreeIPA environment
%package -n python3-ipaclient
Summary: Python libraries used by IPA client
@ -1001,11 +1007,17 @@ if [ $1 -gt 1 ] ; then
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
fi
%{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
fi
if [ $restore -ge 2 ]; then
%{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
fi
if [ $restore -ge 2 ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
fi
fi
@ -1072,6 +1084,7 @@ fi
%{_sbindir}/ipa-winsync-migrate
%{_sbindir}/ipa-pkinit-manage
%{_sbindir}/ipa-crlgen-manage
%{_sbindir}/ipa-cert-fix
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
@ -1136,6 +1149,7 @@ fi
%{_mandir}/man1/ipa-winsync-migrate.1*
%{_mandir}/man1/ipa-pkinit-manage.1*
%{_mandir}/man1/ipa-crlgen-manage.1*
%{_mandir}/man1/ipa-cert-fix.1*
%files -n python3-ipaserver
@ -1162,6 +1176,7 @@ fi
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template
%{_usr}/share/ipa/bind.ipa-ext.conf
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
@ -1208,6 +1223,7 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
@ -1271,6 +1287,7 @@ fi
%{_sbindir}/ipa-join
%{_bindir}/ipa
%config %{_sysconfdir}/bash_completion.d
%config %{_sysconfdir}/sysconfig/certmonger
%{_mandir}/man1/ipa.1*
%{_mandir}/man1/ipa-getkeytab.1*
%{_mandir}/man1/ipa-rmkeytab.1*
@ -1279,6 +1296,11 @@ fi
%{_mandir}/man1/ipa-certupdate.1*
%{_mandir}/man1/ipa-join.1*
%files client-samba
%doc README.md Contributors.txt
%license COPYING
%{_sbindir}/ipa-client-samba
%{_mandir}/man1/ipa-client-samba.1*
%files -n python3-ipaclient
%doc README.md Contributors.txt
@ -1370,6 +1392,113 @@ fi
%changelog
* Mon Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2
- DNS install check: Fix overlapping DNS zone from the master itself
Resolves: RHBZ#1784003
* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-1
- Rebase to upstream release 4.8.4
- Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3
Resolves: RHBZ#1782658
Resolves: RHBZ#1782169
Resolves: RHBZ#1783046
Related: RHBZ#1748987
* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-3
- Fix otptoken_sync plugin
Resolves: RHBZ#1777811
* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-2
- Use default crypto policy for TLS and enable TLS 1.3 support
Resolves: RHBZ#1777809
- Covscan fixes
Resolves: RHBZ#1777920
- Change pki_version to 10.8.0
Related: RHBZ#1748987
* Thu Nov 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195)
Resolves: RHBZ#1767304
Resolves: RHBZ#1776939
- Support KDC ticket policies for authentication indicators
Resolves: RHBZ#1777564
* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.2-4
- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
Resolves: RHBZ#1767304
- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
Resolves: RHBZ#1776939
* Fri Nov 22 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-3
- Use default ssh host key algorithms
Resolves: RHBZ#1756432
- Do not run trust upgrade code if master lacks Samba bindings
Resolves: RHBZ#1757064
- Finish group membership management UI
Resolves: RHBZ#1773528
* Mon Nov 18 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-2
- Update dependency for bind-dndb-ldap to 11.2-2
Related: RHBZ#1762813
* Thu Nov 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-1
- Rebase to upstream release 4.8.2
- Removed upstream patches 0001 to 0010 that are part of version 4.8.2
- Updated branding patch
Resolves: RHBZ#1748987
* Thu Aug 29 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-10
- Fix automount behavior with authselect
Resolves: RHBZ#1740167
* Mon Aug 19 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-9
- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
Resolves: RHBZ#1741530
* Thu Aug 15 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-8
- FreeIPA 4.8.0 tarball lacks two update files that are in git
Resolves: RHBZ#1741170
* Tue Aug 13 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-7
- Allow insecure binds for migration
Resolves: RHBZ#1731963
* Fri Aug 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-6
- Fix --external-ca-profile not passed to CSR
Resolves: RHBZ#1731813
* Tue Jul 30 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-5
- Remove posixAccount from service_find search filter
Resolves: RHBZ#1731437
- Fix repeated uninstallation of ipa-client-samba crashes
Resolves: RHBZ#1732529
- WebUI: Add PKINIT status field to 'Configuration' page
Resolves: RHBZ#1518153
* Tue Jul 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-4
- Fix krb5-kdb-server -> krb5-kdb-version
Related: RHBZ#1700121
* Mon Jul 15 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-3
- Make sure ipa-server depends on krb5-kdb-version to pick up
right MIT Kerberos KDB ABI
Related: RHBZ#1700121
- User field separator uses '$$' within ipaSELInuxUserMapOrder
Fixes: RHBZ#1729099
* Wed Jul 3 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-2
- Fixed kdcproxy_version to 0.4-3
- Fixed krb5_version to 1.17-7
Related: RHBZ#1684528
* Wed Jul 3 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-1
- New upstream release 4.8.0
- New subpackage: freeipa-client-samba
- Added command ipa-cert-fix with man page
- New sysconfdir sysconfig/certmonger
- Updated pki_version, certmonger_version, sssd_version and kdcproxy_version
Related: RHBZ#1684528
* Tue May 21 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90-3
- Fix upgrade issue with AD trust when no trust yet established
Fixes: RHBZ#1708874