ipa-4.12.2-11

- Resolves: RHEL-75658 Include latest fixes in python3-ipatests package
- Resolves: RHEL-74466 kinit with external idp user is failing

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2025-01-22 09:46:51 +01:00
parent 84d0312b89
commit d45f8dce3d
5 changed files with 336 additions and 10 deletions

@ -0,0 +1,51 @@
From 45f96a0f978dfda0e2faa8360182a1dfd3122b94 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 10 Jan 2025 13:22:29 +0100
Subject: [PATCH] ipatests: skip test_ipahealthcheck_ds_configcheck for recent
versions
389-ds removed the parameter nsslapd-logging-hr-timestamps-enabled
in 2.5.3 and above. Skip the test that exercises the corresponding
healthcheck.
Fixes: https://pagure.io/freeipa/issue/9730
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index cc51a5a6a62fbc50927fc2fc51f129a069e70b69..6b6f15aa433a423fe599118d2226e4c4ec62b13b 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -18,7 +18,7 @@ import uuid
import pytest
-from ipalib import x509
+from ipalib import errors, x509
from ipapython.dn import DN
from ipapython.ipaldap import realm_to_serverid
from ipapython.certdb import NSS_SQL_FILES
@@ -1146,8 +1146,14 @@ class TestIpaHealthCheck(IntegrationTest):
)
entry = ldap.get_entry(dn)
entry.single_value["nsslapd-logging-hr-timestamps-enabled"] = 'off'
- ldap.update_entry(entry)
-
+ try:
+ ldap.update_entry(entry)
+ except errors.DatabaseError as e:
+ expected_msg = "Unknown attribute " \
+ "nsslapd-logging-hr-timestamps-enabled"
+ if expected_msg in e.message:
+ pytest.skip(
+ "389-ds removed nsslapd-logging-hr-timestamps-enabled")
yield
entry = ldap.get_entry(dn)
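Review bot: the except branch swallows every DatabaseError whose message does not contain "Unknown attribute nsslapd-logging-hr-timestamps-enabled". In that case control falls through to `yield` with the attribute never set to 'off', so test_ipahealthcheck_ds_configcheck runs against an unmodified dirsrv config and passes or fails for the wrong reason. Add `else: raise` after the `if expected_msg in e.message:` block so unexpected errors still surface, and consider keying the skip on the 389-ds version named in the commit message (2.5.3) rather than on a substring of an error text that 389-ds may reword.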
--
2.47.1

@ -0,0 +1,35 @@
From ec94ee72714296c86ba1227a5a945a7ed0bc7fac Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 16 Jan 2025 15:43:17 +0100
Subject: [PATCH] ipatests: restart dirsrv after time jumps
The test for ipa-healthcheck moves the date into the future.
Restart the dirsrv instance because the LDAP server is
sensitive to large time jumps.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 6b6f15aa433a423fe599118d2226e4c4ec62b13b..7c3f5857a477070d8a9b52c04d41f35ac580c97f 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1634,6 +1634,11 @@ class TestIpaHealthCheck(IntegrationTest):
grace_date = datetime.strftime(grace_date, "%Y-%m-%d 00:00:01 Z")
self.master.run_command(['date', '-s', grace_date])
+ # Restart dirsrv as it doesn't like time jumps
+ instance = realm_to_serverid(self.master.domain.realm)
+ cmd = ["systemctl", "restart", "dirsrv@{}".format(instance)]
+ self.master.run_command(cmd)
+
for check in ("IPACertmongerExpirationCheck",
"IPACertfileExpirationCheck",):
execute_expiring_check(check)
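Review bot: the restart follows only the forward jump (`date -s grace_date`); if the test later restores the clock (not in this hunk), the stated rationale that dirsrv does not tolerate time jumps applies to the backward jump just as much, so the same `systemctl restart dirsrv@{instance}` belongs after that step too, ideally in the fixture that restores the date. Also `systemctl restart` returning does not by itself guarantee the LDAP port is accepting connections again; if the expiring checks below talk to dirsrv, a short readiness wait (the tests already use tasks.run_repeatedly for this elsewhere) would avoid a flaky first check.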
--
2.47.1

@ -0,0 +1,67 @@
From d86db9d2c107c66372f422f1d628624b1a55ad45 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 17 Jan 2025 09:44:22 +0200
Subject: [PATCH] ipa-otpd: do not pass OIDC client secret if there is none to
pass
If there is no client secret specified for the OIDC client, don't push
it to oidc_child via stdin. oidc_child only expects a client secret if
the --client-secret-stdin option was specified, and we already specify it
only if the client secret is not empty.
In addition, if client secret is empty (it is a public OIDC client),
then strlen(NULL) would crash in glibc internals. Avoid that!
Fixes: https://pagure.io/freeipa/issue/9734
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-otpd/oauth2.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
index 52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69..0eb43b2372701d47b9ef62cbbdb32b97a5f7a0ba 100644
--- a/daemons/ipa-otpd/oauth2.c
+++ b/daemons/ipa-otpd/oauth2.c
@@ -104,17 +104,26 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
}
if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
- io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
- strlen(child_ctx->item->idp.ipaidpClientSecret));
+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
+ strlen(child_ctx->item->idp.ipaidpClientSecret));
+ } else {
+ io = 0;
+ }
} else {
- iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret;
- iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
- iov[1].iov_base = "\n";
- iov[1].iov_len = 1;
- iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
- iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
-
- io = writev(verto_get_fd(ev), iov, 3);
+ int idx = 0;
+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+ iov[idx].iov_base = child_ctx->item->idp.ipaidpClientSecret;
+ iov[idx].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
+ idx++;
+ iov[idx].iov_base = "\n";
+ iov[idx].iov_len = 1;
+ idx++;
+ }
+ iov[idx].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
+ iov[idx].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
+ idx++;
+ io = writev(verto_get_fd(ev), iov, idx);
}
otpd_queue_item_free(child_ctx->saved_item);
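Review bot: the new guard tests `ipaidpClientSecret != NULL`, but the commit message says `--client-secret-stdin` is passed to oidc_child only when the secret is not empty. If an empty string can reach here (a public client stored with an empty rather than absent attribute), the second branch still writes a bare "\n" ahead of device_code_reply, and an oidc_child started without --client-secret-stdin would read that line as part of the reply. Use one predicate in both places, e.g. a small helper returning `secret != NULL && secret[0] != '\0'`, so the argv construction and this write cannot drift apart. Also check what the code after this callback does with `io`: in the OAUTH2_GET_DEVICE_CODE branch `io = 0` now means "nothing to write", and if the caller treats a zero return from write() as a short write or EOF it will retry or fail the request.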
--
2.47.1

@ -0,0 +1,165 @@
From 431a5804949417257b204125ff0a898b98dd2a90 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 17 Jan 2025 12:33:54 +0200
Subject: [PATCH] Migrate Keycloak tests to JDK 21 and Keycloak 26
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../pytest_ipa/integration/create_bridge.py | 2 +-
.../pytest_ipa/integration/create_keycloak.py | 28 +++++++++----------
ipatests/test_integration/test_idp.py | 4 +--
ipatests/test_integration/test_sso.py | 4 +--
4 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/create_bridge.py b/ipatests/pytest_ipa/integration/create_bridge.py
index 618c645feef86f846a60e5727e7777defc67624c..5dd2f305c2ba6f707ee40be12581ff62c951805b 100644
--- a/ipatests/pytest_ipa/integration/create_bridge.py
+++ b/ipatests/pytest_ipa/integration/create_bridge.py
@@ -147,7 +147,7 @@ def setup_keycloak_scim_plugin(host, bridge_server):
# Login to keycloak as admin
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
- f"https://{host.hostname}:8443/auth/",
+ f"https://{host.hostname}:8443",
"--realm", "master", "--user", "admin",
"--password", password]
tasks.run_repeatedly(host, kcadmin, timeout=60)
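Review bot: `--server` here becomes `https://{host.hostname}:8443` with no trailing slash while create_keycloak.py in the same patch uses `https://{0}:8443/`; both work for kcadm.sh, but pick one form and factor the admin-login command into one helper. The same `kcadm.sh config credentials` argument list is now spelled out in create_bridge.py, create_keycloak.py and test_sso.py, and each copy had to be edited separately for this migration.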
diff --git a/ipatests/pytest_ipa/integration/create_keycloak.py b/ipatests/pytest_ipa/integration/create_keycloak.py
index 1340b95715c25f1bf1cbbf2e3c6e60731f3af08e..addade7594d7a1b8edefdb8c67ec4bc7abe70ef4 100644
--- a/ipatests/pytest_ipa/integration/create_keycloak.py
+++ b/ipatests/pytest_ipa/integration/create_keycloak.py
@@ -6,10 +6,10 @@ from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
-def setup_keycloakserver(host, version='17.0.0'):
+def setup_keycloakserver(host, version='26.1.0'):
dir = "/opt/keycloak"
password = host.config.admin_password
- tasks.install_packages(host, ["unzip", "java-11-openjdk-headless",
+ tasks.install_packages(host, ["unzip", "java-21-openjdk-headless",
"openssl", "maven", "wget",
"firefox", "xorg-x11-server-Xvfb"])
# add keycloak system user/group and folder
@@ -33,7 +33,7 @@ def setup_keycloakserver(host, version='17.0.0'):
key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key")
crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt")
- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store")
+ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks")
host.run_command(["ipa-getcert", "request", "-K",
"HTTP/{0}".format(host.hostname),
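Review bot: the rename from keycloak.store to keycloak.jks is not explained in the commit message. If the point is that the newer Keycloak detects the store type from the file extension, say so in a comment next to the path and in the message; otherwise the next reader sees an unmotivated rename repeated across three hunks (setup, the build-stage exports and uninstall_keycloak) that all have to stay in sync.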
@@ -49,14 +49,13 @@ def setup_keycloakserver(host, version='17.0.0'):
# Setup keycloak service and config files
contents = textwrap.dedent("""
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD={admin_pswd}
- KC_HOSTNAME={host}:8443
+ KC_BOOTSTRAP_ADMIN_USERNAME=admin
+ KC_BOOTSTRAP_ADMIN_PASSWORD={admin_pswd}
+ KC_HOSTNAME=https://{host}:8443/
KC_HTTPS_CERTIFICATE_FILE={crt}
KC_HTTPS_CERTIFICATE_KEY_FILE={key}
KC_HTTPS_TRUST_STORE_FILE={store}
KC_HTTPS_TRUST_STORE_PASSWORD={store_pswd}
- KC_HTTP_RELATIVE_PATH=/auth
""").format(admin_pswd=password, host=host.hostname, crt=crt, key=key,
store=keystore, store_pswd=password)
host.put_file_contents("/etc/sysconfig/keycloak", contents)
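Review bot: /etc/sysconfig/keycloak now carries the bootstrap admin password and the truststore password in clear text, and host.put_file_contents is called without setting a mode, so follow it with a chmod 600 (and ownership the keycloak service can read) rather than leaving the credentials world-readable on the test host. KC_HOSTNAME also changes meaning here, from host:port to a full URL with a trailing slash; together with dropping KC_HTTP_RELATIVE_PATH this is what moves the account console to /realms/master/... as test_sso.py expects, so a one-line comment would help, and the value must be kept identical to the build-stage export below.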
@@ -84,14 +83,13 @@ def setup_keycloakserver(host, version='17.0.0'):
# Run build stage first
env_vars = textwrap.dedent("""
- export KEYCLOAK_ADMIN=admin
- export KC_HOSTNAME={hostname}:8443
+ export KC_BOOTSTRAP_ADMIN_USERNAME=admin
+ export KC_HOSTNAME=https://{hostname}:8443/
export KC_HTTPS_CERTIFICATE_FILE=/etc/pki/tls/certs/keycloak.crt
export KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/pki/tls/private/keycloak.key
- export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.store
+ export KC_HTTPS_TRUST_STORE_FILE=/etc/pki/tls/private/keycloak.jks
export KC_HTTPS_TRUST_STORE_PASSWORD={STORE_PASS}
- export KEYCLOAK_ADMIN_PASSWORD={ADMIN_PASS}
- export KC_HTTP_RELATIVE_PATH=/auth
+ export KC_BOOTSTRAP_ADMIN_PASSWORD={ADMIN_PASS}
""").format(hostname=host.hostname, STORE_PASS=password,
ADMIN_PASS=password)
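Review bot: this block duplicates the sysconfig template above but hardcodes the truststore as /etc/pki/tls/private/keycloak.jks while the runtime config derives it from paths.OPENSSL_PRIVATE_DIR; on a platform where that constant differs, the build stage and the running service read different files. Generate both from one dict of settings (KC_HOSTNAME, the store path and the two passwords) instead of maintaining two hand-written copies that already use different placeholder names (`{host}` vs `{hostname}`).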
@@ -112,7 +110,7 @@ def setup_keycloakserver(host, version='17.0.0'):
host.run_command([kcadmin_sh, "config", "truststore",
"--trustpass", password, keystore])
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
- "https://{0}:8443/auth/".format(host.hostname),
+ "https://{0}:8443/".format(host.hostname),
"--realm", "master", "--user", "admin",
"--password", password
]
@@ -133,7 +131,7 @@ def setup_keycloak_client(host):
password = host.config.admin_password
host.run_command(["/opt/keycloak/bin/kcreg.sh",
"config", "credentials", "--server",
- "https://{0}:8443/auth/".format(host.hostname),
+ "https://{0}:8443/".format(host.hostname),
"--realm", "master", "--user", "admin",
"--password", password]
)
@@ -163,7 +161,7 @@ def setup_keycloak_client(host):
def uninstall_keycloak(host):
key = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.key")
crt = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.crt")
- keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.store")
+ keystore = os.path.join(paths.OPENSSL_PRIVATE_DIR, "keycloak.jks")
host.run_command(["systemctl", "stop", "keycloak"], raiseonerr=False)
host.run_command(["getcert", "stop-tracking", "-k", key, "-f", crt],
diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py
index ca2fcecb22459685450f2ed6c3ac1b9b215170f6..76edc9458e4448e05362ff040b8dab7a53cd3054 100644
--- a/ipatests/test_integration/test_idp.py
+++ b/ipatests/test_integration/test_idp.py
@@ -122,7 +122,7 @@ class TestIDPKeycloak(IntegrationTest):
tasks.kinit_admin(self.master)
cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
- "--base-url={0}:8443/auth".format(self.client.hostname)]
+ "--base-url={0}:8443".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
tasks.user_add(self.master, 'keycloakuser',
@@ -282,7 +282,7 @@ class TestIDPKeycloak(IntegrationTest):
user = "backupuser"
cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak",
"--client-id=ipa_oidc_client", "--org=master",
- "--base-url={0}:8443/auth".format(self.client.hostname)]
+ "--base-url={0}:8443".format(self.client.hostname)]
self.master.run_command(cmd, stdin_text="{0}\n{0}".format(
self.client.config.admin_password))
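Review bot: the same `ipa idp-add ... --provider=keycloak --base-url={0}:8443` argument list appears twice in this file and both copies had to be edited for the /auth removal; move the base URL into a module-level constant or a small helper so the next Keycloak path change is a one-line edit.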
diff --git a/ipatests/test_integration/test_sso.py b/ipatests/test_integration/test_sso.py
index 9708e9fa05a75cb2657c657b39b015249f3fd208..57c5a96bae986ee9721fc540d2be2cdc443e78fb 100644
--- a/ipatests/test_integration/test_sso.py
+++ b/ipatests/test_integration/test_sso.py
@@ -18,7 +18,7 @@ from selenium.webdriver.support import expected_conditions as EC
options = Options()
options.headless = True
driver = webdriver.Firefox(executable_path="/opt/geckodriver", options=options)
-verification_uri = "https://{hostname}:8443/auth/realms/master/account/#/"
+verification_uri = "https://{hostname}:8443/realms/master/account/#/"
driver.get(verification_uri)
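Review bot: verification_uri hardcodes the account-console path /realms/master/account/#/ with a `{hostname}` placeholder that is passed to driver.get without substitution in the visible lines; confirm the template is formatted before this script runs on the host, and derive the prefix from the same `https://{hostname}:8443` base string used for the kcadm login below so the path lives in one place.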
try:
@@ -60,7 +60,7 @@ def keycloak_add_user(host, kcadm_pass, username, password=None):
domain = host.domain.name
kcadmin_sh = "/opt/keycloak/bin/kcadm.sh"
kcadmin = [kcadmin_sh, "config", "credentials", "--server",
- f"https://{host.hostname}:8443/auth/",
+ f"https://{host.hostname}:8443",
"--realm", "master", "--user", "admin",
"--password", kcadm_pass]
--
2.47.1

@ -207,7 +207,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 10%{?rc_version:.%rc_version}%{?dist}
Release: 11%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -288,15 +288,19 @@ Patch0047: 0047-pyca-adapt-import-paths-for-TripleDES-cipher.patch
Patch0048: 0048-ipa-pwd-extop-clarify-OTP-use-over-LDAP-binds.patch
Patch0049: 0049-adtrust-add-missing-ipaAllowedOperations-objectclass.patch
Patch0050: 0050-Fix-the-typo-in-ipa_migrate_constants.patch
patch0051: 0051-test_ipahealthcheck-skip-connectivity_and_data-check.patch
patch0052: 0052-ipatests-Fixes-for-ipa-ipa-migration-tool.patch
patch0053: 0053-Installation-test-KRA-on-replica-after-cert-renewal.patch
patch0054: 0054-KRA-cert-renewal-update-ca.connector.KRA.transportCe.patch
patch0055: 0055-Add-30-second-timeout-for-certmonger-request-start-t.patch
patch0056: 0056-Unify-use-of-option-parsers.patch
patch0057: 0057-ipa-tools-remove-sensitive-material-from-the-command.patch
patch0058: 0058-ipa-otpd-use-oidc_child-s-client-secret-stdin-option.patch
patch0059: 0059-Fix-pylint-issue-in-ipatests-i18n.py.patch
Patch0051: 0051-test_ipahealthcheck-skip-connectivity_and_data-check.patch
Patch0052: 0052-ipatests-Fixes-for-ipa-ipa-migration-tool.patch
Patch0053: 0053-Installation-test-KRA-on-replica-after-cert-renewal.patch
Patch0054: 0054-KRA-cert-renewal-update-ca.connector.KRA.transportCe.patch
Patch0055: 0055-Add-30-second-timeout-for-certmonger-request-start-t.patch
Patch0056: 0056-Unify-use-of-option-parsers.patch
Patch0057: 0057-ipa-tools-remove-sensitive-material-from-the-command.patch
Patch0058: 0058-ipa-otpd-use-oidc_child-s-client-secret-stdin-option.patch
Patch0059: 0059-Fix-pylint-issue-in-ipatests-i18n.py.patch
Patch0060: 0060-ipatests-skip-test_ipahealthcheck_ds_configcheck-for.patch
Patch0061: 0061-ipatests-restart-dirsrv-after-time-jumps.patch
Patch0062: 0062-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch
Patch0063: 0063-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1915,6 +1919,10 @@ fi
%endif
%changelog
* Wed Jan 22 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-11
- Resolves: RHEL-75658 Include latest fixes in python3-ipatests package
- Resolves: RHEL-74466 kinit with external idp user is failing
* Thu Jan 16 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-10
- Resolves: RHEL-72580 A slow HSM can cause IPA server installation to fail setting up certificate tracking
- Resolves: RHEL-71964 KRA installation failure caused by a certificate mismatch in NSS DB and configuration file