ipa-4.9.6-4

- Use new method in check to prevent removal of last KRA (#1985072)
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
- Fix index definition for memberOf (#1952028)

Resolves: #1985072, #1982952, #1952028
Rob Crittenden 2021-07-23 09:31:03 -04:00
parent 5a5afdbc6f
commit d7b02057af
5 changed files with 188 additions and 1 deletions


@ -0,0 +1,58 @@
From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 19 Jul 2021 17:51:44 -0400
Subject: [PATCH] Use new method in check to prevent removal of last KRA
It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.
Use server roles instead to determine if the last KRA server
is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipaserver/plugins/server.py | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b3dda8469..5fa7a58bd 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
if self.api.Command.ca_is_enabled()['result']:
try:
- vault_config = self.api.Command.vaultconfig_show()['result']
- kra_servers = vault_config.get('kra_server_server', [])
- except errors.InvocationError:
- # KRA is not configured
- pass
- else:
- if kra_servers == [hostname]:
- handler(
- _("Deleting this server is not allowed as it would "
- "leave your installation without a KRA."),
- ignore_last_of_role)
+ roles = self.api.Command.server_role_find(
+ server_server=hostname,
+ role_servrole='KRA server',
+ status='enabled',
+ include_master=True,
+ )['result']
+ except errors.NotFound:
+ roles = ()
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
+ handler(
+ _("Deleting this server is not allowed as it would "
+ "leave your installation without a KRA."),
+ ignore_last_of_role)
ca_servers = ipa_config.get('ca_server_server', [])
ca_renewal_master = ipa_config.get(
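Review bot: the `server_server=hostname` filter on the new `server_role_find` call restricts the result to the server being deleted, so `len(roles) == 1` appears to establish only that this host holds an enabled KRA role, not that it is the last one in the topology, and the `roles[0]['server_server'] == hostname` comparison is then always true for any non-empty result. Read that way, the check would block `server-del` for every KRA server rather than only the last. Consider dropping `server_server=hostname` from the call and keeping `if len(roles) == 1 and roles[0]['server_server'] == hostname:` so that it counts enabled KRA servers across the deployment. A short comment that the role lookup is answered from LDAP and therefore does not need the KRA itself to be reachable would also document the reason for the change.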
--
2.26.3


@ -0,0 +1,49 @@
From 8ea8f8b68b5a7217518f68065a5fc1df16126314 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 19 Jul 2021 21:54:22 -0400
Subject: [PATCH] ipatests: test removing last KRA when it is not running
Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_server_del.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/ipatests/test_integration/test_server_del.py b/ipatests/test_integration/test_server_del.py
index 5e627d5db..9d7f5ef7a 100644
--- a/ipatests/test_integration/test_server_del.py
+++ b/ipatests/test_integration/test_server_del.py
@@ -302,6 +302,23 @@ class TestLastServices(ServerDelBase):
1
)
+ def test_removal_of_server_raises_error_about_last_kra(self):
+ """
+ test that removal of server fails on the last KRA
+
+ We shut it down to verify that it can be removed if it failed.
+ """
+ tasks.install_kra(self.master)
+ self.master.run_command(['ipactl', 'stop'])
+ tasks.assert_error(
+ tasks.run_server_del(self.replicas[0], self.master.hostname),
+ "Deleting this server is not allowed as it would leave your "
+ "installation without a KRA.",
+ 1
+ )
+ # Restarting the server we stopped is not necessary as it will
+ # be removed in the next test.
+
def test_forced_removal_of_master(self):
"""
Tests that we can still force remove the master using
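Review bot: this test only exercises a topology in which the master is the sole KRA, so it cannot tell a "last KRA" check from an "any KRA" check; a companion case that also installs a KRA on a replica and asserts that `server-del` of one of them succeeds would cover the other branch. Separately, the closing comment relies on test ordering (the stopped master is expected to be removed by `test_forced_removal_of_master`), which makes the test unsafe to run in isolation or to reorder; running `ipactl start` at the end, or in a fixture finalizer, removes that coupling. The docstring's first line should also start with a capital letter to match the neighbouring tests.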
--
2.26.3


@ -0,0 +1,30 @@
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 16 Jul 2021 09:20:33 +0300
Subject: [PATCH] rhel platform: add a named crypto-policy support
RHEL 8+ provides bind system-wide crypto policy support, enable it.
Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipaplatform/rhel/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada32..3631550eb 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
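Review bot: the new value uses double quotes while the neighbouring `SYSCONFIG_NFS = '/etc/nfs.conf'` uses single quotes; match the file's style. Since the constant is unconditional, unlike the `HAS_NFS_CONF`-guarded assignment just below it, a one-line comment stating that the bind crypto-policy back-end is expected on RHEL 8+ (as the commit message says) would tell the next reader why no feature flag is needed here.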
--
2.26.3


@ -0,0 +1,40 @@
From b132956e42a88ab39bb8d6a854e7c5d28d544a11 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 16 Jul 2021 09:43:54 +0200
Subject: [PATCH] Index: Fix definition for memberOf
The index definition for memberOf is inconsistent:
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex
The cn attribute should be memberOf, not member. Fix the definition.
Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/updates/20-indices.update | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index d6df5b37d..cb1a11dd5 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -434,7 +434,7 @@ add:nsIndexType: eq
add:nsIndexType: pres
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only:cn: member
+only:cn: memberOf
add:nsIndexType: sub
dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
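Review bot: the fix is correct for the visible entry, but a mismatch between an index entry's RDN and its `cn` went unnoticed until now; a small check that walks every `dn: cn=...,cn=index,...` entry in this update file and verifies that `cn` equals the RDN value would catch the same class of typo in the remaining entries. It would also help to state in the commit message whether the `only:cn:` rewrite on already-deployed systems needs a reindex; since the DN and the `nsIndexType` values are unchanged it should not, but saying so saves the next reviewer the question.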
--
2.26.3


@ -196,7 +196,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Release: 4%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -232,6 +232,11 @@ Patch0013: 0013-WebUI-Improve-subordinate-ids-user-workflow.patch
Patch0014: 0014-Test-DNA-plugin-configuration.patch
Patch0015: 0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
Patch0016: 0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
Patch0017: 0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
Patch0018: 0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
Patch0019: 0019-rhel-platform-add-a-named-crypto-policy-support.patch
Patch0020: 0020-Index-Fix-definition-for-memberOf.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1712,6 +1717,11 @@ fi
%endif
%changelog
* Fri Jul 23 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.6-4
- Use new method in check to prevent removal of last KRA (#1985072)
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
- Fix index definition for memberOf (#1952028)
* Thu Jul 15 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-3
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"
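Review bot: the new 4.9.6-4 changelog entries cite bugs as `(#1985072)` while the 4.9.6-3 entries directly below use the `Resolves: rhbz#NNN` form; pick one convention for the file, preferably the `rhbz#` form, since a bare `#` number is ambiguous between Bugzilla and the upstream Pagure issues referenced in the patch subjects.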