import ipa-4.9.8-7.module+el8.6.0+14337+19b76db2

This commit is contained in:
CentOS Sources 2022-05-10 03:08:07 -04:00 committed by Stepan Oksanichenko
parent 646ea186ee
commit dc93cf38a4
35 changed files with 2056 additions and 5594 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/freeipa-4.9.6.tar.gz SOURCES/freeipa-4.9.8.tar.gz


@ -1 +1 @@
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz 38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz


@ -0,0 +1,70 @@
From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 10 Dec 2021 12:15:36 -0300
Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
---
freeipa.spec.in | 4 +---
ipaplatform/base/paths.py | 2 +-
ipaplatform/fedora/paths.py | 1 +
ipaserver/dnssec/bindmgr.py | 1 -
4 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8f5c370e5..e20edb7bc 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
-# bind-dnssec-utils is required by the OpenDNSSec integration
-# https://pagure.io/freeipa/issue/9026
-Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 7d21367ec..42a47f1df 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,7 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..92a948966 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 0c79cc03d..a15c0e601 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -127,7 +127,6 @@ class BINDMgr:
)
cmd = [
paths.DNSSEC_KEYFROMLABEL,
- '-E', 'pkcs11',
'-K', workdir,
'-a', attrs['idnsSecAlgorithm'][0],
'-l', uri
--
2.31.1
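Review bot: The restored base path `DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"` and the removal of `'-E', 'pkcs11'` in bindmgr.py only line up with the `%if %{with bind_pkcs11}` branch of the spec, which is the branch that now adds `Requires: bind-pkcs11-utils`; in the `%else` branch (softhsm + openssl-pkcs11) none of the listed Requires provides that binary and the engine selection the plain tool would need is gone, so `ipa-dnskeysyncd` key generation would presumably fail with a missing executable if this package were ever built without bind_pkcs11. Since this is a revert of f89d59b it is likely intended for the pkcs11 build only, but the coupling is invisible at the path definition; a comment such as `# provided by bind-pkcs11-utils; Fedora overrides this with plain dnssec-keyfromlabel` next to the base path would make it explicit. The BINDMgr method whose `cmd` list is edited starts and ends outside the hunk, so whether anything else still passes an engine option cannot be confirmed from here.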


@ -1,136 +0,0 @@
From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Jun 2021 14:36:51 +0200
Subject: [PATCH] paths: add IPA_SERVER_CONF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaplatform/base/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 91423b332..de217d9ef 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -71,6 +71,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
--
2.31.1
From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Jun 2021 14:45:49 +0200
Subject: [PATCH] ipatests: smoke test for server debug mode.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a smoke test to make sure the server can be set in debug mode
without issue.
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_installation.py | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 301767b8d..0c96536f0 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False)
+ @pytest.mark.skip_if_platform(
+ "debian", reason="This test hardcodes the httpd service name"
+ )
+ def test_smoke_test_for_debug_mode(self):
+ """Test if an IPA server works in debug mode.
+ Related: https://pagure.io/freeipa/issue/8891
+
+ Note: this test hardcodes the "httpd" service name.
+ """
+
+ target_fname = paths.IPA_SERVER_CONF
+ assert not self.master.transport.file_exists(target_fname)
+
+ # set the IPA server in debug mode
+ server_conf = "[global]\ndebug=True"
+ self.master.put_file_contents(target_fname, server_conf)
+ self.master.run_command(["systemctl", "restart", "httpd"])
+
+ # smoke test in debug mode
+ tasks.kdestroy_all(self.master)
+ tasks.kinit_admin(self.master)
+ self.master.run_command(["ipa", "user-show", "admin"])
+
+ # rollback
+ self.master.run_command(["rm", target_fname])
+ self.master.run_command(["systemctl", "restart", "httpd"])
+
def test_schema_compat_attribute_and_tree_disable(self):
"""Test if schema-compat-entry-attribute is set
--
2.31.1
From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 23 Jun 2021 06:35:19 +0200
Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.
Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/rpcserver.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index b121316bf..e612528e0 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -31,6 +31,7 @@ import os
import time
import traceback
from io import BytesIO
+from sys import version_info
from urllib.parse import parse_qs
from xmlrpc.client import Fault
@@ -72,6 +73,10 @@ from requests.auth import AuthBase
if six.PY3:
unicode = str
+# time.perf_counter_ns appeared in Python 3.7.
+if version_info < (3, 7):
+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
+
logger = logging.getLogger(__name__)
HTTP_STATUS_SUCCESS = '200 Success'
--
2.31.1


@ -1,272 +0,0 @@
From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:15:50 +0100
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
services
Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.
Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
ipaserver/plugins/host.py | 5 ++++-
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 73967a224..f1fb91036 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
))
+def promotion_check_host_principal_auth_ind(conn, hostdn):
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
+ if 'krbprincipalauthind' in entry:
+ raise RuntimeError(
+ "Client cannot be promoted to a replica if the host principal "
+ "has an authentication indicator set."
+ )
+
+
@common_cleanup
@preserve_enrollment_state
def promote_check(installer):
@@ -956,6 +965,10 @@ def promote_check(installer):
config.master_host_name, None)
promotion_check_ipa_domain(conn, remote_api.env.basedn)
+ hostdn = DN(('fqdn', api.env.host),
+ api.env.container_host,
+ api.env.basedn)
+ promotion_check_host_principal_auth_ind(conn, hostdn)
# Make sure that domain fulfills minimal domain level
# requirement
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index eb1f8ef04..41fa933e2 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPAddAttributeViaOption,
LDAPRemoveAttributeViaOption)
from .service import (
- validate_realm, normalize_principal,
+ validate_realm, validate_auth_indicator, normalize_principal,
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
rename_ipaallowedtoperform_to_ldap, revoke_certs)
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
if 'krbticketflags' in entry_attrs:
entry_attrs['objectclass'].append('krbticketpolicyaux')
+ validate_auth_indicator(entry_attrs)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
if 'krbprincipalaux' not in (item.lower() for item in
entry_attrs['objectclass']):
entry_attrs['objectclass'].append('krbprincipalaux')
+ validate_auth_indicator(entry_attrs)
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 1c9347804..cfbbff3c6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
raise errors.RealmMismatch()
+def validate_auth_indicator(entry):
+ new_value = entry.get('krbprincipalauthind', None)
+ if not new_value:
+ return
+ # The following services are considered internal IPA services
+ # and shouldn't be allowed to have auth indicators.
+ # https://pagure.io/freeipa/issue/8206
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ principal = kerberos.Principal(pkey)
+ server = api.Command.server_find(principal.hostname)['result']
+ if server:
+ prefixes = ("host", "cifs", "ldap", "HTTP")
+ else:
+ prefixes = ("cifs",)
+ if principal.service_name in prefixes:
+ raise errors.ValidationError(
+ name='krbprincipalauthind',
+ error=_('authentication indicators not allowed '
+ 'in service "%s"' % principal.service_name)
+ )
+
+
def normalize_principal(value):
"""
Ensure that the name in the principal is lower-case. The realm is
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
hostname)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
if not options.get('force', False):
# We know the host exists if we've gotten this far but we
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
assert isinstance(dn, DN)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
# verify certificates
certs = entry_attrs.get('usercertificate') or []
--
2.31.1
From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:20:35 +0100
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
IPA services
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.
Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
.../test_replica_promotion.py | 38 +++++++++++++++++++
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
3 files changed, 69 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0a137dbdc..b9c56f775 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert result.returncode == 1
assert expected_err in result.stderr_text
+ @replicas_cleanup
+ def test_install_with_host_auth_ind_set(self):
+ """ A client shouldn't be able to be promoted if it has
+ any auth indicator set in the host principal.
+ https://pagure.io/freeipa/issue/8206
+ """
+
+ client = self.replicas[0]
+ # Configure firewall first
+ Firewall(client).enable_services(["freeipa-ldap",
+ "freeipa-ldaps"])
+
+ client.run_command(['ipa-client-install', '-U',
+ '--domain', self.master.domain.name,
+ '--realm', self.master.domain.realm,
+ '-p', 'admin',
+ '-w', self.master.config.admin_password,
+ '--server', self.master.hostname,
+ '--force-join'])
+
+ tasks.kinit_admin(client)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+ client.hostname])
+
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
+ self.master.config.dirman_password],
+ raiseonerr=False)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
+ client.hostname])
+
+ expected_err = ("Client cannot be promoted to a replica if the host "
+ "principal has an authentication indicator set.")
+ assert res.returncode == 1
+ assert expected_err in res.stderr_text
+
+
@replicas_cleanup
def test_one_command_installation(self):
"""
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index c66bbc865..9cfde3565 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
error=u'An IPA master host cannot be deleted or disabled')):
command()
+ def test_try_add_auth_ind_master(self, this_host):
+ command = this_host.make_update_command({
+ u'krbprincipalauthind': u'radius'})
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "host"'
+ )):
+ command()
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 4c845938c..ed634a045 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
return tracker.make_fixture(request)
+@pytest.fixture(scope='function')
+def this_host(request):
+ """Fixture for the current master"""
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
+ fqdn=api.env.host)
+ tracker.exists = True
+ return tracker
+
+
@pytest.fixture(scope='function')
def indicators_service(request):
tracker = ServiceTracker(
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
expected_updates={u'krbprincipalauthind': [u'radius']}
)
+ def test_update_indicator_internal_service(self, this_host):
+ command = this_host.make_command('service_mod',
+ 'ldap/' + this_host.fqdn,
+ **dict(krbprincipalauthind='otp'))
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "ldap"'
+ )):
+ command()
+
@pytest.fixture(scope='function')
def managing_host(request):
--
2.31.1


@ -0,0 +1,75 @@
From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 15 Dec 2021 10:47:02 +0100
Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
When ipa config-mod is called with the option --enable-sid,
the code needs to trap EmptyModlist exception (it is expected
that no LDAP attribute is modified by this operation).
The code had a flaw and was checking:
'enable_sid' in options
instead of
options['enable_sid']
"'enable_sid' in options" always returns true as this option
is a Flag with a default value, hence always present even if
not specified on the command line.
Fixes: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/config.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index eae401fc3..24446beb0 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
if (isinstance(exc, errors.EmptyModlist) and
call_func.__name__ == 'update_entry' and
('ca_renewal_master_server' in options or
- 'enable_sid' in options)):
+ options['enable_sid'])):
return
super(config_mod, self).exc_callback(
--
2.34.1
From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 15 Dec 2021 10:51:05 +0100
Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
Add a test to test_config_plugin, that calls ipa config-mod
with the same value as already present in LDAP.
The call must return EmptyModlist.
Related: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
index e981bb4a0..a8ec9f0e5 100644
--- a/ipatests/test_xmlrpc/test_config_plugin.py
+++ b/ipatests/test_xmlrpc/test_config_plugin.py
@@ -312,4 +312,13 @@ class test_config(Declarative):
'value': None,
},
),
+ dict(
+ desc='Set the value to the already set value, no modifications',
+ command=(
+ 'config_mod', [], {
+ 'ipasearchrecordslimit': u'100',
+ },
+ ),
+ expected=errors.EmptyModlist(),
+ ),
]
--
2.34.1
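Review bot: `options['enable_sid']` in `config_mod.exc_callback` raises KeyError if the key is ever absent, and because this runs inside the exception callback that KeyError would replace the original LDAP error rather than surface it. The commit message argues the Flag is always present, but the guard is cheap and the failure mode is an obscured error, so `options.get('enable_sid', False)` is the safer spelling of the same check. Note also that the added test exercises `ipasearchrecordslimit` only, so the `enable_sid` branch that was actually changed is still not covered; a second case calling `config_mod` with `enable_sid=True` against an already-enabled config would pin it. The surrounding `exc_callback` body continues outside the hunk.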


@ -1,8 +1,7 @@
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001 From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com> From: Francisco Trivino <ftrivino@redhat.com>
Date: Feb 01 2022 07:57:24 +0000 Date: Wed, 26 Jan 2022 15:43:39 +0100
Subject: Custodia: use a stronger encryption algo when exporting keys Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12. scheme for PKCS#12.
@ -25,11 +24,12 @@ Fixes: https://pagure.io/freeipa/issue/9101
Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
--- ---
ipaserver/secrets/handlers/pemfile.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index 4e8eff0..ad36bd0 100644 index 4e8eff0e3..ad36bd020 100644
--- a/ipaserver/secrets/handlers/pemfile.py --- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py +++ b/ipaserver/secrets/handlers/pemfile.py
@@ -31,6 +31,9 @@ def export_key(args, tmpdir): @@ -31,6 +31,9 @@ def export_key(args, tmpdir):
@ -42,4 +42,6 @@ index 4e8eff0..ad36bd0 100644
]) ])
with open(pk12file, 'rb') as f: with open(pk12file, 'rb') as f:
--
2.34.1


@ -1,89 +0,0 @@
From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 09:51:41 +0200
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.
There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.
Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/baseuser.py | 3 +++
ipaserver/plugins/user.py | 4 ----
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index ae16a978a..6035228f1 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
+ if entry_attrs.get('ipauserauthtype', None):
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
+ entry_attrs, update=False)
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6f7facb53..e4ee572b2 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
'ipauser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipauser')
- if 'ipauserauthtype' in entry_attrs and \
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
-
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
if rcl:
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
--
2.31.1
From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 10:22:31 +0200
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 5586fc607..bc606b093 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
result = command()
assert result['count'] == 1
+ def test_create_withuserauthtype(self, stageduser):
+ stageduser.ensure_missing()
+ command = stageduser.make_create_command(
+ options={u'ipauserauthtype': u'password'})
+ command()
+
@pytest.mark.tier1
class TestCreateInvalidAttributes(XMLRPC_test):
--
2.31.1


@ -0,0 +1,122 @@
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 16:43:09 +0100
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped in case user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 15f3df4fe..0d0d3748c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
&res_key_data, &result, &mkvno);
switch (ret) {
case 0:
- /* Only set a principal's key if password auth can be used. Otherwise
- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
- * reply for AS-REQs which indicate the password authentication is
- * available. This might confuse applications like e.g. SSSD which try
- * to determine suitable authentication methods and corresponding
- * prompts with the help of MIT Kerberos' responder interface which
- * acts on the returned pre-authentication methods. A typical example
- * is enforced OTP authentication where of course keys are available
- * for the first factor but password authentication should not be
- * advertised by the KDC. */
- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
+ /* Only set a principal's key if password or hardened auth can be used.
+ * Otherwise the KDC would add pre-authentication methods to the
+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
+ * authentication is available. This might confuse applications like
+ * e.g. SSSD which try to determine suitable authentication methods and
+ * corresponding prompts with the help of MIT Kerberos' responder
+ * interface which acts on the returned pre-authentication methods. A
+ * typical example is enforced OTP authentication where of course keys
+ * are available for the first factor but password authentication
+ * should not be advertised by the KDC. */
+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
+ (ua != IPADB_USER_AUTH_NONE)) {
/* This is the same behavior as ENOENT below. */
ipa_krb5_free_key_data(res_key_data, result);
break;
--
2.34.1
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 19:38:29 +0100
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 63e75ae67..9489fbc97 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
- def test_krbtpolicy_hardended(self):
- """Test a hardened kerberos ticket policy with 10 min tickets"""
+ def test_krbtpolicy_password_and_hardended(self):
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
master = self.master
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'password',
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
result = master.run_command('klist | grep krbtgt')
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+ def test_krbtpolicy_hardended(self):
+ """Test a hardened kerberos ticket policy with 30min tickets"""
+ master = self.master
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'config-mod',
+ '--user-auth-type', 'hardened'])
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+ '--hardened-maxlife', '1800'])
+
+ tasks.kdestroy_all(master)
+
+ master.run_command(['kinit', USER1],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, 1800,
+ slush=1800) is True
+
+ tasks.kdestroy_all(master)
+
+ # Verify that the short policy only applies to USER1
+ master.run_command(['kinit', USER2],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
def test_krbtpolicy_password(self):
"""Test the kerberos ticket policy which issues 20 min tickets"""
master = self.master
--
2.34.1
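Review bot: `test_krbtpolicy_hardended` changes the global default with `ipa config-mod --user-auth-type hardened` and, within the visible hunk, never resets it, so the following `test_krbtpolicy_password` and any later test that relies on password-only users would run under a hardened global policy unless something outside the hunk restores it. The test body for USER2 also only verifies ticket lifetime, which would not reveal that the global policy leaked. If the class has no fixture doing the cleanup, adding `master.run_command(['ipa', 'config-mod', '--user-auth-type', ''])` (or the project's equivalent reset) at the end of the test, or moving the config change into a fixture with teardown, would keep the cases independent. The ipa_kdb_principals.c hunk itself looks consistent with the stated intent: keys are now kept when either the password or the hardened bit is set, with the NONE case unchanged.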


@ -1,35 +0,0 @@
From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 7 Jul 2021 14:11:40 +0200
Subject: [PATCH] man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.
Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
---
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
index 3db19b0f1..f01e21c6b 100644
--- a/install/tools/man/ipa-server-upgrade.1
+++ b/install/tools/man/ipa-server-upgrade.1
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
+the IPA packages are being updated. It is not intended to be executed by
+end\-users, unless the automatic execution reports an error. In this case,
+the administrator needs to identify and fix the issue that is causing the
+upgrade failure (with the help of /var/log/ipaupgrade.log)
+and manually re\-run ipa\-server\-upgrade.
ipa\-server\-upgrade will:
--
2.31.1


@ -1,69 +0,0 @@
From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2021 11:02:10 -0400
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/service.py | 5 +++++
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cfbbff3c6..498f5e444 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565..ff50e796c 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
--
2.31.1


@ -0,0 +1,44 @@
From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 28 Jan 2022 16:58:42 +0100
Subject: [PATCH] ipa-pki-proxy.conf: provide access to
/kra/admin/kra/getStatus
The access to /kra/admin/kra/getStatus will be needed
in order to fix pki-healthcheck.
Note that this commit is a pre-requisite for the fix
to be done on PKI side. No test added since the full
integration test already exists in test_replica_promotion.py,
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
Fixes: https://pagure.io/freeipa/issue/9099
Related: https://pagure.io/freeipa/issue/8582
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/ipa-pki-proxy.conf.template | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
index 96708482c..7a46f20b9 100644
--- a/install/share/ipa-pki-proxy.conf.template
+++ b/install/share/ipa-pki-proxy.conf.template
@@ -1,4 +1,4 @@
-# VERSION 16 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE
ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
</LocationMatch>
# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
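Review bot: The new `^/kra/admin/kra/getStatus` entry joins a LocationMatch block that sets `SSLVerifyClient none`, so the KRA status servlet becomes reachable through the proxy by any client without a client certificate, and like the existing entries it is a prefix match with no end anchor, so anything under that prefix matches too. That is presumably acceptable for a status probe, but the exemption deserves an explicit comment above the block, e.g. `# /kra/admin/kra/getStatus: unauthenticated status probe needed by pki-healthcheck (issue 9099)`, so it is not silently widened later. If no other KRA servlet starts with that name, anchoring the entry as `^/kra/admin/kra/getStatus$` would keep the exemption to the single path.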
--
2.34.1


@ -0,0 +1,755 @@
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Fri, 14 Jan 2022 19:55:13 +0530
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
Scenario 1:
Setup master with --ca-signing-algorithm=SHA384withRSA
Run certutil and check Signing Algorithm
Scenario 2:
Setup a master
Stop services
Modify default.params.signingAlg in CS.cfg
Restart services
Resubmit cert (Resubmitted cert should have new Algorithm)
Pagure Link: https://pagure.io/freeipa/issue/8906
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
---
.../test_integration/test_installation.py | 63 +++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 0947241ae..f2d372c0c 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
from ipaplatform import services
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
tasks.install_replica(
self.master, self.replicas[0], setup_ca=False, setup_dns=False
)
+
+
+class TestInstallwithSHA384withRSA(IntegrationTest):
+ num_replicas = 0
+
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
+ tasks.install_master(
+ self.master,
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
+ )
+
+ # check Signing Algorithm post installation
+ dashed_domain = self.master.domain.realm.replace(".", '-')
+ cmd_args = ['certutil', '-L', '-d',
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
+ '-n', 'Server-Cert']
+ result = self.master.run_command(cmd_args)
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
+
+ def test_install_master_modify_existing(self, server_cleanup):
+ """
+ Setup a master
+ Stop services
+ Modify default.params.signingAlg in CS.cfg
+ Restart services
+ Resubmit cert (Resubmitted cert should have new Algorithm)
+ """
+ tasks.install_master(self.master)
+ self.master.run_command(['ipactl', 'stop'])
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
+ encoding='utf-8')
+ new_lines = []
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
+ for line in cs_cfg_content.split('\n'):
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
+ new_lines.append(replace_str)
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
+ new_lines.append(ocsp_rep_str)
+ else:
+ new_lines.append(line)
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
+ '\n'.join(new_lines))
+ self.master.run_command(['ipactl', 'start'])
+
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
+ result = self.master.run_command(cmd)
+ request_id = get_certmonger_fs_id(result.stdout_text)
+
+ # resubmit RA Agent cert
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
+ self.master.run_command(cmd)
+
+ tasks.wait_for_certmonger_status(self.master,
+ ('CA_WORKING', 'MONITORING'),
+ request_id)
+
+ cmd_args = ['openssl', 'x509', '-in',
+ paths.RA_AGENT_PEM, '-noout', '-text']
+ result = self.master.run_command(cmd_args)
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
+ assert assert_str in result.stdout_text
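Review bot: The docstring of `test_install_master_modify_existing` (and the commit message) says it modifies `default.params.signingAlg` in CS.cfg, but the loop actually rewrites `ca.signing.defaultSigningAlgorithm` and `ca.ocsp_signing.defaultSigningAlgorithm`; the docstring should name the keys really changed, e.g. `Modify ca.signing.defaultSigningAlgorithm and ca.ocsp_signing.defaultSigningAlgorithm in CS.cfg`. CS.cfg is then written back with `put_file_contents`; if that helper does not preserve the file's original owner and mode, pki-tomcatd may fail to read it after `ipactl start`, or the file may end up more readable than before — worth confirming, or recording the original ownership/mode and restoring it after the write. A short comment explaining why the RA agent certificate is the one resubmitted (it is the cert whose signature the test can inspect via `openssl x509`) would also help a reader.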
--
2.34.1
From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidhaye@redhat.com>
Date: Thu, 25 Nov 2021 17:48:20 +0530
Subject: [PATCH] Extend test to see if replica is not shown when running
`ipa-replica-manage list -v <FQDN>`
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_simple_replication.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
index 8de385144..17092a499 100644
--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
# has to be run with --force, there is no --unattended
self.master.run_command(['ipa-replica-manage', 'del',
self.replicas[0].hostname, '--force'])
- result = self.master.run_command(['ipa-replica-manage', 'list'])
+ result = self.master.run_command(
+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
assert self.replicas[0].hostname not in result.stdout_text
--
2.34.1
From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Fri, 26 Nov 2021 12:11:21 +0530
Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
teardown
Fixture `expire_certs` moves date back after renewing the certs.
This is causing the ipa-replica to fail. This fix first uninstalls
the server then moves back the date.
Fixes: https://pagure.io/freeipa/issue/9052
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 39904d5de..5b56054b4 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
setup_dns=False, extra_args=['--no-ntp']
)
+ @classmethod
+ def uninstall(cls, mh):
+ # Uninstall method is empty as the uninstallation is done in
+ # the fixture
+ pass
+
@pytest.fixture
def expire_certs(self):
# move system date to expire certs
@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
yield
# move date back on replica and master
- for host in self.master, self.replicas[0]:
+ for host in self.replicas[0], self.master:
+ tasks.uninstall_master(host)
tasks.move_date(host, 'start', '-3years-1days')
def test_renew_expired_cert_replica(self, expire_certs):
--
2.34.1
From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 13 Dec 2021 17:37:05 +0530
Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
related : https://pagure.io/freeipa/issue/8962
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_installation.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 95cfaad54..0947241ae 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
)
assert "nsslapd-db-locks" not in result.stdout_text
+ def test_nsslapd_sizelimit(self):
+ """ Test for default value of nsslapd-sizelimit.
+
+ Related : https://pagure.io/freeipa/issue/8962
+ """
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=config",
+ ["nsslapd-sizelimit"],
+ scope="base"
+ )
+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
+
def test_admin_root_alias_CVE_2020_10747(self):
# Test for CVE-2020-10747 fix
# https://bugzilla.redhat.com/show_bug.cgi?id=1810160
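Review bot: The check `"nsslapd-sizelimit: 100000" in result.stdout_text` is a substring match, so a value such as `1000000` would also pass; anchor the value to the end of its line, e.g. `assert "nsslapd-sizelimit: 100000\n" in result.stdout_text`, or match the attribute line with a `^...$` regex in multiline mode if `re` is already imported in this file. A one-line comment stating that 100000 is the installer's expected default (the value issue 8962 settles on) would make the magic number self-explaining.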
--
2.34.1
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 25 Nov 2021 13:10:05 +0530
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
segfault
When empty cert request is submitted to certmonger, it goes to
segfault. This fix test that if something like this happens,
certmonger should gracefuly handle it
and some PEP8 fixes
related: https://pagure.io/certmonger/issue/191
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
1 file changed, 78 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 5ffb8c608..0518d7954 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -14,6 +14,7 @@ import random
import re
import string
import time
+import textwrap
from ipaplatform.paths import paths
from ipapython.dn import DN
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
tasks.kinit_admin(self.master)
tasks.user_add(self.master, user)
- for id in (0,1):
+ for id in (0, 1):
csr_file = f'{id}.csr'
key_file = f'{id}.key'
cert_file = f'{id}.crt'
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
error_msg = 'ipa: ERROR: The certificate for ' \
'{} is not available on this server.'.format(lwca)
assert error_msg in result.stderr_text
+
+ def test_certmonger_empty_cert_not_segfault(self):
+ """Test empty cert request doesn't force certmonger to segfault
+
+ Test scenario:
+ create a cert request file in /var/lib/certmonger/requests which is
+ missing most of the required information, and ask request a new
+ certificate to certmonger. The wrong request file should not make
+ certmonger crash.
+
+ related: https://pagure.io/certmonger/issue/191
+ """
+ empty_cert_req_content = textwrap.dedent("""
+ id=dogtag-ipa-renew-agent
+ key_type=UNSPECIFIED
+ key_gen_type=UNSPECIFIED
+ key_size=0
+ key_gen_size=0
+ key_next_type=UNSPECIFIED
+ key_next_gen_type=UNSPECIFIED
+ key_next_size=0
+ key_next_gen_size=0
+ key_preserve=0
+ key_storage_type=NONE
+ key_perms=0
+ key_requested_count=0
+ key_issued_count=0
+ cert_storage_type=FILE
+ cert_perms=0
+ cert_is_ca=0
+ cert_ca_path_length=0
+ cert_no_ocsp_check=0
+ last_need_notify_check=19700101000000
+ last_need_enroll_check=19700101000000
+ template_is_ca=0
+ template_ca_path_length=-1
+ template_no_ocsp_check=0
+ state=NEED_KEY_PAIR
+ autorenew=0
+ monitor=0
+ submitted=19700101000000
+ """)
+ # stop certmonger service
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
+
+ # place an empty cert request file to certmonger request dir
+ self.master.put_file_contents(
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
+ empty_cert_req_content
+ )
+
+ # start certmonger, it should not fail
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
+
+ # request a new cert, should succeed and certmonger doesn't goes
+ # to segfault
+ result = self.master.run_command([
+ "ipa-getcert", "request",
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
+ ])
+ request_id = re.findall(r'\d+', result.stdout_text)
+
+ # check if certificate is in MONITORING state
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
+ assert status == "MONITORING"
+
+ self.master.run_command(
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
+ )
+ self.master.run_command([
+ 'rm', '-rf',
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
+ ])
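Review bot: The bogus request file placed in `paths.CERTMONGER_REQUESTS_DIR` and the `test.pem`/`test.key` pair are removed only on the success path at the end of the test; if `wait_for_request` or either assertion fails, the file stays in certmonger's request directory and is re-read on every later certmonger start, which can contaminate the rest of the suite. Wrap the section from `systemctl start certmonger` through the assertions in a `try:` and move the `stop-tracking` and `rm -rf` commands into a `finally:` (skipping `stop-tracking` when `request_id` was never obtained), or turn the setup/cleanup into a fixture. Also, `re.findall(r'\d+', result.stdout_text)[0]` takes the first digit run anywhere in the output; a pattern tied to the quoted id, such as `r'"(\d+)"'`, would be less likely to pick up an unrelated number, assuming `ipa-getcert request` keeps printing the id in quotes.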
--
2.34.1
From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 6 Dec 2021 20:50:01 +0530
Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
Added web-ui tests to verify where operations
using subordinate ids are working as expected.
Related : https://pagure.io/freeipa/issue/8361
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
ipatests/test_webui/ui_driver.py | 28 ++++++
2 files changed, 169 insertions(+)
create mode 100644 ipatests/test_webui/test_subid.py
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
new file mode 100644
index 000000000..26decdba0
--- /dev/null
+++ b/ipatests/test_webui/test_subid.py
@@ -0,0 +1,141 @@
+
+"""
+Tests for subordinateid.
+"""
+
+from ipatests.test_webui.ui_driver import UI_driver
+import ipatests.test_webui.data_config as config_data
+import ipatests.test_webui.data_user as user_data
+from ipatests.test_webui.ui_driver import screenshot
+import re
+
+
+class test_subid(UI_driver):
+
+ def add_user(self, pkey, name, surname):
+ self.add_record('user', {
+ 'pkey': pkey,
+ 'add': [
+ ('textbox', 'uid', pkey),
+ ('textbox', 'givenname', name),
+ ('textbox', 'sn', surname),
+ ]
+ })
+
+ def set_default_subid(self):
+ self.navigate_to_entity(config_data.ENTITY)
+ self.check_option('ipauserdefaultsubordinateid', 'checked')
+ self.facet_button_click('save')
+
+ def get_user_count(self, user_pkey):
+ self.navigate_to_entity('subid', facet='search')
+ self.apply_search_filter(user_pkey)
+ self.wait_for_request()
+ return self.get_rows()
+
+ @screenshot
+ def test_set_defaultsubid(self):
+ """
+ Test to verify that enable/disable is working for
+ adding subids to new users.
+ """
+ self.init_app()
+ self.add_record(user_data.ENTITY, user_data.DATA2)
+ self.navigate_to_entity(config_data.ENTITY)
+ # test subid can be enabled/disabled.
+ self.set_default_subid()
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
+ self.set_default_subid()
+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
+
+ @screenshot
+ def test_user_defaultsubid(self):
+ """
+ Test to verify that subid is generated for new user.
+ """
+ self.init_app()
+ user_pkey = "some-user"
+
+ self.set_default_subid()
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
+
+ before_count = self.get_user_count(user_pkey)
+ assert len(before_count) == 0
+
+ self.add_user(user_pkey, 'Some', 'User')
+ after_count = self.get_user_count(user_pkey)
+ assert len(after_count) == 1
+
+ @screenshot
+ def test_user_subid_mod_desc(self):
+ """
+ Test to verify that auto-assigned subid description is modified.
+ """
+ self.init_app()
+ self.navigate_to_record("some-user")
+ self.switch_to_facet('memberof_subid')
+ rows = self.get_rows()
+ self.navigate_to_row_record(rows[-1])
+ self.fill_textbox("description", "some-user-subid-desc")
+ self.facet_button_click('save')
+
+ @screenshot
+ def test_admin_subid(self):
+ """
+ Test to verify that subid range is created with owner admin.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', 'admin')
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ self.assert_no_error_dialog()
+
+ @screenshot
+ def test_admin_subid_negative(self):
+ """
+ Test to verify that readding the subid fails with error.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', 'admin')
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
+ text = self.get_text('.modal-body div p', err_dialog)
+ text = text.strip()
+ pattern = r'Subordinate id with with name .* already exists.'
+ assert re.search(pattern, text) is not None
+ self.close_all_dialogs()
+
+ @screenshot
+ def test_user_subid_add(self):
+ """
+ Test to verify that subid range is created for given user.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ before_count = self.get_rows()
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', user_data.PKEY2)
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ self.assert_no_error_dialog()
+ after_count = self.get_rows()
+ assert len(before_count) < len(after_count)
+
+ @screenshot
+ def test_subid_del(self):
+ """
+ Test to remove subordinate id for given user.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ user_uid = self.get_record_pkey("some-user", "ipaowner",
+ table_name="ipauniqueid")
+ before_count = self.get_rows()
+ self.delete_record(user_uid, table_name="ipauniqueid")
+ after_count = self.get_rows()
+ assert len(before_count) > len(after_count)
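Review bot: `test_user_subid_mod_desc` clicks save after filling the description but never checks the outcome, so a rejected modification would still pass; add `self.assert_no_error_dialog()` after the save and re-read the field to confirm the new value, using whichever field-reading helper `UI_driver` already provides. The tests also depend on one another's side effects (`some-user` created in `test_user_defaultsubid` is reused by the later tests), which the class docstring should state so the tests are not expected to pass when run individually. The expected-error pattern in `test_admin_subid_negative` contains the doubled `with with`; if that mirrors the server's actual message it deserves a comment saying so, and the trailing `.` should be escaped as `\.` since it is inside a regex.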
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
index 46fd512ae..77fd74e49 100644
--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -1151,6 +1151,34 @@ class UI_driver:
return row
return None
+ def get_row_by_column_value(self, key, column_name, parent=None,
+ table_name=None):
+ """
+ Get the first matched row element of a search table with given key
+ matched against selected column. None if not found
+ """
+ rows = self.get_rows(parent, table_name)
+ s = "td div[name='%s']" % column_name
+ for row in rows:
+ has = self.find(s, By.CSS_SELECTOR, row)
+ if has.text == key:
+ return row
+ return None
+
+ def get_record_pkey(self, key, column, parent=None, table_name=None):
+ """
+ Get record pkey if value of column is known
+ """
+ row = self.get_row_by_column_value(key,
+ column_name=column,
+ parent=parent,
+ table_name=table_name)
+ val = None
+ if row:
+ el = self.find("td input", By.CSS_SELECTOR, row)
+ val = el.get_attribute("value")
+ return val
+
def navigate_to_row_record(self, row, pkey_column=None):
"""
Navigate to record by clicking on a link.
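Review bot: In `get_row_by_column_value` the result of `self.find(s, By.CSS_SELECTOR, row)` is dereferenced as `has.text` without a None check, so a row with no `td div[name=...]` cell raises AttributeError instead of being skipped, contradicting the docstring's "None if not found"; assuming `find` returns None on a miss (its definition is outside this hunk), change the comparison to `if has is not None and has.text == key:`. `get_record_pkey` likewise assumes `td input` exists in the matched row; guarding that lookup the same way keeps the documented "None if unknown" contract honest.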
--
2.34.1
From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Fri, 7 Jan 2022 12:12:26 +0100
Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
configuration file
FullLoader class for YAML loader was introduced in version 5.1 which
also deprecated default loader. SafeLoader, however, stays consistent
across the versions and brings added security.
This fix is necessary as PyYAML > 5.1 is not available in downstream.
Related: https://pagure.io/freeipa/issue/9009
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_webui/ui_driver.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
index 77fd74e49..519efee9b 100644
--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -192,7 +192,7 @@ class UI_driver:
if not NO_YAML and os.path.isfile(path):
try:
with open(path, 'r') as conf:
- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
+ cls.config = yaml.safe_load(stream=conf)
except yaml.YAMLError as e:
pytest.skip("Invalid Web UI config.\n%s" % e)
except IOError as e:
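Review bot: `yaml.safe_load` also rejects any Python-specific tags (`!!python/...`) that a local Web UI config may have relied on under `FullLoader`; the resulting constructor error is a `yaml.YAMLError`, so such a config now makes the suite skip with "Invalid Web UI config" instead of loading. That is the right outcome security-wise, since the config must not be able to instantiate arbitrary objects, but it is a behaviour change for existing config files and deserves a comment on the line, e.g. `# safe_load on purpose: the config is plain data, Python-specific tags are rejected`.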
--
2.34.1
From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 18 Nov 2021 18:43:22 +0530
Subject: [PATCH] PEP8 Fixes
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
.../test_integration/test_replica_promotion.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1a4e9bc12..c328b1a08 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert res.returncode == 1
assert expected_err in res.stderr_text
-
@replicas_cleanup
def test_one_command_installation(self):
"""
@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
"freeipa-ldaps"])
self.replicas[0].run_command(['ipa-replica-install', '-w',
- self.master.config.admin_password,
- '-n', self.master.domain.name,
- '-r', self.master.domain.realm,
- '--server', self.master.hostname,
- '-U'])
+ self.master.config.admin_password,
+ '-n', self.master.domain.name,
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
# Ensure that pkinit is properly configured, test for 7566
result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
assert "PKINIT is enabled" in result.stdout_text
@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
result1 = client.run_command(['ipa-replica-install', '-U', '-w',
self.master.config.dirman_password],
raiseonerr=False)
- assert(result1.returncode == 0), (
+ assert (result1.returncode == 0), (
'Failed to promote the client installed with the upcase domain name')
def test_client_rollback(self):
@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
assert("An error occurred while removing SSSD" not in
result.stdout_text)
+
class TestRenewalMaster(IntegrationTest):
topology = 'star'
--
2.34.1
From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 18 Nov 2021 18:36:58 +0530
Subject: [PATCH] Test cases for ipa-replica-conncheck command
Following test cases would be checked:
- when called with --principal (it should then prompt for a password)
- when called with --principal / --password
- when called without principal and password but with a kerberos TGT,
kinit admin done before calling ipa-replica-conncheck
- when called without principal and password, and without any kerberos
TGT (it should default to principal=admin and prompt for a password)
related: https://pagure.io/freeipa/issue/9047
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
---
.../test_replica_promotion.py | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index b9c56f775..1a4e9bc12 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
self.assertCARenewalMaster(master, replica.hostname)
self.assertCARenewalMaster(replica, replica.hostname)
+ def test_replica_concheck(self):
+ """Test cases for ipa-replica-conncheck command
+
+ Following test cases would be checked:
+ - when called with --principal (it should then prompt for a password)
+ - when called with --principal / --password
+ - when called without principal and password but with a kerberos TGT,
+ kinit admin done before calling ipa-replica-conncheck
+ - when called without principal and password, and without any kerberos
+ TGT (it should default to principal=admin and prompt for a password)
+
+ related: https://pagure.io/freeipa/issue/9047
+ """
+ exp_str1 = "Connection from replica to master is OK."
+ exp_str2 = "Connection from master to replica is OK"
+ tasks.kdestroy_all(self.replicas[0])
+ # when called with --principal (it should then prompt for a password)
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm,
+ '-p', self.replicas[0].config.admin_name],
+ stdin_text=self.master.config.admin_password
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called with --principal / --password
+ result = self.replicas[0].run_command([
+ 'ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm,
+ '-p', self.replicas[0].config.admin_name,
+ '-w', self.master.config.admin_password
+ ])
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called without principal and password, and without
+ # any kerberos TGT, it should default to principal=admin
+ # and prompt for a password
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm],
+ stdin_text=self.master.config.admin_password
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called without principal and password but with a kerberos TGT,
+ # kinit admin done before calling ipa-replica-conncheck
+ tasks.kinit_admin(self.replicas[0])
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm]
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+ tasks.kdestroy_all(self.replicas[0])
+
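Review bot: The first and third cases are described as "it should then prompt for a password", but the assertions only check the two OK strings, so the test would also pass if the tool read the password from stdin without prompting or never used it; assert on the prompt itself, e.g. `assert 'Password' in result.stderr_text + result.stdout_text`, adjusted to the tool's exact prompt wording. The `-w` case deliberately puts the admin password on the command line, where it is visible in process listings on the replica; a comment noting that this is the option under test would keep the pattern from being copied into non-test code. `exp_str2` also lacks the trailing period that `exp_str1` has — harmless for a substring check, but worth making consistent if both strings are meant to match full messages.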
def test_automatic_renewal_master_transfer_ondelete(self):
# Test that after replica uninstallation, master overtakes the cert
# renewal master role from replica (which was previously set there)
--
2.34.1


@ -1,30 +0,0 @@
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 16 Jul 2021 09:20:33 +0300
Subject: [PATCH] rhel platform: add a named crypto-policy support
RHEL 8+ provides bind system-wide crypto policy support, enable it.
Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipaplatform/rhel/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada32..3631550eb 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
--
2.31.1


@ -1,53 +0,0 @@
From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/cainstance.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
# Create the profile, replacing any existing profile of same name
profile_data = __get_profile_config(profile_id)
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
- logger.debug("Imported profile '%s'", profile_id)
+ try:
+ _create_dogtag_profile(profile_id, profile_data,
+ overwrite=True)
+ except errors.HTTPRequestError as e:
+ logger.warning("Failed to import profile '%s': %s. Running "
+ "ipa-server-upgrade when installation is "
+ "completed may resolve this issue.",
+ profile_id, e)
+ conn.delete_entry(entry)
+ else:
+ logger.debug("Imported profile '%s'", profile_id)
else:
logger.debug(
"Profile '%s' is already in LDAP; skipping", profile_id
--
2.31.1


@ -0,0 +1,104 @@
From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 28 Jan 2022 16:46:35 -0500
Subject: [PATCH] Don't always override the port in import_included_profiles
I can only guess at the original purpose of this override. I
believe it was because this is called in the installer prior
to Apache being set up. The expectation was that this would
only be called locally. It predates the RestClient class.
RestClient will attempt to find an available service. In this
case, during a CA installation, the local server is not
considered available because it lacks an entry in
cn=masters. So it will never be returned as an option.
So by overriding the port to 8443 the remote connection will
likely fail because we don't require that the port be open.
So instead, instantiate a RestClient and see what happens.
There are several use-cases:
1. Installing an initial server. The RestClient connection
should fail, so we will fall back to the override port and
use the local server. If Apache happens to be running with
a globally-issued certificate then the RestClient will
succeed. In this case if the connected host and the local
hostname are the same, override in that case as well.
2. Installing as a replica. In this case the local server should
be ignored in all cases and a remote CA will be picked with
no override done.
3. Switching from CA-less to CA-ful. The web server will be
trusted but the RestClient login will fail with a 404. Fall
back to the override port in this case.
The motivation for this is trying to install an EL 8.x replica
against an EL 7.9 server. 8.5+ includes the ACME service and
a new profile is needed which doesn't exist in 7. This was
failing because the RestClient determined that the local server
wasn't running a CA so tried the remote one (7.9) on the override
port 8443. Since this port isn't open: failure.
Chances are that adding the profile is still going to fail
because again, 7.9 lacks ACME capabilities, but it will fail in
a way that allows the installation to continue.
I suspect that all of the overrides can similarly handled, or
handled directly within the RestClient class, but for the sake
of "do no harm" I'm only changing this instance for now.
https://pagure.io/freeipa/issue/9100
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8c8bf1b3a..ad206aad4 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1953,7 +1953,35 @@ def import_included_profiles():
cn=['certprofiles'],
)
- api.Backend.ra_certprofile.override_port = 8443
+ # At this point Apache may or may not be running with a valid
+ # certificate. The local server is not yet recognized as a full
+ # CA yet so it isn't discoverable. So try to do some detection
+ # on what port to use, 443 (remote) or 8443 (local) for importing
+ # the profiles.
+ #
+ # api.Backend.ra_certprofile invokes the RestClient class
+ # which will discover and login to the CA REST API. We can
+ # use this information to detect where to import the profiles.
+ #
+ # If the login is successful (e.g. doesn't raise an exception)
+ # and it returns our hostname (it prefers the local host) then
+ # we override and talk locally.
+ #
+ # Otherwise a NetworkError means we can't connect on 443 (perhaps
+ # a firewall) or we get an HTTP error (valid TLS certificate on
+ # Apache but no CA, login fails with 404) so we override to the
+ # local server.
+ #
+ # When override port was always set to 8443 the RestClient could
+ # pick a remote server and since 8443 isn't in our firewall profile
+ # setting up a new server would fail.
+ try:
+ with api.Backend.ra_certprofile as profile_api:
+ if profile_api.ca_host == api.env.host:
+ api.Backend.ra_certprofile.override_port = 8443
+ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
+ logger.debug('Overriding CA port: %s', e)
+ api.Backend.ra_certprofile.override_port = 8443
for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
dn = DN(('cn', profile_id),
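Review bot: The fallback tuple `except (errors.NetworkError, errors.RemoteRetrieveError) as e:` does not obviously cover the 404 case described in the comment above it: the earlier patch in this same series catches `errors.HTTPRequestError` when a profile import fails, so if the RestClient login surfaces the 404 as that type the installer will abort here instead of falling back to port 8443. If the 404 really arrives as RemoteRetrieveError, a one-line comment next to the tuple saying so would save the next reader the same question; otherwise `errors.HTTPRequestError` should be added to it. Logging only at debug also hides from an installer transcript which host and port were chosen, which is the first thing anyone debugging the CA-less-to-CA-ful case will want; logging `profile_api.ca_host` at info on the success path would help. import_included_profiles continues outside the hunk.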
--
2.34.1


@ -0,0 +1,115 @@
From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 31 Jan 2022 17:31:50 -0500
Subject: [PATCH] Remove ipa-join errors from behind the debug option
This brings it inline with the previous XML-RPC output which
only hid the request and response from the output and not
any errors returned.
https://pagure.io/freeipa/issue/9103
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
---
client/ipa-join.c | 27 +++++++++------------------
1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/client/ipa-join.c b/client/ipa-join.c
index d98739a9a..5888a33bf 100644
--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
json_str = json_dumps(json, 0);
if (!json_str) {
- if (debug)
- fprintf(stderr, _("json_dumps() failed\n"));
+ fprintf(stderr, _("json_dumps() failed\n"));
rval = 17;
goto cleanup;
@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
CURLcode res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
- if (debug)
- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
rval = 17;
goto cleanup;
@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
if (resp_code != 200) {
- if (debug)
- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
if (!quiet && resp_code == 401)
fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
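Review bot: The now-unconditional `fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);` ignores the `quiet` flag while the very next line still guards its message with `if (!quiet && resp_code == 401)`, so with `-q` the generic status line is printed and the more useful "unauthorized" hint is suppressed. If errors are meant to be reported regardless of `-q`, the 401 line should drop its `!quiet` test for consistency; if `-q` should silence both, the new line should be `if (!quiet) fprintf(...)` like its neighbour. The same question applies to the other hunks in this file, which print parse errors unconditionally inside functions that take a `quiet` parameter. jsonrpc_request starts and ends outside the hunk.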
@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
j_root = json_loads(payload, 0, &j_error);
if (!j_root) {
- if (debug)
- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
*j_result_obj = json_object_get(j_root, "result");
if (!*j_result_obj) {
- if (debug)
- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
rval = 17;
goto cleanup;
@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
&tmp_hostdn,
"krbprincipalname", &tmp_princ,
"krblastpwdchange", &tmp_pwdch) != 0) {
- if (debug)
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
"nshardwareplatform", uinfo.machine);
if (!json_req) {
- if (debug)
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
"result", result) != 0) {
- if (debug)
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
rval = 20;
goto cleanup;
@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
host);
if (!json_req) {
- if (debug)
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
rval = 17;
goto cleanup;
--
2.34.1


@ -1,41 +0,0 @@
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 30 Aug 2021 18:40:24 +0200
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.
audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };
but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.
Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 68e109419..7492fca04 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
+kernel_read_system_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
--
2.31.1


@ -0,0 +1,118 @@
From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 7 Feb 2022 10:39:55 -0500
Subject: [PATCH] Enable the ccache sweep timer during installation
The timer was only being enabled during package installation
if IPA was configured. So effectively only on upgrade.
Add as a separate installation step after the ccache directory
is configured.
Fixes: https://pagure.io/freeipa/issue/9107
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/httpinstance.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 732bb58d4..50ccf5e50 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
self.step("publish CA cert", self.__publish_ca_cert)
self.step("clean up any existing httpd ccaches",
self.remove_httpd_ccaches)
+ self.step("enable ccache sweep",
+ self.enable_ccache_sweep)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
if not self.is_kdcproxy_configured():
self.step("create KDC proxy config", self.create_kdcproxy_conf)
@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
[paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
)
+ def enable_ccache_sweep(self):
+ ipautil.run(
+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
+ )
+
def __configure_http(self):
self.update_httpd_service_ipa_conf()
self.update_httpd_wsgi_conf()
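Review bot: `enable_ccache_sweep` only runs `systemctl enable`, which wires the timer in for the next boot but does not start it, so on a fresh install the sweep does not run until the host reboots or something else starts the unit; the new integration test checks `is-enabled` only and would not notice. If the timer should be active right after installation, use `[paths.SYSTEMCTL, 'enable', '--now', 'ipa-ccache-sweep.timer']` (or add a matching `start`) and extend the test with `systemctl is-active`. The uninstall path is not in this hunk; if it does not disable the timer, a removed server keeps a dangling enabled unit pointing at a ccache directory that no longer exists. A short docstring such as `"""Enable the systemd timer that purges stale httpd ccaches."""` would also help, since the method name alone does not say which unit it touches.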
--
2.34.1
From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Wed, 9 Feb 2022 18:56:21 +0530
Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
installation
This test checks that ipa-ccache-sweep.timer is enabled by default
during the ipa installation.
related: https://pagure.io/freeipa/issue/9107
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../test_integration/test_installation.py | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index f2d372c0c..63edbaa2b 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
# Tweak sysrestore.state to drop installation section
self.master.run_command(
- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
# Re-run installation check and it should fall back to old method
@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
# Restore installation section.
self.master.run_command(
- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
# Uninstall and confirm that the old method reports correctly
@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
break
return(pid)
+
def get_ipa_services_pids(host):
ipa_services_name = [
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
+ def test_ipa_ccache_sweep_timer_enabled(self):
+ """Test ipa-ccache-sweep.timer enabled by default during installation
+
+ This test checks that ipa-ccache-sweep.timer is enabled by default
+ during the ipa installation.
+
+ related: https://pagure.io/freeipa/issue/9107
+ """
+ result = self.master.run_command(
+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
+ raiseonerr=False
+ )
+ assert 'enabled' in result.stdout_text
+
def test_install_dns(self):
tasks.install_dns(self.master)
--
2.34.1


@ -1,46 +0,0 @@
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Aug 2021 17:10:29 +0200
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.
Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 5d97ff613..6f646b9f4 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
--
2.31.1


@ -0,0 +1,31 @@
From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 10 Feb 2022 18:49:06 +0530
Subject: [PATCH] ipatests: remove additional check for failed units.
On RHEL tests are randomly failing because of this check
and the test doesn't need to check this.
Related : https://pagure.io/freeipa/issue/9108
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_otp.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index d8ce527ca..6e70ddcb3 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
check_services = self.master.run_command(
['systemctl', 'list-units', '--state=failed']
)
- assert "0 loaded units listed" in check_services.stdout_text
assert "ipa-otpd" not in check_services.stdout_text
# Be sure no services are running and failed units
self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
--
2.34.1


@ -1,37 +0,0 @@
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 7 Sep 2021 17:06:53 +0200
Subject: [PATCH] migrate-ds: workaround to detect compat tree
Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.
Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.
Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/migration.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index db5241915..6ee205fc8 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
# check whether the compat plugin is enabled
if not options.get('compat'):
try:
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
+ (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
--
2.31.1


@ -1,89 +0,0 @@
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:03:21 +0530
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 2035ced56..e3a0d867e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
# Run the command again after cache is removed
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
+ def test_basesearch_compat_tree(self):
+ """Test ldapsearch against compat tree is working
+
+ This to ensure that ldapsearch with base scope is not failing.
+
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
+ """
+ tasks.kinit_admin(self.master)
+ base_dn = str(self.master.domain.basedn)
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.31.1
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:23:15 +0530
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e3a0d867e..4d9a81652 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
from ipaserver.install.installutils import realm_to_serverid
+from pkg_resources import parse_version
logger = logging.getLogger(__name__)
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
+ version = self.master.run_command(
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
+ )
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
+ version.stdout_text) <= parse_version("0.56.7"):
+ pytest.skip("Test requires slapi-nis with fix on fedora")
tasks.kinit_admin(self.master)
base_dn = str(self.master.domain.basedn)
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
--
2.31.1


@ -0,0 +1,38 @@
From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Thu, 10 Feb 2022 14:23:12 +0100
Subject: [PATCH] ipa_cldap: fix memory leak
ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
berval (bv_val) when processing a CLDAP packet request from a worker. The
data is used by ipa_cldap_respond() but bv_val is not freed later on.
This commit is adding the corresponding free() after ipa_cldap_respond()
is completed.
Discovered by LeakSanitizer
Fixes: https://pagure.io/freeipa/issue/9110
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
index db4a3d061..252bcf647 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
@@ -287,6 +287,7 @@ done:
ipa_cldap_respond(ctx, req, &reply);
ipa_cldap_free_kvps(&req->kvps);
+ free(reply.bv_val);
free(req);
return;
}
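Review bot: `free(reply.bv_val);` sits under the `done:` label, so it is only safe if `reply.bv_val` is guaranteed to be NULL on every path that jumps to `done:` before ipa_cldap_encode_netlogon() assigns it; the declaration of `reply` is outside the hunk, so that cannot be confirmed here. If `reply` is not zero-initialised at declaration (e.g. `struct berval reply = { 0, NULL };`), an early error jump would free an indeterminate pointer, which is worse than the leak being fixed. It is also worth confirming that ipa_cldap_respond() neither retains nor frees `bv_val` itself, otherwise this becomes a use-after-free or double free on the CLDAP response path, which is reachable from unauthenticated UDP clients. The enclosing worker function starts outside the hunk.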
--
2.34.1


@ -1,162 +0,0 @@
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 9 Aug 2021 20:57:22 +0530
Subject: [PATCH] ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.
Related : https://pagure.io/freeipa/issue/8402
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../test_installation_client.py | 118 ++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index fa59a5255..014b0f6ab 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
from __future__ import absolute_import
+import pytest
+import re
import shlex
+import textwrap
+from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.firewall import Firewall
class TestInstallClient(IntegrationTest):
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
extra_args=['--ssh-trust-dns'])
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+
+
+class TestClientInstallBind(IntegrationTest):
+ """
+ The test configures an external bind server on the ipa-server
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
+ When the IPA client is registered using ipa-client-install,
+ DNS records are added for the client in the bind server using nsupdate.
+ The first try is using GSS-TIG but fails as expected, and the client
+ installer then tries with unauthenticated nsupdate.
+ """
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.client = cls.clients[0]
+
+ @pytest.fixture
+ def setup_bindserver(self):
+ bindserver = self.master
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
+ # create a zone in the BIND server that is identical to the IPA
+ add_zone = textwrap.dedent("""
+ zone "{domain}" IN {{ type master;
+ file "{domain}.db"; allow-query {{ any; }};
+ allow-update {{ any; }}; }};
+ """).format(domain=bindserver.domain.name)
+
+ namedcfg = bindserver.get_file_contents(
+ paths.NAMED_CONF, encoding='utf-8')
+ namedcfg += '\n' + add_zone
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
+
+ def update_contents(path, pattern, replace):
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
+ namedcfg_query = re.sub(pattern, replace, contents)
+ bindserver.put_file_contents(path, namedcfg_query)
+
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
+ "#listen-on port 53 { 127.0.0.1; };")
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
+ "#listen-on-v6 port 53 { ::1; };")
+
+ add_records = textwrap.dedent("""
+ @ IN SOA {fqdn}. root.{domain}. (
+ 1001 ;Serial
+ 3H ;Refresh
+ 15M ;Retry
+ 1W ;Expire
+ 1D ;Minimum 1D
+ )
+ @ IN NS {fqdn}.
+ ns1 IN A {bindserverip}
+ _kerberos.{domain}. IN TXT {zoneupper}
+ {fqdn}. IN A {bindserverip}
+ ipa-ca.{domain}. IN A {bindserverip}
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
+ """).format(
+ fqdn=bindserver.hostname,
+ domain=bindserver.domain.name,
+ bindserverip=bindserver.ip,
+ zoneupper=bindserver.domain.name.upper()
+ )
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
+ bindserver.put_file_contents(bindserverdb, add_records)
+ bindserver.run_command(['systemctl', 'start', 'named'])
+ Firewall(bindserver).enable_services(["dns"])
+ yield
+ named_conf_backup.restore()
+ bindserver.run_command(['rm', '-rf', bindserverdb])
+
+ def test_client_nsupdate(self, setup_bindserver):
+ """Test secure nsupdate failed, then try unsecure nsupdate..
+
+ Test to verify when bind is configured with dynamic update policy,
+ and during client-install 'nsupdate -g' fails then it should run with
+ second call using unauthenticated nsupdate.
+
+ Related : https://pagure.io/freeipa/issue/8402
+ """
+ # with pre-configured bind server, install ipa-server without dns.
+ tasks.install_master(self.master, setup_dns=False)
+ self.client.resolver.backup()
+ self.client.resolver.setup_resolver(
+ self.master.ip, self.master.domain.name)
+ try:
+ self.client.run_command(['ipa-client-install', '-U',
+ '--domain', self.client.domain.name,
+ '--realm', self.client.domain.realm,
+ '-p', self.client.config.admin_name,
+ '-w', self.client.config.admin_password,
+ '--server', self.master.hostname])
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
+ str1 = "nsupdate (GSS-TSIG) failed"
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
+ client_log = self.client.get_file_contents(
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
+ )
+ assert str1 in client_log and str2 in client_log
+ dig_after = self.client.run_command(
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
+ '-t', 'SSHFP'])
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
+ finally:
+ self.client.resolver.restore()
--
2.31.1


@ -0,0 +1,40 @@
From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 5 Dec 2021 17:38:58 +0100
Subject: [PATCH] ipatests: fix
TestOTPToken::test_check_otpd_after_idle_timeout
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
kinit with an otp token (which makes ipa-otpd create a LDAP
connection), then sleeps for 60s. The expectation is that
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
and close the connection.
According to 389ds doc, the idle timeout is enforced when the
connection table is walked. By doing a ldapsearch, the test
"wakes up" ns-slapd and forces the detection of ipa-otpd
idle connection.
Fixes: https://pagure.io/freeipa/issue/9044
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_otp.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index 353470897..d8ce527ca 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
otpvalue = totp.generate(int(time.time())).decode("ascii")
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
time.sleep(60)
+ # ldapsearch will wake up slapd and force walking through
+ # the connection list, in order to spot the idle connections
+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
def test_cb(cmd_jornalctl):
# check if LDAP connection is timed out
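Review bot: The test sleeps for exactly the configured nsslapd-idletimeout (60s, per the commit message) and then issues the base search meant to trigger the connection-table walk, so depending on whether 389-ds treats a connection idle for exactly the timeout as expired, the ipa-otpd connection may not yet be eligible when that walk happens and the test stays timing-sensitive. Sleeping slightly past the timeout, e.g. `time.sleep(65)`, before the `tasks.ldapsearch_dm(...)` call would remove that boundary case. The enclosing test method starts outside the hunk.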
--
2.34.1


@ -0,0 +1,407 @@
From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 17 Jan 2022 16:57:52 +0530
Subject: [PATCH] ipatests: Tests for Autoprivate group.
Added tests using posix AD trust and non posix AD trust.
For option --auto-private-groups=[hybrid/true/false]
Related : https://pagure.io/freeipa/issue/8807
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../nightly_ipa-4-9_latest.yaml | 2 +-
.../nightly_ipa-4-9_latest_selinux.yaml | 2 +-
.../nightly_ipa-4-9_previous.yaml | 2 +-
ipatests/test_integration/test_trust.py | 242 +++++++++++++++++-
4 files changed, 240 insertions(+), 8 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 6817421b2..8b1f58c4d 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1627,7 +1627,7 @@ jobs:
build_url: '{fedora-latest-ipa-4-9/build_url}'
test_suite: test_integration/test_trust.py
template: *ci-ipa-4-9-latest
- timeout: 9000
+ timeout: 10000
topology: *adroot_adchild_adtree_master_1client
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index 817329756..a11376ab8 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1743,7 +1743,7 @@ jobs:
selinux_enforcing: True
test_suite: test_integration/test_trust.py
template: *ci-ipa-4-9-latest
- timeout: 9000
+ timeout: 10000
topology: *adroot_adchild_adtree_master_1client
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 4196265c7..3f8ce8b76 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1627,7 +1627,7 @@ jobs:
build_url: '{fedora-previous-ipa-4-9/build_url}'
test_suite: test_integration/test_trust.py
template: *ci-ipa-4-9-previous
- timeout: 9000
+ timeout: 10000
topology: *adroot_adchild_adtree_master_1client
fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 0634badbb..ff2dd9cc8 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
cls.check_sid_generation()
tasks.sync_time(cls.master, cls.ad)
- cls.child_ad = cls.ad_subdomains[0]
- cls.ad_subdomain = cls.child_ad.domain.name
- cls.tree_ad = cls.ad_treedomains[0]
- cls.ad_treedomain = cls.tree_ad.domain.name
-
+ if cls.num_ad_subdomains > 0:
+ cls.child_ad = cls.ad_subdomains[0]
+ cls.ad_subdomain = cls.child_ad.domain.name
+ if cls.num_ad_treedomains > 0:
+ cls.tree_ad = cls.ad_treedomains[0]
+ cls.ad_treedomain = cls.tree_ad.domain.name
# values used in workaround for
# https://bugzilla.redhat.com/show_bug.cgi?id=1711958
cls.srv_gc_record_name = \
@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
expected_text = 'iparangetype: %s\n' % expected_type
assert expected_text in result.stdout_text
+ def mod_idrange_auto_private_group(
+ self, option='false'
+ ):
+ """
+ Set the auto-private-group option of the default trusted
+ AD domain range.
+ """
+ tasks.kinit_admin(self.master)
+ rangename = self.ad_domain.upper() + '_id_range'
+ error_msg = "ipa: ERROR: no modifications to be performed"
+ cmd = ["ipa", "idrange-mod", rangename,
+ "--auto-private-groups", option]
+ result = self.master.run_command(cmd, raiseonerr=False)
+ if result.returncode != 0:
+ tasks.assert_error(result, error_msg)
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.clients[0])
+ test = self.master.run_command(["ipa", "idrange-show", rangename])
+ assert "Auto private groups: {0}".format(option) in test.stdout_text
+
+ def get_user_id(self, host, username):
+ """
+ User uid gid is parsed from the output of id user command.
+ """
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.clients[0])
+ self.master.run_command(["id", username])
+ test_id = host.run_command(["id", username])
+ regex = r"^uid=(?P<uid>\d+).*gid=(?P<gid>\d+).*groups=(?P<groups>\d+)"
+ match = re.match(regex, test_id.stdout_text)
+ uid = match.group('uid')
+ gid = match.group('gid')
+ return uid, gid
+
+ @contextmanager
+ def set_idoverrideuser(self, user, uid, gid):
+ """
+ Fixture to add/remove idoverrideuser for default idview,
+ also creates idm group with the provided gid because
+ gid overrides requires an existing group.
+ """
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.clients[0])
+ tasks.kinit_admin(self.master)
+ try:
+ args = ["ipa", "idoverrideuser-add", "Default Trust View",
+ "--gid", gid, "--uid", uid, user]
+ self.master.run_command(args)
+ tasks.group_add(self.master, "idgroup",
+ extra_args=["--gid", gid])
+ yield
+ finally:
+ self.master.run_command([
+ "ipa", "idoverrideuser-del", "Default Trust View", user]
+ )
+ self.master.run_command(["ipa", "group-del", "idgroup"])
+
def remove_trust(self, ad):
tasks.remove_trust_with_ad(self.master,
ad.domain.name, ad.hostname)
@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
self.master.run_command(['rm', '-f', ad_zone_file])
tasks.configure_dns_for_trust(self.master, self.ad)
self.remove_trust(self.ad)
+
+
+class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+ """
+ Tests for auto-private-groups option with non posix AD trust
+ Related : https://pagure.io/freeipa/issue/8807
+ """
+ topology = 'line'
+ num_ad_domains = 1
+ num_clients = 1
+ num_ad_subdomains = 0
+ num_ad_treedomains = 0
+ uid_override = "99999999"
+ gid_override = "78878787"
+
+ def test_add_nonposix_trust(self):
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_domain,
+ extra_args=['--range-type', 'ipa-ad-trust'])
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_auto_private_groups_default_trusted_range(self, type):
+ """
+ Modify existing range for default trusted AD domain range
+ with auto-private-groups set as true/hybrid/false and test
+ user with no posix attributes.
+ """
+ self.mod_idrange_auto_private_group(type)
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
+ if type == "true":
+ assert uid == gid
+ else:
+ test_group = self.clients[0].run_command(["id", nonposixuser])
+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
+ grp_str = "groups={0}(domain users@{1})".format(gid,
+ self.ad_domain)
+ assert gid_str in test_group.stdout_text
+ assert grp_str in test_group.stdout_text
+ assert uid != gid
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_idoverride_with_auto_private_group(self, type):
+ """
+ Override ad trusted user in default trust view
+ and set auto-private-groups=[hybrid,true,false]
+ and ensure that overridden values takes effect.
+ """
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
+ with self.set_idoverrideuser(nonposixuser,
+ self.uid_override,
+ self.gid_override
+ ):
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
+ assert (uid == self.uid_override and gid == self.gid_override)
+ test_group = self.clients[0].run_command(
+ ["id", nonposixuser]).stdout_text
+ assert "domain users@{0}".format(self.ad_domain) in test_group
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_nonposixuser_nondefault_primary_group(self, type):
+ """
+ Test for non default primary group.
+ For hybrid/false gid corresponds to the group testgroup1.
+ """
+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
+ if type == "true":
+ assert uid == gid
+ else:
+ test_group = self.clients[0].run_command(["id", nonposixuser1])
+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
+ assert (gid_str in test_group.stdout_text
+ and group in test_group.stdout_text)
+
+
+class TestPosixAutoPrivateGroup(BaseTestTrust):
+ """
+ Tests for auto-private-groups option with posix AD trust
+ Related : https://pagure.io/freeipa/issue/8807
+ """
+ topology = 'line'
+ num_ad_domains = 1
+ num_clients = 1
+ num_ad_subdomains = 0
+ num_ad_treedomains = 0
+ uid_override = "99999999"
+ gid_override = "78878787"
+
+ def test_add_posix_trust(self):
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_domain,
+ extra_args=['--range-type', 'ipa-ad-trust-posix'])
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_gidnumber_not_corresponding_existing_group(self, type):
+ """
+ Test checks that sssd can resolve AD users which
+ contain posix attributes (uidNumber and gidNumber)
+ but there is no group with the corresponding gidNumber.
+ """
+ posixuser = "testuser2@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ if type != "true":
+ result = self.clients[0].run_command(['id', posixuser],
+ raiseonerr=False)
+ tasks.assert_error(result, "no such user")
+ else:
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
+ assert uid == '10060'
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_only_uid_number_auto_private_group_default(self, type):
+ """
+ Test checks that posix user with only uidNumber defined
+ and gidNumber not set, auto-private-group
+ is set to false/true/hybrid
+ """
+ posixuser = "testuser1@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ if type == "true":
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
+ else:
+ for host in [self.master, self.clients[0]]:
+ result = host.run_command(['id', posixuser], raiseonerr=False)
+ tasks.assert_error(result, "no such user")
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_auto_private_group_primary_group(self, type):
+ """
+ Test checks that AD users which contain posix attributes
+ (uidNumber and gidNumber) and there is primary group
+ with gid number defined.
+ """
+ posixuser = "testuser@%s" % self.ad_domain
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ test_grp = self.clients[0].run_command(["id", posixuser])
+ assert uid == '10042'
+ if type == "true":
+ assert uid == gid
+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
+ self.ad_domain, self.ad_domain)
+ assert groups in test_grp.stdout_text
+ else:
+ assert gid == '10047'
+ groups = "10047(testgroup@{0})".format(self.ad_domain)
+ assert groups in test_grp.stdout_text
+
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+ def test_idoverride_with_auto_private_group(self, type):
+ """
+ Override ad trusted user in default trust view
+ and set auto-private-groups=[hybrid,true,false]
+ and ensure that overridden values takes effect.
+ """
+ posixuser = "testuser@%s" % self.ad_domain
+ with self.set_idoverrideuser(posixuser,
+ self.uid_override,
+ self.gid_override):
+ self.mod_idrange_auto_private_group(type)
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert(uid == self.uid_override
+ and gid == self.gid_override)
+ result = self.clients[0].run_command(['id', posixuser])
+ assert "10047(testgroup@{0})".format(
+ self.ad_domain) in result.stdout_text
--
2.35.1
From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 10 Feb 2022 17:07:45 +0530
Subject: [PATCH] mark xfail for
test_idoverride_with_auto_private_group[hybrid]
Related : https://github.com/SSSD/sssd/issues/5989
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index ff2dd9cc8..54bd15462 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration import fips
+from ipatests.util import xfail_context
from ipapython.dn import DN
from collections import namedtuple
from contextlib import contextmanager
@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
assert (uid == self.uid_override and gid == self.gid_override)
test_group = self.clients[0].run_command(
["id", nonposixuser]).stdout_text
- assert "domain users@{0}".format(self.ad_domain) in test_group
+ version = tasks.get_sssd_version(self.clients[0])
+ with xfail_context(version <= tasks.parse_version('2.6.3')
+ and type == "hybrid",
+ 'https://github.com/SSSD/sssd/issues/5989'):
+ assert "domain users@{0}".format(self.ad_domain) in test_group
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
def test_nonposixuser_nondefault_primary_group(self, type):
--
2.35.1
From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 10 Feb 2022 17:29:45 +0530
Subject: [PATCH] Mark xfail
test_gidnumber_not_corresponding_existing_group[true,hybrid]
Related : https://github.com/SSSD/sssd/issues/5988
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_trust.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 54bd15462..c12837815 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
raiseonerr=False)
tasks.assert_error(result, "no such user")
else:
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
- assert uid == gid
- assert uid == '10060'
+ sssd_version = tasks.get_sssd_version(self.clients[0])
+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
+ 'https://github.com/SSSD/sssd/issues/5988'):
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+ assert uid == gid
+ assert uid == '10060'
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
def test_only_uid_number_auto_private_group_default(self, type):
--
2.35.1
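Review bot: In `set_idoverrideuser` (the `BaseTestTrust` hunk at `@@ -106,6 +107,63 @@`) the `finally` block runs `idoverrideuser-del` and `group-del` through `run_command` with its default `raiseonerr`, so if `idoverrideuser-add` or `tasks.group_add` fails inside the `try`, deleting the entry that was never created fails as well and that cleanup error becomes the exception pytest reports, with the real cause only visible as chained context. Because this context manager wraps every `test_idoverride_with_auto_private_group` case, the masked traceback is what a CI run would show, and a leftover `idgroup` or override from a half-failed setup then breaks the next parametrized run. Passing `raiseonerr=False` on both cleanup commands, as `mod_idrange_auto_private_group` already does for its `idrange-mod` call, keeps the first failure visible: `self.master.run_command(["ipa", "idoverrideuser-del", "Default Trust View", user], raiseonerr=False)` and `self.master.run_command(["ipa", "group-del", "idgroup"], raiseonerr=False)`. If the cleanup result matters, check `returncode` on those two results and log the stderr rather than letting them raise.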


@ -1,128 +0,0 @@
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 9 Sep 2021 15:26:55 -0400
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.
What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.
I'm not comfortable with simply treating them the same because
in LDAP they are not.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipapython/ipaldap.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index f94b784d6..ced8f1bd6 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
entry=None, exception=None):
# idnsname - caching prevents delete when mod value to None
# cospriority - in a Class of Service object, uncacheable
- # TODO - usercertificate was banned at one point and I don't remember
- # why...
- BANNED_ATTRS = {'idnsname', 'cospriority'}
+ # usercertificate* - caching subtypes is tricky, trade less
+ # complexity for performance
+ #
+ # TODO: teach the cache about subtypes
+
+ BANNED_ATTRS = {
+ 'idnsname',
+ 'cospriority',
+ 'usercertificate',
+ 'usercertificate;binary'
+ }
if not self._enable_cache:
return
--
2.31.1
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 10 Sep 2021 09:01:48 -0400
Subject: [PATCH] ipatests: Test that a user can be issued multiple
certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 7d51b76ee..b4e85eadc 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -16,6 +16,7 @@ import string
import time
from ipaplatform.paths import paths
+from ipapython.dn import DN
from cryptography import x509
from cryptography.x509.oid import ExtensionOID
from cryptography.hazmat.backends import default_backend
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
)
assert "profile: caServerCert" in result.stdout_text
+ def test_multiple_user_certificates(self):
+ """Test that a user may be issued multiple certificates"""
+ ldap = self.master.ldap_connect()
+
+ user = 'user1'
+
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, user)
+
+ for id in (0,1):
+ csr_file = f'{id}.csr'
+ key_file = f'{id}.key'
+ cert_file = f'{id}.crt'
+ openssl_cmd = [
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
+ self.master.run_command(openssl_cmd)
+
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
+ '--certificate-out', cert_file, csr_file]
+ self.master.run_command(cmd_args)
+
+ # easier to count by pulling the LDAP entry
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
+ ('cn', 'accounts'), self.master.domain.basedn))
+
+ assert len(entry.get('usercertificate')) == 2
+
@pytest.fixture
def test_subca_certs(self):
"""
--
2.31.1


@ -1,95 +0,0 @@
From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Oct 21 2021 19:58:19 +0000
Subject: ipa-server-install uninstall: remove tdb files
ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 24e90f3..e034fab 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
ipautil.remove_file(self.smb_conf)
# Remove samba's persistent and temporary tdb files
- if os.path.isdir(paths.SAMBA_DIR):
- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
- if tdb_file.endswith(".tdb")]
- for tdb_file in tdb_files:
- ipautil.remove_file(tdb_file)
+ # in /var/lib/samba and /var/lib/samba/private
+ for smbpath in (paths.SAMBA_DIR,
+ os.path.join(paths.SAMBA_DIR, "private"),
+ os.path.join(paths.SAMBA_DIR, "lock")):
+ if os.path.isdir(smbpath):
+ tdb_files = [
+ os.path.join(smbpath, tdb_file)
+ for tdb_file in os.listdir(smbpath)
+ if tdb_file.endswith(".tdb")
+ ]
+ for tdb_file in tdb_files:
+ ipautil.remove_file(tdb_file)
# Remove our keys from samba's keytab
self.clean_samba_keytab()
From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Oct 21 2021 19:58:19 +0000
Subject: ipa-client-samba uninstall: remove tdb files
ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
index fd89e59..222ff31 100755
--- a/ipaclient/install/ipa_client_samba.py
+++ b/ipaclient/install/ipa_client_samba.py
@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
fstore.restore_file(paths.SMB_CONF)
# Remove samba's persistent and temporary tdb files
- tdb_files = [
- tdb_file
- for tdb_file in os.listdir(paths.SAMBA_DIR)
- if tdb_file.endswith(".tdb")
- ]
- for tdb_file in tdb_files:
- ipautil.remove_file(tdb_file)
+ # in /var/lib/samba and /var/lib/samba/private
+ for smbpath in (paths.SAMBA_DIR,
+ os.path.join(paths.SAMBA_DIR, "private"),
+ os.path.join(paths.SAMBA_DIR, "lock")):
+ tdb_files = [
+ os.path.join(smbpath, tdb_file)
+ for tdb_file in os.listdir(smbpath)
+ if tdb_file.endswith(".tdb")
+ ]
+ for tdb_file in tdb_files:
+ ipautil.remove_file(tdb_file)
# Remove our keys from samba's keytab
if os.path.exists(paths.SAMBA_KEYTAB):


@ -1,222 +0,0 @@
From fe59e6a0b06926a3d71c6b6f361714d1422d5b0f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 11 Nov 2021 09:58:09 +0200
Subject: [PATCH 1/2] ipa-kdb: honor SID from the host or service entry
If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 46 ++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 18 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0e0ee3616..6f272f9fe 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -653,6 +653,28 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
* clear it after detecting the changes */
info3->base.acct_flags = ACB_USE_AES_KEYS;
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTSecurityIdentifier", &strres);
+ if (ret) {
+ /* SID is mandatory for all but host/services */
+ if (!(is_host || is_service)) {
+ return ret;
+ }
+ info3->base.rid = 0;
+ } else {
+ ret = ipadb_string_to_sid(strres, &sid);
+ free(strres);
+ if (ret) {
+ return ret;
+ }
+ ret = sid_split_rid(&sid, &info3->base.rid);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ /* If SID was present prefer using it even for hosts and services
+ * but we still need to set the account flags correctly */
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
@@ -661,29 +683,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
sep ? sep + 1 : info3->base.account_name.string);
if (is_master) {
/* Well known RID of domain controllers group */
- info3->base.rid = 516;
+ if (info3->base.rid == 0) {
+ info3->base.rid = 516;
+ }
info3->base.acct_flags |= ACB_SVRTRUST;
} else {
/* Well known RID of domain computers group */
- info3->base.rid = 515;
+ if (info3->base.rid == 0) {
+ info3->base.rid = 515;
+ }
info3->base.acct_flags |= ACB_WSTRUST;
}
- } else {
- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
- "ipaNTSecurityIdentifier", &strres);
- if (ret) {
- /* SID is mandatory */
- return ret;
- }
- ret = ipadb_string_to_sid(strres, &sid);
- free(strres);
- if (ret) {
- return ret;
- }
- ret = sid_split_rid(&sid, &info3->base.rid);
- if (ret) {
- return ret;
- }
}
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
--
2.33.1
From 21af43550aa0a31e1ec5240578bd64fcbdd4ee24 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 11 Nov 2021 10:16:47 +0200
Subject: [PATCH 2/2] ipa-kdb: validate domain SID in incoming PAC for trusted
domains for S4U
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.
In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 54 ++++++++++++++++++++++++++-------
1 file changed, 43 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f272f9fe..6f7d1ac15 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1637,11 +1637,13 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
static krb5_error_code check_logon_info_consistent(krb5_context context,
TALLOC_CTX *memctx,
krb5_const_principal client_princ,
+ krb5_boolean is_s4u,
struct PAC_LOGON_INFO_CTR *info)
{
krb5_error_code kerr = 0;
struct ipadb_context *ipactx;
bool result;
+ bool is_from_trusted_domain = false;
krb5_db_entry *client_actual = NULL;
struct ipadb_e_data *ied = NULL;
int flags = 0;
@@ -1671,14 +1673,36 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
result = dom_sid_check(&ipactx->mspac->domsid,
info->info->info3.base.domain_sid, true);
if (!result) {
- /* memctx is freed by the caller */
- char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
- "to local domain SID: local [%s], PAC [%s]",
- dom ? dom : "<failed to display>",
- sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+ /* Iterate through list of trusts and check if this SID belongs to
+ * one of the domains we trust */
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+ info->info->info3.base.domain_sid, true);
+ if (result) {
+ is_from_trusted_domain = true;
+ break;
+ }
+ }
+ }
+
+ if (!result) {
+ /* memctx is freed by the caller */
+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
+ "to local domain SID or any trusted domain SID: "
+ "local [%s], PAC [%s]",
+ dom ? dom : "<failed to display>",
+ sid ? sid : "<failed to display>");
+ return KRB5KDC_ERR_POLICY;
+ }
+ }
+
+ if (is_s4u && is_from_trusted_domain) {
+ /* If the PAC belongs to a user from the trusted domain, we cannot compare SIDs */
+ return 0;
}
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
@@ -1703,6 +1727,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
goto done;
}
+
kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
if (kerr) {
goto done;
@@ -1956,6 +1981,7 @@ krb5_error_code filter_logon_info(krb5_context context,
static krb5_error_code ipadb_check_logon_info(krb5_context context,
krb5_const_principal client_princ,
krb5_boolean is_cross_realm,
+ krb5_boolean is_s4u,
krb5_data *pac_blob,
struct dom_sid *requester_sid)
{
@@ -1999,8 +2025,11 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
if (!is_cross_realm) {
/* For local realm case we need to check whether the PAC is for our user
- * but we don't need to process further */
- kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
+ * but we don't need to process further. In S4U2Proxy case when the client
+ * is ours but operates on behalf of the cross-realm principal, we will
+ * search through the trusted domains but otherwise skip the exact SID check
+ * as we are not responsible for the principal from the trusted domain */
+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, is_s4u, &info);
goto done;
}
@@ -2251,7 +2280,10 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
#endif
kerr = ipadb_check_logon_info(context,
- client_princ, is_cross_realm, &pac_blob,
+ client_princ,
+ is_cross_realm,
+ (flags & KRB5_KDB_FLAGS_S4U),
+ &pac_blob,
requester_sid);
if (kerr != 0) {
goto done;
--
2.33.1


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=TQFs
-----END PGP SIGNATURE-----


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=t9up
-----END PGP SIGNATURE-----


@ -68,8 +68,8 @@
%global krb5_kdb_version 8.0 %global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19 %global python_netaddr_version 0.7.19
# Require 4.14.5-6 which brings CVE-2020-25717 fixes in RHEL 8.5.z # Require 4.14.5-13 which brings CVE-2020-25717 fixes
%global samba_version 4.14.5-6 %global samba_version 4.14.5-13
%global selinux_policy_version 3.14.3-52 %global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4 %global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1 %global python_ldap_version 3.1.0-1
@ -178,7 +178,7 @@
# Work-around fact that RPM SPEC parser does not accept # Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.6 %define IPA_VERSION 4.9.8
# Release candidate version -- uncomment with one percent for RC versions # Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil #%%global rc_version %%nil
%define AT_SIGN @ %define AT_SIGN @
@ -191,7 +191,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 12%{?rc_version:.%rc_version}%{?dist} Release: 7%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -211,30 +211,24 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START # RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD} %if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8 %if 0%{?rhel} >= 8
Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif %endif
%endif %endif
# RHEL spec file only: END # RHEL spec file only: END
# SID hardening patches Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
Patch1100: freeipa-4.9.6-bf.patch
Patch1101: freeipa-4.9.6-bf-2.patch
Patch1102: freeipa-4.9.6-bf-3.patch
# For the timestamp trick in patch application # For the timestamp trick in patch application
BuildRequires: diffstat BuildRequires: diffstat
@ -1379,6 +1373,7 @@ fi
%{_libexecdir}/ipa/ipa-pki-wait-running %{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd %{_libexecdir}/ipa/ipa-otpd
%{_libexecdir}/ipa/ipa-print-pac %{_libexecdir}/ipa/ipa-print-pac
%{_libexecdir}/ipa/ipa-subids
%dir %{_libexecdir}/ipa/custodia %dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@ -1719,46 +1714,75 @@ fi
%changelog %changelog
* Fri Mar 18 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-12 * Thu Feb 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-7
- ipa-server-install uninstall: remove tdb files - ipatests: Backport test fixes in python3-ipatests.
- ipa-client-samba uninstall: remove tdb files Resolves: RHBZ#2057505
Resolves: RHBZ#2065719
* Tue Mar 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-11 * Mon Feb 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-6
- Custodia use a stronger encryption algo when exporting keys - ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout
Resolves: RHBZ#2062404 Related: RHBZ#2053024
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10 * Mon Feb 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-5
- Bump realease version due to build issue. - ipatests: remove additional check for failed units.
Related: RHBZ#2021489 Resolves: RHBZ#2053024
- ipa-cldap: fix memory leak.
Resolves: RHBZ#2032738
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-9 * Thu Feb 10 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-4
- Hardening for CVE-2020-25717, part 3 - Don't always override the port in import_included_profiles
Related: RHBZ#2021489 Fixes: RHBZ#2022483
- Remove ipa-join errors from behind the debug option
Fixes: RHBZ#2048558
- Enable the ccache sweep timer during installation
Fixes: RHBZ#2051575
* Thu Nov 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8 * Thu Feb 3 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-3
- Hardening for CVE-2020-25717, part 2 - Config plugin: return EmptyModlist when no change is applied.
- Related: RHBZ#2021171 Resolves: RHBZ#2031825
- Custodia: use a stronger encryption algo when exporting keys.
Resolves: RHBZ#2032806
- ipa-kdb: do not remove keys for hardened auth-enabled users.
Resolves: RHBZ#2033342
- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
Resolves: RHBZ#2049167
- Backport latest test fxes in python3 ipatests.
Resolves: RHBZ#2048509
- Removed unused patch files that were part of 4.9.8 rebase.
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7 * Fri Dec 10 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-2
- Revert bind-pkcs11-utils configuration in freeipa.spec.
Resolves: RHBZ#2026732
* Tue Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-1
- Upstream release FreeIPA 4.9.8
Related: RHBZ#2015607
- Hardening for CVE-2020-25717 - Hardening for CVE-2020-25717
- Related: RHBZ#2021171
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6 * Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9.1
- Don't store entries with a usercertificate in the LDAP cache - Fix S4U2Self regression for cross-realm requester SID buffer
Resolves: RHBZ#1999893 - Related: RHBZ#2021443
* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5 * Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9
- Catch and log errors when adding CA profiles - Require samba 4.14.5-13 with IPA DC server role fixes
Resolves: RHBZ#1999142 - Related: RHBZ#2021443
- selinux policy: allow custodia to access /proc/cpuinfo
Resolves: RHBZ#1998129 * Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT - Add versioned dependency of samba-client-libs to ipa-server
Resolves: RHBZ#2000263 - Related: RHBZ#2021443
- ipa migrate-ds command fails to warn when compat plugin is enabled
Resolves: RHBZ#1999992 * Thu Nov 11 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
- Backport latest test fixes in python3-ipatests - Hardening for CVE-2020-25717
Resolves: RHBZ#2000553 - Harden processing of trusted domains' users in S4U operations
- Resolves: RHBZ#2021443
* Wed Nov 10 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-6
- Hardening for CVE-2020-25717
- Rebuild against samba-4.14.5-11.el8
- Resolves: RHBZ#2021443
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-5
- Hardening for CVE-2020-25717
- Related: RHBZ#2019668
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4 * Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL