import ipa-4.9.8-7.module+el8.6.0+14337+19b76db2
This commit is contained in:
parent
646ea186ee
commit
dc93cf38a4
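--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.6.tar.gz
+SOURCES/freeipa-4.9.8.tar.gz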
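--- a/PLACEHOLDER-sources-hash-file-path-not-shown
+++ b/PLACEHOLDER-sources-hash-file-path-not-shown
@@ -1 +1 @@
-b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
+38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz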
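--- /dev/null
+++ b/SOURCES/PLACEHOLDER-patch-1-filename-not-shown.patch
@@ -0,0 +1,70 @@
+From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Fri, 10 Dec 2021 12:15:36 -0300
+Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
+
+This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
+---
+freeipa.spec.in | 4 +---
+ipaplatform/base/paths.py | 2 +-
+ipaplatform/fedora/paths.py | 1 +
+ipaserver/dnssec/bindmgr.py | 1 -
+4 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8f5c370e5..e20edb7bc 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
+Requires: bind-dyndb-ldap >= 11.2-2
+Requires: bind >= %{bind_version}
+Requires: bind-utils >= %{bind_version}
+-# bind-dnssec-utils is required by the OpenDNSSec integration
+-# https://pagure.io/freeipa/issue/9026
+-Requires: bind-dnssec-utils >= %{bind_version}
+%if %{with bind_pkcs11}
+Requires: bind-pkcs11 >= %{bind_version}
++Requires: bind-pkcs11-utils >= %{bind_version}
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 7d21367ec..42a47f1df 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -259,7 +259,7 @@ class BasePathNamespace:
+IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
+IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
+IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
+- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+GETSEBOOL = "/usr/sbin/getsebool"
+GROUPADD = "/usr/sbin/groupadd"
+USERMOD = "/usr/sbin/usermod"
+diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
+index 4e993c063..92a948966 100644
+--- a/ipaplatform/fedora/paths.py
++++ b/ipaplatform/fedora/paths.py
+@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
+NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+if HAS_NFS_CONF:
+SYSCONFIG_NFS = '/etc/nfs.conf'
++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+
+
+paths = FedoraPathNamespace()
+diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
+index 0c79cc03d..a15c0e601 100644
+--- a/ipaserver/dnssec/bindmgr.py
++++ b/ipaserver/dnssec/bindmgr.py
+@@ -127,7 +127,6 @@ class BINDMgr:
+)
+cmd = [
+paths.DNSSEC_KEYFROMLABEL,
+- '-E', 'pkcs11',
+'-K', workdir,
+'-a', attrs['idnsSecAlgorithm'][0],
+'-l', uri
+--
+2.31.1
+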
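Review bot: The reverted base path `DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"` is backed by a package dependency only inside the `%if %{with bind_pkcs11}` branch (`Requires: bind-pkcs11-utils`), while the `%else` branch leaves it to the fedora/paths.py override pointing back to `/usr/sbin/dnssec-keyfromlabel`; that coupling between a spec branch and a platform override is implicit and easy to break on the next rebase. A comment on the base assignment such as `# presumably provided by bind-pkcs11-utils on bind_pkcs11 builds; fedora/paths.py overrides this with the native dnssec-keyfromlabel` would make the dependency visible where the path is defined. The revert message cites only the reverted hash, so a sentence on why bind-dnssec-utils is not wanted for this build would help whoever rebases it later. The BINDMgr method whose `cmd` list loses `'-E', 'pkcs11'` starts and ends outside the hunk.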
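--- a/SOURCES/PLACEHOLDER-patch-2-filename-not-shown.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Jun 2021 14:36:51 +0200
-Subject: [PATCH] paths: add IPA_SERVER_CONF
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Related: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
-ipaplatform/base/paths.py | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 91423b332..de217d9ef 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -71,6 +71,7 @@ class BasePathNamespace:
-IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
-IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
-IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
-+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
-DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
-DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
-DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
---
-2.31.1
-
-From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Jun 2021 14:45:49 +0200
-Subject: [PATCH] ipatests: smoke test for server debug mode.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add a smoke test to make sure the server can be set in debug mode
-without issue.
-
-Related: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
-.../test_integration/test_installation.py | 27 +++++++++++++++++++
-1 file changed, 27 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 301767b8d..0c96536f0 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
-def test_install_master(self):
-tasks.install_master(self.master, setup_dns=False)
-
-+ @pytest.mark.skip_if_platform(
-+ "debian", reason="This test hardcodes the httpd service name"
-+ )
-+ def test_smoke_test_for_debug_mode(self):
-+ """Test if an IPA server works in debug mode.
-+ Related: https://pagure.io/freeipa/issue/8891
-+
-+ Note: this test hardcodes the "httpd" service name.
-+ """
-+
-+ target_fname = paths.IPA_SERVER_CONF
-+ assert not self.master.transport.file_exists(target_fname)
-+
-+ # set the IPA server in debug mode
-+ server_conf = "[global]\ndebug=True"
-+ self.master.put_file_contents(target_fname, server_conf)
-+ self.master.run_command(["systemctl", "restart", "httpd"])
-+
-+ # smoke test in debug mode
-+ tasks.kdestroy_all(self.master)
-+ tasks.kinit_admin(self.master)
-+ self.master.run_command(["ipa", "user-show", "admin"])
-+
-+ # rollback
-+ self.master.run_command(["rm", target_fname])
-+ self.master.run_command(["systemctl", "restart", "httpd"])
-+
-def test_schema_compat_attribute_and_tree_disable(self):
-"""Test if schema-compat-entry-attribute is set
-
---
-2.31.1
-
-From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 23 Jun 2021 06:35:19 +0200
-Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-perf_counter_ns is only available in Python 3.7 and later.
-Define a lambda for 3.6 and lower.
-
-Fixes: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
-ipaserver/rpcserver.py | 5 +++++
-1 file changed, 5 insertions(+)
-
-diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
-index b121316bf..e612528e0 100644
---- a/ipaserver/rpcserver.py
-+++ b/ipaserver/rpcserver.py
-@@ -31,6 +31,7 @@ import os
-import time
-import traceback
-from io import BytesIO
-+from sys import version_info
-from urllib.parse import parse_qs
-from xmlrpc.client import Fault
-
-@@ -72,6 +73,10 @@ from requests.auth import AuthBase
-if six.PY3:
-unicode = str
-
-+# time.perf_counter_ns appeared in Python 3.7.
-+if version_info < (3, 7):
-+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
-+
-logger = logging.getLogger(__name__)
-
-HTTP_STATUS_SUCCESS = '200 Success'
---
-2.31.1
-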
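--- a/SOURCES/PLACEHOLDER-patch-3-filename-not-shown.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Mon, 8 Mar 2021 18:15:50 +0100
-Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
-services
-
-Authentication indicators should not be enforced against internal
-IPA services, since not all users of those services are able to produce
-Kerberos tickets with all the auth indicator options. This includes
-host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
-If a client that is being promoted to replica has an auth indicator
-in its host principal then the promotion is aborted.
-
-Fixes: https://pagure.io/freeipa/issue/8206
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
-ipaserver/install/server/replicainstall.py | 13 ++++++++++++
-ipaserver/plugins/host.py | 5 ++++-
-ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
-3 files changed, 41 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 73967a224..f1fb91036 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
-))
-
-
-+def promotion_check_host_principal_auth_ind(conn, hostdn):
-+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
-+ if 'krbprincipalauthind' in entry:
-+ raise RuntimeError(
-+ "Client cannot be promoted to a replica if the host principal "
-+ "has an authentication indicator set."
-+ )
-+
-+
-@common_cleanup
-@preserve_enrollment_state
-def promote_check(installer):
-@@ -956,6 +965,10 @@ def promote_check(installer):
-config.master_host_name, None)
-
-promotion_check_ipa_domain(conn, remote_api.env.basedn)
-+ hostdn = DN(('fqdn', api.env.host),
-+ api.env.container_host,
-+ api.env.basedn)
-+ promotion_check_host_principal_auth_ind(conn, hostdn)
-
-# Make sure that domain fulfills minimal domain level
-# requirement
-diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
-index eb1f8ef04..41fa933e2 100644
---- a/ipaserver/plugins/host.py
-+++ b/ipaserver/plugins/host.py
-@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
-LDAPAddAttributeViaOption,
-LDAPRemoveAttributeViaOption)
-from .service import (
-- validate_realm, normalize_principal,
-+ validate_realm, validate_auth_indicator, normalize_principal,
-set_certificate_attrs, ticket_flags_params, update_krbticketflags,
-set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
-rename_ipaallowedtoperform_to_ldap, revoke_certs)
-@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
-update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
-if 'krbticketflags' in entry_attrs:
-entry_attrs['objectclass'].append('krbticketpolicyaux')
-+ validate_auth_indicator(entry_attrs)
-+
-return dn
-
-def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
-if 'krbprincipalaux' not in (item.lower() for item in
-entry_attrs['objectclass']):
-entry_attrs['objectclass'].append('krbprincipalaux')
-+ validate_auth_indicator(entry_attrs)
-
-add_sshpubkey_to_attrs_pre(self.context, attrs_list)
-
-diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
-index 1c9347804..cfbbff3c6 100644
---- a/ipaserver/plugins/service.py
-+++ b/ipaserver/plugins/service.py
-@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
-raise errors.RealmMismatch()
-
-
-+def validate_auth_indicator(entry):
-+ new_value = entry.get('krbprincipalauthind', None)
-+ if not new_value:
-+ return
-+ # The following services are considered internal IPA services
-+ # and shouldn't be allowed to have auth indicators.
-+ # https://pagure.io/freeipa/issue/8206
-+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
-+ principal = kerberos.Principal(pkey)
-+ server = api.Command.server_find(principal.hostname)['result']
-+ if server:
-+ prefixes = ("host", "cifs", "ldap", "HTTP")
-+ else:
-+ prefixes = ("cifs",)
-+ if principal.service_name in prefixes:
-+ raise errors.ValidationError(
-+ name='krbprincipalauthind',
-+ error=_('authentication indicators not allowed '
-+ 'in service "%s"' % principal.service_name)
-+ )
-+
-+
-def normalize_principal(value):
-"""
-Ensure that the name in the principal is lower-case. The realm is
-@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
-hostname)
-
-self.obj.validate_ipakrbauthzdata(entry_attrs)
-+ validate_auth_indicator(entry_attrs)
-
-if not options.get('force', False):
-# We know the host exists if we've gotten this far but we
-@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
-assert isinstance(dn, DN)
-
-self.obj.validate_ipakrbauthzdata(entry_attrs)
-+ validate_auth_indicator(entry_attrs)
-
-# verify certificates
-certs = entry_attrs.get('usercertificate') or []
---
-2.31.1
-
-From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Mon, 8 Mar 2021 18:20:35 +0100
-Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
-IPA services
-
-Authentication indicators should not be added to internal IPA services,
-since this can lead to a broken IPA setup. In case a client with
-an auth indicator set in its host principal, promoting it to a replica
-should fail.
-
-Related: https://pagure.io/freeipa/issue/8206
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
-.../test_replica_promotion.py | 38 +++++++++++++++++++
-ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
-ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
-3 files changed, 69 insertions(+)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 0a137dbdc..b9c56f775 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
-assert result.returncode == 1
-assert expected_err in result.stderr_text
-
-+ @replicas_cleanup
-+ def test_install_with_host_auth_ind_set(self):
-+ """ A client shouldn't be able to be promoted if it has
-+ any auth indicator set in the host principal.
-+ https://pagure.io/freeipa/issue/8206
-+ """
-+
-+ client = self.replicas[0]
-+ # Configure firewall first
-+ Firewall(client).enable_services(["freeipa-ldap",
-+ "freeipa-ldaps"])
-+
-+ client.run_command(['ipa-client-install', '-U',
-+ '--domain', self.master.domain.name,
-+ '--realm', self.master.domain.realm,
-+ '-p', 'admin',
-+ '-w', self.master.config.admin_password,
-+ '--server', self.master.hostname,
-+ '--force-join'])
-+
-+ tasks.kinit_admin(client)
-+
-+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
-+ client.hostname])
-+
-+ res = client.run_command(['ipa-replica-install', '-U', '-w',
-+ self.master.config.dirman_password],
-+ raiseonerr=False)
-+
-+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
-+ client.hostname])
-+
-+ expected_err = ("Client cannot be promoted to a replica if the host "
-+ "principal has an authentication indicator set.")
-+ assert res.returncode == 1
-+ assert expected_err in res.stderr_text
-+
-+
-@replicas_cleanup
-def test_one_command_installation(self):
-"""
-diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
-index c66bbc865..9cfde3565 100644
---- a/ipatests/test_xmlrpc/test_host_plugin.py
-+++ b/ipatests/test_xmlrpc/test_host_plugin.py
-@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
-error=u'An IPA master host cannot be deleted or disabled')):
-command()
-
-+ def test_try_add_auth_ind_master(self, this_host):
-+ command = this_host.make_update_command({
-+ u'krbprincipalauthind': u'radius'})
-+ with raises_exact(errors.ValidationError(
-+ name='krbprincipalauthind',
-+ error=u'authentication indicators not allowed '
-+ 'in service "host"'
-+ )):
-+ command()
-+
-
-@pytest.mark.tier1
-class TestValidation(XMLRPC_test):
-diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
-index 4c845938c..ed634a045 100644
---- a/ipatests/test_xmlrpc/test_service_plugin.py
-+++ b/ipatests/test_xmlrpc/test_service_plugin.py
-@@ -25,6 +25,7 @@ from ipalib import api, errors
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
-from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
-from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
-+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
-from ipatests.test_xmlrpc import objectclasses
-from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
-@@ -1552,6 +1553,15 @@ def indicators_host(request):
-return tracker.make_fixture(request)
-
-
-+@pytest.fixture(scope='function')
-+def this_host(request):
-+ """Fixture for the current master"""
-+ tracker = HostTracker(name=api.env.host.partition('.')[0],
-+ fqdn=api.env.host)
-+ tracker.exists = True
-+ return tracker
-+
-+
-@pytest.fixture(scope='function')
-def indicators_service(request):
-tracker = ServiceTracker(
-@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
-expected_updates={u'krbprincipalauthind': [u'radius']}
-)
-
-+ def test_update_indicator_internal_service(self, this_host):
-+ command = this_host.make_command('service_mod',
-+ 'ldap/' + this_host.fqdn,
-+ **dict(krbprincipalauthind='otp'))
-+ with raises_exact(errors.ValidationError(
-+ name='krbprincipalauthind',
-+ error=u'authentication indicators not allowed '
-+ 'in service "ldap"'
-+ )):
-+ command()
-+
-
-@pytest.fixture(scope='function')
-def managing_host(request):
---
-2.31.1
-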
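--- /dev/null
+++ b/SOURCES/PLACEHOLDER-patch-4-filename-not-shown.patch
@@ -0,0 +1,75 @@
+From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 15 Dec 2021 10:47:02 +0100
+Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
+
+When ipa config-mod is called with the option --enable-sid,
+the code needs to trap EmptyModlist exception (it is expected
+that no LDAP attribute is modified by this operation).
+The code had a flaw and was checking:
+'enable_sid' in options
+instead of
+options['enable_sid']
+
+"'enable_sid' in options" always returns true as this option
+is a Flag with a default value, hence always present even if
+not specified on the command line.
+
+Fixes: https://pagure.io/freeipa/issue/9063
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ipaserver/plugins/config.py | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index eae401fc3..24446beb0 100644
+--- a/ipaserver/plugins/config.py
++++ b/ipaserver/plugins/config.py
+@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
+if (isinstance(exc, errors.EmptyModlist) and
+call_func.__name__ == 'update_entry' and
+('ca_renewal_master_server' in options or
+- 'enable_sid' in options)):
++ options['enable_sid'])):
+return
+
+super(config_mod, self).exc_callback(
+--
+2.34.1
+
+From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 15 Dec 2021 10:51:05 +0100
+Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
+
+Add a test to test_config_plugin, that calls ipa config-mod
+with the same value as already present in LDAP.
+The call must return EmptyModlist.
+
+Related: https://pagure.io/freeipa/issue/9063
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
+index e981bb4a0..a8ec9f0e5 100644
+--- a/ipatests/test_xmlrpc/test_config_plugin.py
++++ b/ipatests/test_xmlrpc/test_config_plugin.py
+@@ -312,4 +312,13 @@ class test_config(Declarative):
+'value': None,
+},
+),
++ dict(
++ desc='Set the value to the already set value, no modifications',
++ command=(
++ 'config_mod', [], {
++ 'ipasearchrecordslimit': u'100',
++ },
++ ),
++ expected=errors.EmptyModlist(),
++ ),
+]
+--
+2.34.1
+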
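Review bot: `options['enable_sid']` in the new exc_callback condition raises KeyError if the key is ever absent, and because exc_callback runs while `exc` is already being handled, that KeyError would replace the original error instead of falling through to `super(config_mod, self).exc_callback`. The commit message relies on the Flag always carrying a default, so `options.get('enable_sid', False)` keeps the fix while leaving the callback robust to callers that build a bare options dict. The added Declarative entry passes `'ipasearchrecordslimit': u'100'` and expects EmptyModlist, which presumably depends on an earlier entry in the same list having set that value; worth confirming that ordering assumption holds. The enclosing config_mod.exc_callback starts and ends outside the hunk.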
@ -1,8 +1,7 @@
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
From: Francisco Trivino <ftrivino@redhat.com>
Date: Feb 01 2022 07:57:24 +0000
Date: Wed, 26 Jan 2022 15:43:39 +0100
Subject: Custodia: use a stronger encryption algo when exporting keys
Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption
The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12.
scheme for PKCS#12.
@ -25,11 +24,12 @@ Fixes: https://pagure.io/freeipa/issue/9101
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
---
ipaserver/secrets/handlers/pemfile.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index 4e8eff0..ad36bd0 100644
index 4e8eff0e3..ad36bd020 100644
--- a/ipaserver/secrets/handlers/pemfile.py
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
@ -42,4 +42,6 @@ index 4e8eff0..ad36bd0 100644
])
])
with open(pk12file, 'rb') as f:
with open(pk12file, 'rb') as f:
--
2.34.1
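--- a/SOURCES/PLACEHOLDER-patch-5-filename-not-shown.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 5 Jul 2021 09:51:41 +0200
-Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
-
-The command
-ipa stageuser-add --user-auth-type=xxx
-is currently failing because the objectclass ipauserauthtypeclass
-is missing from the created entry.
-
-There is code adding the missing objectclass in the
-pre_common_callback method of user_add, and this code should
-be common to user_add and stageuser_add. In order to avoid code
-duplication, it makes more sense to move the existing code to
-pre_common_callback of baseuser_add, that is called by both
-classes.
-
-Fixes: https://pagure.io/freeipa/issue/8909
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
-ipaserver/plugins/baseuser.py | 3 +++
-ipaserver/plugins/user.py | 4 ----
-2 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
-index ae16a978a..6035228f1 100644
---- a/ipaserver/plugins/baseuser.py
-+++ b/ipaserver/plugins/baseuser.py
-@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
-if entry_attrs.get('ipatokenradiususername', None):
-add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
-entry_attrs, update=False)
-+ if entry_attrs.get('ipauserauthtype', None):
-+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
-+ entry_attrs, update=False)
-
-def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
-assert isinstance(dn, DN)
-diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
-index 6f7facb53..e4ee572b2 100644
---- a/ipaserver/plugins/user.py
-+++ b/ipaserver/plugins/user.py
-@@ -617,10 +617,6 @@ class user_add(baseuser_add):
-'ipauser' not in entry_attrs['objectclass']:
-entry_attrs['objectclass'].append('ipauser')
-
-- if 'ipauserauthtype' in entry_attrs and \
-- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
-- entry_attrs['objectclass'].append('ipauserauthtypeclass')
--
-rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
-if rcl:
-if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
---
-2.31.1
-
-From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 5 Jul 2021 10:22:31 +0200
-Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
-
-Related: https://pagure.io/freeipa/issue/8909
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
-ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
-1 file changed, 6 insertions(+)
-
-diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-index 5586fc607..bc606b093 100644
---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
-+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
-result = command()
-assert result['count'] == 1
-
-+ def test_create_withuserauthtype(self, stageduser):
-+ stageduser.ensure_missing()
-+ command = stageduser.make_create_command(
-+ options={u'ipauserauthtype': u'password'})
-+ command()
-+
-
-@pytest.mark.tier1
-class TestCreateInvalidAttributes(XMLRPC_test):
---
-2.31.1
-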
@ -0,0 +1,122 @@
|
|||||||
|
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Tue, 1 Feb 2022 16:43:09 +0100
|
||||||
|
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
|
||||||
|
|
||||||
|
Since 5d51ae5, principal keys were dropped in case user auth indicator
|
||||||
|
was not including password. Thereafter, the key removal behavior was
|
||||||
|
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
|
||||||
|
Support for hardened pre-auth methods (FAST and SPAKE) was added in
|
||||||
|
d057040, and the removal of principal keys was restored afterwards by
|
||||||
|
f0d12b7, but not taking the new hardened auth indicator into account.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9065
|
||||||
|
Related to: https://pagure.io/freeipa/issue/8001
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
|
||||||
|
1 file changed, 12 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
index 15f3df4fe..0d0d3748c 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||||
|
&res_key_data, &result, &mkvno);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
- /* Only set a principal's key if password auth can be used. Otherwise
|
||||||
|
- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
|
||||||
|
- * reply for AS-REQs which indicate the password authentication is
|
||||||
|
- * available. This might confuse applications like e.g. SSSD which try
|
||||||
|
- * to determine suitable authentication methods and corresponding
|
||||||
|
- * prompts with the help of MIT Kerberos' responder interface which
|
||||||
|
- * acts on the returned pre-authentication methods. A typical example
|
||||||
|
- * is enforced OTP authentication where of course keys are available
|
||||||
|
- * for the first factor but password authentication should not be
|
||||||
|
- * advertised by the KDC. */
|
||||||
|
- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
|
||||||
|
+ /* Only set a principal's key if password or hardened auth can be used.
|
||||||
|
+ * Otherwise the KDC would add pre-authentication methods to the
|
||||||
|
+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
|
||||||
|
+ * authentication is available. This might confuse applications like
|
||||||
|
+ * e.g. SSSD which try to determine suitable authentication methods and
|
||||||
|
+ * corresponding prompts with the help of MIT Kerberos' responder
|
||||||
|
+ * interface which acts on the returned pre-authentication methods. A
|
||||||
|
+ * typical example is enforced OTP authentication where of course keys
|
||||||
|
+ * are available for the first factor but password authentication
|
||||||
|
+ * should not be advertised by the KDC. */
|
||||||
|
+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
|
||||||
|
+ (ua != IPADB_USER_AUTH_NONE)) {
|
||||||
|
/* This is the same behavior as ENOENT below. */
|
||||||
|
ipa_krb5_free_key_data(res_key_data, result);
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Tue, 1 Feb 2022 19:38:29 +0100
|
||||||
|
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
|
||||||
|
1 file changed, 28 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
|
||||||
|
index 63e75ae67..9489fbc97 100644
|
||||||
|
--- a/ipatests/test_integration/test_krbtpolicy.py
|
||||||
|
+++ b/ipatests/test_integration/test_krbtpolicy.py
|
||||||
|
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
|
||||||
|
result = master.run_command('klist | grep krbtgt')
|
||||||
|
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
||||||
|
|
||||||
|
- def test_krbtpolicy_hardended(self):
|
||||||
|
- """Test a hardened kerberos ticket policy with 10 min tickets"""
|
||||||
|
+ def test_krbtpolicy_password_and_hardended(self):
|
||||||
|
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
|
||||||
|
master = self.master
|
||||||
|
master.run_command(['ipa', 'user-mod', USER1,
|
||||||
|
'--user-auth-type', 'password',
|
||||||
|
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
|
||||||
|
result = master.run_command('klist | grep krbtgt')
|
||||||
|
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
||||||
|
|
||||||
|
+ def test_krbtpolicy_hardended(self):
|
||||||
|
+ """Test a hardened kerberos ticket policy with 30min tickets"""
|
||||||
|
+ master = self.master
|
||||||
|
+ master.run_command(['ipa', 'user-mod', USER1,
|
||||||
|
+ '--user-auth-type', 'hardened'])
|
||||||
|
+ master.run_command(['ipa', 'config-mod',
|
||||||
|
+ '--user-auth-type', 'hardened'])
|
||||||
|
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
|
||||||
|
+ '--hardened-maxlife', '1800'])
|
||||||
|
+
|
||||||
|
+ tasks.kdestroy_all(master)
|
||||||
|
+
|
||||||
|
+ master.run_command(['kinit', USER1],
|
||||||
|
+ stdin_text=PASSWORD + '\n')
|
||||||
|
+ result = master.run_command('klist | grep krbtgt')
|
||||||
|
+ assert maxlife_within_policy(result.stdout_text, 1800,
|
||||||
|
+ slush=1800) is True
|
||||||
|
+
|
||||||
|
+ tasks.kdestroy_all(master)
|
||||||
|
+
|
||||||
|
+ # Verify that the short policy only applies to USER1
|
||||||
|
+ master.run_command(['kinit', USER2],
|
||||||
|
+ stdin_text=PASSWORD + '\n')
|
||||||
|
+ result = master.run_command('klist | grep krbtgt')
|
||||||
|
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
||||||
|
+
|
||||||
|
def test_krbtpolicy_password(self):
|
||||||
|
"""Test the kerberos ticket policy which issues 20 min tickets"""
|
||||||
|
master = self.master
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
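Review bot: The rewritten comment above the new condition in ipa_kdb_principals.c says "password or hardened auth" but never states why the hardened indicator now keeps the principal's keys; that reasoning currently lives only in the commit message (hardened pre-auth support was added later and the key-removal restore did not account for it). A line such as `* Hardened pre-auth (FAST/SPAKE) also relies on the principal's long-term key, see https://pagure.io/freeipa/issue/9065.` placed before the `if` would keep the rationale next to the check. In the new test_krbtpolicy_hardended the call `master.run_command(['ipa', 'config-mod', '--user-auth-type', 'hardened'])` changes global state and nothing in the hunk restores it; test_krbtpolicy_password runs after it with its body outside the hunk, so confirm a fixture or that test resets the global user-auth-type. The `slush=1800` passed to maxlife_within_policy equals the configured maxlife itself, which looks like it may make the assertion very permissive — worth checking against the helper's definition, which is outside this hunk.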
@ -1,35 +0,0 @@
|
|||||||
From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Wed, 7 Jul 2021 14:11:40 +0200
|
|
||||||
Subject: [PATCH] man page: update ipa-server-upgrade.1
|
|
||||||
|
|
||||||
The man page needs to clarify in which case the command needs
|
|
||||||
to be run.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8913
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
|
|
||||||
index 3db19b0f1..f01e21c6b 100644
|
|
||||||
--- a/install/tools/man/ipa-server-upgrade.1
|
|
||||||
+++ b/install/tools/man/ipa-server-upgrade.1
|
|
||||||
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
|
|
||||||
.SH "SYNOPSIS"
|
|
||||||
ipa\-server\-upgrade [options]
|
|
||||||
.SH "DESCRIPTION"
|
|
||||||
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
|
|
||||||
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
|
|
||||||
+the IPA packages are being updated. It is not intended to be executed by
|
|
||||||
+end\-users, unless the automatic execution reports an error. In this case,
|
|
||||||
+the administrator needs to identify and fix the issue that is causing the
|
|
||||||
+upgrade failure (with the help of /var/log/ipaupgrade.log)
|
|
||||||
+and manually re\-run ipa\-server\-upgrade.
|
|
||||||
|
|
||||||
ipa\-server\-upgrade will:
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,69 +0,0 @@
|
|||||||
From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Mon, 12 Jul 2021 11:02:10 -0400
|
|
||||||
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
|
|
||||||
indicators
|
|
||||||
|
|
||||||
When adding a new host the principal cannot be determined because it
|
|
||||||
relies on either:
|
|
||||||
|
|
||||||
a) an entry to already exist
|
|
||||||
b) krbprincipalname be a component of the dn
|
|
||||||
|
|
||||||
As a result the full dn is being passed into ipapython.Kerberos
|
|
||||||
which can't parse it.
|
|
||||||
|
|
||||||
Look into the entry in validate_validate_auth_indicator() for
|
|
||||||
krbprincipalname in this case.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8206
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/plugins/service.py | 5 +++++
|
|
||||||
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
|
|
||||||
2 files changed, 16 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
|
||||||
index cfbbff3c6..498f5e444 100644
|
|
||||||
--- a/ipaserver/plugins/service.py
|
|
||||||
+++ b/ipaserver/plugins/service.py
|
|
||||||
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
|
|
||||||
# and shouldn't be allowed to have auth indicators.
|
|
||||||
# https://pagure.io/freeipa/issue/8206
|
|
||||||
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
|
|
||||||
+ if pkey == str(entry.dn):
|
|
||||||
+ # krbcanonicalname may not be set yet if this is a host entry,
|
|
||||||
+ # try krbprincipalname
|
|
||||||
+ if 'krbprincipalname' in entry:
|
|
||||||
+ pkey = entry['krbprincipalname']
|
|
||||||
principal = kerberos.Principal(pkey)
|
|
||||||
server = api.Command.server_find(principal.hostname)['result']
|
|
||||||
if server:
|
|
||||||
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
|
|
||||||
index 9cfde3565..ff50e796c 100644
|
|
||||||
--- a/ipatests/test_xmlrpc/test_host_plugin.py
|
|
||||||
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
|
|
||||||
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
|
|
||||||
)):
|
|
||||||
command()
|
|
||||||
|
|
||||||
+ def test_add_non_master_with_auth_ind(self, host5):
|
|
||||||
+ host5.ensure_missing()
|
|
||||||
+ command = host5.make_command(
|
|
||||||
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
|
|
||||||
+ force=True
|
|
||||||
+ )
|
|
||||||
+ result = command()
|
|
||||||
+ # The fact that the command succeeds exercises the change but
|
|
||||||
+ # let's check the indicator as well.
|
|
||||||
+ assert result['result']['krbprincipalauthind'] == ('radius',)
|
|
||||||
+
|
|
||||||
|
|
||||||
@pytest.mark.tier1
|
|
||||||
class TestValidation(XMLRPC_test):
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Fri, 28 Jan 2022 16:58:42 +0100
|
||||||
|
Subject: [PATCH] ipa-pki-proxy.conf: provide access to
|
||||||
|
/kra/admin/kra/getStatus
|
||||||
|
|
||||||
|
The access to /kra/admin/kra/getStatus will be needed
|
||||||
|
in order to fix pki-healthcheck.
|
||||||
|
Note that this commit is a pre-requisite for the fix
|
||||||
|
to be done on PKI side. No test added since the full
|
||||||
|
integration test already exists in test_replica_promotion.py,
|
||||||
|
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9099
|
||||||
|
Related: https://pagure.io/freeipa/issue/8582
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
install/share/ipa-pki-proxy.conf.template | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
|
||||||
|
index 96708482c..7a46f20b9 100644
|
||||||
|
--- a/install/share/ipa-pki-proxy.conf.template
|
||||||
|
+++ b/install/share/ipa-pki-proxy.conf.template
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-# VERSION 16 - DO NOT REMOVE THIS LINE
|
||||||
|
+# VERSION 17 - DO NOT REMOVE THIS LINE
|
||||||
|
|
||||||
|
ProxyRequests Off
|
||||||
|
|
||||||
|
@@ -11,7 +11,7 @@ ProxyRequests Off
|
||||||
|
</LocationMatch>
|
||||||
|
|
||||||
|
# matches for admin port and installer
|
||||||
|
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
|
||||||
|
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
|
||||||
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||||
|
SSLVerifyClient none
|
||||||
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
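Review bot: The new `^/kra/admin/kra/getStatus` alternative in the LocationMatch is anchored only at the start, so it also matches any longer path that begins with that string, and this block is served with `SSLVerifyClient none`, i.e. without a client certificate. If only the exact status endpoint is meant to be reachable that way, `^/kra/admin/kra/getStatus$` would say so; the existing alternatives share the same unanchored shape, so this is a pre-existing pattern rather than a regression introduced here. A short comment next to `# matches for admin port and installer`, e.g. `# /kra/admin/kra/getStatus is needed by pki-healthcheck (issue 9099)`, would tie the new entry to its reason, which is currently only in the commit message.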
@ -0,0 +1,755 @@
|
|||||||
|
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Date: Fri, 14 Jan 2022 19:55:13 +0530
|
||||||
|
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
|
||||||
|
|
||||||
|
Scenario 1:
|
||||||
|
Setup master with --ca-signing-algorithm=SHA384withRSA
|
||||||
|
Run certutil and check Signing Algorithm
|
||||||
|
|
||||||
|
Scenario 2:
|
||||||
|
Setup a master
|
||||||
|
Stop services
|
||||||
|
Modify default.params.signingAlg in CS.cfg
|
||||||
|
Restart services
|
||||||
|
Resubmit cert (Resubmitted cert should have new Algorithm)
|
||||||
|
|
||||||
|
Pagure Link: https://pagure.io/freeipa/issue/8906
|
||||||
|
|
||||||
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_installation.py | 63 +++++++++++++++++++
|
||||||
|
1 file changed, 63 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index 0947241ae..f2d372c0c 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipatests.pytest_ipa.integration.env_config import get_global_config
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||||
|
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
||||||
|
from ipaplatform import services
|
||||||
|
|
||||||
|
|
||||||
|
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
|
||||||
|
tasks.install_replica(
|
||||||
|
self.master, self.replicas[0], setup_ca=False, setup_dns=False
|
||||||
|
)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestInstallwithSHA384withRSA(IntegrationTest):
|
||||||
|
+ num_replicas = 0
|
||||||
|
+
|
||||||
|
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
|
||||||
|
+ tasks.install_master(
|
||||||
|
+ self.master,
|
||||||
|
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # check Signing Algorithm post installation
|
||||||
|
+ dashed_domain = self.master.domain.realm.replace(".", '-')
|
||||||
|
+ cmd_args = ['certutil', '-L', '-d',
|
||||||
|
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
|
||||||
|
+ '-n', 'Server-Cert']
|
||||||
|
+ result = self.master.run_command(cmd_args)
|
||||||
|
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
|
||||||
|
+
|
||||||
|
+ def test_install_master_modify_existing(self, server_cleanup):
|
||||||
|
+ """
|
||||||
|
+ Setup a master
|
||||||
|
+ Stop services
|
||||||
|
+ Modify default.params.signingAlg in CS.cfg
|
||||||
|
+ Restart services
|
||||||
|
+ Resubmit cert (Resubmitted cert should have new Algorithm)
|
||||||
|
+ """
|
||||||
|
+ tasks.install_master(self.master)
|
||||||
|
+ self.master.run_command(['ipactl', 'stop'])
|
||||||
|
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
|
||||||
|
+ encoding='utf-8')
|
||||||
|
+ new_lines = []
|
||||||
|
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
|
||||||
|
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
|
||||||
|
+ for line in cs_cfg_content.split('\n'):
|
||||||
|
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
|
||||||
|
+ new_lines.append(replace_str)
|
||||||
|
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
|
||||||
|
+ new_lines.append(ocsp_rep_str)
|
||||||
|
+ else:
|
||||||
|
+ new_lines.append(line)
|
||||||
|
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
|
||||||
|
+ '\n'.join(new_lines))
|
||||||
|
+ self.master.run_command(['ipactl', 'start'])
|
||||||
|
+
|
||||||
|
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
|
||||||
|
+ result = self.master.run_command(cmd)
|
||||||
|
+ request_id = get_certmonger_fs_id(result.stdout_text)
|
||||||
|
+
|
||||||
|
+ # resubmit RA Agent cert
|
||||||
|
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
|
||||||
|
+ self.master.run_command(cmd)
|
||||||
|
+
|
||||||
|
+ tasks.wait_for_certmonger_status(self.master,
|
||||||
|
+ ('CA_WORKING', 'MONITORING'),
|
||||||
|
+ request_id)
|
||||||
|
+
|
||||||
|
+ cmd_args = ['openssl', 'x509', '-in',
|
||||||
|
+ paths.RA_AGENT_PEM, '-noout', '-text']
|
||||||
|
+ result = self.master.run_command(cmd_args)
|
||||||
|
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
|
||||||
|
+ assert assert_str in result.stdout_text
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Date: Thu, 25 Nov 2021 17:48:20 +0530
|
||||||
|
Subject: [PATCH] Extend test to see if replica is not shown when running
|
||||||
|
`ipa-replica-manage list -v <FQDN>`
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8605
|
||||||
|
|
||||||
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_simple_replication.py | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
|
||||||
|
index 8de385144..17092a499 100644
|
||||||
|
--- a/ipatests/test_integration/test_simple_replication.py
|
||||||
|
+++ b/ipatests/test_integration/test_simple_replication.py
|
||||||
|
@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
|
||||||
|
# has to be run with --force, there is no --unattended
|
||||||
|
self.master.run_command(['ipa-replica-manage', 'del',
|
||||||
|
self.replicas[0].hostname, '--force'])
|
||||||
|
- result = self.master.run_command(['ipa-replica-manage', 'list'])
|
||||||
|
+ result = self.master.run_command(
|
||||||
|
+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
|
||||||
|
assert self.replicas[0].hostname not in result.stdout_text
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Fri, 26 Nov 2021 12:11:21 +0530
|
||||||
|
Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
|
||||||
|
teardown
|
||||||
|
|
||||||
|
Fixture `expire_certs` moves date back after renewing the certs.
|
||||||
|
This is causing the ipa-replica to fail. This fix first uninstalls
|
||||||
|
the server then moves back the date.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9052
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
index 39904d5de..5b56054b4 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
|
||||||
|
setup_dns=False, extra_args=['--no-ntp']
|
||||||
|
)
|
||||||
|
|
||||||
|
+ @classmethod
|
||||||
|
+ def uninstall(cls, mh):
|
||||||
|
+ # Uninstall method is empty as the uninstallation is done in
|
||||||
|
+ # the fixture
|
||||||
|
+ pass
|
||||||
|
+
|
||||||
|
@pytest.fixture
|
||||||
|
def expire_certs(self):
|
||||||
|
# move system date to expire certs
|
||||||
|
@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
|
||||||
|
yield
|
||||||
|
|
||||||
|
# move date back on replica and master
|
||||||
|
- for host in self.master, self.replicas[0]:
|
||||||
|
+ for host in self.replicas[0], self.master:
|
||||||
|
+ tasks.uninstall_master(host)
|
||||||
|
tasks.move_date(host, 'start', '-3years-1days')
|
||||||
|
|
||||||
|
def test_renew_expired_cert_replica(self, expire_certs):
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Mon, 13 Dec 2021 17:37:05 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
|
||||||
|
|
||||||
|
related : https://pagure.io/freeipa/issue/8962
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_installation.py | 13 +++++++++++++
|
||||||
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index 95cfaad54..0947241ae 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
|
||||||
|
)
|
||||||
|
assert "nsslapd-db-locks" not in result.stdout_text
|
||||||
|
|
||||||
|
+ def test_nsslapd_sizelimit(self):
|
||||||
|
+ """ Test for default value of nsslapd-sizelimit.
|
||||||
|
+
|
||||||
|
+ Related : https://pagure.io/freeipa/issue/8962
|
||||||
|
+ """
|
||||||
|
+ result = tasks.ldapsearch_dm(
|
||||||
|
+ self.master,
|
||||||
|
+ "cn=config",
|
||||||
|
+ ["nsslapd-sizelimit"],
|
||||||
|
+ scope="base"
|
||||||
|
+ )
|
||||||
|
+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
|
||||||
|
+
|
||||||
|
def test_admin_root_alias_CVE_2020_10747(self):
|
||||||
|
# Test for CVE-2020-10747 fix
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1810160
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 25 Nov 2021 13:10:05 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
|
||||||
|
segfault
|
||||||
|
|
||||||
|
When empty cert request is submitted to certmonger, it goes to
|
||||||
|
segfault. This fix test that if something like this happens,
|
||||||
|
certmonger should gracefuly handle it
|
||||||
|
|
||||||
|
and some PEP8 fixes
|
||||||
|
|
||||||
|
related: https://pagure.io/certmonger/issue/191
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
|
||||||
|
1 file changed, 78 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||||||
|
index 5ffb8c608..0518d7954 100644
|
||||||
|
--- a/ipatests/test_integration/test_cert.py
|
||||||
|
+++ b/ipatests/test_integration/test_cert.py
|
||||||
|
@@ -14,6 +14,7 @@ import random
|
||||||
|
import re
|
||||||
|
import string
|
||||||
|
import time
|
||||||
|
+import textwrap
|
||||||
|
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
from ipapython.dn import DN
|
||||||
|
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
|
||||||
|
tasks.kinit_admin(self.master)
|
||||||
|
tasks.user_add(self.master, user)
|
||||||
|
|
||||||
|
- for id in (0,1):
|
||||||
|
+ for id in (0, 1):
|
||||||
|
csr_file = f'{id}.csr'
|
||||||
|
key_file = f'{id}.key'
|
||||||
|
cert_file = f'{id}.crt'
|
||||||
|
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
|
||||||
|
error_msg = 'ipa: ERROR: The certificate for ' \
|
||||||
|
'{} is not available on this server.'.format(lwca)
|
||||||
|
assert error_msg in result.stderr_text
|
||||||
|
+
|
||||||
|
+ def test_certmonger_empty_cert_not_segfault(self):
|
||||||
|
+ """Test empty cert request doesn't force certmonger to segfault
|
||||||
|
+
|
||||||
|
+ Test scenario:
|
||||||
|
+ create a cert request file in /var/lib/certmonger/requests which is
|
||||||
|
+ missing most of the required information, and ask request a new
|
||||||
|
+ certificate to certmonger. The wrong request file should not make
|
||||||
|
+ certmonger crash.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/certmonger/issue/191
|
||||||
|
+ """
|
||||||
|
+ empty_cert_req_content = textwrap.dedent("""
|
||||||
|
+ id=dogtag-ipa-renew-agent
|
||||||
|
+ key_type=UNSPECIFIED
|
||||||
|
+ key_gen_type=UNSPECIFIED
|
||||||
|
+ key_size=0
|
||||||
|
+ key_gen_size=0
|
||||||
|
+ key_next_type=UNSPECIFIED
|
||||||
|
+ key_next_gen_type=UNSPECIFIED
|
||||||
|
+ key_next_size=0
|
||||||
|
+ key_next_gen_size=0
|
||||||
|
+ key_preserve=0
|
||||||
|
+ key_storage_type=NONE
|
||||||
|
+ key_perms=0
|
||||||
|
+ key_requested_count=0
|
||||||
|
+ key_issued_count=0
|
||||||
|
+ cert_storage_type=FILE
|
||||||
|
+ cert_perms=0
|
||||||
|
+ cert_is_ca=0
|
||||||
|
+ cert_ca_path_length=0
|
||||||
|
+ cert_no_ocsp_check=0
|
||||||
|
+ last_need_notify_check=19700101000000
|
||||||
|
+ last_need_enroll_check=19700101000000
|
||||||
|
+ template_is_ca=0
|
||||||
|
+ template_ca_path_length=-1
|
||||||
|
+ template_no_ocsp_check=0
|
||||||
|
+ state=NEED_KEY_PAIR
|
||||||
|
+ autorenew=0
|
||||||
|
+ monitor=0
|
||||||
|
+ submitted=19700101000000
|
||||||
|
+ """)
|
||||||
|
+ # stop certmonger service
|
||||||
|
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
|
||||||
|
+
|
||||||
|
+ # place an empty cert request file to certmonger request dir
|
||||||
|
+ self.master.put_file_contents(
|
||||||
|
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
||||||
|
+ empty_cert_req_content
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # start certmonger, it should not fail
|
||||||
|
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
|
||||||
|
+
|
||||||
|
+ # request a new cert, should succeed and certmonger doesn't goes
|
||||||
|
+ # to segfault
|
||||||
|
+ result = self.master.run_command([
|
||||||
|
+ "ipa-getcert", "request",
|
||||||
|
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
|
||||||
|
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
|
||||||
|
+ ])
|
||||||
|
+ request_id = re.findall(r'\d+', result.stdout_text)
|
||||||
|
+
|
||||||
|
+ # check if certificate is in MONITORING state
|
||||||
|
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
|
||||||
|
+ assert status == "MONITORING"
|
||||||
|
+
|
||||||
|
+ self.master.run_command(
|
||||||
|
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
|
||||||
|
+ )
|
||||||
|
+ self.master.run_command([
|
||||||
|
+ 'rm', '-rf',
|
||||||
|
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
||||||
|
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
|
||||||
|
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
|
||||||
|
+ ])
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Mon, 6 Dec 2021 20:50:01 +0530
|
||||||
|
Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
|
||||||
|
|
||||||
|
Added web-ui tests to verify where operations
|
||||||
|
using subordinate ids are working as expected.
|
||||||
|
|
||||||
|
Related : https://pagure.io/freeipa/issue/8361
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
|
||||||
|
ipatests/test_webui/ui_driver.py | 28 ++++++
|
||||||
|
2 files changed, 169 insertions(+)
|
||||||
|
create mode 100644 ipatests/test_webui/test_subid.py
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..26decdba0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/ipatests/test_webui/test_subid.py
|
||||||
|
@@ -0,0 +1,141 @@
|
||||||
|
+
|
||||||
|
+"""
|
||||||
|
+Tests for subordinateid.
|
||||||
|
+"""
|
||||||
|
+
|
||||||
|
+from ipatests.test_webui.ui_driver import UI_driver
|
||||||
|
+import ipatests.test_webui.data_config as config_data
|
||||||
|
+import ipatests.test_webui.data_user as user_data
|
||||||
|
+from ipatests.test_webui.ui_driver import screenshot
|
||||||
|
+import re
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class test_subid(UI_driver):
|
||||||
|
+
|
||||||
|
+ def add_user(self, pkey, name, surname):
|
||||||
|
+ self.add_record('user', {
|
||||||
|
+ 'pkey': pkey,
|
||||||
|
+ 'add': [
|
||||||
|
+ ('textbox', 'uid', pkey),
|
||||||
|
+ ('textbox', 'givenname', name),
|
||||||
|
+ ('textbox', 'sn', surname),
|
||||||
|
+ ]
|
||||||
|
+ })
|
||||||
|
+
|
||||||
|
+ def set_default_subid(self):
|
||||||
|
+ self.navigate_to_entity(config_data.ENTITY)
|
||||||
|
+ self.check_option('ipauserdefaultsubordinateid', 'checked')
|
||||||
|
+ self.facet_button_click('save')
|
||||||
|
+
|
||||||
|
+ def get_user_count(self, user_pkey):
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ self.apply_search_filter(user_pkey)
|
||||||
|
+ self.wait_for_request()
|
||||||
|
+ return self.get_rows()
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_set_defaultsubid(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that enable/disable is working for
|
||||||
|
+ adding subids to new users.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.add_record(user_data.ENTITY, user_data.DATA2)
|
||||||
|
+ self.navigate_to_entity(config_data.ENTITY)
|
||||||
|
+ # test subid can be enabled/disabled.
|
||||||
|
+ self.set_default_subid()
|
||||||
|
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
|
||||||
|
+ self.set_default_subid()
|
||||||
|
+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_user_defaultsubid(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that subid is generated for new user.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ user_pkey = "some-user"
|
||||||
|
+
|
||||||
|
+ self.set_default_subid()
|
||||||
|
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
|
||||||
|
+
|
||||||
|
+ before_count = self.get_user_count(user_pkey)
|
||||||
|
+ assert len(before_count) == 0
|
||||||
|
+
|
||||||
|
+ self.add_user(user_pkey, 'Some', 'User')
|
||||||
|
+ after_count = self.get_user_count(user_pkey)
|
||||||
|
+ assert len(after_count) == 1
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_user_subid_mod_desc(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that auto-assigned subid description is modified.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_record("some-user")
|
||||||
|
+ self.switch_to_facet('memberof_subid')
|
||||||
|
+ rows = self.get_rows()
|
||||||
|
+ self.navigate_to_row_record(rows[-1])
|
||||||
|
+ self.fill_textbox("description", "some-user-subid-desc")
|
||||||
|
+ self.facet_button_click('save')
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_admin_subid(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that subid range is created with owner admin.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ self.facet_button_click('add')
|
||||||
|
+ self.select_combobox('ipaowner', 'admin')
|
||||||
|
+ self.dialog_button_click('add')
|
||||||
|
+ self.wait(0.3)
|
||||||
|
+ self.assert_no_error_dialog()
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_admin_subid_negative(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that readding the subid fails with error.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ self.facet_button_click('add')
|
||||||
|
+ self.select_combobox('ipaowner', 'admin')
|
||||||
|
+ self.dialog_button_click('add')
|
||||||
|
+ self.wait(0.3)
|
||||||
|
+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
|
||||||
|
+ text = self.get_text('.modal-body div p', err_dialog)
|
||||||
|
+ text = text.strip()
|
||||||
|
+ pattern = r'Subordinate id with with name .* already exists.'
|
||||||
|
+ assert re.search(pattern, text) is not None
|
||||||
|
+ self.close_all_dialogs()
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_user_subid_add(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that subid range is created for given user.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ before_count = self.get_rows()
|
||||||
|
+ self.facet_button_click('add')
|
||||||
|
+ self.select_combobox('ipaowner', user_data.PKEY2)
|
||||||
|
+ self.dialog_button_click('add')
|
||||||
|
+ self.wait(0.3)
|
||||||
|
+ self.assert_no_error_dialog()
|
||||||
|
+ after_count = self.get_rows()
|
||||||
|
+ assert len(before_count) < len(after_count)
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_subid_del(self):
|
||||||
|
+ """
|
||||||
|
+ Test to remove subordinate id for given user.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ user_uid = self.get_record_pkey("some-user", "ipaowner",
|
||||||
|
+ table_name="ipauniqueid")
|
||||||
|
+ before_count = self.get_rows()
|
||||||
|
+ self.delete_record(user_uid, table_name="ipauniqueid")
|
||||||
|
+ after_count = self.get_rows()
|
||||||
|
+ assert len(before_count) > len(after_count)
|
||||||
|
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
||||||
|
index 46fd512ae..77fd74e49 100644
|
||||||
|
--- a/ipatests/test_webui/ui_driver.py
|
||||||
|
+++ b/ipatests/test_webui/ui_driver.py
|
||||||
|
@@ -1151,6 +1151,34 @@ class UI_driver:
|
||||||
|
return row
|
||||||
|
return None
|
||||||
|
|
||||||
|
+ def get_row_by_column_value(self, key, column_name, parent=None,
|
||||||
|
+ table_name=None):
|
||||||
|
+ """
|
||||||
|
+ Get the first matched row element of a search table with given key
|
||||||
|
+ matched against selected column. None if not found
|
||||||
|
+ """
|
||||||
|
+ rows = self.get_rows(parent, table_name)
|
||||||
|
+ s = "td div[name='%s']" % column_name
|
||||||
|
+ for row in rows:
|
||||||
|
+ has = self.find(s, By.CSS_SELECTOR, row)
|
||||||
|
+ if has.text == key:
|
||||||
|
+ return row
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ def get_record_pkey(self, key, column, parent=None, table_name=None):
|
||||||
|
+ """
|
||||||
|
+ Get record pkey if value of column is known
|
||||||
|
+ """
|
||||||
|
+ row = self.get_row_by_column_value(key,
|
||||||
|
+ column_name=column,
|
||||||
|
+ parent=parent,
|
||||||
|
+ table_name=table_name)
|
||||||
|
+ val = None
|
||||||
|
+ if row:
|
||||||
|
+ el = self.find("td input", By.CSS_SELECTOR, row)
|
||||||
|
+ val = el.get_attribute("value")
|
||||||
|
+ return val
|
||||||
|
+
|
||||||
|
def navigate_to_row_record(self, row, pkey_column=None):
|
||||||
|
"""
|
||||||
|
Navigate to record by clicking on a link.
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Date: Fri, 7 Jan 2022 12:12:26 +0100
|
||||||
|
Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
|
||||||
|
configuration file
|
||||||
|
|
||||||
|
FullLoader class for YAML loader was introduced in version 5.1 which
|
||||||
|
also deprecated default loader. SafeLoader, however, stays consistent
|
||||||
|
across the versions and brings added security.
|
||||||
|
|
||||||
|
This fix is necessary as PyYAML > 5.1 is not available in downstream.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9009
|
||||||
|
|
||||||
|
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_webui/ui_driver.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
||||||
|
index 77fd74e49..519efee9b 100644
|
||||||
|
--- a/ipatests/test_webui/ui_driver.py
|
||||||
|
+++ b/ipatests/test_webui/ui_driver.py
|
||||||
|
@@ -192,7 +192,7 @@ class UI_driver:
|
||||||
|
if not NO_YAML and os.path.isfile(path):
|
||||||
|
try:
|
||||||
|
with open(path, 'r') as conf:
|
||||||
|
- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
|
||||||
|
+ cls.config = yaml.safe_load(stream=conf)
|
||||||
|
except yaml.YAMLError as e:
|
||||||
|
pytest.skip("Invalid Web UI config.\n%s" % e)
|
||||||
|
except IOError as e:
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 18 Nov 2021 18:43:22 +0530
|
||||||
|
Subject: [PATCH] PEP8 Fixes
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_replica_promotion.py | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
index 1a4e9bc12..c328b1a08 100644
|
||||||
|
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||||
|
assert res.returncode == 1
|
||||||
|
assert expected_err in res.stderr_text
|
||||||
|
|
||||||
|
-
|
||||||
|
@replicas_cleanup
|
||||||
|
def test_one_command_installation(self):
|
||||||
|
"""
|
||||||
|
@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||||
|
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
|
||||||
|
"freeipa-ldaps"])
|
||||||
|
self.replicas[0].run_command(['ipa-replica-install', '-w',
|
||||||
|
- self.master.config.admin_password,
|
||||||
|
- '-n', self.master.domain.name,
|
||||||
|
- '-r', self.master.domain.realm,
|
||||||
|
- '--server', self.master.hostname,
|
||||||
|
- '-U'])
|
||||||
|
+ self.master.config.admin_password,
|
||||||
|
+ '-n', self.master.domain.name,
|
||||||
|
+ '-r', self.master.domain.realm,
|
||||||
|
+ '--server', self.master.hostname,
|
||||||
|
+ '-U'])
|
||||||
|
# Ensure that pkinit is properly configured, test for 7566
|
||||||
|
result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
|
||||||
|
assert "PKINIT is enabled" in result.stdout_text
|
||||||
|
@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
|
||||||
|
result1 = client.run_command(['ipa-replica-install', '-U', '-w',
|
||||||
|
self.master.config.dirman_password],
|
||||||
|
raiseonerr=False)
|
||||||
|
- assert(result1.returncode == 0), (
|
||||||
|
+ assert (result1.returncode == 0), (
|
||||||
|
'Failed to promote the client installed with the upcase domain name')
|
||||||
|
|
||||||
|
def test_client_rollback(self):
|
||||||
|
@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
|
||||||
|
assert("An error occurred while removing SSSD" not in
|
||||||
|
result.stdout_text)
|
||||||
|
|
||||||
|
+
|
||||||
|
class TestRenewalMaster(IntegrationTest):
|
||||||
|
|
||||||
|
topology = 'star'
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 18 Nov 2021 18:36:58 +0530
|
||||||
|
Subject: [PATCH] Test cases for ipa-replica-conncheck command
|
||||||
|
|
||||||
|
Following test cases would be checked:
|
||||||
|
- when called with --principal (it should then prompt for a password)
|
||||||
|
- when called with --principal / --password
|
||||||
|
- when called without principal and password but with a kerberos TGT,
|
||||||
|
kinit admin done before calling ipa-replica-conncheck
|
||||||
|
- when called without principal and password, and without any kerberos
|
||||||
|
TGT (it should default to principal=admin and prompt for a password)
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/9047
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_replica_promotion.py | 70 +++++++++++++++++++
|
||||||
|
1 file changed, 70 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
index b9c56f775..1a4e9bc12 100644
|
||||||
|
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
|
||||||
|
self.assertCARenewalMaster(master, replica.hostname)
|
||||||
|
self.assertCARenewalMaster(replica, replica.hostname)
|
||||||
|
|
||||||
|
+ def test_replica_concheck(self):
|
||||||
|
+ """Test cases for ipa-replica-conncheck command
|
||||||
|
+
|
||||||
|
+ Following test cases would be checked:
|
||||||
|
+ - when called with --principal (it should then prompt for a password)
|
||||||
|
+ - when called with --principal / --password
|
||||||
|
+ - when called without principal and password but with a kerberos TGT,
|
||||||
|
+ kinit admin done before calling ipa-replica-conncheck
|
||||||
|
+ - when called without principal and password, and without any kerberos
|
||||||
|
+ TGT (it should default to principal=admin and prompt for a password)
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/9047
|
||||||
|
+ """
|
||||||
|
+ exp_str1 = "Connection from replica to master is OK."
|
||||||
|
+ exp_str2 = "Connection from master to replica is OK"
|
||||||
|
+ tasks.kdestroy_all(self.replicas[0])
|
||||||
|
+ # when called with --principal (it should then prompt for a password)
|
||||||
|
+ result = self.replicas[0].run_command(
|
||||||
|
+ ['ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm,
|
||||||
|
+ '-p', self.replicas[0].config.admin_name],
|
||||||
|
+ stdin_text=self.master.config.admin_password
|
||||||
|
+ )
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when called with --principal / --password
|
||||||
|
+ result = self.replicas[0].run_command([
|
||||||
|
+ 'ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm,
|
||||||
|
+ '-p', self.replicas[0].config.admin_name,
|
||||||
|
+ '-w', self.master.config.admin_password
|
||||||
|
+ ])
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when called without principal and password, and without
|
||||||
|
+ # any kerberos TGT, it should default to principal=admin
|
||||||
|
+ # and prompt for a password
|
||||||
|
+ result = self.replicas[0].run_command(
|
||||||
|
+ ['ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm],
|
||||||
|
+ stdin_text=self.master.config.admin_password
|
||||||
|
+ )
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when called without principal and password but with a kerberos TGT,
|
||||||
|
+ # kinit admin done before calling ipa-replica-conncheck
|
||||||
|
+ tasks.kinit_admin(self.replicas[0])
|
||||||
|
+ result = self.replicas[0].run_command(
|
||||||
|
+ ['ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm]
|
||||||
|
+ )
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+ tasks.kdestroy_all(self.replicas[0])
|
||||||
|
+
|
||||||
|
def test_automatic_renewal_master_transfer_ondelete(self):
|
||||||
|
# Test that after replica uninstallation, master overtakes the cert
|
||||||
|
# renewal master role from replica (which was previously set there)
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,30 +0,0 @@
|
|||||||
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 16 Jul 2021 09:20:33 +0300
|
|
||||||
Subject: [PATCH] rhel platform: add a named crypto-policy support
|
|
||||||
|
|
||||||
RHEL 8+ provides bind system-wide crypto policy support, enable it.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8925
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
ipaplatform/rhel/paths.py | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
|
|
||||||
index c081ada32..3631550eb 100644
|
|
||||||
--- a/ipaplatform/rhel/paths.py
|
|
||||||
+++ b/ipaplatform/rhel/paths.py
|
|
||||||
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
|
|
||||||
|
|
||||||
|
|
||||||
class RHELPathNamespace(RedHatPathNamespace):
|
|
||||||
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
|
|
||||||
if HAS_NFS_CONF:
|
|
||||||
SYSCONFIG_NFS = '/etc/nfs.conf'
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,53 +0,0 @@
|
|||||||
From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Mon, 30 Aug 2021 16:44:47 -0400
|
|
||||||
Subject: [PATCH] Catch and log errors when adding CA profiles
|
|
||||||
|
|
||||||
Rather than stopping the installer entirely, catch and report
|
|
||||||
errors adding new certificate profiles, and remove the
|
|
||||||
broken profile entry from LDAP so it may be re-added later.
|
|
||||||
|
|
||||||
It was discovered that installing a newer IPA that has the
|
|
||||||
ACME profile which requires sanToCNDefault will fail when
|
|
||||||
installing a new server against a very old one that lacks
|
|
||||||
this class.
|
|
||||||
|
|
||||||
Running ipa-server-upgrade post-install will add the profile
|
|
||||||
and generate the missing ipa-ca SAN record so that ACME
|
|
||||||
can work.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8974
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/cainstance.py | 13 +++++++++++--
|
|
||||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
||||||
index 9e842b33e..8c8bf1b3a 100644
|
|
||||||
--- a/ipaserver/install/cainstance.py
|
|
||||||
+++ b/ipaserver/install/cainstance.py
|
|
||||||
@@ -1973,8 +1973,17 @@ def import_included_profiles():
|
|
||||||
|
|
||||||
# Create the profile, replacing any existing profile of same name
|
|
||||||
profile_data = __get_profile_config(profile_id)
|
|
||||||
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
|
|
||||||
- logger.debug("Imported profile '%s'", profile_id)
|
|
||||||
+ try:
|
|
||||||
+ _create_dogtag_profile(profile_id, profile_data,
|
|
||||||
+ overwrite=True)
|
|
||||||
+ except errors.HTTPRequestError as e:
|
|
||||||
+ logger.warning("Failed to import profile '%s': %s. Running "
|
|
||||||
+ "ipa-server-upgrade when installation is "
|
|
||||||
+ "completed may resolve this issue.",
|
|
||||||
+ profile_id, e)
|
|
||||||
+ conn.delete_entry(entry)
|
|
||||||
+ else:
|
|
||||||
+ logger.debug("Imported profile '%s'", profile_id)
|
|
||||||
else:
|
|
||||||
logger.debug(
|
|
||||||
"Profile '%s' is already in LDAP; skipping", profile_id
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -0,0 +1,104 @@
|
|||||||
|
From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Fri, 28 Jan 2022 16:46:35 -0500
|
||||||
|
Subject: [PATCH] Don't always override the port in import_included_profiles
|
||||||
|
|
||||||
|
I can only guess to the original purpose of this override. I
|
||||||
|
believe it was because this is called in the installer prior
|
||||||
|
to Apache being set up. The expectation was that this would
|
||||||
|
only be called locally. It predates the RestClient class.
|
||||||
|
|
||||||
|
RestClient will attempt to find an available service. In this
|
||||||
|
case, during a CA installation, the local server is not
|
||||||
|
considered available because it lacks an entry in
|
||||||
|
cn=masters. So it will never be returned as an option.
|
||||||
|
|
||||||
|
So by overriding the port to 8443 the remote connection will
|
||||||
|
likely fail because we don't require that the port be open.
|
||||||
|
|
||||||
|
So instead, instantiate a RestClient and see what happens.
|
||||||
|
|
||||||
|
There are several use-cases:
|
||||||
|
|
||||||
|
1. Installing an initial server. The RestClient connection
|
||||||
|
should fail, so we will fall back to the override port and
|
||||||
|
use the local server. If Apache happens to be running with
|
||||||
|
a globally-issued certificate then the RestClient will
|
||||||
|
succeed. In this case if the connected host and the local
|
||||||
|
hostname are the same, override in that case as well.
|
||||||
|
|
||||||
|
2. Installing as a replica. In this case the local server should
|
||||||
|
be ignored in all cases and a remote CA will be picked with
|
||||||
|
no override done.
|
||||||
|
|
||||||
|
3. Switching from CA-less to CA-ful. The web server will be
|
||||||
|
trusted but the RestClient login will fail with a 404. Fall
|
||||||
|
back to the override port in this case.
|
||||||
|
|
||||||
|
The motivation for this is trying to install an EL 8.x replica
|
||||||
|
against an EL 7.9 server. 8.5+ includes the ACME service and
|
||||||
|
a new profile is needed which doesn't exist in 7. This was
|
||||||
|
failing because the RestClient determined that the local server
|
||||||
|
wasn't running a CA so tried the remote one (7.9) on the override
|
||||||
|
port 8443. Since this port isn't open: failure.
|
||||||
|
|
||||||
|
Chances are that adding the profile is still going to fail
|
||||||
|
because again, 7.9 lacks ACME capabilities, but it will fail in
|
||||||
|
a way that allows the installation to continue.
|
||||||
|
|
||||||
|
I suspect that all of the overrides can similarly handled, or
|
||||||
|
handled directly within the RestClient class, but for the sake
|
||||||
|
of "do no harm" I'm only changing this instance for now.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/9100
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 29 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
||||||
|
index 8c8bf1b3a..ad206aad4 100644
|
||||||
|
--- a/ipaserver/install/cainstance.py
|
||||||
|
+++ b/ipaserver/install/cainstance.py
|
||||||
|
@@ -1953,7 +1953,35 @@ def import_included_profiles():
|
||||||
|
cn=['certprofiles'],
|
||||||
|
)
|
||||||
|
|
||||||
|
- api.Backend.ra_certprofile.override_port = 8443
|
||||||
|
+ # At this point Apache may or may not be running with a valid
|
||||||
|
+ # certificate. The local server is not yet recognized as a full
|
||||||
|
+ # CA yet so it isn't discoverable. So try to do some detection
|
||||||
|
+ # on what port to use, 443 (remote) or 8443 (local) for importing
|
||||||
|
+ # the profiles.
|
||||||
|
+ #
|
||||||
|
+ # api.Backend.ra_certprofile invokes the RestClient class
|
||||||
|
+ # which will discover and login to the CA REST API. We can
|
||||||
|
+ # use this information to detect where to import the profiles.
|
||||||
|
+ #
|
||||||
|
+ # If the login is successful (e.g. doesn't raise an exception)
|
||||||
|
+ # and it returns our hostname (it prefers the local host) then
|
||||||
|
+ # we override and talk locally.
|
||||||
|
+ #
|
||||||
|
+ # Otherwise a NetworkError means we can't connect on 443 (perhaps
|
||||||
|
+ # a firewall) or we get an HTTP error (valid TLS certificate on
|
||||||
|
+ # Apache but no CA, login fails with 404) so we override to the
|
||||||
|
+ # local server.
|
||||||
|
+ #
|
||||||
|
+ # When override port was always set to 8443 the RestClient could
|
||||||
|
+ # pick a remote server and since 8443 isn't in our firewall profile
|
||||||
|
+ # setting up a new server would fail.
|
||||||
|
+ try:
|
||||||
|
+ with api.Backend.ra_certprofile as profile_api:
|
||||||
|
+ if profile_api.ca_host == api.env.host:
|
||||||
|
+ api.Backend.ra_certprofile.override_port = 8443
|
||||||
|
+ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
|
||||||
|
+ logger.debug('Overriding CA port: %s', e)
|
||||||
|
+ api.Backend.ra_certprofile.override_port = 8443
|
||||||
|
|
||||||
|
for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
|
||||||
|
dn = DN(('cn', profile_id),
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
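Review bot: Any exception from the new probe other than errors.NetworkError or errors.RemoteRetrieveError now propagates out of import_included_profiles and aborts the installer, a failure mode the old unconditional override did not have; the comment above the try only lists those two causes, so a login that fails for another reason would surface as a crash instead of falling back to the local CA. If the intent is "use the local CA whenever discovery does not clearly succeed", catch the wider base class in the except, `except errors.PublicError as e:` (NetworkError and RemoteRetrieveError both derive from it), keeping the debug log; if other errors are meant to be fatal, say so in the comment, e.g. `# any other error is a genuine failure and aborts the install`. The comparison `profile_api.ca_host == api.env.host` is an exact string match, so a ca_host that differs only in case would be treated as remote — worth confirming that both values are normalised the same way. import_included_profiles starts and ends outside this hunk.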
@ -0,0 +1,115 @@
|
|||||||
|
From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Mon, 31 Jan 2022 17:31:50 -0500
|
||||||
|
Subject: [PATCH] Remove ipa-join errors from behind the debug option
|
||||||
|
|
||||||
|
This brings it inline with the previous XML-RPC output which
|
||||||
|
only hid the request and response from the output and not
|
||||||
|
any errors returned.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/9103
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
|
||||||
|
---
|
||||||
|
client/ipa-join.c | 27 +++++++++------------------
|
||||||
|
1 file changed, 9 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/client/ipa-join.c b/client/ipa-join.c
|
||||||
|
index d98739a9a..5888a33bf 100644
|
||||||
|
--- a/client/ipa-join.c
|
||||||
|
+++ b/client/ipa-join.c
|
||||||
|
@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
||||||
|
|
||||||
|
json_str = json_dumps(json, 0);
|
||||||
|
if (!json_str) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("json_dumps() failed\n"));
|
||||||
|
+ fprintf(stderr, _("json_dumps() failed\n"));
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
||||||
|
CURLcode res = curl_easy_perform(curl);
|
||||||
|
if (res != CURLE_OK)
|
||||||
|
{
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
|
||||||
|
+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
||||||
|
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
|
||||||
|
|
||||||
|
if (resp_code != 200) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
|
||||||
|
+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
|
||||||
|
|
||||||
|
if (!quiet && resp_code == 401)
|
||||||
|
fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
|
||||||
|
@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
|
||||||
|
|
||||||
|
j_root = json_loads(payload, 0, &j_error);
|
||||||
|
if (!j_root) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
|
||||||
|
|
||||||
|
*j_result_obj = json_object_get(j_root, "result");
|
||||||
|
if (!*j_result_obj) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
|
||||||
|
+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
|
||||||
|
&tmp_hostdn,
|
||||||
|
"krbprincipalname", &tmp_princ,
|
||||||
|
"krblastpwdchange", &tmp_pwdch) != 0) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
|
||||||
|
"nshardwareplatform", uinfo.machine);
|
||||||
|
|
||||||
|
if (!json_req) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
|
||||||
|
|
||||||
|
if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
|
||||||
|
"result", result) != 0) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 20;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
|
||||||
|
host);
|
||||||
|
|
||||||
|
if (!json_req) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Mon, 30 Aug 2021 18:40:24 +0200
|
|
||||||
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
|
|
||||||
|
|
||||||
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
|
|
||||||
|
|
||||||
According to gcrypt manual
|
|
||||||
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
|
|
||||||
/proc/cpuinfo is used on ARM architecture to read the hardware
|
|
||||||
capabilities of the CPU. This explains why the issue happens only
|
|
||||||
on aarch64.
|
|
||||||
|
|
||||||
audit2allow suggests to add the following:
|
|
||||||
allow ipa_custodia_t proc_t:file { getattr open read };
|
|
||||||
|
|
||||||
but this policy would be too broad. Instead, the patch is using
|
|
||||||
the interface kernel_read_system_state.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8972
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
||||||
---
|
|
||||||
selinux/ipa.te | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
||||||
index 68e109419..7492fca04 100644
|
|
||||||
--- a/selinux/ipa.te
|
|
||||||
+++ b/selinux/ipa.te
|
|
||||||
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
|
||||||
|
|
||||||
kernel_dgram_send(ipa_custodia_t)
|
|
||||||
kernel_read_network_state(ipa_custodia_t)
|
|
||||||
+kernel_read_system_state(ipa_custodia_t)
|
|
||||||
|
|
||||||
auth_read_passwd(ipa_custodia_t)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -0,0 +1,118 @@
|
|||||||
|
From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Mon, 7 Feb 2022 10:39:55 -0500
|
||||||
|
Subject: [PATCH] Enable the ccache sweep timer during installation
|
||||||
|
|
||||||
|
The timer was only being enabled during package installation
|
||||||
|
if IPA was configured. So effectively only on upgrade.
|
||||||
|
|
||||||
|
Add as a separate installation step after the ccache directory
|
||||||
|
is configured.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9107
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/httpinstance.py | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
||||||
|
index 732bb58d4..50ccf5e50 100644
|
||||||
|
--- a/ipaserver/install/httpinstance.py
|
||||||
|
+++ b/ipaserver/install/httpinstance.py
|
||||||
|
@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
|
||||||
|
self.step("publish CA cert", self.__publish_ca_cert)
|
||||||
|
self.step("clean up any existing httpd ccaches",
|
||||||
|
self.remove_httpd_ccaches)
|
||||||
|
+ self.step("enable ccache sweep",
|
||||||
|
+ self.enable_ccache_sweep)
|
||||||
|
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
|
||||||
|
if not self.is_kdcproxy_configured():
|
||||||
|
self.step("create KDC proxy config", self.create_kdcproxy_conf)
|
||||||
|
@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
|
||||||
|
[paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
|
||||||
|
)
|
||||||
|
|
||||||
|
+ def enable_ccache_sweep(self):
|
||||||
|
+ ipautil.run(
|
||||||
|
+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
def __configure_http(self):
|
||||||
|
self.update_httpd_service_ipa_conf()
|
||||||
|
self.update_httpd_wsgi_conf()
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Wed, 9 Feb 2022 18:56:21 +0530
|
||||||
|
Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
|
||||||
|
installation
|
||||||
|
|
||||||
|
This test checks that ipa-ccache-sweep.timer is enabled by default
|
||||||
|
during the ipa installation.
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/9107
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_installation.py | 19 +++++++++++++++++--
|
||||||
|
1 file changed, 17 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index f2d372c0c..63edbaa2b 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
|
||||||
|
|
||||||
|
# Tweak sysrestore.state to drop installation section
|
||||||
|
self.master.run_command(
|
||||||
|
- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
|
||||||
|
+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
|
||||||
|
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
||||||
|
|
||||||
|
# Re-run installation check and it should fall back to old method
|
||||||
|
@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
|
||||||
|
|
||||||
|
# Restore installation section.
|
||||||
|
self.master.run_command(
|
||||||
|
- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
|
||||||
|
+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
|
||||||
|
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
||||||
|
|
||||||
|
# Uninstall and confirm that the old method reports correctly
|
||||||
|
@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
|
||||||
|
break
|
||||||
|
return(pid)
|
||||||
|
|
||||||
|
+
|
||||||
|
def get_ipa_services_pids(host):
|
||||||
|
ipa_services_name = [
|
||||||
|
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
|
||||||
|
@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
|
||||||
|
def test_install_master(self):
|
||||||
|
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
|
||||||
|
|
||||||
|
+ def test_ipa_ccache_sweep_timer_enabled(self):
|
||||||
|
+ """Test ipa-ccache-sweep.timer enabled by default during installation
|
||||||
|
+
|
||||||
|
+ This test checks that ipa-ccache-sweep.timer is enabled by default
|
||||||
|
+ during the ipa installation.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/9107
|
||||||
|
+ """
|
||||||
|
+ result = self.master.run_command(
|
||||||
|
+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
|
||||||
|
+ raiseonerr=False
|
||||||
|
+ )
|
||||||
|
+ assert 'enabled' in result.stdout_text
|
||||||
|
+
|
||||||
|
def test_install_dns(self):
|
||||||
|
tasks.install_dns(self.master)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
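Review bot: `enable_ccache_sweep` runs `systemctl enable` alone, which only registers `ipa-ccache-sweep.timer` for the next boot; unless a later installer step starts it (not visible in this section), no sweep runs on a freshly installed server until reboot, so `[paths.SYSTEMCTL, 'enable', '--now', 'ipa-ccache-sweep.timer']` may be what is intended. The new method also has no docstring; a one-liner such as `"""Enable the ipa-ccache-sweep systemd timer."""` would document the step. In the accompanying test, `assert 'enabled' in result.stdout_text` is a substring match; `result.stdout_text.strip() == 'enabled'` pins the unit state exactly. The `HTTPInstance` class enclosing both httpinstance.py hunks starts outside this section.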
@ -1,46 +0,0 @@
|
|||||||
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 25 Aug 2021 17:10:29 +0200
|
|
||||||
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
|
|
||||||
|
|
||||||
If a client sends a request to lookup an object from a given trusted
|
|
||||||
domain by UID or GID and an object with matching ID is only found in a
|
|
||||||
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
|
|
||||||
indicate to the client that the requested ID does not exists in the
|
|
||||||
given domain.
|
|
||||||
|
|
||||||
Resolves: https://pagure.io/freeipa/issue/8965
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
|
|
||||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
||||||
index 5d97ff613..6f646b9f4 100644
|
|
||||||
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
||||||
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
||||||
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
|
|
||||||
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
|
||||||
locat[0] = '\0';
|
|
||||||
} else {
|
|
||||||
- ret = LDAP_INVALID_SYNTAX;
|
|
||||||
+ /* The found object is from a different domain than requested,
|
|
||||||
+ * that means it does not exist in the requested domain */
|
|
||||||
+ ret = LDAP_NO_SUCH_OBJECT;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
|
|
||||||
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
|
||||||
locat[0] = '\0';
|
|
||||||
} else {
|
|
||||||
- ret = LDAP_INVALID_SYNTAX;
|
|
||||||
+ /* The found object is from a different domain than requested,
|
|
||||||
+ * that means it does not exist in the requested domain */
|
|
||||||
+ ret = LDAP_NO_SUCH_OBJECT;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Thu, 10 Feb 2022 18:49:06 +0530
|
||||||
|
Subject: [PATCH] ipatests: remove additional check for failed units.
|
||||||
|
|
||||||
|
On RHEL tests are randomly failing because of this check
|
||||||
|
and the test doesn't need to check this.
|
||||||
|
|
||||||
|
Related : https://pagure.io/freeipa/issue/9108
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_otp.py | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||||
|
index d8ce527ca..6e70ddcb3 100644
|
||||||
|
--- a/ipatests/test_integration/test_otp.py
|
||||||
|
+++ b/ipatests/test_integration/test_otp.py
|
||||||
|
@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
|
||||||
|
check_services = self.master.run_command(
|
||||||
|
['systemctl', 'list-units', '--state=failed']
|
||||||
|
)
|
||||||
|
- assert "0 loaded units listed" in check_services.stdout_text
|
||||||
|
assert "ipa-otpd" not in check_services.stdout_text
|
||||||
|
# Be sure no services are running and failed units
|
||||||
|
self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Tue, 7 Sep 2021 17:06:53 +0200
|
|
||||||
Subject: [PATCH] migrate-ds: workaround to detect compat tree
|
|
||||||
|
|
||||||
Migrate-ds needs to check if compat tree is enabled before
|
|
||||||
migrating users and groups. The check is doing a base
|
|
||||||
search on cn=compat,$SUFFIX and considers the compat tree
|
|
||||||
enabled when the entry exists.
|
|
||||||
|
|
||||||
Due to a bug in slapi-nis, the base search may return NotFound
|
|
||||||
even though the compat tree is enabled. The workaround is to
|
|
||||||
perform a base search on cn=users,cn=compat,$SUFFIX instead.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8984
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/plugins/migration.py | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
|
|
||||||
index db5241915..6ee205fc8 100644
|
|
||||||
--- a/ipaserver/plugins/migration.py
|
|
||||||
+++ b/ipaserver/plugins/migration.py
|
|
||||||
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
|
|
||||||
# check whether the compat plugin is enabled
|
|
||||||
if not options.get('compat'):
|
|
||||||
try:
|
|
||||||
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
|
|
||||||
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
|
|
||||||
+ (api.env.basedn)))
|
|
||||||
return dict(result={}, failed={}, enabled=True, compat=False)
|
|
||||||
except errors.NotFound:
|
|
||||||
pass
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,89 +0,0 @@
|
|||||||
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Thu, 5 Aug 2021 20:03:21 +0530
|
|
||||||
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
|
|
||||||
tree.
|
|
||||||
|
|
||||||
Added test to verify that ldapsearch for compat tree
|
|
||||||
with scope base and sub is not failing.
|
|
||||||
|
|
||||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_commands.py | 13 +++++++++++++
|
|
||||||
1 file changed, 13 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
|
||||||
index 2035ced56..e3a0d867e 100644
|
|
||||||
--- a/ipatests/test_integration/test_commands.py
|
|
||||||
+++ b/ipatests/test_integration/test_commands.py
|
|
||||||
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
|
|
||||||
# Run the command again after cache is removed
|
|
||||||
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
|
|
||||||
|
|
||||||
+ def test_basesearch_compat_tree(self):
|
|
||||||
+ """Test ldapsearch against compat tree is working
|
|
||||||
+
|
|
||||||
+ This to ensure that ldapsearch with base scope is not failing.
|
|
||||||
+
|
|
||||||
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
|
||||||
+ """
|
|
||||||
+ tasks.kinit_admin(self.master)
|
|
||||||
+ base_dn = str(self.master.domain.basedn)
|
|
||||||
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
|
|
||||||
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
|
|
||||||
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
|
|
||||||
+
|
|
||||||
|
|
||||||
class TestIPAautomount(IntegrationTest):
|
|
||||||
@classmethod
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
||||||
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Thu, 5 Aug 2021 20:23:15 +0530
|
|
||||||
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
|
|
||||||
|
|
||||||
slapi-nis with fix is not part of fedora yet.
|
|
||||||
test requires with fix:
|
|
||||||
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_commands.py | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
|
||||||
index e3a0d867e..4d9a81652 100644
|
|
||||||
--- a/ipatests/test_integration/test_commands.py
|
|
||||||
+++ b/ipatests/test_integration/test_commands.py
|
|
||||||
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
|
|
||||||
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
|
|
||||||
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
|
|
||||||
from ipaserver.install.installutils import realm_to_serverid
|
|
||||||
+from pkg_resources import parse_version
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
|
|
||||||
|
|
||||||
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
|
||||||
"""
|
|
||||||
+ version = self.master.run_command(
|
|
||||||
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
|
|
||||||
+ )
|
|
||||||
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
|
|
||||||
+ version.stdout_text) <= parse_version("0.56.7"):
|
|
||||||
+ pytest.skip("Test requires slapi-nis with fix on fedora")
|
|
||||||
tasks.kinit_admin(self.master)
|
|
||||||
base_dn = str(self.master.domain.basedn)
|
|
||||||
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
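--- a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
+++ b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
@@ -0,0 +1,38 @@
+From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
+From: Francisco Trivino <ftrivino@redhat.com>
+Date: Thu, 10 Feb 2022 14:23:12 +0100
+Subject: [PATCH] ipa_cldap: fix memory leak
+
+ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
+berval (bv_val) when processing a CLDAP packet request from a worker. The
+data is used by ipa_cldap_respond() but bv_val is not freed later on.
+
+This commit is adding the corresponding free() after ipa_cldap_respond()
+is completed.
+
+Discovered by LeakSanitizer
+
+Fixes: https://pagure.io/freeipa/issue/9110
+Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
+---
+daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+index db4a3d061..252bcf647 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+@@ -287,6 +287,7 @@ done:
+ipa_cldap_respond(ctx, req, &reply);
+
+ipa_cldap_free_kvps(&req->kvps);
++    free(reply.bv_val);
+free(req);
+return;
+}
+--
+2.34.1
+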
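Review bot: The added `free(reply.bv_val)` is correct only if `reply` is initialized so that `bv_val` is NULL on every path that reaches `done:` before `ipa_cldap_encode_netlogon()` allocates it; the declaration and the early-exit paths are outside this hunk, so please confirm it is declared as `struct berval reply = { 0, NULL };` (or otherwise zeroed) rather than left uninitialized. It also relies on `ipa_cldap_respond()` neither freeing nor taking ownership of `bv_val`, which the commit message asserts but the hunk cannot show. A short comment above the free, `/* bv_val is allocated by ipa_cldap_encode_netlogon(); ipa_cldap_respond() only borrows it */`, would make the ownership explicit for the next reader.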
@ -1,162 +0,0 @@
|
|||||||
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anuja More <amore@redhat.com>
|
|
||||||
Date: Mon, 9 Aug 2021 20:57:22 +0530
|
|
||||||
Subject: [PATCH] ipatests: Test unsecure nsupdate.
|
|
||||||
|
|
||||||
The test configures an external bind server on the ipa-server
|
|
||||||
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
|
|
||||||
|
|
||||||
When the IPA client is registered using ipa-client-install,
|
|
||||||
DNS records are added for the client in the bind server using nsupdate.
|
|
||||||
The first try is using GSS-TIG but fails as expected, and the client
|
|
||||||
installer then tries with unauthenticated nsupdate.
|
|
||||||
|
|
||||||
Related : https://pagure.io/freeipa/issue/8402
|
|
||||||
|
|
||||||
Signed-off-by: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_installation_client.py | 118 ++++++++++++++++++
|
|
||||||
1 file changed, 118 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
|
|
||||||
index fa59a5255..014b0f6ab 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation_client.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation_client.py
|
|
||||||
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
|
|
||||||
|
|
||||||
from __future__ import absolute_import
|
|
||||||
|
|
||||||
+import pytest
|
|
||||||
+import re
|
|
||||||
import shlex
|
|
||||||
+import textwrap
|
|
||||||
|
|
||||||
+from ipaplatform.paths import paths
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
|
||||||
+from ipatests.pytest_ipa.integration.firewall import Firewall
|
|
||||||
|
|
||||||
|
|
||||||
class TestInstallClient(IntegrationTest):
|
|
||||||
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
|
|
||||||
extra_args=['--ssh-trust-dns'])
|
|
||||||
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
|
|
||||||
assert 'HostKeyAlgorithms' not in result.stdout_text
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestClientInstallBind(IntegrationTest):
|
|
||||||
+ """
|
|
||||||
+ The test configures an external bind server on the ipa-server
|
|
||||||
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
|
|
||||||
+ When the IPA client is registered using ipa-client-install,
|
|
||||||
+ DNS records are added for the client in the bind server using nsupdate.
|
|
||||||
+ The first try is using GSS-TIG but fails as expected, and the client
|
|
||||||
+ installer then tries with unauthenticated nsupdate.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ num_clients = 1
|
|
||||||
+
|
|
||||||
+ @classmethod
|
|
||||||
+ def install(cls, mh):
|
|
||||||
+ cls.client = cls.clients[0]
|
|
||||||
+
|
|
||||||
+ @pytest.fixture
|
|
||||||
+ def setup_bindserver(self):
|
|
||||||
+ bindserver = self.master
|
|
||||||
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
|
|
||||||
+ # create a zone in the BIND server that is identical to the IPA
|
|
||||||
+ add_zone = textwrap.dedent("""
|
|
||||||
+ zone "{domain}" IN {{ type master;
|
|
||||||
+ file "{domain}.db"; allow-query {{ any; }};
|
|
||||||
+ allow-update {{ any; }}; }};
|
|
||||||
+ """).format(domain=bindserver.domain.name)
|
|
||||||
+
|
|
||||||
+ namedcfg = bindserver.get_file_contents(
|
|
||||||
+ paths.NAMED_CONF, encoding='utf-8')
|
|
||||||
+ namedcfg += '\n' + add_zone
|
|
||||||
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
|
|
||||||
+
|
|
||||||
+ def update_contents(path, pattern, replace):
|
|
||||||
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
|
|
||||||
+ namedcfg_query = re.sub(pattern, replace, contents)
|
|
||||||
+ bindserver.put_file_contents(path, namedcfg_query)
|
|
||||||
+
|
|
||||||
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
|
|
||||||
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
|
|
||||||
+ "#listen-on port 53 { 127.0.0.1; };")
|
|
||||||
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
|
|
||||||
+ "#listen-on-v6 port 53 { ::1; };")
|
|
||||||
+
|
|
||||||
+ add_records = textwrap.dedent("""
|
|
||||||
+ @ IN SOA {fqdn}. root.{domain}. (
|
|
||||||
+ 1001 ;Serial
|
|
||||||
+ 3H ;Refresh
|
|
||||||
+ 15M ;Retry
|
|
||||||
+ 1W ;Expire
|
|
||||||
+ 1D ;Minimum 1D
|
|
||||||
+ )
|
|
||||||
+ @ IN NS {fqdn}.
|
|
||||||
+ ns1 IN A {bindserverip}
|
|
||||||
+ _kerberos.{domain}. IN TXT {zoneupper}
|
|
||||||
+ {fqdn}. IN A {bindserverip}
|
|
||||||
+ ipa-ca.{domain}. IN A {bindserverip}
|
|
||||||
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
|
|
||||||
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
|
|
||||||
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
|
|
||||||
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
|
|
||||||
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
|
|
||||||
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
|
|
||||||
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
|
|
||||||
+ """).format(
|
|
||||||
+ fqdn=bindserver.hostname,
|
|
||||||
+ domain=bindserver.domain.name,
|
|
||||||
+ bindserverip=bindserver.ip,
|
|
||||||
+ zoneupper=bindserver.domain.name.upper()
|
|
||||||
+ )
|
|
||||||
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
|
|
||||||
+ bindserver.put_file_contents(bindserverdb, add_records)
|
|
||||||
+ bindserver.run_command(['systemctl', 'start', 'named'])
|
|
||||||
+ Firewall(bindserver).enable_services(["dns"])
|
|
||||||
+ yield
|
|
||||||
+ named_conf_backup.restore()
|
|
||||||
+ bindserver.run_command(['rm', '-rf', bindserverdb])
|
|
||||||
+
|
|
||||||
+ def test_client_nsupdate(self, setup_bindserver):
|
|
||||||
+ """Test secure nsupdate failed, then try unsecure nsupdate..
|
|
||||||
+
|
|
||||||
+ Test to verify when bind is configured with dynamic update policy,
|
|
||||||
+ and during client-install 'nsupdate -g' fails then it should run with
|
|
||||||
+ second call using unauthenticated nsupdate.
|
|
||||||
+
|
|
||||||
+ Related : https://pagure.io/freeipa/issue/8402
|
|
||||||
+ """
|
|
||||||
+ # with pre-configured bind server, install ipa-server without dns.
|
|
||||||
+ tasks.install_master(self.master, setup_dns=False)
|
|
||||||
+ self.client.resolver.backup()
|
|
||||||
+ self.client.resolver.setup_resolver(
|
|
||||||
+ self.master.ip, self.master.domain.name)
|
|
||||||
+ try:
|
|
||||||
+ self.client.run_command(['ipa-client-install', '-U',
|
|
||||||
+ '--domain', self.client.domain.name,
|
|
||||||
+ '--realm', self.client.domain.realm,
|
|
||||||
+ '-p', self.client.config.admin_name,
|
|
||||||
+ '-w', self.client.config.admin_password,
|
|
||||||
+ '--server', self.master.hostname])
|
|
||||||
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
|
|
||||||
+ str1 = "nsupdate (GSS-TSIG) failed"
|
|
||||||
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
|
|
||||||
+ client_log = self.client.get_file_contents(
|
|
||||||
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
|
|
||||||
+ )
|
|
||||||
+ assert str1 in client_log and str2 in client_log
|
|
||||||
+ dig_after = self.client.run_command(
|
|
||||||
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
|
|
||||||
+ '-t', 'SSHFP'])
|
|
||||||
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
|
|
||||||
+ finally:
|
|
||||||
+ self.client.resolver.restore()
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -0,0 +1,40 @@
|
|||||||
|
From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Sun, 5 Dec 2021 17:38:58 +0100
|
||||||
|
Subject: [PATCH] ipatests: fix
|
||||||
|
TestOTPToken::test_check_otpd_after_idle_timeout
|
||||||
|
|
||||||
|
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
|
||||||
|
kinit with an otp token (which makes ipa-otpd create a LDAP
|
||||||
|
connection), then sleeps for 60s. The expectation is that
|
||||||
|
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
|
||||||
|
and close the connection.
|
||||||
|
According to 389ds doc, the idle timeout is enforced when the
|
||||||
|
connection table is walked. By doing a ldapsearch, the test
|
||||||
|
"wakes up" ns-slapd and forces the detection of ipa-otpd
|
||||||
|
idle connection.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9044
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_otp.py | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||||
|
index 353470897..d8ce527ca 100644
|
||||||
|
--- a/ipatests/test_integration/test_otp.py
|
||||||
|
+++ b/ipatests/test_integration/test_otp.py
|
||||||
|
@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
|
||||||
|
otpvalue = totp.generate(int(time.time())).decode("ascii")
|
||||||
|
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
|
||||||
|
time.sleep(60)
|
||||||
|
+ # ldapsearch will wake up slapd and force walking through
|
||||||
|
+ # the connection list, in order to spot the idle connections
|
||||||
|
+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
|
||||||
|
|
||||||
|
def test_cb(cmd_jornalctl):
|
||||||
|
# check if LDAP connection is timed out
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,407 @@
|
|||||||
|
From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Mon, 17 Jan 2022 16:57:52 +0530
|
||||||
|
Subject: [PATCH] ipatests: Tests for Autoprivate group.
|
||||||
|
|
||||||
|
Added tests using posix AD trust and non posix AD trust.
|
||||||
|
For option --auto-private-groups=[hybrid/true/false]
|
||||||
|
|
||||||
|
Related : https://pagure.io/freeipa/issue/8807
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
.../nightly_ipa-4-9_latest.yaml | 2 +-
|
||||||
|
.../nightly_ipa-4-9_latest_selinux.yaml | 2 +-
|
||||||
|
.../nightly_ipa-4-9_previous.yaml | 2 +-
|
||||||
|
ipatests/test_integration/test_trust.py | 242 +++++++++++++++++-
|
||||||
|
4 files changed, 240 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
index 6817421b2..8b1f58c4d 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||||
|
@@ -1627,7 +1627,7 @@ jobs:
|
||||||
|
build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||||
|
test_suite: test_integration/test_trust.py
|
||||||
|
template: *ci-ipa-4-9-latest
|
||||||
|
- timeout: 9000
|
||||||
|
+ timeout: 10000
|
||||||
|
topology: *adroot_adchild_adtree_master_1client
|
||||||
|
|
||||||
|
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
index 817329756..a11376ab8 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||||
|
@@ -1743,7 +1743,7 @@ jobs:
|
||||||
|
selinux_enforcing: True
|
||||||
|
test_suite: test_integration/test_trust.py
|
||||||
|
template: *ci-ipa-4-9-latest
|
||||||
|
- timeout: 9000
|
||||||
|
+ timeout: 10000
|
||||||
|
topology: *adroot_adchild_adtree_master_1client
|
||||||
|
|
||||||
|
fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
|
||||||
|
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
index 4196265c7..3f8ce8b76 100644
|
||||||
|
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||||
|
@@ -1627,7 +1627,7 @@ jobs:
|
||||||
|
build_url: '{fedora-previous-ipa-4-9/build_url}'
|
||||||
|
test_suite: test_integration/test_trust.py
|
||||||
|
template: *ci-ipa-4-9-previous
|
||||||
|
- timeout: 9000
|
||||||
|
+ timeout: 10000
|
||||||
|
topology: *adroot_adchild_adtree_master_1client
|
||||||
|
|
||||||
|
fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust:
|
||||||
|
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||||
|
index 0634badbb..ff2dd9cc8 100644
|
||||||
|
--- a/ipatests/test_integration/test_trust.py
|
||||||
|
+++ b/ipatests/test_integration/test_trust.py
|
||||||
|
@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest):
|
||||||
|
cls.check_sid_generation()
|
||||||
|
tasks.sync_time(cls.master, cls.ad)
|
||||||
|
|
||||||
|
- cls.child_ad = cls.ad_subdomains[0]
|
||||||
|
- cls.ad_subdomain = cls.child_ad.domain.name
|
||||||
|
- cls.tree_ad = cls.ad_treedomains[0]
|
||||||
|
- cls.ad_treedomain = cls.tree_ad.domain.name
|
||||||
|
-
|
||||||
|
+ if cls.num_ad_subdomains > 0:
|
||||||
|
+ cls.child_ad = cls.ad_subdomains[0]
|
||||||
|
+ cls.ad_subdomain = cls.child_ad.domain.name
|
||||||
|
+ if cls.num_ad_treedomains > 0:
|
||||||
|
+ cls.tree_ad = cls.ad_treedomains[0]
|
||||||
|
+ cls.ad_treedomain = cls.tree_ad.domain.name
|
||||||
|
# values used in workaround for
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1711958
|
||||||
|
cls.srv_gc_record_name = \
|
||||||
|
@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest):
|
||||||
|
expected_text = 'iparangetype: %s\n' % expected_type
|
||||||
|
assert expected_text in result.stdout_text
|
||||||
|
|
||||||
|
+ def mod_idrange_auto_private_group(
|
||||||
|
+ self, option='false'
|
||||||
|
+ ):
|
||||||
|
+ """
|
||||||
|
+ Set the auto-private-group option of the default trusted
|
||||||
|
+ AD domain range.
|
||||||
|
+ """
|
||||||
|
+ tasks.kinit_admin(self.master)
|
||||||
|
+ rangename = self.ad_domain.upper() + '_id_range'
|
||||||
|
+ error_msg = "ipa: ERROR: no modifications to be performed"
|
||||||
|
+ cmd = ["ipa", "idrange-mod", rangename,
|
||||||
|
+ "--auto-private-groups", option]
|
||||||
|
+ result = self.master.run_command(cmd, raiseonerr=False)
|
||||||
|
+ if result.returncode != 0:
|
||||||
|
+ tasks.assert_error(result, error_msg)
|
||||||
|
+ tasks.clear_sssd_cache(self.master)
|
||||||
|
+ tasks.clear_sssd_cache(self.clients[0])
|
||||||
|
+ test = self.master.run_command(["ipa", "idrange-show", rangename])
|
||||||
|
+ assert "Auto private groups: {0}".format(option) in test.stdout_text
|
||||||
|
+
|
||||||
|
+ def get_user_id(self, host, username):
|
||||||
|
+ """
|
||||||
|
+ User uid gid is parsed from the output of id user command.
|
||||||
|
+ """
|
||||||
|
+ tasks.clear_sssd_cache(self.master)
|
||||||
|
+ tasks.clear_sssd_cache(self.clients[0])
|
||||||
|
+ self.master.run_command(["id", username])
|
||||||
|
+ test_id = host.run_command(["id", username])
|
||||||
|
+ regex = r"^uid=(?P<uid>\d+).*gid=(?P<gid>\d+).*groups=(?P<groups>\d+)"
|
||||||
|
+ match = re.match(regex, test_id.stdout_text)
|
||||||
|
+ uid = match.group('uid')
|
||||||
|
+ gid = match.group('gid')
|
||||||
|
+ return uid, gid
|
||||||
|
+
|
||||||
|
+ @contextmanager
|
||||||
|
+ def set_idoverrideuser(self, user, uid, gid):
|
||||||
|
+ """
|
||||||
|
+ Fixture to add/remove idoverrideuser for default idview,
|
||||||
|
+ also creates idm group with the provided gid because
|
||||||
|
+ gid overrides requires an existing group.
|
||||||
|
+ """
|
||||||
|
+ tasks.clear_sssd_cache(self.master)
|
||||||
|
+ tasks.clear_sssd_cache(self.clients[0])
|
||||||
|
+ tasks.kinit_admin(self.master)
|
||||||
|
+ try:
|
||||||
|
+ args = ["ipa", "idoverrideuser-add", "Default Trust View",
|
||||||
|
+ "--gid", gid, "--uid", uid, user]
|
||||||
|
+ self.master.run_command(args)
|
||||||
|
+ tasks.group_add(self.master, "idgroup",
|
||||||
|
+ extra_args=["--gid", gid])
|
||||||
|
+ yield
|
||||||
|
+ finally:
|
||||||
|
+ self.master.run_command([
|
||||||
|
+ "ipa", "idoverrideuser-del", "Default Trust View", user]
|
||||||
|
+ )
|
||||||
|
+ self.master.run_command(["ipa", "group-del", "idgroup"])
|
||||||
|
+
|
||||||
|
def remove_trust(self, ad):
|
||||||
|
tasks.remove_trust_with_ad(self.master,
|
||||||
|
ad.domain.name, ad.hostname)
|
||||||
|
@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust):
|
||||||
|
self.master.run_command(['rm', '-f', ad_zone_file])
|
||||||
|
tasks.configure_dns_for_trust(self.master, self.ad)
|
||||||
|
self.remove_trust(self.ad)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||||
|
+ """
|
||||||
|
+ Tests for auto-private-groups option with non posix AD trust
|
||||||
|
+ Related : https://pagure.io/freeipa/issue/8807
|
||||||
|
+ """
|
||||||
|
+ topology = 'line'
|
||||||
|
+ num_ad_domains = 1
|
||||||
|
+ num_clients = 1
|
||||||
|
+ num_ad_subdomains = 0
|
||||||
|
+ num_ad_treedomains = 0
|
||||||
|
+ uid_override = "99999999"
|
||||||
|
+ gid_override = "78878787"
|
||||||
|
+
|
||||||
|
+ def test_add_nonposix_trust(self):
|
||||||
|
+ tasks.configure_dns_for_trust(self.master, self.ad)
|
||||||
|
+ tasks.establish_trust_with_ad(
|
||||||
|
+ self.master, self.ad_domain,
|
||||||
|
+ extra_args=['--range-type', 'ipa-ad-trust'])
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_auto_private_groups_default_trusted_range(self, type):
|
||||||
|
+ """
|
||||||
|
+ Modify existing range for default trusted AD domain range
|
||||||
|
+ with auto-private-groups set as true/hybrid/false and test
|
||||||
|
+ user with no posix attributes.
|
||||||
|
+ """
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
||||||
|
+ if type == "true":
|
||||||
|
+ assert uid == gid
|
||||||
|
+ else:
|
||||||
|
+ test_group = self.clients[0].run_command(["id", nonposixuser])
|
||||||
|
+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain)
|
||||||
|
+ grp_str = "groups={0}(domain users@{1})".format(gid,
|
||||||
|
+ self.ad_domain)
|
||||||
|
+ assert gid_str in test_group.stdout_text
|
||||||
|
+ assert grp_str in test_group.stdout_text
|
||||||
|
+ assert uid != gid
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_idoverride_with_auto_private_group(self, type):
|
||||||
|
+ """
|
||||||
|
+ Override ad trusted user in default trust view
|
||||||
|
+ and set auto-private-groups=[hybrid,true,false]
|
||||||
|
+ and ensure that overridden values takes effect.
|
||||||
|
+ """
|
||||||
|
+ nonposixuser = "nonposixuser@%s" % self.ad_domain
|
||||||
|
+ with self.set_idoverrideuser(nonposixuser,
|
||||||
|
+ self.uid_override,
|
||||||
|
+ self.gid_override
|
||||||
|
+ ):
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
||||||
|
+ assert (uid == self.uid_override and gid == self.gid_override)
|
||||||
|
+ test_group = self.clients[0].run_command(
|
||||||
|
+ ["id", nonposixuser]).stdout_text
|
||||||
|
+ assert "domain users@{0}".format(self.ad_domain) in test_group
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_nonposixuser_nondefault_primary_group(self, type):
|
||||||
|
+ """
|
||||||
|
+ Test for non default primary group.
|
||||||
|
+ For hybrid/false gid corresponds to the group testgroup1.
|
||||||
|
+ """
|
||||||
|
+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1)
|
||||||
|
+ if type == "true":
|
||||||
|
+ assert uid == gid
|
||||||
|
+ else:
|
||||||
|
+ test_group = self.clients[0].run_command(["id", nonposixuser1])
|
||||||
|
+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain)
|
||||||
|
+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain)
|
||||||
|
+ assert (gid_str in test_group.stdout_text
|
||||||
|
+ and group in test_group.stdout_text)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||||
|
+ """
|
||||||
|
+ Tests for auto-private-groups option with posix AD trust
|
||||||
|
+ Related : https://pagure.io/freeipa/issue/8807
|
||||||
|
+ """
|
||||||
|
+ topology = 'line'
|
||||||
|
+ num_ad_domains = 1
|
||||||
|
+ num_clients = 1
|
||||||
|
+ num_ad_subdomains = 0
|
||||||
|
+ num_ad_treedomains = 0
|
||||||
|
+ uid_override = "99999999"
|
||||||
|
+ gid_override = "78878787"
|
||||||
|
+
|
||||||
|
+ def test_add_posix_trust(self):
|
||||||
|
+ tasks.configure_dns_for_trust(self.master, self.ad)
|
||||||
|
+ tasks.establish_trust_with_ad(
|
||||||
|
+ self.master, self.ad_domain,
|
||||||
|
+ extra_args=['--range-type', 'ipa-ad-trust-posix'])
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_gidnumber_not_corresponding_existing_group(self, type):
|
||||||
|
+ """
|
||||||
|
+ Test checks that sssd can resolve AD users which
|
||||||
|
+ contain posix attributes (uidNumber and gidNumber)
|
||||||
|
+ but there is no group with the corresponding gidNumber.
|
||||||
|
+ """
|
||||||
|
+ posixuser = "testuser2@%s" % self.ad_domain
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ if type != "true":
|
||||||
|
+ result = self.clients[0].run_command(['id', posixuser],
|
||||||
|
+ raiseonerr=False)
|
||||||
|
+ tasks.assert_error(result, "no such user")
|
||||||
|
+ else:
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||||
|
+ assert uid == gid
|
||||||
|
+ assert uid == '10060'
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_only_uid_number_auto_private_group_default(self, type):
|
||||||
|
+ """
|
||||||
|
+ Test checks that posix user with only uidNumber defined
|
||||||
|
+ and gidNumber not set, auto-private-group
|
||||||
|
+ is set to false/true/hybrid
|
||||||
|
+ """
|
||||||
|
+ posixuser = "testuser1@%s" % self.ad_domain
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ if type == "true":
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||||
|
+ assert uid == gid
|
||||||
|
+ else:
|
||||||
|
+ for host in [self.master, self.clients[0]]:
|
||||||
|
+ result = host.run_command(['id', posixuser], raiseonerr=False)
|
||||||
|
+ tasks.assert_error(result, "no such user")
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_auto_private_group_primary_group(self, type):
|
||||||
|
+ """
|
||||||
|
+ Test checks that AD users which contain posix attributes
|
||||||
|
+ (uidNumber and gidNumber) and there is primary group
|
||||||
|
+ with gid number defined.
|
||||||
|
+ """
|
||||||
|
+ posixuser = "testuser@%s" % self.ad_domain
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||||
|
+ test_grp = self.clients[0].run_command(["id", posixuser])
|
||||||
|
+ assert uid == '10042'
|
||||||
|
+ if type == "true":
|
||||||
|
+ assert uid == gid
|
||||||
|
+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format(
|
||||||
|
+ self.ad_domain, self.ad_domain)
|
||||||
|
+ assert groups in test_grp.stdout_text
|
||||||
|
+ else:
|
||||||
|
+ assert gid == '10047'
|
||||||
|
+ groups = "10047(testgroup@{0})".format(self.ad_domain)
|
||||||
|
+ assert groups in test_grp.stdout_text
|
||||||
|
+
|
||||||
|
+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
+ def test_idoverride_with_auto_private_group(self, type):
|
||||||
|
+ """
|
||||||
|
+ Override ad trusted user in default trust view
|
||||||
|
+ and set auto-private-groups=[hybrid,true,false]
|
||||||
|
+ and ensure that overridden values takes effect.
|
||||||
|
+ """
|
||||||
|
+ posixuser = "testuser@%s" % self.ad_domain
|
||||||
|
+ with self.set_idoverrideuser(posixuser,
|
||||||
|
+ self.uid_override,
|
||||||
|
+ self.gid_override):
|
||||||
|
+ self.mod_idrange_auto_private_group(type)
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||||
|
+ assert(uid == self.uid_override
|
||||||
|
+ and gid == self.gid_override)
|
||||||
|
+ result = self.clients[0].run_command(['id', posixuser])
|
||||||
|
+ assert "10047(testgroup@{0})".format(
|
||||||
|
+ self.ad_domain) in result.stdout_text
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Thu, 10 Feb 2022 17:07:45 +0530
|
||||||
|
Subject: [PATCH] mark xfail for
|
||||||
|
test_idoverride_with_auto_private_group[hybrid]
|
||||||
|
|
||||||
|
Related : https://github.com/SSSD/sssd/issues/5989
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_trust.py | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||||
|
index ff2dd9cc8..54bd15462 100644
|
||||||
|
--- a/ipatests/test_integration/test_trust.py
|
||||||
|
+++ b/ipatests/test_integration/test_trust.py
|
||||||
|
@@ -15,6 +15,7 @@ from ipaplatform.paths import paths
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipatests.pytest_ipa.integration import fips
|
||||||
|
+from ipatests.util import xfail_context
|
||||||
|
from ipapython.dn import DN
|
||||||
|
from collections import namedtuple
|
||||||
|
from contextlib import contextmanager
|
||||||
|
@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||||
|
assert (uid == self.uid_override and gid == self.gid_override)
|
||||||
|
test_group = self.clients[0].run_command(
|
||||||
|
["id", nonposixuser]).stdout_text
|
||||||
|
- assert "domain users@{0}".format(self.ad_domain) in test_group
|
||||||
|
+ version = tasks.get_sssd_version(self.clients[0])
|
||||||
|
+ with xfail_context(version <= tasks.parse_version('2.6.3')
|
||||||
|
+ and type == "hybrid",
|
||||||
|
+ 'https://github.com/SSSD/sssd/issues/5989'):
|
||||||
|
+ assert "domain users@{0}".format(self.ad_domain) in test_group
|
||||||
|
|
||||||
|
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
def test_nonposixuser_nondefault_primary_group(self, type):
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Thu, 10 Feb 2022 17:29:45 +0530
|
||||||
|
Subject: [PATCH] Mark xfail
|
||||||
|
test_gidnumber_not_corresponding_existing_group[true,hybrid]
|
||||||
|
|
||||||
|
Related : https://github.com/SSSD/sssd/issues/5988
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_trust.py | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||||
|
index 54bd15462..c12837815 100644
|
||||||
|
--- a/ipatests/test_integration/test_trust.py
|
||||||
|
+++ b/ipatests/test_integration/test_trust.py
|
||||||
|
@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||||
|
raiseonerr=False)
|
||||||
|
tasks.assert_error(result, "no such user")
|
||||||
|
else:
|
||||||
|
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||||
|
- assert uid == gid
|
||||||
|
- assert uid == '10060'
|
||||||
|
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||||
|
+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'),
|
||||||
|
+ 'https://github.com/SSSD/sssd/issues/5988'):
|
||||||
|
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||||
|
+ assert uid == gid
|
||||||
|
+ assert uid == '10060'
|
||||||
|
|
||||||
|
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||||
|
def test_only_uid_number_auto_private_group_default(self, type):
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -1,128 +0,0 @@
|
|||||||
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Thu, 9 Sep 2021 15:26:55 -0400
|
|
||||||
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
|
|
||||||
|
|
||||||
usercertificate often has a subclass and both the plain and
|
|
||||||
subclassed (binary) values are queried. I'm concerned that
|
|
||||||
they are used more or less interchangably in places so not
|
|
||||||
caching these entries is the safest path forward for now until
|
|
||||||
we can dedicate the time to find all usages, determine their
|
|
||||||
safety and/or perhaps handle this gracefully within the cache
|
|
||||||
now.
|
|
||||||
|
|
||||||
What we see in this bug is that usercertificate;binary holds the
|
|
||||||
first certificate value but a user-mod is done with
|
|
||||||
setattr usercertificate=<new_cert>. Since there is no
|
|
||||||
usercertificate value (remember, it's usercertificate;binary)
|
|
||||||
a replace is done and 389-ds wipes the existing value as we've
|
|
||||||
asked it to.
|
|
||||||
|
|
||||||
I'm not comfortable with simply treating them the same because
|
|
||||||
in LDAP they are not.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8986
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
||||||
---
|
|
||||||
ipapython/ipaldap.py | 14 +++++++++++---
|
|
||||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
|
||||||
index f94b784d6..ced8f1bd6 100644
|
|
||||||
--- a/ipapython/ipaldap.py
|
|
||||||
+++ b/ipapython/ipaldap.py
|
|
||||||
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
|
|
||||||
entry=None, exception=None):
|
|
||||||
# idnsname - caching prevents delete when mod value to None
|
|
||||||
# cospriority - in a Class of Service object, uncacheable
|
|
||||||
- # TODO - usercertificate was banned at one point and I don't remember
|
|
||||||
- # why...
|
|
||||||
- BANNED_ATTRS = {'idnsname', 'cospriority'}
|
|
||||||
+ # usercertificate* - caching subtypes is tricky, trade less
|
|
||||||
+ # complexity for performance
|
|
||||||
+ #
|
|
||||||
+ # TODO: teach the cache about subtypes
|
|
||||||
+
|
|
||||||
+ BANNED_ATTRS = {
|
|
||||||
+ 'idnsname',
|
|
||||||
+ 'cospriority',
|
|
||||||
+ 'usercertificate',
|
|
||||||
+ 'usercertificate;binary'
|
|
||||||
+ }
|
|
||||||
if not self._enable_cache:
|
|
||||||
return
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
||||||
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Fri, 10 Sep 2021 09:01:48 -0400
|
|
||||||
Subject: [PATCH] ipatests: Test that a user can be issued multiple
|
|
||||||
certificates
|
|
||||||
|
|
||||||
Prevent regressions in the LDAP cache layer that caused newly
|
|
||||||
issued certificates to overwrite existing ones.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8986
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
|
|
||||||
1 file changed, 29 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
|
||||||
index 7d51b76ee..b4e85eadc 100644
|
|
||||||
--- a/ipatests/test_integration/test_cert.py
|
|
||||||
+++ b/ipatests/test_integration/test_cert.py
|
|
||||||
@@ -16,6 +16,7 @@ import string
|
|
||||||
import time
|
|
||||||
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
+from ipapython.dn import DN
|
|
||||||
from cryptography import x509
|
|
||||||
from cryptography.x509.oid import ExtensionOID
|
|
||||||
from cryptography.hazmat.backends import default_backend
|
|
||||||
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
|
|
||||||
)
|
|
||||||
assert "profile: caServerCert" in result.stdout_text
|
|
||||||
|
|
||||||
+ def test_multiple_user_certificates(self):
|
|
||||||
+ """Test that a user may be issued multiple certificates"""
|
|
||||||
+ ldap = self.master.ldap_connect()
|
|
||||||
+
|
|
||||||
+ user = 'user1'
|
|
||||||
+
|
|
||||||
+ tasks.kinit_admin(self.master)
|
|
||||||
+ tasks.user_add(self.master, user)
|
|
||||||
+
|
|
||||||
+ for id in (0,1):
|
|
||||||
+ csr_file = f'{id}.csr'
|
|
||||||
+ key_file = f'{id}.key'
|
|
||||||
+ cert_file = f'{id}.crt'
|
|
||||||
+ openssl_cmd = [
|
|
||||||
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
|
|
||||||
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
|
|
||||||
+ self.master.run_command(openssl_cmd)
|
|
||||||
+
|
|
||||||
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
|
|
||||||
+ '--certificate-out', cert_file, csr_file]
|
|
||||||
+ self.master.run_command(cmd_args)
|
|
||||||
+
|
|
||||||
+ # easier to count by pulling the LDAP entry
|
|
||||||
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
|
|
||||||
+ ('cn', 'accounts'), self.master.domain.basedn))
|
|
||||||
+
|
|
||||||
+ assert len(entry.get('usercertificate')) == 2
|
|
||||||
+
|
|
||||||
@pytest.fixture
|
|
||||||
def test_subca_certs(self):
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,95 +0,0 @@
|
|||||||
From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Oct 21 2021 19:58:19 +0000
|
|
||||||
Subject: ipa-server-install uninstall: remove tdb files
|
|
||||||
|
|
||||||
|
|
||||||
ipa-server-install uninstaller must remove samba *.tdb files
|
|
||||||
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
|
|
||||||
The current code calls rm on the relative path filename
|
|
||||||
instead of building an absolute path filename,
|
|
||||||
resulting in failure to remove the tdb files.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8687
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
|
||||||
index 24e90f3..e034fab 100644
|
|
||||||
--- a/ipaserver/install/adtrustinstance.py
|
|
||||||
+++ b/ipaserver/install/adtrustinstance.py
|
|
||||||
@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
|
|
||||||
ipautil.remove_file(self.smb_conf)
|
|
||||||
|
|
||||||
# Remove samba's persistent and temporary tdb files
|
|
||||||
- if os.path.isdir(paths.SAMBA_DIR):
|
|
||||||
- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
|
|
||||||
- if tdb_file.endswith(".tdb")]
|
|
||||||
- for tdb_file in tdb_files:
|
|
||||||
- ipautil.remove_file(tdb_file)
|
|
||||||
+ # in /var/lib/samba and /var/lib/samba/private
|
|
||||||
+ for smbpath in (paths.SAMBA_DIR,
|
|
||||||
+ os.path.join(paths.SAMBA_DIR, "private"),
|
|
||||||
+ os.path.join(paths.SAMBA_DIR, "lock")):
|
|
||||||
+ if os.path.isdir(smbpath):
|
|
||||||
+ tdb_files = [
|
|
||||||
+ os.path.join(smbpath, tdb_file)
|
|
||||||
+ for tdb_file in os.listdir(smbpath)
|
|
||||||
+ if tdb_file.endswith(".tdb")
|
|
||||||
+ ]
|
|
||||||
+ for tdb_file in tdb_files:
|
|
||||||
+ ipautil.remove_file(tdb_file)
|
|
||||||
|
|
||||||
# Remove our keys from samba's keytab
|
|
||||||
self.clean_samba_keytab()
|
|
||||||
|
|
||||||
From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Oct 21 2021 19:58:19 +0000
|
|
||||||
Subject: ipa-client-samba uninstall: remove tdb files
|
|
||||||
|
|
||||||
|
|
||||||
ipa-client-samba uninstaller must remove samba *.tdb files
|
|
||||||
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
|
|
||||||
The current code calls rm on the relative path filename
|
|
||||||
instead of building an absolute path filename,
|
|
||||||
resulting in failure to remove the tdb files.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8687
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
|
|
||||||
index fd89e59..222ff31 100755
|
|
||||||
--- a/ipaclient/install/ipa_client_samba.py
|
|
||||||
+++ b/ipaclient/install/ipa_client_samba.py
|
|
||||||
@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
|
|
||||||
fstore.restore_file(paths.SMB_CONF)
|
|
||||||
|
|
||||||
# Remove samba's persistent and temporary tdb files
|
|
||||||
- tdb_files = [
|
|
||||||
- tdb_file
|
|
||||||
- for tdb_file in os.listdir(paths.SAMBA_DIR)
|
|
||||||
- if tdb_file.endswith(".tdb")
|
|
||||||
- ]
|
|
||||||
- for tdb_file in tdb_files:
|
|
||||||
- ipautil.remove_file(tdb_file)
|
|
||||||
+ # in /var/lib/samba and /var/lib/samba/private
|
|
||||||
+ for smbpath in (paths.SAMBA_DIR,
|
|
||||||
+ os.path.join(paths.SAMBA_DIR, "private"),
|
|
||||||
+ os.path.join(paths.SAMBA_DIR, "lock")):
|
|
||||||
+ tdb_files = [
|
|
||||||
+ os.path.join(smbpath, tdb_file)
|
|
||||||
+ for tdb_file in os.listdir(smbpath)
|
|
||||||
+ if tdb_file.endswith(".tdb")
|
|
||||||
+ ]
|
|
||||||
+ for tdb_file in tdb_files:
|
|
||||||
+ ipautil.remove_file(tdb_file)
|
|
||||||
|
|
||||||
# Remove our keys from samba's keytab
|
|
||||||
if os.path.exists(paths.SAMBA_KEYTAB):
|
|
||||||
|
|
@ -1,222 +0,0 @@
|
|||||||
From fe59e6a0b06926a3d71c6b6f361714d1422d5b0f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Thu, 11 Nov 2021 09:58:09 +0200
|
|
||||||
Subject: [PATCH 1/2] ipa-kdb: honor SID from the host or service entry
|
|
||||||
|
|
||||||
If the SID was explicitly set for the host or service entry, honor it
|
|
||||||
when issuing PAC. For normal services and hosts we don't allocate
|
|
||||||
individual SIDs but for cifs/... principals on domain members we do as
|
|
||||||
they need to login to Samba domain controller.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9031
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 46 ++++++++++++++++++++-------------
|
|
||||||
1 file changed, 28 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 0e0ee3616..6f272f9fe 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -653,6 +653,28 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
* clear it after detecting the changes */
|
|
||||||
info3->base.acct_flags = ACB_USE_AES_KEYS;
|
|
||||||
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
+ "ipaNTSecurityIdentifier", &strres);
|
|
||||||
+ if (ret) {
|
|
||||||
+ /* SID is mandatory for all but host/services */
|
|
||||||
+ if (!(is_host || is_service)) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+ info3->base.rid = 0;
|
|
||||||
+ } else {
|
|
||||||
+ ret = ipadb_string_to_sid(strres, &sid);
|
|
||||||
+ free(strres);
|
|
||||||
+ if (ret) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+ ret = sid_split_rid(&sid, &info3->base.rid);
|
|
||||||
+ if (ret) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* If SID was present prefer using it even for hosts and services
|
|
||||||
+ * but we still need to set the account flags correctly */
|
|
||||||
if ((is_host || is_service)) {
|
|
||||||
/* it is either host or service, so get the hostname first */
|
|
||||||
char *sep = strchr(info3->base.account_name.string, '/');
|
|
||||||
@@ -661,29 +683,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
sep ? sep + 1 : info3->base.account_name.string);
|
|
||||||
if (is_master) {
|
|
||||||
/* Well known RID of domain controllers group */
|
|
||||||
- info3->base.rid = 516;
|
|
||||||
+ if (info3->base.rid == 0) {
|
|
||||||
+ info3->base.rid = 516;
|
|
||||||
+ }
|
|
||||||
info3->base.acct_flags |= ACB_SVRTRUST;
|
|
||||||
} else {
|
|
||||||
/* Well known RID of domain computers group */
|
|
||||||
- info3->base.rid = 515;
|
|
||||||
+ if (info3->base.rid == 0) {
|
|
||||||
+ info3->base.rid = 515;
|
|
||||||
+ }
|
|
||||||
info3->base.acct_flags |= ACB_WSTRUST;
|
|
||||||
}
|
|
||||||
- } else {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
- "ipaNTSecurityIdentifier", &strres);
|
|
||||||
- if (ret) {
|
|
||||||
- /* SID is mandatory */
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
- ret = ipadb_string_to_sid(strres, &sid);
|
|
||||||
- free(strres);
|
|
||||||
- if (ret) {
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
- ret = sid_split_rid(&sid, &info3->base.rid);
|
|
||||||
- if (ret) {
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
||||||
|
|
||||||
From 21af43550aa0a31e1ec5240578bd64fcbdd4ee24 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Thu, 11 Nov 2021 10:16:47 +0200
|
|
||||||
Subject: [PATCH 2/2] ipa-kdb: validate domain SID in incoming PAC for trusted
|
|
||||||
domains for S4U
|
|
||||||
|
|
||||||
Previously, ipadb_check_logon_info() was called only for cross-realm
|
|
||||||
case. Now we call it for both in-realm and cross-realm cases. In case of
|
|
||||||
the S4U2Proxy, we would be passed a PAC of the original caller which
|
|
||||||
might be a principal from the trusted realm. We cannot validate that PAC
|
|
||||||
against our local client DB entry because this is the proxy entry which
|
|
||||||
is guaranteed to have different SID.
|
|
||||||
|
|
||||||
In such case, validate the SID of the domain in PAC against our realm
|
|
||||||
and any trusted doman but skip an additional check of the DB entry in
|
|
||||||
the S4U2Proxy case.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9031
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 54 ++++++++++++++++++++++++++-------
|
|
||||||
1 file changed, 43 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 6f272f9fe..6f7d1ac15 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -1637,11 +1637,13 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
|
|
||||||
static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|
||||||
TALLOC_CTX *memctx,
|
|
||||||
krb5_const_principal client_princ,
|
|
||||||
+ krb5_boolean is_s4u,
|
|
||||||
struct PAC_LOGON_INFO_CTR *info)
|
|
||||||
{
|
|
||||||
krb5_error_code kerr = 0;
|
|
||||||
struct ipadb_context *ipactx;
|
|
||||||
bool result;
|
|
||||||
+ bool is_from_trusted_domain = false;
|
|
||||||
krb5_db_entry *client_actual = NULL;
|
|
||||||
struct ipadb_e_data *ied = NULL;
|
|
||||||
int flags = 0;
|
|
||||||
@@ -1671,14 +1673,36 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|
||||||
result = dom_sid_check(&ipactx->mspac->domsid,
|
|
||||||
info->info->info3.base.domain_sid, true);
|
|
||||||
if (!result) {
|
|
||||||
- /* memctx is freed by the caller */
|
|
||||||
- char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
|
|
||||||
- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
|
|
||||||
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
|
|
||||||
- "to local domain SID: local [%s], PAC [%s]",
|
|
||||||
- dom ? dom : "<failed to display>",
|
|
||||||
- sid ? sid : "<failed to display>");
|
|
||||||
- return KRB5KDC_ERR_POLICY;
|
|
||||||
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
|
||||||
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
|
||||||
+ /* Iterate through list of trusts and check if this SID belongs to
|
|
||||||
+ * one of the domains we trust */
|
|
||||||
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
|
||||||
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
|
||||||
+ info->info->info3.base.domain_sid, true);
|
|
||||||
+ if (result) {
|
|
||||||
+ is_from_trusted_domain = true;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!result) {
|
|
||||||
+ /* memctx is freed by the caller */
|
|
||||||
+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
|
|
||||||
+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
|
|
||||||
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
|
|
||||||
+ "to local domain SID or any trusted domain SID: "
|
|
||||||
+ "local [%s], PAC [%s]",
|
|
||||||
+ dom ? dom : "<failed to display>",
|
|
||||||
+ sid ? sid : "<failed to display>");
|
|
||||||
+ return KRB5KDC_ERR_POLICY;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (is_s4u && is_from_trusted_domain) {
|
|
||||||
+ /* If the PAC belongs to a user from the trusted domain, we cannot compare SIDs */
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
|
||||||
@@ -1703,6 +1727,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
|
|
||||||
if (kerr) {
|
|
||||||
goto done;
|
|
||||||
@@ -1956,6 +1981,7 @@ krb5_error_code filter_logon_info(krb5_context context,
|
|
||||||
static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
|
||||||
krb5_const_principal client_princ,
|
|
||||||
krb5_boolean is_cross_realm,
|
|
||||||
+ krb5_boolean is_s4u,
|
|
||||||
krb5_data *pac_blob,
|
|
||||||
struct dom_sid *requester_sid)
|
|
||||||
{
|
|
||||||
@@ -1999,8 +2025,11 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
|
||||||
|
|
||||||
if (!is_cross_realm) {
|
|
||||||
/* For local realm case we need to check whether the PAC is for our user
|
|
||||||
- * but we don't need to process further */
|
|
||||||
- kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
|
|
||||||
+ * but we don't need to process further. In S4U2Proxy case when the client
|
|
||||||
+ * is ours but operates on behalf of the cross-realm principal, we will
|
|
||||||
+ * search through the trusted domains but otherwise skip the exact SID check
|
|
||||||
+ * as we are not responsible for the principal from the trusted domain */
|
|
||||||
+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, is_s4u, &info);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2251,7 +2280,10 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
|
|
||||||
#endif
|
|
||||||
|
|
||||||
kerr = ipadb_check_logon_info(context,
|
|
||||||
- client_princ, is_cross_realm, &pac_blob,
|
|
||||||
+ client_princ,
|
|
||||||
+ is_cross_realm,
|
|
||||||
+ (flags & KRB5_KDB_FLAGS_S4U),
|
|
||||||
+ &pac_blob,
|
|
||||||
requester_sid);
|
|
||||||
if (kerr != 0) {
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
File diff suppressed because it is too large
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
|
|
||||||
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
|
|
||||||
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
|
|
||||||
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
|
|
||||||
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
|
|
||||||
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
|
|
||||||
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
|
|
||||||
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
|
|
||||||
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
|
|
||||||
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
|
|
||||||
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
|
|
||||||
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
|
|
||||||
=TQFs
|
|
||||||
-----END PGP SIGNATURE-----
|
|
16
SOURCES/freeipa-4.9.8.tar.gz.asc
16
SOURCES/freeipa-4.9.8.tar.gz.asc
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
|
||||||
|
00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
|
||||||
|
MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
|
||||||
|
XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
|
||||||
|
E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
|
||||||
|
q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
|
||||||
|
BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
|
||||||
|
CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
|
||||||
|
UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
|
||||||
|
q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
|
||||||
|
urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
|
||||||
|
w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
|
||||||
|
=t9up
|
||||||
|
-----END PGP SIGNATURE-----
|
136
SPECS/ipa.spec
136
SPECS/ipa.spec
@ -68,8 +68,8 @@
|
|||||||
%global krb5_kdb_version 8.0
|
%global krb5_kdb_version 8.0
|
||||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||||
%global python_netaddr_version 0.7.19
|
%global python_netaddr_version 0.7.19
|
||||||
# Require 4.14.5-6 which brings CVE-2020-25717 fixes in RHEL 8.5.z
|
# Require 4.14.5-13 which brings CVE-2020-25717 fixes
|
||||||
%global samba_version 4.14.5-6
|
%global samba_version 4.14.5-13
|
||||||
%global selinux_policy_version 3.14.3-52
|
%global selinux_policy_version 3.14.3-52
|
||||||
%global slapi_nis_version 0.56.4
|
%global slapi_nis_version 0.56.4
|
||||||
%global python_ldap_version 3.1.0-1
|
%global python_ldap_version 3.1.0-1
|
||||||
@ -178,7 +178,7 @@
|
|||||||
|
|
||||||
# Work-around fact that RPM SPEC parser does not accept
|
# Work-around fact that RPM SPEC parser does not accept
|
||||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||||
%define IPA_VERSION 4.9.6
|
%define IPA_VERSION 4.9.8
|
||||||
# Release candidate version -- uncomment with one percent for RC versions
|
# Release candidate version -- uncomment with one percent for RC versions
|
||||||
#%%global rc_version %%nil
|
#%%global rc_version %%nil
|
||||||
%define AT_SIGN @
|
%define AT_SIGN @
|
||||||
@ -191,7 +191,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 12%{?rc_version:.%rc_version}%{?dist}
|
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -211,30 +211,24 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
|||||||
# RHEL spec file only: START
|
# RHEL spec file only: START
|
||||||
%if %{NON_DEVELOPER_BUILD}
|
%if %{NON_DEVELOPER_BUILD}
|
||||||
%if 0%{?rhel} >= 8
|
%if 0%{?rhel} >= 8
|
||||||
Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
|
Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||||
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
|
Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
|
||||||
Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
|
Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
|
||||||
Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
|
Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
|
||||||
Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
|
Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
|
||||||
Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
|
Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
|
||||||
Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
|
Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
|
||||||
Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
|
Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
|
||||||
Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
|
Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
|
||||||
Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
|
Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
|
||||||
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
|
Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
|
||||||
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
|
Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
|
||||||
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
|
Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch
|
||||||
Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
|
|
||||||
Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
|
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
# RHEL spec file only: END
|
# RHEL spec file only: END
|
||||||
# SID hardening patches
|
Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
|
||||||
Patch1100: freeipa-4.9.6-bf.patch
|
|
||||||
Patch1101: freeipa-4.9.6-bf-2.patch
|
|
||||||
Patch1102: freeipa-4.9.6-bf-3.patch
|
|
||||||
|
|
||||||
|
|
||||||
# For the timestamp trick in patch application
|
# For the timestamp trick in patch application
|
||||||
BuildRequires: diffstat
|
BuildRequires: diffstat
|
||||||
@ -1379,6 +1373,7 @@ fi
|
|||||||
%{_libexecdir}/ipa/ipa-pki-wait-running
|
%{_libexecdir}/ipa/ipa-pki-wait-running
|
||||||
%{_libexecdir}/ipa/ipa-otpd
|
%{_libexecdir}/ipa/ipa-otpd
|
||||||
%{_libexecdir}/ipa/ipa-print-pac
|
%{_libexecdir}/ipa/ipa-print-pac
|
||||||
|
%{_libexecdir}/ipa/ipa-subids
|
||||||
%dir %{_libexecdir}/ipa/custodia
|
%dir %{_libexecdir}/ipa/custodia
|
||||||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
|
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
|
||||||
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
|
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
|
||||||
@ -1719,46 +1714,75 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Mar 18 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-12
|
* Thu Feb 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-7
|
||||||
- ipa-server-install uninstall: remove tdb files
|
- ipatests: Backport test fixes in python3-ipatests.
|
||||||
- ipa-client-samba uninstall: remove tdb files
|
Resolves: RHBZ#2057505
|
||||||
Resolves: RHBZ#2065719
|
|
||||||
|
|
||||||
* Tue Mar 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-11
|
* Mon Feb 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-6
|
||||||
- Custodia use a stronger encryption algo when exporting keys
|
- ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout
|
||||||
Resolves: RHBZ#2062404
|
Related: RHBZ#2053024
|
||||||
|
|
||||||
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
|
* Mon Feb 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-5
|
||||||
- Bump realease version due to build issue.
|
- ipatests: remove additional check for failed units.
|
||||||
Related: RHBZ#2021489
|
Resolves: RHBZ#2053024
|
||||||
|
- ipa-cldap: fix memory leak.
|
||||||
|
Resolves: RHBZ#2032738
|
||||||
|
|
||||||
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-9
|
* Thu Feb 10 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-4
|
||||||
- Hardening for CVE-2020-25717, part 3
|
- Don't always override the port in import_included_profiles
|
||||||
Related: RHBZ#2021489
|
Fixes: RHBZ#2022483
|
||||||
|
- Remove ipa-join errors from behind the debug option
|
||||||
|
Fixes: RHBZ#2048558
|
||||||
|
- Enable the ccache sweep timer during installation
|
||||||
|
Fixes: RHBZ#2051575
|
||||||
|
|
||||||
* Thu Nov 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
|
* Thu Feb 3 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-3
|
||||||
- Hardening for CVE-2020-25717, part 2
|
- Config plugin: return EmptyModlist when no change is applied.
|
||||||
- Related: RHBZ#2021171
|
Resolves: RHBZ#2031825
|
||||||
|
- Custodia: use a stronger encryption algo when exporting keys.
|
||||||
|
Resolves: RHBZ#2032806
|
||||||
|
- ipa-kdb: do not remove keys for hardened auth-enabled users.
|
||||||
|
Resolves: RHBZ#2033342
|
||||||
|
- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
|
||||||
|
Resolves: RHBZ#2049167
|
||||||
|
- Backport latest test fxes in python3 ipatests.
|
||||||
|
Resolves: RHBZ#2048509
|
||||||
|
- Removed unused patch files that were part of 4.9.8 rebase.
|
||||||
|
|
||||||
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
|
* Fri Dec 10 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-2
|
||||||
|
- Revert bind-pkcs11-utils configuration in freeipa.spec.
|
||||||
|
Resolves: RHBZ#2026732
|
||||||
|
|
||||||
|
* Tue Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-1
|
||||||
|
- Upstream release FreeIPA 4.9.8
|
||||||
|
Related: RHBZ#2015607
|
||||||
- Hardening for CVE-2020-25717
|
- Hardening for CVE-2020-25717
|
||||||
- Related: RHBZ#2021171
|
|
||||||
|
|
||||||
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
|
* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9.1
|
||||||
- Don't store entries with a usercertificate in the LDAP cache
|
- Fix S4U2Self regression for cross-realm requester SID buffer
|
||||||
Resolves: RHBZ#1999893
|
- Related: RHBZ#2021443
|
||||||
|
|
||||||
* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5
|
* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9
|
||||||
- Catch and log errors when adding CA profiles
|
- Require samba 4.14.5-13 with IPA DC server role fixes
|
||||||
Resolves: RHBZ#1999142
|
- Related: RHBZ#2021443
|
||||||
- selinux policy: allow custodia to access /proc/cpuinfo
|
|
||||||
Resolves: RHBZ#1998129
|
* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
|
||||||
- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
|
- Add versioned dependency of samba-client-libs to ipa-server
|
||||||
Resolves: RHBZ#2000263
|
- Related: RHBZ#2021443
|
||||||
- ipa migrate-ds command fails to warn when compat plugin is enabled
|
|
||||||
Resolves: RHBZ#1999992
|
* Thu Nov 11 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
|
||||||
- Backport latest test fixes in python3-ipatests
|
- Hardening for CVE-2020-25717
|
||||||
Resolves: RHBZ#2000553
|
- Harden processing of trusted domains' users in S4U operations
|
||||||
|
- Resolves: RHBZ#2021443
|
||||||
|
|
||||||
|
* Wed Nov 10 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-6
|
||||||
|
- Hardening for CVE-2020-25717
|
||||||
|
- Rebuild against samba-4.14.5-11.el8
|
||||||
|
- Resolves: RHBZ#2021443
|
||||||
|
|
||||||
|
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-5
|
||||||
|
- Hardening for CVE-2020-25717
|
||||||
|
- Related: RHBZ#2019668
|
||||||
|
|
||||||
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
|
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
|
||||||
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
|
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
|
||||||
|
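Review bot: In the Patch list hunk (`@ -211,30 +211,24 @@`), the new side drops `Patch1100: freeipa-4.9.6-bf.patch`, `Patch1101: freeipa-4.9.6-bf-2.patch` and `Patch1102: freeipa-4.9.6-bf-3.patch` (the CVE-2020-25717 hardening parts 1–3 from the 4.9.6-7/-8/-9 builds) as well as `Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch` (4.9.6-12), and the only hardening patch kept is `Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch`. Nothing in the new `%changelog` entries says whether that single patch subsumes parts 2 and 3 or whether the tdb-file removal fix landed upstream in 4.9.8, so the section as written cannot be checked for a regression of those fixes; RHBZ#2065719 is also no longer referenced anywhere on the new side. I would add a comment above the kept hardening patch, e.g. `# Supersedes the freeipa-4.9.6-bf*.patch series (CVE-2020-25717 hardening parts 1-3); coverage of parts 2 and 3 to be confirmed against the 4.9.8 base`, and a changelog line in the 4.9.8-7 entry naming where the rhbz#2065719 fix now comes from. The `samba_version` bump to 4.14.5-13 matches its updated comment and needs no change.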