diff --git a/.gitignore b/.gitignore index d9c893f..3912c13 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/freeipa-4.9.8.tar.gz +SOURCES/freeipa-4.9.10.tar.gz diff --git a/.ipa.metadata b/.ipa.metadata index 15ef586..81f398b 100644 --- a/.ipa.metadata +++ b/.ipa.metadata @@ -1 +1 @@ -38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz +8f2b6a7f52348421fa7c67048dd5ae454f2642fb SOURCES/freeipa-4.9.10.tar.gz diff --git a/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch b/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch new file mode 100644 index 0000000..4852df8 --- /dev/null +++ b/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch @@ -0,0 +1,33 @@ +From ff54fe2fdfbab11e08a138cdfd0da900ee865e3d Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 17 Jun 2022 11:22:32 -0300 +Subject: [PATCH] ipa-otpd: Fix build on older versions of gcc. + +Older versions of gcc do not support unnamed parameters. + +This patch fixes the build on older gcc by applying the same idiom for +unsued parameters as used by other functions in the same module. + +Signed-off-by: Rafael Guterres Jeffman +--- + daemons/ipa-otpd/oauth2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c +index df1ffd50d..11d5c135f 100644 +--- a/daemons/ipa-otpd/oauth2.c ++++ b/daemons/ipa-otpd/oauth2.c +@@ -319,8 +319,9 @@ static int check_access_token_reply(struct child_ctx *child_ctx, + return ret; + } + +-static void oauth2_on_child_readable(verto_ctx *, verto_ev *ev) ++static void oauth2_on_child_readable(verto_ctx *vctx, verto_ev *ev) + { ++ (void)vctx; /* Unused */ + static char buf[10240]; + ssize_t io = 0; + struct child_ctx *child_ctx = NULL; +-- +2.36.1 + diff --git a/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch b/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch deleted file mode 100644 index f5f3cf3..0000000 --- a/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch +++ /dev/null @@ -1,75 +0,0 @@ -From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 15 Dec 2021 10:47:02 +0100 -Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied - -When ipa config-mod is called with the option --enable-sid, -the code needs to trap EmptyModlist exception (it is expected -that no LDAP attribute is modified by this operation). -The code had a flaw and was checking: - 'enable_sid' in options -instead of - options['enable_sid'] - -"'enable_sid' in options" always returns true as this option -is a Flag with a default value, hence always present even if -not specified on the command line. - -Fixes: https://pagure.io/freeipa/issue/9063 -Reviewed-By: Rob Crittenden ---- - ipaserver/plugins/config.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py -index eae401fc3..24446beb0 100644 ---- a/ipaserver/plugins/config.py -+++ b/ipaserver/plugins/config.py -@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate): - if (isinstance(exc, errors.EmptyModlist) and - call_func.__name__ == 'update_entry' and - ('ca_renewal_master_server' in options or -- 'enable_sid' in options)): -+ options['enable_sid'])): - return - - super(config_mod, self).exc_callback( --- -2.34.1 - -From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 15 Dec 2021 10:51:05 +0100 -Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned - -Add a test to test_config_plugin, that calls ipa config-mod -with the same value as already present in LDAP. -The call must return EmptyModlist. - -Related: https://pagure.io/freeipa/issue/9063 -Reviewed-By: Rob Crittenden ---- - ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py -index e981bb4a0..a8ec9f0e5 100644 ---- a/ipatests/test_xmlrpc/test_config_plugin.py -+++ b/ipatests/test_xmlrpc/test_config_plugin.py -@@ -312,4 +312,13 @@ class test_config(Declarative): - 'value': None, - }, - ), -+ dict( -+ desc='Set the value to the already set value, no modifications', -+ command=( -+ 'config_mod', [], { -+ 'ipasearchrecordslimit': u'100', -+ }, -+ ), -+ expected=errors.EmptyModlist(), -+ ), - ] --- -2.34.1 - diff --git a/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch b/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch new file mode 100644 index 0000000..7928884 --- /dev/null +++ b/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch @@ -0,0 +1,60 @@ +From 7807bcc55b4927fc327830d2237200772d2e1106 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 17 Jun 2022 15:40:04 -0300 +Subject: [PATCH] webui IdP: Remove arrow notation due to uglify-js limitation. + +uglify-js 2.x series do not support ECMAScript 6 arrow notation ('=>') +for callback definition. + +This patch changes the arrow definition callbacks for regular anonymous +function definitions. +--- + install/ui/src/freeipa/idp.js | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js +index ada09c075..be3c4f0e6 100644 +--- a/install/ui/src/freeipa/idp.js ++++ b/install/ui/src/freeipa/idp.js +@@ -227,7 +227,7 @@ IPA.add_idp_policy = function() { + // For custom template we show custom fields + // and mark all of them required and passed to the RPC + // If show_custom is false, the opposite happens +- custom_fields.forEach(fname => { ++ custom_fields.forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.set_required(show_custom); + widget_f.set_enabled(show_custom); +@@ -235,7 +235,7 @@ IPA.add_idp_policy = function() { + }); + + // For template fields we show them if custom aren't shown +- template_fields.forEach(fname => { ++ template_fields.forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.set_enabled(!show_custom); + widget_f.widget.set_visible(!show_custom); +@@ -252,7 +252,7 @@ IPA.add_idp_policy = function() { + var value = prov_f.get_value()[0]; + + // First, clear template fields from the previous provider choice +- template_fields.forEach(fname => { ++ template_fields.forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.widget.set_visible(false); + widget_f.set_required(false); +@@ -260,9 +260,9 @@ IPA.add_idp_policy = function() { + }); + + // Second, enable and get required template-specific fields +- idp.templates.forEach(idp_v => { ++ idp.templates.forEach(function(idp_v) { + if (idp_v['value'] == value) { +- idp_v['fields'].forEach(fname => { ++ idp_v['fields'].forEach(function(fname) { + widget_f = that.container.fields.get_field(fname); + widget_f.set_required(true); + widget_f.set_enabled(true); +-- +2.36.1 + diff --git a/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch b/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch deleted file mode 100644 index f6cf756..0000000 --- a/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Wed, 26 Jan 2022 15:43:39 +0100 -Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys - -The Custodia key export handler is using the default's OpenSSL encryption -scheme for PKCS#12. - -This represents an issue when performing a migration from CentOS Stream 8 (C8S) -to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S -replica talks to the Custodia server on C8S source server. The later creates an -encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's -default encryption scheme, which is no longer supported on C9S. - -This commit enforces a stronger encryption algorigthm by adding following -arguments to the Custodia server handler: - --keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 - -The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. - -Fixes: https://pagure.io/freeipa/issue/9101 - -Signed-off-by: Francisco Trivino -Reviewed-By: Christian Heimes -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/secrets/handlers/pemfile.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py -index 4e8eff0e3..ad36bd020 100644 ---- a/ipaserver/secrets/handlers/pemfile.py -+++ b/ipaserver/secrets/handlers/pemfile.py -@@ -31,6 +31,9 @@ def export_key(args, tmpdir): - '-out', pk12file, - '-inkey', args.keyfile, - '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile), -+ '-keypbe', 'AES-256-CBC', -+ '-certpbe', 'AES-256-CBC', -+ '-macalg', 'sha384', - ]) - - with open(pk12file, 'rb') as f: --- -2.34.1 - diff --git a/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch b/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch new file mode 100644 index 0000000..a7b9808 --- /dev/null +++ b/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch @@ -0,0 +1,131 @@ +From ff4152539b96d309dcceaf854a3e0a49f435acff Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 20 Jun 2022 09:09:11 +0200 +Subject: [PATCH] Preserve user: fix the confusing summary + +When ipa user-del --preserve is called, the command output +prints a summary with: + Deleted user: user1 +although the user was preserved. +Replace the summary with + Preserved user: user1 +to reflect what was actually done. + +Fixes: https://pagure.io/freeipa/issue/9187 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/user.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py +index 25d2bb6aa..fa8a67d3d 100644 +--- a/ipaserver/plugins/user.py ++++ b/ipaserver/plugins/user.py +@@ -56,6 +56,7 @@ from .idviews import remove_ipaobject_overrides + from ipalib.plugable import Registry + from .baseldap import ( + LDAPObject, ++ pkey_to_unicode, + pkey_to_value, + LDAPCreate, + LDAPSearch, +@@ -701,6 +702,7 @@ class user_del(baseuser_del): + __doc__ = _('Delete a user.') + + msg_summary = _('Deleted user "%(value)s"') ++ msg_summary_preserved = _('Preserved user "%(value)s"') + + takes_options = baseuser_del.takes_options + ( + Bool('preserve?', +@@ -831,6 +833,8 @@ class user_del(baseuser_del): + failed.append(pkey_to_value(pkey, options)) + + val = dict(result=dict(failed=failed), value=preserved) ++ val['summary'] = self.msg_summary_preserved % dict( ++ value=pkey_to_unicode(preserved)) + return val + else: + return super(user_del, self).execute(*keys, **options) +-- +2.36.1 + +From 4984ff210a169129e4e56b10e54e9c795520855c Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 20 Jun 2022 09:12:14 +0200 +Subject: [PATCH] xmlrpc tests: updated expected output for preserved user + +Update the expected summary for the command +ipa user-del --preserve + +The command now displays: Preserved user: user1 +instead of Deleted user: user1 + +Related: https://pagure.io/freeipa/issue/9187 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +Reviewed-By: Rob Crittenden +--- + ipatests/test_xmlrpc/test_stageuser_plugin.py | 5 ++++- + ipatests/test_xmlrpc/tracker/user_plugin.py | 7 ++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py +index bc606b093..fd146876c 100644 +--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py ++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py +@@ -479,11 +479,12 @@ class TestActive(XMLRPC_test): + + def test_delete_preserve(self, user): + user.ensure_exists() +- user.track_delete() ++ user.track_delete(preserve=True) + command = user.make_delete_command(no_preserve=False, preserve=True) + result = command() + user.check_delete(result) + ++ user.track_delete(preserve=False) + command = user.make_delete_command() + result = command() + user.check_delete(result) +@@ -622,6 +623,7 @@ class TestCustomAttr(XMLRPC_test): + assert 'BusinessCat' in result['result'][u'businesscategory'] + + # delete the user with --preserve ++ user_customattr.track_delete(preserve=True) + command = user_customattr.make_delete_command(no_preserve=False, + preserve=True) + result = command() +@@ -763,6 +765,7 @@ class TestGroups(XMLRPC_test): + result = command() + group.check_retrieve(result) + ++ user.track_delete(preserve=True) + command = user.make_delete_command(no_preserve=False, preserve=True) + result = command() + user.check_delete(result) +diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py +index 03c106250..b04be4c19 100644 +--- a/ipatests/test_xmlrpc/tracker/user_plugin.py ++++ b/ipatests/test_xmlrpc/tracker/user_plugin.py +@@ -273,9 +273,14 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker): + + def check_delete(self, result): + """ Check 'user-del' command result """ ++ if u'preserved' in self.attrs and self.attrs[u'preserved']: ++ summary = u'Preserved user "%s"' % self.uid ++ else: ++ summary = u'Deleted user "%s"' % self.uid ++ + assert_deepequal(dict( + value=[self.uid], +- summary=u'Deleted user "%s"' % self.uid, ++ summary=summary, + result=dict(failed=[]), + ), result) + +-- +2.36.1 + diff --git a/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch b/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch new file mode 100644 index 0000000..54da08a --- /dev/null +++ b/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch @@ -0,0 +1,56 @@ +From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 29 Jun 2022 13:25:55 +0000 +Subject: [PATCH] Only calculate LDAP password grace when the password is + expired + +The user's pwd expiration was retrieved but inadvertently was never +compared to current time. So any LDAP bind, including from the +IPA API, counted against the grace period. There is no need to go +through the graceperiod code for non-expired passwords. + +https://pagure.io/freeipa/issue/1539 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c +index 0860b5c20..a3f57cb4b 100644 +--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c ++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c +@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) + Slapi_ValueSet *values = NULL; + long grace_limit = 0; + int grace_user_time; +- char *pwd_expiration = NULL; ++ char *tmpstr = NULL; ++ time_t pwd_expiration; + int pwresponse_requested = 0; + Slapi_PBlock *pbtm = NULL; + Slapi_Mods *smods = NULL; +@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) + } + slapi_value_free(&objectclass); + +- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); +- if (pwd_expiration == NULL) { ++ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); ++ if (tmpstr == NULL) { + /* No expiration means nothing to do */ + LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn); + goto done; + } ++ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr); ++ if (pwd_expiration > time(NULL)) { ++ /* Not expired, nothing to see here */ ++ goto done; ++ } + + ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry, + &values, &actual_type_name, +-- +2.36.1 + diff --git a/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch b/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch deleted file mode 100644 index 1e342e5..0000000 --- a/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 1 Feb 2022 16:43:09 +0100 -Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users - -Since 5d51ae5, principal keys were dropped in case user auth indicator -was not including password. Thereafter, the key removal behavior was -removed by 15ff9c8 in the context of the kdcpolicy plugin introduction. -Support for hardened pre-auth methods (FAST and SPAKE) was added in -d057040, and the removal of principal keys was restored afterwards by -f0d12b7, but not taking the new hardened auth indicator into account. - -Fixes: https://pagure.io/freeipa/issue/9065 -Related to: https://pagure.io/freeipa/issue/8001 - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 15f3df4fe..0d0d3748c 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, - &res_key_data, &result, &mkvno); - switch (ret) { - case 0: -- /* Only set a principal's key if password auth can be used. Otherwise -- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH -- * reply for AS-REQs which indicate the password authentication is -- * available. This might confuse applications like e.g. SSSD which try -- * to determine suitable authentication methods and corresponding -- * prompts with the help of MIT Kerberos' responder interface which -- * acts on the returned pre-authentication methods. A typical example -- * is enforced OTP authentication where of course keys are available -- * for the first factor but password authentication should not be -- * advertised by the KDC. */ -- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) { -+ /* Only set a principal's key if password or hardened auth can be used. -+ * Otherwise the KDC would add pre-authentication methods to the -+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password -+ * authentication is available. This might confuse applications like -+ * e.g. SSSD which try to determine suitable authentication methods and -+ * corresponding prompts with the help of MIT Kerberos' responder -+ * interface which acts on the returned pre-authentication methods. A -+ * typical example is enforced OTP authentication where of course keys -+ * are available for the first factor but password authentication -+ * should not be advertised by the KDC. */ -+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) && -+ (ua != IPADB_USER_AUTH_NONE)) { - /* This is the same behavior as ENOENT below. */ - ipa_krb5_free_key_data(res_key_data, result); - break; --- -2.34.1 - -From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 1 Feb 2022 19:38:29 +0100 -Subject: [PATCH] ipatests: add case for hardened-only ticket policy - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++-- - 1 file changed, 28 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py -index 63e75ae67..9489fbc97 100644 ---- a/ipatests/test_integration/test_krbtpolicy.py -+++ b/ipatests/test_integration/test_krbtpolicy.py -@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest): - result = master.run_command('klist | grep krbtgt') - assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True - -- def test_krbtpolicy_hardended(self): -- """Test a hardened kerberos ticket policy with 10 min tickets""" -+ def test_krbtpolicy_password_and_hardended(self): -+ """Test a pwd and hardened kerberos ticket policy with 10min tickets""" - master = self.master - master.run_command(['ipa', 'user-mod', USER1, - '--user-auth-type', 'password', -@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest): - result = master.run_command('klist | grep krbtgt') - assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True - -+ def test_krbtpolicy_hardended(self): -+ """Test a hardened kerberos ticket policy with 30min tickets""" -+ master = self.master -+ master.run_command(['ipa', 'user-mod', USER1, -+ '--user-auth-type', 'hardened']) -+ master.run_command(['ipa', 'config-mod', -+ '--user-auth-type', 'hardened']) -+ master.run_command(['ipa', 'krbtpolicy-mod', USER1, -+ '--hardened-maxlife', '1800']) -+ -+ tasks.kdestroy_all(master) -+ -+ master.run_command(['kinit', USER1], -+ stdin_text=PASSWORD + '\n') -+ result = master.run_command('klist | grep krbtgt') -+ assert maxlife_within_policy(result.stdout_text, 1800, -+ slush=1800) is True -+ -+ tasks.kdestroy_all(master) -+ -+ # Verify that the short policy only applies to USER1 -+ master.run_command(['kinit', USER2], -+ stdin_text=PASSWORD + '\n') -+ result = master.run_command('klist | grep krbtgt') -+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True -+ - def test_krbtpolicy_password(self): - """Test the kerberos ticket policy which issues 20 min tickets""" - master = self.master --- -2.34.1 - diff --git a/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch b/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch new file mode 100644 index 0000000..700df13 --- /dev/null +++ b/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch @@ -0,0 +1,346 @@ +From 857713c5a9c8e0b62c06dd92e69c09eeb34b2e99 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 23 May 2022 12:26:34 +0530 +Subject: [PATCH] Add end to end integration tests for external IdP + +Added tests for HBAC and SUDO rule and other +test scenarios. + +Related : https://pagure.io/freeipa/issue/8805 +Related: https://pagure.io/freeipa/issue/8803 +Related: https://pagure.io/freeipa/issue/8804 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_idp.py | 260 ++++++++++++++++++++++---- + 1 file changed, 226 insertions(+), 34 deletions(-) + +diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py +index 8f9e92e6a..2ffe6a208 100644 +--- a/ipatests/test_integration/test_idp.py ++++ b/ipatests/test_integration/test_idp.py +@@ -1,6 +1,8 @@ + from __future__ import absolute_import + + import time ++import pytest ++import re + + import textwrap + from ipaplatform.paths import paths +@@ -22,12 +24,12 @@ driver.get(verification_uri) + try: + element = WebDriverWait(driver, 90).until( + EC.presence_of_element_located((By.ID, "username"))) +- driver.find_element_by_id("username").send_keys("testuser1") +- driver.find_element_by_id("password").send_keys("{passwd}") +- driver.find_element_by_id("kc-login").click() ++ driver.find_element(By.ID, "username").send_keys("testuser1") ++ driver.find_element(By.ID, "password").send_keys("{passwd}") ++ driver.find_element(By.ID, "kc-login").click() + element = WebDriverWait(driver, 90).until( + EC.presence_of_element_located((By.ID, "kc-login"))) +- driver.find_element_by_id("kc-login").click() ++ driver.find_element(By.ID, "kc-login").click() + assert "Device Login Successful" in driver.page_source + finally: + now = datetime.now().strftime("%M-%S") +@@ -39,18 +41,12 @@ finally: + def add_user_code(host, verification_uri): + contents = user_code_script.format(uri=verification_uri, + passwd=host.config.admin_password) +- host.put_file_contents("/tmp/add_user_code.py", contents) +- tasks.run_repeatedly( +- host, ['python3', '/tmp/add_user_code.py']) +- +- +-def get_verification_uri(host, since, keycloak_server_name): +- command = textwrap.dedent(""" +- journalctl -u ipa-otpd\\* --since="%s" | grep "user_code:" | awk '{ print substr($7,2,9) }'""" % since) # noqa: E501 +- user_code = host.run_command(command).stdout_text.rstrip("\r\n") +- uri = ("https://{0}:8443/auth/realms/master/device?user_code={1}".format( +- keycloak_server_name, user_code)) +- return uri ++ try: ++ host.put_file_contents("/tmp/add_user_code.py", contents) ++ tasks.run_repeatedly( ++ host, ['python3', '/tmp/add_user_code.py']) ++ finally: ++ host.run_command(["rm", "-f", "/tmp/add_user_code.py"]) + + + def kinit_idp(host, user, keycloak_server): +@@ -58,11 +54,14 @@ def kinit_idp(host, user, keycloak_server): + tasks.kdestroy_all(host) + # create armor for FAST + host.run_command(["kinit", "-n", "-c", ARMOR]) +- since = time.strftime('%Y-%m-%d %H:%M:%S') + cmd = ["kinit", "-T", ARMOR, user] ++ + with host.spawn_expect(cmd, default_timeout=100) as e: +- e.expect('Authenticate at .+: ') +- uri = get_verification_uri(host, since, keycloak_server.hostname) ++ e.expect('Authenticate at (.+) and press ENTER.:') ++ prompt = e.get_last_output() ++ uri = re.search(r'Authenticate at (.*?) and press ENTER.:', prompt ++ ).group(1) ++ time.sleep(15) + if uri: + add_user_code(keycloak_server, uri) + e.sendline('\n') +@@ -74,21 +73,27 @@ def kinit_idp(host, user, keycloak_server): + + class TestIDPKeycloak(IntegrationTest): + +- num_replicas = 1 ++ num_replicas = 2 + topology = 'line' + + @classmethod + def install(cls, mh): +- tasks.install_master(cls.master, setup_dns=True) +- tasks.install_client(cls.master, cls.replicas[0]) +- content = cls.master.get_file_contents(paths.IPA_DEFAULT_CONF, +- encoding='utf-8') +- new_content = content + "\noidc_child_debug_level = 10" +- cls.master.put_file_contents(paths.IPA_DEFAULT_CONF, new_content) ++ cls.client = cls.replicas[0] ++ cls.replica = cls.replicas[1] ++ tasks.install_master(cls.master) ++ tasks.install_client(cls.master, cls.replicas[0], ++ extra_args=["--mkhomedir"]) ++ tasks.install_replica(cls.master, cls.replicas[1]) ++ for host in [cls.master, cls.replicas[0], cls.replicas[1]]: ++ content = host.get_file_contents(paths.IPA_DEFAULT_CONF, ++ encoding='utf-8') ++ new_content = content + "\noidc_child_debug_level = 10" ++ host.put_file_contents(paths.IPA_DEFAULT_CONF, new_content) + with tasks.remote_sssd_config(cls.master) as sssd_config: + sssd_config.edit_domain( + cls.master.domain, 'krb5_auth_timeout', 1100) + tasks.clear_sssd_cache(cls.master) ++ tasks.clear_sssd_cache(cls.replicas[0]) + tasks.kinit_admin(cls.master) + cls.master.run_command(["ipa", "config-mod", "--user-auth-type=idp", + "--user-auth-type=password"]) +@@ -97,20 +102,207 @@ class TestIDPKeycloak(IntegrationTest): + cls.replicas[0].run_command(xvfb) + + def test_auth_keycloak_idp(self): +- keycloak_srv = self.replicas[0] +- create_quarkus.setup_keycloakserver(keycloak_srv) ++ """ ++ Test case to check that OAuth 2.0 Device ++ Authorization Grant is working as ++ expected for user configured with external idp. ++ """ ++ create_quarkus.setup_keycloakserver(self.client) + time.sleep(60) +- create_quarkus.setup_keycloak_client(keycloak_srv) ++ create_quarkus.setup_keycloak_client(self.client) + tasks.kinit_admin(self.master) +- cmd = ["ipa", "idp-add", "keycloak", "--provider=keycloak", ++ cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak", + "--client-id=ipa_oidc_client", "--org=master", +- "--base-url={0}:8443/auth".format(keycloak_srv.hostname)] ++ "--base-url={0}:8443/auth".format(self.client.hostname)] + self.master.run_command(cmd, stdin_text="{0}\n{0}".format( +- keycloak_srv.config.admin_password)) ++ self.client.config.admin_password)) + tasks.user_add(self.master, 'keycloakuser', + extra_args=["--user-auth-type=idp", + "--idp-user-id=testuser1@ipa.test", +- "--idp=keycloak"] ++ "--idp=keycloakidp"] + ) ++ list_user = self.master.run_command( ++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test"] ++ ) ++ assert "keycloakuser" in list_user.stdout_text ++ list_by_idp = self.master.run_command(["ipa", "user-find", ++ "--idp=keycloakidp"] ++ ) ++ assert "keycloakuser" in list_by_idp.stdout_text ++ list_by_user = self.master.run_command( ++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test", "--all"] ++ ) ++ assert "keycloakidp" in list_by_user.stdout_text ++ tasks.clear_sssd_cache(self.master) ++ kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client) ++ ++ @pytest.fixture ++ def hbac_setup_teardown(self): ++ # allow sshd only on given host ++ tasks.kinit_admin(self.master) ++ self.master.run_command(["ipa", "hbacrule-disable", "allow_all"]) ++ self.master.run_command(["ipa", "hbacrule-add", "rule1"]) ++ self.master.run_command(["ipa", "hbacrule-add-user", "rule1", ++ "--users=keycloakuser"] ++ ) ++ self.master.run_command(["ipa", "hbacrule-add-host", "rule1", ++ "--hosts", self.replica.hostname]) ++ self.master.run_command(["ipa", "hbacrule-add-service", "rule1", ++ "--hbacsvcs=sshd"] ++ ) ++ tasks.clear_sssd_cache(self.master) ++ tasks.clear_sssd_cache(self.replica) ++ yield ++ ++ # cleanup ++ tasks.kinit_admin(self.master) ++ self.master.run_command(["ipa", "hbacrule-enable", "allow_all"]) ++ self.master.run_command(["ipa", "hbacrule-del", "rule1"]) ++ ++ def test_auth_hbac(self, hbac_setup_teardown): ++ """ ++ Test case to check that hbacrule is working as ++ expected for user configured with external idp. ++ """ ++ kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client) ++ ssh_cmd = "ssh -q -K -l keycloakuser {0} whoami" ++ valid_ssh = self.master.run_command( ++ ssh_cmd.format(self.replica.hostname)) ++ assert "keycloakuser" in valid_ssh.stdout_text ++ negative_ssh = self.master.run_command( ++ ssh_cmd.format(self.master.hostname), raiseonerr=False ++ ) ++ assert negative_ssh.returncode == 255 ++ ++ def test_auth_sudo_idp(self): ++ """ ++ Test case to check that sudorule is working as ++ expected for user configured with external idp. ++ """ ++ tasks.kdestroy_all(self.master) ++ tasks.kinit_admin(self.master) ++ # rule: keycloakuser are allowed to execute yum on ++ # the client machine as root. ++ cmdlist = [ ++ ["ipa", "sudocmd-add", "/usr/bin/yum"], ++ ["ipa", "sudorule-add", "sudorule"], ++ ['ipa', 'sudorule-add-user', '--users=keycloakuser', ++ 'sudorule'], ++ ['ipa', 'sudorule-add-host', '--hosts', ++ self.client.hostname, 'sudorule'], ++ ['ipa', 'sudorule-add-runasuser', ++ '--users=root', 'sudorule'], ++ ['ipa', 'sudorule-add-allow-command', ++ '--sudocmds=/usr/bin/yum', 'sudorule'], ++ ['ipa', 'sudorule-show', 'sudorule', '--all'], ++ ['ipa', 'sudorule-add-option', ++ 'sudorule', '--sudooption', "!authenticate"] ++ ] ++ for cmd in cmdlist: ++ self.master.run_command(cmd) ++ tasks.clear_sssd_cache(self.master) ++ tasks.clear_sssd_cache(self.client) ++ try: ++ cmd = 'sudo -ll -U keycloakuser' ++ test = self.client.run_command(cmd).stdout_text ++ assert "User keycloakuser may run the following commands" in test ++ assert "/usr/bin/yum" in test ++ kinit_idp(self.client, 'keycloakuser', self.client) ++ test_sudo = 'su -c "sudo yum list wget" keycloakuser' ++ self.client.run_command(test_sudo) ++ list_fail = self.master.run_command(cmd).stdout_text ++ assert "User keycloakuser is not allowed to run sudo" in list_fail ++ finally: ++ tasks.kinit_admin(self.master) ++ self.master.run_command(['ipa', 'sudorule-del', 'sudorule']) ++ self.master.run_command(["ipa", "sudocmd-del", "/usr/bin/yum"]) ++ ++ def test_auth_replica(self): ++ """ ++ Test case to check that OAuth 2.0 Device ++ Authorization is working as expected on replica. ++ """ ++ tasks.clear_sssd_cache(self.master) ++ tasks.clear_sssd_cache(self.replica) ++ tasks.kinit_admin(self.replica) ++ list_user = self.master.run_command( ++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test"] ++ ) ++ assert "keycloakuser" in list_user.stdout_text ++ list_by_idp = self.replica.run_command(["ipa", "user-find", ++ "--idp=keycloakidp"] ++ ) ++ assert "keycloakuser" in list_by_idp.stdout_text ++ list_by_user = self.replica.run_command( ++ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test", "--all"] ++ ) ++ assert "keycloakidp" in list_by_user.stdout_text ++ kinit_idp(self.replica, 'keycloakuser', keycloak_server=self.client) ++ ++ def test_idp_with_services(self): ++ """ ++ Test case to check that services can be configured ++ auth indicator as idp. ++ """ + tasks.clear_sssd_cache(self.master) +- kinit_idp(self.master, 'keycloakuser', keycloak_srv) ++ tasks.kinit_admin(self.master) ++ domain = self.master.domain.name.upper() ++ services = [ ++ "DNS/{0}@{1}".format(self.master.hostname, domain), ++ "HTTP/{0}@{1}".format(self.client.hostname, domain), ++ "dogtag/{0}@{1}".format(self.master.hostname, domain), ++ "ipa-dnskeysyncd/{0}@{1}".format(self.master.hostname, domain) ++ ] ++ try: ++ for service in services: ++ test = self.master.run_command(["ipa", "service-mod", service, ++ "--auth-ind=idp"] ++ ) ++ assert "Authentication Indicators: idp" in test.stdout_text ++ finally: ++ for service in services: ++ self.master.run_command(["ipa", "service-mod", service, ++ "--auth-ind="]) ++ ++ def test_idp_backup_restore(self): ++ """ ++ Test case to check that after restore data is retrieved ++ with related idp configuration. ++ """ ++ tasks.kinit_admin(self.master) ++ user = "backupuser" ++ cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak", ++ "--client-id=ipa_oidc_client", "--org=master", ++ "--base-url={0}:8443/auth".format(self.client.hostname)] ++ self.master.run_command(cmd, stdin_text="{0}\n{0}".format( ++ self.client.config.admin_password)) ++ ++ tasks.user_add(self.master, user, ++ extra_args=["--user-auth-type=idp", ++ "--idp-user-id=testuser1@ipa.test", ++ "--idp=testidp"] ++ ) ++ ++ backup_path = tasks.get_backup_dir(self.master) ++ # change data after backup ++ self.master.run_command(['ipa', 'user-del', user]) ++ self.master.run_command(['ipa', 'idp-del', 'testidp']) ++ dirman_password = self.master.config.dirman_password ++ self.master.run_command(['ipa-restore', backup_path], ++ stdin_text=dirman_password + '\nyes') ++ try: ++ list_user = self.master.run_command( ++ ['ipa', 'user-show', 'backupuser', '--all'] ++ ).stdout_text ++ assert "External IdP configuration: testidp" in list_user ++ assert "User authentication types: idp" in list_user ++ assert ("External IdP user identifier: " ++ "testuser1@ipa.test") in list_user ++ list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp']) ++ assert "testidp" in list_idp.stdout_text ++ kinit_idp(self.master, user, self.client) ++ finally: ++ tasks.kdestroy_all(self.master) ++ tasks.kinit_admin(self.master) ++ self.master.run_command(["rm", "-rf", backup_path]) ++ self.master.run_command(["ipa", "idp-del", "testidp"]) +-- +2.36.1 + diff --git a/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch b/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch deleted file mode 100644 index 3ac05fa..0000000 --- a/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 28 Jan 2022 16:58:42 +0100 -Subject: [PATCH] ipa-pki-proxy.conf: provide access to - /kra/admin/kra/getStatus - -The access to /kra/admin/kra/getStatus will be needed -in order to fix pki-healthcheck. -Note that this commit is a pre-requisite for the fix -to be done on PKI side. No test added since the full -integration test already exists in test_replica_promotion.py, -in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - -Fixes: https://pagure.io/freeipa/issue/9099 -Related: https://pagure.io/freeipa/issue/8582 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - install/share/ipa-pki-proxy.conf.template | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template -index 96708482c..7a46f20b9 100644 ---- a/install/share/ipa-pki-proxy.conf.template -+++ b/install/share/ipa-pki-proxy.conf.template -@@ -1,4 +1,4 @@ --# VERSION 16 - DO NOT REMOVE THIS LINE -+# VERSION 17 - DO NOT REMOVE THIS LINE - - ProxyRequests Off - -@@ -11,7 +11,7 @@ ProxyRequests Off - - - # matches for admin port and installer -- -+ - SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate - SSLVerifyClient none - ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET --- -2.34.1 - diff --git a/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch b/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch deleted file mode 100644 index 14d1f0c..0000000 --- a/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch +++ /dev/null @@ -1,755 +0,0 @@ -From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001 -From: Sumedh Sidhaye -Date: Fri, 14 Jan 2022 19:55:13 +0530 -Subject: [PATCH] Added test automation for SHA384withRSA CSR support - -Scenario 1: -Setup master with --ca-signing-algorithm=SHA384withRSA -Run certutil and check Signing Algorithm - -Scenario 2: -Setup a master -Stop services -Modify default.params.signingAlg in CS.cfg -Restart services -Resubmit cert (Resubmitted cert should have new Algorithm) - -Pagure Link: https://pagure.io/freeipa/issue/8906 - -Signed-off-by: Sumedh Sidhaye -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Antonio Torres ---- - .../test_integration/test_installation.py | 63 +++++++++++++++++++ - 1 file changed, 63 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 0947241ae..f2d372c0c 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration.env_config import get_global_config - from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup -+from ipatests.test_integration.test_cert import get_certmonger_fs_id - from ipaplatform import services - - -@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest): - tasks.install_replica( - self.master, self.replicas[0], setup_ca=False, setup_dns=False - ) -+ -+ -+class TestInstallwithSHA384withRSA(IntegrationTest): -+ num_replicas = 0 -+ -+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup): -+ tasks.install_master( -+ self.master, -+ extra_args=['--ca-signing-algorithm=SHA384withRSA'], -+ ) -+ -+ # check Signing Algorithm post installation -+ dashed_domain = self.master.domain.realm.replace(".", '-') -+ cmd_args = ['certutil', '-L', '-d', -+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain), -+ '-n', 'Server-Cert'] -+ result = self.master.run_command(cmd_args) -+ assert 'SHA-384 With RSA Encryption' in result.stdout_text -+ -+ def test_install_master_modify_existing(self, server_cleanup): -+ """ -+ Setup a master -+ Stop services -+ Modify default.params.signingAlg in CS.cfg -+ Restart services -+ Resubmit cert (Resubmitted cert should have new Algorithm) -+ """ -+ tasks.install_master(self.master) -+ self.master.run_command(['ipactl', 'stop']) -+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH, -+ encoding='utf-8') -+ new_lines = [] -+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA" -+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA" -+ for line in cs_cfg_content.split('\n'): -+ if line.startswith('ca.signing.defaultSigningAlgorithm'): -+ new_lines.append(replace_str) -+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'): -+ new_lines.append(ocsp_rep_str) -+ else: -+ new_lines.append(line) -+ self.master.put_file_contents(paths.CA_CS_CFG_PATH, -+ '\n'.join(new_lines)) -+ self.master.run_command(['ipactl', 'start']) -+ -+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM] -+ result = self.master.run_command(cmd) -+ request_id = get_certmonger_fs_id(result.stdout_text) -+ -+ # resubmit RA Agent cert -+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] -+ self.master.run_command(cmd) -+ -+ tasks.wait_for_certmonger_status(self.master, -+ ('CA_WORKING', 'MONITORING'), -+ request_id) -+ -+ cmd_args = ['openssl', 'x509', '-in', -+ paths.RA_AGENT_PEM, '-noout', '-text'] -+ result = self.master.run_command(cmd_args) -+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption' -+ assert assert_str in result.stdout_text --- -2.34.1 - -From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001 -From: Sumedh Sidhaye -Date: Thu, 25 Nov 2021 17:48:20 +0530 -Subject: [PATCH] Extend test to see if replica is not shown when running - `ipa-replica-manage list -v ` - -Related: https://pagure.io/freeipa/issue/8605 - -Signed-off-by: Sumedh Sidhaye -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_simple_replication.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py -index 8de385144..17092a499 100644 ---- a/ipatests/test_integration/test_simple_replication.py -+++ b/ipatests/test_integration/test_simple_replication.py -@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest): - # has to be run with --force, there is no --unattended - self.master.run_command(['ipa-replica-manage', 'del', - self.replicas[0].hostname, '--force']) -- result = self.master.run_command(['ipa-replica-manage', 'list']) -+ result = self.master.run_command( -+ ['ipa-replica-manage', 'list', '-v', self.master.hostname]) - assert self.replicas[0].hostname not in result.stdout_text --- -2.34.1 - -From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Fri, 26 Nov 2021 12:11:21 +0530 -Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica - teardown - -Fixture `expire_certs` moves date back after renewing the certs. -This is causing the ipa-replica to fail. This fix first uninstalls -the server then moves back the date. - -Fixes: https://pagure.io/freeipa/issue/9052 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py -index 39904d5de..5b56054b4 100644 ---- a/ipatests/test_integration/test_ipa_cert_fix.py -+++ b/ipatests/test_integration/test_ipa_cert_fix.py -@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest): - setup_dns=False, extra_args=['--no-ntp'] - ) - -+ @classmethod -+ def uninstall(cls, mh): -+ # Uninstall method is empty as the uninstallation is done in -+ # the fixture -+ pass -+ - @pytest.fixture - def expire_certs(self): - # move system date to expire certs -@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest): - yield - - # move date back on replica and master -- for host in self.master, self.replicas[0]: -+ for host in self.replicas[0], self.master: -+ tasks.uninstall_master(host) - tasks.move_date(host, 'start', '-3years-1days') - - def test_renew_expired_cert_replica(self, expire_certs): --- -2.34.1 - -From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 13 Dec 2021 17:37:05 +0530 -Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit. - -related : https://pagure.io/freeipa/issue/8962 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_installation.py | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 95cfaad54..0947241ae 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest): - ) - assert "nsslapd-db-locks" not in result.stdout_text - -+ def test_nsslapd_sizelimit(self): -+ """ Test for default value of nsslapd-sizelimit. -+ -+ Related : https://pagure.io/freeipa/issue/8962 -+ """ -+ result = tasks.ldapsearch_dm( -+ self.master, -+ "cn=config", -+ ["nsslapd-sizelimit"], -+ scope="base" -+ ) -+ assert "nsslapd-sizelimit: 100000" in result.stdout_text -+ - def test_admin_root_alias_CVE_2020_10747(self): - # Test for CVE-2020-10747 fix - # https://bugzilla.redhat.com/show_bug.cgi?id=1810160 --- -2.34.1 - -From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 25 Nov 2021 13:10:05 +0530 -Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to - segfault - -When empty cert request is submitted to certmonger, it goes to -segfault. This fix test that if something like this happens, -certmonger should gracefuly handle it - -and some PEP8 fixes - -related: https://pagure.io/certmonger/issue/191 - -Signed-off-by: Mohammad Rizwan ---- - ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++- - 1 file changed, 78 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py -index 5ffb8c608..0518d7954 100644 ---- a/ipatests/test_integration/test_cert.py -+++ b/ipatests/test_integration/test_cert.py -@@ -14,6 +14,7 @@ import random - import re - import string - import time -+import textwrap - - from ipaplatform.paths import paths - from ipapython.dn import DN -@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest): - tasks.kinit_admin(self.master) - tasks.user_add(self.master, user) - -- for id in (0,1): -+ for id in (0, 1): - csr_file = f'{id}.csr' - key_file = f'{id}.key' - cert_file = f'{id}.crt' -@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest): - error_msg = 'ipa: ERROR: The certificate for ' \ - '{} is not available on this server.'.format(lwca) - assert error_msg in result.stderr_text -+ -+ def test_certmonger_empty_cert_not_segfault(self): -+ """Test empty cert request doesn't force certmonger to segfault -+ -+ Test scenario: -+ create a cert request file in /var/lib/certmonger/requests which is -+ missing most of the required information, and ask request a new -+ certificate to certmonger. The wrong request file should not make -+ certmonger crash. -+ -+ related: https://pagure.io/certmonger/issue/191 -+ """ -+ empty_cert_req_content = textwrap.dedent(""" -+ id=dogtag-ipa-renew-agent -+ key_type=UNSPECIFIED -+ key_gen_type=UNSPECIFIED -+ key_size=0 -+ key_gen_size=0 -+ key_next_type=UNSPECIFIED -+ key_next_gen_type=UNSPECIFIED -+ key_next_size=0 -+ key_next_gen_size=0 -+ key_preserve=0 -+ key_storage_type=NONE -+ key_perms=0 -+ key_requested_count=0 -+ key_issued_count=0 -+ cert_storage_type=FILE -+ cert_perms=0 -+ cert_is_ca=0 -+ cert_ca_path_length=0 -+ cert_no_ocsp_check=0 -+ last_need_notify_check=19700101000000 -+ last_need_enroll_check=19700101000000 -+ template_is_ca=0 -+ template_ca_path_length=-1 -+ template_no_ocsp_check=0 -+ state=NEED_KEY_PAIR -+ autorenew=0 -+ monitor=0 -+ submitted=19700101000000 -+ """) -+ # stop certmonger service -+ self.master.run_command(['systemctl', 'stop', 'certmonger']) -+ -+ # place an empty cert request file to certmonger request dir -+ self.master.put_file_contents( -+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), -+ empty_cert_req_content -+ ) -+ -+ # start certmonger, it should not fail -+ self.master.run_command(['systemctl', 'start', 'certmonger']) -+ -+ # request a new cert, should succeed and certmonger doesn't goes -+ # to segfault -+ result = self.master.run_command([ -+ "ipa-getcert", "request", -+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"), -+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"), -+ ]) -+ request_id = re.findall(r'\d+', result.stdout_text) -+ -+ # check if certificate is in MONITORING state -+ status = tasks.wait_for_request(self.master, request_id[0], 50) -+ assert status == "MONITORING" -+ -+ self.master.run_command( -+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]] -+ ) -+ self.master.run_command([ -+ 'rm', '-rf', -+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), -+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'), -+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key') -+ ]) --- -2.34.1 - -From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 6 Dec 2021 20:50:01 +0530 -Subject: [PATCH] ipatests: webui: Tests for subordinate ids. - -Added web-ui tests to verify where operations -using subordinate ids are working as expected. - -Related : https://pagure.io/freeipa/issue/8361 - -Signed-off-by: Anuja More -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++ - ipatests/test_webui/ui_driver.py | 28 ++++++ - 2 files changed, 169 insertions(+) - create mode 100644 ipatests/test_webui/test_subid.py - -diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py -new file mode 100644 -index 000000000..26decdba0 ---- /dev/null -+++ b/ipatests/test_webui/test_subid.py -@@ -0,0 +1,141 @@ -+ -+""" -+Tests for subordinateid. -+""" -+ -+from ipatests.test_webui.ui_driver import UI_driver -+import ipatests.test_webui.data_config as config_data -+import ipatests.test_webui.data_user as user_data -+from ipatests.test_webui.ui_driver import screenshot -+import re -+ -+ -+class test_subid(UI_driver): -+ -+ def add_user(self, pkey, name, surname): -+ self.add_record('user', { -+ 'pkey': pkey, -+ 'add': [ -+ ('textbox', 'uid', pkey), -+ ('textbox', 'givenname', name), -+ ('textbox', 'sn', surname), -+ ] -+ }) -+ -+ def set_default_subid(self): -+ self.navigate_to_entity(config_data.ENTITY) -+ self.check_option('ipauserdefaultsubordinateid', 'checked') -+ self.facet_button_click('save') -+ -+ def get_user_count(self, user_pkey): -+ self.navigate_to_entity('subid', facet='search') -+ self.apply_search_filter(user_pkey) -+ self.wait_for_request() -+ return self.get_rows() -+ -+ @screenshot -+ def test_set_defaultsubid(self): -+ """ -+ Test to verify that enable/disable is working for -+ adding subids to new users. -+ """ -+ self.init_app() -+ self.add_record(user_data.ENTITY, user_data.DATA2) -+ self.navigate_to_entity(config_data.ENTITY) -+ # test subid can be enabled/disabled. -+ self.set_default_subid() -+ assert self.get_field_checked('ipauserdefaultsubordinateid') -+ self.set_default_subid() -+ assert not self.get_field_checked('ipauserdefaultsubordinateid') -+ -+ @screenshot -+ def test_user_defaultsubid(self): -+ """ -+ Test to verify that subid is generated for new user. -+ """ -+ self.init_app() -+ user_pkey = "some-user" -+ -+ self.set_default_subid() -+ assert self.get_field_checked('ipauserdefaultsubordinateid') -+ -+ before_count = self.get_user_count(user_pkey) -+ assert len(before_count) == 0 -+ -+ self.add_user(user_pkey, 'Some', 'User') -+ after_count = self.get_user_count(user_pkey) -+ assert len(after_count) == 1 -+ -+ @screenshot -+ def test_user_subid_mod_desc(self): -+ """ -+ Test to verify that auto-assigned subid description is modified. -+ """ -+ self.init_app() -+ self.navigate_to_record("some-user") -+ self.switch_to_facet('memberof_subid') -+ rows = self.get_rows() -+ self.navigate_to_row_record(rows[-1]) -+ self.fill_textbox("description", "some-user-subid-desc") -+ self.facet_button_click('save') -+ -+ @screenshot -+ def test_admin_subid(self): -+ """ -+ Test to verify that subid range is created with owner admin. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ self.facet_button_click('add') -+ self.select_combobox('ipaowner', 'admin') -+ self.dialog_button_click('add') -+ self.wait(0.3) -+ self.assert_no_error_dialog() -+ -+ @screenshot -+ def test_admin_subid_negative(self): -+ """ -+ Test to verify that readding the subid fails with error. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ self.facet_button_click('add') -+ self.select_combobox('ipaowner', 'admin') -+ self.dialog_button_click('add') -+ self.wait(0.3) -+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog') -+ text = self.get_text('.modal-body div p', err_dialog) -+ text = text.strip() -+ pattern = r'Subordinate id with with name .* already exists.' -+ assert re.search(pattern, text) is not None -+ self.close_all_dialogs() -+ -+ @screenshot -+ def test_user_subid_add(self): -+ """ -+ Test to verify that subid range is created for given user. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ before_count = self.get_rows() -+ self.facet_button_click('add') -+ self.select_combobox('ipaowner', user_data.PKEY2) -+ self.dialog_button_click('add') -+ self.wait(0.3) -+ self.assert_no_error_dialog() -+ after_count = self.get_rows() -+ assert len(before_count) < len(after_count) -+ -+ @screenshot -+ def test_subid_del(self): -+ """ -+ Test to remove subordinate id for given user. -+ """ -+ self.init_app() -+ self.navigate_to_entity('subid', facet='search') -+ user_uid = self.get_record_pkey("some-user", "ipaowner", -+ table_name="ipauniqueid") -+ before_count = self.get_rows() -+ self.delete_record(user_uid, table_name="ipauniqueid") -+ after_count = self.get_rows() -+ assert len(before_count) > len(after_count) -diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py -index 46fd512ae..77fd74e49 100644 ---- a/ipatests/test_webui/ui_driver.py -+++ b/ipatests/test_webui/ui_driver.py -@@ -1151,6 +1151,34 @@ class UI_driver: - return row - return None - -+ def get_row_by_column_value(self, key, column_name, parent=None, -+ table_name=None): -+ """ -+ Get the first matched row element of a search table with given key -+ matched against selected column. None if not found -+ """ -+ rows = self.get_rows(parent, table_name) -+ s = "td div[name='%s']" % column_name -+ for row in rows: -+ has = self.find(s, By.CSS_SELECTOR, row) -+ if has.text == key: -+ return row -+ return None -+ -+ def get_record_pkey(self, key, column, parent=None, table_name=None): -+ """ -+ Get record pkey if value of column is known -+ """ -+ row = self.get_row_by_column_value(key, -+ column_name=column, -+ parent=parent, -+ table_name=table_name) -+ val = None -+ if row: -+ el = self.find("td input", By.CSS_SELECTOR, row) -+ val = el.get_attribute("value") -+ return val -+ - def navigate_to_row_record(self, row, pkey_column=None): - """ - Navigate to record by clicking on a link. --- -2.34.1 - -From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001 -From: Michal Polovka -Date: Fri, 7 Jan 2022 12:12:26 +0100 -Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML - configuration file - -FullLoader class for YAML loader was introduced in version 5.1 which -also deprecated default loader. SafeLoader, however, stays consistent -across the versions and brings added security. - -This fix is necessary as PyYAML > 5.1 is not available in downstream. - -Related: https://pagure.io/freeipa/issue/9009 - -Signed-off-by: Michal Polovka -Reviewed-By: Rob Crittenden ---- - ipatests/test_webui/ui_driver.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py -index 77fd74e49..519efee9b 100644 ---- a/ipatests/test_webui/ui_driver.py -+++ b/ipatests/test_webui/ui_driver.py -@@ -192,7 +192,7 @@ class UI_driver: - if not NO_YAML and os.path.isfile(path): - try: - with open(path, 'r') as conf: -- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader) -+ cls.config = yaml.safe_load(stream=conf) - except yaml.YAMLError as e: - pytest.skip("Invalid Web UI config.\n%s" % e) - except IOError as e: --- -2.34.1 - -From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 18 Nov 2021 18:43:22 +0530 -Subject: [PATCH] PEP8 Fixes - -Signed-off-by: Mohammad Rizwan ---- - .../test_integration/test_replica_promotion.py | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index 1a4e9bc12..c328b1a08 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): - assert res.returncode == 1 - assert expected_err in res.stderr_text - -- - @replicas_cleanup - def test_one_command_installation(self): - """ -@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): - Firewall(self.replicas[0]).enable_services(["freeipa-ldap", - "freeipa-ldaps"]) - self.replicas[0].run_command(['ipa-replica-install', '-w', -- self.master.config.admin_password, -- '-n', self.master.domain.name, -- '-r', self.master.domain.realm, -- '--server', self.master.hostname, -- '-U']) -+ self.master.config.admin_password, -+ '-n', self.master.domain.name, -+ '-r', self.master.domain.realm, -+ '--server', self.master.hostname, -+ '-U']) - # Ensure that pkinit is properly configured, test for 7566 - result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) - assert "PKINIT is enabled" in result.stdout_text -@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest): - result1 = client.run_command(['ipa-replica-install', '-U', '-w', - self.master.config.dirman_password], - raiseonerr=False) -- assert(result1.returncode == 0), ( -+ assert (result1.returncode == 0), ( - 'Failed to promote the client installed with the upcase domain name') - - def test_client_rollback(self): -@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest): - assert("An error occurred while removing SSSD" not in - result.stdout_text) - -+ - class TestRenewalMaster(IntegrationTest): - - topology = 'star' --- -2.34.1 - -From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 18 Nov 2021 18:36:58 +0530 -Subject: [PATCH] Test cases for ipa-replica-conncheck command - -Following test cases would be checked: -- when called with --principal (it should then prompt for a password) -- when called with --principal / --password -- when called without principal and password but with a kerberos TGT, - kinit admin done before calling ipa-replica-conncheck -- when called without principal and password, and without any kerberos - TGT (it should default to principal=admin and prompt for a password) - -related: https://pagure.io/freeipa/issue/9047 - -Signed-off-by: Mohammad Rizwan ---- - .../test_replica_promotion.py | 70 +++++++++++++++++++ - 1 file changed, 70 insertions(+) - -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index b9c56f775..1a4e9bc12 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest): - self.assertCARenewalMaster(master, replica.hostname) - self.assertCARenewalMaster(replica, replica.hostname) - -+ def test_replica_concheck(self): -+ """Test cases for ipa-replica-conncheck command -+ -+ Following test cases would be checked: -+ - when called with --principal (it should then prompt for a password) -+ - when called with --principal / --password -+ - when called without principal and password but with a kerberos TGT, -+ kinit admin done before calling ipa-replica-conncheck -+ - when called without principal and password, and without any kerberos -+ TGT (it should default to principal=admin and prompt for a password) -+ -+ related: https://pagure.io/freeipa/issue/9047 -+ """ -+ exp_str1 = "Connection from replica to master is OK." -+ exp_str2 = "Connection from master to replica is OK" -+ tasks.kdestroy_all(self.replicas[0]) -+ # when called with --principal (it should then prompt for a password) -+ result = self.replicas[0].run_command( -+ ['ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm, -+ '-p', self.replicas[0].config.admin_name], -+ stdin_text=self.master.config.admin_password -+ ) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ -+ # when called with --principal / --password -+ result = self.replicas[0].run_command([ -+ 'ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm, -+ '-p', self.replicas[0].config.admin_name, -+ '-w', self.master.config.admin_password -+ ]) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ -+ # when called without principal and password, and without -+ # any kerberos TGT, it should default to principal=admin -+ # and prompt for a password -+ result = self.replicas[0].run_command( -+ ['ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm], -+ stdin_text=self.master.config.admin_password -+ ) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ -+ # when called without principal and password but with a kerberos TGT, -+ # kinit admin done before calling ipa-replica-conncheck -+ tasks.kinit_admin(self.replicas[0]) -+ result = self.replicas[0].run_command( -+ ['ipa-replica-conncheck', '--auto-master-check', -+ '--master', self.master.hostname, -+ '-r', self.replicas[0].domain.realm] -+ ) -+ assert result.returncode == 0 -+ assert ( -+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text -+ ) -+ tasks.kdestroy_all(self.replicas[0]) -+ - def test_automatic_renewal_master_transfer_ondelete(self): - # Test that after replica uninstallation, master overtakes the cert - # renewal master role from replica (which was previously set there) --- -2.34.1 - diff --git a/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch b/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch new file mode 100644 index 0000000..25e9f72 --- /dev/null +++ b/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch @@ -0,0 +1,67 @@ +From 991849cf58fa990ad4540a61214b5ab4fcd4baa1 Mon Sep 17 00:00:00 2001 +From: Armando Neto +Date: Fri, 8 Jul 2022 15:56:31 -0300 +Subject: [PATCH] webui: Do not allow empty pagination size + +Pagination size must be required, the current validators are triggered after +form is submitted, thus the only way for check if data is not empty is by making +the field required. + +Fixes: https://pagure.io/freeipa/issue/9192 + +Signed-off-by: Armando Neto +Reviewed-By: Florence Blanc-Renaud +--- + .../ui/src/freeipa/Application_controller.js | 1 + + ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js +index 46aabc9c4..140ee8fe0 100644 +--- a/install/ui/src/freeipa/Application_controller.js ++++ b/install/ui/src/freeipa/Application_controller.js +@@ -318,6 +318,7 @@ define([ + $type: 'text', + name: 'pagination_size', + label: '@i18n:customization.table_pagination', ++ required: true, + validators: ['positive_integer'] + } + ] +diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py +index 5f7ffb54e..aca9e1a99 100644 +--- a/ipatests/test_webui/test_misc_cases.py ++++ b/ipatests/test_webui/test_misc_cases.py +@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot + import pytest + import re + ++try: ++ from selenium.webdriver.common.by import By ++except ImportError: ++ pass ++ + + @pytest.mark.tier1 + class TestMiscCases(UI_driver): +@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver): + ver_re = re.compile('version: .*') + assert re.search(ver_re, about_text), 'Version not found' + self.dialog_button_click('ok') ++ ++ @screenshot ++ def test_customization_pagination_input_required(self): ++ """Test if 'pagination size' is required when submitting the form.""" ++ self.init_app() ++ ++ self.profile_menu_action('configuration') ++ self.fill_input('pagination_size', '') ++ self.dialog_button_click('save') ++ ++ pagination_size_elem = self.find( ++ ".widget[name='pagination_size']", By.CSS_SELECTOR) ++ ++ self.assert_field_validation_required(parent=pagination_size_elem) +-- +2.36.1 + diff --git a/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch b/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch deleted file mode 100644 index f8b3b9f..0000000 --- a/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch +++ /dev/null @@ -1,104 +0,0 @@ -From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 28 Jan 2022 16:46:35 -0500 -Subject: [PATCH] Don't always override the port in import_included_profiles - -I can only guess to the original purpose of this override. I -believe it was because this is called in the installer prior -to Apache being set up. The expectation was that this would -only be called locally. It predates the RestClient class. - -RestClient will attempt to find an available service. In this -case, during a CA installation, the local server is not -considered available because it lacks an entry in -cn=masters. So it will never be returned as an option. - -So by overriding the port to 8443 the remote connection will -likely fail because we don't require that the port be open. - -So instead, instantiate a RestClient and see what happens. - -There are several use-cases: - -1. Installing an initial server. The RestClient connection - should fail, so we will fall back to the override port and - use the local server. If Apache happens to be running with - a globally-issued certificate then the RestClient will - succeed. In this case if the connected host and the local - hostname are the same, override in that case as well. - -2. Installing as a replica. In this case the local server should - be ignored in all cases and a remote CA will be picked with - no override done. - -3. Switching from CA-less to CA-ful. The web server will be - trusted but the RestClient login will fail with a 404. Fall - back to the override port in this case. - -The motivation for this is trying to install an EL 8.x replica -against an EL 7.9 server. 8.5+ includes the ACME service and -a new profile is needed which doesn't exist in 7. This was -failing because the RestClient determined that the local server -wasn't running a CA so tried the remote one (7.9) on the override -port 8443. Since this port isn't open: failure. - -Chances are that adding the profile is still going to fail -because again, 7.9 lacks ACME capabilities, but it will fail in -a way that allows the installation to continue. - -I suspect that all of the overrides can similarly handled, or -handled directly within the RestClient class, but for the sake -of "do no harm" I'm only changing this instance for now. - -https://pagure.io/freeipa/issue/9100 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++- - 1 file changed, 29 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 8c8bf1b3a..ad206aad4 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -1953,7 +1953,35 @@ def import_included_profiles(): - cn=['certprofiles'], - ) - -- api.Backend.ra_certprofile.override_port = 8443 -+ # At this point Apache may or may not be running with a valid -+ # certificate. The local server is not yet recognized as a full -+ # CA yet so it isn't discoverable. So try to do some detection -+ # on what port to use, 443 (remote) or 8443 (local) for importing -+ # the profiles. -+ # -+ # api.Backend.ra_certprofile invokes the RestClient class -+ # which will discover and login to the CA REST API. We can -+ # use this information to detect where to import the profiles. -+ # -+ # If the login is successful (e.g. doesn't raise an exception) -+ # and it returns our hostname (it prefers the local host) then -+ # we override and talk locally. -+ # -+ # Otherwise a NetworkError means we can't connect on 443 (perhaps -+ # a firewall) or we get an HTTP error (valid TLS certificate on -+ # Apache but no CA, login fails with 404) so we override to the -+ # local server. -+ # -+ # When override port was always set to 8443 the RestClient could -+ # pick a remote server and since 8443 isn't in our firewall profile -+ # setting up a new server would fail. -+ try: -+ with api.Backend.ra_certprofile as profile_api: -+ if profile_api.ca_host == api.env.host: -+ api.Backend.ra_certprofile.override_port = 8443 -+ except (errors.NetworkError, errors.RemoteRetrieveError) as e: -+ logger.debug('Overriding CA port: %s', e) -+ api.Backend.ra_certprofile.override_port = 8443 - - for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: - dn = DN(('cn', profile_id), --- -2.34.1 - diff --git a/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch b/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch new file mode 100644 index 0000000..93cfab9 --- /dev/null +++ b/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch @@ -0,0 +1,56 @@ +From ade5093b08f92b279c200f341e96972a74f644d8 Mon Sep 17 00:00:00 2001 +From: Carla Martinez +Date: Fri, 29 Jul 2022 13:16:16 +0200 +Subject: [PATCH] webui: Allow grace login limit + +There was no support for setting the grace login limit on the WebUI. The +only way to so was only via CLI: + + `ipa pwpolicy-mod --gracelimit=2 global_policy` + +Thus, the grace login limit must be updated from the policy section and +this will reflect also on the user settings (under the 'Password Policy' +section) + +Fixes: https://pagure.io/freeipa/issue/9211 + +Signed-off-by: Carla Martinez +Reviewed-By: Florence Blanc-Renaud +--- + install/ui/src/freeipa/policy.js | 3 +++ + install/ui/src/freeipa/user.js | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js +index fa2028a52..7ec103636 100644 +--- a/install/ui/src/freeipa/policy.js ++++ b/install/ui/src/freeipa/policy.js +@@ -72,6 +72,9 @@ return { + { + name: 'cospriority', + required: true ++ }, ++ { ++ name: 'passwordgracelimit' + } + ] + }] +diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js +index a580db035..b47c97f72 100644 +--- a/install/ui/src/freeipa/user.js ++++ b/install/ui/src/freeipa/user.js +@@ -318,6 +318,11 @@ return { + label: '@mo-param:pwpolicy:krbpwdlockoutduration:label', + read_only: true, + measurement_unit: 'seconds' ++ }, ++ { ++ name: 'passwordgracelimit', ++ label: '@mo-param:pwpolicy:passwordgracelimit:label', ++ read_only: true + } + ] + }, +-- +2.37.2 + diff --git a/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch b/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch deleted file mode 100644 index e083b06..0000000 --- a/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 31 Jan 2022 17:31:50 -0500 -Subject: [PATCH] Remove ipa-join errors from behind the debug option - -This brings it inline with the previous XML-RPC output which -only hid the request and response from the output and not -any errors returned. - -https://pagure.io/freeipa/issue/9103 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Peter Keresztes Schmidt ---- - client/ipa-join.c | 27 +++++++++------------------ - 1 file changed, 9 insertions(+), 18 deletions(-) - -diff --git a/client/ipa-join.c b/client/ipa-join.c -index d98739a9a..5888a33bf 100644 ---- a/client/ipa-join.c -+++ b/client/ipa-join.c -@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response - - json_str = json_dumps(json, 0); - if (!json_str) { -- if (debug) -- fprintf(stderr, _("json_dumps() failed\n")); -+ fprintf(stderr, _("json_dumps() failed\n")); - - rval = 17; - goto cleanup; -@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response - CURLcode res = curl_easy_perform(curl); - if (res != CURLE_OK) - { -- if (debug) -- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); -+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); - - rval = 17; - goto cleanup; -@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response - curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code); - - if (resp_code != 200) { -- if (debug) -- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); -+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); - - if (!quiet && resp_code == 401) - fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n")); -@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { - - j_root = json_loads(payload, 0, &j_error); - if (!j_root) { -- if (debug) -- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); -+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; -@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { - - *j_result_obj = json_object_get(j_root, "result"); - if (!*j_result_obj) { -- if (debug) -- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); -+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); - - rval = 17; - goto cleanup; -@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet) - &tmp_hostdn, - "krbprincipalname", &tmp_princ, - "krblastpwdchange", &tmp_pwdch) != 0) { -- if (debug) -- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); -+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; -@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co - "nshardwareplatform", uinfo.machine); - - if (!json_req) { -- if (debug) -- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); -+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; -@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) { - - if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}", - "result", result) != 0) { -- if (debug) -- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); -+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); - - rval = 20; - goto cleanup; -@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) { - host); - - if (!json_req) { -- if (debug) -- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); -+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); - - rval = 17; - goto cleanup; --- -2.34.1 - diff --git a/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch b/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch new file mode 100644 index 0000000..36629da --- /dev/null +++ b/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch @@ -0,0 +1,35 @@ +From 05a298f56485222583cb7dd4f6a3a4c5c77fc8cf Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Sun, 7 Aug 2022 12:44:47 +0200 +Subject: [PATCH] check_repl_update: in progress is a boolean + +With the fix for https://pagure.io/freeipa/issue/9171, +nsds5replicaUpdateInProgress is now handled as a boolean. +One remaining occurrence was still handling it as a string +and calling lower() on its value. + +Replace with direct boolean comparison. + +Fixes: https://pagure.io/freeipa/issue/9218 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/install/replication.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index 16be3760c..9d9aa1c4b 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -1152,7 +1152,7 @@ class ReplicationManager: + except (ValueError, TypeError, KeyError): + end = 0 + # incremental update is done if inprogress is false and end >= start +- done = inprogress and inprogress.lower() == 'false' and start <= end ++ done = inprogress is not None and not inprogress and start <= end + logger.info("Replication Update in progress: %s: status: %s: " + "start: %d: end: %d", + inprogress, status, start, end) +-- +2.37.2 + diff --git a/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch b/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch new file mode 100644 index 0000000..17088cf --- /dev/null +++ b/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch @@ -0,0 +1,125 @@ +From 1316cd8b2252c2543cf2ef2186956a8833037b1e Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 21 Jul 2022 09:28:46 -0400 +Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds + +Originally the code treated 0 as disabled. This was +changed during the review process to -1 but one remnant +was missed effetively allowing gracelimit 0 to also mean +disabled. + +Add explicit tests for testing with gracelimit = 0 and +gracelimit = -1. + +Also remove some extranous "str(self.master.domain.basedn)" +lines from some of the tests. + +Fixes: https://pagure.io/freeipa/issue/9206 + +Signed-off-by: Rob Crittenden +Reviewed-By: Francisco Trivino +--- + .../ipa-graceperiod/ipa_graceperiod.c | 2 +- + ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++- + 2 files changed, 53 insertions(+), 4 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c +index a3f57cb4b..345e1dee7 100644 +--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c ++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c +@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) + if (pwresponse_requested) { + slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1); + } +- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) { ++ } else if (grace_user_time >= grace_limit) { + LOG_TRACE("%s password is expired and out of grace limit\n", dn); + errstr = "Password is expired.\n"; + ret = LDAP_INVALID_CREDENTIALS; +diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py +index 6d6698284..41d6e9070 100644 +--- a/ipatests/test_integration/test_pwpolicy.py ++++ b/ipatests/test_integration/test_pwpolicy.py +@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest): + cls.master.run_command(['ipa', 'group-add-member', POLICY, + '--users', USER]) + cls.master.run_command(['ipa', 'pwpolicy-add', POLICY, +- '--priority', '1']) ++ '--priority', '1', '--gracelimit', '-1']) + cls.master.run_command(['ipa', 'passwd', USER], + stdin_text='{password}\n{password}\n'.format( + password=PASSWORD +@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest): + + def test_graceperiod_expired(self): + """Test the LDAP bind grace period""" +- str(self.master.domain.basedn) + dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( + user=USER, base_dn=str(self.master.domain.basedn)) + +@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest): + + def test_graceperiod_not_replicated(self): + """Test that the grace period is reset on password reset""" +- str(self.master.domain.basedn) + dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( + user=USER, base_dn=str(self.master.domain.basedn)) + +@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest): + ) + assert 'passwordgraceusertime: 0' in result.stdout_text.lower() + self.reset_password(self.master) ++ ++ def test_graceperiod_zero(self): ++ """Test the LDAP bind with zero grace period""" ++ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( ++ user=USER, base_dn=str(self.master.domain.basedn)) ++ ++ self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ], ++ ) ++ ++ # Resetting the password will mark it as expired ++ self.reset_password(self.master) ++ ++ # Now grace is done and binds should fail. ++ result = self.master.run_command( ++ ["ldapsearch", "-e", "ppolicy", "-D", dn, ++ "-w", PASSWORD, "-b", dn], raiseonerr=False ++ ) ++ assert result.returncode == 49 ++ ++ assert 'Password is expired' in result.stderr_text ++ assert 'Password expired, 0 grace logins remain' in result.stderr_text ++ ++ def test_graceperiod_disabled(self): ++ """Test the LDAP bind with grace period disabled (-1)""" ++ str(self.master.domain.basedn) ++ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( ++ user=USER, base_dn=str(self.master.domain.basedn)) ++ ++ # This can fail if gracelimit is already -1 so ignore it ++ self.master.run_command( ++ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",], ++ raiseonerr=False, ++ ) ++ ++ # Ensure the password is expired ++ self.reset_password(self.master) ++ ++ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD) ++ ++ for _i in range(0, 10): ++ result = self.master.run_command( ++ ["ldapsearch", "-e", "ppolicy", "-D", dn, ++ "-w", PASSWORD, "-b", dn] ++ ) ++ ++ # With graceperiod disabled it should not increment ++ result = tasks.ldapsearch_dm( ++ self.master, dn, ['passwordgraceusertime',], ++ ) ++ assert 'passwordgraceusertime: 0' in result.stdout_text.lower() +-- +2.37.2 + diff --git a/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch b/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch deleted file mode 100644 index ef581d8..0000000 --- a/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 7 Feb 2022 10:39:55 -0500 -Subject: [PATCH] Enable the ccache sweep timer during installation - -The timer was only being enabled during package installation -if IPA was configured. So effectively only on upgrade. - -Add as a separate installation step after the ccache directory -is configured. - -Fixes: https://pagure.io/freeipa/issue/9107 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipaserver/install/httpinstance.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py -index 732bb58d4..50ccf5e50 100644 ---- a/ipaserver/install/httpinstance.py -+++ b/ipaserver/install/httpinstance.py -@@ -140,6 +140,8 @@ class HTTPInstance(service.Service): - self.step("publish CA cert", self.__publish_ca_cert) - self.step("clean up any existing httpd ccaches", - self.remove_httpd_ccaches) -+ self.step("enable ccache sweep", -+ self.enable_ccache_sweep) - self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) - if not self.is_kdcproxy_configured(): - self.step("create KDC proxy config", self.create_kdcproxy_conf) -@@ -177,6 +179,11 @@ class HTTPInstance(service.Service): - [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES] - ) - -+ def enable_ccache_sweep(self): -+ ipautil.run( -+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer'] -+ ) -+ - def __configure_http(self): - self.update_httpd_service_ipa_conf() - self.update_httpd_wsgi_conf() --- -2.34.1 - -From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Wed, 9 Feb 2022 18:56:21 +0530 -Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during - installation - -This test checks that ipa-ccache-sweep.timer is enabled by default -during the ipa installation. - -related: https://pagure.io/freeipa/issue/9107 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Alexander Bokovoy ---- - .../test_integration/test_installation.py | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index f2d372c0c..63edbaa2b 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest): - - # Tweak sysrestore.state to drop installation section - self.master.run_command( -- ['sed','-i', r's/\[installation\]/\[badinstallation\]/', -+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/', - os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) - - # Re-run installation check and it should fall back to old method -@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest): - - # Restore installation section. - self.master.run_command( -- ['sed','-i', r's/\[badinstallation\]/\[installation\]/', -+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/', - os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) - - # Uninstall and confirm that the old method reports correctly -@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host): - break - return(pid) - -+ - def get_ipa_services_pids(host): - ipa_services_name = [ - "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", -@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest): - def test_install_master(self): - tasks.install_master(self.master, setup_dns=False, setup_kra=True) - -+ def test_ipa_ccache_sweep_timer_enabled(self): -+ """Test ipa-ccache-sweep.timer enabled by default during installation -+ -+ This test checks that ipa-ccache-sweep.timer is enabled by default -+ during the ipa installation. -+ -+ related: https://pagure.io/freeipa/issue/9107 -+ """ -+ result = self.master.run_command( -+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'], -+ raiseonerr=False -+ ) -+ assert 'enabled' in result.stdout_text -+ - def test_install_dns(self): - tasks.install_dns(self.master) - --- -2.34.1 - diff --git a/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch b/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch new file mode 100644 index 0000000..952e49b --- /dev/null +++ b/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch @@ -0,0 +1,230 @@ +From 434620ee342ac4767beccec647a318bfa7743dfa Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 18 Aug 2022 08:21:58 -0400 +Subject: [PATCH] doc: Update LDAP grace period design with default values + +New group password policies will get -1 (unlimited) on creation +by default. + +Existing group password policies will remain untouched and +those created prior will be treated as no BIND allowed. + +Fixes: https://pagure.io/freeipa/issue/9212 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + doc/designs/ldap_grace_period.md | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md +index 4b9db3424..e26aedda9 100644 +--- a/doc/designs/ldap_grace_period.md ++++ b/doc/designs/ldap_grace_period.md +@@ -51,7 +51,22 @@ The basic flow is: + + On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0. + +-The default value on install/upgrade will be -1 to retail existing behavior. ++Range values for passwordgracelimit are: ++ ++-1 : password grace checking is disabled ++ 0 : no grace BIND are allowed at all post-expiration ++ 1..MAXINT: the number of BIND allowed post-expiration ++ ++The default value for the global policy on install/upgrade will be -1 to ++retain existing behavior. ++ ++New group password policies will default to -1 to retain previous ++behavior. ++ ++Existing group policies with no grace limit set are updated to use ++the default unlimited value, -1. This is done because lack of value in ++LDAP is treated as 0 so any existing group policies would not allow ++post-expiration BIND so this will avoid confusion. + + The per-user attempts will not be replicated. + +-- +2.37.2 + +From 497a57e7a6872fa30d1855a1d91a455bfdbf9300 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 4 Aug 2022 12:04:22 -0400 +Subject: [PATCH] Set default gracelimit on group password policies to -1 + +This will retain previous behavior of unlimited LDAP BIND +post-expiration. + +Fixes: https://pagure.io/freeipa/issue/9212 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + API.txt | 2 +- + ipaserver/plugins/pwpolicy.py | 2 ++ + ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/API.txt b/API.txt +index 5ba9add13..d7ea74f08 100644 +--- a/API.txt ++++ b/API.txt +@@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime') + option: Int('krbpwdmaxfailure?', cli_name='maxfail') + option: Int('krbpwdmindiffchars?', cli_name='minclasses') + option: Int('krbpwdminlength?', cli_name='minlength') +-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1) ++option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1) + option: Flag('raw', autofill=True, cli_name='raw', default=False) + option: Str('setattr*', cli_name='setattr') + option: Str('version?') +diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py +index 4428aede2..f4ebffd5c 100644 +--- a/ipaserver/plugins/pwpolicy.py ++++ b/ipaserver/plugins/pwpolicy.py +@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject): + minvalue=-1, + maxvalue=Int.MAX_UINT32, + default=-1, ++ autofill=True, + ), + ) + +@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate): + keys[-1], krbpwdpolicyreference=dn, + cospriority=options.get('cospriority') + ) ++ + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py +index 8eee69c18..fc785223b 100644 +--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py ++++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py +@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative): + krbpwdhistorylength=[u'10'], + krbpwdmindiffchars=[u'3'], + krbpwdminlength=[u'8'], ++ passwordgracelimit=[u'-1'], + objectclass=objectclasses.pwpolicy, + ), + summary=None, +@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative): + krbpwdhistorylength=[u'10'], + krbpwdmindiffchars=[u'3'], + krbpwdminlength=[u'8'], ++ passwordgracelimit=[u'-1'], + ), + summary=None, + value=u'ipausers', +-- +2.37.2 + +From a4ddaaf3048c4e8d78a1807af7266ee40ab3a30b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 4 Aug 2022 12:04:41 -0400 +Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade + +If an existing group policy lacks a password grace limit +update it to -1 on upgrade. + +Fixes: https://pagure.io/freeipa/issue/9212 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../updates/90-post_upgrade_plugins.update | 1 + + ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++ + 2 files changed, 67 insertions(+) + +diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update +index c7ec71d49..6fe91aa6c 100644 +--- a/install/updates/90-post_upgrade_plugins.update ++++ b/install/updates/90-post_upgrade_plugins.update +@@ -26,6 +26,7 @@ plugin: update_ra_cert_store + plugin: update_mapping_Guests_to_nobody + plugin: fix_kra_people_entry + plugin: update_pwpolicy ++plugin: update_pwpolicy_grace + + # last + # DNS version 1 +diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py +index dca44ce43..4185f0343 100644 +--- a/ipaserver/install/plugins/update_pwpolicy.py ++++ b/ipaserver/install/plugins/update_pwpolicy.py +@@ -78,3 +78,69 @@ class update_pwpolicy(Updater): + return False, [] + + return False, [] ++ ++ ++@register() ++class update_pwpolicy_grace(Updater): ++ """ ++ Ensure all group policies have a grace period set. ++ """ ++ ++ def execute(self, **options): ++ ldap = self.api.Backend.ldap2 ++ ++ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'), ++ self.api.env.basedn) ++ search_filter = ( ++ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))" ++ ) ++ ++ while True: ++ # Run the search in loop to avoid issues when LDAP limits are hit ++ # during update ++ ++ try: ++ (entries, truncated) = ldap.find_entries( ++ search_filter, ['objectclass'], base_dn, time_limit=0, ++ size_limit=0) ++ ++ except errors.EmptyResult: ++ logger.debug("update_pwpolicy: no policies without " ++ "passwordgracelimit set") ++ return False, [] ++ ++ except errors.ExecutionError as e: ++ logger.error("update_pwpolicy: cannot retrieve list " ++ "of policies missing passwordgracelimit: %s", e) ++ return False, [] ++ ++ logger.debug("update_pwpolicy: found %d " ++ "policies to update, truncated: %s", ++ len(entries), truncated) ++ ++ error = False ++ ++ for entry in entries: ++ # Set unlimited BIND by default ++ entry['passwordgracelimit'] = -1 ++ try: ++ ldap.update_entry(entry) ++ except (errors.EmptyModlist, errors.NotFound): ++ pass ++ except errors.ExecutionError as e: ++ logger.debug("update_pwpolicy: cannot " ++ "update policy: %s", e) ++ error = True ++ ++ if error: ++ # Exit loop to avoid infinite cycles ++ logger.error("update_pwpolicy: error(s) " ++ "detected during pwpolicy update") ++ return False, [] ++ ++ elif not truncated: ++ # All affected entries updated, exit the loop ++ logger.debug("update_pwpolicy: all policies updated") ++ return False, [] ++ ++ return False, [] +-- +2.37.2 + diff --git a/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch b/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch deleted file mode 100644 index c384f15..0000000 --- a/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch +++ /dev/null @@ -1,31 +0,0 @@ -From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 10 Feb 2022 18:49:06 +0530 -Subject: [PATCH] ipatests: remove additional check for failed units. - -On RHEL tests are randomly failing because of this check -and the test doesn't need to check this. - -Related : https://pagure.io/freeipa/issue/9108 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_otp.py | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index d8ce527ca..6e70ddcb3 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest): - check_services = self.master.run_command( - ['systemctl', 'list-units', '--state=failed'] - ) -- assert "0 loaded units listed" in check_services.stdout_text - assert "ipa-otpd" not in check_services.stdout_text - # Be sure no services are running and failed units - self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) --- -2.34.1 - diff --git a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch deleted file mode 100644 index 3c8109e..0000000 --- a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Thu, 10 Feb 2022 14:23:12 +0100 -Subject: [PATCH] ipa_cldap: fix memory leak - -ipa_cldap_encode_netlogon() allocates memory to store binary data as part of -berval (bv_val) when processing a CLDAP packet request from a worker. The -data is used by ipa_cldap_respond() but bv_val is not freed later on. - -This commit is adding the corresponding free() after ipa_cldap_respond() -is completed. - -Discovered by LeakSanitizer - -Fixes: https://pagure.io/freeipa/issue/9110 -Signed-off-by: Francisco Trivino -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden -Reviewed-By: Thierry Bordaz ---- - daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c -index db4a3d061..252bcf647 100644 ---- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c -+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c -@@ -287,6 +287,7 @@ done: - ipa_cldap_respond(ctx, req, &reply); - - ipa_cldap_free_kvps(&req->kvps); -+ free(reply.bv_val); - free(req); - return; - } --- -2.34.1 - diff --git a/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch b/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch deleted file mode 100644 index e7081cd..0000000 --- a/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Sun, 5 Dec 2021 17:38:58 +0100 -Subject: [PATCH] ipatests: fix - TestOTPToken::test_check_otpd_after_idle_timeout - -The test sets 389-ds nsslapd-idletimeout to 60s, then does a -kinit with an otp token (which makes ipa-otpd create a LDAP -connection), then sleeps for 60s. The expectation is that -ns-slapd will detect that the LDAP conn from ipa-otpd is idle -and close the connection. -According to 389ds doc, the idle timeout is enforced when the -connection table is walked. By doing a ldapsearch, the test -"wakes up" ns-slapd and forces the detection of ipa-otpd -idle connection. - -Fixes: https://pagure.io/freeipa/issue/9044 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_otp.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index 353470897..d8ce527ca 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest): - otpvalue = totp.generate(int(time.time())).decode("ascii") - kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) - time.sleep(60) -+ # ldapsearch will wake up slapd and force walking through -+ # the connection list, in order to spot the idle connections -+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base") - - def test_cb(cmd_jornalctl): - # check if LDAP connection is timed out --- -2.34.1 - diff --git a/SOURCES/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch b/SOURCES/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch deleted file mode 100644 index fc37fb1..0000000 --- a/SOURCES/0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch +++ /dev/null @@ -1,407 +0,0 @@ -From 6b70e3c49acc55b5553101cf850fc40978861979 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 17 Jan 2022 16:57:52 +0530 -Subject: [PATCH] ipatests: Tests for Autoprivate group. - -Added tests using posix AD trust and non posix AD trust. -For option --auto-private-groups=[hybrid/true/false] - -Related : https://pagure.io/freeipa/issue/8807 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - .../nightly_ipa-4-9_latest.yaml | 2 +- - .../nightly_ipa-4-9_latest_selinux.yaml | 2 +- - .../nightly_ipa-4-9_previous.yaml | 2 +- - ipatests/test_integration/test_trust.py | 242 +++++++++++++++++- - 4 files changed, 240 insertions(+), 8 deletions(-) - -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -index 6817421b2..8b1f58c4d 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -@@ -1627,7 +1627,7 @@ jobs: - build_url: '{fedora-latest-ipa-4-9/build_url}' - test_suite: test_integration/test_trust.py - template: *ci-ipa-4-9-latest -- timeout: 9000 -+ timeout: 10000 - topology: *adroot_adchild_adtree_master_1client - - fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -index 817329756..a11376ab8 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -@@ -1743,7 +1743,7 @@ jobs: - selinux_enforcing: True - test_suite: test_integration/test_trust.py - template: *ci-ipa-4-9-latest -- timeout: 9000 -+ timeout: 10000 - topology: *adroot_adchild_adtree_master_1client - - fedora-latest-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -index 4196265c7..3f8ce8b76 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -@@ -1627,7 +1627,7 @@ jobs: - build_url: '{fedora-previous-ipa-4-9/build_url}' - test_suite: test_integration/test_trust.py - template: *ci-ipa-4-9-previous -- timeout: 9000 -+ timeout: 10000 - topology: *adroot_adchild_adtree_master_1client - - fedora-previous-ipa-4-9/test_backup_and_restore_TestBackupAndRestoreTrust: -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 0634badbb..ff2dd9cc8 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -62,11 +62,12 @@ class BaseTestTrust(IntegrationTest): - cls.check_sid_generation() - tasks.sync_time(cls.master, cls.ad) - -- cls.child_ad = cls.ad_subdomains[0] -- cls.ad_subdomain = cls.child_ad.domain.name -- cls.tree_ad = cls.ad_treedomains[0] -- cls.ad_treedomain = cls.tree_ad.domain.name -- -+ if cls.num_ad_subdomains > 0: -+ cls.child_ad = cls.ad_subdomains[0] -+ cls.ad_subdomain = cls.child_ad.domain.name -+ if cls.num_ad_treedomains > 0: -+ cls.tree_ad = cls.ad_treedomains[0] -+ cls.ad_treedomain = cls.tree_ad.domain.name - # values used in workaround for - # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 - cls.srv_gc_record_name = \ -@@ -106,6 +107,63 @@ class BaseTestTrust(IntegrationTest): - expected_text = 'iparangetype: %s\n' % expected_type - assert expected_text in result.stdout_text - -+ def mod_idrange_auto_private_group( -+ self, option='false' -+ ): -+ """ -+ Set the auto-private-group option of the default trusted -+ AD domain range. -+ """ -+ tasks.kinit_admin(self.master) -+ rangename = self.ad_domain.upper() + '_id_range' -+ error_msg = "ipa: ERROR: no modifications to be performed" -+ cmd = ["ipa", "idrange-mod", rangename, -+ "--auto-private-groups", option] -+ result = self.master.run_command(cmd, raiseonerr=False) -+ if result.returncode != 0: -+ tasks.assert_error(result, error_msg) -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.clients[0]) -+ test = self.master.run_command(["ipa", "idrange-show", rangename]) -+ assert "Auto private groups: {0}".format(option) in test.stdout_text -+ -+ def get_user_id(self, host, username): -+ """ -+ User uid gid is parsed from the output of id user command. -+ """ -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.clients[0]) -+ self.master.run_command(["id", username]) -+ test_id = host.run_command(["id", username]) -+ regex = r"^uid=(?P\d+).*gid=(?P\d+).*groups=(?P\d+)" -+ match = re.match(regex, test_id.stdout_text) -+ uid = match.group('uid') -+ gid = match.group('gid') -+ return uid, gid -+ -+ @contextmanager -+ def set_idoverrideuser(self, user, uid, gid): -+ """ -+ Fixture to add/remove idoverrideuser for default idview, -+ also creates idm group with the provided gid because -+ gid overrides requires an existing group. -+ """ -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.clients[0]) -+ tasks.kinit_admin(self.master) -+ try: -+ args = ["ipa", "idoverrideuser-add", "Default Trust View", -+ "--gid", gid, "--uid", uid, user] -+ self.master.run_command(args) -+ tasks.group_add(self.master, "idgroup", -+ extra_args=["--gid", gid]) -+ yield -+ finally: -+ self.master.run_command([ -+ "ipa", "idoverrideuser-del", "Default Trust View", user] -+ ) -+ self.master.run_command(["ipa", "group-del", "idgroup"]) -+ - def remove_trust(self, ad): - tasks.remove_trust_with_ad(self.master, - ad.domain.name, ad.hostname) -@@ -993,3 +1051,177 @@ class TestTrust(BaseTestTrust): - self.master.run_command(['rm', '-f', ad_zone_file]) - tasks.configure_dns_for_trust(self.master, self.ad) - self.remove_trust(self.ad) -+ -+ -+class TestNonPosixAutoPrivateGroup(BaseTestTrust): -+ """ -+ Tests for auto-private-groups option with non posix AD trust -+ Related : https://pagure.io/freeipa/issue/8807 -+ """ -+ topology = 'line' -+ num_ad_domains = 1 -+ num_clients = 1 -+ num_ad_subdomains = 0 -+ num_ad_treedomains = 0 -+ uid_override = "99999999" -+ gid_override = "78878787" -+ -+ def test_add_nonposix_trust(self): -+ tasks.configure_dns_for_trust(self.master, self.ad) -+ tasks.establish_trust_with_ad( -+ self.master, self.ad_domain, -+ extra_args=['--range-type', 'ipa-ad-trust']) -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_auto_private_groups_default_trusted_range(self, type): -+ """ -+ Modify existing range for default trusted AD domain range -+ with auto-private-groups set as true/hybrid/false and test -+ user with no posix attributes. -+ """ -+ self.mod_idrange_auto_private_group(type) -+ nonposixuser = "nonposixuser@%s" % self.ad_domain -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) -+ if type == "true": -+ assert uid == gid -+ else: -+ test_group = self.clients[0].run_command(["id", nonposixuser]) -+ gid_str = "gid={0}(domain users@{1})".format(gid, self.ad_domain) -+ grp_str = "groups={0}(domain users@{1})".format(gid, -+ self.ad_domain) -+ assert gid_str in test_group.stdout_text -+ assert grp_str in test_group.stdout_text -+ assert uid != gid -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_idoverride_with_auto_private_group(self, type): -+ """ -+ Override ad trusted user in default trust view -+ and set auto-private-groups=[hybrid,true,false] -+ and ensure that overridden values takes effect. -+ """ -+ nonposixuser = "nonposixuser@%s" % self.ad_domain -+ with self.set_idoverrideuser(nonposixuser, -+ self.uid_override, -+ self.gid_override -+ ): -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) -+ assert (uid == self.uid_override and gid == self.gid_override) -+ test_group = self.clients[0].run_command( -+ ["id", nonposixuser]).stdout_text -+ assert "domain users@{0}".format(self.ad_domain) in test_group -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_nonposixuser_nondefault_primary_group(self, type): -+ """ -+ Test for non default primary group. -+ For hybrid/false gid corresponds to the group testgroup1. -+ """ -+ nonposixuser1 = "nonposixuser1@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser1) -+ if type == "true": -+ assert uid == gid -+ else: -+ test_group = self.clients[0].run_command(["id", nonposixuser1]) -+ gid_str = "gid={0}(testgroup1@{1})".format(gid, self.ad_domain) -+ group = "groups={0}(testgroup1@{1})".format(gid, self.ad_domain) -+ assert (gid_str in test_group.stdout_text -+ and group in test_group.stdout_text) -+ -+ -+class TestPosixAutoPrivateGroup(BaseTestTrust): -+ """ -+ Tests for auto-private-groups option with posix AD trust -+ Related : https://pagure.io/freeipa/issue/8807 -+ """ -+ topology = 'line' -+ num_ad_domains = 1 -+ num_clients = 1 -+ num_ad_subdomains = 0 -+ num_ad_treedomains = 0 -+ uid_override = "99999999" -+ gid_override = "78878787" -+ -+ def test_add_posix_trust(self): -+ tasks.configure_dns_for_trust(self.master, self.ad) -+ tasks.establish_trust_with_ad( -+ self.master, self.ad_domain, -+ extra_args=['--range-type', 'ipa-ad-trust-posix']) -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_gidnumber_not_corresponding_existing_group(self, type): -+ """ -+ Test checks that sssd can resolve AD users which -+ contain posix attributes (uidNumber and gidNumber) -+ but there is no group with the corresponding gidNumber. -+ """ -+ posixuser = "testuser2@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ if type != "true": -+ result = self.clients[0].run_command(['id', posixuser], -+ raiseonerr=False) -+ tasks.assert_error(result, "no such user") -+ else: -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert uid == gid -+ assert uid == '10060' -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_only_uid_number_auto_private_group_default(self, type): -+ """ -+ Test checks that posix user with only uidNumber defined -+ and gidNumber not set, auto-private-group -+ is set to false/true/hybrid -+ """ -+ posixuser = "testuser1@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ if type == "true": -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert uid == gid -+ else: -+ for host in [self.master, self.clients[0]]: -+ result = host.run_command(['id', posixuser], raiseonerr=False) -+ tasks.assert_error(result, "no such user") -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_auto_private_group_primary_group(self, type): -+ """ -+ Test checks that AD users which contain posix attributes -+ (uidNumber and gidNumber) and there is primary group -+ with gid number defined. -+ """ -+ posixuser = "testuser@%s" % self.ad_domain -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ test_grp = self.clients[0].run_command(["id", posixuser]) -+ assert uid == '10042' -+ if type == "true": -+ assert uid == gid -+ groups = "groups=10042(testuser@{0}),10047(testgroup@{1})".format( -+ self.ad_domain, self.ad_domain) -+ assert groups in test_grp.stdout_text -+ else: -+ assert gid == '10047' -+ groups = "10047(testgroup@{0})".format(self.ad_domain) -+ assert groups in test_grp.stdout_text -+ -+ @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -+ def test_idoverride_with_auto_private_group(self, type): -+ """ -+ Override ad trusted user in default trust view -+ and set auto-private-groups=[hybrid,true,false] -+ and ensure that overridden values takes effect. -+ """ -+ posixuser = "testuser@%s" % self.ad_domain -+ with self.set_idoverrideuser(posixuser, -+ self.uid_override, -+ self.gid_override): -+ self.mod_idrange_auto_private_group(type) -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert(uid == self.uid_override -+ and gid == self.gid_override) -+ result = self.clients[0].run_command(['id', posixuser]) -+ assert "10047(testgroup@{0})".format( -+ self.ad_domain) in result.stdout_text --- -2.35.1 - -From 84381001d2e114b1f29fe89e16155c040b56b80f Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 10 Feb 2022 17:07:45 +0530 -Subject: [PATCH] mark xfail for - test_idoverride_with_auto_private_group[hybrid] - -Related : https://github.com/SSSD/sssd/issues/5989 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_trust.py | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index ff2dd9cc8..54bd15462 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -15,6 +15,7 @@ from ipaplatform.paths import paths - from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration import fips -+from ipatests.util import xfail_context - from ipapython.dn import DN - from collections import namedtuple - from contextlib import contextmanager -@@ -1110,7 +1111,11 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - assert (uid == self.uid_override and gid == self.gid_override) - test_group = self.clients[0].run_command( - ["id", nonposixuser]).stdout_text -- assert "domain users@{0}".format(self.ad_domain) in test_group -+ version = tasks.get_sssd_version(self.clients[0]) -+ with xfail_context(version <= tasks.parse_version('2.6.3') -+ and type == "hybrid", -+ 'https://github.com/SSSD/sssd/issues/5989'): -+ assert "domain users@{0}".format(self.ad_domain) in test_group - - @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) - def test_nonposixuser_nondefault_primary_group(self, type): --- -2.35.1 - -From 7ad500e5d3f7d9af81e8a3137158672c6fafb0b4 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 10 Feb 2022 17:29:45 +0530 -Subject: [PATCH] Mark xfail - test_gidnumber_not_corresponding_existing_group[true,hybrid] - -Related : https://github.com/SSSD/sssd/issues/5988 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_trust.py | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 54bd15462..c12837815 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1169,9 +1169,12 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): - raiseonerr=False) - tasks.assert_error(result, "no such user") - else: -- (uid, gid) = self.get_user_id(self.clients[0], posixuser) -- assert uid == gid -- assert uid == '10060' -+ sssd_version = tasks.get_sssd_version(self.clients[0]) -+ with xfail_context(sssd_version <= tasks.parse_version('2.6.3'), -+ 'https://github.com/SSSD/sssd/issues/5988'): -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert uid == gid -+ assert uid == '10060' - - @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) - def test_only_uid_number_auto_private_group_default(self, type): --- -2.35.1 - diff --git a/SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch b/SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch deleted file mode 100644 index 4fa0b23..0000000 --- a/SOURCES/0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 23 Aug 2022 16:58:07 +0300 -Subject: [PATCH] fix canonicalization issue in Web UI - -When Kerberos principal alias is used to login to a Web UI, we end up -with a request that is authenticated by a ticket issued in the alias -name but metadata processed for the canonical user name. This confuses -RPC layer of Web UI code and causes infinite loop to reload the page. - -Fix it by doing two things: - - - force use of canonicalization of an enterprise principal on server - side, not just specifying that the principal is an enterprise one; - - - recognize that a principal in the whoami()-returned object can have - aliases and the principal returned by the server in the JSON response - may be one of those aliases. - -Fixes: https://pagure.io/freeipa/issue/9226 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Armando Neto ---- - install/ui/src/freeipa/ipa.js | 8 +++++++- - ipaserver/rpcserver.py | 1 + - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js -index 758db1b00..a08d632e9 100644 ---- a/install/ui/src/freeipa/ipa.js -+++ b/install/ui/src/freeipa/ipa.js -@@ -271,7 +271,13 @@ var IPA = function () { - var cn = that.whoami.data.krbcanonicalname; - if (cn) that.principal = cn[0]; - if (!that.principal) { -- that.principal = that.whoami.data.krbprincipalname[0]; -+ var principal = data.principal; -+ var idx = that.whoami.data.krbprincipalname.indexOf(principal); -+ if (idx > -1) { -+ that.principal = principal; -+ } else { -+ that.principal = that.whoami.data.krbprincipalname[0]; -+ } - } - } else if (entity === 'idoverrideuser') { - that.principal = that.whoami.data.ipaoriginaluid[0]; -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index 1f85e9898..4e8a08b66 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession): - ccache_name, - armor_ccache_name=armor_path, - enterprise=True, -+ canonicalize=True, - lifetime=self.api.env.kinit_lifetime) - - if armor_path: --- -2.37.3 - diff --git a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch similarity index 95% rename from SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch rename to SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch index 943e986..e1a74ff 100644 --- a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +++ b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -32,15 +32,15 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 7d21367ec..42a47f1df 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py -@@ -259,7 +259,7 @@ class BasePathNamespace: +@@ -259,7 +259,6 @@ class BasePathNamespace: IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" - DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" + DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" +- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" - USERMOD = "/usr/sbin/usermod" diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py index 4e993c063..92a948966 100644 --- a/ipaplatform/fedora/paths.py @@ -50,8 +50,8 @@ index 4e993c063..92a948966 100644 if HAS_NFS_CONF: SYSCONFIG_NFS = '/etc/nfs.conf' + DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" - - + + paths = FedoraPathNamespace() diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py index 0c79cc03d..a15c0e601 100644 @@ -65,6 +65,5 @@ index 0c79cc03d..a15c0e601 100644 '-K', workdir, '-a', attrs['idnsSecAlgorithm'][0], '-l', uri --- +-- 2.31.1 - diff --git a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch deleted file mode 100644 index 48bb8e0..0000000 --- a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 26 Nov 2021 11:13:51 +0200 -Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and - MS-SFU updates - -New versions of MS-KILE and MS-SFU after Windows Server November 2021 -security updates add PAC_REQUESTER_SID buffer check behavior: - - - PAC_REQUESTER_SID should only be added for TGT requests - - - if PAC_REQUESTER_SID is present, KDC must verify that the cname on - the ticket resolves to the account with the same SID as the - PAC_REQUESTER_SID. If it doesn't KDC must respond with - KDC_ERR_TKT_REVOKED - -Change requester SID check to skip exact check for non-local -PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains -we know about. - -If requester SID is the same as in PAC, we already do cname vs PAC SID -verification. - -With these changes FreeIPA works against Windows Server 2019 with -November 2021 security fixes in cross-realm S4U2Self operations. - -Fixes: https://pagure.io/freeipa/issue/9031 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++--------- - 1 file changed, 34 insertions(+), 13 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 538cfbba9..1b972c167 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - "local [%s], PAC [%s]", - dom ? dom : "", - sid ? sid : ""); -- return KRB5KDC_ERR_POLICY; -+ return KRB5KDC_ERR_TGT_REVOKED; - } - } - -@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - kerr = ipadb_get_principal(context, client_princ, flags, &client_actual); - if (kerr != 0) { - krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed."); -- return KRB5KDC_ERR_POLICY; -+ return KRB5KDC_ERR_TGT_REVOKED; - } - - ied = (struct ipadb_e_data *)client_actual->e_data; -@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - "local [%s] vs PAC [%s]", - local_sid ? local_sid : "", - pac_sid ? pac_sid : ""); -- kerr = KRB5KDC_ERR_POLICY; -+ kerr = KRB5KDC_ERR_TGT_REVOKED; - goto done; - } - -@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context, - /* Check that requester SID is the same as in the PAC entry */ - if (requester_sid != NULL) { - struct dom_sid client_sid; -+ bool is_from_trusted_domain = false; - kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid); - if (kerr) { - goto done; - } - result = dom_sid_check(&client_sid, requester_sid, true); - if (!result) { -- /* memctx is freed by the caller */ -- char *pac_sid = dom_sid_string(tmpctx, &client_sid); -- char *req_sid = dom_sid_string(tmpctx, requester_sid); -- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " -- "different from what PAC requester claims. " -- "PAC [%s] vs PAC requester [%s]", -- pac_sid ? pac_sid : "", -- req_sid ? req_sid : ""); -- kerr = KRB5KDC_ERR_POLICY; -- goto done; -+ struct ipadb_context *ipactx = ipadb_get_context(context); -+ if (!ipactx || !ipactx->mspac) { -+ return KRB5_KDB_DBNOTINITED; -+ } -+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */ -+ if (is_s4u && (ipactx->mspac->trusts != NULL)) { -+ /* Iterate through list of trusts and check if this SID belongs to -+ * one of the domains we trust */ -+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { -+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, -+ requester_sid, false); -+ if (result) { -+ is_from_trusted_domain = true; -+ break; -+ } -+ } -+ } -+ -+ if (!is_from_trusted_domain) { -+ /* memctx is freed by the caller */ -+ char *pac_sid = dom_sid_string(tmpctx, &client_sid); -+ char *req_sid = dom_sid_string(tmpctx, requester_sid); -+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " -+ "different from what PAC requester claims. " -+ "PAC [%s] vs PAC requester [%s]", -+ pac_sid ? pac_sid : "", -+ req_sid ? req_sid : ""); -+ kerr = KRB5KDC_ERR_TGT_REVOKED; -+ goto done; -+ } - } - } - --- -2.31.1 - diff --git a/SOURCES/freeipa-4.9.10.tar.gz.asc b/SOURCES/freeipa-4.9.10.tar.gz.asc new file mode 100644 index 0000000..2804c24 --- /dev/null +++ b/SOURCES/freeipa-4.9.10.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmKp71wACgkQaYdvcqbi +008rbg/9G5w7KXgJcrhwBx5qqd4fqzSnwJdyN5oaBIEKNsAigMD7LIYawqgnO3g/ +/3FmJTbeCrOj9EoakvE1YNRT+75oxAO+rMFcRvFHlJyfMCa3r3lrS4LrlQiiyNwZ +IHovcXr0Q3fizhp/V3acyZqx2pbnSh24CK4q5a1CNUs8SPkEFcOfpAJIMQCHeH6t +ScfxuWOp8R1FnaNQc/9x3vy3ySQbHMxIWLSfJy7pk7FhLGAvgVNQBAz70Bg7BfR1 +R1V6syGeaPmqLOQw0jV05YMxyKwkbnSK/h2DlCg/iNQ/S71rXhOpuk01dDf73CI4 +Fu1H9TX50Indq31+4qbOlKZqDshhNzRRpn2m2qVvzeTfObHlZMbYNyVamovP9fEZ +pfJcppI8aNDURjqpf/sVy4G8mhI5FQS+Q7bKvv9C04iE3XpTutg8q5mLMXGwWekY +yeklBAmdygOKsY1uWb7BCH9eoWCVWKIwi4m5uYteZNxBt4aqsa/VFsxCE1P2T7/S ++yc1Jo7hXWW8v3wm+dIGJj+Lz9YlJxC9SAiC72a6kTwIe2gnKlxoYbqe/18hEWm6 +0jESl2LiXfBhXz0YQlv2HjcPWZMMrNuhSCGTMgzP8KfZB258mtxpbBTk5/e9Wgsk +29GCfaMWFUqZsrteG10HT/P6cotre6EVffQl9lNlPNQpX+DUKy4= +=azus +-----END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc deleted file mode 100644 index c14420c..0000000 --- a/SOURCES/freeipa-4.9.8.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi -00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe -MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM -XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q -E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp -q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6 -BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA -CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C -UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi -q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy -urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo -w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg= -=t9up ------END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index d844e77..924263b 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -146,8 +146,8 @@ # RHEL 8.2+, F32+ has 3.58 %global nss_version 3.44.0-4 -# RHEL 8.3+, F32+ -%global sssd_version 2.4.0 +# RHEL 8.7+, F35+, adds IdP integration +%global sssd_version 2.7.0 %define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) %global kdcproxy_version 0.4-3 @@ -178,7 +178,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.8 +%define IPA_VERSION 4.9.10 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -191,7 +191,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 8%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -211,25 +211,21 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch -Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch -Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch -Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch -Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch -Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch -Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch -Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch -Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch -Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch -Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch -Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch -Patch0013: 0013-Backport_test_fixes_in_python3_ipatests_rhbz#2057505.patch -Patch0014: 0014-fix-canonicalization-issue-in-Web-UI_rhbz#2133051.patch +Patch0001: 0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch +Patch0002: 0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch +Patch0003: 0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch +Patch0004: 0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch +Patch0005: 0005-Add-end-to-end-integration-tests-for-external-IdP.patch +Patch0006: 0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch +Patch0007: 0007-webui-Allow-grace-login-limit_rhbz#2109243.patch +Patch0008: 0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch +Patch0009: 0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch +Patch0010: 0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch %endif %endif # RHEL spec file only: END -Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -326,7 +322,9 @@ BuildRequires: python3-wheel %if %{with doc} BuildRequires: python3-sphinx -BuildRequires: python3-m2r +BuildRequires: plantum1 +BuildRequires: fontconfig +BuildRequires: google-noto-sans-vf-fonts %endif # @@ -475,6 +473,8 @@ Requires: libpwquality Requires: cracklib-dicts # NDR libraries are internal in Samba and change with version without changing SONAME Requires: samba-client-libs >= %{samba_version} +# Due to RHBZ#2100916, libvert-libev is required by ipa-otp. +Requires: libverto-libev >= 0.3.2-1 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -649,7 +649,12 @@ Requires: python3-sssdconfig >= %{sssd_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: krb5-workstation >= %{krb5_version} -Requires: authselect >= 0.4-2 +# authselect: sssd profile with-subid +%if 0%{?fedora} >= 36 +Requires: authselect >= 1.4.0 +%else +Requires: authselect >= 1.2.5 +%endif Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service # All Fedora 28+ and RHEL8+ contain the service in hostname package @@ -661,6 +666,7 @@ Requires: xmlrpc-c >= 1.27.4 Requires: jansson %endif Requires: sssd-ipa >= %{sssd_version} +Requires: sssd-idp >= %{sssd_version} Requires: certmonger >= %{certmonger_version} Requires: nss-tools >= %{nss_version} Requires: bind-utils @@ -1052,6 +1058,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la +rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la rm %{buildroot}/%{plugin_dir}/libtopology.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -1235,6 +1242,7 @@ if [ $1 -gt 1 ] ; then %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 + chmod 0600 /var/log/ipaupgrade.lo SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" @@ -1410,6 +1418,7 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_sidgen.so %attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so %{_mandir}/man1/ipa-replica-conncheck.1* %{_mandir}/man1/ipa-replica-install.1* @@ -1713,11 +1722,59 @@ fi # with selinux %endif - %changelog -* Fri Oct 7 2022 Rafael Jeffman - 4.9.8-8 -- Fix canonicalization issue in Web UI - Resolves: RHBZ#2133051 +* Mon Aug 22 2022 Rafael Jeffman - 4.9.10-6 +- webui: Allow grace login limit + Resolves: RHBZ#2109243 +- check_repl_update: in progress is a boolean + Resolves: RHBZ#2117303 +- Disabling gracelimit does not prevent LDAP binds + Resolves: RHBZ#2109236 +- Set passwordgracelimit to match global policy on group pw policies + Resolves: RHBZ#2115475 + +* Tue Jul 19 2022 Rafael Jeffman - 4.9.10-5 +- webui: Do not allow empty pagination size + Resolves: RHBZ#2094672 + +* Tue Jul 12 2022 Rafael Jeffman - 4.9.10-4 +- Add end to end integration tests for external IdP + Resolves: RHBZ#2106346 + +* Thu Jul 07 2022 Rafael Jeffman - 4.9.10-3 +- Add explicit dependency for libvert-libev + Resolves: RHBZ#2104929 + +* Fri Jul 01 2022 Rafael Jeffman - 4.9.10-2 +- Preserve user: fix the confusing summary + Resolves: RHBZ#2022028 +- Only calculate LDAP password grace when the password is expired + Related: RHBZ#782917 + +* Wed Jun 15 2022 Rafael Jeffman - 4.9.10-1 +- Rebase to upstream release 4.9.10 + Remove upstream patches 0002 to 0016 that are part of version 4.9.10 + Remove patches 1101 that is part of version 4.9.10 + Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases + Add patches 0001 and 0002 to fix build on RHEL 8.7 + Resolves: RHBZ#2079466 + Resolves: RHBZ#2063155 + Resolves: RHBZ#1958777 + Resolves: RHBZ#2068088 + Resolves: RHBZ#2004646 + Resolves: RHBZ#782917 + Resolves: RHBZ#2059396 + Resolves: RHBZ#2092015 + +* Tue Apr 5 2022 Rafael Jeffman - 4.9.8-8 +- Backport latest test fixes in python3-ipatests + Resolves: RHBZ#2060841 +- extdom: user getorigby{user|group}name if available + Resolves: RHBZ#2062379 +- Set the mode on ipaupgrade.log during RPM post snipppet + Resolves: RHBZ#2061957 +- test_krbtpolicy: skip SPAKE-related tests in FIPS mode + Resolves: RHBZ#1909630 * Thu Feb 24 2022 Rafael Jeffman - 4.9.8-7 - ipatests: Backport test fixes in python3-ipatests.