Merge branch 'c9' into a9
This commit is contained in:
commit
fc20c59e4a
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/freeipa-4.10.2.tar.gz
|
||||
SOURCES/freeipa-4.11.0.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
17d580b7dccb1586898aa46c7ecdd2bd2754ee5f SOURCES/freeipa-4.10.2.tar.gz
|
||||
991d8a605a9547e1dbdbbdf283f6eb20f759de4d SOURCES/freeipa-4.11.0.tar.gz
|
||||
|
44
SOURCES/0001-ipatests-fix-healthcheck-test-without-DNS.patch
Normal file
44
SOURCES/0001-ipatests-fix-healthcheck-test-without-DNS.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 4c8512168f6a9f224277a4db055f5432af37a552 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 28 Sep 2023 17:39:32 +0200
|
||||
Subject: [PATCH] ipatests: fix healthcheck test without DNS
|
||||
|
||||
ipa-healthcheck has added a new check for ipa-ca record
|
||||
missing. The test needs to be adapted to handle the new check.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9459
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 6e01642f36a3d39ac7b3c2721664b21356bf424b..822f550d2ee241a9dd14c99d75199e6207b78e9c 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -1640,13 +1640,19 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest):
|
||||
"Got {count} ipa-ca AAAA records, expected {expected}",
|
||||
"Expected URI record missing",
|
||||
}
|
||||
- else:
|
||||
+ elif (parse_version(version) < parse_version('0.13')):
|
||||
expected_msgs = {
|
||||
"Expected SRV record missing",
|
||||
"Unexpected ipa-ca address {ipaddr}",
|
||||
"expected ipa-ca to contain {ipaddr} for {server}",
|
||||
"Expected URI record missing",
|
||||
}
|
||||
+ else:
|
||||
+ expected_msgs = {
|
||||
+ "Expected SRV record missing",
|
||||
+ "Expected URI record missing",
|
||||
+ "missing IP address for ipa-ca server {server}",
|
||||
+ }
|
||||
|
||||
tasks.install_packages(self.master, HEALTHCHECK_PKG)
|
||||
returncode, data = run_healthcheck(
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 4f6ebb5fdf6d2514d4683247e5d1bfc6022a500e Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Tue, 6 Jun 2023 09:04:48 +0200
|
||||
Subject: [PATCH] webuitests: close notification which hides Add button
|
||||
|
||||
The webui test test_service.py::test_service::test_arbitrary_certificates
|
||||
randomly fails.
|
||||
The test is creating a new service then navigates to the Service page
|
||||
and clicks on the Add Certificate button.
|
||||
The notification area may still be present and hide the button, with
|
||||
the message "Service successfully added".
|
||||
Close all notifications before navigating to the Service page.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9389
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/test_webui/test_service.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ipatests/test_webui/test_service.py b/ipatests/test_webui/test_service.py
|
||||
index f1d9a9d624bc587634e03a86050627a648feb26d..e2976d73acd1f574f1164828be9d8e871b737d7f 100644
|
||||
--- a/ipatests/test_webui/test_service.py
|
||||
+++ b/ipatests/test_webui/test_service.py
|
||||
@@ -296,6 +296,7 @@ class test_service(sevice_tasks):
|
||||
cert_widget_sel = "div.certificate-widget"
|
||||
|
||||
self.add_record(ENTITY, data)
|
||||
+ self.close_notifications()
|
||||
self.navigate_to_record(pkey)
|
||||
|
||||
# check whether certificate section is present
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,48 +0,0 @@
|
||||
From 8d34f453fb139c4cef055a4963f307a760316a73 Mon Sep 17 00:00:00 2001
|
||||
From: Anuja More <amore@redhat.com>
|
||||
Date: Thu, 11 May 2023 12:50:10 +0530
|
||||
Subject: [PATCH] ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not
|
||||
included in krb5.conf
|
||||
|
||||
SSSD already provides a config snippet which includes
|
||||
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
|
||||
Test checks that krb5.conf does not include
|
||||
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9267
|
||||
|
||||
Signed-off-by: Anuja More <amore@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
.../test_integration/test_installation_client.py | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
|
||||
index 014b0f6ab34dd92c00c0187c2c86b8bfbaa70e81..56e1593bfcfa3eb7f9918fc6f2993d836884ea38 100644
|
||||
--- a/ipatests/test_integration/test_installation_client.py
|
||||
+++ b/ipatests/test_integration/test_installation_client.py
|
||||
@@ -76,6 +76,21 @@ class TestInstallClient(IntegrationTest):
|
||||
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
|
||||
assert 'HostKeyAlgorithms' not in result.stdout_text
|
||||
|
||||
+ def test_client_install_with_krb5(self):
|
||||
+ """Test that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not added in krb5.conf
|
||||
+
|
||||
+ SSSD already provides a config snippet which includes
|
||||
+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
|
||||
+ Test checks that krb5.conf does not include
|
||||
+ SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
|
||||
+
|
||||
+ related: https://pagure.io/freeipa/issue/9267
|
||||
+ """
|
||||
+ krb5_cfg = self.master.get_file_contents(paths.KRB5_CONF)
|
||||
+ assert 'includedir {dir}'.format(
|
||||
+ dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
|
||||
+ ).encode() not in krb5_cfg
|
||||
+
|
||||
|
||||
class TestClientInstallBind(IntegrationTest):
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,47 @@
|
||||
From ca4ac6c06dd37deab5ba7c4df8789acf9e45d03e Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 28 Sep 2023 12:48:37 +0200
|
||||
Subject: [PATCH] ipatests: fix healthcheck test for --indent option
|
||||
|
||||
ipa-healthcheck --indent option expects an integer. The error
|
||||
message changed with ipa-healthcheck 0.13.
|
||||
Recent versions also check that the value is in the range 0-32.
|
||||
|
||||
The test must be compatible with old and new versions.
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 822f550d2ee241a9dd14c99d75199e6207b78e9c..35fcfe10508589ded021207a4eba4fb0143495b4 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -2412,12 +2412,19 @@ class TestIpaHealthCLI(IntegrationTest):
|
||||
cmd = self.base_cmd + ["--indent", option]
|
||||
result = self.master.run_command(cmd, raiseonerr=False)
|
||||
assert result.returncode == 2
|
||||
- assert 'invalid int value' in result.stderr_text
|
||||
+ assert ('invalid int value' in result.stderr_text
|
||||
+ or 'is not an integer' in result.stderr_text)
|
||||
|
||||
- # unusual success, arguably odd but not invalid :-)
|
||||
+ version = tasks.get_healthcheck_version(self.master)
|
||||
for option in ('-1', '5000'):
|
||||
cmd = self.base_cmd + ["--indent", option]
|
||||
- result = self.master.run_command(cmd)
|
||||
+ result = self.master.run_command(cmd, raiseonerr=False)
|
||||
+ if parse_version(version) >= parse_version('0.13'):
|
||||
+ assert result.returncode == 2
|
||||
+ assert 'is not in the range 0-32' in result.stderr_text
|
||||
+ else:
|
||||
+ # Older versions did not check for a given allowed range
|
||||
+ assert result.returncode == 0
|
||||
|
||||
def test_severity(self):
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,103 +0,0 @@
|
||||
From 276138087158c6b2ea76b43c754084144e543c0b Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 7 Jun 2023 11:32:21 -0400
|
||||
Subject: [PATCH] Revert "Use the OpenSSL certificate parser in cert-find"
|
||||
|
||||
This reverts commit 191880bc9f77c3e8a3cecc82e6eea33ab5ad03e4.
|
||||
|
||||
The problem isn't with python-cryptography, it is with the
|
||||
IPACertificate class which does way more work on a certificate
|
||||
than is necessary in cert-find.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9331
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 2 --
|
||||
ipaserver/plugins/cert.py | 26 +++-----------------------
|
||||
2 files changed, 3 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -412,7 +412,6 @@ BuildRequires: python3-pylint
|
||||
BuildRequires: python3-pytest-multihost
|
||||
BuildRequires: python3-pytest-sourceorder
|
||||
BuildRequires: python3-qrcode-core >= 5.0.0
|
||||
-BuildRequires: python3-pyOpenSSL
|
||||
BuildRequires: python3-samba
|
||||
BuildRequires: python3-six
|
||||
BuildRequires: python3-sss
|
||||
@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4
|
||||
Requires: python3-pyasn1 >= 0.3.2-2
|
||||
Requires: python3-pyasn1-modules >= 0.3.2-2
|
||||
Requires: python3-pyusb
|
||||
-Requires: python3-pyOpenSSL
|
||||
Requires: python3-qrcode-core >= 5.0.0
|
||||
Requires: python3-requests
|
||||
Requires: python3-six
|
||||
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
||||
index 400b1b3cec0aba82e699a4a981516e121f3e0c77..2e32f4ecd50ac92c28bcaffcebe9c2c87557858a 100644
|
||||
--- a/ipaserver/plugins/cert.py
|
||||
+++ b/ipaserver/plugins/cert.py
|
||||
@@ -30,7 +30,6 @@ import cryptography.x509
|
||||
from cryptography.hazmat.primitives import hashes, serialization
|
||||
from dns import resolver, reversename
|
||||
import six
|
||||
-import sys
|
||||
|
||||
from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
|
||||
from ipalib import api
|
||||
@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
|
||||
)
|
||||
|
||||
def _get_cert_key(self, cert):
|
||||
- # for cert-find with a certificate value
|
||||
- if isinstance(cert, x509.IPACertificate):
|
||||
- return (DN(cert.issuer), cert.serial_number)
|
||||
-
|
||||
- issuer = []
|
||||
- for oid, value in cert.get_issuer().get_components():
|
||||
- issuer.append(
|
||||
- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
|
||||
- )
|
||||
- issuer = ','.join(issuer)
|
||||
- # Use this to flip from OpenSSL reverse to X500 ordering
|
||||
- issuer = DN(issuer).x500_text()
|
||||
- return (DN(issuer), cert.get_serial_number())
|
||||
+ return (DN(cert.issuer), cert.serial_number)
|
||||
|
||||
def _cert_search(self, pkey_only, **options):
|
||||
result = collections.OrderedDict()
|
||||
@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
|
||||
return result, False, complete
|
||||
|
||||
def _ldap_search(self, all, pkey_only, no_members, **options):
|
||||
- # defer import of the OpenSSL module to not affect the requests
|
||||
- # module which will use pyopenssl if this is available.
|
||||
- if sys.modules.get('OpenSSL.SSL', False) is None:
|
||||
- del sys.modules["OpenSSL.SSL"]
|
||||
- import OpenSSL.crypto
|
||||
ldap = self.api.Backend.ldap2
|
||||
|
||||
filters = []
|
||||
@@ -1813,14 +1795,12 @@ class cert_find(Search, CertMethod):
|
||||
ca_enabled = getattr(context, 'ca_enabled')
|
||||
for entry in entries:
|
||||
for attr in ('usercertificate', 'usercertificate;binary'):
|
||||
- for der in entry.raw.get(attr, []):
|
||||
- cert = OpenSSL.crypto.load_certificate(
|
||||
- OpenSSL.crypto.FILETYPE_ASN1, der)
|
||||
+ for cert in entry.get(attr, []):
|
||||
cert_key = self._get_cert_key(cert)
|
||||
try:
|
||||
obj = result[cert_key]
|
||||
except KeyError:
|
||||
- obj = {'serial_number': cert.get_serial_number()}
|
||||
+ obj = {'serial_number': cert.serial_number}
|
||||
if not pkey_only and (all or not ca_enabled):
|
||||
# Retrieving certificate details is now deferred
|
||||
# until after all certificates are collected.
|
||||
--
|
||||
2.41.0
|
||||
|
35
SOURCES/0003-ipatests-fix-test_ipactl_scenario_check.patch
Normal file
35
SOURCES/0003-ipatests-fix-test_ipactl_scenario_check.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 8ffcce91c694d83f6698a0539b970f41ea056e2d Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 21 Sep 2023 10:32:41 +0200
|
||||
Subject: [PATCH] ipatests: fix test_ipactl_scenario_check
|
||||
|
||||
The test is comparing the PID of services before and after
|
||||
calling ipactl start, expecting to have the same value.
|
||||
It should not compare the pid for ipa-dnskeysyncd as this service
|
||||
is automatically restarted upon failure.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9415
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_installation.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index 39fbff2b674296b0696defa7bac3efe35c89e0b7..68a442a9cd7746eec728ee38fda34dbc5361c59b 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -695,7 +695,7 @@ def get_pki_tomcatd_pid(host):
|
||||
def get_ipa_services_pids(host):
|
||||
ipa_services_name = [
|
||||
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
|
||||
- "pki_tomcatd", "ipa-dnskeysyncd"
|
||||
+ "pki_tomcatd"
|
||||
]
|
||||
pids_of_ipa_services = {}
|
||||
for name in ipa_services_name:
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,32 +0,0 @@
|
||||
From d83a4b0babdc7beb124d3748b5815ce309739eb7 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 13 Jun 2023 17:01:49 -0400
|
||||
Subject: [PATCH] Revert "cert_find: fix call with --all"
|
||||
|
||||
This reverts commit 1f30cc65276a532e7288217f216b72a2b0628c8f.
|
||||
|
||||
The problem isn't with python-cryptography, it is with the
|
||||
IPACertificate class which does way more work on a certificate
|
||||
than is necessary in cert-find.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9331
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/cert.py | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
||||
index 2e32f4ecd50ac92c28bcaffcebe9c2c87557858a..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644
|
||||
--- a/ipaserver/plugins/cert.py
|
||||
+++ b/ipaserver/plugins/cert.py
|
||||
@@ -1807,7 +1807,6 @@ class cert_find(Search, CertMethod):
|
||||
# For the case of CA-less we need to keep
|
||||
# the certificate because getting it again later
|
||||
# would require unnecessary LDAP searches.
|
||||
- cert = cert.to_cryptography()
|
||||
obj['certificate'] = (
|
||||
base64.b64encode(
|
||||
cert.public_bytes(x509.Encoding.DER))
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,88 @@
|
||||
From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 9 Oct 2023 13:54:17 +0200
|
||||
Subject: [PATCH] ipalib: fix the IPACertificate validity dates
|
||||
|
||||
The class IPACertificate builds objects from x509 Certificate
|
||||
objects and creates the not_valid_before and not_valid_after values
|
||||
by converting to a timestamp + applying timezone delta to UTC + reading
|
||||
from the timestamp. This results in applying twice the delta.
|
||||
|
||||
Use a simpler method that replaces the timezone info with UTC in the
|
||||
datetime object.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9462
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipalib/x509.py | 6 ++----
|
||||
ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++
|
||||
2 files changed, 27 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
||||
index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644
|
||||
--- a/ipalib/x509.py
|
||||
+++ b/ipalib/x509.py
|
||||
@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):
|
||||
|
||||
@property
|
||||
def not_valid_before(self):
|
||||
- return datetime.datetime.fromtimestamp(
|
||||
- self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
|
||||
+ return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
|
||||
|
||||
@property
|
||||
def not_valid_after(self):
|
||||
- return datetime.datetime.fromtimestamp(
|
||||
- self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
|
||||
+ return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
|
||||
|
||||
@property
|
||||
def tbs_certificate_bytes(self):
|
||||
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
|
||||
index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644
|
||||
--- a/ipatests/test_ipalib/test_x509.py
|
||||
+++ b/ipatests/test_ipalib/test_x509.py
|
||||
@@ -26,6 +26,7 @@ from binascii import hexlify
|
||||
from configparser import RawConfigParser
|
||||
import datetime
|
||||
from io import StringIO
|
||||
+import os
|
||||
import pickle
|
||||
|
||||
import pytest
|
||||
@@ -253,6 +254,30 @@ class test_x509:
|
||||
b'+\x06\x01\x05\x05\x07\x03\x01'
|
||||
)
|
||||
|
||||
+ def test_cert_with_timezone(self):
|
||||
+ """
|
||||
+ Test the not_before and not_after values in a diffent timezone
|
||||
+
|
||||
+ Test for https://pagure.io/freeipa/issue/9462
|
||||
+ """
|
||||
+ # Store initial timezone, then set to New York
|
||||
+ tz = os.environ.get('TZ', None)
|
||||
+ os.environ['TZ'] = 'America/New_York'
|
||||
+ # Load the cert, extract not before and not after
|
||||
+ cert = x509.load_pem_x509_certificate(goodcert_headers)
|
||||
+ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
|
||||
+ datetime.timezone.utc)
|
||||
+ not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
|
||||
+ datetime.timezone.utc)
|
||||
+ # Reset timezone to previous value
|
||||
+ if tz:
|
||||
+ os.environ['TZ'] = tz
|
||||
+ else:
|
||||
+ del os.environ['TZ']
|
||||
+ # ensure the timezone doesn't mess with not_before and not_after
|
||||
+ assert cert.not_valid_before == not_before
|
||||
+ assert cert.not_valid_after == not_after
|
||||
+
|
||||
def test_load_pkcs7_pem(self):
|
||||
certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
|
||||
assert len(certlist) == 1
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,135 @@
|
||||
From 9b0b723a0e62f18d41be53900ab8a3e710708563 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 18 May 2023 09:23:32 -0400
|
||||
Subject: [PATCH] Allow password policy minlength to be removed like other
|
||||
values
|
||||
|
||||
This is a side-effect of adding the libpwquality options. It
|
||||
imposes its own hardcoded minimum password length so some care
|
||||
was needed to ensure that it isn't set too low.
|
||||
|
||||
So if there are no libpwquality options used then it's fine to
|
||||
have no minlength in the policy.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9297
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/pwpolicy.py | 10 +++--
|
||||
ipatests/test_integration/test_pwpolicy.py | 45 +++++++++++++++++++++-
|
||||
2 files changed, 50 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
|
||||
index 5ea3e6b78c9ee98d204b8382fbed9e21edf51d10..15cfef45b69743c852e43d58b7428976b9e55681 100644
|
||||
--- a/ipaserver/plugins/pwpolicy.py
|
||||
+++ b/ipaserver/plugins/pwpolicy.py
|
||||
@@ -462,6 +462,7 @@ class pwpolicy(LDAPObject):
|
||||
return False
|
||||
|
||||
has_pwquality_value = False
|
||||
+ min_length = 0
|
||||
if not add:
|
||||
if len(keys) > 0:
|
||||
existing_entry = self.api.Command.pwpolicy_show(
|
||||
@@ -470,14 +471,15 @@ class pwpolicy(LDAPObject):
|
||||
existing_entry = self.api.Command.pwpolicy_show(
|
||||
all=True,)['result']
|
||||
existing_entry.update(entry_attrs)
|
||||
- min_length = int(get_val(existing_entry, 'krbpwdminlength'))
|
||||
-
|
||||
+ if existing_entry.get('krbpwdminlength'):
|
||||
+ min_length = int(get_val(existing_entry, 'krbpwdminlength'))
|
||||
has_pwquality_value = has_pwquality_set(existing_entry)
|
||||
else:
|
||||
- min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
|
||||
+ if entry_attrs.get('krbpwdminlength'):
|
||||
+ min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
|
||||
has_pwquality_value = has_pwquality_set(entry_attrs)
|
||||
|
||||
- if min_length and min_length < 6 and has_pwquality_value:
|
||||
+ if min_length < 6 and has_pwquality_value:
|
||||
raise errors.ValidationError(
|
||||
name='minlength',
|
||||
error=_('Minimum length must be >= 6 if maxrepeat, '
|
||||
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
|
||||
index 41d6e9070a90c2bde7b3182ad6ecf1a923bba203..652c95e47bdab8bbe137f660d0b2ea2c0496c53e 100644
|
||||
--- a/ipatests/test_integration/test_pwpolicy.py
|
||||
+++ b/ipatests/test_integration/test_pwpolicy.py
|
||||
@@ -36,7 +36,9 @@ class TestPWPolicy(IntegrationTest):
|
||||
cls.master.run_command(['ipa', 'group-add-member', POLICY,
|
||||
'--users', USER])
|
||||
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
|
||||
- '--priority', '1', '--gracelimit', '-1'])
|
||||
+ '--priority', '1',
|
||||
+ '--gracelimit', '-1',
|
||||
+ '--minlength', '6'])
|
||||
cls.master.run_command(['ipa', 'passwd', USER],
|
||||
stdin_text='{password}\n{password}\n'.format(
|
||||
password=PASSWORD
|
||||
@@ -92,6 +94,12 @@ class TestPWPolicy(IntegrationTest):
|
||||
"--minlength", "0",
|
||||
"--minclasses", "0",],
|
||||
)
|
||||
+ # minlength => 6 is required for any of the libpwquality settings
|
||||
+ self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY,
|
||||
+ "--minlength", "6"],
|
||||
+ raiseonerr=False,
|
||||
+ )
|
||||
|
||||
@pytest.fixture
|
||||
def reset_pwpolicy(self):
|
||||
@@ -212,6 +220,7 @@ class TestPWPolicy(IntegrationTest):
|
||||
assert 'Password is too simple' in \
|
||||
result.stdout_text
|
||||
|
||||
+ self.reset_password(self.master)
|
||||
# test with valid password
|
||||
for valid in ('Passw0rd', 'password1!', 'Password!'):
|
||||
self.kinit_as_user(self.master, PASSWORD, valid)
|
||||
@@ -252,6 +261,40 @@ class TestPWPolicy(IntegrationTest):
|
||||
assert result.returncode != 0
|
||||
assert 'minlength' in result.stderr_text
|
||||
|
||||
+ def test_minlength_empty(self, reset_pwpolicy):
|
||||
+ """Test that the pwpolicy minlength can be blank
|
||||
+ """
|
||||
+ # Ensure it is set to a non-zero value to avoid EmptyModlist
|
||||
+ self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY,
|
||||
+ "--minlength", "10",]
|
||||
+ )
|
||||
+ # Enable one of the libpwquality options, removing minlength
|
||||
+ # should fail.
|
||||
+ self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY,
|
||||
+ "--maxrepeat", "4",]
|
||||
+ )
|
||||
+ result = self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY,
|
||||
+ "--minlength", "",], raiseonerr=False
|
||||
+ )
|
||||
+ assert result.returncode != 0
|
||||
+
|
||||
+ # Remove the blocking value
|
||||
+ self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY,
|
||||
+ "--maxrepeat", "",]
|
||||
+ )
|
||||
+
|
||||
+ # Now erase it
|
||||
+ result = self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY,
|
||||
+ "--minlength", "",]
|
||||
+ )
|
||||
+ assert result.returncode == 0
|
||||
+ assert 'minlength' not in result.stderr_text
|
||||
+
|
||||
def test_minlength_add(self):
|
||||
"""Test that adding a new policy with minlength is caught.
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,115 +0,0 @@
|
||||
From d9aa75459d650e5282a160a3eef09ed175dc5b51 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 7 Jun 2023 11:44:05 -0400
|
||||
Subject: [PATCH] Use the python-cryptography parser directly in cert-find
|
||||
|
||||
cert-find is a rather complex beast because it not only
|
||||
looks for certificates in the optional CA but within the
|
||||
IPA LDAP database as well. It has a process to deduplicate
|
||||
the certificates since any PKI issued certificates will
|
||||
also be associated with an IPA record.
|
||||
|
||||
In order to obtain the data to deduplicate the certificates
|
||||
the cert from LDAP must be parser for issuer and serial number.
|
||||
ipaldap has automation to determine the datatype of an
|
||||
attribute and will use the ipalib.x509 IPACertificate class to
|
||||
decode a certificate automatically if you access
|
||||
entry['usercertificate'].
|
||||
|
||||
The downside is that this is comparatively slow. Here is the
|
||||
parse time in microseconds:
|
||||
|
||||
cryptography 0.0081
|
||||
OpenSSL.crypto 0.2271
|
||||
ipalib.x509 2.6814
|
||||
|
||||
Since only issuer and subject are required there is no need to
|
||||
make the expensive IPACertificate call.
|
||||
|
||||
The IPACertificate parsing time is fine if you're parsing one
|
||||
certificate but if the LDAP search returns a lot of certificates,
|
||||
say in the thousands, then those microseconds add up quickly.
|
||||
In testing it took ~17 seconds to parse 5k certificates (excluding
|
||||
transmission overhead, etc).
|
||||
|
||||
cert-find when there are a lot of certificates has been
|
||||
historically slow. It isn't related to the CA which returns
|
||||
large sets (well, 5k anyway) in a second or two. It was the
|
||||
LDAP comparision adding tens of seconds to the runtime.
|
||||
|
||||
When searching with the default sizelimit of 100 the time is
|
||||
~10s without this patch. With it the time is 1.5s.
|
||||
|
||||
CLI times from before and after searching for all certs:
|
||||
|
||||
original:
|
||||
|
||||
-------------------------------
|
||||
Number of entries returned 5038
|
||||
-------------------------------
|
||||
real 0m15.507s
|
||||
user 0m0.828s
|
||||
sys 0m0.241s
|
||||
|
||||
using cryptography:
|
||||
|
||||
real 0m4.037s
|
||||
user 0m0.816s
|
||||
sys 0m0.193s
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9331
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/cert.py | 3 ++-
|
||||
ipatests/test_xmlrpc/test_cert_plugin.py | 12 +++++++++++-
|
||||
2 files changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
||||
index 36a0e8cb31b4dbdd9bff09165d1d8aa203936d37..4fb85069a835d94969c9d05789714345ecc60e2e 100644
|
||||
--- a/ipaserver/plugins/cert.py
|
||||
+++ b/ipaserver/plugins/cert.py
|
||||
@@ -1795,7 +1795,8 @@ class cert_find(Search, CertMethod):
|
||||
ca_enabled = getattr(context, 'ca_enabled')
|
||||
for entry in entries:
|
||||
for attr in ('usercertificate', 'usercertificate;binary'):
|
||||
- for cert in entry.get(attr, []):
|
||||
+ for der in entry.raw.get(attr, []):
|
||||
+ cert = cryptography.x509.load_der_x509_certificate(der)
|
||||
cert_key = self._get_cert_key(cert)
|
||||
try:
|
||||
obj = result[cert_key]
|
||||
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
|
||||
index 433cebcd79f792e5c97307c6d599e50855ff4151..583c67fd942a61f42e578cc51a0e456cacf9a5e5 100644
|
||||
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
|
||||
@@ -254,6 +254,16 @@ class test_cert(BaseCert):
|
||||
result = _emails_are_valid(email_addrs, [])
|
||||
assert not result
|
||||
|
||||
+ def test_00012_cert_find_all(self):
|
||||
+ """
|
||||
+ Test that cert-find --all returns successfully.
|
||||
+
|
||||
+ We don't know how many we'll get but there should be at least 10
|
||||
+ by default.
|
||||
+ """
|
||||
+ res = api.Command['cert_find'](all=True)
|
||||
+ assert 'count' in res and res['count'] >= 10
|
||||
+
|
||||
def test_99999_cleanup(self):
|
||||
"""
|
||||
Clean up cert test data
|
||||
@@ -283,7 +293,7 @@ class test_cert_find(XMLRPC_test):
|
||||
|
||||
short = api.env.host.split('.', maxsplit=1)[0]
|
||||
|
||||
- def test_0001_find_all(self):
|
||||
+ def test_0001_find_all_certs(self):
|
||||
"""
|
||||
Search for all certificates.
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,38 +0,0 @@
|
||||
From f25003a730c0e28c22fae5fce607df734b55525c Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 19 Jun 2023 19:01:25 +0200
|
||||
Subject: [PATCH] Upgrade: add PKI drop-in file if missing
|
||||
|
||||
During the installation of IPA server, the installer adds a drop-in
|
||||
file in /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
|
||||
that ensures the CA is reachable before the start command returns.
|
||||
If the file is missing (for instance because the server was installed
|
||||
with an old version before this drop-in was created), the upgrade
|
||||
should add the file.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9381
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/install/server/upgrade.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
||||
index f8701c8a0d43c7c1c1090e8576976b1c370b0104..8f3d57353605f28103c69cb0a34bf1c16fc4ae19 100644
|
||||
--- a/ipaserver/install/server/upgrade.py
|
||||
+++ b/ipaserver/install/server/upgrade.py
|
||||
@@ -1742,6 +1742,10 @@ def upgrade_configuration():
|
||||
os.path.join(paths.USR_SHARE_IPA_DIR,
|
||||
"ipa-kdc-proxy.conf.template"))
|
||||
if ca.is_configured():
|
||||
+ # Ensure that the drop-in file is present
|
||||
+ if not os.path.isfile(paths.SYSTEMD_PKI_TOMCAT_IPA_CONF):
|
||||
+ ca.add_ipa_wait()
|
||||
+
|
||||
# Handle upgrade of AJP connector configuration
|
||||
rewrite = ca.secure_ajp_connector()
|
||||
if ca.ajp_secret:
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,70 @@
|
||||
From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Tue, 10 Oct 2023 15:22:27 +0530
|
||||
Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy
|
||||
|
||||
1. test_certmonger_reads_token_HSM test in test_installaton.py
|
||||
is failing in FIPS/STIG mode with the below error.
|
||||
|
||||
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
|
||||
Error attempting to import private key in STIG mode
|
||||
|
||||
2. Adding the posfix config change, because there was a crash
|
||||
seen in smtpd in FIPS mode.
|
||||
|
||||
ie. postconf -e smtpd_tls_fingerprint_digest=sha256
|
||||
|
||||
KCS: https://access.redhat.com/solutions/6958957
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_epn.py | 4 +++-
|
||||
ipatests/test_integration/test_installation.py | 2 ++
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
|
||||
index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644
|
||||
--- a/ipatests/test_integration/test_epn.py
|
||||
+++ b/ipatests/test_integration/test_epn.py
|
||||
@@ -180,7 +180,6 @@ def configure_starttls(host):
|
||||
postconf(host, 'smtpd_tls_session_cache_timeout = 3600s')
|
||||
# announce STARTTLS support to remote SMTP clients, not require
|
||||
postconf(host, 'smtpd_tls_security_level = may')
|
||||
-
|
||||
host.run_command(["systemctl", "restart", "postfix"])
|
||||
|
||||
|
||||
@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host):
|
||||
# CA certificates of root CAs trusted to sign remote SMTP client cert
|
||||
postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}")
|
||||
|
||||
+ if host.is_fips_mode:
|
||||
+ postconf(host, 'smtpd_tls_fingerprint_digest = sha256')
|
||||
+
|
||||
host.run_command(["systemctl", "restart", "postfix"])
|
||||
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||
from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
||||
+from ipatests.pytest_ipa.integration import skip_if_fips
|
||||
from ipaplatform import services
|
||||
|
||||
|
||||
@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest):
|
||||
tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
|
||||
tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
|
||||
|
||||
+ @skip_if_fips()
|
||||
def test_certmonger_reads_token_HSM(self):
|
||||
"""Test if certmonger reads the token in HSM
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,53 +0,0 @@
|
||||
From 392e60e3fa0e39a2e364268a21d869a2f3a85905 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 19 Jun 2023 19:04:32 +0200
|
||||
Subject: [PATCH] Integration test: add a test for upgrade and PKI drop-in file
|
||||
|
||||
Add an upgrade test with the following scenario:
|
||||
- remove PKI drop-in file (to simulate an upgrade from an old
|
||||
version)
|
||||
- remove caECServerCertWithSCT profile from LDAP
|
||||
- launch the ipa-server-upgrade command
|
||||
- check that the upgrade added the file
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9381
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_upgrade.py | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
|
||||
index 9203503cdccf4478f9864bd487e458761e9a2a2f..182e3b5da3c758cc10913ad4eed119b0983fcc23 100644
|
||||
--- a/ipatests/test_integration/test_upgrade.py
|
||||
+++ b/ipatests/test_integration/test_upgrade.py
|
||||
@@ -455,3 +455,25 @@ class TestUpgrade(IntegrationTest):
|
||||
assert 'tXTRecord' in location_krb_rec
|
||||
assert len(location_krb_rec['tXTRecord']) == 1
|
||||
assert location_krb_rec['tXTRecord'][0] == f'"{realm}"'
|
||||
+
|
||||
+ def test_pki_dropin_file(self):
|
||||
+ """Test that upgrade adds the drop-in file if missing
|
||||
+
|
||||
+ Test for ticket 9381
|
||||
+ Simulate an update from a version that didn't provide
|
||||
+ /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf,
|
||||
+ remove one of the certificate profiles from LDAP and check that upgrade
|
||||
+ completes successfully and adds the missing file.
|
||||
+ When the drop-in file is missing, the upgrade tries to login to
|
||||
+ PKI in order to migrate the profile and fails because PKI failed to
|
||||
+ start.
|
||||
+ """
|
||||
+ self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF])
|
||||
+ ldif = textwrap.dedent("""
|
||||
+ dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca
|
||||
+ changetype: delete
|
||||
+ """)
|
||||
+ tasks.ldapmodify_dm(self.master, ldif)
|
||||
+ self.master.run_command(['ipa-server-upgrade'])
|
||||
+ assert self.master.transport.file_exists(
|
||||
+ paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,50 @@
|
||||
From d4271391adc45c781092db0fb89b802743a9dda8 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 11 Sep 2023 21:37:05 +0000
|
||||
Subject: [PATCH] The PKI JSON API the revocation reason key may be
|
||||
case-sensitive
|
||||
|
||||
PKI 11.4.0 changed the reason keyword in the REST API from lower-case
|
||||
to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6
|
||||
|
||||
Use Reason instead of reason as the keyword for revocations
|
||||
for PKI 11.4.0+
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9345
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/dogtag.py | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
||||
index 1c2c51824eecb71cfa8146ceb30435c5ad5d79c7..0036803c86652b557ebeb3cd048877bc01a6b71a 100644
|
||||
--- a/ipaserver/plugins/dogtag.py
|
||||
+++ b/ipaserver/plugins/dogtag.py
|
||||
@@ -274,6 +274,8 @@ if six.PY3:
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
+pki_version = pki.util.Version(pki.specification_version())
|
||||
+
|
||||
# These are general status return values used when
|
||||
# CMSServlet.outputError() is invoked.
|
||||
CMS_SUCCESS = 0
|
||||
@@ -1130,7 +1132,11 @@ class ra(rabase.rabase, RestClient):
|
||||
serial_number = int(serial_number, 0)
|
||||
|
||||
path = 'agent/certs/{}/revoke'.format(serial_number)
|
||||
- data = '{{"reason":"{}"}}'.format(reasons[revocation_reason])
|
||||
+ if pki_version < pki.util.Version("11.4.0"):
|
||||
+ keyword = "reason"
|
||||
+ else:
|
||||
+ keyword = "Reason"
|
||||
+ data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
|
||||
|
||||
http_status, _http_headers, http_body = self._ssldo(
|
||||
'POST', path,
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,129 +0,0 @@
|
||||
From f93a6d3ff52247ce5e582816fec689b8901fc984 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 14 Jun 2023 15:12:39 +0200
|
||||
Subject: [PATCH] Uninstaller: uninstall PKI before shutting down services
|
||||
|
||||
The uninstaller is stopping all the services before
|
||||
calling pkidestroy to uninstall the CA.
|
||||
With PKI 11.4+ this sequence fails as pkidestroy tries
|
||||
to connect to PKI server in order to unregister from the
|
||||
security domain. The error interrupts the full completion
|
||||
of pkidestroy, is logged but doesn't make ipa uninstallation
|
||||
fail.
|
||||
The issue is that trying to re-install later on would fail because
|
||||
pkidestroy did not completely uninstall the CA.
|
||||
|
||||
To avoid this, call pkidestroy before shutting down the services.
|
||||
Also add an uninstall_check method that restarts IPA if it is
|
||||
not running, and use pkidestroy --force to make sure that PKI
|
||||
is uninstalled even if restart failed.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9330
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/install/ca.py | 18 ++++++++++++++++++
|
||||
ipaserver/install/dogtaginstance.py | 2 +-
|
||||
ipaserver/install/kra.py | 2 ++
|
||||
ipaserver/install/server/install.py | 8 +++++---
|
||||
4 files changed, 26 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
||||
index be0e732e8ff6966ccc0077d9339f9f0bc66ae6ec..c93ae1fce4c8848d493677eafee7952740e51631 100644
|
||||
--- a/ipaserver/install/ca.py
|
||||
+++ b/ipaserver/install/ca.py
|
||||
@@ -169,6 +169,24 @@ def print_ca_configuration(options):
|
||||
|
||||
|
||||
def uninstall_check(options):
|
||||
+ """IPA needs to be running so pkidestroy can unregister CA"""
|
||||
+ ca = cainstance.CAInstance(api.env.realm)
|
||||
+ if not ca.is_installed():
|
||||
+ return
|
||||
+
|
||||
+ result = ipautil.run([paths.IPACTL, 'status'],
|
||||
+ raiseonerr=False)
|
||||
+
|
||||
+ if result.returncode not in [0, 4]:
|
||||
+ try:
|
||||
+ logger.info(
|
||||
+ "Starting services to unregister CA from security domain")
|
||||
+ ipautil.run([paths.IPACTL, 'start'])
|
||||
+ except Exception:
|
||||
+ logger.info("Re-starting IPA failed, continuing uninstall")
|
||||
+
|
||||
+
|
||||
+def uninstall_crl_check(options):
|
||||
"""Check if the host is CRL generation master"""
|
||||
# Skip the checks if the host is not a CA instance
|
||||
ca = cainstance.CAInstance(api.env.realm)
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index c2c6b3f49243f096448c178fafd09f429f0f46c8..4967aca01807e58dfcc3157af10b92eff5dba206 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -305,7 +305,7 @@ class DogtagInstance(service.Service):
|
||||
self.print_msg("Unconfiguring %s" % self.subsystem)
|
||||
|
||||
args = [paths.PKIDESTROY,
|
||||
- "-i", "pki-tomcat",
|
||||
+ "-i", "pki-tomcat", "--force",
|
||||
"-s", self.subsystem]
|
||||
|
||||
# specify --log-file <path> on PKI 11.0.0 or later
|
||||
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
|
||||
index 857c5165b808baee3f0815e78828fb899eb78a2d..59cbda812a853997752f7d932e0690e3a950aa1f 100644
|
||||
--- a/ipaserver/install/kra.py
|
||||
+++ b/ipaserver/install/kra.py
|
||||
@@ -132,6 +132,8 @@ def uninstall_check(options):
|
||||
|
||||
if result.returncode not in [0, 4]:
|
||||
try:
|
||||
+ logger.info(
|
||||
+ "Starting services to unregister KRA from security domain")
|
||||
ipautil.run([paths.IPACTL, 'start'])
|
||||
except Exception:
|
||||
logger.info("Re-starting IPA failed, continuing uninstall")
|
||||
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
||||
index 4e4076410f1c1af188a0ab3606ef13be39702b7d..ccb958232935de2166f2d4867b626f59d7ba5333 100644
|
||||
--- a/ipaserver/install/server/install.py
|
||||
+++ b/ipaserver/install/server/install.py
|
||||
@@ -1110,6 +1110,7 @@ def uninstall_check(installer):
|
||||
raise ScriptError("Aborting uninstall operation.")
|
||||
|
||||
kra.uninstall_check(options)
|
||||
+ ca.uninstall_check(options)
|
||||
|
||||
try:
|
||||
api.Backend.ldap2.connect(autobind=True)
|
||||
@@ -1132,7 +1133,7 @@ def uninstall_check(installer):
|
||||
else:
|
||||
dns.uninstall_check(options)
|
||||
|
||||
- ca.uninstall_check(options)
|
||||
+ ca.uninstall_crl_check(options)
|
||||
|
||||
cleanup_dogtag_server_specific_data()
|
||||
|
||||
@@ -1181,6 +1182,9 @@ def uninstall(installer):
|
||||
# Uninstall the KRA prior to shutting the services down so it
|
||||
# can un-register with the CA.
|
||||
kra.uninstall()
|
||||
+ # Uninstall the CA priori to shutting the services down so it
|
||||
+ # can unregister from the security domain
|
||||
+ ca.uninstall()
|
||||
|
||||
print("Shutting down all IPA services")
|
||||
try:
|
||||
@@ -1194,8 +1198,6 @@ def uninstall(installer):
|
||||
|
||||
restore_time_sync(sstore, fstore)
|
||||
|
||||
- ca.uninstall()
|
||||
-
|
||||
dns.uninstall()
|
||||
|
||||
httpinstance.HTTPInstance(fstore).uninstall()
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,102 @@
|
||||
From 0539d97f3e9d2b7d80549ff08d78fe55afcc2dbb Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 26 Oct 2023 13:59:21 -0400
|
||||
Subject: [PATCH] WIP: Get the PKI version from the remote to determine the
|
||||
argument
|
||||
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/dogtag.py | 55 ++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 48 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
||||
index 0036803c86652b557ebeb3cd048877bc01a6b71a..7cd51ae58ae0edfe69f0ac7fa190290e2669b0d2 100644
|
||||
--- a/ipaserver/plugins/dogtag.py
|
||||
+++ b/ipaserver/plugins/dogtag.py
|
||||
@@ -274,8 +274,6 @@ if six.PY3:
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
-pki_version = pki.util.Version(pki.specification_version())
|
||||
-
|
||||
# These are general status return values used when
|
||||
# CMSServlet.outputError() is invoked.
|
||||
CMS_SUCCESS = 0
|
||||
@@ -1059,6 +1057,39 @@ class ra(rabase.rabase, RestClient):
|
||||
|
||||
return cmd_result
|
||||
|
||||
+ def get_pki_version(self):
|
||||
+ """
|
||||
+ Retrieve the version of a remote PKI server.
|
||||
+
|
||||
+ The REST API request is a GET to the info URI:
|
||||
+ GET /pki/rest/info HTTP/1.1
|
||||
+
|
||||
+ The response is: {"Version":"11.5.0","Attributes":{"Attribute":[]}}
|
||||
+ """
|
||||
+ path = "/pki/rest/info"
|
||||
+ logger.debug('%s.get_pki_version()', type(self).__name__)
|
||||
+ http_status, _http_headers, http_body = self._ssldo(
|
||||
+ 'GET', path,
|
||||
+ headers={
|
||||
+ 'Content-Type': 'application/json',
|
||||
+ 'Accept': 'application/json',
|
||||
+ },
|
||||
+ use_session=False,
|
||||
+ )
|
||||
+ if http_status != 200:
|
||||
+ self.raise_certificate_operation_error('get_pki_version',
|
||||
+ detail=http_status)
|
||||
+
|
||||
+ try:
|
||||
+ response = json.loads(ipautil.decode_json(http_body))
|
||||
+ except ValueError as e:
|
||||
+ logger.debug("Response from CA was not valid JSON: %s", e)
|
||||
+ raise errors.RemoteRetrieveError(
|
||||
+ reason=_("Response from CA was not valid JSON")
|
||||
+ )
|
||||
+
|
||||
+ return response.get('Version')
|
||||
+
|
||||
|
||||
def revoke_certificate(self, serial_number, revocation_reason=0):
|
||||
"""
|
||||
@@ -1125,6 +1156,20 @@ class ra(rabase.rabase, RestClient):
|
||||
detail='7 is not a valid revocation reason'
|
||||
)
|
||||
|
||||
+ # dogtag changed the argument case for revocation from
|
||||
+ # "reason" to "Reason" in PKI 11.4.0. Detect that change
|
||||
+ # based on the remote version and pass the expected value
|
||||
+ # in.
|
||||
+ pki_version = pki.util.Version(self.get_pki_version())
|
||||
+ if pki_version is None:
|
||||
+ self.raise_certificate_operation_error('revoke_certificate',
|
||||
+ detail="Remove version not "
|
||||
+ "detected")
|
||||
+ if pki_version < pki.util.Version("11.4.0"):
|
||||
+ reason = "reason"
|
||||
+ else:
|
||||
+ reason = "Reason"
|
||||
+
|
||||
# Convert serial number to integral type from string to properly handle
|
||||
# radix issues. Note: the int object constructor will properly handle
|
||||
# large magnitude integral values by returning a Python long type
|
||||
@@ -1132,11 +1177,7 @@ class ra(rabase.rabase, RestClient):
|
||||
serial_number = int(serial_number, 0)
|
||||
|
||||
path = 'agent/certs/{}/revoke'.format(serial_number)
|
||||
- if pki_version < pki.util.Version("11.4.0"):
|
||||
- keyword = "reason"
|
||||
- else:
|
||||
- keyword = "Reason"
|
||||
- data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason])
|
||||
+ data = '{{"{}":"{}"}}'.format(reason, reasons[revocation_reason])
|
||||
|
||||
http_status, _http_headers, http_body = self._ssldo(
|
||||
'POST', path,
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,44 +0,0 @@
|
||||
From b9a07b1e97ee4e310b50860103872685da540da4 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 19 Jun 2023 15:40:39 +0200
|
||||
Subject: [PATCH] Detection of PKI subsystem
|
||||
|
||||
In order to know if ca/kra is installed locally, the code
|
||||
is calling pki-server subsystem-show _subsystem_
|
||||
and ensures that "Enabled: True" is in the output.
|
||||
|
||||
If a subsystem fails to start, the command returns
|
||||
"Enabled: False" but it doesn't mean that the subsystem
|
||||
is not installed, it just means that it is not active
|
||||
right now.
|
||||
Same output if the subsystem has been disabled with
|
||||
pki-server subsystem-disable _subsystem_.
|
||||
|
||||
The correct way to check if a subsystem is installed is to
|
||||
ensure that subsystem-show does not exit on error and
|
||||
contains "Enabled: ", whatever the value.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9330
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/install/dogtaginstance.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index 4967aca01807e58dfcc3157af10b92eff5dba206..7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -184,7 +184,7 @@ class DogtagInstance(service.Service):
|
||||
['pki-server', 'subsystem-show', self.subsystem.lower()],
|
||||
capture_output=True)
|
||||
# parse the command output
|
||||
- return 'Enabled: True' in result.output
|
||||
+ return 'Enabled: ' in result.output
|
||||
except ipautil.CalledProcessError:
|
||||
return False
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,48 @@
|
||||
From 411107e1d1fa64b15978b7c69522613fbf3aa827 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 29 Sep 2023 10:31:00 +0200
|
||||
Subject: [PATCH] ipatests: fix expected output for
|
||||
ipahealthcheck.meta.services
|
||||
|
||||
ipa-healthcheck commit 31be12b introduced a change in the output
|
||||
message when pki-tomcatd is not running.
|
||||
With versions <= 0.12, the service name is displayed as
|
||||
pki_tomcatd (with an underscore), but with 0.13+ it is
|
||||
pki-tomcatd (with a dash).
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9460
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 35fcfe10508589ded021207a4eba4fb0143495b4..5d79f2b529e819a291228776c4cc278463f02e59 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -454,6 +454,11 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
assert data[0]["result"] == "SUCCESS"
|
||||
assert data[0]["kw"]["status"] is True
|
||||
|
||||
+ version = tasks.get_healthcheck_version(self.master)
|
||||
+ # With healthcheck newer versions, the error msg for PKI tomcat
|
||||
+ # contains the string pki-tomcatd instead of pki_tomcatd
|
||||
+ always_replace = parse_version(version) >= parse_version("0.13")
|
||||
+
|
||||
for service in svc_list:
|
||||
restart_service(self.master, service)
|
||||
returncode, data = run_healthcheck(
|
||||
@@ -466,7 +471,7 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
for check in data:
|
||||
if check["check"] != service:
|
||||
continue
|
||||
- if service != 'pki_tomcatd':
|
||||
+ if service != 'pki_tomcatd' or always_replace:
|
||||
service = service.replace('_', '-')
|
||||
assert check["result"] == "ERROR"
|
||||
assert check["kw"]["msg"] == "%s: not running" % service
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,164 +0,0 @@
|
||||
From ad77c4c6512f82019d1970d910647761b60aaedb Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 19 Jun 2023 10:36:29 +0200
|
||||
Subject: [PATCH] Upgrade: fix replica agreement
|
||||
|
||||
The upgrade checks the replication agreements to ensure that
|
||||
some attributes are excluded from replication. The agreements
|
||||
are stored in entries like
|
||||
cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
|
||||
but those entries are managed by the replication topology plugin
|
||||
and should not be updated directly. The consequence is that the update
|
||||
of the attributes fails and ipa-server-update prints an error message:
|
||||
|
||||
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
|
||||
to perform: Entry and attributes are managed by topology plugin.No direct
|
||||
modifications allowed.
|
||||
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
|
||||
unwilling to perform: Entry and attributes are managed by topology
|
||||
plugin.No direct modifications allowed.
|
||||
|
||||
The upgrade continues but the replication is not excluding
|
||||
passwordgraceusertime.
|
||||
|
||||
Instead of editing the agreements, perform the modifications on
|
||||
the topology segments.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9385
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
.../install/plugins/fix_replica_agreements.py | 80 +++++++++----------
|
||||
1 file changed, 38 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/plugins/fix_replica_agreements.py b/ipaserver/install/plugins/fix_replica_agreements.py
|
||||
index c0cdd3eb19c486121f727476360ce421b1d82728..d963753d0bf9ee65285a86fa9a249198c28a66e2 100644
|
||||
--- a/ipaserver/install/plugins/fix_replica_agreements.py
|
||||
+++ b/ipaserver/install/plugins/fix_replica_agreements.py
|
||||
@@ -22,6 +22,7 @@ import logging
|
||||
from ipaserver.install import replication
|
||||
from ipalib import Registry
|
||||
from ipalib import Updater
|
||||
+from ipalib import errors
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -41,35 +42,42 @@ class update_replica_attribute_lists(Updater):
|
||||
def execute(self, **options):
|
||||
# We need an LDAPClient connection to the backend
|
||||
logger.debug("Start replication agreement exclude list update task")
|
||||
- conn = self.api.Backend.ldap2
|
||||
|
||||
- repl = replication.ReplicationManager(self.api.env.realm,
|
||||
- self.api.env.host,
|
||||
- None, conn=conn)
|
||||
-
|
||||
- # We need to update only IPA replica agreements, not winsync
|
||||
- ipa_replicas = repl.find_ipa_replication_agreements()
|
||||
-
|
||||
- logger.debug("Found %d agreement(s)", len(ipa_replicas))
|
||||
-
|
||||
- for replica in ipa_replicas:
|
||||
- for desc in replica.get('description', []):
|
||||
- logger.debug('%s', desc)
|
||||
-
|
||||
- self._update_attr(repl, replica,
|
||||
- 'nsDS5ReplicatedAttributeList',
|
||||
- replication.EXCLUDES, template=EXCLUDE_TEMPLATE)
|
||||
- self._update_attr(repl, replica,
|
||||
- 'nsDS5ReplicatedAttributeListTotal',
|
||||
- replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE)
|
||||
- self._update_attr(repl, replica,
|
||||
- 'nsds5ReplicaStripAttrs', replication.STRIP_ATTRS)
|
||||
+ # Find suffixes
|
||||
+ suffixes = self.api.Command.topologysuffix_find()['result']
|
||||
+ for suffix in suffixes:
|
||||
+ suffix_name = suffix['cn'][0]
|
||||
+ # Find segments
|
||||
+ sgmts = self.api.Command.topologysegment_find(
|
||||
+ suffix_name, all=True)['result']
|
||||
+ for segment in sgmts:
|
||||
+ updates = {}
|
||||
+ updates = self._update_attr(
|
||||
+ segment, updates,
|
||||
+ 'nsds5replicatedattributelist',
|
||||
+ replication.EXCLUDES, template=EXCLUDE_TEMPLATE)
|
||||
+ updates = self._update_attr(
|
||||
+ segment, updates,
|
||||
+ 'nsds5replicatedattributelisttotal',
|
||||
+ replication.TOTAL_EXCLUDES, template=EXCLUDE_TEMPLATE)
|
||||
+ updates = self._update_attr(
|
||||
+ segment, updates,
|
||||
+ 'nsds5replicastripattrs', replication.STRIP_ATTRS)
|
||||
+ if updates:
|
||||
+ try:
|
||||
+ self.api.Command.topologysegment_mod(
|
||||
+ suffix_name, segment['cn'][0],
|
||||
+ **updates)
|
||||
+ except errors.EmptyModlist:
|
||||
+ # No update done
|
||||
+ logger.debug("No update required for the segment %s",
|
||||
+ segment['cn'][0])
|
||||
|
||||
logger.debug("Done updating agreements")
|
||||
|
||||
return False, [] # No restart, no updates
|
||||
|
||||
- def _update_attr(self, repl, replica, attribute, values, template='%s'):
|
||||
+ def _update_attr(self, segment, updates, attribute, values, template='%s'):
|
||||
"""Add or update an attribute of a replication agreement
|
||||
|
||||
If the attribute doesn't already exist, it is added and set to
|
||||
@@ -77,27 +85,21 @@ class update_replica_attribute_lists(Updater):
|
||||
If the attribute does exist, `values` missing from it are just
|
||||
appended to the end, also space-separated.
|
||||
|
||||
- :param repl: Replication manager
|
||||
- :param replica: Replica agreement
|
||||
+ :param: updates: dict containing the updates
|
||||
+ :param segment: dict containing segment information
|
||||
:param attribute: Attribute to add or update
|
||||
:param values: List of values the attribute should hold
|
||||
:param template: Template to use when adding attribute
|
||||
"""
|
||||
- attrlist = replica.single_value.get(attribute)
|
||||
+ attrlist = segment.get(attribute)
|
||||
if attrlist is None:
|
||||
logger.debug("Adding %s", attribute)
|
||||
|
||||
# Need to add it altogether
|
||||
- replica[attribute] = [template % " ".join(values)]
|
||||
-
|
||||
- try:
|
||||
- repl.conn.update_entry(replica)
|
||||
- logger.debug("Updated")
|
||||
- except Exception as e:
|
||||
- logger.error("Error caught updating replica: %s", str(e))
|
||||
+ updates[attribute] = template % " ".join(values)
|
||||
|
||||
else:
|
||||
- attrlist_normalized = attrlist.lower().split()
|
||||
+ attrlist_normalized = attrlist[0].lower().split()
|
||||
missing = [a for a in values
|
||||
if a.lower() not in attrlist_normalized]
|
||||
|
||||
@@ -105,14 +107,8 @@ class update_replica_attribute_lists(Updater):
|
||||
logger.debug("%s needs updating (missing: %s)", attribute,
|
||||
', '.join(missing))
|
||||
|
||||
- replica[attribute] = [
|
||||
- '%s %s' % (attrlist, ' '.join(missing))]
|
||||
+ updates[attribute] = '%s %s' % (attrlist[0], ' '.join(missing))
|
||||
|
||||
- try:
|
||||
- repl.conn.update_entry(replica)
|
||||
- logger.debug("Updated %s", attribute)
|
||||
- except Exception as e:
|
||||
- logger.error("Error caught updating %s: %s",
|
||||
- attribute, str(e))
|
||||
else:
|
||||
logger.debug("%s: No update necessary", attribute)
|
||||
+ return updates
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 9bc582a2d78fd3ff9e70fa927b87ab06dcb7c9ae Mon Sep 17 00:00:00 2001
|
||||
From 7e76329f76b7605ac6ec255c53b3c15d368a63f7 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Nov 17 2023 09:08:44 +0000
|
||||
Subject: ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
|
||||
|
||||
Date: Mon, 13 Nov 2023 09:48:09 -0500
|
||||
Subject: [PATCH] ipatests: ignore nsslapd-accesslog-logbuffering WARN in
|
||||
healthcheck
|
||||
|
||||
Log buffering is disabled in the integration tests so we can have all
|
||||
the logs at the end. This is causing a warning to show in the 389-ds
|
||||
@ -19,15 +19,18 @@ Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipahealthcheck.py | 28 +++++++++++++++++++
|
||||
.../test_replica_promotion.py | 5 +++-
|
||||
2 files changed, 32 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 5d79f2b..278f75a 100644
|
||||
index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e3178fef2518 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -10,6 +10,7 @@ from __future__ import absolute_import
|
||||
|
||||
from configparser import RawConfigParser, NoOptionError
|
||||
from datetime import datetime, timedelta
|
||||
from datetime import datetime, timedelta, timezone
|
||||
UTC = timezone.utc
|
||||
+import io
|
||||
import json
|
||||
import os
|
||||
@ -102,7 +105,7 @@ index 5d79f2b..278f75a 100644
|
||||
def test_indent(self):
|
||||
"""
|
||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||
index d477c3a..b71f2d5 100644
|
||||
index d477c3a20df80f16d47a55c9359ce165049dd907..b71f2d5d7e1517ab73d79b62477a3377839b0b7a 100644
|
||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||
@@ -13,7 +13,7 @@ import pytest
|
||||
@ -124,4 +127,6 @@ index d477c3a..b71f2d5 100644
|
||||
def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
|
||||
domain = DNSName(self.master.domain.name).make_absolute()
|
||||
rset = [
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,69 +0,0 @@
|
||||
From 3b58487c7b2f8ac133e37e8f90f85ff2fb05bf34 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 19 Jun 2023 10:36:59 +0200
|
||||
Subject: [PATCH] Integration tests: add a test to ipa-server-upgrade
|
||||
|
||||
Add an integration test ensuring that the upgrade
|
||||
properly updates the attributes to be excluded from
|
||||
replication.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9385
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
.../test_simple_replication.py | 30 +++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
|
||||
index 17092a49966e61d5a4a9b04c15abcb1de8be9683..d1e65ef7cc3e748670f2cdebe2a5cb7172af27f0 100644
|
||||
--- a/ipatests/test_integration/test_simple_replication.py
|
||||
+++ b/ipatests/test_integration/test_simple_replication.py
|
||||
@@ -23,8 +23,10 @@ import pytest
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.dn import DN
|
||||
+from ipaserver.install.replication import EXCLUDES
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
+from ipatests.test_integration.test_topology import find_segment
|
||||
|
||||
|
||||
def check_replication(source_host, dest_host, login):
|
||||
@@ -104,6 +106,34 @@ class TestSimpleReplication(IntegrationTest):
|
||||
[paths.IPA_CUSTODIA_CHECK, self.master.hostname]
|
||||
)
|
||||
|
||||
+ def test_fix_agreements(self):
|
||||
+ """Test that upgrade fixes the list of attributes excluded from repl
|
||||
+
|
||||
+ Test for ticket 9385
|
||||
+ """
|
||||
+ # Prepare the server by removing some values from
|
||||
+ # from the nsDS5ReplicatedAttributeList
|
||||
+ segment = find_segment(self.master, self.replicas[0], "domain")
|
||||
+ self.master.run_command([
|
||||
+ "ipa", "topologysegment-mod", "domain", segment,
|
||||
+ "--replattrs",
|
||||
+ "(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn"])
|
||||
+ # Run the upgrade
|
||||
+ result = self.master.run_command(["ipa-server-upgrade"])
|
||||
+ # Ensure that the upgrade updated the attribute without error
|
||||
+ errmsg = "Error caught updating nsDS5ReplicatedAttributeList"
|
||||
+ assert errmsg not in result.stdout_text
|
||||
+ # Check the updated value
|
||||
+ suffix = DN(self.master.domain.basedn)
|
||||
+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
|
||||
+ result = tasks.ldapsearch_dm(self.master, str(dn),
|
||||
+ ["nsDS5ReplicatedAttributeList"])
|
||||
+ output = result.stdout_text.lower()
|
||||
+
|
||||
+ template = 'nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s'
|
||||
+ expected_value = template % " ".join(EXCLUDES)
|
||||
+ assert expected_value.lower() in output
|
||||
+
|
||||
def test_replica_removal(self):
|
||||
"""Test replica removal"""
|
||||
result = self.master.run_command(['ipa-replica-manage', 'list'])
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,45 @@
|
||||
From faf8be455a6ab4f5b1bed00a611e655535ed31e7 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 14 Nov 2023 13:21:30 -0500
|
||||
Subject: [PATCH] ipatests: fix expected output for ipahealthcheck.ipa.host
|
||||
|
||||
ipa-healthcheck commit e69589d5 changed the output when a service
|
||||
keytab is missing to not report the GSSAPI error but to report
|
||||
that the keytab doesn't exist at all. This distinguishes from real
|
||||
Kerberos issues like kvno.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9482
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 278f75abdd772a59178a61e2ab63e3178fef2518..785e9abbae3b807f100a3d875e0c0b23f868be83 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -635,9 +635,15 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained
|
||||
from host's keytab.
|
||||
"""
|
||||
- msg = (
|
||||
- "Minor (2529639107): No credentials cache found"
|
||||
- )
|
||||
+ version = tasks.get_healthcheck_version(self.master)
|
||||
+ if parse_version(version) >= parse_version("0.15"):
|
||||
+ msg = (
|
||||
+ "Service {service} keytab {path} does not exist."
|
||||
+ )
|
||||
+ else:
|
||||
+ msg = (
|
||||
+ "Minor (2529639107): No credentials cache found"
|
||||
+ )
|
||||
|
||||
with tasks.FileBackup(self.master, paths.KRB5_KEYTAB):
|
||||
self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB])
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,38 @@
|
||||
From bc69177ef80d1873026ad91a6e449b9cf20028b9 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 19 Oct 2023 12:47:03 +0200
|
||||
Subject: [PATCH] group-add-member fails with an external member
|
||||
|
||||
The command ipa group-add-member --external aduser@addomain.test
|
||||
fails with an internal error when used with samba 4.19.
|
||||
|
||||
The command internally calls samba.security.dom_sid(sid) which
|
||||
used to raise a TypeError but now raises a ValueError
|
||||
(commit 9abdd67 on https://github.com/samba-team/samba).
|
||||
|
||||
IPA source code needs to handle properly both exception types.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9466
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/dcerpc.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index 741f0608f93449f5a3959a47734f965ab484a1e5..7e585c87639db093222fe2cebca5c9094a22d7ce 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -303,7 +303,7 @@ class DomainValidator:
|
||||
# Parse sid string to see if it is really in a SID format
|
||||
try:
|
||||
test_sid = security.dom_sid(sid)
|
||||
- except TypeError:
|
||||
+ except (TypeError, ValueError):
|
||||
raise errors.ValidationError(name='sid',
|
||||
error=_('SID is not valid'))
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,55 +0,0 @@
|
||||
From 5e291da42898cc646f699c21a44b03b833d346e8 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Tue, 27 Jun 2023 15:30:08 +0200
|
||||
Subject: [PATCH] tests: fix backup-restore scenario with replica
|
||||
|
||||
The test TestBackupAndRestoreWithReplica is simulating a
|
||||
master crash in order to check the behavior after ipa-restore.
|
||||
|
||||
Since commit 67a33e5, the uninstaller restarts the services in
|
||||
order to unregister the server from PKI security domain. An
|
||||
indirect consequence is that master/replica communication is re-
|
||||
established and operations removing entries (done by the uninstaller)
|
||||
are replicated to the replica.
|
||||
This means that the scenario does not really simulate a server crash.
|
||||
|
||||
To make sure that no replication happens during this "crash", stop
|
||||
the replica first, then uninstall the master, and finally restart
|
||||
the replica before calling the ipa-restore command on the master.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9404
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_backup_and_restore.py | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
|
||||
index 390c065f373e9a8a667f228a09eebd9ac033a19f..83b6a6b44d805fb0615e2128d4be984c6f858bf9 100644
|
||||
--- a/ipatests/test_integration/test_backup_and_restore.py
|
||||
+++ b/ipatests/test_integration/test_backup_and_restore.py
|
||||
@@ -602,6 +602,12 @@ class TestBackupAndRestoreWithReplica(IntegrationTest):
|
||||
tasks.user_add(self.replica1, 'test2_replica')
|
||||
|
||||
# simulate master crash
|
||||
+ # the replica is stopped to make sure master uninstallation
|
||||
+ # does not delete any entry on the replica. In case of a
|
||||
+ # real master crash there would not be any communication between
|
||||
+ # master and replica
|
||||
+ self.replica1.run_command(['ipactl', 'stop'])
|
||||
+
|
||||
self.master.run_command(['ipactl', 'stop'])
|
||||
tasks.uninstall_master(self.master, clean=False)
|
||||
|
||||
@@ -612,6 +618,7 @@ class TestBackupAndRestoreWithReplica(IntegrationTest):
|
||||
self.master.run_command([
|
||||
"systemctl", "disable", "oddjobd"
|
||||
])
|
||||
+ self.replica1.run_command(['ipactl', 'start'])
|
||||
|
||||
self.master.run_command(['ipa-restore', '-U', backup_path])
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,41 @@
|
||||
From c6623f9ce4e1bde729ed6f729da5981c9f26c728 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 20 Oct 2023 10:20:57 +0200
|
||||
Subject: [PATCH] Handle samba changes in samba.security.dom_sid()
|
||||
|
||||
samba.security.dom_sid() in 4.19 now raises ValueError instead of
|
||||
TypeError. Fix the expected exception.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9466
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/dcerpc.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index 7e585c87639db093222fe2cebca5c9094a22d7ce..675572c036e4ea5434d2c6808dd301b425229b38 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -97,7 +97,7 @@ logger = logging.getLogger(__name__)
|
||||
def is_sid_valid(sid):
|
||||
try:
|
||||
security.dom_sid(sid)
|
||||
- except TypeError:
|
||||
+ except (TypeError, ValueError):
|
||||
return False
|
||||
else:
|
||||
return True
|
||||
@@ -457,7 +457,7 @@ class DomainValidator:
|
||||
try:
|
||||
test_sid = security.dom_sid(sid)
|
||||
return unicode(test_sid)
|
||||
- except TypeError:
|
||||
+ except (TypeError, ValueError):
|
||||
raise errors.ValidationError(name=_('trusted domain object'),
|
||||
error=_('Trusted domain did not '
|
||||
'return a valid SID for '
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,54 +0,0 @@
|
||||
From 631dd72369385b0793e5bc0e019c088b4f1e2bb3 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 26 Jun 2023 18:24:46 +0200
|
||||
Subject: [PATCH] OTP: fix data type to avoid endianness issue
|
||||
|
||||
When 389-ds process an OTP authentication, the ipa-pwd-extop
|
||||
plugin reads a buffer to extract the authentication type.
|
||||
The type is stored in an int but the data is a ber_tag_t.
|
||||
|
||||
On big endian machines the type cast does not cause any issue
|
||||
but on s390x the buffer that should return 128 is seen as 0.
|
||||
|
||||
As a consequence, the plugin considers that the method is not
|
||||
LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
|
||||
|
||||
The fix is simple and consists in using the right type
|
||||
(ber_tag_t is an unsigned long).
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9402
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 937594117956d57540d4cf4eabeef6d22860aec8..45626523ffa1030cdff4f3e0ccdfa1618a51ccaf 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
Slapi_DN *target_sdn = NULL;
|
||||
Slapi_DN *sdn = NULL;
|
||||
const char *dn = NULL;
|
||||
- int method = 0;
|
||||
+ ber_tag_t method = 0;
|
||||
bool syncreq;
|
||||
bool otpreq;
|
||||
int ret = 0;
|
||||
@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
}
|
||||
|
||||
/* We're only interested in simple authentication. */
|
||||
- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
|
||||
+ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) {
|
||||
+ LOG("Not handled (not simple bind or NULL dn/credentials)\n");
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
/* Retrieve the user's entry. */
|
||||
sdn = slapi_sdn_dup(target_sdn);
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,42 +0,0 @@
|
||||
From 1e8352486cd5f77ff79e18798f04f406baf0a9a1 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Wed, 14 Jun 2023 17:32:02 +0530
|
||||
Subject: [PATCH] ipatests: enable firewall rule for http service on acme
|
||||
client
|
||||
|
||||
when system hardning done i.e in case of STIG, sometimes http challanges
|
||||
can't be validated by CA if port 80 is not open. This fix enable it to facilitate
|
||||
the communication.
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_acme.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
||||
index 9718c408b7f48dd78dc2abae32fb9ecb85445dfb..cca20983e65f99d5ba0bb7bc6dc2b5684a6f37d9 100644
|
||||
--- a/ipatests/test_integration/test_acme.py
|
||||
+++ b/ipatests/test_integration/test_acme.py
|
||||
@@ -10,6 +10,7 @@ import pytest
|
||||
|
||||
from ipalib.constants import IPA_CA_RECORD
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
+from ipatests.pytest_ipa.integration.firewall import Firewall
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||
from ipatests.test_integration.test_random_serial_numbers import (
|
||||
@@ -85,6 +86,9 @@ def prepare_acme_client(master, client):
|
||||
acme_host = f'{IPA_CA_RECORD}.{master.domain.name}'
|
||||
acme_server = f'https://{acme_host}/acme/directory'
|
||||
|
||||
+ # enable firewall rule on client
|
||||
+ Firewall(client).enable_services(["http", "https"])
|
||||
+
|
||||
# install acme client packages
|
||||
if not skip_certbot_tests:
|
||||
tasks.install_packages(client, ['certbot'])
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,43 @@
|
||||
From c7f999599efe9f3f237f8ad3b7c739714051e3e9 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 7 Dec 2023 08:35:45 +0100
|
||||
Subject: [PATCH] test_install: restart services after date change
|
||||
|
||||
The test TestKRAinstallAfterCertRenew is moving the
|
||||
date in the future in order to reach the grace period where
|
||||
certmonger detects some certificates need to be renewed.
|
||||
Restart the services after the date change.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9405
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_installation.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index bf4163abc0f138ed42c639eee3e95df52da43a71..02fa5bc56d63421c28a5dd1fa02f9f75d305e7bf 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -1569,6 +1569,8 @@ class TestKRAinstallAfterCertRenew(IntegrationTest):
|
||||
grace_date = cert_expiry - timedelta(days=10)
|
||||
grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
|
||||
self.master.run_command(['date', '-s', grace_date])
|
||||
+ # restart service after date change
|
||||
+ self.master.run_command(['ipactl', 'restart'])
|
||||
|
||||
# get the count of certs track by certmonger
|
||||
cmd = self.master.run_command(['getcert', 'list'])
|
||||
@@ -1591,6 +1593,8 @@ class TestKRAinstallAfterCertRenew(IntegrationTest):
|
||||
cert_expiry = cert_expiry + timedelta(days=3)
|
||||
cert_expiry = datetime.strftime(cert_expiry, "%Y-%m-%d %H:%M:%S")
|
||||
self.master.run_command(['date', '-s', cert_expiry])
|
||||
+ # restart service after date change
|
||||
+ self.master.run_command(['ipactl', 'restart'])
|
||||
|
||||
passwd = "{passwd}\n{passwd}\n{passwd}".format(passwd=admin_pass)
|
||||
self.master.run_command(['kinit', 'admin'], stdin_text=passwd)
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,40 @@
|
||||
From eabdbbc00613963deffe42ea17dfb0a690c62e3f Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:34:44 -0500
|
||||
Subject: [PATCH] Issue 9497 - Add new password policy logging function
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/common/util.h | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/common/util.h b/daemons/ipa-slapi-plugins/common/util.h
|
||||
index 1eaf47facb717fe6a95d89fe02311205eabc3e96..db7cf7181ceaf710a5a082c4e80eb66567180be5 100644
|
||||
--- a/daemons/ipa-slapi-plugins/common/util.h
|
||||
+++ b/daemons/ipa-slapi-plugins/common/util.h
|
||||
@@ -30,7 +30,7 @@
|
||||
* Program may make changes or additions to the list of Approved
|
||||
* Interfaces.
|
||||
*
|
||||
- * Copyright (C) 2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2010-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -67,6 +67,10 @@
|
||||
"[file %s, line %d]: " fmt, \
|
||||
__FILE__, __LINE__, ##__VA_ARGS__)
|
||||
|
||||
+#define LOG_PWDPOLICY(fmt, ...) \
|
||||
+ slapi_log_error(SLAPI_LOG_PWDPOLICY, log_func, fmt, ##__VA_ARGS__)
|
||||
+
|
||||
+/* "Trace" logging is very expensive and should be avoided/replaced. TBD */
|
||||
#define LOG_TRACE(fmt, ...) \
|
||||
slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__)
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,79 +0,0 @@
|
||||
From 387873080f1bc14aeaad89311b06dc46934be1ab Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 19 Jul 2023 13:24:55 +0200
|
||||
Subject: [PATCH] User plugin: improve error related to non existing idp
|
||||
|
||||
The user and stageuser commands return the following error
|
||||
when the user is created/updated with a non existing idp:
|
||||
$ ipa user-add testuser --first test --last user --idp dummy
|
||||
ipa: ERROR: no such entry
|
||||
|
||||
The error is not descriptive enough and has been modified to
|
||||
display instead:
|
||||
$ ipa user-add testuser --first test --last user --idp dummy
|
||||
ipa: ERROR: External IdP configuration dummy not found
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9416
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/baseuser.py | 6 +++++-
|
||||
ipaserver/plugins/stageuser.py | 6 +++++-
|
||||
ipaserver/plugins/user.py | 6 +++++-
|
||||
3 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||
index 73b76d328a88639afd40bd261c8a35f324ec865b..ba5f9b7763662b32f238c0fb0ca548ff2f07db0d 100644
|
||||
--- a/ipaserver/plugins/baseuser.py
|
||||
+++ b/ipaserver/plugins/baseuser.py
|
||||
@@ -708,7 +708,11 @@ class baseuser_mod(LDAPUpdate):
|
||||
if 'ipaidpuser' not in obj_classes:
|
||||
entry_attrs['objectclass'].append('ipaidpuser')
|
||||
|
||||
- answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||
+ try:
|
||||
+ answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||
+ except errors.NotFound:
|
||||
+ reason = "External IdP configuration {} not found"
|
||||
+ raise errors.NotFound(reason=_(reason).format(cl))
|
||||
entry_attrs['ipaidpconfiglink'] = answer
|
||||
|
||||
# Note: we could have used the method add_missing_object_class
|
||||
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
|
||||
index 51438a83a95d15fb320148d2934a52f13a38f390..852e51b0eb0d757940b84721a6f01e43c5f36dd2 100644
|
||||
--- a/ipaserver/plugins/stageuser.py
|
||||
+++ b/ipaserver/plugins/stageuser.py
|
||||
@@ -404,7 +404,11 @@ class stageuser_add(baseuser_add):
|
||||
if 'ipaidpuser' not in entry_attrs['objectclass']:
|
||||
entry_attrs['objectclass'].append('ipaidpuser')
|
||||
|
||||
- answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||
+ try:
|
||||
+ answer = self.api.Object['idp'].get_dn_if_exists(cl)
|
||||
+ except errors.NotFound:
|
||||
+ reason = "External IdP configuration {} not found"
|
||||
+ raise errors.NotFound(reason=_(reason).format(cl))
|
||||
entry_attrs['ipaidpconfiglink'] = answer
|
||||
|
||||
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
||||
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||
index 643b44f141e3add76f95cbeec6e90fec0ad4c9ad..a337e1fc7b44ef41ad16e18bd965b7af0a767d05 100644
|
||||
--- a/ipaserver/plugins/user.py
|
||||
+++ b/ipaserver/plugins/user.py
|
||||
@@ -638,7 +638,11 @@ class user_add(baseuser_add):
|
||||
if 'ipaidpuser' not in entry_attrs['objectclass']:
|
||||
entry_attrs['objectclass'].append('ipaidpuser')
|
||||
|
||||
- answer = self.api.Object['idp'].get_dn_if_exists(rcl)
|
||||
+ try:
|
||||
+ answer = self.api.Object['idp'].get_dn_if_exists(rcl)
|
||||
+ except errors.NotFound:
|
||||
+ reason = "External IdP configuration {} not found"
|
||||
+ raise errors.NotFound(reason=_(reason).format(rcl))
|
||||
entry_attrs['ipaidpconfiglink'] = answer
|
||||
|
||||
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,68 @@
|
||||
From 7e31f111c83bed966157b0660e9640e18450b1a2 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:36:49 -0500
|
||||
Subject: [PATCH] Issue 9497 - Update logging in ipa_enrollment
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
.../ipa-enrollment/ipa_enrollment.c | 13 +++++++------
|
||||
1 file changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
|
||||
index 26cbb69d713767909fd62fb77e7defdd323ec7ac..b72ad5ef1c81997d89b2f94528da516b5df3d285 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
|
||||
@@ -30,7 +30,7 @@
|
||||
* Program may make changes or additions to the list of Approved
|
||||
* Interfaces.
|
||||
*
|
||||
- * Copyright (C) 2005 Red Hat, Inc.
|
||||
+ * Copyright (C) 2005-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -132,7 +132,8 @@ ipa_join(Slapi_PBlock *pb)
|
||||
Slapi_DN *sdn;
|
||||
Slapi_Backend *be;
|
||||
Slapi_Entry **es = NULL;
|
||||
- int rc=0, ret=0, res, i;
|
||||
+ int rc=0, ret=0, res;
|
||||
+ size_t i;
|
||||
int is_root=0;
|
||||
char *krbLastPwdChange = NULL;
|
||||
char *fqdn = NULL;
|
||||
@@ -204,7 +205,7 @@ ipa_join(Slapi_PBlock *pb)
|
||||
|
||||
/* if there is none or more than one, freak out */
|
||||
if (i != 1) {
|
||||
- LOG_TRACE("Too many entries, or entry no found (%d)", i);
|
||||
+ LOG_TRACE("Too many entries, or entry no found (%lu)\n", i);
|
||||
if (i == 0)
|
||||
errMesg = "Host not found.\n";
|
||||
else
|
||||
@@ -217,7 +218,7 @@ ipa_join(Slapi_PBlock *pb)
|
||||
/* Is this host already enrolled? */
|
||||
krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange");
|
||||
if (NULL != krbLastPwdChange) {
|
||||
- LOG_TRACE("Host already enrolled");
|
||||
+ LOG_TRACE("Host already enrolled\n");
|
||||
errMesg = "Host already enrolled.\n";
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto free_and_return;
|
||||
@@ -313,8 +314,8 @@ done:
|
||||
ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, JOIN_OID);
|
||||
if (!ret) ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, &retbval);
|
||||
if (ret) {
|
||||
- errMesg = "Could not set return values";
|
||||
- LOG("%s\n", errMesg);
|
||||
+ errMesg = "Could not set return values\n";
|
||||
+ LOG("%s", errMesg);
|
||||
rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
|
||||
}
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,122 +0,0 @@
|
||||
From caacccc6b92c08f510fba2e31d9c56eb372abddc Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 19 Jul 2023 13:28:43 +0200
|
||||
Subject: [PATCH] xmlrpc tests: add a test for user plugin with non-existing
|
||||
idp
|
||||
|
||||
Add new tests checking the error returned for
|
||||
ipa user-add ... --idp nonexistingidp
|
||||
ipa user-mod ... --idp nonexistingidp
|
||||
ipa stageuser-add ... --idp nonexistingidp
|
||||
ipa stageuser-mod ... --idp nonexistingidp
|
||||
|
||||
The expected error message is:
|
||||
ipa: ERROR: External IdP configuration nonexistingidp not found
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9416
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_xmlrpc/test_stageuser_plugin.py | 20 +++++++++++++++
|
||||
ipatests/test_xmlrpc/test_user_plugin.py | 25 +++++++++++++++++++
|
||||
2 files changed, 45 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
index 394015f87f9f4bd275a15bab930e28f16b299274..9ae5561dfa4e0d54fe1231501bfea3c0ba261849 100644
|
||||
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
@@ -39,6 +39,8 @@ gid = u'456'
|
||||
invalidrealm1 = u'suser1@NOTFOUND.ORG'
|
||||
invalidrealm2 = u'suser1@BAD@NOTFOUND.ORG'
|
||||
|
||||
+nonexistentidp = 'IdPDoesNotExist'
|
||||
+
|
||||
invaliduser1 = u'+tuser1'
|
||||
invaliduser2 = u'tuser1234567890123456789012345678901234567890'
|
||||
|
||||
@@ -431,6 +433,15 @@ class TestCreateInvalidAttributes(XMLRPC_test):
|
||||
invalidrealm2))):
|
||||
command()
|
||||
|
||||
+ def test_create_invalid_idp(self, stageduser):
|
||||
+ stageduser.ensure_missing()
|
||||
+ command = stageduser.make_create_command(
|
||||
+ options={u'ipaidpconfiglink': nonexistentidp})
|
||||
+ with raises_exact(errors.NotFound(
|
||||
+ reason="External IdP configuration {} not found".format(
|
||||
+ nonexistentidp))):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestUpdateInvalidAttributes(XMLRPC_test):
|
||||
@@ -466,6 +477,15 @@ class TestUpdateInvalidAttributes(XMLRPC_test):
|
||||
message=u'invalid \'gidnumber\': must be at least 1')):
|
||||
command()
|
||||
|
||||
+ def test_update_invalididp(self, stageduser):
|
||||
+ stageduser.ensure_exists()
|
||||
+ command = stageduser.make_update_command(
|
||||
+ updates={u'ipaidpconfiglink': nonexistentidp})
|
||||
+ with raises_exact(errors.NotFound(
|
||||
+ reason="External IdP configuration {} not found".format(
|
||||
+ nonexistentidp))):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestActive(XMLRPC_test):
|
||||
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
index 8ac19a4f9ce4f341838282ecd3ed1bb491ac7004..baa28672e7552140a703ecdfa5772b445298cb37 100644
|
||||
--- a/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
@@ -86,6 +86,8 @@ expired_expiration_string = "1991-12-07T19:54:13Z"
|
||||
# Date in ISO format (2013-12-10T12:00:00)
|
||||
isodate_re = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$')
|
||||
|
||||
+nonexistentidp = 'IdPDoesNotExist'
|
||||
+
|
||||
|
||||
@pytest.fixture(scope='class')
|
||||
def user_min(request, xmlrpc_setup):
|
||||
@@ -542,6 +544,18 @@ class TestUpdate(XMLRPC_test):
|
||||
command()
|
||||
user.delete()
|
||||
|
||||
+ def test_update_invalid_idp(self, user):
|
||||
+ """ Test user-mod --idp with a non-existent idp """
|
||||
+ user.ensure_exists()
|
||||
+ command = user.make_update_command(
|
||||
+ updates=dict(ipaidpconfiglink=nonexistentidp)
|
||||
+ )
|
||||
+ with raises_exact(errors.NotFound(
|
||||
+ reason="External IdP configuration {} not found".format(
|
||||
+ nonexistentidp)
|
||||
+ )):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestCreate(XMLRPC_test):
|
||||
@@ -770,6 +784,17 @@ class TestCreate(XMLRPC_test):
|
||||
user_radius.check_create(result)
|
||||
user_radius.delete()
|
||||
|
||||
+ def test_create_with_invalididp(self):
|
||||
+ testuser = UserTracker(
|
||||
+ name='idpuser', givenname='idp', sn='user',
|
||||
+ ipaidpconfiglink=nonexistentidp
|
||||
+ )
|
||||
+ with raises_exact(errors.NotFound(
|
||||
+ reason="External IdP configuration {} not found".format(
|
||||
+ nonexistentidp)
|
||||
+ )):
|
||||
+ testuser.create()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestUserWithGroup(XMLRPC_test):
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,117 +0,0 @@
|
||||
From 421e8e9ac886c50b4bb463a62b8ad5de8da94f31 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 26 Jun 2023 13:06:51 -0400
|
||||
Subject: [PATCH] Fix memory leak in the OTP last token plugin
|
||||
|
||||
Three memory leaks are addressed:
|
||||
|
||||
1. String values retrieved from the pblock need to be manually
|
||||
freed.
|
||||
|
||||
2. The list of objectclasses retreived from the pblock need to be
|
||||
freed.
|
||||
|
||||
3. Internal search results need to be freed.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9403
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
.../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 38 +++++++++++++------
|
||||
daemons/ipa-slapi-plugins/libotp/otp_token.c | 1 +
|
||||
2 files changed, 27 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||
index b7a2ba7f012fdbf90284ee6605788e196aa4793b..11106b239f9de9074125979cfae7c02e434936e1 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||
@@ -54,7 +54,7 @@ void *ipa_otp_lasttoken_plugin_id;
|
||||
|
||||
static bool entry_is_token(Slapi_Entry *entry)
|
||||
{
|
||||
- char **ocls;
|
||||
+ char **ocls = NULL;
|
||||
|
||||
ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
|
||||
for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
|
||||
@@ -64,6 +64,7 @@ static bool entry_is_token(Slapi_Entry *entry)
|
||||
}
|
||||
}
|
||||
|
||||
+ slapi_ch_array_free(ocls);
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -138,7 +139,8 @@ static bool is_pwd_enabled(const char *user_dn)
|
||||
static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
|
||||
{
|
||||
Slapi_DN *target_sdn = NULL;
|
||||
- const char *bind_dn;
|
||||
+ char *bind_dn;
|
||||
+ bool rv = false;
|
||||
|
||||
/* Ignore internal operations. */
|
||||
if (slapi_op_internal(pb))
|
||||
@@ -147,23 +149,35 @@ static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
|
||||
/* Load parameters. */
|
||||
(void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
|
||||
(void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
|
||||
- if (target_sdn == NULL || bind_dn == NULL) {
|
||||
- LOG_FATAL("Missing parameters!\n");
|
||||
- return false;
|
||||
+ if (bind_dn == NULL) {
|
||||
+ LOG_FATAL("bind_dn parameter missing!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ if (target_sdn == NULL) {
|
||||
+ LOG_FATAL("target_sdn parameter missing!\n");
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
if (entry != NULL
|
||||
? !entry_is_token(entry)
|
||||
- : !sdn_in_otp_container(target_sdn))
|
||||
- return true;
|
||||
+ : !sdn_in_otp_container(target_sdn)) {
|
||||
+ rv = true;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
- if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
|
||||
- return true;
|
||||
+ if (!sdn_is_only_enabled_token(target_sdn, bind_dn)) {
|
||||
+ rv = true;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
- if (is_pwd_enabled(bind_dn))
|
||||
- return true;
|
||||
+ if (is_pwd_enabled(bind_dn)) {
|
||||
+ rv = true;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
- return false;
|
||||
+done:
|
||||
+ slapi_ch_free_string(&bind_dn);
|
||||
+ return rv;
|
||||
}
|
||||
|
||||
static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
|
||||
diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
|
||||
index a3cbfb0621c071f8addb29f7ce02f870a807c61d..4be4ede07cbbd0d26bcc9952ef4d84d777076ae7 100644
|
||||
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
|
||||
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
|
||||
@@ -398,6 +398,7 @@ static struct otp_token **find(const struct otp_config *cfg, const char *user_dn
|
||||
}
|
||||
|
||||
error:
|
||||
+ slapi_free_search_results_internal(pb);
|
||||
slapi_pblock_destroy(pb);
|
||||
return tokens;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,47 @@
|
||||
From e4aebc121c9242390da86fe6bda3e8c28edfb746 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:37:41 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa_graceperiod
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
||||
index 345e1dee7d163167373ca82dedb1e827f0e1bc8c..7a2d4f2aaea677d1fb3553fe49e6aa17c3e7a38c 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
||||
@@ -30,7 +30,7 @@
|
||||
* Program may make changes or additions to the list of Approved
|
||||
* Interfaces.
|
||||
*
|
||||
- * Copyright (C) 2022 Red Hat, Inc.
|
||||
+ * Copyright (C) 2022-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -447,7 +447,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
||||
LOG_TRACE("grace limit disabled, skipping\n");
|
||||
goto done;
|
||||
} else if (grace_limit < -1) {
|
||||
- LOG_FATAL("Invalid passwordGraceLimit value %d\n", grace_limit);
|
||||
+ LOG_FATAL("Invalid passwordGraceLimit value %ld\n", grace_limit);
|
||||
return LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
|
||||
@@ -480,7 +480,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
||||
slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
|
||||
}
|
||||
} else if (grace_user_time >= grace_limit) {
|
||||
- LOG_TRACE("%s password is expired and out of grace limit\n", dn);
|
||||
+ LOG_PWDPOLICY("%s password is expired and out of grace limit\n", dn);
|
||||
errstr = "Password is expired.\n";
|
||||
ret = LDAP_INVALID_CREDENTIALS;
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,46 @@
|
||||
From be805c1150fd0c2e6ac2276f8535b14d57557aad Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:38:47 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa_lockout
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
|
||||
index a8095ccd371bfd29e3148ab2ad8c982a08f0b7e0..366018094bdc42c914d7743a89519ba1e1a6e124 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
|
||||
@@ -30,7 +30,7 @@
|
||||
* Program may make changes or additions to the list of Approved
|
||||
* Interfaces.
|
||||
*
|
||||
- * Copyright (C) 2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2010-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -823,13 +823,15 @@ static int ipalockout_preop(Slapi_PBlock *pb)
|
||||
if (failedcount >= max_fail) {
|
||||
if (lockout_duration == 0) {
|
||||
errstr = "Entry permanently locked.\n";
|
||||
+ LOG_PWDPOLICY("Entry '%s' is permanently locked.\n", dn);
|
||||
ret = LDAP_UNWILLING_TO_PERFORM;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (time_now < last_failed + lockout_duration) {
|
||||
/* Too many failures */
|
||||
- LOG_TRACE("Too many failed logins. %lu out of %d\n", failedcount, max_fail);
|
||||
+ LOG_PWDPOLICY("Too many failed logins for '%s'. %lu out of %d\n",
|
||||
+ dn, failedcount, max_fail);
|
||||
errstr = "Too many failed logins.\n";
|
||||
ret = LDAP_UNWILLING_TO_PERFORM;
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,136 +0,0 @@
|
||||
From 4b02322fc786ee9caaa0380659507a2cec0d4101 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 25 May 2023 18:24:29 -0400
|
||||
Subject: [PATCH] Prevent the admin user from being deleted
|
||||
|
||||
admin is required for trust operations
|
||||
|
||||
Note that testing for removing the last member is now
|
||||
irrelevant because admin must always exist so the test
|
||||
for it was removed, but the code check remains. It is done
|
||||
after the protected member check.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8878
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/user.py | 19 +++++++++--
|
||||
ipatests/test_xmlrpc/test_user_plugin.py | 40 ++++++++++++------------
|
||||
2 files changed, 37 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||
index a337e1fc7b44ef41ad16e18bd965b7af0a767d05..6f5e34917e1b838a463dee146a4e9390f20c130a 100644
|
||||
--- a/ipaserver/plugins/user.py
|
||||
+++ b/ipaserver/plugins/user.py
|
||||
@@ -138,14 +138,23 @@ MEMBEROF_ADMINS = "(memberOf={})".format(
|
||||
)
|
||||
|
||||
NOT_MEMBEROF_ADMINS = '(!{})'.format(MEMBEROF_ADMINS)
|
||||
+PROTECTED_USERS = ('admin',)
|
||||
|
||||
|
||||
def check_protected_member(user, protected_group_name=u'admins'):
|
||||
'''
|
||||
- Ensure the last enabled member of a protected group cannot be deleted or
|
||||
- disabled by raising LastMemberError.
|
||||
+ Ensure admin and the last enabled member of a protected group cannot
|
||||
+ be deleted or disabled by raising ProtectedEntryError or
|
||||
+ LastMemberError as appropriate.
|
||||
'''
|
||||
|
||||
+ if user in PROTECTED_USERS:
|
||||
+ raise errors.ProtectedEntryError(
|
||||
+ label=_("user"),
|
||||
+ key=user,
|
||||
+ reason=_("privileged user"),
|
||||
+ )
|
||||
+
|
||||
# Get all users in the protected group
|
||||
result = api.Command.user_find(in_group=protected_group_name)
|
||||
|
||||
@@ -868,6 +877,12 @@ class user_mod(baseuser_mod):
|
||||
|
||||
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||
dn, oc = self.obj.get_either_dn(*keys, **options)
|
||||
+ if options.get('rename') and keys[-1] in PROTECTED_USERS:
|
||||
+ raise errors.ProtectedEntryError(
|
||||
+ label=_("user"),
|
||||
+ key=keys[-1],
|
||||
+ reason=_("privileged user"),
|
||||
+ )
|
||||
if 'objectclass' not in entry_attrs and 'rename' not in options:
|
||||
entry_attrs.update({'objectclass': oc})
|
||||
self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys,
|
||||
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
index baa28672e7552140a703ecdfa5772b445298cb37..df105a23529b29944411a6418e5db55d56e2c72a 100644
|
||||
--- a/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
@@ -978,22 +978,32 @@ class TestManagers(XMLRPC_test):
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestAdmins(XMLRPC_test):
|
||||
- def test_remove_original_admin(self):
|
||||
- """ Try to remove the only admin """
|
||||
+ def test_delete_admin(self):
|
||||
+ """ Try to delete the protected admin user """
|
||||
tracker = Tracker()
|
||||
- command = tracker.make_command('user_del', [admin1])
|
||||
+ command = tracker.make_command('user_del', admin1)
|
||||
|
||||
- with raises_exact(errors.LastMemberError(
|
||||
- key=admin1, label=u'group', container=admin_group)):
|
||||
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||
+ key=admin1, reason='privileged user')):
|
||||
+ command()
|
||||
+
|
||||
+ def test_rename_admin(self):
|
||||
+ """ Try to rename the admin user """
|
||||
+ tracker = Tracker()
|
||||
+ command = tracker.make_command('user_mod', admin1,
|
||||
+ **dict(rename=u'newadmin'))
|
||||
+
|
||||
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||
+ key=admin1, reason='privileged user')):
|
||||
command()
|
||||
|
||||
def test_disable_original_admin(self):
|
||||
- """ Try to disable the only admin """
|
||||
+ """ Try to disable the original admin """
|
||||
tracker = Tracker()
|
||||
command = tracker.make_command('user_disable', admin1)
|
||||
|
||||
- with raises_exact(errors.LastMemberError(
|
||||
- key=admin1, label=u'group', container=admin_group)):
|
||||
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||
+ key=admin1, reason='privileged user')):
|
||||
command()
|
||||
|
||||
def test_create_admin2(self, admin2):
|
||||
@@ -1011,21 +1021,11 @@ class TestAdmins(XMLRPC_test):
|
||||
admin2.disable()
|
||||
tracker = Tracker()
|
||||
|
||||
- with raises_exact(errors.LastMemberError(
|
||||
- key=admin1, label=u'group', container=admin_group)):
|
||||
+ with raises_exact(errors.ProtectedEntryError(label=u'user',
|
||||
+ key=admin1, reason='privileged user')):
|
||||
tracker.run_command('user_disable', admin1)
|
||||
- with raises_exact(errors.LastMemberError(
|
||||
- key=admin1, label=u'group', container=admin_group)):
|
||||
- tracker.run_command('user_del', admin1)
|
||||
admin2.delete()
|
||||
|
||||
- with raises_exact(errors.LastMemberError(
|
||||
- key=admin1, label=u'group', container=admin_group)):
|
||||
- tracker.run_command('user_disable', admin1)
|
||||
- with raises_exact(errors.LastMemberError(
|
||||
- key=admin1, label=u'group', container=admin_group)):
|
||||
- tracker.run_command('user_del', admin1)
|
||||
-
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestPreferredLanguages(XMLRPC_test):
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,56 @@
|
||||
From 473b1e465ba93ec313bc7cea62bb8d545f37e8bd Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:39:14 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa_modrdn
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
|
||||
index 6cec5f242b7d23d3752e5bc30c67e034abc96abb..8be192a5e94211f94a7f3a8a62409250b723ddb5 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
|
||||
@@ -30,7 +30,7 @@
|
||||
* Program may make changes or additions to the list of Approved
|
||||
* Interfaces.
|
||||
*
|
||||
- * Copyright (C) 2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2010-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -350,7 +350,6 @@ ipamodrdn_load_plugin_config(void)
|
||||
{
|
||||
int status = EOK;
|
||||
int result;
|
||||
- int i;
|
||||
Slapi_PBlock *search_pb;
|
||||
Slapi_Entry **entries = NULL;
|
||||
|
||||
@@ -379,7 +378,7 @@ ipamodrdn_load_plugin_config(void)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- for (i = 0; (entries[i] != NULL); i++) {
|
||||
+ for (size_t i = 0; (entries[i] != NULL); i++) {
|
||||
/* We don't care about the status here because we may have
|
||||
* some invalid config entries, but we just want to continue
|
||||
* looking for valid ones. */
|
||||
@@ -680,7 +679,8 @@ ipamodrdn_change_attr(struct configEntry *cfgentry,
|
||||
slapi_modify_internal_pb(mod_pb);
|
||||
slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
|
||||
if (ret != LDAP_SUCCESS) {
|
||||
- LOG_FATAL("Failed to change attribute with error %d\n", ret);
|
||||
+ LOG_FATAL("Failed to change attribute '%s' in '%s' with error %d\n",
|
||||
+ cfgentry->tattr, targetdn, ret);
|
||||
ret = EFAIL;
|
||||
}
|
||||
ret = EOK;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,87 +0,0 @@
|
||||
From fd32e6a3d95f28d2d11d41ee5dabb0d563cb5d51 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Mon, 31 Jul 2023 11:26:43 +0200
|
||||
Subject: [PATCH] ipa-kdb: fix error handling of is_master_host()
|
||||
|
||||
Adding proper error handling to the is_master_host() function to allow
|
||||
it to make the difference between the absence of a master host object
|
||||
and a connection failure. This will keep the krb5kdc daemon from
|
||||
continuing to run with a NULL LDAP context.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9422
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 41 +++++++++++++++++++--------------
|
||||
1 file changed, 24 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 83b507cb422c735f933edaebfc7b903b8fa908e4..1558e2bead288d9d00014e9b3b059934e80b54e4 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -401,27 +401,29 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static bool is_master_host(struct ipadb_context *ipactx, const char *fqdn)
|
||||
+static krb5_error_code
|
||||
+is_master_host(struct ipadb_context *ipactx, const char *fqdn, bool *result)
|
||||
{
|
||||
- int ret;
|
||||
+ int err;
|
||||
char *master_host_base = NULL;
|
||||
- LDAPMessage *result = NULL;
|
||||
- krb5_error_code err;
|
||||
+ LDAPMessage *ldap_res = NULL;
|
||||
|
||||
- ret = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
|
||||
+ err = asprintf(&master_host_base, "cn=%s,cn=masters,cn=ipa,cn=etc,%s",
|
||||
fqdn, ipactx->base);
|
||||
- if (ret == -1) {
|
||||
- return false;
|
||||
- }
|
||||
+ if (err == -1)
|
||||
+ return ENOMEM;
|
||||
+
|
||||
err = ipadb_simple_search(ipactx, master_host_base, LDAP_SCOPE_BASE,
|
||||
- NULL, NULL, &result);
|
||||
+ NULL, NULL, &ldap_res);
|
||||
free(master_host_base);
|
||||
- ldap_msgfree(result);
|
||||
- if (err == 0) {
|
||||
- return true;
|
||||
- }
|
||||
+ ldap_msgfree(ldap_res);
|
||||
+ if (err != KRB5_KDB_NOENTRY && err != 0)
|
||||
+ return err;
|
||||
+
|
||||
+ if (result)
|
||||
+ *result = err != KRB5_KDB_NOENTRY;
|
||||
|
||||
- return false;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||
@@ -692,9 +694,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||
if ((is_host || is_service)) {
|
||||
/* it is either host or service, so get the hostname first */
|
||||
char *sep = strchr(info3->base.account_name.string, '/');
|
||||
- bool is_master = is_master_host(
|
||||
- ipactx,
|
||||
- sep ? sep + 1 : info3->base.account_name.string);
|
||||
+ bool is_master;
|
||||
+
|
||||
+ ret = is_master_host(ipactx,
|
||||
+ sep ? sep + 1 : info3->base.account_name.string,
|
||||
+ &is_master);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
if (is_master) {
|
||||
/* Well known RID of domain controllers group */
|
||||
if (info3->base.rid == 0) {
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,82 @@
|
||||
From 0f78feeca51a7abe49fbabf22991bf89eba7b12a Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:39:47 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa_otp_counter
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
.../ipa-otp-counter/ipa_otp_counter.c | 13 +++++++++----
|
||||
daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h | 4 +++-
|
||||
2 files changed, 12 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
|
||||
index da047d7dc58e27b37ad29c39bde44e33602ab4c5..5e03450c5164ee450736fc61b40ef769bc4572dd 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Nathaniel McCallum <npmccallum@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2014 Red Hat, Inc.
|
||||
+ * Copyright (C) 2014-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -295,14 +295,16 @@ preop_mod(Slapi_PBlock *pb)
|
||||
}
|
||||
|
||||
if (!simulate(mods, attr, cpre, &cpost) && repl == 0) {
|
||||
- msg = slapi_ch_smprintf("Invalid operation sequence on %s", attr);
|
||||
+ msg = slapi_ch_smprintf("Invalid operation sequence on %s (%s)",
|
||||
+ attr, slapi_entry_get_dn_const(epre));
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (cpost < cpre) {
|
||||
if (repl == 0) {
|
||||
- msg = slapi_ch_smprintf("Will not %s %s",
|
||||
- cpost == COUNTER_UNSET ? "delete" : "decrement", attr);
|
||||
+ msg = slapi_ch_smprintf("Will not %s %s (%s)",
|
||||
+ cpost == COUNTER_UNSET ? "delete" : "decrement",
|
||||
+ attr, slapi_entry_get_dn_const(epre));
|
||||
goto error;
|
||||
}
|
||||
|
||||
@@ -321,6 +323,9 @@ preop_mod(Slapi_PBlock *pb)
|
||||
|
||||
error:
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
+ if (msg) {
|
||||
+ LOG("%s - error %d\n", msg, rc);
|
||||
+ }
|
||||
slapi_send_ldap_result(pb, rc, NULL, msg, 0, NULL);
|
||||
if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
|
||||
LOG_FATAL("slapi_pblock_set failed!\n");
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h b/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
|
||||
index 45f43904b2288a97802ad2d698a30be972e2d8b7..324107c487f53e11774c51f248b00043e44b0bcc 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Nathaniel McCallum <npmccallum@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2014 Red Hat, Inc.
|
||||
+ * Copyright (C) 2014-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -41,6 +41,8 @@
|
||||
|
||||
#include <slapi-plugin.h>
|
||||
|
||||
+#define IPA_PLUGIN_NAME "ipa-otp-counter"
|
||||
+
|
||||
long long
|
||||
ldapmod_get_value(const LDAPMod *mod, long long def);
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 13d5e88eb4ebb7a0132cbb050a9d230304ecbcff Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 2 Aug 2023 15:41:57 +0200
|
||||
Subject: [PATCH] ipatests: update expected webui msg for admin deletion
|
||||
|
||||
The deletion of the admin is now forbidden (even if it is
|
||||
not the last member of the admins group) and the error
|
||||
message has changed from "admin cannot be deleted or
|
||||
disabled because it is the last member of group admins"
|
||||
to " user admin cannot be deleted/modified: privileged user".
|
||||
|
||||
Update the expected message in the webui test.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8878
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipatests/test_webui/test_user.py | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py
|
||||
index 8d44fbdb9380c94058307b02a96299d0e178cdc7..a8a92d00c7e1f40ef10eb9133cea8752daafe730 100644
|
||||
--- a/ipatests/test_webui/test_user.py
|
||||
+++ b/ipatests/test_webui/test_user.py
|
||||
@@ -50,8 +50,7 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are "
|
||||
FIELD_REQ = 'Required field'
|
||||
ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $'
|
||||
ERR_MISMATCH = 'Passwords must match'
|
||||
-ERR_ADMIN_DEL = ('admin cannot be deleted or disabled because it is the last '
|
||||
- 'member of group admins')
|
||||
+ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user')
|
||||
USR_EXIST = 'user with name "{}" already exists'
|
||||
ENTRY_EXIST = 'This entry already exists'
|
||||
ACTIVE_ERR = 'active user with name "{}" already exists'
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,96 @@
|
||||
From 5eb6af01873d0f70ff5b02c972867877da8e7c50 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:40:13 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa_otp_lasttoken
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
.../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 25 ++++++++++++-------
|
||||
1 file changed, 16 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||
index 11106b239f9de9074125979cfae7c02e434936e1..c1318f8eb19a5ff7da016eb145eece2f56925235 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Nathaniel McCallum <npmccallum@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2013 Red Hat, Inc.
|
||||
+ * Copyright (C) 2013-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -46,7 +46,7 @@
|
||||
|
||||
#include "util.h"
|
||||
|
||||
-#define PLUGIN_NAME "ipa-otp-lasttoken"
|
||||
+#define IPA_PLUGIN_NAME "ipa-otp-lasttoken"
|
||||
#define OTP_CONTAINER "cn=otp,%s"
|
||||
|
||||
static struct otp_config *otp_config;
|
||||
@@ -191,9 +191,14 @@ static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
|
||||
|
||||
static int preop_del(Slapi_PBlock *pb)
|
||||
{
|
||||
+ char *dn = NULL;
|
||||
+
|
||||
if (is_allowed(pb, NULL))
|
||||
return 0;
|
||||
|
||||
+ slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
|
||||
+ LOG("Can't delete last active token (%s)", dn);
|
||||
+
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
|
||||
"Can't delete last active token");
|
||||
}
|
||||
@@ -221,10 +226,12 @@ static int preop_mod(Slapi_PBlock *pb)
|
||||
return 0;
|
||||
|
||||
/* If a protected attribute is modified, deny. */
|
||||
- for (int i = 0; mods != NULL && mods[i] != NULL; i++) {
|
||||
- for (int j = 0; errors[j].attr != NULL; j++) {
|
||||
- if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0)
|
||||
+ for (size_t i = 0; mods != NULL && mods[i] != NULL; i++) {
|
||||
+ for (size_t j = 0; errors[j].attr != NULL; j++) {
|
||||
+ if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0) {
|
||||
+ LOG("%s (%s)", errors[j].msg, slapi_entry_get_dn_const(entry));
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -284,7 +291,7 @@ static int ipa_otp_lasttoken_start(Slapi_PBlock *pb)
|
||||
int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
|
||||
{
|
||||
static const Slapi_PluginDesc preop_desc = {
|
||||
- PLUGIN_NAME,
|
||||
+ IPA_PLUGIN_NAME,
|
||||
"FreeIPA",
|
||||
"FreeIPA/1.0",
|
||||
"Protect the user's last active token"
|
||||
@@ -297,14 +304,14 @@ int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc);
|
||||
ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,
|
||||
- PLUGIN_NAME " betxnpreoperation", NULL,
|
||||
+ IPA_PLUGIN_NAME " betxnpreoperation", NULL,
|
||||
ipa_otp_lasttoken_plugin_id);
|
||||
ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,
|
||||
- PLUGIN_NAME " postoperation", NULL,
|
||||
+ IPA_PLUGIN_NAME " postoperation", NULL,
|
||||
ipa_otp_lasttoken_plugin_id);
|
||||
ret |= slapi_register_plugin("internalpostoperation", 1, __func__,
|
||||
intpostop_init,
|
||||
- PLUGIN_NAME " internalpostoperation", NULL,
|
||||
+ IPA_PLUGIN_NAME " internalpostoperation", NULL,
|
||||
ipa_otp_lasttoken_plugin_id);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN,
|
||||
(void *)ipa_otp_lasttoken_start);
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,70 +0,0 @@
|
||||
From ff6cfcacd67a0461a0341e17854732cbe301f1d6 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Wed, 2 Aug 2023 12:48:40 +0530
|
||||
Subject: [PATCH] ipatests: remove fixture call and wait to get things settle
|
||||
|
||||
system date moved in order to expire the certs. Sometime it
|
||||
is observed that subsequent operation fails with 500 error for CA,
|
||||
hence restart the services after moving date and wait for sometime
|
||||
to get things settle.
|
||||
|
||||
Also the tests was calling fixture which is not required for it, hence
|
||||
removed it as well.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9348
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_acme.py | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
||||
index cca20983e65f99d5ba0bb7bc6dc2b5684a6f37d9..c7389732cd067d49541cd04ea6687a6b95b4669f 100644
|
||||
--- a/ipatests/test_integration/test_acme.py
|
||||
+++ b/ipatests/test_integration/test_acme.py
|
||||
@@ -606,6 +606,11 @@ def issue_and_expire_acme_cert():
|
||||
tasks.kdestroy_all(host)
|
||||
tasks.move_date(host, 'stop', '+90days+60minutes')
|
||||
|
||||
+ # restart ipa services as date moved and wait to get things settle
|
||||
+ time.sleep(10)
|
||||
+ master.run_command(['ipactl', 'restart'])
|
||||
+ time.sleep(10)
|
||||
+
|
||||
tasks.get_kdcinfo(master)
|
||||
# Note raiseonerr=False:
|
||||
# the assert is located after kdcinfo retrieval.
|
||||
@@ -627,6 +632,11 @@ def issue_and_expire_acme_cert():
|
||||
for host in hosts:
|
||||
tasks.move_date(host, 'start', '-90days-60minutes')
|
||||
|
||||
+ # restart ipa services as date moved and wait to get things settle
|
||||
+ time.sleep(10)
|
||||
+ hosts[0].run_command(['ipactl', 'restart'])
|
||||
+ time.sleep(10)
|
||||
+
|
||||
|
||||
class TestACMERenew(IntegrationTest):
|
||||
|
||||
@@ -960,7 +970,7 @@ class TestACMEPrune(IntegrationTest):
|
||||
)
|
||||
assert f'Number of entries returned {no_of_cert - search_size_limit}'
|
||||
|
||||
- def test_prune_config_show(self, issue_and_expire_acme_cert):
|
||||
+ def test_prune_config_show(self):
|
||||
"""Test to check config-show command shows set param"""
|
||||
if (tasks.get_pki_version(self.master)
|
||||
< tasks.parse_version('11.3.0')):
|
||||
@@ -1001,7 +1011,7 @@ class TestACMEPrune(IntegrationTest):
|
||||
assert 'Request Search Time Limit: 0' in result.stdout_text
|
||||
assert 'cron Schedule: 0 0 1 * *' in result.stdout_text
|
||||
|
||||
- def test_prune_disable(self, issue_and_expire_acme_cert):
|
||||
+ def test_prune_disable(self):
|
||||
"""Test prune command throw error after disabling the pruning"""
|
||||
if (tasks.get_pki_version(self.master)
|
||||
< tasks.parse_version('11.3.0')):
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,766 @@
|
||||
From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:41:10 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 25 +++--
|
||||
.../ipa-pwd-extop/encoding.c | 5 +-
|
||||
.../ipa-pwd-extop/ipa_pwd_extop.c | 106 ++++++++++--------
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 59 +++++-----
|
||||
4 files changed, 105 insertions(+), 90 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Simo Sorce <ssorce@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
|
||||
char **encsalts;
|
||||
char **tmparray;
|
||||
char *tmpstr;
|
||||
- int i, ret;
|
||||
+ int ret;
|
||||
+ size_t i;
|
||||
|
||||
config = calloc(1, sizeof(struct ipapwd_krbcfg));
|
||||
if (!config) {
|
||||
@@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn,
|
||||
"ipaPwdUserCheck", NULL};
|
||||
Slapi_Entry **es = NULL;
|
||||
Slapi_Entry *pe = NULL;
|
||||
- int ret, res, scope, i;
|
||||
+ int ret, res, scope;
|
||||
+ size_t i;
|
||||
int buffer_flags=0;
|
||||
Slapi_ValueSet* results = NULL;
|
||||
char *actual_type_name = NULL;
|
||||
@@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
|
||||
}
|
||||
sdn = slapi_sdn_new_dn_byref(dn);
|
||||
if (!sdn) {
|
||||
- LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
|
||||
+ LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? dn : "<NULL>");
|
||||
*errMesg = "Internal Error";
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto done;
|
||||
@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
|
||||
/* get the kerberos context and master key */
|
||||
*config = ipapwd_getConfig();
|
||||
if (NULL == *config) {
|
||||
- LOG_FATAL("Error Retrieving Master Key");
|
||||
+ LOG_FATAL("Error Retrieving Master Key\n");
|
||||
*errMesg = "Fatal Internal Error";
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
@@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
|
||||
/* Find the entry with the password policy */
|
||||
ret = ipapwd_getPolicy(data->dn, data->target, &pol);
|
||||
if (ret) {
|
||||
- LOG_TRACE("No password policy, use defaults");
|
||||
+ LOG_TRACE("No password policy, use defaults\n");
|
||||
}
|
||||
break;
|
||||
case IPA_CHANGETYPE_ADMIN:
|
||||
@@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
|
||||
*/
|
||||
ret = ipapwd_getPolicy(data->dn, data->target, &tmppol);
|
||||
if (ret) {
|
||||
- LOG_TRACE("No password policy, use defaults");
|
||||
+ LOG_TRACE("No password policy, use defaults\n");
|
||||
} else {
|
||||
pol.max_pwd_life = tmppol.max_pwd_life;
|
||||
pol.history_length = tmppol.history_length;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
- LOG_TRACE("Unknown password change type, use defaults");
|
||||
+ LOG_TRACE("Unknown password change type, use defaults\n");
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
|
||||
case IPA_CHANGETYPE_DSMGR:
|
||||
case IPA_CHANGETYPE_ADMIN:
|
||||
/* Mark as administratively reset which will unlock acct */
|
||||
- ret = ipapwd_setdate(data->target, smods,
|
||||
+ ret = ipapwd_setdate(data->target, smods,
|
||||
"krbLastAdminUnlock",
|
||||
data->timeNow, false);
|
||||
if (ret != LDAP_SUCCESS)
|
||||
@@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
|
||||
char **new_pwd_history = NULL;
|
||||
int n = 0;
|
||||
int ret;
|
||||
- int i;
|
||||
+ size_t i;
|
||||
|
||||
pwd_history = slapi_entry_attr_get_charray(data->target,
|
||||
"passwordHistory");
|
||||
@@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn,
|
||||
void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
|
||||
{
|
||||
Slapi_Value **sv = *svals;
|
||||
- int i;
|
||||
|
||||
if (sv) {
|
||||
- for (i = 0; sv[i]; i++) {
|
||||
+ for (size_t i = 0; sv[i]; i++) {
|
||||
slapi_value_free(&sv[i]);
|
||||
}
|
||||
}
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
|
||||
index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Simo Sorce <ssorce@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
|
||||
|
||||
if (!*svals) {
|
||||
/* errMesg should have been set in encrypt_encode_key() */
|
||||
- LOG_FATAL("key encryption/encoding failed\n");
|
||||
+ LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg);
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto done;
|
||||
}
|
||||
@@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
|
||||
}
|
||||
(*ntvals)[0] = slapi_value_new();
|
||||
if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
|
||||
+ LOG("Failed to set value for nt_key");
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto done;
|
||||
}
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
|
||||
index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Simo Sorce <ssorce@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
|
||||
struct ipapwd_keyset *kset,
|
||||
bool allow_nthash)
|
||||
{
|
||||
- int i, j;
|
||||
+ size_t i, j;
|
||||
|
||||
for (i = 0; i < kset->num_keys; i++) {
|
||||
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
|
||||
@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
|
||||
bool allow_nthash)
|
||||
{
|
||||
/* first filter for duplicates */
|
||||
- for (int i = 0; i + 1 < *num_kenctypes; i++) {
|
||||
- for (int j = i + 1; j < *num_kenctypes; j++) {
|
||||
+ for (size_t i = 0; i + 1 < *num_kenctypes; i++) {
|
||||
+ for (size_t j = i + 1; j < *num_kenctypes; j++) {
|
||||
if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
|
||||
/* duplicate, filter out */
|
||||
- for (int k = j; k + 1 < *num_kenctypes; k++) {
|
||||
+ for (size_t k = j; k + 1 < *num_kenctypes; k++) {
|
||||
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
|
||||
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
|
||||
}
|
||||
@@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
|
||||
}
|
||||
|
||||
/* then filter for supported */
|
||||
- for (int i = 0; i < *num_kenctypes; i++) {
|
||||
- int j;
|
||||
+ for (size_t i = 0; i < *num_kenctypes; i++) {
|
||||
+ size_t j;
|
||||
|
||||
/* Check if supported */
|
||||
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
|
||||
@@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
|
||||
}
|
||||
if (j == krbcfg->num_supp_encsalts) {
|
||||
/* Unsupported, filter out */
|
||||
- for (int k = i; k + 1 < *num_kenctypes; k++) {
|
||||
+ for (size_t k = i; k + 1 < *num_kenctypes; k++) {
|
||||
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
|
||||
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
|
||||
}
|
||||
@@ -344,6 +344,8 @@ parse_req_done:
|
||||
|
||||
rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg);
|
||||
if (rc) {
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
||||
+ bindDN, errMesg);
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
@@ -456,7 +458,7 @@ parse_req_done:
|
||||
char *cur_pw;
|
||||
|
||||
if (oldPasswd == NULL || *oldPasswd == '\0') {
|
||||
- LOG_FATAL("Old password was not provided!\n");
|
||||
+ LOG_FATAL("Old password was not provided for '%s'!\n", dn);
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -466,7 +468,7 @@ parse_req_done:
|
||||
cur_pw = slapi_entry_attr_get_charptr(targetEntry,
|
||||
"userPassword");
|
||||
if (!cur_pw) {
|
||||
- LOG_FATAL("User has no current password?\n");
|
||||
+ LOG_FATAL("User '%s' does not have a current password?\n", dn);
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -485,7 +487,7 @@ parse_req_done:
|
||||
slapi_value_free(&pw);
|
||||
|
||||
if (ret != 0) {
|
||||
- LOG_TRACE("Invalid password!\n");
|
||||
+ LOG_TRACE("Invalid password for '%s'!\n", dn);
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -579,11 +581,9 @@ parse_req_done:
|
||||
/* special cases */
|
||||
if ((strcasecmp(dn, bindDN) != 0) &&
|
||||
(strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) {
|
||||
- int i;
|
||||
-
|
||||
pwdata.changetype = IPA_CHANGETYPE_ADMIN;
|
||||
|
||||
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
||||
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
||||
if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
|
||||
pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
||||
break;
|
||||
@@ -606,6 +606,8 @@ parse_req_done:
|
||||
errMesg = ipapwd_error2string(ret);
|
||||
ret = ipapwd_to_ldap_pwpolicy_error(ret);
|
||||
slapi_pwpolicy_make_response_control(pb, -1, -1, ret);
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for"
|
||||
+ " '%s': %s\n", dn, errMesg);
|
||||
rc = LDAP_CONSTRAINT_VIOLATION;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -666,7 +668,7 @@ free_and_return:
|
||||
if (targetEntry) slapi_entry_free(targetEntry);
|
||||
if (ber) ber_free(ber, 1);
|
||||
|
||||
- LOG("%s", errMesg ? errMesg : "success");
|
||||
+ LOG("%s\n", errMesg ? errMesg : "success");
|
||||
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
|
||||
|
||||
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
|
||||
@@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
|
||||
"krbCanonicalName",
|
||||
"enrolledBy", NULL };
|
||||
Slapi_Entry **es = NULL;
|
||||
- int res, ret, i;
|
||||
+ int res, ret;
|
||||
+ size_t i;
|
||||
Slapi_Entry *entry = NULL;
|
||||
|
||||
/* Find ancestor base DN */
|
||||
@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
|
||||
|
||||
/* if there is none or more than one, freak out */
|
||||
if (i != 1) {
|
||||
- LOG_TRACE("Too many entries, or entry no found (%d)", i);
|
||||
+ LOG_TRACE("Too many entries, or entry no found (%ld)\n", i);
|
||||
goto free_and_return;
|
||||
}
|
||||
entry = slapi_entry_dup(es[0]);
|
||||
@@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN,
|
||||
*/
|
||||
be = get_realm_backend();
|
||||
if (!be) {
|
||||
- LOG_FATAL("Could not fetch REALM backend!");
|
||||
+ LOG_FATAL("Could not fetch REALM backend!\n");
|
||||
return false;
|
||||
}
|
||||
if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) {
|
||||
@@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods,
|
||||
if ((NULL != pw) && (NULL == krbLastPwdChange)) {
|
||||
slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE,
|
||||
"userPassword", NULL);
|
||||
- LOG_TRACE("Removing userPassword from host entry\n");
|
||||
+ LOG_TRACE("Removing userPassword from host entry '%s'\n",
|
||||
+ slapi_entry_get_dn_const(targetEntry));
|
||||
}
|
||||
}
|
||||
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
|
||||
@@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
|
||||
rc = set_krbLastPwdChange(smods, time_now);
|
||||
if (rc) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to set krbLastPwdChange");
|
||||
- err_msg = "Internal error while storing keytab data\n";
|
||||
+ LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n",
|
||||
+ slapi_entry_get_dn_const(target));
|
||||
+ err_msg = "Internal error while storing keytab data";
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -905,8 +910,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
|
||||
rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods);
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to apply mods");
|
||||
- err_msg = "Internal error while saving keys\n";
|
||||
+ LOG_FATAL("Failed to apply mods to target '%s'\n",
|
||||
+ slapi_entry_get_dn_const(target));
|
||||
+ err_msg = "Internal error while saving keys";
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
|
||||
svcname, time_now);
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to set extradata");
|
||||
- err_msg = "Internal error while saving keytab extradata\n";
|
||||
+ LOG_FATAL("Failed to set extradata for target '%s'\n",
|
||||
+ slapi_entry_get_dn_const(target));
|
||||
+ err_msg = "Internal error while saving keytab extradata";
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx,
|
||||
kset->mkvno = mkvno;
|
||||
|
||||
rtag = ber_peek_tag(ber, &tlen);
|
||||
- for (int i = 0; rtag == LBER_SEQUENCE; i++) {
|
||||
+ for (size_t i = 0; rtag == LBER_SEQUENCE; i++) {
|
||||
krb5_key_data *newset;
|
||||
ber_tag_t ctag;
|
||||
ber_int_t type;
|
||||
@@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
|
||||
rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno);
|
||||
if (rc == -1) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to ber_printf the kvno");
|
||||
+ LOG_FATAL("Failed to ber_printf the kvno\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
- for (int i = 0; i < kset->num_keys; i++) {
|
||||
+ for (size_t i = 0; i < kset->num_keys; i++) {
|
||||
rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
|
||||
if (rc == -1) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to ber_printf the enctype");
|
||||
+ LOG_FATAL("Failed to ber_printf the enctype\n");
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
rc = ber_printf(ber, "}}");
|
||||
if (rc == -1) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to ber_printf the termination");
|
||||
+ LOG_FATAL("Failed to ber_printf the termination\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
rc = ber_flatten(ber, &bvp);
|
||||
if (rc == -1) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
- LOG_FATAL("Failed to ber_flatten the buffer");
|
||||
+ LOG_FATAL("Failed to ber_flatten the buffer\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
|
||||
/* get next kvno for entry (will be 1 if this is new) and fix keyset */
|
||||
kvno = ipapwd_get_cur_kvno(targetEntry) + 1;
|
||||
- for (int i = 0; i < kset->num_keys; i++) {
|
||||
+ for (size_t i = 0; i < kset->num_keys; i++) {
|
||||
kset->keys[i].key_data_kvno = kvno;
|
||||
}
|
||||
|
||||
@@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
|
||||
rc = encode_setkeytab_reply(kset, &bvp);
|
||||
if (rc) {
|
||||
- errMesg = "Internal Error.\n";
|
||||
+ errMesg = "Internal Error.";
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
@@ -1372,7 +1379,7 @@ free_and_return:
|
||||
if (targetEntry) slapi_entry_free(targetEntry);
|
||||
|
||||
if (svals) {
|
||||
- for (int i = 0; svals[i]; i++) {
|
||||
+ for (size_t i = 0; svals[i]; i++) {
|
||||
slapi_value_free(&svals[i]);
|
||||
}
|
||||
free(svals);
|
||||
@@ -1382,7 +1389,7 @@ free_and_return:
|
||||
|
||||
if (rc == LDAP_SUCCESS)
|
||||
errMesg = NULL;
|
||||
- LOG("%s", errMesg ? errMesg : "success");
|
||||
+ LOG("%s\n", errMesg ? errMesg : "success");
|
||||
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
|
||||
|
||||
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
|
||||
@@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
|
||||
krb5_key_salt_tuple *enctypes = NULL;
|
||||
bool newkt;
|
||||
bool ret;
|
||||
- int i;
|
||||
|
||||
ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,
|
||||
&svcname, &password, &etypes, &numtypes);
|
||||
@@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- for (i = 0; i < numtypes; i++) {
|
||||
+ for (size_t i = 0; i < numtypes; i++) {
|
||||
enctypes[i].ks_enctype = etypes[i];
|
||||
enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
|
||||
}
|
||||
@@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
|
||||
/* uses last key kvno */
|
||||
kvno = keys[num_keys-1].key_data_kvno;
|
||||
|
||||
- for (int i = 0; i < num_keys; i++) {
|
||||
+ for (size_t i = 0; i < num_keys; i++) {
|
||||
krb5_enc_data cipher = { 0 };
|
||||
krb5_data plain = { 0 };
|
||||
krb5_int16 plen;
|
||||
@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
|
||||
rc = LDAP_SUCCESS;
|
||||
|
||||
done:
|
||||
- for (int i = 0; i < ksc.nkeys; i ++) {
|
||||
+ for (size_t i = 0; i < ksc.nkeys; i++) {
|
||||
free(ksc.ksdata[i].key.contents);
|
||||
}
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
@@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
* this operation. */
|
||||
if (bind_dn == NULL || *bind_dn == '\0') {
|
||||
/* Refuse the operation because they're bound anonymously */
|
||||
- err_msg = "Anonymous Binds are not allowed.\n";
|
||||
+ err_msg = "Anonymous Binds are not allowed.";
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
|
||||
if (!extop_value) {
|
||||
LOG_FATAL("Failed to retrieve extended op value from pblock\n");
|
||||
- err_msg = "Failed to retrieve extended operation value\n";
|
||||
+ err_msg = "Failed to retrieve extended operation value";
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
/* get Entry by krbPrincipalName */
|
||||
target_entry = get_entry_by_principal(service_name);
|
||||
if (!target_entry) {
|
||||
- err_msg = "PrincipalName not found.\n";
|
||||
+ err_msg = "PrincipalName not found.";
|
||||
rc = LDAP_NO_SUCH_OBJECT;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
if (!acl_ok) {
|
||||
LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
|
||||
service_name, bind_dn);
|
||||
- err_msg = "Insufficient access rights\n";
|
||||
+ err_msg = "Insufficient access rights";
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
/* if password was passed-in, check its length */
|
||||
rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg);
|
||||
if (rc) {
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
||||
+ bind_dn, err_msg);
|
||||
goto free_and_return;
|
||||
}
|
||||
}
|
||||
@@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
if (!acl_ok) {
|
||||
LOG_FATAL("Not allowed to set keytab on [%s]!\n",
|
||||
service_name);
|
||||
- err_msg = "Insufficient access rights\n";
|
||||
+ err_msg = "Insufficient access rights";
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto free_and_return;
|
||||
}
|
||||
@@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
if (!svals) {
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
LOG_FATAL("encrypt_encode_keys failed!\n");
|
||||
- err_msg = "Internal error while encrypting keys\n";
|
||||
+ err_msg = "Internal error while encrypting keys";
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
@@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno,
|
||||
keys, num_keys, &bvp);
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
- err_msg = "Internal Error.\n";
|
||||
+ err_msg = "Internal Error.";
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
@@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
||||
|
||||
free_and_return:
|
||||
if (rc == LDAP_SUCCESS) err_msg = NULL;
|
||||
- LOG("%s", err_msg ? err_msg : "success");
|
||||
+ LOG("%s\n", err_msg ? err_msg : "success");
|
||||
slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
|
||||
|
||||
/* Free anything that we allocated above */
|
||||
@@ -1787,7 +1795,7 @@ free_and_return:
|
||||
if (target_entry) slapi_entry_free(target_entry);
|
||||
if (keys) ipa_krb5_free_key_data(keys, num_keys);
|
||||
if (svals) {
|
||||
- for (int i = 0; svals[i]; i++) {
|
||||
+ for (size_t i = 0; svals[i]; i++) {
|
||||
slapi_value_free(&svals[i]);
|
||||
}
|
||||
free(svals);
|
||||
@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb )
|
||||
"ipapwd_post_init_betxn", ipapwd_post_init_betxn,
|
||||
"IPA pwd post ops betxn", NULL,
|
||||
ipapwd_plugin_id);
|
||||
- }
|
||||
+ }
|
||||
|
||||
slapi_register_plugin("preoperation", 1,
|
||||
"ipapwd_pre_init", ipapwd_pre_init,
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -33,7 +33,7 @@
|
||||
* Authors:
|
||||
* Simo Sorce <ssorce@redhat.com>
|
||||
*
|
||||
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ /* Get target DN */
|
||||
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
||||
+ if (ret) {
|
||||
+ rc = LDAP_OPERATIONS_ERROR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
/* Ok this is interesting,
|
||||
* Check this is a clear text password, or refuse operation */
|
||||
if ('{' == userpw[0]) {
|
||||
@@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
||||
} else {
|
||||
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
|
||||
if (rc) {
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
||||
+ slapi_sdn_get_dn(sdn), errMesg);
|
||||
goto done;
|
||||
}
|
||||
userpw = slapi_ch_strdup(userpw_clear);
|
||||
@@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* Get target DN */
|
||||
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
||||
- if (ret) {
|
||||
- rc = LDAP_OPERATIONS_ERROR;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
/* time to get the operation handler */
|
||||
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
|
||||
if (ret != 0) {
|
||||
@@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
||||
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
||||
} else {
|
||||
char *binddn;
|
||||
- int i;
|
||||
|
||||
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
|
||||
|
||||
@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
||||
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
|
||||
|
||||
/* if it is a passsync manager we also need to skip resets */
|
||||
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
||||
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
||||
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
|
||||
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
||||
break;
|
||||
@@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
||||
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
|
||||
(ret != 0) ) {
|
||||
errMesg = ipapwd_error2string(ret);
|
||||
+ LOG_PWDPOLICY("Failed to add password credentials for '%s': %s\n",
|
||||
+ slapi_sdn_get_dn(sdn), errMesg);
|
||||
rc = LDAP_CONSTRAINT_VIOLATION;
|
||||
goto done;
|
||||
}
|
||||
@@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Get target DN */
|
||||
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
||||
+ if (ret) {
|
||||
+ rc = LDAP_OPERATIONS_ERROR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
/* grab the mods - we'll put them back later with
|
||||
* our modifications appended
|
||||
*/
|
||||
@@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
|
||||
rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg);
|
||||
if (rc) {
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
||||
+ slapi_sdn_get_dn(sdn), errMesg);
|
||||
goto done;
|
||||
}
|
||||
slapi_ch_free_string(&unhashedpw);
|
||||
@@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
|
||||
/* OK we have something interesting here, start checking for
|
||||
* pre-requisites */
|
||||
-
|
||||
- /* Get target DN */
|
||||
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
||||
- if (ret) {
|
||||
- rc = LDAP_OPERATIONS_ERROR;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
tmp_sdn = slapi_sdn_dup(sdn);
|
||||
if (tmp_sdn) {
|
||||
/* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be
|
||||
@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
const char *userpw_clear = &userpw[strlen("{CLEAR}")];
|
||||
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
|
||||
if (rc) {
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
||||
+ slapi_sdn_get_dn(sdn), errMesg);
|
||||
goto done;
|
||||
}
|
||||
unhashedpw = slapi_ch_strdup(userpw_clear);
|
||||
@@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
slapi_ch_free_string(&userpw);
|
||||
|
||||
} else if (slapi_is_encoded(userpw)) {
|
||||
-
|
||||
- LOG("Pre-Encoded passwords are not valid\n");
|
||||
- errMesg = "Pre-Encoded passwords are not valid\n";
|
||||
+ errMesg = "Pre-Encoded passwords are not valid";
|
||||
+ LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn));
|
||||
rc = LDAP_CONSTRAINT_VIOLATION;
|
||||
goto done;
|
||||
}
|
||||
@@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
} else {
|
||||
char *binddn;
|
||||
Slapi_DN *bdn, *tdn;
|
||||
- int i;
|
||||
|
||||
/* Check Bind DN */
|
||||
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
|
||||
@@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
|
||||
|
||||
/* if it is a passsync manager we also need to skip resets */
|
||||
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
||||
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
||||
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
|
||||
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
||||
break;
|
||||
}
|
||||
}
|
||||
-
|
||||
}
|
||||
|
||||
slapi_sdn_free(&bdn);
|
||||
slapi_sdn_free(&tdn);
|
||||
-
|
||||
}
|
||||
|
||||
pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
|
||||
@@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
||||
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
|
||||
(ret != 0)) {
|
||||
errMesg = ipapwd_error2string(ret);
|
||||
+ LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n",
|
||||
+ pwdop->pwdata.dn, errMesg);
|
||||
rc = LDAP_CONSTRAINT_VIOLATION;
|
||||
goto done;
|
||||
}
|
||||
@@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
|
||||
int num_keys;
|
||||
int mkvno;
|
||||
int ret;
|
||||
- int i;
|
||||
|
||||
ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr);
|
||||
if (ret == 0) {
|
||||
@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
|
||||
|
||||
ret = LDAP_UNWILLING_TO_PERFORM;
|
||||
|
||||
- for (i = 0; i < num_keys; i++) {
|
||||
+ for (size_t i = 0; i < num_keys; i++) {
|
||||
char nthash[16];
|
||||
krb5_enc_data cipher;
|
||||
krb5_data plain;
|
||||
@@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
} else {
|
||||
rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg);
|
||||
if (rc) {
|
||||
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
||||
+ slapi_sdn_get_dn(sdn), errMesg);
|
||||
goto invalid_creds;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 1278e614dd93bf0ac3d6e0c36cb9c277808afb2c Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 11 Aug 2023 08:01:18 +0200
|
||||
Subject: [PATCH] ipatests: fix test_topology
|
||||
|
||||
The test TestTopologyOptions::test_add_remove_segment is
|
||||
randomly failing downstream. Test scenario:
|
||||
- create a line topology master <-> repl1 <-> repl2
|
||||
- create user on master
|
||||
- wait for repl success on master
|
||||
- check that the user is seen on repl2
|
||||
|
||||
The test waits for replication to complete on the master but
|
||||
it should also wait for the replication to complete on repl1
|
||||
before checking the user presence on repl2.
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_topology.py | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
|
||||
index 8a240fa3c081a05b8f4501fe48694e01086003a1..618c9d5dcce994cd0359a291b044eb2cf0bddc74 100644
|
||||
--- a/ipatests/test_integration/test_topology.py
|
||||
+++ b/ipatests/test_integration/test_topology.py
|
||||
@@ -124,6 +124,9 @@ class TestTopologyOptions(IntegrationTest):
|
||||
self.replicas[0],
|
||||
self.replicas[1])
|
||||
assert err == "", err
|
||||
+ # At this point we have replicas[1] <-> master <-> replicas[0]
|
||||
+ # ^--------------------------^
|
||||
+
|
||||
# Make sure the new segment is shown by `ipa topologysegment-find`
|
||||
result1 = self.master.run_command(['ipa', 'topologysegment-find',
|
||||
DOMAIN_SUFFIX_NAME]).stdout_text
|
||||
@@ -137,9 +140,12 @@ class TestTopologyOptions(IntegrationTest):
|
||||
deleteme = find_segment(self.master, self.replicas[1])
|
||||
returncode, error = tasks.destroy_segment(self.master, deleteme)
|
||||
assert returncode == 0, error
|
||||
+ # At this point we have master <-> replicas[0] <-> replicas[1]
|
||||
+
|
||||
# Wait till replication ends and make sure replica1 does not have
|
||||
# segment that was deleted on master
|
||||
master_ldap = self.master.ldap_connect()
|
||||
+ repl_ldap = self.replicas[0].ldap_connect()
|
||||
tasks.wait_for_replication(master_ldap)
|
||||
result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
|
||||
DOMAIN_SUFFIX_NAME]).stdout_text
|
||||
@@ -150,6 +156,7 @@ class TestTopologyOptions(IntegrationTest):
|
||||
'--first', 'test',
|
||||
'--last', 'user'])
|
||||
tasks.wait_for_replication(master_ldap)
|
||||
+ tasks.wait_for_replication(repl_ldap)
|
||||
result4 = self.replicas[1].run_command(['ipa', 'user-find'])
|
||||
assert('someuser' in result4.stdout_text), 'User not found: someuser'
|
||||
# We end up having a line topology: master <-> replica1 <-> replica2
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,47 @@
|
||||
From a2fcfb9e17c4e7f2b4c57fa1eccdfe27d0c085d3 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 08:41:43 -0500
|
||||
Subject: [PATCH] Issue 9497 - update debug logging in ipa_uuid
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9497
|
||||
|
||||
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
|
||||
index 87d8be2d88d9ff9bbf7d47eab57b765063f7a230..2fa84f5167341667050e3cfd4bda4c4a4991d06d 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
|
||||
@@ -30,7 +30,7 @@
|
||||
* Program may make changes or additions to the list of Approved
|
||||
* Interfaces.
|
||||
*
|
||||
- * Copyright (C) 2010 Red Hat, Inc.
|
||||
+ * Copyright (C) 2010-2023 Red Hat, Inc.
|
||||
* All rights reserved.
|
||||
* END COPYRIGHT BLOCK **/
|
||||
|
||||
@@ -1185,7 +1185,7 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
|
||||
* enforce is enabled. */
|
||||
errstr = slapi_ch_smprintf("Only the Directory Manager "
|
||||
"can set arbitrary values "
|
||||
- "for %s\n", cfgentry->attr);
|
||||
+ "for %s", cfgentry->attr);
|
||||
ret = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto done;
|
||||
}
|
||||
@@ -1221,7 +1221,7 @@ done:
|
||||
}
|
||||
|
||||
if (ret) {
|
||||
- LOG("operation failure [%d]\n", ret);
|
||||
+ LOG("operation failure [%d] - %s\n", ret, errstr);
|
||||
slapi_send_ldap_result(pb, ret, NULL, errstr, 0, NULL);
|
||||
slapi_ch_free((void **)&errstr);
|
||||
ret = EFAIL;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,560 +0,0 @@
|
||||
From ac6a2172f5dcb46701148c7b096ffa1b44076816 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 14:33:08 +0530
|
||||
Subject: [PATCH] ipatests: idm api related tests.
|
||||
|
||||
IDM API related tests are automated in the
|
||||
above PR
|
||||
Ref: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_idm_api.py | 534 ++++++++++++++++++++++
|
||||
1 file changed, 534 insertions(+)
|
||||
create mode 100644 ipatests/test_integration/test_idm_api.py
|
||||
|
||||
diff --git a/ipatests/test_integration/test_idm_api.py b/ipatests/test_integration/test_idm_api.py
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..eafef5dd8526bc14725d6bc32819cb5c7387f868
|
||||
--- /dev/null
|
||||
+++ b/ipatests/test_integration/test_idm_api.py
|
||||
@@ -0,0 +1,534 @@
|
||||
+#
|
||||
+# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
||||
+#
|
||||
+from __future__ import absolute_import
|
||||
+
|
||||
+from ipatests.test_integration.base import IntegrationTest
|
||||
+import textwrap
|
||||
+
|
||||
+API_INIT = """
|
||||
+ from ipalib import api, errors
|
||||
+ api.bootstrap_with_global_options(context="server")
|
||||
+ api.finalize()
|
||||
+ api.Backend.ldap2.connect()
|
||||
+ """
|
||||
+
|
||||
+CERT = (
|
||||
+ b"MIIEkDCCAvigAwIBAgIBCzANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKD\n"
|
||||
+ b"A5URVNUUkVBTE0uVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG\n"
|
||||
+ b"9yaXR5MB4XDTIzMDcyODE3MTIxOVoXDTI1MDcyODE3MTIxOVowKjEXMBU\n"
|
||||
+ b"GA1UECgwOVEVTVFJFQUxNLlRFU1QxDzANBgNVBAMMBmpzbWl0aDCCASIw\n"
|
||||
+ b"DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOF0XFrdVXmKp95AVZW5o\n"
|
||||
+ b"BWcij6vJPqeU3UpzTLbM+fROhNaKMX9S+yXrJHifOmhCOuNA8TtptKVJx\n"
|
||||
+ b"CIDZ1/5KwPBk4vrnwOBtVMCftHj87MabBqV/nmQQrCiKTcJu4aQEDI9Qh\n"
|
||||
+ b"yza09EJKvG8KkpnyuShtkP2LgkUxIqkjBg4DLV7grO+I+aG17QTuQxUTy\n"
|
||||
+ b"icfYDBnzD4hTKPLf7d9KNyG+sEeyN0gceLFMUYaQ4lyapcSzYJwOSAc2B\n"
|
||||
+ b"EU73tLaJlQORHL7HmhxrjD1IgZyxFjp/ofLVZFFoJAqjz2FWzOxmQw+bc\n"
|
||||
+ b"0WTzQjeSTGx+l3htj7MmhIRBMqr3Um6zXkLKMCAwEAAaOCATAwggEsMB8\n"
|
||||
+ b"GA1UdIwQYMBaAFCIXu6QtsiBVo1yZQZ7MMHTl5Wj6MEAGCCsGAQUFBwEB\n"
|
||||
+ b"BDQwMjAwBggrBgEFBQcwAYYkaHR0cDovL2lwYS1jYS50ZXN0cmVhbG0ud\n"
|
||||
+ b"GVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBg\n"
|
||||
+ b"EFBQcDAQYIKwYBBQUHAwIweQYDVR0fBHIwcDBuoDagNIYyaHR0cDovL2l\n"
|
||||
+ b"wYS1jYS50ZXN0cmVhbG0udGVzdC9pcGEvY3JsL01hc3RlckNSTC5iaW6i\n"
|
||||
+ b"NKQyMDAxDjAMBgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0Z\n"
|
||||
+ b"SBBdXRob3JpdHkwHQYDVR0OBBYEFNwQNQAG8MsKQPwMFyGzRiMzRAa5MA\n"
|
||||
+ b"0GCSqGSIb3DQEBCwUAA4IBgQB2g0mS8XAPI+aRBa5q7Vbp1245CvMP0Eq\n"
|
||||
+ b"Cz6gvCNwtxW0UDKnB++d/YQ13ft+x9Xj3rB/M2YXxdxTpQnQQv34CUcyh\n"
|
||||
+ b"PQKJthAsbKBpdusCGrbS54zKFR0MjxwOwIIDHuI6eu2AoSpsmYs5UGzQm\n"
|
||||
+ b"oCfQhbImK7iGLy0rOHaON1cWAFmC6lzJ2TFELc4N3eLYGVZy2ZtyZTgA3\n"
|
||||
+ b"l97rBCwbDDFF1JWoOByIq8Ij99ksyMXws++sNUpo/1l8Jt0Gn6RBiidZB\n"
|
||||
+ b"ef4+kJN+t6RAAwRQ / 3cmEggXcFoV13KZ70PeMXeX6CKMwXIwt3q7A78\n"
|
||||
+ b"Wc/0OIBREZLhXpkmogCzWCuatdzeBIhMhx0vDEzaxlhf32ZWfN5pFMpgq\n"
|
||||
+ b"wLZsdwMf6J65kGbE5Pg3Yxk7OiByxZJnR8UlvbU3r6RhMWutD6C0aqqNt\n"
|
||||
+ b"o3us5gTmfRc8Mf1l/BUgDqkBKOTU8FHREGemG1HoklBym/Pbua0VMUA+s\n"
|
||||
+ b"0nECR4LLM/o9PCJ2Y3QPBZy8Hg=\n"
|
||||
+)
|
||||
+
|
||||
+
|
||||
+class TestAPIScenario(IntegrationTest):
|
||||
+ """
|
||||
+ Tests for IDM API scenarios
|
||||
+ """
|
||||
+
|
||||
+ topology = "line"
|
||||
+
|
||||
+ def create_and_run_script(self, filename, user_code_script):
|
||||
+ self.master.put_file_contents(filename, user_code_script)
|
||||
+ self.master.run_command(["python3", filename])
|
||||
+ self.master.run_command(["rm", filename])
|
||||
+
|
||||
+ def test_idm_user_add(self):
|
||||
+ """
|
||||
+ This test checks that ipa user using api.Command["user_add"]
|
||||
+ and then checks that user is displayed using
|
||||
+ api.Command["user_show"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ api.Command["user_add"]("jsmith", givenname="John", sn="Smith",
|
||||
+ ipauserauthtype="otp")
|
||||
+ cmd = api.Command["user_show"]("jsmith", all=True)["result"]
|
||||
+ assert 'otp' in cmd['ipauserauthtype']
|
||||
+ assert 'John Smith' in cmd['cn']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/user_add.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_idm_user_find(self):
|
||||
+ """
|
||||
+ This test checks that user is displayed
|
||||
+ using api.Command["user_find"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["user_find"]("jsmith")
|
||||
+ assert '1 user matched' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/user_find.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_idm_user_mod(self):
|
||||
+ """
|
||||
+ This test checks that user attribute is modified
|
||||
+ using api.Command["user_mod"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["user_mod"]("jsmith",
|
||||
+ mail="jsmith@example.org")["result"]
|
||||
+ assert 'jsmith@example.org' in cmd['mail']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/user_mod.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_disable_user(self):
|
||||
+ """
|
||||
+ This test checks that user is disabled
|
||||
+ using api.Command["user_disable"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["user_disable"]("jsmith")
|
||||
+ assert 'Disabled user account "jsmith"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/disable_user.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_enable_user(self):
|
||||
+ """
|
||||
+ This test checks that user is enabled
|
||||
+ using api.Command["user_enable"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["user_enable"]("jsmith")
|
||||
+ assert 'Enabled user account "jsmith"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/enable_user.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_create_ipa_group(self):
|
||||
+ """
|
||||
+ This test checks that group is created
|
||||
+ using api.Command["group_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_add"]("developers", gidnumber=500,
|
||||
+ description="Developers")
|
||||
+ assert 'Added group "developers"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/create_group.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_show_ipa_group(self):
|
||||
+ """
|
||||
+ This test checks that group is displayed
|
||||
+ using api.Command["group_show"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_show"]("developers")
|
||||
+ assert 'developers' in cmd['result']['cn']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/group_show.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_ipa_group_mod(self):
|
||||
+ """
|
||||
+ This test checks that group description is modified
|
||||
+ using api.Command["group_mod"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_mod"]("developers", description='developer')
|
||||
+ ["result"]
|
||||
+ assert 'Modified group "developers"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/group_mod.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_members_to_ipa_group(self):
|
||||
+ """
|
||||
+ This test checks that member is added to group
|
||||
+ using api.Command["group_add_member"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_add_member"]("developers",
|
||||
+ user='jsmith')["result"]
|
||||
+ assert 'jsmith' in cmd['member_user']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/create_group_members.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_ipa_group_find(self):
|
||||
+ """
|
||||
+ This test checks that group is displayed
|
||||
+ using api.Command["group_find"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_find"]("developers")
|
||||
+ assert '1 group matched' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/group_find.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_remove_member_group(self):
|
||||
+ """
|
||||
+ This test checks that group member is removed
|
||||
+ using api.Command["group_remove_member"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_remove_member"]("developers",
|
||||
+ user="jsmith")
|
||||
+ assert 'member_user' not in cmd
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/remove_member_group.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_permission(self):
|
||||
+ """
|
||||
+ This test checks that permission is added
|
||||
+ using api.Command["permission_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["permission_add"]("Create users",
|
||||
+ ipapermright='add', type='user')
|
||||
+ assert 'Added permission "Create users"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_perm.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_create_hbac_rule(self):
|
||||
+ """
|
||||
+ This test checks that hbac rule is added
|
||||
+ using api.Command["hbacrule_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["hbacrule_add"]("sshd_rule")
|
||||
+ assert 'Added HBAC rule "sshd_rule"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_hbac_rule.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_hbac_service(self):
|
||||
+ """
|
||||
+ This test checks that hbac service is added using
|
||||
+ api.Command["hbacsvc_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["hbacsvc_add"]("chronyd")
|
||||
+ assert 'Added HBAC service "chronyd"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_hbac_svc.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_enable_hbac_rule(self):
|
||||
+ """
|
||||
+ This test checks that hbac rule is enabled using
|
||||
+ api.Command["hbacrule_enable"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["hbacrule_enable"]("sshd_rule")
|
||||
+ assert 'Enabled HBAC rule "sshd_rule"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/enable_hbacrule.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_create_sudo_rule(self):
|
||||
+ """
|
||||
+ This test checks that sudo rule is created using
|
||||
+ api.Command["sudorule_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["sudorule_add"]("timechange")
|
||||
+ assert 'Added Sudo Rule "timechange"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/create_sudos.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_user_certificate(self):
|
||||
+ """
|
||||
+ This test checks user certificate is added using
|
||||
+ api.Command["user_add_cert"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ msg = 'Added certificates to user "jsmith"'
|
||||
+ cmd = api.Command["user_add_cert"]("jsmith", usercertificate={CERT})
|
||||
+ assert msg in cmd["summary"]
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_cert.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_remove_user_certificate(self):
|
||||
+ """
|
||||
+ This test checks that user certificate is removed
|
||||
+ using api.Command["user_remove_cert"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ msg = 'Removed certificates from user "jsmith"'
|
||||
+ cmd = api.Command["user_remove_cert"]("jsmith", usercertificate={CERT})
|
||||
+ assert msg in cmd["summary"]
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/remove_cert.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_certmaprule_add(self):
|
||||
+ """
|
||||
+ This test checks that certmap rule is added using
|
||||
+ api.Command["certmaprule_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ msg = ('Added Certificate Identity Mapping Rule "testrule"')
|
||||
+ cmd = api.Command["certmaprule_add"]("testrule")
|
||||
+ assert msg in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/certmap_rule_add.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_certmaprule_enable(self):
|
||||
+ """
|
||||
+ This test checks that certmap rule is enabled
|
||||
+ using api.Command["certmaprule_enable"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ msg = ('Enabled Certificate Identity Mapping Rule "testrule"')
|
||||
+ cmd = api.Command["certmaprule_enable"]("testrule")
|
||||
+ assert msg in cmd["summary"]
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/certmap_rule_enable.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_certmaprule_disable(self):
|
||||
+ """
|
||||
+ This test checks that certmap rule is disabled using
|
||||
+ api.Command["certmaprule_disable"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ msg = ('Disabled Certificate Identity Mapping Rule "testrule"')
|
||||
+ cmd = api.Command["certmaprule_disable"]("testrule")
|
||||
+ assert msg in cmd["summary"]
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/certmap_rule_disable.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_certmaprule_del(self):
|
||||
+ """
|
||||
+ This test checks that certmap rule is deleted using
|
||||
+ api.Command["certmaprule_del"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ msg = ('Deleted Certificate Identity Mapping Rule "testrule"')
|
||||
+ cmd = api.Command["certmaprule_del"]("testrule")
|
||||
+ assert msg in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/certmap_rule_del.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_role(self):
|
||||
+ """
|
||||
+ This test checks that role and privilege is added using
|
||||
+ api.Command["role_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd1 = api.Command["role_add"]("junioradmin",
|
||||
+ description="Junior admin")
|
||||
+ assert 'Added role "junioradmin"' in cmd1["summary"]
|
||||
+ cmd2 = api.Command.role_add_privilege("junioradmin",
|
||||
+ privilege="Vault Administrators")["result"]
|
||||
+ assert 'Vault Administrators' in cmd2["memberof_privilege"]
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_role.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_subid(self):
|
||||
+ """
|
||||
+ This test checks that subid is added for IPA user
|
||||
+ using api.Command["subid_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["subid_add"](ipaowner="jsmith")
|
||||
+ assert 'Added subordinate id ' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_subid.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_add_otptoken(self):
|
||||
+ """
|
||||
+ This test checks that otp token is added for IPA user
|
||||
+ using api.Command["otptoken_add"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["otptoken_add"](
|
||||
+ type='HOTP', description='testotp',
|
||||
+ ipatokenotpalgorithm='sha512', ipatokenowner='jsmith',
|
||||
+ ipatokenotpdigits='6')
|
||||
+ assert 'Added OTP token' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/add_otptoken.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_user_del(self):
|
||||
+ """
|
||||
+ This test checks that user is deleted
|
||||
+ using api.Command["user_del"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["user_del"]("jsmith")
|
||||
+ assert 'Deleted user "jsmith"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/user_del.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_remove_ipa_group(self):
|
||||
+ """
|
||||
+ This test checks that group is removed
|
||||
+ using api.Command["group_del"]
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ cmd = api.Command["group_del"]("developers")
|
||||
+ assert 'Deleted group "developers"' in cmd['summary']
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/show_group.py", user_code_script
|
||||
+ )
|
||||
+
|
||||
+ def test_batch_command(self):
|
||||
+ """
|
||||
+ This test checks that batch commands
|
||||
+ can be run using api.
|
||||
+ """
|
||||
+ user_code_script = textwrap.dedent(
|
||||
+ f"""
|
||||
+ {API_INIT}
|
||||
+ batch_args = []
|
||||
+ for i in range(5):
|
||||
+ user_id = "user%i" % i
|
||||
+ args = [user_id]
|
||||
+ kw = {{'givenname' : user_id, 'sn' : user_id}}
|
||||
+ batch_args.append({{'method' : 'user_add', 'params' : [args, kw]}})
|
||||
+ api.Command["batch"](*batch_args)
|
||||
+ """
|
||||
+ )
|
||||
+ self.create_and_run_script(
|
||||
+ "/tmp/batch.py", user_code_script
|
||||
+ )
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,82 @@
|
||||
From 9e950f89bedeb83267369d60b4a83c77f89e71d6 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 27 Nov 2023 16:11:08 -0500
|
||||
Subject: [PATCH] hbactest was not collecting or returning messages
|
||||
|
||||
hbactest does a number of internal searches, one of which
|
||||
can exceed the configured sizelimit: hbacrule-find
|
||||
|
||||
Collect any messages returned from thsi call and display them
|
||||
to the user on the cli.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9486
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaclient/plugins/hbactest.py | 2 ++
|
||||
ipaserver/plugins/hbactest.py | 14 +++++++++++---
|
||||
2 files changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py
|
||||
index 1b54530b236cf654bc8ece7ab4e329850f5a6815..e0f93b9c265a176cb872fcf2728dbb3a66a264d9 100644
|
||||
--- a/ipaclient/plugins/hbactest.py
|
||||
+++ b/ipaclient/plugins/hbactest.py
|
||||
@@ -38,6 +38,8 @@ class hbactest(CommandOverride):
|
||||
# Note that we don't actually use --detail below to see if details need
|
||||
# to be printed as our execute() method will return None for corresponding
|
||||
# entries and None entries will be skipped.
|
||||
+ self.log_messages(output)
|
||||
+
|
||||
for o in self.output:
|
||||
if o == 'value':
|
||||
continue
|
||||
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
|
||||
index 887a35b7e67b257a2e54d51990af953ff8fbb316..568c13174ba617f2742b8f42c11b36dbde549cc2 100644
|
||||
--- a/ipaserver/plugins/hbactest.py
|
||||
+++ b/ipaserver/plugins/hbactest.py
|
||||
@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int
|
||||
from ipalib import _
|
||||
from ipapython.dn import DN
|
||||
from ipalib.plugable import Registry
|
||||
+from ipalib.messages import VersionMissing
|
||||
+
|
||||
if api.env.in_server:
|
||||
try:
|
||||
import ipaserver.dcerpc
|
||||
@@ -323,6 +325,9 @@ class hbactest(Command):
|
||||
# 2. Required options are (user, target host, service)
|
||||
# 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output
|
||||
rules = []
|
||||
+ result = {
|
||||
+ 'warning':None, 'matched':None, 'notmatched':None, 'error':None
|
||||
+ }
|
||||
|
||||
# Use all enabled IPA rules by default
|
||||
all_enabled = True
|
||||
@@ -351,8 +356,12 @@ class hbactest(Command):
|
||||
|
||||
hbacset = []
|
||||
if len(testrules) == 0:
|
||||
- hbacset = self.api.Command.hbacrule_find(
|
||||
- sizelimit=sizelimit, no_members=False)['result']
|
||||
+ hbacrules = self.api.Command.hbacrule_find(
|
||||
+ sizelimit=sizelimit, no_members=False)
|
||||
+ hbacset = hbacrules['result']
|
||||
+ for message in hbacrules['messages']:
|
||||
+ if message['code'] != VersionMissing.errno:
|
||||
+ result.setdefault('messages', []).append(message)
|
||||
else:
|
||||
for rule in testrules:
|
||||
try:
|
||||
@@ -469,7 +478,6 @@ class hbactest(Command):
|
||||
error_rules = []
|
||||
warning_rules = []
|
||||
|
||||
- result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None}
|
||||
if not options['nodetail']:
|
||||
# Validate runs rules one-by-one and reports failed ones
|
||||
for ipa_rule in rules:
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,45 +0,0 @@
|
||||
From f816b4d9e6ff7a47b0da1a368d2454add78af07c Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 11 Aug 2023 09:10:30 +0200
|
||||
Subject: [PATCH] ipatests: fixture can produce IndexError
|
||||
|
||||
The fixture issue_and_expire_acme_cert returns a function
|
||||
that fills the hosts array. If the function is not called in
|
||||
the test (for instance because a test is skipped, as in
|
||||
TestACMEPrune::test_prune_cert_search_size_limit), hosts = []
|
||||
and hosts[0] raises an IndexError.
|
||||
|
||||
Fix the fixture to check first that hosts is not empty.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9348
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_acme.py | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
||||
index c7389732cd067d49541cd04ea6687a6b95b4669f..bc989a9a2a00b0ac68b9dcffd4ccea269314961b 100644
|
||||
--- a/ipatests/test_integration/test_acme.py
|
||||
+++ b/ipatests/test_integration/test_acme.py
|
||||
@@ -633,9 +633,13 @@ def issue_and_expire_acme_cert():
|
||||
tasks.move_date(host, 'start', '-90days-60minutes')
|
||||
|
||||
# restart ipa services as date moved and wait to get things settle
|
||||
- time.sleep(10)
|
||||
- hosts[0].run_command(['ipactl', 'restart'])
|
||||
- time.sleep(10)
|
||||
+ # if the internal fixture was not called (for instance because the test
|
||||
+ # was skipped), hosts = [] and hosts[0] would produce an IndexError
|
||||
+ # exception.
|
||||
+ if hosts:
|
||||
+ time.sleep(10)
|
||||
+ hosts[0].run_command(['ipactl', 'restart'])
|
||||
+ time.sleep(10)
|
||||
|
||||
|
||||
class TestACMERenew(IntegrationTest):
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,42 +0,0 @@
|
||||
From 4a62a21499a4884f0db55d01966a6ff532a4ed1e Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 14 Aug 2023 10:53:05 +0200
|
||||
Subject: [PATCH] Installer: activate nss and pam services in sssd.conf
|
||||
|
||||
If there is already a sssd.conf file before the installer is
|
||||
executed, the nss and pam services may not be enabled by the
|
||||
installer. This happens for instance if the machine is hardened
|
||||
for STIG and sssd.conf does not define services=... in the
|
||||
[sssd] section.
|
||||
|
||||
The consequence is that trust cannot be established with an AD
|
||||
domain.
|
||||
|
||||
The installer must enable nss and pam services even if there is
|
||||
a pre-existing sssd.conf file.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9427
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaclient/install/client.py | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
||||
index ef29a2c8a3f673860cb22e0e6953853fd96a8572..07d62a748f77e990a38e28e3675abb05eef0da8d 100644
|
||||
--- a/ipaclient/install/client.py
|
||||
+++ b/ipaclient/install/client.py
|
||||
@@ -969,6 +969,9 @@ def configure_sssd_conf(
|
||||
nss_service.set_option('memcache_timeout', 600)
|
||||
sssdconfig.save_service(nss_service)
|
||||
|
||||
+ sssd_enable_service(sssdconfig, 'nss')
|
||||
+ sssd_enable_service(sssdconfig, 'pam')
|
||||
+
|
||||
domain.set_option('ipa_domain', cli_domain)
|
||||
domain.set_option('ipa_hostname', client_hostname)
|
||||
if cli_domain.lower() != cli_realm.lower():
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,56 @@
|
||||
From e8810696a38b70af286a2a2aae464ba4294e1fb5 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 28 Nov 2023 13:35:13 -0500
|
||||
Subject: [PATCH] ipatests: Verify that hbactest will return messages
|
||||
|
||||
Limit the sizelimit of the hbactest request to confirm that
|
||||
the output includes a SearchResultTruncated message.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9486
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_xmlrpc/test_hbactest_plugin.py | 19 ++++++++++++++++++-
|
||||
1 file changed, 18 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_xmlrpc/test_hbactest_plugin.py b/ipatests/test_xmlrpc/test_hbactest_plugin.py
|
||||
index 73c4ce232066dd7e45bc9a636f9fd955d50d6818..e2e66c759ab4bd1ac3e6dd2ab380c6359fc90042 100644
|
||||
--- a/ipatests/test_xmlrpc/test_hbactest_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_hbactest_plugin.py
|
||||
@@ -134,6 +134,7 @@ class test_hbactest(XMLRPC_test):
|
||||
assert ret['value']
|
||||
assert ret['error'] is None
|
||||
assert ret['matched'] is None
|
||||
+ assert 'messages' not in ret
|
||||
assert ret['notmatched'] is None
|
||||
|
||||
def test_c_hbactest_check_rules_enabled_detail(self):
|
||||
@@ -200,7 +201,23 @@ class test_hbactest(XMLRPC_test):
|
||||
nodetail=True
|
||||
)
|
||||
|
||||
- def test_g_hbactest_clear_testing_data(self):
|
||||
+ def test_g_hbactest_searchlimit_message(self):
|
||||
+ """
|
||||
+ Test running 'ipa hbactest' with limited --sizelimit
|
||||
+
|
||||
+ We know there are at least 6 rules, 4 created here + 2 default.
|
||||
+ """
|
||||
+ ret = api.Command['hbactest'](
|
||||
+ user=self.test_user,
|
||||
+ targethost=self.test_host,
|
||||
+ service=self.test_service,
|
||||
+ nodetail=True,
|
||||
+ sizelimit=2,
|
||||
+ )
|
||||
+
|
||||
+ assert ret['messages'] is not None
|
||||
+
|
||||
+ def test_h_hbactest_clear_testing_data(self):
|
||||
"""
|
||||
Clear data for HBAC test plugin testing.
|
||||
"""
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,126 @@
|
||||
From c90ba9478b663bd5bcac9bb3af4272ee1406816b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 24 Nov 2023 11:46:19 +0200
|
||||
Subject: [PATCH] ipa-kdb: add better detection of allowed user auth type
|
||||
|
||||
If default user authentication type is set to a list that does not
|
||||
include a password or a hardened credential, the resulting configuration
|
||||
might be incorrect for special service principals, including a krbtgt/..
|
||||
one.
|
||||
|
||||
Add detection of special principals to avoid these situations and always
|
||||
allow password or hardened for services.
|
||||
|
||||
Special handling is needed for the following principals:
|
||||
|
||||
- krbtgt/.. -- TGT service principals
|
||||
- K/M -- master key principal
|
||||
- kadmin/changepw -- service for changing passwords
|
||||
- kadmin/kadmin -- kadmin service principal
|
||||
- kadmin/history -- key used to encrypt history
|
||||
|
||||
Additionally, implicitly allow password or hardened credential use for
|
||||
IPA services and IPA hosts since applications typically use keytabs for
|
||||
that purpose.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9485
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 54 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
||||
index 06d511c762006f6a1e6e7a0ec663bc059489cf64..dbb98dba6d6d273e86e39e8ca8b8877d13f4299b 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include "ipa_kdb.h"
|
||||
#include "ipa_krb5.h"
|
||||
#include "ipa_hostname.h"
|
||||
+#include <kadm5/admin.h>
|
||||
|
||||
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
|
||||
|
||||
@@ -207,6 +208,19 @@ static const struct {
|
||||
{ "idp", IPADB_USER_AUTH_IDP },
|
||||
{ "passkey", IPADB_USER_AUTH_PASSKEY },
|
||||
{ }
|
||||
+},
|
||||
+ objclass_table[] = {
|
||||
+ { "ipaservice", IPADB_USER_AUTH_PASSWORD },
|
||||
+ { "ipahost", IPADB_USER_AUTH_PASSWORD },
|
||||
+ { }
|
||||
+},
|
||||
+ princname_table[] = {
|
||||
+ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD },
|
||||
+ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD },
|
||||
+ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD },
|
||||
+ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD },
|
||||
+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD },
|
||||
+ { }
|
||||
};
|
||||
|
||||
void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
|
||||
@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
|
||||
|
||||
*userauth = IPADB_USER_AUTH_NONE;
|
||||
vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
|
||||
- if (!vals)
|
||||
- return;
|
||||
-
|
||||
- for (i = 0; vals[i]; i++) {
|
||||
- for (j = 0; userauth_table[j].name; j++) {
|
||||
- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
|
||||
- *userauth |= userauth_table[j].flag;
|
||||
- break;
|
||||
+ if (!vals) {
|
||||
+ /* if there is no explicit ipaUserAuthType set, use objectclass */
|
||||
+ vals = ldap_get_values_len(lcontext, le, "objectclass");
|
||||
+ if (!vals)
|
||||
+ return;
|
||||
+
|
||||
+ for (i = 0; vals[i]; i++) {
|
||||
+ for (j = 0; objclass_table[j].name; j++) {
|
||||
+ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) {
|
||||
+ *userauth |= objclass_table[j].flag;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ for (i = 0; vals[i]; i++) {
|
||||
+ for (j = 0; userauth_table[j].name; j++) {
|
||||
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
|
||||
+ *userauth |= userauth_table[j].flag;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* If neither ipaUserAuthType nor objectClass were definitive,
|
||||
+ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */
|
||||
+ if (*userauth == IPADB_USER_AUTH_NONE) {
|
||||
+ ldap_value_free_len(vals);
|
||||
+ vals = ldap_get_values_len(lcontext, le, "krbprincipalname");
|
||||
+ if (!vals)
|
||||
+ return;
|
||||
+ for (i = 0; vals[i]; i++) {
|
||||
+ for (j = 0; princname_table[j].name; j++) {
|
||||
+ if (strncmp(vals[i]->bv_val, princname_table[j].name,
|
||||
+ strlen(princname_table[j].name)) == 0) {
|
||||
+ *userauth |= princname_table[j].flag;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
/* If password auth is enabled, enable hardened policy too. */
|
||||
if (*userauth & IPADB_USER_AUTH_PASSWORD) {
|
||||
*userauth |= IPADB_USER_AUTH_HARDENED;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 1fb026105ef397612a504722b2bcac29fbc69676 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 24 Nov 2023 11:54:04 +0200
|
||||
Subject: [PATCH] ipa-kdb: when applying ticket policy, do not deny PKINIT
|
||||
|
||||
PKINIT differs from other pre-authentication methods by the fact that it
|
||||
can be matched indepedently of the user authentication types via certmap
|
||||
plugin in KDC.
|
||||
|
||||
Since PKINIT is a strong authentication method, allow its authentication
|
||||
indicator and only apply the ticket policy.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9485
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++-----
|
||||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||
index 436ee0e62665594062e7be37e5b7925f76e921a0..2802221c79fe63ab4bd33bfbe4859517f3d91ec5 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
||||
@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
|
||||
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
|
||||
} else if (strcmp(auth_indicator, "pkinit") == 0) {
|
||||
valid_auth_indicators++;
|
||||
- if (!(ua & IPADB_USER_AUTH_PKINIT)) {
|
||||
- *status = "PKINIT pre-authentication not allowed for this user.";
|
||||
- kerr = KRB5KDC_ERR_POLICY;
|
||||
- goto done;
|
||||
- }
|
||||
+ /* allow PKINIT unconditionally -- it has passed already at this
|
||||
+ * point so some certificate was useful, only apply the limits */
|
||||
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
|
||||
} else if (strcmp(auth_indicator, "hardened") == 0) {
|
||||
valid_auth_indicators++;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,31 @@
|
||||
From fab08337dac0eb6322dc5ebe730b2541f4bb6111 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 24 Nov 2023 12:20:55 +0200
|
||||
Subject: [PATCH] ipa-kdb: clarify user auth table mapping use of
|
||||
_AUTH_PASSWORD
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9485
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
||||
index dbb98dba6d6d273e86e39e8ca8b8877d13f4299b..4e6cacf24e27b05538db2c95ab85400bb83e3d58 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
||||
@@ -195,6 +195,9 @@ done:
|
||||
return base;
|
||||
}
|
||||
|
||||
+/* In this table all _AUTH_PASSWORD entries will be
|
||||
+ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth()
|
||||
+ * which means there is no need to explicitly add it here */
|
||||
static const struct {
|
||||
const char *name;
|
||||
enum ipadb_user_auth flag;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,39 +0,0 @@
|
||||
From f123b01d81696c52e9a4008d46e549864e4a8069 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Wed, 3 May 2023 10:47:19 +0300
|
||||
Subject: [PATCH] updates: add ACIs for RBCD self-management
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9354
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Julien Rische <jrische@redhat.com>
|
||||
---
|
||||
install/updates/73-service-rbcd.update | 5 +++++
|
||||
install/updates/Makefile.am | 1 +
|
||||
2 files changed, 6 insertions(+)
|
||||
create mode 100644 install/updates/73-service-rbcd.update
|
||||
|
||||
diff --git a/install/updates/73-service-rbcd.update b/install/updates/73-service-rbcd.update
|
||||
new file mode 100644
|
||||
index 00000000000..08a8b0f84a7
|
||||
--- /dev/null
|
||||
+++ b/install/updates/73-service-rbcd.update
|
||||
@@ -0,0 +1,5 @@
|
||||
+dn: $SUFFIX
|
||||
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Kerberos principals can manage resource-based constrained delegation for themselves";allow (write) userdn = "ldap:///self";)
|
||||
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Managing principals can manage resource-based constrained delegation for other principals";allow (write) userattr = "managedby#GROUPDN" or userattr = "managedby#USERDN";)
|
||||
+add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Delegated permission to manage resource-based constrained delegation for other principals";allow (write) userattr="ipaAllowedToPerform;write_delegation#GROUPDN" or userattr="ipaAllowedToPerform;write_delegation#USERDN" ;)
|
||||
+
|
||||
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
|
||||
index fbc1b76ae4e..fd96831d8fd 100644
|
||||
--- a/install/updates/Makefile.am
|
||||
+++ b/install/updates/Makefile.am
|
||||
@@ -66,6 +66,7 @@ app_DATA = \
|
||||
73-subid.update \
|
||||
73-winsync.update \
|
||||
73-certmap.update \
|
||||
+ 73-service-rbcd.update \
|
||||
75-user-trust-attributes.update \
|
||||
80-schema_compat.update \
|
||||
81-externalmembers.update \
|
@ -0,0 +1,71 @@
|
||||
From 02b17c8560a6aabb4be1109a3a794412f527c83c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 24 Nov 2023 13:00:48 +0200
|
||||
Subject: [PATCH] ipatests: make sure PKINIT enrollment works with a strict
|
||||
policy
|
||||
|
||||
Previously, for a global policy which does not include
|
||||
'password', krb5kdc restart was failing. Now it should succeed.
|
||||
|
||||
We set admin user authentication type to PASSWORD to simplify
|
||||
configuration in the test.
|
||||
|
||||
What matters here is that global policy does not include PKINIT and that
|
||||
means a code in the ticket policy check will allow PKINIT implicitly
|
||||
rather than explicitly.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9485
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
.../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++
|
||||
1 file changed, 26 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py
|
||||
index caa0e6a34dc7e50359a41314e419a0d5be0c3aa8..5c2e7af0231677d4653ea2f82fa3dffed711a10d 100644
|
||||
--- a/ipatests/test_integration/test_pkinit_install.py
|
||||
+++ b/ipatests/test_integration/test_pkinit_install.py
|
||||
@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
|
||||
def install(cls, mh):
|
||||
tasks.install_master(cls.master)
|
||||
|
||||
+ def enforce_password_and_otp(self):
|
||||
+ """enforce otp by default and password for admin """
|
||||
+ self.master.run_command(
|
||||
+ [
|
||||
+ "ipa",
|
||||
+ "config-mod",
|
||||
+ "--user-auth-type=otp",
|
||||
+ ]
|
||||
+ )
|
||||
+ self.master.run_command(
|
||||
+ [
|
||||
+ "ipa",
|
||||
+ "user-mod",
|
||||
+ "admin",
|
||||
+ "--user-auth-type=password",
|
||||
+ ]
|
||||
+ )
|
||||
+
|
||||
def add_certmaperule(self):
|
||||
"""add certmap rule to map SAN dNSName to host entry"""
|
||||
self.master.run_command(
|
||||
@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
|
||||
cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
|
||||
client.put_file_contents(self.tmpbundle, cabundle)
|
||||
|
||||
+ def test_restart_krb5kdc(self):
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ self.enforce_password_and_otp()
|
||||
+ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
|
||||
+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
|
||||
+ self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
|
||||
+ self.master.run_command(['systemctl', 'start', 'kadmin.service'])
|
||||
+
|
||||
def test_client_install_pkinit(self):
|
||||
tasks.kinit_admin(self.master)
|
||||
self.add_certmaperule()
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 2bbfd1454fc69c5975826d1a3f39b301d135abb5 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Sep 20 2023 06:05:00 +0000
|
||||
Subject: ipatests: restart ipa services after moving date
|
||||
|
||||
|
||||
When system date is moved into future, it have unprecedented
|
||||
behavior i.e CA becomes irresponsive or unexpected certificcate
|
||||
state. Hence restart the ipa service after moving the date to
|
||||
gracefully serve the request.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9379
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
index 77076e7..ec9456e 100644
|
||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
@@ -408,6 +408,9 @@ class TestCertFixReplica(IntegrationTest):
|
||||
# move system date to expire certs
|
||||
for host in self.master, self.replicas[0]:
|
||||
tasks.move_date(host, 'stop', '+3years+1days')
|
||||
+ host.run_command(
|
||||
+ ['ipactl', 'restart', '--ignore-service-failures']
|
||||
+ )
|
||||
|
||||
yield
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 363fd5de98e883800ac08b2760e8c3150783e7e2 Mon Sep 17 00:00:00 2001
|
||||
From 2c52a7dfd26ac561786e72e4304acbf9585698b6 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 6 Oct 2023 20:16:29 +0000
|
||||
Subject: [PATCH 1/3] Check the HTTP Referer header on all requests
|
||||
Subject: [PATCH] Check the HTTP Referer header on all requests
|
||||
|
||||
The referer was only checked in WSGIExecutioner classes:
|
||||
|
||||
@ -18,13 +18,12 @@ against CSRF attacks.
|
||||
CVE-2023-5455
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
(cherry picked from commit 63f76159b0fe5ab779206a28e07a49500fc1fdbe)
|
||||
---
|
||||
ipaserver/rpcserver.py | 34 +++++++++++++++++++++++++++++++---
|
||||
1 file changed, 31 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||
index b7116469d..198fc9e7d 100644
|
||||
index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d475ff31e8c 100644
|
||||
--- a/ipaserver/rpcserver.py
|
||||
+++ b/ipaserver/rpcserver.py
|
||||
@@ -156,6 +156,19 @@ _success_template = """<html>
|
||||
@ -118,5 +117,5 @@ index b7116469d..198fc9e7d 100644
|
||||
|
||||
# Redirect to /ipa/xml if no Kerberos credentials
|
||||
--
|
||||
2.27.0
|
||||
2.43.0
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 48ec350051ead9c17e58a91405b3ab6935347f1b Mon Sep 17 00:00:00 2001
|
||||
From 14720c7690bda2b538dfc1d742eb4eb152dfd8a2 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 12 Oct 2023 20:34:01 +0000
|
||||
Subject: [PATCH 2/3] Integration tests for verifying Referer header in the UI
|
||||
Subject: [PATCH] Integration tests for verifying Referer header in the UI
|
||||
|
||||
Validate that the change_password and login_password endpoints
|
||||
verify the HTTP Referer header. There is some overlap in the
|
||||
@ -31,7 +31,6 @@ expected.
|
||||
CVE-2023-5455
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
(cherry picked from commit ef158764a97490211b9fe2e53f40826c3acfb19b)
|
||||
---
|
||||
ipatests/test_ipaserver/httptest.py | 7 +-
|
||||
ipatests/test_ipaserver/test_changepw.py | 12 +-
|
||||
@ -43,7 +42,7 @@ Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
create mode 100644 ipatests/test_ipaserver/test_referer.py
|
||||
|
||||
diff --git a/ipatests/test_ipaserver/httptest.py b/ipatests/test_ipaserver/httptest.py
|
||||
index 6cd034a71..8924798fc 100644
|
||||
index 6cd034a719690646ee9238a5c6061e791e1c6fb5..8924798fc93c14e45beaf232a958d22398f61954 100644
|
||||
--- a/ipatests/test_ipaserver/httptest.py
|
||||
+++ b/ipatests/test_ipaserver/httptest.py
|
||||
@@ -36,7 +36,7 @@ class Unauthorized_HTTP_test:
|
||||
@ -68,7 +67,7 @@ index 6cd034a71..8924798fc 100644
|
||||
headers = {'Content-Type': self.content_type,
|
||||
'Accept-Language': self.accept_language,
|
||||
diff --git a/ipatests/test_ipaserver/test_changepw.py b/ipatests/test_ipaserver/test_changepw.py
|
||||
index c3a47ab26..df38ddb3d 100644
|
||||
index c3a47ab265f08db11ddfee2182401ccba90cf8df..df38ddb3d9e74baf908372be0780fcefbb258a5d 100644
|
||||
--- a/ipatests/test_ipaserver/test_changepw.py
|
||||
+++ b/ipatests/test_ipaserver/test_changepw.py
|
||||
@@ -53,10 +53,11 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):
|
||||
@ -102,7 +101,7 @@ index c3a47ab26..df38ddb3d 100644
|
||||
|
||||
diff --git a/ipatests/test_ipaserver/test_login_password.py b/ipatests/test_ipaserver/test_login_password.py
|
||||
new file mode 100644
|
||||
index 000000000..9425cb797
|
||||
index 0000000000000000000000000000000000000000..9425cb7977fbc87210bf91464e0257830a938baf
|
||||
--- /dev/null
|
||||
+++ b/ipatests/test_ipaserver/test_login_password.py
|
||||
@@ -0,0 +1,88 @@
|
||||
@ -196,7 +195,7 @@ index 000000000..9425cb797
|
||||
+ assert response.getheader('X-IPA-Rejection-Reason') is None
|
||||
diff --git a/ipatests/test_ipaserver/test_referer.py b/ipatests/test_ipaserver/test_referer.py
|
||||
new file mode 100644
|
||||
index 000000000..4eade8bba
|
||||
index 0000000000000000000000000000000000000000..4eade8bbaf304c48bf71c16892858d899b43cf88
|
||||
--- /dev/null
|
||||
+++ b/ipatests/test_ipaserver/test_referer.py
|
||||
@@ -0,0 +1,136 @@
|
||||
@ -337,7 +336,7 @@ index 000000000..4eade8bba
|
||||
+
|
||||
+ assert_equal(response.status, 400, self.app_uri)
|
||||
diff --git a/ipatests/util.py b/ipatests/util.py
|
||||
index 929c3e899..61af0c40d 100644
|
||||
index 929c3e899c3317acf59f2030b069898f4b282abc..61af0c40d07b31ef9e8ce1f069b05b2088605231 100644
|
||||
--- a/ipatests/util.py
|
||||
+++ b/ipatests/util.py
|
||||
@@ -163,12 +163,12 @@ class ExceptionNotRaised(Exception):
|
||||
@ -356,5 +355,5 @@ index 929c3e899..61af0c40d 100644
|
||||
|
||||
def assert_not_equal(val1, val2):
|
||||
--
|
||||
2.27.0
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 96dd277ad960f57c36c38820a7b0542c97f9e67d Mon Sep 17 00:00:00 2001
|
||||
From 8bdfbe8d2b203c64444390985011b2372f3bc08e Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Jan 11 2024 22:26:57 +0000
|
||||
Subject: ipatests: Skip ds_encryption tests on RHEL9 SUT.
|
||||
|
||||
Date: Wed, 20 Dec 2023 18:42:25 +0530
|
||||
Subject: [PATCH] ipatests: Skip ds_encryption tests on RHEL9 SUT.
|
||||
|
||||
test_ipahealthcheck_ds_encryption tests are failing
|
||||
in RHEL9 SUT because in this test tls protocol version
|
||||
@ -15,11 +14,12 @@ Hence the test is skipped to be run on RHEL9.0 SUT.
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 785e9ab..40c8489 100644
|
||||
index 785e9abbae3b807f100a3d875e0c0b23f868be83..40c84898894681d8daf386b522118a6a7f793227 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -158,7 +158,6 @@ TOMCAT_CONFIG_FILES = (
|
||||
@ -41,4 +41,6 @@ index 785e9ab..40c8489 100644
|
||||
def test_ipahealthcheck_ds_encryption(self, modify_tls):
|
||||
"""
|
||||
This testcase modifies the default TLS version of
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,61 @@
|
||||
From b465cf6ea596907a2845c38df9c2446efe8e65ae Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 4 Jan 2024 17:32:45 -0500
|
||||
Subject: [PATCH] ACME: Don't treat pki-server ca-config-show failures as fatal
|
||||
|
||||
Up to PKI 11.5.0 even when a pki-server call failed it had a
|
||||
return value of 0. This was fixed in 11.5.0 which breaks
|
||||
ipa-acme-manage pruning. If a configuration value is not set
|
||||
then the call fails and the tool gives up with an error like:
|
||||
|
||||
ERROR: No such parameter: jobsScheduler.job.pruning.certRetentionUnit
|
||||
|
||||
In previous versions this resulted in an empty string so the tool
|
||||
displayed the default value.
|
||||
|
||||
So now upon failure look in the stderr output for "No such parameter"
|
||||
and return an empty string so the behavior is consistent between
|
||||
both old and new PKI server versions.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9503
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/install/ipa_acme_manage.py | 12 ++++++++----
|
||||
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/ipa_acme_manage.py b/ipaserver/install/ipa_acme_manage.py
|
||||
index e7c35ff6fb5b7a30ac9e2c0c18f8db805cf06ee9..dc2359f49dfdd5c8f44ab96ee11a7240f8937e11 100644
|
||||
--- a/ipaserver/install/ipa_acme_manage.py
|
||||
+++ b/ipaserver/install/ipa_acme_manage.py
|
||||
@@ -261,8 +261,13 @@ class IPAACMEManage(AdminTool):
|
||||
result = run(args, raiseonerr=False, capture_output=True,
|
||||
capture_error=True)
|
||||
if result.returncode != 0:
|
||||
+ # See if the parameter doesn't exist. If not then no
|
||||
+ # user-specified value has been set.
|
||||
+ # ERROR: No such parameter: jobsScheduler...
|
||||
+ if 'No such parameter' in result.error_output:
|
||||
+ return ''
|
||||
raise RuntimeError(result.error_output)
|
||||
- return result
|
||||
+ return result.output.strip()
|
||||
|
||||
def ca_config_set(directive, value,
|
||||
prefix='jobsScheduler.job.pruning'):
|
||||
@@ -274,9 +279,8 @@ class IPAACMEManage(AdminTool):
|
||||
raise RuntimeError('Updating %s failed' % directive)
|
||||
|
||||
def ca_config_show(directive):
|
||||
- result = run_pki_server('ca-config-show', directive,
|
||||
- prefix='jobsScheduler.job.pruning')
|
||||
- return result.output.strip()
|
||||
+ return run_pki_server('ca-config-show', directive,
|
||||
+ prefix='jobsScheduler.job.pruning')
|
||||
|
||||
def config_show():
|
||||
status = ca_config_show('enabled')
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,125 @@
|
||||
From 6340e88341b09b06391b35e50e8c4d7619b12dab Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 1 Dec 2023 08:51:05 -0500
|
||||
Subject: [PATCH] Fix ipa-client-automount install/uninstall with new install
|
||||
states
|
||||
|
||||
Issue 8384 introduced a new installation state for the statestore
|
||||
to identify when client/server installation is completely finished
|
||||
rather than relying on has_files().
|
||||
|
||||
The problem is that ipa-client-automount may be called during
|
||||
ipa-client-install and since installation is not complete at that
|
||||
point the automount install was failing with "IPA client not
|
||||
configured".
|
||||
|
||||
Add a new state, 'automount', to designate that automount installation
|
||||
is in process. If check_client_configuration() fails it checks to
|
||||
see if [installation] automount is True. If so it continues with the
|
||||
installation.
|
||||
|
||||
This also addresses an issue where the filestore and statestore are
|
||||
shared between the client and automount installers but the client
|
||||
wasn't refreshing state after automount completed. This resulted in
|
||||
an incomplete state and index file of backed-up files which caused
|
||||
files to not be restored on uninstall and the state file to be
|
||||
orphaned.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9487
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaclient/install/client.py | 14 ++++++++++++--
|
||||
ipaclient/install/ipa_client_automount.py | 14 ++++++++------
|
||||
2 files changed, 20 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
||||
index 7e3adee351ae31ed9fcbba422fcc03a1f904e1f9..976d3821dd6d66b5b7653298c628a2bc267fa8c6 100644
|
||||
--- a/ipaclient/install/client.py
|
||||
+++ b/ipaclient/install/client.py
|
||||
@@ -1273,7 +1273,7 @@ def create_sshd_ipa_config(options):
|
||||
logger.info('Configured %s', paths.SSHD_IPA_CONFIG)
|
||||
|
||||
|
||||
-def configure_automount(options):
|
||||
+def configure_automount(options, statestore):
|
||||
logger.info('\nConfiguring automount:')
|
||||
|
||||
args = [
|
||||
@@ -1286,12 +1286,15 @@ def configure_automount(options):
|
||||
if not options.sssd:
|
||||
args.append('--no-sssd')
|
||||
|
||||
+ statestore.backup_state('installation', 'automount', True)
|
||||
try:
|
||||
result = run(args)
|
||||
except Exception as e:
|
||||
logger.error('Automount configuration failed: %s', str(e))
|
||||
else:
|
||||
logger.info('%s', result.output_log)
|
||||
+ finally:
|
||||
+ statestore.delete_state('installation', 'automount')
|
||||
|
||||
|
||||
def configure_nisdomain(options, domain, statestore):
|
||||
@@ -3305,7 +3308,11 @@ def _install(options, tdict):
|
||||
configure_sshd_config(fstore, options)
|
||||
|
||||
if options.location:
|
||||
- configure_automount(options)
|
||||
+ configure_automount(options, statestore)
|
||||
+
|
||||
+ # Reload the state as automount install may have modified it
|
||||
+ fstore._load()
|
||||
+ statestore._load()
|
||||
|
||||
if options.configure_firefox:
|
||||
configure_firefox(options, statestore, cli_domain)
|
||||
@@ -3368,12 +3375,15 @@ def uninstall(options):
|
||||
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
||||
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
|
||||
|
||||
+ statestore.backup_state('installation', 'automount', True)
|
||||
try:
|
||||
run([paths.IPA_CLIENT_AUTOMOUNT, "--uninstall", "--debug"])
|
||||
except CalledProcessError as e:
|
||||
if e.returncode != CLIENT_NOT_CONFIGURED:
|
||||
logger.error(
|
||||
"Unconfigured automount client failed: %s", str(e))
|
||||
+ finally:
|
||||
+ statestore.delete_state('installation', 'automount')
|
||||
|
||||
# Reload the state as automount unconfigure may have modified it
|
||||
fstore._load()
|
||||
diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py
|
||||
index b4b3387530afa9e80d13dd69e9d80080702f9e07..ee27872868b9ceaffdc58a9cf3fa89938e045526 100644
|
||||
--- a/ipaclient/install/ipa_client_automount.py
|
||||
+++ b/ipaclient/install/ipa_client_automount.py
|
||||
@@ -340,14 +340,16 @@ def configure_nfs(fstore, statestore, options):
|
||||
|
||||
|
||||
def configure_automount():
|
||||
- try:
|
||||
- check_client_configuration()
|
||||
- except ScriptError as e:
|
||||
- print(e.msg)
|
||||
- sys.exit(e.rval)
|
||||
+ statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
|
||||
+ if not statestore.get_state('installation', 'automount'):
|
||||
+ # not called from ipa-client-install
|
||||
+ try:
|
||||
+ check_client_configuration()
|
||||
+ except ScriptError as e:
|
||||
+ print(e.msg)
|
||||
+ sys.exit(e.rval)
|
||||
|
||||
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
||||
- statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
|
||||
|
||||
options, _args = parse_options()
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,73 @@
|
||||
From 18764964b72ba237eba5f7b1078185b2f0393d72 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 1 Dec 2023 10:47:24 -0500
|
||||
Subject: [PATCH] ipatests: Test client install/uninstall with automount
|
||||
enabled
|
||||
|
||||
The automount installation was failing. Confirm that it is fixed.
|
||||
|
||||
The uninstall was not restoring all files/configuration. Verify
|
||||
that the index and state files are gone which means that all state
|
||||
and files were restored.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9487
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
.../test_installation_client.py | 25 +++++++++++++++++++
|
||||
1 file changed, 25 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
|
||||
index 56e1593bfcfa3eb7f9918fc6f2993d836884ea38..f8567b39eead4dffd522aad504fa72a086969257 100644
|
||||
--- a/ipatests/test_integration/test_installation_client.py
|
||||
+++ b/ipatests/test_integration/test_installation_client.py
|
||||
@@ -8,12 +8,14 @@ Module provides tests for various options of ipa-client-install.
|
||||
|
||||
from __future__ import absolute_import
|
||||
|
||||
+import os
|
||||
import pytest
|
||||
import re
|
||||
import shlex
|
||||
import textwrap
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.pytest_ipa.integration.firewall import Firewall
|
||||
@@ -90,6 +92,29 @@ class TestInstallClient(IntegrationTest):
|
||||
assert 'includedir {dir}'.format(
|
||||
dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
|
||||
).encode() not in krb5_cfg
|
||||
+ tasks.uninstall_client(self.clients[0])
|
||||
+
|
||||
+ def test_install_with_automount(self):
|
||||
+ """Test that installation with automount is successful"""
|
||||
+ tasks.install_client(self.master, self.clients[0],
|
||||
+ extra_args=['--automount-location', 'default'])
|
||||
+
|
||||
+ def test_uninstall_with_automount(self):
|
||||
+ """Test that uninstall with automount is successful and complete"""
|
||||
+ tasks.uninstall_client(self.clients[0])
|
||||
+ index = os.path.join(
|
||||
+ paths.IPA_CLIENT_SYSRESTORE, SYSRESTORE_INDEXFILE
|
||||
+ )
|
||||
+ state = os.path.join(
|
||||
+ paths.IPA_CLIENT_SYSRESTORE, SYSRESTORE_STATEFILE
|
||||
+ )
|
||||
+ for filepath in (index, state):
|
||||
+ try:
|
||||
+ self.clients[0].get_file_contents(filepath)
|
||||
+ except IOError:
|
||||
+ pass
|
||||
+ else:
|
||||
+ pytest.fail("The client file %s was not removed" % filepath)
|
||||
|
||||
|
||||
class TestClientInstallBind(IntegrationTest):
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,66 @@
|
||||
From 526147ec9362124191a54c9ae8debd0234af3d49 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 1 Dec 2023 09:08:48 -0500
|
||||
Subject: [PATCH] ipa-client-automount: Don't use deprecated
|
||||
ipadiscovery.IPADiscovery
|
||||
|
||||
This class was moved to ipaclient/discovery.py in e6d560af66 to make
|
||||
it available to PyPI.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9487
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaclient/install/ipa_client_automount.py | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py
|
||||
index ee27872868b9ceaffdc58a9cf3fa89938e045526..297a784c4e1b6f1d29d51b6d3fd4b91d05672b9c 100644
|
||||
--- a/ipaclient/install/ipa_client_automount.py
|
||||
+++ b/ipaclient/install/ipa_client_automount.py
|
||||
@@ -36,7 +36,7 @@ from six.moves.urllib.parse import urlsplit
|
||||
|
||||
from optparse import OptionParser # pylint: disable=deprecated-module
|
||||
from ipapython import ipachangeconf
|
||||
-from ipaclient.install import ipadiscovery
|
||||
+from ipaclient import discovery
|
||||
from ipaclient.install.client import (
|
||||
CLIENT_NOT_CONFIGURED,
|
||||
CLIENT_ALREADY_CONFIGURED,
|
||||
@@ -384,12 +384,12 @@ def configure_automount():
|
||||
sys.exit(CLIENT_ALREADY_CONFIGURED)
|
||||
|
||||
autodiscover = False
|
||||
- ds = ipadiscovery.IPADiscovery()
|
||||
+ ds = discovery.IPADiscovery()
|
||||
if not options.server:
|
||||
print("Searching for IPA server...")
|
||||
ret = ds.search(ca_cert_path=ca_cert_path)
|
||||
logger.debug('Executing DNS discovery')
|
||||
- if ret == ipadiscovery.NO_LDAP_SERVER:
|
||||
+ if ret == discovery.NO_LDAP_SERVER:
|
||||
logger.debug('Autodiscovery did not find LDAP server')
|
||||
s = urlsplit(api.env.xmlrpc_uri)
|
||||
server = [s.netloc]
|
||||
@@ -409,14 +409,14 @@ def configure_automount():
|
||||
server = options.server
|
||||
logger.debug("Verifying that %s is an IPA server", server)
|
||||
ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
|
||||
- if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
|
||||
+ if ldapret[0] == discovery.NO_ACCESS_TO_LDAP:
|
||||
print("Anonymous access to the LDAP server is disabled.")
|
||||
print("Proceeding without strict verification.")
|
||||
print(
|
||||
"Note: This is not an error if anonymous access has been "
|
||||
"explicitly restricted."
|
||||
)
|
||||
- elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
|
||||
+ elif ldapret[0] == discovery.NO_TLS_LDAP:
|
||||
logger.warning("Unencrypted access to LDAP is not supported.")
|
||||
elif ldapret[0] != 0:
|
||||
sys.exit('Unable to confirm that %s is an IPA server' % server)
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,98 @@
|
||||
From d2ffa10df62bba45aa63232d3ad9a5ebf7158eea Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 5 Dec 2023 14:34:31 -0500
|
||||
Subject: [PATCH] Server affinity: Retain user-requested remote server
|
||||
|
||||
We want to avoid splitting a replica server installation between
|
||||
two hosts where possible so if a CA or KRA is requested then
|
||||
we only try to install against a remote server that also provides
|
||||
those capabilities. This avoids race conditions.
|
||||
|
||||
If a CA or KRA is not requested and the user has provided a
|
||||
server to install against then use that instead of overriding it.
|
||||
|
||||
Extend the logic of picking the remote Custodia mode
|
||||
(KRA, CA, *MASTER*) to include considering whether the
|
||||
CA and KRA services are requested. If the service(s) are
|
||||
not requested the the associated hostname may not be
|
||||
reliable.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9491
|
||||
Related: https://pagure.io/freeipa/issue/9289
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/install/server/replicainstall.py | 19 +++++++++----------
|
||||
1 file changed, 9 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
||||
index 27fbdef8ec9aa5ae343352ebf3c61d74d65c8958..8096b6accb4c94fefdfcc06f19584c63c24d7baf 100644
|
||||
--- a/ipaserver/install/server/replicainstall.py
|
||||
+++ b/ipaserver/install/server/replicainstall.py
|
||||
@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
|
||||
|
||||
|
||||
def remote_connection(config):
|
||||
+ logger.debug("Creating LDAP connection to %s", config.master_host_name)
|
||||
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
|
||||
xmlrpc_uri = 'https://{}/ipa/xml'.format(
|
||||
ipautil.format_netloc(config.master_host_name))
|
||||
@@ -1087,7 +1088,7 @@ def promote_check(installer):
|
||||
'CA', conn, preferred_cas
|
||||
)
|
||||
if ca_host is not None:
|
||||
- if config.master_host_name != ca_host:
|
||||
+ if options.setup_ca and config.master_host_name != ca_host:
|
||||
conn.disconnect()
|
||||
del remote_api
|
||||
config.master_host_name = ca_host
|
||||
@@ -1096,8 +1097,7 @@ def promote_check(installer):
|
||||
conn = remote_api.Backend.ldap2
|
||||
conn.connect(ccache=installer._ccache)
|
||||
config.ca_host_name = ca_host
|
||||
- config.master_host_name = ca_host
|
||||
- ca_enabled = True
|
||||
+ ca_enabled = True # There is a CA somewhere in the topology
|
||||
if options.dirsrv_cert_files:
|
||||
logger.error("Certificates could not be provided when "
|
||||
"CA is present on some master.")
|
||||
@@ -1135,7 +1135,7 @@ def promote_check(installer):
|
||||
'KRA', conn, preferred_kras
|
||||
)
|
||||
if kra_host is not None:
|
||||
- if config.master_host_name != kra_host:
|
||||
+ if options.setup_kra and config.master_host_name != kra_host:
|
||||
conn.disconnect()
|
||||
del remote_api
|
||||
config.master_host_name = kra_host
|
||||
@@ -1143,10 +1143,9 @@ def promote_check(installer):
|
||||
installer._remote_api = remote_api
|
||||
conn = remote_api.Backend.ldap2
|
||||
conn.connect(ccache=installer._ccache)
|
||||
- config.kra_host_name = kra_host
|
||||
- config.ca_host_name = kra_host
|
||||
- config.master_host_name = kra_host
|
||||
- kra_enabled = True
|
||||
+ config.kra_host_name = kra_host
|
||||
+ config.ca_host_name = kra_host
|
||||
+ kra_enabled = True # There is a KRA somewhere in the topology
|
||||
if options.setup_kra and options.server and \
|
||||
kra_host != options.server:
|
||||
# Installer was provided with a specific master
|
||||
@@ -1372,10 +1371,10 @@ def install(installer):
|
||||
otpd.create_instance('OTPD', config.host_name,
|
||||
ipautil.realm_to_suffix(config.realm_name))
|
||||
|
||||
- if kra_enabled:
|
||||
+ if options.setup_kra and kra_enabled:
|
||||
# A KRA peer always provides a CA, too.
|
||||
mode = custodiainstance.CustodiaModes.KRA_PEER
|
||||
- elif ca_enabled:
|
||||
+ elif options.setup_ca and ca_enabled:
|
||||
mode = custodiainstance.CustodiaModes.CA_PEER
|
||||
else:
|
||||
mode = custodiainstance.CustodiaModes.MASTER_PEER
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,120 @@
|
||||
From 95b066d629de935bfb52e732ce52026e18e9c64d Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Wed, 10 Jan 2024 16:45:12 -0500
|
||||
Subject: [PATCH] get_directive: don't error out on substring mismatch
|
||||
|
||||
This function is designed to retrieve a value from an
|
||||
ini-like file. In particular PKI CS.cfg.
|
||||
|
||||
In an attempt to be more efficient a substring search,
|
||||
using startswith(), is used before calling a regular
|
||||
expression match.
|
||||
|
||||
The problem is that if the requested directive is a
|
||||
substring of a different one then it will pass the
|
||||
startswith() and fail the regular expression match
|
||||
with a ValueError, assuming it is malformed.
|
||||
|
||||
There is no need for this. The caller must be able to
|
||||
handle None as a response anyway. So continue if
|
||||
no match is found.
|
||||
|
||||
This was seen when PKI dropped storing certificate blobs
|
||||
in CS.cfg. The CA certificate is stored in ca.signing.cert.
|
||||
If it isn't present then ca.signing.certnickname will match
|
||||
the substring but not the directive. This should not be
|
||||
treated as an error.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9506
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipapython/directivesetter.py | 5 ++-
|
||||
.../test_ipapython/test_directivesetter.py | 33 +++++++++++++++++++
|
||||
2 files changed, 37 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipapython/directivesetter.py b/ipapython/directivesetter.py
|
||||
index f4e496c7f0f785a909bfb5b8196582fb5dd865ea..732e1c239ca375e6ec08882e4731f97cb1ff58a9 100644
|
||||
--- a/ipapython/directivesetter.py
|
||||
+++ b/ipapython/directivesetter.py
|
||||
@@ -182,6 +182,9 @@ def get_directive(filename, directive, separator=' '):
|
||||
if separator == ' ':
|
||||
separator = '[ \t]+'
|
||||
|
||||
+ if directive is None:
|
||||
+ return None
|
||||
+
|
||||
result = None
|
||||
with open(filename, "r") as fd:
|
||||
for line in fd:
|
||||
@@ -193,7 +196,7 @@ def get_directive(filename, directive, separator=' '):
|
||||
if match:
|
||||
value = match.group(1)
|
||||
else:
|
||||
- raise ValueError("Malformed directive: {}".format(line))
|
||||
+ continue
|
||||
|
||||
result = unquote_directive_value(value.strip(), '"')
|
||||
result = result.strip(' ')
|
||||
diff --git a/ipatests/test_ipapython/test_directivesetter.py b/ipatests/test_ipapython/test_directivesetter.py
|
||||
index 08a30124b12c3bd8edf8fa7930377faf7b181f5d..ff86559e0a3eb018e4a26a489c190a0da380ce1f 100644
|
||||
--- a/ipatests/test_ipapython/test_directivesetter.py
|
||||
+++ b/ipatests/test_ipapython/test_directivesetter.py
|
||||
@@ -18,6 +18,10 @@ WHITESPACE_CONFIG = [
|
||||
'foobar\t2\n',
|
||||
]
|
||||
|
||||
+SUBSTRING_CONFIG = [
|
||||
+ 'foobar=2\n',
|
||||
+]
|
||||
+
|
||||
|
||||
class test_set_directive_lines:
|
||||
def test_remove_directive(self):
|
||||
@@ -88,6 +92,7 @@ class test_set_directive:
|
||||
|
||||
class test_get_directive:
|
||||
def test_get_directive(self, tmpdir):
|
||||
+ """Test retrieving known values from a config file"""
|
||||
configfile = tmpdir.join('config')
|
||||
configfile.write(''.join(EXAMPLE_CONFIG))
|
||||
|
||||
@@ -97,6 +102,34 @@ class test_get_directive:
|
||||
assert '2' == directivesetter.get_directive(str(configfile),
|
||||
'foobar',
|
||||
separator='=')
|
||||
+ assert None is directivesetter.get_directive(str(configfile),
|
||||
+ 'notfound',
|
||||
+ separator='=')
|
||||
+
|
||||
+ def test_get_directive_substring(self, tmpdir):
|
||||
+ """Test retrieving values from a config file where there is
|
||||
+ a similar substring that is not present.
|
||||
+ """
|
||||
+ configfile = tmpdir.join('config')
|
||||
+ configfile.write(''.join(SUBSTRING_CONFIG))
|
||||
+
|
||||
+ assert None is directivesetter.get_directive(str(configfile),
|
||||
+ 'foo',
|
||||
+ separator='=')
|
||||
+ assert '2' == directivesetter.get_directive(str(configfile),
|
||||
+ 'foobar',
|
||||
+ separator='=')
|
||||
+
|
||||
+ def test_get_directive_none(self, tmpdir):
|
||||
+ """Test retrieving a value from a config file where the
|
||||
+ directive is None. i.e. don't fail.
|
||||
+ """
|
||||
+ configfile = tmpdir.join('config')
|
||||
+ configfile.write(''.join(EXAMPLE_CONFIG))
|
||||
+
|
||||
+ assert None is directivesetter.get_directive(str(configfile),
|
||||
+ None,
|
||||
+ separator='=')
|
||||
|
||||
|
||||
class test_get_directive_whitespace:
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,101 @@
|
||||
From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 21 Dec 2023 09:38:57 +0200
|
||||
Subject: [PATCH] host: update System: Manage Host Keytab permission
|
||||
|
||||
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
|
||||
operation to get a keytab is supposed to be used. This keytab
|
||||
setting/retrieval extended operation checks access rights of the bound
|
||||
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
|
||||
|
||||
If the write isn't allowed, the operation is rejected and ipa-getkeytab
|
||||
tool falls back to an older code that generates the keytab on the client
|
||||
and forcibly sets to the LDAP entry. For the latter, a check is done to
|
||||
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
|
||||
|
||||
This fallback should never happen for newer deployments. When enrollemnt
|
||||
operation is delegated to non-administrative user with the help of 'Host
|
||||
Enrollment' role, a host can be pre-created or created at enrollment
|
||||
time, if this non-administrative user has 'Host Administrators' role. In
|
||||
the latter case a system permission 'System: Manage Host Keytab' grants
|
||||
write access to 'krbPrincipalKey' attribute but lacks any access to the
|
||||
virtual attributes expected by the new extended operation.
|
||||
|
||||
There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
|
||||
that allows to retrieve existing keys for a host. However, during
|
||||
initial enrollment we do not allow to retrieve and reuse existing
|
||||
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
|
||||
the existing key, 'ipa-join' has no way to trigger that operation.
|
||||
Hence, permission 'System: Manage Host Keytab' will not grant the right
|
||||
to read the Kerberos key via extended operation used by 'ipa-getkeytab
|
||||
-r'. Such operation can be done later by utilizing 'ipa
|
||||
service/host-allow-retrieve-keytab' commands.
|
||||
|
||||
Fix 'System: Manage Host Keytab' permission and extend a permission test
|
||||
to see that we do not fallback to the old extended operation.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9496
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ACI.txt | 2 +-
|
||||
ipaserver/plugins/host.py | 3 ++-
|
||||
ipatests/test_integration/test_user_permissions.py | 7 +++++++
|
||||
3 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ACI.txt b/ACI.txt
|
||||
index e6d6e3d1586c098f528d17fe940a1364b415654f..236bb43677bd9d84798a7ab418412b337fbf5c59 100644
|
||||
--- a/ACI.txt
|
||||
+++ b/ACI.txt
|
||||
@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
|
||||
index 3ef510edc77a07ad504f07614d0c5524a3c34646..b02c8b55fde037c5fa0a9c73575b22e3c7177806 100644
|
||||
--- a/ipaserver/plugins/host.py
|
||||
+++ b/ipaserver/plugins/host.py
|
||||
@@ -409,7 +409,8 @@ class host(LDAPObject):
|
||||
api.env.container_hostgroup,
|
||||
api.env.basedn),
|
||||
],
|
||||
- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
|
||||
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',
|
||||
+ 'ipaprotectedoperation;write_keys'},
|
||||
'replaces': [
|
||||
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
|
||||
],
|
||||
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
|
||||
index 3333a4f6b961961aea7dadf2eb36d7ed3b31e410..cd1096ff3582f9c0cfdb16b5ed876164139f1a1b 100644
|
||||
--- a/ipatests/test_integration/test_user_permissions.py
|
||||
+++ b/ipatests/test_integration/test_user_permissions.py
|
||||
@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
|
||||
self.master.run_command(['ipa', 'privilege-add-permission',
|
||||
'--permissions', 'System: Add Hosts',
|
||||
'Add Hosts'])
|
||||
+ self.master.run_command(['ipa', 'privilege-add-permission',
|
||||
+ '--permissions', 'System: Manage Host Keytab',
|
||||
+ 'Add Hosts'])
|
||||
|
||||
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
|
||||
'--privileges', 'Host Enrollment'])
|
||||
@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):
|
||||
encoding='utf-8')
|
||||
assert msg in install_log
|
||||
|
||||
+ # Make sure we do not fallback to an old keytab retrieval method anymore
|
||||
+ msg = "Retrying with pre-4.0 keytab retrieval method..."
|
||||
+ assert msg not in install_log
|
||||
+
|
||||
# check that user is able to request a host cert, too
|
||||
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
|
||||
assert 'Local IPA host' in result.stdout_text
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 3baa30ad3f6ee563089839a5ef56d5ac6eb43959 Mon Sep 17 00:00:00 2001
|
||||
From eab52d3cda9bbec716008c040551bd11facd0e11 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Jan 18 2024 09:05:30 +0000
|
||||
Subject: adtrustinstance: make sure NetBIOS name defaults are set properly
|
||||
|
||||
Date: Wed, 17 Jan 2024 12:27:26 +0200
|
||||
Subject: [PATCH] adtrustinstance: make sure NetBIOS name defaults are set
|
||||
properly
|
||||
|
||||
Some tools may pass None as NetBIOS name if not put explicitly by a
|
||||
user. This meant to use default NetBIOS name generator based on the
|
||||
@ -13,11 +13,12 @@ Fixes: https://pagure.io/freeipa/issue/9514
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
|
||||
---
|
||||
ipaserver/install/adtrustinstance.py | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
||||
index d55ba84..2ff68df 100644
|
||||
index d55ba849157bee8e335e2e0772514fc15ec11193..2ff68dfb46371a6118eb67515347eb762a37e1ec 100644
|
||||
--- a/ipaserver/install/adtrustinstance.py
|
||||
+++ b/ipaserver/install/adtrustinstance.py
|
||||
@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service):
|
||||
@ -29,4 +30,6 @@ index d55ba84..2ff68df 100644
|
||||
|
||||
self.suffix = ipautil.realm_to_suffix(self.realm)
|
||||
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,54 @@
|
||||
From 851ce93ac07044172a7db56d54ab9e1d7c7ec79f Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 15 Jan 2024 09:05:58 -0500
|
||||
Subject: [PATCH] Server affinity: Don't rely just on [ca|kra]_enabled for
|
||||
installs
|
||||
|
||||
ca_enable and kra_enabled are intended to be used to identify that
|
||||
a CA or KRA is available in the topology. It was also being used
|
||||
to determine whether a CA or KRA service is desired on a replica
|
||||
install, rather than options.setup_[ca|kra]
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9510
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/install/server/replicainstall.py | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
||||
index 8096b6accb4c94fefdfcc06f19584c63c24d7baf..191913ddb973b94bcd8ad920570edcee27349ffd 100644
|
||||
--- a/ipaserver/install/server/replicainstall.py
|
||||
+++ b/ipaserver/install/server/replicainstall.py
|
||||
@@ -1143,7 +1143,8 @@ def promote_check(installer):
|
||||
installer._remote_api = remote_api
|
||||
conn = remote_api.Backend.ldap2
|
||||
conn.connect(ccache=installer._ccache)
|
||||
- config.kra_host_name = kra_host
|
||||
+ config.kra_host_name = kra_host
|
||||
+ if options.setup_kra: # only reset ca_host if KRA is requested
|
||||
config.ca_host_name = kra_host
|
||||
kra_enabled = True # There is a KRA somewhere in the topology
|
||||
if options.setup_kra and options.server and \
|
||||
@@ -1381,7 +1382,7 @@ def install(installer):
|
||||
custodia = custodiainstance.get_custodia_instance(config, mode)
|
||||
custodia.create_instance()
|
||||
|
||||
- if ca_enabled:
|
||||
+ if options.setup_ca and ca_enabled:
|
||||
options.realm_name = config.realm_name
|
||||
options.domain_name = config.domain_name
|
||||
options.host_name = config.host_name
|
||||
@@ -1397,7 +1398,7 @@ def install(installer):
|
||||
service.print_msg("Finalize replication settings")
|
||||
ds.finalize_replica_config()
|
||||
|
||||
- if kra_enabled:
|
||||
+ if options.setup_kra and kra_enabled:
|
||||
kra.install(api, config, options, custodia=custodia)
|
||||
|
||||
service.print_msg("Restarting the KDC")
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 257b2b470b4e3f83a0cbc476d54dc74ddf2cf311 Mon Sep 17 00:00:00 2001
|
||||
From 3b2f3d41e4de0bcb78bfaecb32e06cbd22b809c2 Mon Sep 17 00:00:00 2001
|
||||
From: Masahiro Matsuya <mmatsuya@redhat.com>
|
||||
Date: Jan 24 2024 16:42:45 +0000
|
||||
Subject: ipatests: wait for replica update in test_dns_locations
|
||||
|
||||
Date: Tue, 9 Jan 2024 23:12:11 +0900
|
||||
Subject: [PATCH] ipatests: wait for replica update in test_dns_locations
|
||||
|
||||
test_ipa_ca_records and test_adtrust_system_records can fail with
|
||||
NXDOMAIN, because it doesn't wait enough for the update on replica.
|
||||
@ -10,11 +9,12 @@ It can be resolved by waiting for the update with wait_for_replication.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9504
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
|
||||
---
|
||||
ipatests/test_integration/test_dns_locations.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_dns_locations.py b/ipatests/test_integration/test_dns_locations.py
|
||||
index 44900af..89a3108 100644
|
||||
index 44900af8015ff62728f64bc626eedfcead41e214..89a310892954cbee88d1cf38683e80a2e47122ef 100644
|
||||
--- a/ipatests/test_integration/test_dns_locations.py
|
||||
+++ b/ipatests/test_integration/test_dns_locations.py
|
||||
@@ -534,6 +534,9 @@ class TestDNSLocations(IntegrationTest):
|
||||
@ -37,4 +37,6 @@ index 44900af..89a3108 100644
|
||||
for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip):
|
||||
self._test_SRV_rec_against_server(
|
||||
ip, self.domain, expected_servers,
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,69 @@
|
||||
From 5dbb3101cee7a96ec8eef40be8e802d456c0d06c Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 22 Jan 2024 08:36:27 -0500
|
||||
Subject: [PATCH] Server affinity: call ca.install() if there is a CA in the
|
||||
topology
|
||||
|
||||
This should not have been gated on options.setup_ca because we need
|
||||
the RA agent on all servers if there is a CA in the topology otherwise
|
||||
the non-CA servers won't be able to communicate with the CA.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9510
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/install/ca.py | 7 ++++---
|
||||
ipaserver/install/server/replicainstall.py | 7 +++++--
|
||||
2 files changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
||||
index c93ae1fce4c8848d493677eafee7952740e51631..187f8032b6190799027135d5d3932dbdee4dea8a 100644
|
||||
--- a/ipaserver/install/ca.py
|
||||
+++ b/ipaserver/install/ca.py
|
||||
@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia):
|
||||
promote = False
|
||||
else:
|
||||
cafile = os.path.join(replica_config.dir, 'cacert.p12')
|
||||
- custodia.get_ca_keys(
|
||||
- cafile,
|
||||
- replica_config.dirman_password)
|
||||
+ if replica_config.setup_ca:
|
||||
+ custodia.get_ca_keys(
|
||||
+ cafile,
|
||||
+ replica_config.dirman_password)
|
||||
|
||||
ca_signing_algorithm = None
|
||||
ca_type = None
|
||||
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
||||
index 191913ddb973b94bcd8ad920570edcee27349ffd..b3fd27e6a15db298f9a97d514d24662c83141013 100644
|
||||
--- a/ipaserver/install/server/replicainstall.py
|
||||
+++ b/ipaserver/install/server/replicainstall.py
|
||||
@@ -1382,11 +1382,13 @@ def install(installer):
|
||||
custodia = custodiainstance.get_custodia_instance(config, mode)
|
||||
custodia.create_instance()
|
||||
|
||||
- if options.setup_ca and ca_enabled:
|
||||
+ if ca_enabled:
|
||||
options.realm_name = config.realm_name
|
||||
options.domain_name = config.domain_name
|
||||
options.host_name = config.host_name
|
||||
options.dm_password = config.dirman_password
|
||||
+ # Always call ca.install() if there is a CA in the topology
|
||||
+ # to ensure the RA agent is present.
|
||||
ca.install(False, config, options, custodia=custodia)
|
||||
|
||||
# configure PKINIT now that all required services are in place
|
||||
@@ -1398,7 +1400,8 @@ def install(installer):
|
||||
service.print_msg("Finalize replication settings")
|
||||
ds.finalize_replica_config()
|
||||
|
||||
- if options.setup_kra and kra_enabled:
|
||||
+ if kra_enabled:
|
||||
+ # The KRA installer checks for itself the status of setup_kra
|
||||
kra.install(api, config, options, custodia=custodia)
|
||||
|
||||
service.print_msg("Restarting the KDC")
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 2e649b26d1d8ec988ec64477af73cd1f033731fd Mon Sep 17 00:00:00 2001
|
||||
From 33638de180a8157e369ad6c61f9e3406d9e85404 Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Levin <slev@altlinux.org>
|
||||
Date: Jan 30 2024 15:07:56 +0000
|
||||
Subject: ipapython: Clean up krb5_error
|
||||
|
||||
Date: Tue, 23 Jan 2024 19:12:53 +0300
|
||||
Subject: [PATCH] ipapython: Clean up krb5_error
|
||||
|
||||
`krb5_error` has different definition in MIT krb.
|
||||
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html
|
||||
@ -31,11 +30,12 @@ To prevent confusion of types `krb5_error` was replaced with
|
||||
Fixes: https://pagure.io/freeipa/issue/9519
|
||||
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
|
||||
---
|
||||
ipapython/session_storage.py | 25 ++++++++++++-------------
|
||||
1 file changed, 12 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
|
||||
index c43ef7d..371cf15 100644
|
||||
index c43ef7d4e8ef5931f6d74d360be131fe46159dc7..371cf152472d54c9a59b60bece9559323ede78b7 100644
|
||||
--- a/ipapython/session_storage.py
|
||||
+++ b/ipapython/session_storage.py
|
||||
@@ -111,7 +111,7 @@ class KRB5Error(Exception):
|
||||
@ -139,4 +139,6 @@ index c43ef7d..371cf15 100644
|
||||
krb5_unparse_name.errcheck = krb5_errcheck
|
||||
|
||||
krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 59f010774d13ea6a0148235db2ff05a3f3c93c7b Mon Sep 17 00:00:00 2001
|
||||
From f8a616dc6196324145372713da772fe9b2352e53 Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Levin <slev@altlinux.org>
|
||||
Date: Jan 30 2024 15:07:56 +0000
|
||||
Subject: ipapython: Correct return type of krb5_free_cred_contents
|
||||
|
||||
Date: Tue, 23 Jan 2024 19:19:43 +0300
|
||||
Subject: [PATCH] ipapython: Correct return type of krb5_free_cred_contents
|
||||
|
||||
According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
|
||||
|
||||
@ -25,11 +24,12 @@ function doesn't.
|
||||
Fixes: https://pagure.io/freeipa/issue/9519
|
||||
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
|
||||
---
|
||||
ipapython/session_storage.py | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
|
||||
index 371cf15..dc36f54 100644
|
||||
index 371cf152472d54c9a59b60bece9559323ede78b7..dc36f54939a838bcb933dfb0089410d9b00f9e4d 100644
|
||||
--- a/ipapython/session_storage.py
|
||||
+++ b/ipapython/session_storage.py
|
||||
@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck
|
||||
@ -42,4 +42,6 @@ index 371cf15..dc36f54 100644
|
||||
|
||||
krb5_principal_compare = LIBKRB5.krb5_principal_compare
|
||||
krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From e69d98add55f25641459fc1dfb973260e85f9b95 Mon Sep 17 00:00:00 2001
|
||||
From 59b8a9fb7169561c7ba9168fe84f47ae94e5ce23 Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Levin <slev@altlinux.org>
|
||||
Date: Jan 30 2024 15:07:56 +0000
|
||||
Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache
|
||||
|
||||
Date: Tue, 23 Jan 2024 19:52:34 +0300
|
||||
Subject: [PATCH] ipapython: Propagate KRB5Error exceptions on iterating ccache
|
||||
|
||||
`ipapython.session_storage.get_data` iterates over
|
||||
credentials in a credential cache till `krb5_cc_next_cred` returns
|
||||
@ -17,11 +16,12 @@ error as it was supposed to be.
|
||||
Fixes: https://pagure.io/freeipa/issue/9519
|
||||
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
|
||||
---
|
||||
ipapython/session_storage.py | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
|
||||
index dc36f54..e890dc9 100644
|
||||
index dc36f54939a838bcb933dfb0089410d9b00f9e4d..e890dc9b11475cc26d212ccbe040df3cfbfba6e8 100644
|
||||
--- a/ipapython/session_storage.py
|
||||
+++ b/ipapython/session_storage.py
|
||||
@@ -312,8 +312,12 @@ def get_data(princ_name, key):
|
||||
@ -48,4 +48,6 @@ index dc36f54..e890dc9 100644
|
||||
finally:
|
||||
krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From e831416320fdc73a18fba7716209edec76681721 Mon Sep 17 00:00:00 2001
|
||||
From 34b58d8ee93ab385c1f3ba1166377fc1008a9c17 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Jan 30 2024 15:16:22 +0000
|
||||
Subject: ipa-kdb: Fix memory leak during PAC verification
|
||||
|
||||
Date: Wed, 24 Jan 2024 15:50:17 +0100
|
||||
Subject: [PATCH] ipa-kdb: Fix memory leak during PAC verification
|
||||
|
||||
Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak
|
||||
during the copy of some PAC buffers, because of an unfreed memory
|
||||
@ -12,11 +11,12 @@ Fixes: https://pagure.io/freeipa/issue/9520
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 28 +++++++++++++---------------
|
||||
1 file changed, 13 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 1558e2b..2866304 100644
|
||||
index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f56583d9d9197 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
|
||||
@ -86,4 +86,6 @@ index 1558e2b..2866304 100644
|
||||
krb5_free_data_contents(context, &pac_blob);
|
||||
free(types);
|
||||
return kerr;
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From d4008aece36569131b6e81192cc7d7dfa9f9af2b Mon Sep 17 00:00:00 2001
|
||||
From 37dfe80132d665b1fced67540457362c3ee00a7b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Jan 31 2024 08:33:17 +0000
|
||||
Subject: sidgen: ignore staged users when generating SIDs
|
||||
|
||||
Date: Tue, 23 Jan 2024 14:47:50 +0200
|
||||
Subject: [PATCH] sidgen: ignore staged users when generating SIDs
|
||||
|
||||
Staged users have
|
||||
|
||||
@ -24,11 +23,13 @@ Fixes: https://pagure.io/freeipa/issue/9517
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
||||
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 2 ++
|
||||
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 12 ++++++++++++
|
||||
2 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
|
||||
index 0feff7e..bd46982 100644
|
||||
index 0feff7eec9999a76bf950b8b9fc9fa25b3a2fa88..bd46982d06b3272874f256a8b0c2293fa4829f5b 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
|
||||
@@ -45,6 +45,8 @@
|
||||
@ -41,7 +42,7 @@ index 0feff7e..bd46982 100644
|
||||
#define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange"
|
||||
#define POSIX_ACCOUNT "posixaccount"
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
|
||||
index 6f78480..cb763eb 100644
|
||||
index 6f784804cd39acdf88ceceb0e21b272a04fa13fc..cb763ebf8c733e50483c23856a248eb536c796f1 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
|
||||
@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
|
||||
@ -77,4 +78,6 @@ index 6f78480..cb763eb 100644
|
||||
slapi_ch_free_string(&sid);
|
||||
slapi_pblock_destroy(mod_pb);
|
||||
slapi_mods_free(&smods);
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,17 +1,17 @@
|
||||
From e6f96a9f2edd55ef335eb430b8dd8f6c9faf008f Mon Sep 17 00:00:00 2001
|
||||
From a1f42f0258d9e84928a112e4c39419aad0cebb3b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Jan 31 2024 08:33:17 +0000
|
||||
Subject: sidgen: fix missing prototypes
|
||||
|
||||
Date: Tue, 23 Jan 2024 14:53:39 +0200
|
||||
Subject: [PATCH] sidgen: fix missing prototypes
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
||||
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
|
||||
index bd46982..aec8627 100644
|
||||
index bd46982d06b3272874f256a8b0c2293fa4829f5b..aec862796a8364de84e26fbca96a270a8fb508fc 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
|
||||
@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
|
||||
@ -21,4 +21,6 @@ index bd46982..aec8627 100644
|
||||
+
|
||||
+int sidgen_task_init(Slapi_PBlock *pb);
|
||||
+int ipa_sidgen_init(Slapi_PBlock *pb);
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 196d63109730666f547f99814a54a5b2cd72c80e Mon Sep 17 00:00:00 2001
|
||||
From d09acb5869c5d0faa35b8784c1fea1c1be3f014f Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Jan 31 2024 08:33:17 +0000
|
||||
Subject: kdb: PAC generator: do not fail if canonical principal is missing
|
||||
|
||||
Date: Fri, 26 Jan 2024 20:53:39 +0200
|
||||
Subject: [PATCH] kdb: PAC generator: do not fail if canonical principal is
|
||||
missing
|
||||
|
||||
krbCanonicalName is mandatory for services but IPA services created
|
||||
before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
|
||||
@ -16,11 +16,12 @@ Fixes: https://pagure.io/freeipa/issue/9465
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
||||
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 2866304..16374a5 100644
|
||||
index 2866304e1e374fb6a8dc3400dd1f56583d9d9197..16374a59468975ebaea5ce18ac6445ec577e5e6a 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||
@ -42,4 +43,6 @@ index 2866304..16374a5 100644
|
||||
}
|
||||
|
||||
ret = krb5_parse_name(ipactx->kcontext, strres, &princ);
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,65 @@
|
||||
From 8c1f56dbab5de1c06fc424f3c58d366274d70688 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Mon, 29 Jan 2024 22:07:43 +0530
|
||||
Subject: [PATCH] ipatests: Skip tests for ipahealtcheck tests for specific pki
|
||||
version
|
||||
|
||||
CADogtagCertsConfigCheck is no more available on RHEL9, hence the
|
||||
respective tests are skipped.
|
||||
|
||||
Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig'
|
||||
|
||||
Ref: https://issues.redhat.com/browse/RHEL-21367
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++----
|
||||
1 file changed, 18 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 28200e0961a23996935c7b1c2b76f2b4b127e066..7323b073273bd95d7b62d19fd5afe03edb2a21da 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -507,6 +507,11 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
Testcase checks behaviour of check DogtagCertsConfigCheck in
|
||||
ipahealthcheck.dogtag.ca when tomcat config file is removed
|
||||
"""
|
||||
+ version = tasks.get_pki_version(self.master)
|
||||
+ if version >= parse_version("11.5"):
|
||||
+ pytest.skip("Skipping test for 11.5 pki version, since the "
|
||||
+ "check CADogtagCertsConfigCheck itself is skipped "
|
||||
+ "See ipa-healthcheck ticket 317")
|
||||
returncode, data = run_healthcheck(
|
||||
self.master,
|
||||
"ipahealthcheck.dogtag.ca",
|
||||
@@ -1453,13 +1458,21 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
This testcase checks that CADogtagCertsConfigCheck can handle
|
||||
cert renewal, when there can be two certs with the same nickname
|
||||
"""
|
||||
- if (tasks.get_pki_version(self.master) < tasks.parse_version('11.4.0')):
|
||||
+ if (tasks.get_pki_version(
|
||||
+ self.master) < tasks.parse_version('11.4.0')):
|
||||
raise pytest.skip("PKI known issue #2022561")
|
||||
- self.master.run_command(['ipa-cacert-manage', 'renew', '--self-signed'])
|
||||
+ elif (tasks.get_pki_version(
|
||||
+ self.master) >= tasks.parse_version('11.5.0')):
|
||||
+ raise pytest.skip("Skipping test for 11.5 pki version, since "
|
||||
+ "check CADogtagCertsConfigCheck is "
|
||||
+ "not present in source "
|
||||
+ "pki.server.healthcheck.meta.csconfig")
|
||||
+ self.master.run_command(
|
||||
+ ['ipa-cacert-manage', 'renew', '--self-signed']
|
||||
+ )
|
||||
returncode, data = run_healthcheck(
|
||||
- self.master,
|
||||
- "pki.server.healthcheck.meta.csconfig",
|
||||
- "CADogtagCertsConfigCheck",
|
||||
+ self.master, "pki.server.healthcheck.meta.csconfig",
|
||||
+ "CADogtagCertsConfigCheck"
|
||||
)
|
||||
assert returncode == 0
|
||||
for check in data:
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,42 @@
|
||||
From b00fd308831428400b96442290ec7bc90bde348f Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Tue, 30 Jan 2024 10:43:00 +0100
|
||||
Subject: [PATCH] ipatests: remove xfail thanks to sssd 2.9.4
|
||||
|
||||
SSSD 2.9.4 fixes some issues related to auto-private-group
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9295
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_trust.py | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||
index 12f000c1ad1cbce2710900b0e364a501ed6b8e52..3b9f0fbd51f11ff2c97fed50f7bb61a67326b183 100644
|
||||
--- a/ipatests/test_integration/test_trust.py
|
||||
+++ b/ipatests/test_integration/test_trust.py
|
||||
@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||
):
|
||||
self.mod_idrange_auto_private_group(type)
|
||||
sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
- bad_version = sssd_version >= tasks.parse_version("2.8.2")
|
||||
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
|
||||
+ < tasks.parse_version("2.9.4"))
|
||||
cond = (type == 'hybrid') and bad_version
|
||||
with xfail_context(condition=cond,
|
||||
reason="https://pagure.io/freeipa/issue/9295"):
|
||||
@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||
self.mod_idrange_auto_private_group(type)
|
||||
if type == "true":
|
||||
sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
|
||||
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
|
||||
+ < tasks.parse_version("2.9.4"))
|
||||
+ with xfail_context(bad_version,
|
||||
"https://pagure.io/freeipa/issue/9295"):
|
||||
(uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||
assert uid == gid
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,52 @@
|
||||
From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 9 Feb 2024 10:42:59 +0100
|
||||
Subject: [PATCH] ipatests: add xfail for autoprivate group test with override
|
||||
|
||||
Because of SSSD issue 7169, secondary groups are not
|
||||
retrieved when autoprivate group is set and an idoverride
|
||||
replaces the user's primary group.
|
||||
Mark the known issues as xfail.
|
||||
|
||||
Related: https://github.com/SSSD/sssd/issues/7169
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_trust.py | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||
index 3b9f0fbd51f11ff2c97fed50f7bb61a67326b183..2b945140dbc477f8bcd0d3b26513000d2006fa82 100644
|
||||
--- a/ipatests/test_integration/test_trust.py
|
||||
+++ b/ipatests/test_integration/test_trust.py
|
||||
@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||
assert (uid == self.uid_override and gid == self.gid_override)
|
||||
test_group = self.clients[0].run_command(
|
||||
["id", nonposixuser]).stdout_text
|
||||
- with xfail_context(type == "hybrid",
|
||||
- 'https://github.com/SSSD/sssd/issues/5989'):
|
||||
+ cond2 = ((type == 'false'
|
||||
+ and sssd_version >= tasks.parse_version("2.9.4"))
|
||||
+ or type == 'hybrid')
|
||||
+ with xfail_context(cond2,
|
||||
+ 'https://github.com/SSSD/sssd/issues/5989 '
|
||||
+ 'and 7169'):
|
||||
assert "domain users@{0}".format(self.ad_domain) in test_group
|
||||
|
||||
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||
@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||
assert(uid == self.uid_override
|
||||
and gid == self.gid_override)
|
||||
result = self.clients[0].run_command(['id', posixuser])
|
||||
- assert "10047(testgroup@{0})".format(
|
||||
- self.ad_domain) in result.stdout_text
|
||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
+ bad_version = sssd_version >= tasks.parse_version("2.9.4")
|
||||
+ with xfail_context(bad_version and type in ('false', 'hybrid'),
|
||||
+ "https://github.com/SSSD/sssd/issues/7169"):
|
||||
+ assert "10047(testgroup@{0})".format(
|
||||
+ self.ad_domain) in result.stdout_text
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 278c2cbb193496302f8c0abc4ce502ec83f47a12 Mon Sep 17 00:00:00 2001
|
||||
From 7f1142504d41a821357168acd2484c7cb7c1a4c2 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Feb 14 2024 12:23:15 +0000
|
||||
Subject: ipatests: fix tasks.wait_for_replication method
|
||||
|
||||
Date: Tue, 13 Feb 2024 13:30:15 +0100
|
||||
Subject: [PATCH] ipatests: fix tasks.wait_for_replication method
|
||||
|
||||
With the fix for https://pagure.io/freeipa/issue/9171, the
|
||||
method entry.single_value['nsds5replicaupdateinprogress'] now
|
||||
@ -15,11 +14,12 @@ Fixes: https://pagure.io/freeipa/issue/9530
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
|
||||
---
|
||||
ipatests/pytest_ipa/integration/tasks.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index 3dd32cf..9c73ac4 100755
|
||||
index ee6dec7a1d2416b442a6ce20e41b09d84f43b5c7..418c63f2c17e4fc0a2f625bca9a02879c1a1566f 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -1520,7 +1520,7 @@ def wait_for_replication(ldap, timeout=30,
|
||||
@ -31,4 +31,6 @@ index 3dd32cf..9c73ac4 100755
|
||||
msg = 'Replication not finished'
|
||||
logger.debug(msg)
|
||||
elif wrong_statuses:
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 7b7f5c3f806e53ff883865c7b7f4d17453d63ce6 Mon Sep 17 00:00:00 2001
|
||||
From febfd9c64d748a435a9d0756d4710898a0e2aa49 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Feb 16 2024 11:58:21 +0000
|
||||
Subject: ipa-kdb: Rework ipadb_reinit_mspac()
|
||||
|
||||
Date: Wed, 14 Feb 2024 17:47:00 +0100
|
||||
Subject: [PATCH] ipa-kdb: Rework ipadb_reinit_mspac()
|
||||
|
||||
Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac
|
||||
only if all its attributes can be set. If not, ipactx->mspac is set to
|
||||
@ -17,14 +16,21 @@ Fixes: https://pagure.io/freeipa/issue/9535
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb.c | 14 +-
|
||||
daemons/ipa-kdb/ipa_kdb.h | 4 +-
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 342 +++++++++++++-----------
|
||||
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 2 +-
|
||||
daemons/ipa-kdb/ipa_kdb_mspac_v6.c | 5 +-
|
||||
daemons/ipa-kdb/ipa_kdb_mspac_v9.c | 16 +-
|
||||
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +-
|
||||
7 files changed, 219 insertions(+), 170 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
||||
index a60f16c..f17cb11 100644
|
||||
index 4e6cacf24e27b05538db2c95ab85400bb83e3d58..903e19e83bbe383b878a3b9261dd501f96058d51 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
||||
@@ -448,6 +448,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
||||
@@ -449,6 +449,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
||||
struct timeval tv = { 5, 0 };
|
||||
LDAPMessage *res = NULL;
|
||||
LDAPMessage *first;
|
||||
@ -32,7 +38,7 @@ index a60f16c..f17cb11 100644
|
||||
int ret;
|
||||
int v3;
|
||||
|
||||
@@ -527,16 +528,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
||||
@@ -528,16 +529,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
|
||||
}
|
||||
|
||||
/* get adtrust options using default refresh interval */
|
||||
@ -53,10 +59,10 @@ index a60f16c..f17cb11 100644
|
||||
ret = 0;
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
|
||||
index 7b7c03b..3647ecd 100644
|
||||
index 59484d8bb69236a4ef59aeefdf9658a71c8cd520..8459ab8e0bb76c8da5c18101b0521bea86e8aecc 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.h
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.h
|
||||
@@ -369,7 +369,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
|
||||
@@ -371,7 +371,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
|
||||
krb5_data ***auth_indicators);
|
||||
#endif
|
||||
|
||||
@ -68,7 +74,7 @@ index 7b7c03b..3647ecd 100644
|
||||
void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
|
||||
krb5_error_code ipadb_check_transited_realms(krb5_context kcontext,
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 16374a5..b0eb332 100644
|
||||
index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023784f6337 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -793,16 +793,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
||||
@ -600,7 +606,7 @@ index 16374a5..b0eb332 100644
|
||||
bool result = false;
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
||||
index 7f0ca7a..e650cfa 100644
|
||||
index 7f0ca7a7966ff159828f81283f8d067476abc594..e650cfa73c558c53b28f75de26d83132e8c4b234 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
||||
@@ -31,7 +31,7 @@ struct ipadb_mspac {
|
||||
@ -613,7 +619,7 @@ index 7f0ca7a..e650cfa 100644
|
||||
time_t last_update;
|
||||
};
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
|
||||
index faf47ad..96cd50e 100644
|
||||
index faf47ad1b9b979a9acb8020eff5d663124b250ac..96cd50e4c8afe141880dd7e2e9472623cef667d8 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
|
||||
@@ -233,6 +233,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
|
||||
@ -636,7 +642,7 @@ index faf47ad..96cd50e 100644
|
||||
kerr = ipadb_get_pac(context, flags, client, server, NULL, authtime, &pac);
|
||||
if (kerr != 0 && kerr != ENOENT) {
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
|
||||
index 3badd5b..60db048 100644
|
||||
index 3badd5b088b3f017546d5df3cecbf7427fedd59d..60db048e1f328c3a31b58d2a3b17d9cac615467c 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c
|
||||
@@ -46,6 +46,7 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags,
|
||||
@ -672,10 +678,10 @@ index 3badd5b..60db048 100644
|
||||
client, server, replaced_reply_key,
|
||||
authtime, &new_pac);
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
index 00387d4..ffc0fd8 100644
|
||||
index 139f091aa9f920af14a9ba91f4d83151e23a6a20..16a15748fb94ff31d91aa656532a7b40fa4f195a 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
@@ -1567,6 +1567,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
|
||||
@@ -1598,6 +1598,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
|
||||
-1,
|
||||
};
|
||||
size_t i = 0;
|
||||
@ -683,7 +689,7 @@ index 00387d4..ffc0fd8 100644
|
||||
|
||||
/* For TGS-REQ server principal lookup, KDC asks with KRB5_KDB_FLAG_REFERRAL_OK
|
||||
* and client usually asks for an KRB5_NT_PRINCIPAL type principal. */
|
||||
@@ -1654,8 +1655,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
|
||||
@@ -1685,8 +1686,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext,
|
||||
if (kerr == KRB5_KDB_NOENTRY) {
|
||||
/* If no trusted realm found, refresh trusted domain data and try again
|
||||
* because it might be a freshly added trust to AD */
|
||||
@ -696,4 +702,6 @@ index 00387d4..ffc0fd8 100644
|
||||
kerr = KRB5_KDB_NOENTRY;
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
126
SOURCES/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
Normal file
126
SOURCES/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
Normal file
@ -0,0 +1,126 @@
|
||||
From b1390d1ad7e94256148a6b26431ff1e97fb8b7b3 Mon Sep 17 00:00:00 2001
|
||||
From: Francisco Trivino <ftrivino@redhat.com>
|
||||
Date: Fri, 27 May 2022 17:31:40 +0200
|
||||
Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo
|
||||
|
||||
None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS
|
||||
approved mechanism. This commit adds support for RSA-OAEP padding as a
|
||||
fallback.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9191
|
||||
|
||||
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 45 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
||||
index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7f2419c27 100644
|
||||
--- a/ipaclient/plugins/vault.py
|
||||
+++ b/ipaclient/plugins/vault.py
|
||||
@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None):
|
||||
return public_key_obj.encrypt(
|
||||
data,
|
||||
padding.OAEP(
|
||||
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
|
||||
- algorithm=hashes.SHA1(),
|
||||
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
|
||||
+ algorithm=hashes.SHA256(),
|
||||
label=None
|
||||
)
|
||||
)
|
||||
@@ -154,8 +154,8 @@ def decrypt(data, symmetric_key=None, private_key=None):
|
||||
return private_key_obj.decrypt(
|
||||
data,
|
||||
padding.OAEP(
|
||||
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
|
||||
- algorithm=hashes.SHA1(),
|
||||
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
|
||||
+ algorithm=hashes.SHA256(),
|
||||
label=None
|
||||
)
|
||||
)
|
||||
@@ -703,14 +703,39 @@ class ModVaultData(Local):
|
||||
return transport_cert, wrapping_algo
|
||||
|
||||
def _do_internal(self, algo, transport_cert, raise_unexpected,
|
||||
- *args, **options):
|
||||
+ use_oaep=False, *args, **options):
|
||||
public_key = transport_cert.public_key()
|
||||
|
||||
# wrap session key with transport certificate
|
||||
- wrapped_session_key = public_key.encrypt(
|
||||
- algo.key,
|
||||
- padding.PKCS1v15()
|
||||
- )
|
||||
+ # KRA may be configured using either the default PKCS1v15 or RSA-OAEP.
|
||||
+ # there is no way to query this info using the REST interface.
|
||||
+ if not use_oaep:
|
||||
+ # PKCS1v15() causes an OpenSSL exception when FIPS is enabled
|
||||
+ # if so, we fallback to RSA-OAEP
|
||||
+ try:
|
||||
+ wrapped_session_key = public_key.encrypt(
|
||||
+ algo.key,
|
||||
+ padding.PKCS1v15()
|
||||
+ )
|
||||
+ except ValueError:
|
||||
+ wrapped_session_key = public_key.encrypt(
|
||||
+ algo.key,
|
||||
+ padding.OAEP(
|
||||
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
|
||||
+ algorithm=hashes.SHA256(),
|
||||
+ label=None
|
||||
+ )
|
||||
+ )
|
||||
+ else:
|
||||
+ wrapped_session_key = public_key.encrypt(
|
||||
+ algo.key,
|
||||
+ padding.OAEP(
|
||||
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
|
||||
+ algorithm=hashes.SHA256(),
|
||||
+ label=None
|
||||
+ )
|
||||
+ )
|
||||
+
|
||||
options['session_key'] = wrapped_session_key
|
||||
|
||||
name = self.name + '_internal'
|
||||
@@ -721,7 +746,7 @@ class ModVaultData(Local):
|
||||
errors.ExecutionError,
|
||||
errors.GenericError):
|
||||
_kra_config_cache.remove(self.api.env.domain)
|
||||
- if raise_unexpected:
|
||||
+ if raise_unexpected and use_oaep:
|
||||
raise
|
||||
return None
|
||||
|
||||
@@ -731,15 +756,23 @@ class ModVaultData(Local):
|
||||
"""
|
||||
# try call with cached transport certificate
|
||||
result = self._do_internal(algo, transport_cert, False,
|
||||
- *args, **options)
|
||||
+ False, *args, **options)
|
||||
if result is not None:
|
||||
return result
|
||||
|
||||
# retrieve transport certificate (cached by vaultconfig_show)
|
||||
transport_cert = self._get_vaultconfig(force_refresh=True)[0]
|
||||
+
|
||||
# call with the retrieved transport certificate
|
||||
+ result = self._do_internal(algo, transport_cert, True,
|
||||
+ False, *args, **options)
|
||||
+
|
||||
+ if result is not None:
|
||||
+ return result
|
||||
+
|
||||
+ # call and use_oaep this time, last attempt
|
||||
return self._do_internal(algo, transport_cert, True,
|
||||
- *args, **options)
|
||||
+ True, *args, **options)
|
||||
|
||||
|
||||
@register(no_fail=True)
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,87 @@
|
||||
From c6f79e0453c9d417173ca7ecfbd5e233c6a89a9f Mon Sep 17 00:00:00 2001
|
||||
From: Francisco Trivino <ftrivino@redhat.com>
|
||||
Date: Fri, 19 Jan 2024 18:15:28 +0100
|
||||
Subject: [PATCH] Vault: improve vault server archival/retrieval calls error
|
||||
handling
|
||||
|
||||
If a vault operation fails, the error message just says "InternalError". This commit
|
||||
improves error handling of key archival and retrieval calls by catching the PKIException
|
||||
error and raising it as an IPA error.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9191
|
||||
|
||||
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++-------------
|
||||
1 file changed, 26 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
|
||||
index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b4516e20b63 100644
|
||||
--- a/ipaserver/plugins/vault.py
|
||||
+++ b/ipaserver/plugins/vault.py
|
||||
@@ -45,6 +45,7 @@ if api.env.in_server:
|
||||
import pki.key
|
||||
from pki.crypto import DES_EDE3_CBC_OID
|
||||
from pki.crypto import AES_128_CBC_OID
|
||||
+ from pki import PKIException
|
||||
|
||||
if six.PY3:
|
||||
unicode = str
|
||||
@@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery):
|
||||
pki.key.KeyClient.KEY_STATUS_INACTIVE)
|
||||
|
||||
# forward wrapped data to KRA
|
||||
- kra_client.keys.archive_encrypted_data(
|
||||
- client_key_id,
|
||||
- pki.key.KeyClient.PASS_PHRASE_TYPE,
|
||||
- wrapped_vault_data,
|
||||
- wrapped_session_key,
|
||||
- algorithm_oid=algorithm_oid,
|
||||
- nonce_iv=nonce,
|
||||
- )
|
||||
-
|
||||
- kra_account.logout()
|
||||
+ try:
|
||||
+ kra_client.keys.archive_encrypted_data(
|
||||
+ client_key_id,
|
||||
+ pki.key.KeyClient.PASS_PHRASE_TYPE,
|
||||
+ wrapped_vault_data,
|
||||
+ wrapped_session_key,
|
||||
+ algorithm_oid=algorithm_oid,
|
||||
+ nonce_iv=nonce,
|
||||
+ )
|
||||
+ except PKIException as e:
|
||||
+ kra_account.logout()
|
||||
+ raise errors.EncodingError(
|
||||
+ message=_("Unable to archive key: %s") % e)
|
||||
+ finally:
|
||||
+ kra_account.logout()
|
||||
|
||||
response = {
|
||||
'value': args[-1],
|
||||
@@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery):
|
||||
kra_client.keys.encrypt_alg_oid = algorithm_oid
|
||||
|
||||
# retrieve encrypted data from KRA
|
||||
- key = kra_client.keys.retrieve_key(
|
||||
- key_info.get_key_id(),
|
||||
- wrapped_session_key)
|
||||
+ try:
|
||||
|
||||
- kra_account.logout()
|
||||
+ key = kra_client.keys.retrieve_key(
|
||||
+ key_info.get_key_id(),
|
||||
+ wrapped_session_key)
|
||||
+ except PKIException as e:
|
||||
+ kra_account.logout()
|
||||
+ raise errors.EncodingError(
|
||||
+ message=_("Unable to retrieve key: %s") % e)
|
||||
+ finally:
|
||||
+ kra_account.logout()
|
||||
|
||||
response = {
|
||||
'value': args[-1],
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,97 @@
|
||||
From 601de6985ce0efdd701bfd8361cea72c4b87f39b Mon Sep 17 00:00:00 2001
|
||||
From: Francisco Trivino <ftrivino@redhat.com>
|
||||
Date: Fri, 19 Jan 2024 17:12:07 +0100
|
||||
Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is
|
||||
enabled
|
||||
|
||||
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
|
||||
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
|
||||
is enabled. It also handles upgrade path.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9191
|
||||
|
||||
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
install/share/ipaca_default.ini | 3 +++
|
||||
ipaserver/install/dogtaginstance.py | 4 +++-
|
||||
ipaserver/install/krainstance.py | 12 ++++++++++++
|
||||
ipaserver/install/server/upgrade.py | 12 ++++++++++++
|
||||
4 files changed, 30 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
|
||||
index 62e0729d1b6332fce142cd1d85ccc461539d06ae..44cda15920176c9eebb9a3d16f089210ff17dcdd 100644
|
||||
--- a/install/share/ipaca_default.ini
|
||||
+++ b/install/share/ipaca_default.ini
|
||||
@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
|
||||
# We will use the dbuser created for the CA.
|
||||
pki_share_db=True
|
||||
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
|
||||
+
|
||||
+# KRA padding, set RSA-OAEP in FIPS mode
|
||||
+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s
|
||||
\ No newline at end of file
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index 7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb..e0aa129ad3b0114afc4d1eae7f1ed76bb41276ae 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -1020,7 +1020,9 @@ class PKIIniLoader:
|
||||
# for softhsm2 testing
|
||||
softhsm2_so=paths.LIBSOFTHSM2_SO,
|
||||
# Configure a more secure AJP password by default
|
||||
- ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
|
||||
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None),
|
||||
+ # in FIPS mode use RSA-OAEP wrapping padding algo as default
|
||||
+ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled()
|
||||
)
|
||||
|
||||
@classmethod
|
||||
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
|
||||
index d0636a56c3d2c09a5c83c08cc1fc12768212ac3e..0fd148697dadd59ad87eb401528761010a1555de 100644
|
||||
--- a/ipaserver/install/krainstance.py
|
||||
+++ b/ipaserver/install/krainstance.py
|
||||
@@ -284,6 +284,18 @@ class KRAInstance(DogtagInstance):
|
||||
|
||||
# A restart is required
|
||||
|
||||
+ def enable_oaep_wrap_algo(self):
|
||||
+ """
|
||||
+ Enable KRA OAEP key wrap algorithm
|
||||
+ """
|
||||
+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
|
||||
+ directivesetter.set_directive(
|
||||
+ self.config,
|
||||
+ 'keyWrap.useOAEP',
|
||||
+ 'true', quotes=False, separator='=')
|
||||
+
|
||||
+ # A restart is required
|
||||
+
|
||||
def update_cert_config(self, nickname, cert):
|
||||
"""
|
||||
When renewing a KRA subsystem certificate the configuration file
|
||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
||||
index f42faea049c720c931ce7ea865e3c35acbc08b5d..31d4f8398cfb0251cc59ada909eb55635b83e960 100644
|
||||
--- a/ipaserver/install/server/upgrade.py
|
||||
+++ b/ipaserver/install/server/upgrade.py
|
||||
@@ -1794,6 +1794,18 @@ def upgrade_configuration():
|
||||
else:
|
||||
logger.info('ephemeralRequest is already enabled')
|
||||
|
||||
+ if tasks.is_fips_enabled():
|
||||
+ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]')
|
||||
+ value = directivesetter.get_directive(
|
||||
+ paths.KRA_CS_CFG_PATH,
|
||||
+ 'keyWrap.useOAEP',
|
||||
+ separator='=')
|
||||
+ if value is None or value.lower() != 'true':
|
||||
+ logger.info('Use the OAEP key wrap algo')
|
||||
+ kra.enable_oaep_wrap_algo()
|
||||
+ else:
|
||||
+ logger.info('OAEP key wrap algo is already enabled')
|
||||
+
|
||||
# several upgrade steps require running CA. If CA is configured,
|
||||
# always run ca.start() because we need to wait until CA is really ready
|
||||
# by checking status using http
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,18 +1,18 @@
|
||||
From f1efe4490c1e33b81178ba887600a3a5826c11c2 Mon Sep 17 00:00:00 2001
|
||||
From ac44c3d0a69aa2b3f8230c3ab13dca5ab5a78dd0 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Feb 20 2024 18:12:39 +0000
|
||||
Subject: ipa-kdb: Fix double free in ipadb_reinit_mspac()
|
||||
|
||||
Date: Tue, 20 Feb 2024 15:14:24 +0100
|
||||
Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac()
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9535
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index b0eb332..9723103 100644
|
||||
index b0eb3324bf4b7d8eeb7b332c39de4023784f6337..9723103d8a77294ed7457d9b48bfc0d98b9ccef1 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -3087,6 +3087,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
|
||||
@ -23,4 +23,6 @@ index b0eb332..9723103 100644
|
||||
|
||||
flat_server_name = get_server_netbios_name(ipactx);
|
||||
if (!flat_server_name) {
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,233 @@
|
||||
From 8b598814d1e51466ebbe3e0a392af92370d0c93b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Wed, 7 Feb 2024 13:09:54 +0200
|
||||
Subject: [PATCH] rpcserver: validate Kerberos principal name before running
|
||||
kinit
|
||||
|
||||
Do minimal validation of the Kerberos principal name when passing it to
|
||||
kinit command line tool. Also pass it as the final argument to prevent
|
||||
option injection.
|
||||
|
||||
Accepted Kerberos principals are:
|
||||
- user names, using the following regexp
|
||||
(username with optional @realm, no spaces or slashes in the name):
|
||||
"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
|
||||
|
||||
- service names (with slash in the name but no spaces). Validation of
|
||||
the hostname is done. There is no validation of the service name.
|
||||
|
||||
The regular expression above also covers cases where a principal name
|
||||
starts with '-'. This prevents option injection as well.
|
||||
|
||||
This fixes CVE-2024-1481
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9541
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipalib/install/kinit.py | 47 ++++++++++++++++++-
|
||||
ipaserver/rpcserver.py | 9 ++--
|
||||
ipatests/setup.py | 1 +
|
||||
ipatests/test_ipalib_install/__init__.py | 0
|
||||
ipatests/test_ipalib_install/test_kinit.py | 29 ++++++++++++
|
||||
5 files changed, 80 insertions(+), 6 deletions(-)
|
||||
create mode 100644 ipatests/test_ipalib_install/__init__.py
|
||||
create mode 100644 ipatests/test_ipalib_install/test_kinit.py
|
||||
|
||||
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
||||
index cc839ec38d1dbcb1cf3b0334592d04baf0dba23b..4ad4eaa1c30f2fb0ab02be411917e304eb527d32 100644
|
||||
--- a/ipalib/install/kinit.py
|
||||
+++ b/ipalib/install/kinit.py
|
||||
@@ -6,12 +6,16 @@ from __future__ import absolute_import
|
||||
|
||||
import logging
|
||||
import os
|
||||
+import re
|
||||
import time
|
||||
|
||||
import gssapi
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.ipautil import run
|
||||
+from ipalib.constants import PATTERN_GROUPUSER_NAME
|
||||
+from ipalib.util import validate_hostname
|
||||
+from ipalib import api
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068
|
||||
# A service is not available that s required to process the request
|
||||
KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941
|
||||
|
||||
+PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$'
|
||||
+PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM
|
||||
+PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + PATTERN_REALM
|
||||
+
|
||||
+user_pattern = re.compile(PATTERN_PRINCIPAL)
|
||||
+service_pattern = re.compile(PATTERN_SERVICE)
|
||||
+
|
||||
+
|
||||
+def validate_principal(principal):
|
||||
+ if not isinstance(principal, str):
|
||||
+ raise RuntimeError('Invalid principal: not a string')
|
||||
+ if ('/' in principal) and (' ' in principal):
|
||||
+ raise RuntimeError('Invalid principal: bad spacing')
|
||||
+ else:
|
||||
+ realm = None
|
||||
+ match = user_pattern.match(principal)
|
||||
+ if match is None:
|
||||
+ match = service_pattern.match(principal)
|
||||
+ if match is None:
|
||||
+ raise RuntimeError('Invalid principal: cannot parse')
|
||||
+ else:
|
||||
+ # service = match[1]
|
||||
+ hostname = match[2]
|
||||
+ realm = match[3]
|
||||
+ try:
|
||||
+ validate_hostname(hostname)
|
||||
+ except ValueError as e:
|
||||
+ raise RuntimeError(str(e))
|
||||
+ else: # user match, validate realm
|
||||
+ # username = match[1]
|
||||
+ realm = match[2]
|
||||
+ if realm and 'realm' in api.env and realm != api.env.realm:
|
||||
+ raise RuntimeError('Invalid principal: realm mismatch')
|
||||
+
|
||||
|
||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
"""
|
||||
@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
The optional parameter 'attempts' specifies how many times the credential
|
||||
initialization should be attempted in case of non-responsive KDC.
|
||||
"""
|
||||
+ validate_principal(principal)
|
||||
errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
|
||||
KRB5_KDC_UNREACH}
|
||||
logger.debug("Initializing principal %s using keytab %s",
|
||||
@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
|
||||
return None
|
||||
|
||||
+
|
||||
def kinit_password(principal, password, ccache_name, config=None,
|
||||
armor_ccache_name=None, canonicalize=False,
|
||||
enterprise=False, lifetime=None):
|
||||
@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None,
|
||||
web-based authentication, use armor_ccache_path to specify http service
|
||||
ccache.
|
||||
"""
|
||||
+ validate_principal(principal)
|
||||
logger.debug("Initializing principal %s using password", principal)
|
||||
- args = [paths.KINIT, principal, '-c', ccache_name]
|
||||
+ args = [paths.KINIT, '-c', ccache_name]
|
||||
if armor_ccache_name is not None:
|
||||
logger.debug("Using armor ccache %s for FAST webauth",
|
||||
armor_ccache_name)
|
||||
@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None,
|
||||
logger.debug("Using enterprise principal")
|
||||
args.append('-E')
|
||||
|
||||
+ args.extend(['--', principal])
|
||||
env = {'LC_ALL': 'C'}
|
||||
if config is not None:
|
||||
env['KRB5_CONFIG'] = config
|
||||
@@ -154,6 +196,7 @@ def kinit_pkinit(
|
||||
|
||||
:raises: CalledProcessError if PKINIT fails
|
||||
"""
|
||||
+ validate_principal(principal)
|
||||
logger.debug(
|
||||
"Initializing principal %s using PKINIT %s", principal, user_identity
|
||||
)
|
||||
@@ -168,7 +211,7 @@ def kinit_pkinit(
|
||||
assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:"))
|
||||
args.extend(["-X", f"X509_anchors={pkinit_anchor}"])
|
||||
args.extend(["-X", f"X509_user_identity={user_identity}"])
|
||||
- args.append(principal)
|
||||
+ args.extend(['--', principal])
|
||||
|
||||
# this workaround enables us to capture stderr and put it
|
||||
# into the raised exception in case of unsuccessful authentication
|
||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||
index 198fc9e7dbae281f797dcccf96d21d475ff31e8c..4f65b7e057c3d184ffadd4f28872ec3cceb73077 100644
|
||||
--- a/ipaserver/rpcserver.py
|
||||
+++ b/ipaserver/rpcserver.py
|
||||
@@ -1135,10 +1135,6 @@ class login_password(Backend, KerberosSession):
|
||||
canonicalize=True,
|
||||
lifetime=self.api.env.kinit_lifetime)
|
||||
|
||||
- if armor_path:
|
||||
- logger.debug('Cleanup the armor ccache')
|
||||
- ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
|
||||
- env={'KRB5CCNAME': armor_path}, raiseonerr=False)
|
||||
except RuntimeError as e:
|
||||
if ('kinit: Cannot read password while '
|
||||
'getting initial credentials') in str(e):
|
||||
@@ -1156,6 +1152,11 @@ class login_password(Backend, KerberosSession):
|
||||
raise KrbPrincipalWrongFAST(principal=principal)
|
||||
raise InvalidSessionPassword(principal=principal,
|
||||
message=unicode(e))
|
||||
+ finally:
|
||||
+ if armor_path:
|
||||
+ logger.debug('Cleanup the armor ccache')
|
||||
+ ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
|
||||
+ env={'KRB5CCNAME': armor_path}, raiseonerr=False)
|
||||
|
||||
|
||||
class change_password(Backend, HTTP_Status):
|
||||
diff --git a/ipatests/setup.py b/ipatests/setup.py
|
||||
index 6217a1ba5d82ba7fa79cc4c073270abe307cd2ed..0aec4a70dbd75d416e4288e1204130daf46bda94 100644
|
||||
--- a/ipatests/setup.py
|
||||
+++ b/ipatests/setup.py
|
||||
@@ -41,6 +41,7 @@ if __name__ == '__main__':
|
||||
"ipatests.test_integration",
|
||||
"ipatests.test_ipaclient",
|
||||
"ipatests.test_ipalib",
|
||||
+ "ipatests.test_ipalib_install",
|
||||
"ipatests.test_ipaplatform",
|
||||
"ipatests.test_ipapython",
|
||||
"ipatests.test_ipaserver",
|
||||
diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
|
||||
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..f89ea17d7874c28bad2524ebf456d2caeafddd1f
|
||||
--- /dev/null
|
||||
+++ b/ipatests/test_ipalib_install/test_kinit.py
|
||||
@@ -0,0 +1,29 @@
|
||||
+#
|
||||
+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
|
||||
+#
|
||||
+"""Tests for ipalib.install.kinit module
|
||||
+"""
|
||||
+
|
||||
+import pytest
|
||||
+
|
||||
+from ipalib.install.kinit import validate_principal
|
||||
+
|
||||
+
|
||||
+# None means no exception is expected
|
||||
+@pytest.mark.parametrize('principal, exception', [
|
||||
+ ('testuser', None),
|
||||
+ ('testuser@EXAMPLE.TEST', None),
|
||||
+ ('test/ipa.example.test', None),
|
||||
+ ('test/ipa.example.test@EXAMPLE.TEST', None),
|
||||
+ ('test/ipa@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test /ipa.example,test', RuntimeError),
|
||||
+ ('testuser@OTHER.TEST', RuntimeError),
|
||||
+ ('test/ipa.example.test@OTHER.TEST', RuntimeError),
|
||||
+])
|
||||
+def test_validate_principal(principal, exception):
|
||||
+ try:
|
||||
+ validate_principal(principal)
|
||||
+ except Exception as e:
|
||||
+ assert e.__class__ == exception
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,89 @@
|
||||
From 5781369e78fd83cee64a4d306198423c7a126ba0 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 22 Feb 2024 08:29:31 -0500
|
||||
Subject: [PATCH] validate_principal: Don't try to verify that the realm is
|
||||
known
|
||||
|
||||
The actual value is less important than whether it matches the
|
||||
regular expression. A number of legal but difficult to know in
|
||||
context realms could be passed in here (trust for example).
|
||||
|
||||
This fixes CVE-2024-1481
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9541
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipalib/install/kinit.py | 12 ++++--------
|
||||
ipatests/test_ipalib_install/test_kinit.py | 9 ++++++---
|
||||
2 files changed, 10 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
||||
index 4ad4eaa1c30f2fb0ab02be411917e304eb527d32..d5fb56bf041c6f61515fc3ce4cc1ca1cfbcdbab7 100644
|
||||
--- a/ipalib/install/kinit.py
|
||||
+++ b/ipalib/install/kinit.py
|
||||
@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
|
||||
from ipapython.ipautil import run
|
||||
from ipalib.constants import PATTERN_GROUPUSER_NAME
|
||||
from ipalib.util import validate_hostname
|
||||
-from ipalib import api
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -39,7 +38,9 @@ def validate_principal(principal):
|
||||
if ('/' in principal) and (' ' in principal):
|
||||
raise RuntimeError('Invalid principal: bad spacing')
|
||||
else:
|
||||
- realm = None
|
||||
+ # For a user match in the regex
|
||||
+ # username = match[1]
|
||||
+ # realm = match[2]
|
||||
match = user_pattern.match(principal)
|
||||
if match is None:
|
||||
match = service_pattern.match(principal)
|
||||
@@ -48,16 +49,11 @@ def validate_principal(principal):
|
||||
else:
|
||||
# service = match[1]
|
||||
hostname = match[2]
|
||||
- realm = match[3]
|
||||
+ # realm = match[3]
|
||||
try:
|
||||
validate_hostname(hostname)
|
||||
except ValueError as e:
|
||||
raise RuntimeError(str(e))
|
||||
- else: # user match, validate realm
|
||||
- # username = match[1]
|
||||
- realm = match[2]
|
||||
- if realm and 'realm' in api.env and realm != api.env.realm:
|
||||
- raise RuntimeError('Invalid principal: realm mismatch')
|
||||
|
||||
|
||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
|
||||
index f89ea17d7874c28bad2524ebf456d2caeafddd1f..8289c4b75c9de3b17748a6abffe0538d08f2698f 100644
|
||||
--- a/ipatests/test_ipalib_install/test_kinit.py
|
||||
+++ b/ipatests/test_ipalib_install/test_kinit.py
|
||||
@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
|
||||
('test/ipa.example.test@EXAMPLE.TEST', None),
|
||||
('test/ipa@EXAMPLE.TEST', RuntimeError),
|
||||
('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
|
||||
- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test/ipa.1example.test@EXAMPLE.TEST', None),
|
||||
('test /ipa.example,test', RuntimeError),
|
||||
- ('testuser@OTHER.TEST', RuntimeError),
|
||||
- ('test/ipa.example.test@OTHER.TEST', RuntimeError),
|
||||
+ ('testuser@OTHER.TEST', None),
|
||||
+ ('test/ipa.example.test@OTHER.TEST', None)
|
||||
])
|
||||
def test_validate_principal(principal, exception):
|
||||
try:
|
||||
validate_principal(principal)
|
||||
except Exception as e:
|
||||
assert e.__class__ == exception
|
||||
+ else:
|
||||
+ if exception is not None:
|
||||
+ raise RuntimeError('Test should have failed')
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,45 @@
|
||||
From ca561f72d05b937e727db76c42d807ba07661494 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 1 Mar 2024 15:12:33 -0500
|
||||
Subject: [PATCH] Vault: add additional fallback to RSA-OAEP wrapping algo
|
||||
|
||||
There is a fallback when creating the wrapping key but one was missing
|
||||
when trying to use the cached transport_cert.
|
||||
|
||||
This allows, along with forcing keyWrap.useOAEP=true, vault creation
|
||||
on an nCipher HSM.
|
||||
|
||||
This can be seen in HSMs where the device doesn't support the
|
||||
PKCS#1 v1.5 mechanism. It will error out with either "invalid
|
||||
algorithm" or CKR_FUNCTION_FAILED.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9191
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaclient/plugins/vault.py | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
||||
index a29bd6e5f437d9d07f2d995d7bc884e7f2419c27..96edf09a2060e7b39e1e96c6fa65ae095ec18e73 100644
|
||||
--- a/ipaclient/plugins/vault.py
|
||||
+++ b/ipaclient/plugins/vault.py
|
||||
@@ -755,8 +755,12 @@ class ModVaultData(Local):
|
||||
Calls the internal counterpart of the command.
|
||||
"""
|
||||
# try call with cached transport certificate
|
||||
- result = self._do_internal(algo, transport_cert, False,
|
||||
- False, *args, **options)
|
||||
+ try:
|
||||
+ result = self._do_internal(algo, transport_cert, False,
|
||||
+ False, *args, **options)
|
||||
+ except errors.EncodingError:
|
||||
+ result = self._do_internal(algo, transport_cert, False,
|
||||
+ True, *args, **options)
|
||||
if result is not None:
|
||||
return result
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,294 @@
|
||||
From 82eca6c0a994c4db8f85ea0d5c012cd4d80edefe Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Tue, 30 Jan 2024 11:17:27 +0200
|
||||
Subject: [PATCH] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
|
||||
|
||||
When authentication indicators were introduced in 2016, ipa-pwd-extop
|
||||
plugin gained ability to reject LDAP BIND when an LDAP client insists
|
||||
the authentication must use an OTP token. This is used by ipa-otpd to
|
||||
ensure Kerberos authentication using OTP method is done with at least
|
||||
two factors (the token and the password).
|
||||
|
||||
This enfrocement is only possible when an LDAP client sends the LDAP
|
||||
control. There are cases when LDAP clients cannot be configured to send
|
||||
a custom LDAP control during BIND operation. For these clients an LDAP
|
||||
BIND against an account that only has password and no valid token would
|
||||
succeed even if admins intend it to fail.
|
||||
|
||||
Ability to do LDAP BIND without a token was added to allow users to add
|
||||
their own OTP tokens securely. If administrators require full
|
||||
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
|
||||
sending the LDAP control to do so.
|
||||
|
||||
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
|
||||
prevent LDAP BIND with a password only if user is required to have OTP
|
||||
tokens. With this configuration enabled, it will be not possible for
|
||||
users to add OTP token if one is missing, thus ensuring no user can
|
||||
authenticate without OTP and admins will have to add initial OTP tokens
|
||||
to users explicitly.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/5169
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
API.txt | 2 +-
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 47 +++++++++++++------
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 +
|
||||
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 14 ++++++
|
||||
doc/api/config_mod.md | 2 +-
|
||||
ipaserver/plugins/config.py | 3 +-
|
||||
ipatests/test_integration/test_otp.py | 46 ++++++++++++++++++
|
||||
7 files changed, 98 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/API.txt b/API.txt
|
||||
index 7d91077fc340ababee5c9a4b8a695290728b9135..5ed1f5327d9154bf2b301a781b723213c7677ed9 100644
|
||||
--- a/API.txt
|
||||
+++ b/API.txt
|
||||
@@ -1082,7 +1082,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
|
||||
option: Str('ca_renewal_master_server?', autofill=False)
|
||||
option: Str('delattr*', cli_name='delattr')
|
||||
option: Flag('enable_sid?', autofill=True, default=False)
|
||||
-option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'])
|
||||
+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP'])
|
||||
option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
|
||||
option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
|
||||
option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup')
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
index d30764bb2a05c7ca4a33ea114a2dc19af39e216f..1355f20d3ab990c81b5b41875d659a9bc9f97085 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
||||
@@ -83,6 +83,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
|
||||
char *tmpstr;
|
||||
int ret;
|
||||
size_t i;
|
||||
+ bool fips_enabled = false;
|
||||
|
||||
config = calloc(1, sizeof(struct ipapwd_krbcfg));
|
||||
if (!config) {
|
||||
@@ -241,28 +242,35 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
|
||||
config->allow_nt_hash = false;
|
||||
if (ipapwd_fips_enabled()) {
|
||||
LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
|
||||
+ fips_enabled = true;
|
||||
+ }
|
||||
+
|
||||
+ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
|
||||
+ ret = ipapwd_getEntry(sdn, &config_entry, NULL);
|
||||
+ slapi_sdn_free(&sdn);
|
||||
+ if (ret != LDAP_SUCCESS) {
|
||||
+ LOG_FATAL("No config Entry?\n");
|
||||
+ goto free_and_error;
|
||||
} else {
|
||||
- sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
|
||||
- ret = ipapwd_getEntry(sdn, &config_entry, NULL);
|
||||
- slapi_sdn_free(&sdn);
|
||||
- if (ret != LDAP_SUCCESS) {
|
||||
- LOG_FATAL("No config Entry?\n");
|
||||
- goto free_and_error;
|
||||
- } else {
|
||||
- tmparray = slapi_entry_attr_get_charray(config_entry,
|
||||
- "ipaConfigString");
|
||||
- for (i = 0; tmparray && tmparray[i]; i++) {
|
||||
+ tmparray = slapi_entry_attr_get_charray(config_entry,
|
||||
+ "ipaConfigString");
|
||||
+ for (i = 0; tmparray && tmparray[i]; i++) {
|
||||
+ if (strcasecmp(tmparray[i], "EnforceLDAPOTP") == 0) {
|
||||
+ config->enforce_ldap_otp = true;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (!fips_enabled) {
|
||||
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
|
||||
config->allow_nt_hash = true;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
- if (tmparray) slapi_ch_array_free(tmparray);
|
||||
}
|
||||
-
|
||||
- slapi_entry_free(config_entry);
|
||||
+ if (tmparray) slapi_ch_array_free(tmparray);
|
||||
}
|
||||
|
||||
+ slapi_entry_free(config_entry);
|
||||
+
|
||||
return config;
|
||||
|
||||
free_and_error:
|
||||
@@ -571,6 +579,13 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
}
|
||||
|
||||
+ /* do not return the master key if asked */
|
||||
+ if (check_flags & IPAPWD_CHECK_ONLY_CONFIG) {
|
||||
+ free((*config)->kmkey->contents);
|
||||
+ free((*config)->kmkey);
|
||||
+ (*config)->kmkey = NULL;
|
||||
+ }
|
||||
+
|
||||
done:
|
||||
return rc;
|
||||
}
|
||||
@@ -1103,8 +1118,10 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
|
||||
|
||||
krb5_free_default_realm(c->krbctx, c->realm);
|
||||
krb5_free_context(c->krbctx);
|
||||
- free(c->kmkey->contents);
|
||||
- free(c->kmkey);
|
||||
+ if (c->kmkey) {
|
||||
+ free(c->kmkey->contents);
|
||||
+ free(c->kmkey);
|
||||
+ }
|
||||
free(c->supp_encsalts);
|
||||
free(c->pref_encsalts);
|
||||
slapi_ch_array_free(c->passsync_mgrs);
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
|
||||
index 79606a8c795d166590c4655f9021aa414c3684d9..97697000674d8fbbe3a924af63261482db173852 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
|
||||
@@ -70,6 +70,7 @@
|
||||
|
||||
#define IPAPWD_CHECK_CONN_SECURE 0x00000001
|
||||
#define IPAPWD_CHECK_DN 0x00000002
|
||||
+#define IPAPWD_CHECK_ONLY_CONFIG 0x00000004
|
||||
|
||||
#define IPA_CHANGETYPE_NORMAL 0
|
||||
#define IPA_CHANGETYPE_ADMIN 1
|
||||
@@ -109,6 +110,7 @@ struct ipapwd_krbcfg {
|
||||
char **passsync_mgrs;
|
||||
int num_passsync_mgrs;
|
||||
bool allow_nt_hash;
|
||||
+ bool enforce_ldap_otp;
|
||||
};
|
||||
|
||||
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 6898e6596e1cbbb2cc69ba592401619ce86899d8..69023515018d522651bccb984ddd8e9174c22f59 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1431,6 +1431,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
"krbPasswordExpiration", "krblastpwchange",
|
||||
NULL
|
||||
};
|
||||
+ struct ipapwd_krbcfg *krbcfg = NULL;
|
||||
struct berval *credentials = NULL;
|
||||
Slapi_Entry *entry = NULL;
|
||||
Slapi_DN *target_sdn = NULL;
|
||||
@@ -1505,6 +1506,18 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
/* Try to do OTP first. */
|
||||
syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID);
|
||||
otpreq = otpctrl_present(pb, OTP_REQUIRED_OID);
|
||||
+ if (!syncreq && !otpreq) {
|
||||
+ ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG);
|
||||
+ if (ret != 0) {
|
||||
+ LOG_FATAL("ipapwd_gen_checks failed!?\n");
|
||||
+ slapi_entry_free(entry);
|
||||
+ slapi_sdn_free(&sdn);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (krbcfg->enforce_ldap_otp) {
|
||||
+ otpreq = true;
|
||||
+ }
|
||||
+ }
|
||||
if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))
|
||||
goto invalid_creds;
|
||||
|
||||
@@ -1543,6 +1556,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
return 0;
|
||||
|
||||
invalid_creds:
|
||||
+ free_ipapwd_krbcfg(&krbcfg);
|
||||
slapi_entry_free(entry);
|
||||
slapi_sdn_free(&sdn);
|
||||
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
|
||||
diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md
|
||||
index c479a034416068c72c0d70deabb149acf8002e44..b3203c350605af5a386544c858a9a5f7f724342f 100644
|
||||
--- a/doc/api/config_mod.md
|
||||
+++ b/doc/api/config_mod.md
|
||||
@@ -27,7 +27,7 @@ No arguments.
|
||||
* ipauserobjectclasses : :ref:`Str<Str>`
|
||||
* ipapwdexpadvnotify : :ref:`Int<Int>`
|
||||
* ipaconfigstring : :ref:`StrEnum<StrEnum>`
|
||||
- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs')
|
||||
+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP')
|
||||
* ipaselinuxusermaporder : :ref:`Str<Str>`
|
||||
* ipaselinuxusermapdefault : :ref:`Str<Str>`
|
||||
* ipakrbauthzdata : :ref:`StrEnum<StrEnum>`
|
||||
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
|
||||
index eface545def441d1a6fe9bdb054ab62eaa6589d3..45bd0c108dc958e3e141055901ea3872bc30d511 100644
|
||||
--- a/ipaserver/plugins/config.py
|
||||
+++ b/ipaserver/plugins/config.py
|
||||
@@ -247,7 +247,8 @@ class config(LDAPObject):
|
||||
doc=_('Extra hashes to generate in password plug-in'),
|
||||
values=(u'AllowNThash',
|
||||
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
|
||||
- u'KDC:Disable Default Preauth for SPNs'),
|
||||
+ u'KDC:Disable Default Preauth for SPNs',
|
||||
+ u'EnforceLDAPOTP'),
|
||||
),
|
||||
Str('ipaselinuxusermaporder',
|
||||
label=_('SELinux user map order'),
|
||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||
index 8e2ea563f1190e39fab0cab2f54da1f382c29356..d2dfca4cbf8c60955e888b6f92bd88a2608bb265 100644
|
||||
--- a/ipatests/test_integration/test_otp.py
|
||||
+++ b/ipatests/test_integration/test_otp.py
|
||||
@@ -21,6 +21,9 @@ from ipaplatform.paths import paths
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipapython.dn import DN
|
||||
|
||||
+from ldap.controls.simple import BooleanControl
|
||||
+
|
||||
+from ipalib import errors
|
||||
|
||||
PASSWORD = "DummyPassword123"
|
||||
USER = "opttestuser"
|
||||
@@ -450,3 +453,46 @@ class TestOTPToken(IntegrationTest):
|
||||
assert "ipa-otpd" not in failed_services.stdout_text
|
||||
finally:
|
||||
del_otptoken(self.master, otpuid)
|
||||
+
|
||||
+ def test_totp_ldap(self):
|
||||
+ master = self.master
|
||||
+ basedn = master.domain.basedn
|
||||
+ USER1 = 'user-forced-otp'
|
||||
+ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}")
|
||||
+
|
||||
+ tasks.create_active_user(master, USER1, PASSWORD)
|
||||
+ tasks.kinit_admin(master)
|
||||
+ # Enforce use of OTP token for this user
|
||||
+ master.run_command(['ipa', 'user-mod', USER1,
|
||||
+ '--user-auth-type=otp'])
|
||||
+ try:
|
||||
+ conn = master.ldap_connect()
|
||||
+ # First, attempt authenticating with a password but without LDAP
|
||||
+ # control to enforce OTP presence and without server-side
|
||||
+ # enforcement of the OTP presence check.
|
||||
+ conn.simple_bind(binddn, f"{PASSWORD}")
|
||||
+ # Add an OTP token now
|
||||
+ otpuid, totp = add_otptoken(master, USER1, otptype="totp")
|
||||
+ # Next, enforce Password+OTP for a user with OTP token
|
||||
+ master.run_command(['ipa', 'config-mod', '--addattr',
|
||||
+ 'ipaconfigstring=EnforceLDAPOTP'])
|
||||
+ # Next, authenticate with Password+OTP and with the LDAP control
|
||||
+ # this operation should succeed
|
||||
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
|
||||
+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}",
|
||||
+ client_controls=[
|
||||
+ BooleanControl(
|
||||
+ controlType="2.16.840.1.113730.3.8.10.7",
|
||||
+ booleanValue=True)])
|
||||
+ # Remove token
|
||||
+ del_otptoken(self.master, otpuid)
|
||||
+ # Now, try to authenticate without otp and without control
|
||||
+ # this operation should fail
|
||||
+ try:
|
||||
+ conn.simple_bind(binddn, f"{PASSWORD}")
|
||||
+ except errors.ACIError:
|
||||
+ pass
|
||||
+ master.run_command(['ipa', 'config-mod', '--delattr',
|
||||
+ 'ipaconfigstring=EnforceLDAPOTP'])
|
||||
+ finally:
|
||||
+ master.run_command(['ipa', 'user-del', USER1])
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,63 @@
|
||||
From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Sat, 2 Mar 2024 09:31:46 +0200
|
||||
Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind
|
||||
with OTP
|
||||
|
||||
In case there is a successful OTP authentication attempt, register it as
|
||||
an operation note on the BIND operation in LDAP. 389-ds then will print
|
||||
a multi-factor authentication note in both access and security logs
|
||||
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/5169
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++
|
||||
server.m4 | 8 ++++++++
|
||||
2 files changed, 18 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
/* Attempt to write out kerberos keys for the user. */
|
||||
ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
|
||||
|
||||
+#ifdef USE_OP_NOTE_MFA_AUTH
|
||||
+ /* If it was a successful authentication with OTP required, mark it
|
||||
+ * for access log to notice multi-factor authentication has happened
|
||||
+ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
|
||||
+ */
|
||||
+ if (!syncreq && otpreq) {
|
||||
+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
slapi_entry_free(entry);
|
||||
slapi_sdn_free(&sdn);
|
||||
return 0;
|
||||
diff --git a/server.m4 b/server.m4
|
||||
index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644
|
||||
--- a/server.m4
|
||||
+++ b/server.m4
|
||||
@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0])
|
||||
# slapi-plugin.h includes nspr.h
|
||||
DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS"
|
||||
|
||||
+bck_cflags="$CFLAGS"
|
||||
+CFLAGS="$CFLAGS $DIRSRV_CFLAGS"
|
||||
+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [
|
||||
+ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1,
|
||||
+ [Use LDAP operation note for multi-factor LDAP BIND])],
|
||||
+ [], [[#include <dirsrv/slapi-plugin.h>]])
|
||||
+CFLAGS="$bck_cflags"
|
||||
+
|
||||
dnl -- sss_idmap is needed by the extdom exop --
|
||||
PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
|
||||
PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2])
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,42 @@
|
||||
From db804280eff7ab7dea50c797c3c951ae790af2e2 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 14 Mar 2024 12:19:12 +0200
|
||||
Subject: [PATCH] ipa-pwd-extop: declare operation notes support from 389-ds
|
||||
locally
|
||||
|
||||
The function slapi_pblock_set_flag_operation_notes(); is defined in
|
||||
ldap/servers/slapd/pblock.c in 389-ds but is only available through
|
||||
slapi-private.h header, not through slapi-plugin.h public API.
|
||||
|
||||
It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
|
||||
|
||||
Since we only use it with an MFA note, all versions of the 389-ds that
|
||||
will support MFA note will have this function.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9554
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 43a7f54778382edd66da8f18c20de443ed98ab3d..cc170fc4b81f8ecad88f4ff4401b5651c43aaf55 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1414,6 +1414,11 @@ done:
|
||||
}
|
||||
|
||||
|
||||
+#ifdef USE_OP_NOTE_MFA_AUTH
|
||||
+/* defined in ldap/servers/slapd/pblock.c in 389-ds but not exposed via slapi-plugin.h */
|
||||
+extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
|
||||
+#endif
|
||||
+
|
||||
/* PRE BIND Operation
|
||||
*
|
||||
* Used for:
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,53 @@
|
||||
From e95201fe2f816fc5cc795793782ea71642994a94 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 11 Mar 2024 11:48:01 +0200
|
||||
Subject: [PATCH] dcerpc: invalidate forest trust info cache when filtering out
|
||||
realm domains
|
||||
|
||||
When get_realmdomains() method is called, it will filter out subdomains
|
||||
of the IPA primary domain. This is required because Active Directory
|
||||
domain controllers are assuming subdomains already covered by the main
|
||||
domain namespace.
|
||||
|
||||
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
|
||||
method of validating the forest trust information. They are the same as
|
||||
rules in [MS-ADTS] section 6.1.6. Specifically,
|
||||
|
||||
- A top-level name must not be superior to an enabled top-level name
|
||||
for another trusted domain object, unless the current trusted domain
|
||||
object has a corresponding exclusion record.
|
||||
|
||||
In practice, we filtered those subdomains already but the code wasn't
|
||||
invalidating a previously retrieved forest trust information.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9551
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/dcerpc.py | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273be566baf 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
|
||||
|
||||
info.count = len(ftinfo_records)
|
||||
info.entries = ftinfo_records
|
||||
+ another_domain.ftinfo_data = info
|
||||
return info
|
||||
|
||||
def clear_ftinfo_conflict(self, another_domain, cinfo):
|
||||
@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
|
||||
return
|
||||
|
||||
self.local_domain.ftinfo_records = []
|
||||
+ self.local_domain.ftinfo_data = None
|
||||
|
||||
realm_domains = self.api.Command.realmdomains_show()['result']
|
||||
# Use realmdomains' modification timestamp
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,68 @@
|
||||
From a1aa66dc59b55fef641dcf0539de0d3602f6a8a0 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Wed, 20 Mar 2024 14:29:46 +0530
|
||||
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
|
||||
testcases.
|
||||
|
||||
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
|
||||
which causes error in STIG mode.
|
||||
|
||||
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
|
||||
Incorrect password/PIN entered.
|
||||
|
||||
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 7323b073273bd95d7b62d19fd5afe03edb2a21da..7e8f7da3664a88f927ff80ae222780156676c40b 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -2766,17 +2766,18 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
|
||||
Fixture to remove Server cert and revert the change.
|
||||
"""
|
||||
instance = realm_to_serverid(self.master.domain.realm)
|
||||
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
self.master.run_command(
|
||||
[
|
||||
"certutil",
|
||||
"-L",
|
||||
"-d",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
||||
+ instance_dir,
|
||||
"-n",
|
||||
"Server-Cert",
|
||||
"-a",
|
||||
"-o",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ instance_dir
|
||||
+ "/Server-Cert.pem",
|
||||
]
|
||||
)
|
||||
@@ -2795,15 +2796,15 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest):
|
||||
[
|
||||
"certutil",
|
||||
"-d",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
||||
+ instance_dir,
|
||||
"-A",
|
||||
"-i",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ instance_dir
|
||||
+ "/Server-Cert.pem",
|
||||
"-t",
|
||||
"u,u,u",
|
||||
"-f",
|
||||
- paths.IPA_NSSDB_PWDFILE_TXT,
|
||||
+ "%s/pwdfile.txt" % instance_dir,
|
||||
"-n",
|
||||
"Server-Cert",
|
||||
]
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmR+6S4ACgkQaYdvcqbi
|
||||
008kvQ/9HuW6rWRJPY9/bqfaaeTKAT9JPCdq6jwDj7rSxpzJRE2r8vuwL3XxvXEa
|
||||
8qW3qwx4qcBV3hrOPX3annilCgfyUN0ayF72rfDxGmVzTifooEVd0mmaDJOd9JHy
|
||||
wLVYbImvsitC59luFF/XTIx5Xgo8Msu7BtAC5Tf5+mws0/i6ZxmyufYBPEmydgVM
|
||||
jdpVSZfq4hd4HwfYH0Ej5c8sWfv2OTTENyBWn5x9LiWvC6rJi42u7ubcnWoCi6If
|
||||
kXzJCRf7JTDzDvmMDVZMoTJCQa0EwlST7Yr9V7rLJViUGDwqxVO7VoeQi2WoV5PN
|
||||
zDSoLoCVEgLdDt0EAYRlBxPzoe65kNBdGFhC3eT0uIO676NZuTMVEXaRtId1wfnU
|
||||
o52xx3r5OPvRrjRLhKsAsMSiqX0Cr/wgH1L8QuSpriM1gMO6jZTkFpGtjD1XEvWd
|
||||
VsiSVqR0y+E8U3bkLOTHvByPvWk9QlmN0e6WDyV0FvGPaPlD2VCGNLqraldeEKvr
|
||||
wQxVvMWMqX+CKs2ZWYlzfgzFd0ZlUfsYhTcDaliJIh5Tcn5Ow+CSX/vWMXS6Msyh
|
||||
80fS5k7NswIsa3bA0QSoFpAcSkNxxovKyIWpXamL/MgX/nqZqJE74aUtchANl9jd
|
||||
j5yAU2s4eUuvbTMQkQjEJHl97a/jjGCGKnCunF/RO3WLaGdi9Dk=
|
||||
=Bq0h
|
||||
-----END PGP SIGNATURE-----
|
16
SOURCES/freeipa-4.11.0.tar.gz.asc
Normal file
16
SOURCES/freeipa-4.11.0.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmUcDfoACgkQaYdvcqbi
|
||||
00+tSA/8DjMUZ1P21qxTpPzybT6tx54X1wzAK+mSB+pC2gSLcv932lVERUvNmTC6
|
||||
vXtTiI2xWlkcw0VQdtmN0ncdPYuFsC9EeClnWXSH3ayDXP/EguF9uWZDO6zsK4yP
|
||||
pLVgJKvCX1O5EUN+l9pKtPAnyphSEkcd5rWqzEmfQV6+mILdVS3W8BVOuq8oY4xq
|
||||
J/1HmbV6b78rrsH9CW9TjFVKlNsOYKTS2dDCYSbidjE69hsvdS8yD8eH9WgVPR2z
|
||||
X2zidVLIRv7D9Ayy59+rfEfuehhG2FD4lL54DWqUqlw87prN7a1aH7jgs6o+1XCK
|
||||
2pBDcC6oac+mtCTAGNaMnormzbR55RLgYKpwoyv/OvspuRzsHDfgQy91+YvIBqFV
|
||||
EW0oB5TG4GeDn3jUPPyehtpRm+TUTeCQiBTcbeksEYDol4xxePKqIC3X313zm/fc
|
||||
IKYQ2XwZTyrxGOtVmvAncHzwkyVgyDA6aJNApxsu0EdcpFBm/qhuAeadxrLR1v4+
|
||||
j90yAaUlKduviX5XE1XGCHqvwHXttLmB1npxPmzSPe6MYlmzXRcen8SFPK/dquyC
|
||||
Vi+CykIR1jelqBvHObIbU4Q8ss0irQhSbHGpHxkup1cmO2b/YILzVrOkE3TIUbps
|
||||
g1zb4lryzWkXU1q8qPHsS3Fh1HEfuZCWk6Eg6xmmhxENdAsTCeo=
|
||||
=iHBW
|
||||
-----END PGP SIGNATURE-----
|
@ -87,8 +87,8 @@
|
||||
%global httpd_version 2.4.37-21
|
||||
%global bind_version 9.11.20-6
|
||||
|
||||
# Fix for https://github.com/SSSD/sssd/issues/6331
|
||||
%global sssd_version 2.8.0
|
||||
# support for passkey
|
||||
%global sssd_version 2.9.0
|
||||
|
||||
%else
|
||||
# Fedora
|
||||
@ -148,8 +148,8 @@
|
||||
# F35+, adds IdP integration
|
||||
%global sssd_version 2.7.0
|
||||
%else
|
||||
# Fix for https://github.com/SSSD/sssd/issues/6331
|
||||
%global sssd_version 2.8.0
|
||||
# Support for passkey
|
||||
%global sssd_version 2.9.0
|
||||
%endif
|
||||
|
||||
# Fedora
|
||||
@ -210,7 +210,7 @@
|
||||
|
||||
# Work-around fact that RPM SPEC parser does not accept
|
||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||
%define IPA_VERSION 4.10.2
|
||||
%define IPA_VERSION 4.11.0
|
||||
# Release candidate version -- uncomment with one percent for RC versions
|
||||
#%%global rc_version %%nil
|
||||
%define AT_SIGN @
|
||||
@ -223,7 +223,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 8%{?rc_version:.%rc_version}%{?dist}.alma.1
|
||||
Release: 10%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPL-3.0-or-later
|
||||
@ -247,70 +247,73 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||
%endif
|
||||
%if 0%{?rhel} == 9
|
||||
Patch0001: 0001-webuitests-close-notification-which-hides-Add-button.patch
|
||||
Patch0002: 0002-ipatests-Check-that-SSSD_PUBCONF_KRB5_INCLUDE_D_DIR-.patch
|
||||
Patch0003: 0003-Revert-Use-the-OpenSSL-certificate-parser-in-cert-fi.patch
|
||||
Patch0004: 0004-Revert-cert_find-fix-call-with-all.patch
|
||||
Patch0005: 0005-Use-the-python-cryptography-parser-directly-in-cert-.patch
|
||||
Patch0006: 0006-Upgrade-add-PKI-drop-in-file-if-missing.patch
|
||||
Patch0007: 0007-Integration-test-add-a-test-for-upgrade-and-PKI-drop.patch
|
||||
Patch0008: 0008-Uninstaller-uninstall-PKI-before-shutting-down-servi.patch
|
||||
Patch0009: 0009-Detection-of-PKI-subsystem.patch
|
||||
Patch0010: 0010-Upgrade-fix-replica-agreement.patch
|
||||
Patch0011: 0011-Integration-tests-add-a-test-to-ipa-server-upgrade.patch
|
||||
Patch0012: 0012-tests-fix-backup-restore-scenario-with-replica.patch
|
||||
Patch0013: 0013-OTP-fix-data-type-to-avoid-endianness-issue.patch
|
||||
Patch0014: 0014-ipatests-enable-firewall-rule-for-http-service-on-ac.patch
|
||||
Patch0015: 0015-User-plugin-improve-error-related-to-non-existing-id.patch
|
||||
Patch0016: 0016-xmlrpc-tests-add-a-test-for-user-plugin-with-non-exi.patch
|
||||
Patch0017: 0017-Fix-memory-leak-in-the-OTP-last-token-plugin.patch
|
||||
Patch0018: 0018-Prevent-the-admin-user-from-being-deleted.patch
|
||||
Patch0019: 0019-ipa-kdb-fix-error-handling-of-is_master_host.patch
|
||||
Patch0020: 0020-ipatests-update-expected-webui-msg-for-admin-deletio.patch
|
||||
Patch0021: 0021-ipatests-remove-fixture-call-and-wait-to-get-things-.patch
|
||||
Patch0022: 0022-ipatests-fix-test_topology.patch
|
||||
Patch0023: 0023-ipatests-idm-api-related-tests.patch
|
||||
Patch0024: 0024-ipatests-fixture-can-produce-IndexError.patch
|
||||
Patch0025: 0025-Installer-activate-nss-and-pam-services-in-sssd.conf.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://github.com/freeipa/freeipa/commit/363fd5de98e883800ac08b2760e8c3150783e7e2
|
||||
Patch0026: 0026-Check-the-HTTP-Referer-header-on-all-requests.patch
|
||||
# https://github.com/freeipa/freeipa/commit/48ec350051ead9c17e58a91405b3ab6935347f1b
|
||||
Patch0027: 0027-Integration-tests-for-verifying-Referer-header-in-th.patch
|
||||
# https://github.com/freeipa/freeipa/commit/f123b01d81696c52e9a4008d46e549864e4a8069
|
||||
Patch0028: 0028-updates-add-ACIs-for-RBCD-self-management.patch
|
||||
# https://pagure.io/freeipa/c/2bbfd1454fc69c5975826d1a3f39b301d135abb5
|
||||
Patch0029: 0029-ipatests-restart-ipa-services-after-moving-date.patch
|
||||
# https://pagure.io/freeipa/c/9bc582a2d78fd3ff9e70fa927b87ab06dcb7c9ae
|
||||
Patch0030: 0030-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-in-healthcheck.patch
|
||||
# https://pagure.io/freeipa/c/96dd277ad960f57c36c38820a7b0542c97f9e67d
|
||||
Patch0031: 0031-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch
|
||||
# https://pagure.io/freeipa/c/3baa30ad3f6ee563089839a5ef56d5ac6eb43959
|
||||
Patch0032: 0032-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly.patch
|
||||
# https://pagure.io/freeipa/c/257b2b470b4e3f83a0cbc476d54dc74ddf2cf311
|
||||
Patch0033: 0033-ipatests-wait-for-replica-update-in-test_dns_locations.patch
|
||||
# https://pagure.io/freeipa/c/2e649b26d1d8ec988ec64477af73cd1f033731fd
|
||||
Patch0034: 0034-ipapython-Clean-up-krb5_error.patch
|
||||
# https://pagure.io/freeipa/c/59f010774d13ea6a0148235db2ff05a3f3c93c7b
|
||||
Patch0035: 0035-ipapython-Correct-return-type-of-krb5_free_cred_contents.patch
|
||||
# https://pagure.io/freeipa/c/e69d98add55f25641459fc1dfb973260e85f9b95
|
||||
Patch0036: 0036-ipapython-Propagate-KRB5Error-exceptions-on-iterating-ccache.patch
|
||||
# https://pagure.io/freeipa/c/e831416320fdc73a18fba7716209edec76681721
|
||||
Patch0037: 0037-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch
|
||||
# https://pagure.io/freeipa/c/d4008aece36569131b6e81192cc7d7dfa9f9af2b
|
||||
Patch0038: 0038-sidgen-ignore-staged-users-when-generating-SIDs.patch
|
||||
# https://pagure.io/freeipa/c/e6f96a9f2edd55ef335eb430b8dd8f6c9faf008f
|
||||
Patch0039: 0039-sidgen-fix-missing-prototypes.patch
|
||||
# https://pagure.io/freeipa/c/196d63109730666f547f99814a54a5b2cd72c80e
|
||||
Patch0040: 0040-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing.patch
|
||||
# https://pagure.io/freeipa/c/278c2cbb193496302f8c0abc4ce502ec83f47a12
|
||||
Patch0041: 0041-ipatests-fix-tasks.wait_for_replication-method.patch
|
||||
# https://pagure.io/freeipa/c/7b7f5c3f806e53ff883865c7b7f4d17453d63ce6
|
||||
Patch0042: 0042-ipa-kdb-Rework-ipadb_reinit_mspac.patch
|
||||
# https://pagure.io/freeipa/c/f1efe4490c1e33b81178ba887600a3a5826c11c2
|
||||
Patch0043: 0043-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
|
||||
|
||||
Patch0001: 0001-ipatests-fix-healthcheck-test-without-DNS.patch
|
||||
Patch0002: 0002-ipatests-fix-healthcheck-test-for-indent-option.patch
|
||||
Patch0003: 0003-ipatests-fix-test_ipactl_scenario_check.patch
|
||||
Patch0004: 0004-ipalib-fix-the-IPACertificate-validity-dates.patch
|
||||
Patch0005: 0005-Allow-password-policy-minlength-to-be-removed-like-o.patch
|
||||
Patch0006: 0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch
|
||||
Patch0007: 0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch
|
||||
Patch0008: 0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch
|
||||
Patch0009: 0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch
|
||||
Patch0010: 0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch
|
||||
Patch0011: 0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch
|
||||
Patch0012: 0012-group-add-member-fails-with-an-external-member.patch
|
||||
Patch0013: 0013-Handle-samba-changes-in-samba.security.dom_sid.patch
|
||||
Patch0014: 0014-test_install-restart-services-after-date-change.patch
|
||||
Patch0015: 0015-Issue-9497-Add-new-password-policy-logging-function.patch
|
||||
Patch0016: 0016-Issue-9497-Update-logging-in-ipa_enrollment.patch
|
||||
Patch0017: 0017-Issue-9497-update-debug-logging-in-ipa_graceperiod.patch
|
||||
Patch0018: 0018-Issue-9497-update-debug-logging-in-ipa_lockout.patch
|
||||
Patch0019: 0019-Issue-9497-update-debug-logging-in-ipa_modrdn.patch
|
||||
Patch0020: 0020-Issue-9497-update-debug-logging-in-ipa_otp_counter.patch
|
||||
Patch0021: 0021-Issue-9497-update-debug-logging-in-ipa_otp_lasttoken.patch
|
||||
Patch0022: 0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch
|
||||
Patch0023: 0023-Issue-9497-update-debug-logging-in-ipa_uuid.patch
|
||||
Patch0024: 0024-hbactest-was-not-collecting-or-returning-messages.patch
|
||||
Patch0025: 0025-ipatests-Verify-that-hbactest-will-return-messages.patch
|
||||
Patch0026: 0026-ipa-kdb-add-better-detection-of-allowed-user-auth-ty.patch
|
||||
Patch0027: 0027-ipa-kdb-when-applying-ticket-policy-do-not-deny-PKIN.patch
|
||||
Patch0028: 0028-ipa-kdb-clarify-user-auth-table-mapping-use-of-_AUTH.patch
|
||||
Patch0029: 0029-ipatests-make-sure-PKINIT-enrollment-works-with-a-st.patch
|
||||
Patch0030: 0030-Check-the-HTTP-Referer-header-on-all-requests.patch
|
||||
Patch0031: 0031-Integration-tests-for-verifying-Referer-header-in-th.patch
|
||||
Patch0032: 0032-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch
|
||||
Patch0033: 0033-ACME-Don-t-treat-pki-server-ca-config-show-failures-.patch
|
||||
Patch0034: 0034-Fix-ipa-client-automount-install-uninstall-with-new-.patch
|
||||
Patch0035: 0035-ipatests-Test-client-install-uninstall-with-automoun.patch
|
||||
Patch0036: 0036-ipa-client-automount-Don-t-use-deprecated-ipadiscove.patch
|
||||
Patch0037: 0037-Server-affinity-Retain-user-requested-remote-server.patch
|
||||
Patch0038: 0038-get_directive-don-t-error-out-on-substring-mismatch.patch
|
||||
Patch0039: 0039-host-update-System-Manage-Host-Keytab-permission.patch
|
||||
Patch0040: 0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch
|
||||
Patch0041: 0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch
|
||||
Patch0042: 0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch
|
||||
Patch0043: 0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch
|
||||
Patch0044: 0044-ipapython-Clean-up-krb5_error.patch
|
||||
Patch0045: 0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch
|
||||
Patch0046: 0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch
|
||||
Patch0047: 0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch
|
||||
Patch0048: 0048-sidgen-ignore-staged-users-when-generating-SIDs.patch
|
||||
Patch0049: 0049-sidgen-fix-missing-prototypes.patch
|
||||
Patch0050: 0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch
|
||||
Patch0051: 0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch
|
||||
Patch0052: 0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch
|
||||
Patch0053: 0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch
|
||||
Patch0054: 0054-ipatests-fix-tasks.wait_for_replication-method.patch
|
||||
Patch0055: 0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch
|
||||
Patch0056: 0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
|
||||
Patch0057: 0057-Vault-improve-vault-server-archival-retrieval-calls-.patch
|
||||
Patch0058: 0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
|
||||
Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
|
||||
Patch0060: 0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch
|
||||
Patch0061: 0061-validate_principal-Don-t-try-to-verify-that-the-real.patch
|
||||
Patch0062: 0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch
|
||||
Patch0063: 0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch
|
||||
Patch0064: 0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch
|
||||
Patch0065: 0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch
|
||||
Patch0066: 0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch
|
||||
Patch0067: 0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -620,12 +623,8 @@ Requires: python3-pyasn1 >= 0.3.2-2
|
||||
Requires: python3-sssdconfig >= %{sssd_version}
|
||||
Requires: python3-psutil
|
||||
Requires: rpm-libs
|
||||
# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
|
||||
%if 0%{?rhel}
|
||||
Requires: python3-urllib3 >= 1.24.2-3
|
||||
%else
|
||||
Requires: python3-urllib3 >= 1.25.7
|
||||
%endif
|
||||
# For urllib3.util.ssl_match_hostname
|
||||
Requires: python3-urllib3 >= 1.25.8
|
||||
|
||||
%description -n python3-ipaserver
|
||||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||||
@ -778,6 +777,9 @@ Recommends: libsss_sudo
|
||||
Recommends: sudo
|
||||
Requires: (libsss_sudo if sudo)
|
||||
|
||||
# Passkey support
|
||||
Recommends: sssd-passkey
|
||||
|
||||
Provides: %{alt_name}-client = %{version}
|
||||
Conflicts: %{alt_name}-client
|
||||
Obsoletes: %{alt_name}-client < %{version}
|
||||
@ -948,6 +950,8 @@ Requires: platform-python-setuptools
|
||||
%else
|
||||
Requires: python3-setuptools
|
||||
%endif
|
||||
# For urllib3.util.ssl_match_hostname
|
||||
Requires: python3-urllib3 >= 1.25.8
|
||||
|
||||
%description -n python3-ipalib
|
||||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||||
@ -1802,28 +1806,59 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Mar 15 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.2-8.alma.1
|
||||
- ipatests: restart ipa services after moving date
|
||||
- ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
|
||||
- ipatests: Skip ds_encryption tests on RHEL9 SUT.
|
||||
- adtrustinstance: make sure NetBIOS name defaults are set properly
|
||||
- ipatests: wait for replica update in test_dns_locations
|
||||
- ipapython: Clean up krb5_error
|
||||
- ipapython: Correct return type of krb5_free_cred_contents
|
||||
- ipapython: Propagate KRB5Error exceptions on iterating ccache
|
||||
- ipa-kdb: Fix memory leak during PAC verification
|
||||
- sidgen: ignore staged users when generating SIDs
|
||||
- sidgen: fix missing prototypes
|
||||
- kdb: PAC generator: do not fail if canonical principal is missing
|
||||
- ipatests: fix tasks.wait_for_replication method
|
||||
- ipa-kdb: Rework ipadb_reinit_mspac()
|
||||
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
|
||||
* Fri Mar 29 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-10
|
||||
- Resolves: RHEL-23377 Enforce OTP for ldap bind (in some scenarios)
|
||||
- Resolves: RHEL-29745 Unable to re-add broken AD trust - NT_STATUS_INVALID_PARAMETER
|
||||
- Resolves: RHEL-30905 Backport latest test fixes in ipa
|
||||
|
||||
* Thu Jan 11 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 4.10.2-5.alma.1
|
||||
- Resolves: Invalid CSRF protection (CVE-2023-5455)
|
||||
* Thu Mar 07 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-9
|
||||
- Resolves: RHEL-28258 vault fails on non-fips client if server is in FIPS mode
|
||||
- Resolves: RHEL-26154 ipa: freeipa: specially crafted HTTP requests potentially lead to DoS or data exposure
|
||||
|
||||
* Tue Nov 07 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.2-4.1.alma.1
|
||||
- updates: add ACIs for RBCD self-management
|
||||
* Tue Feb 20 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-8
|
||||
- Resolves: RHEL-12143 'ipa vault-add is failing with ipa: ERROR: an internal error has occurred in FIPS mode
|
||||
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available
|
||||
|
||||
* Fri Feb 16 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-7
|
||||
- Resolves: RHEL-25260 tier-1-upstream-dns-locations failed on RHEL8.8 gating
|
||||
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available
|
||||
- Resolves: RHEL-25815 Backport latest test fixes in python3-ipatests
|
||||
|
||||
* Fri Feb 09 2024 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-6
|
||||
- Resolves: RHEL-23627 IPA stops working if HTTP/... service principal was created before FreeIPA 4.4.0 and never modified
|
||||
- Resolves: RHEL-23625 sidgen plugin does not ignore staged users
|
||||
- Resolves: RHEL-23621 session cookie can't be read
|
||||
- Resolves: RHEL-22372 Gating-DL1 test failure in test_integration/test_dns_locations.py::TestDNSLocations::()::test_ipa_ca_records
|
||||
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
|
||||
- Resolves: RHEL-17996 Memory leak in IdM's KDC
|
||||
|
||||
* Thu Jan 18 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-5
|
||||
- Resolves: RHEL-12589 ipa: Invalid CSRF protection
|
||||
- Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit
|
||||
- Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca'
|
||||
- Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT
|
||||
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
|
||||
- Resolves: RHEL-21810 ipa-client-install --automount-location does not work
|
||||
- Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0
|
||||
- Resolves: RHEL-21812 Backport latest test fixes in ipa
|
||||
- Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa
|
||||
- Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing
|
||||
- Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor
|
||||
|
||||
* Fri Dec 1 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-4
|
||||
- Resolves: RHEL-16985 Handle samba 4.19 changes in samba.security.dom_sid()
|
||||
|
||||
* Mon Nov 20 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-3
|
||||
- Resolves: RHEL-14428 healthcheck reports nsslapd-accesslog-logbuffering is set to 'off'
|
||||
|
||||
* Mon Nov 6 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-2
|
||||
- Resolves: RHEL-14292 Backport latest test fixes in python3-ipatests
|
||||
- Resolves: RHEL-15443 Server install: failure to install with externally signed CA because of timezone issue
|
||||
- Resolves: RHEL-15444 Minimum length parameter in pwpolicy cannot be removed with empty string
|
||||
- Resolves: RHEL-14842 Upstream xmlrpc tests are failing in RHEL9.4
|
||||
|
||||
* Fri Oct 06 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-1
|
||||
- Resolves: RHEL-11652 Rebase ipa to latest 4.11.x version for RHEL 9.4
|
||||
|
||||
* Thu Aug 17 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.10.2-4
|
||||
- Resolves: rhbz#2231847 RHEL 8.8 & 9.2 fails to create AD trust with STIG applied
|
||||
|
Loading…
Reference in New Issue
Block a user