SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch

@@ -0,0 +1,392 @@
+From b039f3087a13de3f34b230dbe29a7cfb1965700d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Feb 23 2024 09:49:27 +0000
+Subject: rpcserver: validate Kerberos principal name before running kinit
+
+
+Do minimal validation of the Kerberos principal name when passing it to
+kinit command line tool. Also pass it as the final argument to prevent
+option injection.
+
+Accepted Kerberos principals are:
+ - user names, using the following regexp
+   (username with optional @realm, no spaces or slashes in the name):
+   "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
+
+ - service names (with slash in the name but no spaces). Validation of
+   the hostname is done. There is no validation of the service name.
+
+The regular expression above also covers cases where a principal name
+starts with '-'. This prevents option injection as well.
+
+This fixes CVE-2024-1481
+
+Fixes: https://pagure.io/freeipa/issue/9541
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+
+---
+
+diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
+index cc839ec..4ad4eaa 100644
+--- a/ipalib/install/kinit.py
++++ b/ipalib/install/kinit.py
+@@ -6,12 +6,16 @@ from __future__ import absolute_import
+ 
+ import logging
+ import os
++import re
+ import time
+ 
+ import gssapi
+ 
+ from ipaplatform.paths import paths
+ from ipapython.ipautil import run
++from ipalib.constants import PATTERN_GROUPUSER_NAME
++from ipalib.util import validate_hostname
++from ipalib import api
+ 
+ logger = logging.getLogger(__name__)
+ 
+@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068
+ # A service is not available that s required to process the request
+ KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941
+ 
++PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$'
++PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM
++PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + PATTERN_REALM
++
++user_pattern = re.compile(PATTERN_PRINCIPAL)
++service_pattern = re.compile(PATTERN_SERVICE)
++
++
++def validate_principal(principal):
++    if not isinstance(principal, str):
++        raise RuntimeError('Invalid principal: not a string')
++    if ('/' in principal) and (' ' in principal):
++        raise RuntimeError('Invalid principal: bad spacing')
++    else:
++        realm = None
++        match = user_pattern.match(principal)
++        if match is None:
++            match = service_pattern.match(principal)
++            if match is None:
++                raise RuntimeError('Invalid principal: cannot parse')
++            else:
++                # service = match[1]
++                hostname = match[2]
++                realm = match[3]
++                try:
++                    validate_hostname(hostname)
++                except ValueError as e:
++                    raise RuntimeError(str(e))
++        else:  # user match, validate realm
++            # username = match[1]
++            realm = match[2]
++        if realm and 'realm' in api.env and realm != api.env.realm:
++            raise RuntimeError('Invalid principal: realm mismatch')
++
+ 
+ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
+     """
+@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
+     The optional parameter 'attempts' specifies how many times the credential
+     initialization should be attempted in case of non-responsive KDC.
+     """
++    validate_principal(principal)
+     errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
+                        KRB5_KDC_UNREACH}
+     logger.debug("Initializing principal %s using keytab %s",
+@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
+ 
+         return None
+ 
++
+ def kinit_password(principal, password, ccache_name, config=None,
+                    armor_ccache_name=None, canonicalize=False,
+                    enterprise=False, lifetime=None):
+@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None,
+     web-based authentication, use armor_ccache_path to specify http service
+     ccache.
+     """
++    validate_principal(principal)
+     logger.debug("Initializing principal %s using password", principal)
+-    args = [paths.KINIT, principal, '-c', ccache_name]
++    args = [paths.KINIT, '-c', ccache_name]
+     if armor_ccache_name is not None:
+         logger.debug("Using armor ccache %s for FAST webauth",
+                      armor_ccache_name)
+@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None,
+         logger.debug("Using enterprise principal")
+         args.append('-E')
+ 
++    args.extend(['--', principal])
+     env = {'LC_ALL': 'C'}
+     if config is not None:
+         env['KRB5_CONFIG'] = config
+@@ -154,6 +196,7 @@ def kinit_pkinit(
+ 
+     :raises: CalledProcessError if PKINIT fails
+     """
++    validate_principal(principal)
+     logger.debug(
+         "Initializing principal %s using PKINIT %s", principal, user_identity
+     )
+@@ -168,7 +211,7 @@ def kinit_pkinit(
+             assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:"))
+             args.extend(["-X", f"X509_anchors={pkinit_anchor}"])
+     args.extend(["-X", f"X509_user_identity={user_identity}"])
+-    args.append(principal)
++    args.extend(['--', principal])
+ 
+     # this workaround enables us to capture stderr and put it
+     # into the raised exception in case of unsuccessful authentication
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 3555014..60bfa61 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1134,10 +1134,6 @@ class login_password(Backend, KerberosSession):
+                 canonicalize=True,
+                 lifetime=self.api.env.kinit_lifetime)
+ 
+-            if armor_path:
+-                logger.debug('Cleanup the armor ccache')
+-                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
+-                            env={'KRB5CCNAME': armor_path}, raiseonerr=False)
+         except RuntimeError as e:
+             if ('kinit: Cannot read password while '
+                     'getting initial credentials') in str(e):
+@@ -1155,6 +1151,11 @@ class login_password(Backend, KerberosSession):
+                 raise KrbPrincipalWrongFAST(principal=principal)
+             raise InvalidSessionPassword(principal=principal,
+                                          message=unicode(e))
++        finally:
++            if armor_path:
++                logger.debug('Cleanup the armor ccache')
++                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
++                            env={'KRB5CCNAME': armor_path}, raiseonerr=False)
+ 
+ 
+ class change_password(Backend, HTTP_Status):
+diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
+index 91be057..400a248 100644
+--- a/ipatests/prci_definitions/gating.yaml
++++ b/ipatests/prci_definitions/gating.yaml
+@@ -310,3 +310,15 @@ jobs:
+         template: *ci-ipa-4-9-latest
+         timeout: 3600
+         topology: *master_1repl_1client
++
++  fedora-latest-ipa-4-9/test_ipalib_install:
++    requires: [fedora-latest-ipa-4-9/build]
++    priority: 100
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-latest-ipa-4-9/build_url}'
++        test_suite: test_ipalib_install/test_kinit.py
++        template: *ci-ipa-4-9-latest
++        timeout: 600
++        topology: *master_1repl
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+index b2ab765..7c03a48 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+@@ -1801,3 +1801,15 @@ jobs:
+         template: *ci-ipa-4-9-latest
+         timeout: 5000
+         topology: *master_2repl_1client
++
++  fedora-latest-ipa-4-9/test_ipalib_install:
++    requires: [fedora-latest-ipa-4-9/build]
++    priority: 50
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-latest-ipa-4-9/build_url}'
++        test_suite: test_ipalib_install/test_kinit.py
++        template: *ci-ipa-4-9-latest
++        timeout: 600
++        topology: *master_1repl
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+index b7b3d3b..802bd2a 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+@@ -1944,3 +1944,16 @@ jobs:
+         template: *ci-ipa-4-9-latest
+         timeout: 5000
+         topology: *master_2repl_1client
++
++  fedora-latest-ipa-4-9/test_ipalib_install:
++    requires: [fedora-latest-ipa-4-9/build]
++    priority: 50
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-latest-ipa-4-9/build_url}'
++        selinux_enforcing: True
++        test_suite: test_ipalib_install/test_kinit.py
++        template: *ci-ipa-4-9-latest
++        timeout: 600
++        topology: *master_1repl
+diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+index eb3849e..1e1adb8 100644
+--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
++++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+@@ -1801,3 +1801,15 @@ jobs:
+         template: *ci-ipa-4-9-previous
+         timeout: 5000
+         topology: *master_2repl_1client
++
++  fedora-previous-ipa-4-9/test_ipalib_install:
++    requires: [fedora-previous-ipa-4-9/build]
++    priority: 50
++    job:
++      class: RunPytest
++      args:
++        build_url: '{fedora-previous-ipa-4-9/build_url}'
++        test_suite: test_ipalib_install/test_kinit.py
++        template: *ci-ipa-4-9-previous
++        timeout: 600
++        topology: *master_1repl
+diff --git a/ipatests/setup.py b/ipatests/setup.py
+index 6217a1b..0aec4a7 100644
+--- a/ipatests/setup.py
++++ b/ipatests/setup.py
+@@ -41,6 +41,7 @@ if __name__ == '__main__':
+             "ipatests.test_integration",
+             "ipatests.test_ipaclient",
+             "ipatests.test_ipalib",
++            "ipatests.test_ipalib_install",
+             "ipatests.test_ipaplatform",
+             "ipatests.test_ipapython",
+             "ipatests.test_ipaserver",
+diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py
+new file mode 100644
+index 0000000..e69de29
+--- /dev/null
++++ b/ipatests/test_ipalib_install/__init__.py
+diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
+new file mode 100644
+index 0000000..f89ea17
+--- /dev/null
++++ b/ipatests/test_ipalib_install/test_kinit.py
+@@ -0,0 +1,29 @@
++#
++# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
++#
++"""Tests for ipalib.install.kinit module
++"""
++
++import pytest
++
++from ipalib.install.kinit import validate_principal
++
++
++# None means no exception is expected
++@pytest.mark.parametrize('principal, exception', [
++    ('testuser', None),
++    ('testuser@EXAMPLE.TEST', None),
++    ('test/ipa.example.test', None),
++    ('test/ipa.example.test@EXAMPLE.TEST', None),
++    ('test/ipa@EXAMPLE.TEST', RuntimeError),
++    ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
++    ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
++    ('test /ipa.example,test', RuntimeError),
++    ('testuser@OTHER.TEST', RuntimeError),
++    ('test/ipa.example.test@OTHER.TEST', RuntimeError),
++])
++def test_validate_principal(principal, exception):
++    try:
++        validate_principal(principal)
++    except Exception as e:
++        assert e.__class__ == exception
+
+From 96a478bbedd49c31e0f078f00f2d1cb55bb952fd Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Feb 23 2024 09:49:27 +0000
+Subject: validate_principal: Don't try to verify that the realm is known
+
+
+The actual value is less important than whether it matches the
+regular expression. A number of legal but difficult to know in
+context realms could be passed in here (trust for example).
+
+This fixes CVE-2024-1481
+
+Fixes: https://pagure.io/freeipa/issue/9541
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+
+---
+
+diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
+index 4ad4eaa..d5fb56b 100644
+--- a/ipalib/install/kinit.py
++++ b/ipalib/install/kinit.py
+@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
+ from ipapython.ipautil import run
+ from ipalib.constants import PATTERN_GROUPUSER_NAME
+ from ipalib.util import validate_hostname
+-from ipalib import api
+ 
+ logger = logging.getLogger(__name__)
+ 
+@@ -39,7 +38,9 @@ def validate_principal(principal):
+     if ('/' in principal) and (' ' in principal):
+         raise RuntimeError('Invalid principal: bad spacing')
+     else:
+-        realm = None
++        # For a user match in the regex
++        # username = match[1]
++        # realm = match[2]
+         match = user_pattern.match(principal)
+         if match is None:
+             match = service_pattern.match(principal)
+@@ -48,16 +49,11 @@ def validate_principal(principal):
+             else:
+                 # service = match[1]
+                 hostname = match[2]
+-                realm = match[3]
++                # realm = match[3]
+                 try:
+                     validate_hostname(hostname)
+                 except ValueError as e:
+                     raise RuntimeError(str(e))
+-        else:  # user match, validate realm
+-            # username = match[1]
+-            realm = match[2]
+-        if realm and 'realm' in api.env and realm != api.env.realm:
+-            raise RuntimeError('Invalid principal: realm mismatch')
+ 
+ 
+ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
+diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
+index f89ea17..8289c4b 100644
+--- a/ipatests/test_ipalib_install/test_kinit.py
++++ b/ipatests/test_ipalib_install/test_kinit.py
+@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
+     ('test/ipa.example.test@EXAMPLE.TEST', None),
+     ('test/ipa@EXAMPLE.TEST', RuntimeError),
+     ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
+-    ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
++    ('test/ipa.1example.test@EXAMPLE.TEST', None),
+     ('test /ipa.example,test', RuntimeError),
+-    ('testuser@OTHER.TEST', RuntimeError),
+-    ('test/ipa.example.test@OTHER.TEST', RuntimeError),
++    ('testuser@OTHER.TEST', None),
++    ('test/ipa.example.test@OTHER.TEST', None)
+ ])
+ def test_validate_principal(principal, exception):
+     try:
+         validate_principal(principal)
+     except Exception as e:
+         assert e.__class__ == exception
++    else:
++        if exception is not None:
++            raise RuntimeError('Test should have failed')
+

SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch

@@ -0,0 +1,43 @@
+From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mar 06 2024 08:34:57 +0000
+Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
+
+
+There is a fallback when creating the wrapping key but one was missing
+when trying to use the cached transport_cert.
+
+This allows, along with forcing keyWrap.useOAEP=true, vault creation
+on an nCipher HSM.
+
+This can be seen in HSMs where the device doesn't support the
+PKCS#1 v1.5 mechanism. It will error out with either "invalid
+algorithm" or CKR_FUNCTION_FAILED.
+
+Related: https://pagure.io/freeipa/issue/9191
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+
+---
+
+diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
+index ed16c73..1523187 100644
+--- a/ipaclient/plugins/vault.py
++++ b/ipaclient/plugins/vault.py
+@@ -757,8 +757,12 @@ class ModVaultData(Local):
+         Calls the internal counterpart of the command.
+         """
+         # try call with cached transport certificate
+-        result = self._do_internal(algo, transport_cert, False,
+-                                   False, *args, **options)
++        try:
++            result = self._do_internal(algo, transport_cert, False,
++                                       False, *args, **options)
++        except errors.EncodingError:
++            result = self._do_internal(algo, transport_cert, False,
++                                       True, *args, **options)
+         if result is not None:
+             return result
+ 
+

SOURCES/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch

@@ -0,0 +1,50 @@
+From 656a11ae961f8d1afad54567cfe8ccb53e084a67 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mar 20 2024 10:06:07 +0000
+Subject: dcerpc: invalidate forest trust info cache when filtering out realm domains
+
+
+When get_realmdomains() method is called, it will filter out subdomains
+of the IPA primary domain. This is required because Active Directory
+domain controllers are assuming subdomains already covered by the main
+domain namespace.
+
+[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
+method of validating the forest trust information. They are the same as
+rules in [MS-ADTS] section 6.1.6. Specifically,
+
+  - A top-level name must not be superior to an enabled top-level name
+    for another trusted domain object, unless the current trusted domain
+    object has a corresponding exclusion record.
+
+In practice, we filtered those subdomains already but the code wasn't
+invalidating a previously retrieved forest trust information.
+
+Fixes: https://pagure.io/freeipa/issue/9551
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+
+---
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index b6139db..7ee553d 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
+ 
+         info.count = len(ftinfo_records)
+         info.entries = ftinfo_records
++        another_domain.ftinfo_data = info
+         return info
+ 
+     def clear_ftinfo_conflict(self, another_domain, cinfo):
+@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
+             return
+ 
+         self.local_domain.ftinfo_records = []
++        self.local_domain.ftinfo_data = None
+ 
+         realm_domains = self.api.Command.realmdomains_show()['result']
+         # Use realmdomains' modification timestamp
+

SOURCES/0026-backport-test-fixes_rhel#29908.patch

@@ -0,0 +1,335 @@
+From 3bba254ccdcf9b62fdd8a6d71baecf37c97c300c Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 3 Apr 2023 08:37:28 +0200
+Subject: [PATCH] ipatests: mark known failures for autoprivategroup
+
+Two tests have known issues in test_trust.py with sssd 2.8.2+:
+- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
+(when called with the "hybrid" parameter)
+- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
+(when called with the "true" parameter)
+
+Related: https://pagure.io/freeipa/issue/9295
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipatests/test_integration/test_trust.py | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 0d5b71cb0..12f000c1a 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -1154,11 +1154,15 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+                                      self.gid_override
+                                      ):
+             self.mod_idrange_auto_private_group(type)
+-            (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
+-            assert (uid == self.uid_override and gid == self.gid_override)
++            sssd_version = tasks.get_sssd_version(self.clients[0])
++            bad_version = sssd_version >= tasks.parse_version("2.8.2")
++            cond = (type == 'hybrid') and bad_version
++            with xfail_context(condition=cond,
++                               reason="https://pagure.io/freeipa/issue/9295"):
++                (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
++                assert (uid == self.uid_override and gid == self.gid_override)
+             test_group = self.clients[0].run_command(
+                 ["id", nonposixuser]).stdout_text
+-            # version = tasks.get_sssd_version(self.clients[0])
+             with xfail_context(type == "hybrid",
+                                'https://github.com/SSSD/sssd/issues/5989'):
+                 assert "domain users@{0}".format(self.ad_domain) in test_group
+@@ -1232,8 +1236,11 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
+         posixuser = "testuser1@%s" % self.ad_domain
+         self.mod_idrange_auto_private_group(type)
+         if type == "true":
+-            (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+-            assert uid == gid
++            sssd_version = tasks.get_sssd_version(self.clients[0])
++            with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
++                 "https://pagure.io/freeipa/issue/9295"):
++                (uid, gid) = self.get_user_id(self.clients[0], posixuser)
++                assert uid == gid
+         else:
+             for host in [self.master, self.clients[0]]:
+                 result = host.run_command(['id', posixuser], raiseonerr=False)
+-- 
+2.44.0
+
+From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Feb 12 2024 10:43:39 +0000
+Subject: ipatests: add xfail for autoprivate group test with override
+
+
+Because of SSSD issue 7169, secondary groups are not
+retrieved when autoprivate group is set and an idoverride
+replaces the user's primary group.
+Mark the known issues as xfail.
+
+Related: https://github.com/SSSD/sssd/issues/7169
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 3b9f0fb..2b94514 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+                 assert (uid == self.uid_override and gid == self.gid_override)
+             test_group = self.clients[0].run_command(
+                 ["id", nonposixuser]).stdout_text
+-            with xfail_context(type == "hybrid",
+-                               'https://github.com/SSSD/sssd/issues/5989'):
++            cond2 = ((type == 'false'
++                      and sssd_version >= tasks.parse_version("2.9.4"))
++                     or type == 'hybrid')
++            with xfail_context(cond2,
++                               'https://github.com/SSSD/sssd/issues/5989 '
++                               'and 7169'):
+                 assert "domain users@{0}".format(self.ad_domain) in test_group
+ 
+     @pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
+@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
+             assert(uid == self.uid_override
+                    and gid == self.gid_override)
+             result = self.clients[0].run_command(['id', posixuser])
+-            assert "10047(testgroup@{0})".format(
+-                self.ad_domain) in result.stdout_text
++            sssd_version = tasks.get_sssd_version(self.clients[0])
++            bad_version = sssd_version >= tasks.parse_version("2.9.4")
++            with xfail_context(bad_version and type in ('false', 'hybrid'),
++                 "https://github.com/SSSD/sssd/issues/7169"):
++                assert "10047(testgroup@{0})".format(
++                    self.ad_domain) in result.stdout_text
+
+From d5392300d77170ea3202ee80690ada8bf81b60b5 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Feb 12 2024 10:44:47 +0000
+Subject: ipatests: remove xfail thanks to sssd 2.9.4
+
+
+SSSD 2.9.4 fixes some issues related to auto-private-group
+
+Related: https://pagure.io/freeipa/issue/9295
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 12f000c..3b9f0fb 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
+                                      ):
+             self.mod_idrange_auto_private_group(type)
+             sssd_version = tasks.get_sssd_version(self.clients[0])
+-            bad_version = sssd_version >= tasks.parse_version("2.8.2")
++            bad_version = (tasks.parse_version("2.8.2") <= sssd_version
++                           < tasks.parse_version("2.9.4"))
+             cond = (type == 'hybrid') and bad_version
+             with xfail_context(condition=cond,
+                                reason="https://pagure.io/freeipa/issue/9295"):
+@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
+         self.mod_idrange_auto_private_group(type)
+         if type == "true":
+             sssd_version = tasks.get_sssd_version(self.clients[0])
+-            with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
++            bad_version = (tasks.parse_version("2.8.2") <= sssd_version
++                           < tasks.parse_version("2.9.4"))
++            with xfail_context(bad_version,
+                  "https://pagure.io/freeipa/issue/9295"):
+                 (uid, gid) = self.get_user_id(self.clients[0], posixuser)
+                 assert uid == gid
+
+From 34d048ede0c439b3a53e02f8ace96ff91aa1609d Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mar 14 2023 16:50:25 +0000
+Subject: ipatests: adapt for new automembership fixup behavior
+
+
+The automembership fixup task now needs to be called
+with --cleanup argument when the user expects automember
+to remove user/hosts from automember groups.
+Update the test to call create a cleanup task equivalent to
+dsconf plugin automember fixup --cleanup
+when it is needed.
+
+Fixes: https://pagure.io/freeipa/issue/9313
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py
+index 7acd0d7..8b27f4d 100644
+--- a/ipatests/test_integration/test_automember.py
++++ b/ipatests/test_integration/test_automember.py
+@@ -4,6 +4,7 @@
+ """This covers tests for automemberfeature."""
+ 
+ from __future__ import absolute_import
++import uuid
+ 
+ from ipapython.dn import DN
+ 
+@@ -211,11 +212,27 @@ class TestAutounmembership(IntegrationTest):
+             # Running automember-build so that user is part of correct group
+             result = self.master.run_command(['ipa', 'automember-rebuild',
+                                               '--users=%s' % user2])
++            assert msg in result.stdout_text
++
++            # The additional --cleanup argument is required
++            cleanup_ldif = (
++                "dn: cn={cn},cn=automember rebuild membership,"
++                "cn=tasks,cn=config\n"
++                "changetype: add\n"
++                "objectclass: top\n"
++                "objectclass: extensibleObject\n"
++                "basedn: cn=users,cn=accounts,{suffix}\n"
++                "filter: (uid={user})\n"
++                "cleanup: yes\n"
++                "scope: sub"
++            ).format(cn=str(uuid.uuid4()),
++                     suffix=str(self.master.domain.basedn),
++                     user=user2)
++            tasks.ldapmodify_dm(self.master, cleanup_ldif)
++
+             assert self.is_user_member_of_group(user2, group2)
+             assert not self.is_user_member_of_group(user2, group1)
+ 
+-            assert msg in result.stdout_text
+-
+         finally:
+             # testcase cleanup
+             self.remove_user_automember(user2, raiseonerr=False)
+@@ -248,11 +265,27 @@ class TestAutounmembership(IntegrationTest):
+             result = self.master.run_command(
+                 ['ipa', 'automember-rebuild', '--hosts=%s' % host2]
+             )
++            assert msg in result.stdout_text
++
++            # The additional --cleanup argument is required
++            cleanup_ldif = (
++                "dn: cn={cn},cn=automember rebuild membership,"
++                "cn=tasks,cn=config\n"
++                "changetype: add\n"
++                "objectclass: top\n"
++                "objectclass: extensibleObject\n"
++                "basedn: cn=computers,cn=accounts,{suffix}\n"
++                "filter: (fqdn={fqdn})\n"
++                "cleanup: yes\n"
++                "scope: sub"
++            ).format(cn=str(uuid.uuid4()),
++                     suffix=str(self.master.domain.basedn),
++                     fqdn=host2)
++            tasks.ldapmodify_dm(self.master, cleanup_ldif)
++
+             assert self.is_host_member_of_hostgroup(host2, hostgroup2)
+             assert not self.is_host_member_of_hostgroup(host2, hostgroup1)
+ 
+-            assert msg in result.stdout_text
+-
+         finally:
+             # testcase cleanup
+             self.remove_host_automember(host2, raiseonerr=False)
+
+From 9b777390fbb6d4c683bf7d3e5f74d5443209b1d5 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 24 Mar 2023 08:15:00 +0200
+Subject: [PATCH] test_xmlrpc: adopt to automember plugin message changes in
+ 389-ds
+
+Another change in automember plugin messaging that breaks FreeIPA tests.
+Use common substring to match.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_xmlrpc/xmlrpc_test.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
+index cf11721bfca..5fe1245dc65 100644
+--- a/ipatests/test_xmlrpc/xmlrpc_test.py
++++ b/ipatests/test_xmlrpc/xmlrpc_test.py
+@@ -64,7 +64,7 @@ def test(xs):
+ 
+ # Matches an automember task finish message
+ fuzzy_automember_message = Fuzzy(
+-    r'^Automember rebuild task finished\. Processed \(\d+\) entries\.$'
++    r'^Automember rebuild task finished\. Processed \(\d+\) entries'
+ )
+ 
+ # Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb'
+From 8e8b97a2251329aec9633a5c7c644bc5034bc8c2 Mon Sep 17 00:00:00 2001
+From: Sudhir Menon <sumenon@redhat.com>
+Date: Wed, 20 Mar 2024 14:29:46 +0530
+Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
+ testcases.
+
+Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
+which causes error in STIG mode.
+
+[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
+Incorrect password/PIN entered.
+
+Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
+
+Signed-off-by: Sudhir Menon <sumenon@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 8aae9fad776..a96de7088aa 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -2731,17 +2731,18 @@ def remove_server_cert(self):
+         Fixture to remove Server cert and revert the change.
+         """
+         instance = realm_to_serverid(self.master.domain.realm)
++        instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+         self.master.run_command(
+             [
+                 "certutil",
+                 "-L",
+                 "-d",
+-                paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
++                instance_dir,
+                 "-n",
+                 "Server-Cert",
+                 "-a",
+                 "-o",
+-                paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
++                instance_dir
+                 + "/Server-Cert.pem",
+             ]
+         )
+@@ -2760,15 +2761,15 @@ def remove_server_cert(self):
+             [
+                 "certutil",
+                 "-d",
+-                paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
++                instance_dir,
+                 "-A",
+                 "-i",
+-                paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
++                instance_dir
+                 + "/Server-Cert.pem",
+                 "-t",
+                 "u,u,u",
+                 "-f",
+-                paths.IPA_NSSDB_PWDFILE_TXT,
++                "%s/pwdfile.txt" % instance_dir,
+                 "-n",
+                 "Server-Cert",
+             ]

SPECS/ipa.spec

@@ -81,7 +81,8 @@
 
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
-%global bind_version 9.11.20-6
+# Fix for RHEL-25649
+%global bind_version 9.11.36-14
 
 %else
 # Fedora
@@ -189,7 +190,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        7%{?rc_version:.%rc_version}%{?dist}
+Release:        9%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -230,6 +231,10 @@ Patch0019:      0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
 Patch0020:      0020-Vault-improve-vault-server-archival-retrieval-calls-.patch
 Patch0021:      0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
 Patch0022:      0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
+Patch0023:      0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
+Patch0024:      0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
+Patch0025:      0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch
+Patch0026:      0026-backport-test-fixes_rhel#29908.patch
 %if 0%{?rhel} >= 8
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@@ -1745,6 +1750,23 @@ fi
 %endif
 
 %changelog
+* Fri Apr 12 2024 Rafael Jeffman <rjeffman@redhat.com> - 9.4.13-9
+- dcerpc: invalidate forest trust intfo cache when filtering out realm domains
+  Resolves: RHEL-28559
+- Backport latests test fixes in python3-tests
+  ipatests: add xfail for autoprivate group test with override
+  ipatests: remove xfail thanks to sssd 2.9.4
+  ipatests: adapt for new automembership fixup behavior
+  ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases
+  test_xmlrpc: adopt to automember plugin message changes in 389-ds
+  Resolves: RHEL-29908
+
+* Thu Mar 07 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-8
+- rpcserver: validate Kerberos principal name before running kinit
+  Resolves: RHEL-26153
+- Vault: add additional fallback to RSA-OAEP wrapping algo
+  Resolves: RHEL-28259
+
 * Tue Feb 20 2024 Julien Rische <jrische@redhat.com> - 4.9.13-7
 - ipa-kdb: Fix double free in ipadb_reinit_mspac()
   Resolves: RHEL-25742