The Identity, Policy and Audit system
CentOS Sources
2017-09-05 b38368e5dbca9abdef17fc91626a20d016326ee0
import ipa-4.5.0-21.el7_4.1.2
15 files added
1 files deleted
5 files modified
1660 ■■■■■ changed files
SOURCES/0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch 131 ●●●●● patch | view | raw | blame | history
SOURCES/0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch 125 ●●●●● patch | view | raw | blame | history
SOURCES/0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch 150 ●●●●● patch | view | raw | blame | history
SOURCES/0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/0210-delegate-the-indentation-handling-in-advises-to-dedi.patch 267 ●●●●● patch | view | raw | blame | history
SOURCES/0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0212-delegate-formatting-of-compound-Bash-statements-to-d.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0213-Fix-indentation-of-statements-in-Smart-card-advises.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0214-Use-the-compound-statement-formatting-API-for-config.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch 121 ●●●●● patch | view | raw | blame | history
SOURCES/0216-smart-card-advise-use-password-when-changing-trust-f.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch 187 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch 2 ●●● patch | view | raw | blame | history
SOURCES/1002-Package-copy-schema-to-ca.py.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch 2 ●●● patch | view | raw | blame | history
SOURCES/1004-Remove-csrgen.patch 4 ●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 74 ●●●● patch | view | raw | blame | history
SOURCES/0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch
New file
@@ -0,0 +1,62 @@
From bf0a34b06e4a44b71b5a9b5f7b7537d3d99e0441 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 7 Jun 2017 19:41:26 +1000
Subject: [PATCH] Add CommonNameToSANDefault to default cert profile
The CommonNameToSANDefault component was added to Dogtag 10.4.  When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only.  For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 freeipa.spec.in                             | 4 ++--
 install/share/profiles/caIPAserviceCert.cfg | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index d7f8d11ec553cfe299937e1e5f8cc27caed32b08..721e512039a4d7f9d2ed94d7620b083732c56304 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -291,8 +291,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.5-11
-Requires: pki-kra >= 10.3.5-11
+Requires: pki-ca >= 10.4.0-1
+Requires: pki-kra >= 10.4.0-1
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: policycoreutils >= 2.1.12-5
diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg
index 6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c..3bec9ed10c7c053a67271de52dd95e71fe1fb6b8 100644
--- a/install/share/profiles/caIPAserviceCert.cfg
+++ b/install/share/profiles/caIPAserviceCert.cfg
@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint
 policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
 policyset.serverCertSet.11.default.name=User Supplied Extension Default
 policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
--
2.9.4
SOURCES/0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch
New file
@@ -0,0 +1,131 @@
From 57c93cb21d542e1d0eab52baa01ac60f30459dc7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 21 Jun 2017 18:28:50 +0200
Subject: [PATCH] smart-card advises: configure systemwide NSS DB also on
 master
Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 59 +++++++++++++++++------------
 1 file changed, 35 insertions(+), 24 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 5859e350939fdba0a8b258de5285dd10c7b3bc23..0ee4808d47aa87a4b1b838d427e9958d98075a4a 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
 register = Registry()
+class common_smart_card_auth_config(Advice):
+    """
+    Common steps required to properly configure both server and client for
+    smart card auth
+    """
+
+    systemwide_nssdb = paths.NSS_DB_DIR
+    smart_card_ca_cert_variable_name = "SC_CA_CERT"
+
+    def check_and_set_ca_cert_path(self):
+        ca_path_variable = self.smart_card_ca_cert_variable_name
+        self.log.command("{}=$1".format(ca_path_variable))
+        self.log.exit_on_predicate(
+            '[ -z "${}" ]'.format(ca_path_variable),
+            ['You need to provide the path to the PEM file containing CA '
+             'signing the Smart Cards']
+        )
+        self.log.exit_on_predicate(
+            '[ ! -f "${}" ]'.format(ca_path_variable),
+            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
+             'Please check that the path exists and is a valid file']
+        )
+
+    def upload_smartcard_ca_certificate_to_systemwide_db(self):
+        self.log.command(
+            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
+                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
+            )
+        )
+
+
 @register()
-class config_server_for_smart_card_auth(Advice):
+class config_server_for_smart_card_auth(common_smart_card_auth_config):
     """
     Configures smart card authentication via Kerberos (PKINIT) and for WebUI
     """
@@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):
     def get_info(self):
         self.log.exit_on_nonroot_euid()
+        self.check_and_set_ca_cert_path()
         self.check_ccache_not_empty()
         self.check_hostname_is_in_masters()
         self.resolve_ipaca_records()
@@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice):
         self.record_httpd_ocsp_status()
         self.check_and_enable_pkinit()
         self.enable_ok_to_auth_as_delegate_on_http_principal()
+        self.upload_smartcard_ca_certificate_to_systemwide_db()
     def check_ccache_not_empty(self):
         self.log.comment('Check whether the credential cache is not empty')
@@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice):
 @register()
-class config_client_for_smart_card_auth(Advice):
+class config_client_for_smart_card_auth(common_smart_card_auth_config):
     """
     Configures smart card authentication on FreeIPA client
     """
-    smart_card_ca_cert_variable_name = "SC_CA_CERT"
     description = ("Instructions for enabling Smart Card authentication on "
                    " a single FreeIPA client. Configures Smart Card daemon, "
@@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice):
         self.run_authconfig_to_configure_smart_card_auth()
         self.restart_sssd()
-    def check_and_set_ca_cert_path(self):
-        ca_path_variable = self.smart_card_ca_cert_variable_name
-        self.log.command("{}=$1".format(ca_path_variable))
-        self.log.exit_on_predicate(
-            '[ -z "${}" ]'.format(ca_path_variable),
-            ['You need to provide the path to the PEM file containing CA '
-             'signing the Smart Cards']
-        )
-        self.log.exit_on_predicate(
-            '[ ! -f "${}" ]'.format(ca_path_variable),
-            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
-             'Please check that the path exists and is a valid file']
-        )
-
     def check_and_remove_pam_pkcs11(self):
         self.log.command('rpm -qi pam_pkcs11 > /dev/null')
         self.log.commands_on_predicate(
@@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice):
             ]
         )
-    def upload_smartcard_ca_certificate_to_systemwide_db(self):
-        self.log.command(
-            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
-                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
-            )
-        )
-
     def run_authconfig_to_configure_smart_card_auth(self):
         self.log.exit_on_failed_command(
             'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
--
2.9.4
SOURCES/0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch
New file
@@ -0,0 +1,125 @@
From 7bbf7dbc27d1bcde8bf3e4d0bb8fec65de2660c8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 21 Jun 2017 18:52:57 +0200
Subject: [PATCH] smart-card advises: add steps to store smart card signing CA
 cert
On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 46 +++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 9 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 0ee4808d47aa87a4b1b838d427e9958d98075a4a..0217bd190778f1235981a49e7b0764b8b9cdf582 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -3,6 +3,7 @@
 #
 from ipalib.plugable import Registry
+from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaserver.advise.base import Advice
 from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
@@ -19,6 +20,16 @@ class common_smart_card_auth_config(Advice):
     systemwide_nssdb = paths.NSS_DB_DIR
     smart_card_ca_cert_variable_name = "SC_CA_CERT"
+    def check_ccache_not_empty(self):
+        self.log.comment('Check whether the credential cache is not empty')
+        self.log.exit_on_failed_command(
+            'klist',
+            [
+                "Credential cache is empty",
+                'Use kinit as privileged user to obtain Kerberos credentials'
+            ])
+
+
     def check_and_set_ca_cert_path(self):
         ca_path_variable = self.smart_card_ca_cert_variable_name
         self.log.command("{}=$1".format(ca_path_variable))
@@ -40,6 +51,20 @@ class common_smart_card_auth_config(Advice):
             )
         )
+    def install_smart_card_signing_ca_cert(self):
+        self.log.exit_on_failed_command(
+            'ipa-cacert-manage install ${} -t CT,C,C'.format(
+                self.smart_card_ca_cert_variable_name
+            ),
+            ['Failed to install external CA certificate to IPA']
+        )
+
+    def update_ipa_ca_certificate_store(self):
+        self.log.exit_on_failed_command(
+            'ipa-certupdate',
+            ['Failed to update IPA CA certificate database']
+        )
+
 @register()
 class config_server_for_smart_card_auth(common_smart_card_auth_config):
@@ -56,6 +81,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
     nss_conf = paths.HTTPD_NSS_CONF
     nss_ocsp_directive = 'NSSOCSP'
     nss_nickname_directive = 'NSSNickname'
+    kdc_service_name = services.knownservices.krb5kdc.systemd_name
     def get_info(self):
         self.log.exit_on_nonroot_euid()
@@ -70,15 +96,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
         self.check_and_enable_pkinit()
         self.enable_ok_to_auth_as_delegate_on_http_principal()
         self.upload_smartcard_ca_certificate_to_systemwide_db()
-
-    def check_ccache_not_empty(self):
-        self.log.comment('Check whether the credential cache is not empty')
-        self.log.exit_on_failed_command(
-            'klist',
-            [
-                "Credential cache is empty",
-                'Use kinit as privileged user to obtain Kerberos credentials'
-            ])
+        self.update_ipa_ca_certificate_store()
+        self.restart_kdc()
     def check_hostname_is_in_masters(self):
         self.log.comment('Check whether the host is IPA master')
@@ -193,6 +212,12 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
             ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
         )
+    def restart_kdc(self):
+        self.log.exit_on_failed_command(
+            'systemctl restart {}'.format(self.kdc_service_name),
+            ['Failed to restart KDC. Please restart the service manually.']
+        )
+
 @register()
 class config_client_for_smart_card_auth(common_smart_card_auth_config):
@@ -214,11 +239,14 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
     def get_info(self):
         self.log.exit_on_nonroot_euid()
         self.check_and_set_ca_cert_path()
+        self.check_ccache_not_empty()
         self.check_and_remove_pam_pkcs11()
         self.install_opensc_and_dconf_packages()
         self.start_enable_smartcard_daemon()
         self.add_pkcs11_module_to_systemwide_db()
         self.upload_smartcard_ca_certificate_to_systemwide_db()
+        self.install_smart_card_signing_ca_cert()
+        self.update_ipa_ca_certificate_store()
         self.run_authconfig_to_configure_smart_card_auth()
         self.restart_sssd()
--
2.9.4
SOURCES/0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch
New file
@@ -0,0 +1,150 @@
From 6bfb11f2110f5fbaecc2d6a27d89289c58edc171 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 10:06:21 +0200
Subject: [PATCH] Allow to pass in multiple CA cert paths to the smart card
 advises
If the user has a series of CA certificates required to verify smart
card certs (e.g. intermediary CAs and root CA) it is convenient to allow
for passing them to the advise scripts as a series of PEM files.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 69 +++++++++++++++++++----------
 1 file changed, 46 insertions(+), 23 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 0217bd190778f1235981a49e7b0764b8b9cdf582..16c01204444883ed949db73b2314ba5c404124df 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -18,7 +18,8 @@ class common_smart_card_auth_config(Advice):
     """
     systemwide_nssdb = paths.NSS_DB_DIR
-    smart_card_ca_cert_variable_name = "SC_CA_CERT"
+    smart_card_ca_certs_variable_name = "SC_CA_CERTS"
+    single_ca_cert_variable_name = 'ca_cert'
     def check_ccache_not_empty(self):
         self.log.comment('Check whether the credential cache is not empty')
@@ -29,35 +30,58 @@ class common_smart_card_auth_config(Advice):
                 'Use kinit as privileged user to obtain Kerberos credentials'
             ])
+    def check_and_set_ca_cert_paths(self):
+        ca_paths_variable = self.smart_card_ca_certs_variable_name
+        single_ca_path_variable = self.single_ca_cert_variable_name
-    def check_and_set_ca_cert_path(self):
-        ca_path_variable = self.smart_card_ca_cert_variable_name
-        self.log.command("{}=$1".format(ca_path_variable))
+        self.log.command("{}=$@".format(ca_paths_variable))
         self.log.exit_on_predicate(
-            '[ -z "${}" ]'.format(ca_path_variable),
-            ['You need to provide the path to the PEM file containing CA '
-             'signing the Smart Cards']
+            '[ -z "${}" ]'.format(ca_paths_variable),
+            ['You need to provide one or more paths to the PEM files '
+             'containing CAs signing the Smart Cards']
         )
+        self.log.command(
+            "for {} in ${}".format(
+                single_ca_path_variable, ca_paths_variable))
+        self.log.command("do")
         self.log.exit_on_predicate(
-            '[ ! -f "${}" ]'.format(ca_path_variable),
-            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
-             'Please check that the path exists and is a valid file']
+            '[ ! -f "${}" ]'.format(single_ca_path_variable),
+            ['Invalid CA certificate filename: ${}'.format(
+                single_ca_path_variable),
+             'Please check that the path exists and is a valid file'],
+            indent_spaces=2
         )
+        self.log.command("done")
-    def upload_smartcard_ca_certificate_to_systemwide_db(self):
+    def upload_smartcard_ca_certificates_to_systemwide_db(self):
+        self.log.command(
+            "for {} in ${}".format(
+                self.single_ca_cert_variable_name,
+                self.smart_card_ca_certs_variable_name))
+        self.log.command("do")
         self.log.command(
-            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
-                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
-            )
+            'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" '
+            '-t CT,C,C'.format(
+                self.systemwide_nssdb, self.single_ca_cert_variable_name
+            ),
+            indent_spaces=2
         )
+        self.log.command("done")
-    def install_smart_card_signing_ca_cert(self):
+    def install_smart_card_signing_ca_certs(self):
+        self.log.command(
+            "for {} in ${}".format(
+                self.single_ca_cert_variable_name,
+                self.smart_card_ca_certs_variable_name))
+        self.log.command("do")
         self.log.exit_on_failed_command(
             'ipa-cacert-manage install ${} -t CT,C,C'.format(
-                self.smart_card_ca_cert_variable_name
+                self.single_ca_cert_variable_name
             ),
-            ['Failed to install external CA certificate to IPA']
+            ['Failed to install external CA certificate to IPA'],
+            indent_spaces=2
         )
+        self.log.command("done")
     def update_ipa_ca_certificate_store(self):
         self.log.exit_on_failed_command(
@@ -85,7 +109,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
     def get_info(self):
         self.log.exit_on_nonroot_euid()
-        self.check_and_set_ca_cert_path()
+        self.check_and_set_ca_cert_paths()
         self.check_ccache_not_empty()
         self.check_hostname_is_in_masters()
         self.resolve_ipaca_records()
@@ -95,7 +119,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
         self.record_httpd_ocsp_status()
         self.check_and_enable_pkinit()
         self.enable_ok_to_auth_as_delegate_on_http_principal()
-        self.upload_smartcard_ca_certificate_to_systemwide_db()
+        self.upload_smartcard_ca_certificates_to_systemwide_db()
+        self.install_smart_card_signing_ca_certs()
         self.update_ipa_ca_certificate_store()
         self.restart_kdc()
@@ -234,18 +259,16 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
     pkcs11_shared_lib = '/usr/lib64/opensc-pkcs11.so'
     smart_card_service_file = 'pcscd.service'
     smart_card_socket = 'pcscd.socket'
-    systemwide_nssdb = paths.NSS_DB_DIR
     def get_info(self):
         self.log.exit_on_nonroot_euid()
-        self.check_and_set_ca_cert_path()
+        self.check_and_set_ca_cert_paths()
         self.check_ccache_not_empty()
         self.check_and_remove_pam_pkcs11()
         self.install_opensc_and_dconf_packages()
         self.start_enable_smartcard_daemon()
         self.add_pkcs11_module_to_systemwide_db()
-        self.upload_smartcard_ca_certificate_to_systemwide_db()
-        self.install_smart_card_signing_ca_cert()
+        self.upload_smartcard_ca_certificates_to_systemwide_db()
         self.update_ipa_ca_certificate_store()
         self.run_authconfig_to_configure_smart_card_auth()
         self.restart_sssd()
--
2.9.4
SOURCES/0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch
New file
@@ -0,0 +1,77 @@
From bdf024c20213110306b2fcf3651f274c229aae29 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 13:18:54 +0200
Subject: [PATCH] add a class that tracks the indentation in the generated
 advises
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/base.py | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index ba412b872472580cd32baf2a326a14edb951cab1..639fd1807f72f11f46136999c4ce4c6eec6b3698 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -76,6 +76,55 @@ As a result, you can redirect the advice's output directly to a script file.
 """
+class _IndentationTracker(object):
+    """
+    A simple wrapper that tracks the indentation level of the generated bash
+    commands
+    """
+    def __init__(self, spaces_per_indent=0):
+        if spaces_per_indent <= 0:
+            raise ValueError(
+                "Indentation increments cannot be zero or negative")
+        self.spaces_per_indent = spaces_per_indent
+        self._indentation_stack = []
+        self._total_indentation_level = 0
+
+    @property
+    def indentation_string(self):
+        """
+        return a string containing number of spaces corresponding to
+        indentation level
+        """
+        return " " * self._total_indentation_level
+
+    def indent(self):
+        """
+        track a single indentation of the generated code
+        """
+        self._indentation_stack.append(self.spaces_per_indent)
+        self._recompute_indentation_level()
+
+    def _recompute_indentation_level(self):
+        """
+        Track total indentation level of the generated code
+        """
+        self._total_indentation_level = sum(self._indentation_stack)
+
+    def dedent(self):
+        """
+        track a single dedentation of the generated code
+        dedents that would result in zero or negative indentation level will be
+        ignored
+        """
+        try:
+            self._indentation_stack.pop()
+        except IndexError:
+            # can not dedent any further
+            pass
+
+        self._recompute_indentation_level()
+
+
 class _AdviceOutput(object):
     def __init__(self):
--
2.9.4
SOURCES/0210-delegate-the-indentation-handling-in-advises-to-dedi.patch
New file
@@ -0,0 +1,267 @@
From 243f7ebf6a07fa54cbd5db6bf7f67fee04e4f14c Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 13:20:05 +0200
Subject: [PATCH] delegate the indentation handling in advises to dedicated
 class
Indentation levels are now handled transparently by a dedicated class
and should not pollute the statement printing logic.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/base.py                    | 106 +++++++++++++++++++---------
 ipaserver/advise/plugins/smart_card_auth.py |  45 ++++++------
 2 files changed, 93 insertions(+), 58 deletions(-)
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 639fd1807f72f11f46136999c4ce4c6eec6b3698..c320b002c83198cbb0fd73a5c158df07dd309242 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -19,6 +19,7 @@
 from __future__ import print_function
+from contextlib import contextmanager
 import os
 from textwrap import wrap
@@ -75,6 +76,8 @@ As a result, you can redirect the advice's output directly to a script file.
 # ./script.sh
 """
+DEFAULT_INDENTATION_INCREMENT = 2
+
 class _IndentationTracker(object):
     """
@@ -131,39 +134,77 @@ class _AdviceOutput(object):
         self.content = []
         self.prefix = '# '
         self.options = None
+        self._indentation_tracker = _IndentationTracker(
+            spaces_per_indent=DEFAULT_INDENTATION_INCREMENT)
+
+    def indent(self):
+        """
+        Indent the statements by one level
+        """
+        self._indentation_tracker.indent()
+
+    def dedent(self):
+        """
+        Dedent the statements by one level
+        """
+        self._indentation_tracker.dedent()
+
+    @contextmanager
+    def indented_block(self):
+        self.indent()
+        try:
+            yield
+        finally:
+            self.dedent()
     def comment(self, line, wrapped=True):
         if wrapped:
-            for wrapped_line in wrap(line, 70):
-                self.content.append(self.prefix + wrapped_line)
+            self.append_wrapped_and_indented_comment(line)
         else:
-            self.content.append(self.prefix + line)
+            self.append_comment(line)
+
+    def append_wrapped_and_indented_comment(self, line, character_limit=70):
+        """
+        append wrapped and indented comment to the output
+        """
+        for wrapped_indented_line in wrap(
+                self.indent_statement(line), character_limit):
+            self.append_comment(wrapped_indented_line)
+
+    def append_comment(self, line):
+        self.append_statement(self.prefix + line)
+
+    def append_statement(self, statement):
+        """
+        Append a line to the generated content indenting it by tracked number
+        of spaces
+        """
+        self.content.append(self.indent_statement(statement))
+
+    def indent_statement(self, statement):
+        return '{indent}{statement}'.format(
+            indent=self._indentation_tracker.indentation_string,
+            statement=statement)
     def debug(self, line):
         if self.options.verbose:
             self.comment('DEBUG: ' + line)
-    def command(self, line, indent_spaces=0):
-        self.content.append(
-            '{}{}'.format(self._format_indent(indent_spaces), line))
-
-    def _format_indent(self, num_spaces):
-        return ' ' * num_spaces
+    def command(self, line):
+        self.append_statement(line)
-    def echo_error(self, error_message, indent_spaces=0):
-        self.command(
-            self._format_error(error_message), indent_spaces=indent_spaces)
+    def echo_error(self, error_message):
+        self.command(self._format_error(error_message))
     def _format_error(self, error_message):
         return 'echo "{}" >&2'.format(error_message)
     def exit_on_failed_command(self, command_to_run,
-                               error_message_lines, indent_spaces=0):
-        self.command(command_to_run, indent_spaces=indent_spaces)
+                               error_message_lines):
+        self.command(command_to_run)
         self.exit_on_predicate(
             '[ "$?" -ne "0" ]',
-            error_message_lines,
-            indent_spaces=indent_spaces)
+            error_message_lines)
     def exit_on_nonroot_euid(self):
         self.exit_on_predicate(
@@ -171,8 +212,7 @@ class _AdviceOutput(object):
             ["This script has to be run as root user"]
         )
-    def exit_on_predicate(self, predicate, error_message_lines,
-                          indent_spaces=0):
+    def exit_on_predicate(self, predicate, error_message_lines):
         commands_to_run = [
             self._format_error(error_message_line)
             for error_message_line in error_message_lines]
@@ -180,30 +220,26 @@ class _AdviceOutput(object):
         commands_to_run.append('exit 1')
         self.commands_on_predicate(
             predicate,
-            commands_to_run,
-            indent_spaces=indent_spaces)
+            commands_to_run)
     def commands_on_predicate(self, predicate, commands_to_run_when_true,
-                              commands_to_run_when_false=None,
-                              indent_spaces=0):
+                              commands_to_run_when_false=None):
         if_command = 'if {}'.format(predicate)
-        self.command(if_command, indent_spaces=indent_spaces)
-        self.command('then', indent_spaces=indent_spaces)
-
-        indented_block_spaces = indent_spaces + 2
+        self.command(if_command)
+        self.command('then')
-        for command_to_run_when_true in commands_to_run_when_true:
-            self.command(
-                command_to_run_when_true, indent_spaces=indented_block_spaces)
+        with self.indented_block():
+            for command_to_run_when_true in commands_to_run_when_true:
+                self.command(
+                    command_to_run_when_true)
         if commands_to_run_when_false is not None:
-            self.command("else", indent_spaces=indent_spaces)
-            for command_to_run_when_false in commands_to_run_when_false:
-                self.command(
-                    command_to_run_when_false,
-                    indent_spaces=indented_block_spaces)
+            self.command("else")
+            with self.indented_block():
+                for command_to_run_when_false in commands_to_run_when_false:
+                    self.command(command_to_run_when_false)
-        self.command('fi', indent_spaces=indent_spaces)
+        self.command('fi')
 class Advice(Plugin):
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 16c01204444883ed949db73b2314ba5c404124df..75efa6f854acd5f746111ea44957a538117381ae 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -44,13 +44,13 @@ class common_smart_card_auth_config(Advice):
             "for {} in ${}".format(
                 single_ca_path_variable, ca_paths_variable))
         self.log.command("do")
-        self.log.exit_on_predicate(
-            '[ ! -f "${}" ]'.format(single_ca_path_variable),
-            ['Invalid CA certificate filename: ${}'.format(
-                single_ca_path_variable),
-             'Please check that the path exists and is a valid file'],
-            indent_spaces=2
-        )
+        with self.log.indented_block():
+            self.log.exit_on_predicate(
+                '[ ! -f "${}" ]'.format(single_ca_path_variable),
+                ['Invalid CA certificate filename: ${}'.format(
+                    single_ca_path_variable),
+                 'Please check that the path exists and is a valid file']
+            )
         self.log.command("done")
     def upload_smartcard_ca_certificates_to_systemwide_db(self):
@@ -59,13 +59,13 @@ class common_smart_card_auth_config(Advice):
                 self.single_ca_cert_variable_name,
                 self.smart_card_ca_certs_variable_name))
         self.log.command("do")
-        self.log.command(
-            'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" '
-            '-t CT,C,C'.format(
-                self.systemwide_nssdb, self.single_ca_cert_variable_name
-            ),
-            indent_spaces=2
-        )
+        with self.log.indented_block():
+            self.log.command(
+                'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" '
+                '-t CT,C,C'.format(
+                    self.systemwide_nssdb, self.single_ca_cert_variable_name
+                ),
+            )
         self.log.command("done")
     def install_smart_card_signing_ca_certs(self):
@@ -74,13 +74,13 @@ class common_smart_card_auth_config(Advice):
                 self.single_ca_cert_variable_name,
                 self.smart_card_ca_certs_variable_name))
         self.log.command("do")
-        self.log.exit_on_failed_command(
-            'ipa-cacert-manage install ${} -t CT,C,C'.format(
-                self.single_ca_cert_variable_name
-            ),
-            ['Failed to install external CA certificate to IPA'],
-            indent_spaces=2
-        )
+        with self.log.indented_block():
+            self.log.exit_on_failed_command(
+                'ipa-cacert-manage install ${} -t CT,C,C'.format(
+                    self.single_ca_cert_variable_name
+                ),
+                ['Failed to install external CA certificate to IPA']
+            )
         self.log.command("done")
     def update_ipa_ca_certificate_store(self):
@@ -221,8 +221,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
         self.log.command('else')
         self.log.exit_on_failed_command(
             'ipa-pkinit-manage enable',
-            ['Failed to issue PKINIT certificates to local KDC'],
-            indent_spaces=2)
+            ['Failed to issue PKINIT certificates to local KDC'])
         self.log.command('fi')
     def enable_ok_to_auth_as_delegate_on_http_principal(self):
--
2.9.4
SOURCES/0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch
New file
@@ -0,0 +1,104 @@
From 7e2702164e28576dfa64c0c9bbc83dc7dcb30ba7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 15:00:00 +0200
Subject: [PATCH] advise: add an infrastructure for formatting Bash compound
 statements
A series of context managers simplify formatting of common compound
statements such as `if`, `else if`, `else` blocks.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/base.py | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index c320b002c83198cbb0fd73a5c158df07dd309242..940d87ed4c1804326a46e2866381364e6f4f3f3e 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -128,6 +128,79 @@ class _IndentationTracker(object):
         self._recompute_indentation_level()
+class CompoundStatement(object):
+    """
+    Wrapper around indented blocks of Bash statements.
+
+    Override `begin_statement` and `end_statement` methods to issue
+    opening/closing commands using the passed in _AdviceOutput instance
+    """
+
+    def __init__(self, advice_output):
+        self.advice_output = advice_output
+
+    def __enter__(self):
+        self.begin_statement()
+        self.advice_output.indent()
+
+    def begin_statement(self):
+        pass
+
+    def __exit__(self, exc_type, exc_value, traceback):
+        self.advice_output.dedent()
+        self.end_statement()
+
+    def end_statement(self):
+        pass
+
+
+class IfBranch(CompoundStatement):
+    """
+    Base wrapper around `if` branch. The closing statement is empty so it
+    leaves trailing block that can be closed off or continued by else branches
+    """
+    def __init__(self, advice_output, conditional):
+        super(IfBranch, self).__init__(advice_output)
+        self.conditional = conditional
+
+    def begin_statement(self):
+        self.advice_output.command('if {}'.format(self.conditional))
+        self.advice_output.command('then')
+
+
+class ElseIfBranch(CompoundStatement):
+    """
+    Wrapper for `else if <CONDITIONAL>`
+    """
+    def __init__(self, advice_output, alternative_conditional):
+        super(ElseIfBranch, self).__init__(advice_output)
+        self.alternative_conditional = alternative_conditional
+
+    def begin_statement(self):
+        command = 'else if {}'.format(self.alternative_conditional)
+
+        self.advice_output.command(command)
+
+
+class ElseBranch(CompoundStatement):
+    """
+    Wrapper for final `else` block
+    """
+    def begin_statement(self):
+        self.advice_output.command('else')
+
+    def end_statement(self):
+        self.advice_output.command('fi')
+
+
+class UnbranchedIfStatement(IfBranch):
+    """
+    Plain `if` without branches
+    """
+    def end_statement(self):
+        self.advice_output.command('fi')
+
+
 class _AdviceOutput(object):
     def __init__(self):
--
2.9.4
SOURCES/0212-delegate-formatting-of-compound-Bash-statements-to-d.patch
New file
@@ -0,0 +1,93 @@
From d22e7953295f878950ca5be976d89bf9af8d36b1 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 15:02:25 +0200
Subject: [PATCH] delegate formatting of compound Bash statements to dedicated
 classes
this simplifies handling compound statements using _AdviceOutput class.
The necessary statements are exposed as context managers and API for
most common constructs is provided.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/base.py | 48 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 34 insertions(+), 14 deletions(-)
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 940d87ed4c1804326a46e2866381364e6f4f3f3e..581478fb75bc4f50b6bffe2e4cf9b51de46fa095 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -286,33 +286,53 @@ class _AdviceOutput(object):
         )
     def exit_on_predicate(self, predicate, error_message_lines):
-        commands_to_run = [
-            self._format_error(error_message_line)
-            for error_message_line in error_message_lines]
+        with self.unbranched_if(predicate):
+            for error_message_line in error_message_lines:
+                self.command(self._format_error(error_message_line))
-        commands_to_run.append('exit 1')
-        self.commands_on_predicate(
-            predicate,
-            commands_to_run)
+            self.command('exit 1')
+
+    @contextmanager
+    def unbranched_if(self, predicate):
+        with self._compound_statement(UnbranchedIfStatement, predicate):
+            yield
+
+    @contextmanager
+    def _compound_statement(self, statement_cls, *args):
+        with statement_cls(self, *args):
+            yield
     def commands_on_predicate(self, predicate, commands_to_run_when_true,
                               commands_to_run_when_false=None):
-        if_command = 'if {}'.format(predicate)
-        self.command(if_command)
-        self.command('then')
+        if commands_to_run_when_false is not None:
+            if_statement = self.if_branch
+        else:
+            if_statement = self.unbranched_if
-        with self.indented_block():
+        with if_statement(predicate):
             for command_to_run_when_true in commands_to_run_when_true:
                 self.command(
                     command_to_run_when_true)
         if commands_to_run_when_false is not None:
-            self.command("else")
-            with self.indented_block():
+            with self.else_branch():
                 for command_to_run_when_false in commands_to_run_when_false:
                     self.command(command_to_run_when_false)
-        self.command('fi')
+    @contextmanager
+    def if_branch(self, predicate):
+        with self._compound_statement(IfBranch, predicate):
+            yield
+
+    @contextmanager
+    def else_branch(self):
+        with self._compound_statement(ElseBranch):
+            yield
+
+    @contextmanager
+    def else_if_branch(self, predicate):
+        with self._compound_statement(ElseIfBranch, predicate):
+            yield
 class Advice(Plugin):
--
2.9.4
SOURCES/0213-Fix-indentation-of-statements-in-Smart-card-advises.patch
New file
@@ -0,0 +1,36 @@
From 5bf0faed2a4692d5ce2747c5036d3fca8b0f7b04 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 15:03:45 +0200
Subject: [PATCH] Fix indentation of statements in Smart card advises
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 75efa6f854acd5f746111ea44957a538117381ae..138a44316473f6b504a44a1b68d01fa4d5a58308 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -165,13 +165,13 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
             predicate,
             [
                 self._interpolate_ocsp_directive_file_into_command(
-                    "  sed -i.ipabkp -r "
+                    "sed -i.ipabkp -r "
                     "'s/^#*[[:space:]]*{directive}[[:space:]]+(on|off)$"
                     "/{directive} on/' {filename}")
             ],
             commands_to_run_when_false=[
                 self._interpolate_ocsp_directive_file_into_command(
-                    "  sed -i.ipabkp '/<\/VirtualHost>/i {directive} on' "
+                    "sed -i.ipabkp '/<\/VirtualHost>/i {directive} on' "
                     "{filename}")
             ]
         )
--
2.9.4
SOURCES/0214-Use-the-compound-statement-formatting-API-for-config.patch
New file
@@ -0,0 +1,48 @@
From c702bb6ca3742cf7ea156e062840623f95a001b7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 15:08:08 +0200
Subject: [PATCH] Use the compound statement formatting API for configuring
 PKINIT
Use `if_branch` and `else_branch` context managers instead of raw
`command` calls in the method that generates Bash snippet that
configures PKINIT on the master.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 138a44316473f6b504a44a1b68d01fa4d5a58308..2dc9ddb25ce41a8c85aab827a92a1143784d9457 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -214,15 +214,13 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
     def check_and_enable_pkinit(self):
         self.log.comment('check whether PKINIT is configured on the master')
-        self.log.command(
-            "if ipa-pkinit-manage status | grep -q 'enabled'")
-        self.log.command('then')
-        self.log.command('  echo "PKINIT already enabled"')
-        self.log.command('else')
-        self.log.exit_on_failed_command(
-            'ipa-pkinit-manage enable',
-            ['Failed to issue PKINIT certificates to local KDC'])
-        self.log.command('fi')
+        with self.log.if_branch(
+                "ipa-pkinit-manage status | grep -q 'enabled'"):
+            self.log.command('echo "PKINIT already enabled"')
+        with self.log.else_branch():
+            self.log.exit_on_failed_command(
+                'ipa-pkinit-manage enable',
+                ['Failed to issue PKINIT certificates to local KDC'])
     def enable_ok_to_auth_as_delegate_on_http_principal(self):
         self.log.comment('Enable OK-AS-DELEGATE flag on the HTTP principal')
--
2.9.4
SOURCES/0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch
New file
@@ -0,0 +1,121 @@
From 4e6992f985ebfb6e6c3fb4a6fa7a2959d84ca243 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 22 Jun 2017 15:30:41 +0200
Subject: [PATCH] smart card advises: use a wrapper around Bash `for` loops
Replace the raw `command` calls constructing the for loops in some
methods by a wrapper hiding this detail.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/base.py                    | 23 +++++++++++++++++++++++
 ipaserver/advise/plugins/smart_card_auth.py | 26 +++++++-------------------
 2 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 581478fb75bc4f50b6bffe2e4cf9b51de46fa095..be7274417042fca521039b56af60831563f6952b 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -201,6 +201,24 @@ class UnbranchedIfStatement(IfBranch):
         self.advice_output.command('fi')
+class ForLoop(CompoundStatement):
+    """
+    Wrapper around the for loop
+    """
+    def __init__(self, advice_output, loop_variable, iterable):
+        super(ForLoop, self).__init__(advice_output)
+        self.loop_variable = loop_variable
+        self.iterable = iterable
+
+    def begin_statement(self):
+        self.advice_output.command(
+            'for {} in {}'.format(self.loop_variable, self.iterable))
+        self.advice_output.command('do')
+
+    def end_statement(self):
+        self.advice_output.command('done')
+
+
 class _AdviceOutput(object):
     def __init__(self):
@@ -334,6 +352,11 @@ class _AdviceOutput(object):
         with self._compound_statement(ElseIfBranch, predicate):
             yield
+    @contextmanager
+    def for_loop(self, loop_variable, iterable):
+        with self._compound_statement(ForLoop, loop_variable, iterable):
+            yield
+
 class Advice(Plugin):
     """
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 2dc9ddb25ce41a8c85aab827a92a1143784d9457..3ff94be1e8b108668989602b1b406a39d23ff501 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -40,48 +40,36 @@ class common_smart_card_auth_config(Advice):
             ['You need to provide one or more paths to the PEM files '
              'containing CAs signing the Smart Cards']
         )
-        self.log.command(
-            "for {} in ${}".format(
-                single_ca_path_variable, ca_paths_variable))
-        self.log.command("do")
-        with self.log.indented_block():
+        with self.log.for_loop(single_ca_path_variable,
+                               '${}'.format(ca_paths_variable)):
             self.log.exit_on_predicate(
                 '[ ! -f "${}" ]'.format(single_ca_path_variable),
                 ['Invalid CA certificate filename: ${}'.format(
                     single_ca_path_variable),
                  'Please check that the path exists and is a valid file']
             )
-        self.log.command("done")
     def upload_smartcard_ca_certificates_to_systemwide_db(self):
-        self.log.command(
-            "for {} in ${}".format(
+        with self.log.for_loop(
                 self.single_ca_cert_variable_name,
-                self.smart_card_ca_certs_variable_name))
-        self.log.command("do")
-        with self.log.indented_block():
+                '${}'.format(self.smart_card_ca_certs_variable_name)):
             self.log.command(
                 'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" '
                 '-t CT,C,C'.format(
                     self.systemwide_nssdb, self.single_ca_cert_variable_name
-                ),
+                )
             )
-        self.log.command("done")
     def install_smart_card_signing_ca_certs(self):
-        self.log.command(
-            "for {} in ${}".format(
+        with self.log.for_loop(
                 self.single_ca_cert_variable_name,
-                self.smart_card_ca_certs_variable_name))
-        self.log.command("do")
-        with self.log.indented_block():
+                '${}'.format(self.smart_card_ca_certs_variable_name)):
             self.log.exit_on_failed_command(
                 'ipa-cacert-manage install ${} -t CT,C,C'.format(
                     self.single_ca_cert_variable_name
                 ),
                 ['Failed to install external CA certificate to IPA']
             )
-        self.log.command("done")
     def update_ipa_ca_certificate_store(self):
         self.log.exit_on_failed_command(
--
2.9.4
SOURCES/0216-smart-card-advise-use-password-when-changing-trust-f.patch
New file
@@ -0,0 +1,54 @@
From 4a9ff573f1c9c91e1e2e1e2d7de70951b7333fb4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 23 Jun 2017 15:47:48 +0200
Subject: [PATCH] smart card advise: use password when changing trust flags on
 HTTP cert
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 3ff94be1e8b108668989602b1b406a39d23ff501..5134db535e8f10e8cf850dbf0696b679aacec4f5 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -2,6 +2,8 @@
 # Copyright (C) 2017 FreeIPA Contributors see COPYING for license
 #
+import os
+
 from ipalib.plugable import Registry
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -172,6 +174,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
         return fmt_line.format(directive=directive, filename=filename)
     def mark_httpd_cert_as_trusted(self):
+        httpd_nss_database_pwd_file = os.path.join(
+            paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
         self.log.comment(
             'mark the HTTP certificate as trusted peer to avoid '
             'chicken-egg startup issue')
@@ -181,8 +185,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
                 " cut -f 2 -d ' ')"))
         self.log.exit_on_failed_command(
-            'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format(
-                paths.HTTPD_ALIAS_DIR),
+            'certutil -M -n $http_cert_nick -d "{}" -f {} -t "Pu,u,u"'.format(
+                paths.HTTPD_ALIAS_DIR,
+                httpd_nss_database_pwd_file),
             ['Can not set trust flags on HTTP certificate'])
     def _interpolate_nssnickname_directive_file_into_command(self, fmt_line):
--
2.9.4
SOURCES/0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch
New file
@@ -0,0 +1,46 @@
From aa123edfdab1836c0915bb75f3bf82e46083b17f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 28 Jun 2017 09:49:18 +0200
Subject: [PATCH] smart-card-advises: ensure that krb5-pkinit is installed on
 client
This library is a prerequisite for successful Smart Card authentication
on the client. The client-side advise should make sure this dependency
is present.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 5134db535e8f10e8cf850dbf0696b679aacec4f5..fb328f29ca5051ad52c9c5e0000021ad5e8b94e8 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -256,6 +256,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
         self.check_ccache_not_empty()
         self.check_and_remove_pam_pkcs11()
         self.install_opensc_and_dconf_packages()
+        self.install_krb5_client_dependencies()
         self.start_enable_smartcard_daemon()
         self.add_pkcs11_module_to_systemwide_db()
         self.upload_smartcard_ca_certificates_to_systemwide_db()
@@ -281,6 +282,12 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
             ['Could not install OpenSC package']
         )
+    def install_krb5_client_dependencies(self):
+        self.log.exit_on_failed_command(
+            'yum install -y krb5-pkinit-openssl',
+            ['Failed to install Kerberos client PKINIT extensions.']
+        )
+
     def start_enable_smartcard_daemon(self):
         self.log.command(
             'systemctl start {service} {socket} '
--
2.9.4
SOURCES/0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch
New file
@@ -0,0 +1,33 @@
From 0703a575b4e337e7ce41860956bd339c12cd44ea Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Tue, 20 Jun 2017 18:22:33 +0200
Subject: [PATCH] NULL LDAP context in call to ldap_search_ext_s during search
    KDC crashes on quite random interval while trying to reach LDAP
    https://pagure.io/freeipa/issue/7017
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 050bfc90cef1bce4c932f54bb6050438c60ca79f..c0f1e276ca32ecb318add3a0d36f57acc3d17d51 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -465,6 +465,12 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
     ret = ipadb_reinit_mspac(ipactx, false);
     if (ret && ret != ENOENT) {
         /* TODO: log that there is an issue with adtrust settings */
+        if (ipactx->lcontext == NULL) {
+            /* for some reason ldap connection was reset in ipadb_reinit_mspac
+             * and is no longer established => failure of ipadb_get_connection
+             */
+            goto done;
+        }
     }
     ret = 0;
--
2.9.4
SOURCES/0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch
New file
@@ -0,0 +1,187 @@
From 533f2539cbc8fe5b4bb748982a6cfee7d73416e6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 9 Aug 2017 12:55:57 +1000
Subject: [PATCH] Restore old version of caIPAserviceCert for upgrade only
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.
We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.
https://pagure.io/freeipa/issue/7097
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 install/share/profiles/Makefile.am                 |   1 +
 .../share/profiles/caIPAserviceCert.UPGRADE.cfg    | 109 +++++++++++++++++++++
 ipaserver/install/cainstance.py                    |  18 +++-
 3 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100644 install/share/profiles/caIPAserviceCert.UPGRADE.cfg
diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am
index 640ca0a4a54c574da57b62b2b3c23f6db78df2fb..7f188e3fcac2ad80558399015d49216caa32c14b 100644
--- a/install/share/profiles/Makefile.am
+++ b/install/share/profiles/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)/profiles
 app_DATA =                \
     caIPAserviceCert.cfg        \
+    caIPAserviceCert.UPGRADE.cfg    \
     IECUserRoles.cfg        \
     KDCs_PKINIT_Certs.cfg        \
     $(NULL)
diff --git a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..1efd2066b9f75b4e26c390932353f20141d800b9
--- /dev/null
+++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg
@@ -0,0 +1,109 @@
+profileId=caIPAserviceCert
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b0e9e8757ec3e3c0d03ed930743ef5a1253b864a..62f79b28000b015edb66f4c39a270097ab3ed666 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1568,8 +1568,22 @@ def __get_profile_config(profile_id):
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
-    return ipautil.template_file(
-        '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+
+    # To work around lack of proper profile upgrade system, we ship
+    # two versions of some profiles - one for new installs only, and
+    # the other for upgrading to LDAP-based profiles in an existing
+    # deployment.
+    #
+    # Select UPGRADE version if we are in the 'updates' API context
+    # and an upgrade-specific version of the profile exists.
+    #
+    profile_filename = '/usr/share/ipa/profiles/{}.cfg'.format(profile_id)
+    profile_upg_filename = \
+        '/usr/share/ipa/profiles/{}.UPGRADE.cfg'.format(profile_id)
+    if api.env.context == 'updates' and os.path.isfile(profile_upg_filename):
+        profile_filename = profile_upg_filename
+
+    return ipautil.template_file(profile_filename, sub_dict)
 def import_included_profiles():
     server_id = installutils.realm_to_serverid(api.env.realm)
--
2.9.4
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
From f7b0cbd43590be6255d61b55cf6b06ffa3904e79 Mon Sep 17 00:00:00 2001
From 27b4f549af4f55b95ff44b9c5a59b9174ab7ad2e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
From 9800e6fcc16455635e2d774a33009d6fb02646db Mon Sep 17 00:00:00 2001
From 85ac8d7f55b26f7d783844acbf942f5db99d0a37 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
@@ -10,7 +10,7 @@
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index d7f8d11ec553cfe299937e1e5f8cc27caed32b08..a075cbb4e2bd6fb0fecfca96a1568c07a27080af 100644
index 721e512039a4d7f9d2ed94d7620b083732c56304..99e69d81dd4104063ac68a9429eeb53ee1d36245 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1285,6 +1285,7 @@ fi
@@ -22,7 +22,7 @@
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b0e9e8757ec3e3c0d03ed930743ef5a1253b864a..b0d8208cc05b94f697b7b8c81caee9d311e2d0f0 100644
index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7f89720a6 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1311,9 +1311,11 @@ def replica_ca_install_check(config, promote):
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
From 1c88c60dd72621e77fc2605e6bd4d670a3d65b1d Mon Sep 17 00:00:00 2001
From e419842024b0fc9a774988972fadcbaf4650c395 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
From c211f36d3cc765379ff0ae324dfb052d7ce13b99 Mon Sep 17 00:00:00 2001
From 12d2356795d64089ce2578031a1297d56c8048ce Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
@@ -75,7 +75,7 @@
 delete mode 100644 ipatests/test_ipaclient/test_csrgen.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a075cbb4e2bd6fb0fecfca96a1568c07a27080af..f4576927c9be3d7c7b7f971f0184cad3166083b7 100644
index 99e69d81dd4104063ac68a9429eeb53ee1d36245..3892e502c0c64cca25e2e50a0ff53a15a556d2f3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -194,7 +194,6 @@ BuildRequires:  python-sssdconfig
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -68,7 +68,7 @@
Name:           ipa
Version:        %{IPA_VERSION}
Release:        21%{?dist}
Release:        21%{?dist}.1.2
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -76,10 +76,10 @@
URL:            http://www.freeipa.org/
Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -288,6 +288,21 @@
Patch0202:      0202-ipa_pwd_extop-do-not-generate-NT-hashes-in-FIPS-mode.patch
Patch0203:      0203-Make-sure-we-check-ccaches-in-all-rpcserver-paths.patch
Patch0204:      0204-replica-install-drop-in-IPA-specific-config-to-tmpfi.patch
Patch0205:      0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch
Patch0206:      0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch
Patch0207:      0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch
Patch0208:      0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch
Patch0209:      0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch
Patch0210:      0210-delegate-the-indentation-handling-in-advises-to-dedi.patch
Patch0211:      0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch
Patch0212:      0212-delegate-formatting-of-compound-Bash-statements-to-d.patch
Patch0213:      0213-Fix-indentation-of-statements-in-Smart-card-advises.patch
Patch0214:      0214-Use-the-compound-statement-formatting-API-for-config.patch
Patch0215:      0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch
Patch0216:      0216-smart-card-advise-use-password-when-changing-trust-f.patch
Patch0217:      0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch
Patch0218:      0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch
Patch0219:      0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002:      1002-Package-copy-schema-to-ca.py.patch
@@ -514,8 +529,10 @@
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= %{slapi_nis_version}
Requires: pki-ca >= 10.3.5-11
Requires: pki-kra >= 10.3.5-11
# Required because of: https://bugzilla.redhat.com/show_bug.cgi?id=1475238
# related pki-core update: https://bugzilla.redhat.com/show_bug.cgi?id=1305993
Requires: pki-ca >= 10.4.0-1
Requires: pki-kra >= 10.4.0-1
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: policycoreutils >= 2.1.14-37
@@ -1087,10 +1104,10 @@
%endif # with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -1114,8 +1131,7 @@
%configure --with-vendor-suffix=-%{release} \
           %{enable_server_option} \
           %{with_ipatests_option} \
           %{linter_options} \
           --with-ipaplatform=rhel
           %{linter_options}
%make_build
@@ -1839,9 +1855,35 @@
%changelog
* Mon Jul 31 2017 CentOS Sources <bugs@centos.org> - 4.5.0-21.el7.centos
- Roll in CentOS Branding
- set ipaplatform to rhel for compatibilty for updates
* Wed Aug 16 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1.2
- Fixing issues reported by Errata tool
* Tue Aug 15 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1.1
- Resolves: #1477046 Use CommonNameToSANDefault in default profile
  (new installs only)
  - Restore old version of caIPAserviceCert for upgrade only
* Tue Aug 1 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1
- Resolves: #1473272 Provide a tooling automating the configuration
  of Smart Card authentication on a FreeIPA master
  - smart-card advises: configure systemwide NSS DB also on master
  - smart-card advises: add steps to store smart card signing CA cert
  - Allow to pass in multiple CA cert paths to the smart card advises
  - add a class that tracks the indentation in the generated advises
  - delegate the indentation handling in advises to dedicated class
  - advise: add an infrastructure for formatting Bash compound statements
  - delegate formatting of compound Bash statements to dedicated classes
  - Fix indentation of statements in Smart card advises
  - Use the compound statement formatting API for configuring PKINIT
  - smart card advises: use a wrapper around Bash `for` loops
  - smart card advise: use password when changing trust flags on HTTP cert
  - smart-card-advises: ensure that krb5-pkinit is installed on client
- Resolves: #1477046 Use CommonNameToSANDefault in default profile
  (new installs only)
  - Add CommonNameToSANDefault to default cert profile
- Resolves: #1475664 NULL LDAP context in call to ldap_search_ext_s
  during search in cn=ad,cn=trusts,dc=example,dc=com
  - NULL LDAP context in call to ldap_search_ext_s during search
* Wed Jul 12 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7
- Resolves: #1470125 Replica install fails to configure IPA-specific