The Identity, Policy and Audit system
CentOS Sources
2016-06-23 db5969ef1d220eb0c817ef53f22d74d97c0a0108
import ipa-4.2.0-15.el7_2.17
3 files added
1 files deleted
1 files modified
350 ■■■■ changed files
SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch 70
SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch 118
SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch 89
SOURCES/ipa-centos-branding.patch 38
SPECS/ipa.spec 35
SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch
New file
@@ -0,0 +1,70 @@
From 81d5888a2dc512cd0295b860cf8f408dea2e46a0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 11 May 2016 16:13:51 +1000
Subject: [PATCH] Prevent replica install from overwriting cert profiles
An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).
Avoid this situation by never overwriting existing profiles during
the LDAP import.
Fixes: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b06760308865aa42afac79d6750f4a422a5c8f95..50ca5d3aeb9be24d8e1e80ad408191fca76a459c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1763,7 +1763,9 @@ def import_included_profiles():
             conn.add_entry(entry)
             profile_data = ipautil.template_file(
                 '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Create the profile, replacing any existing profile of same name
+            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
     api.Backend.ra_certprofile.override_port = None
@@ -1815,12 +1817,17 @@ def migrate_profiles_to_ldap(dogtag_constants):
                 profile_data += '\n'
             profile_data += 'profileId={}\n'.format(profile_id)
             profile_data += 'classId={}\n'.format(class_id)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Import the profile, but do not replace it if it already exists.
+            # This prevents replicas from replacing IPA-managed profiles with
+            # Dogtag default profiles of same name.
+            #
+            _create_dogtag_profile(profile_id, profile_data, overwrite=False)
     api.Backend.ra_certprofile.override_port = None
-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
     with api.Backend.ra_certprofile as profile_api:
         # import the profile
         try:
@@ -1831,9 +1838,8 @@ def _create_dogtag_profile(profile_id, profile_data):
             root_logger.debug("Error migrating '{}': {}".format(
                 profile_id, e))
-            # conflicting profile; replace it if we are
-            # installing IPA, but keep it for upgrades
-            if api.env.context == 'installer':
+            # profile already exists
+            if overwrite:
                 try:
                     profile_api.disable_profile(profile_id)
                 except errors.RemoteRetrieveError:
--
2.5.5
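Review bot: The new `overwrite` parameter of `_create_dogtag_profile` is a required positional boolean with no docstring, so a reader of the `except` branch (whose `except` line sits above the last hunk) has to locate both call sites to learn what it controls; a short docstring stating that a true `overwrite` replaces an existing profile of the same name (the installer import at line 1766) while a false one keeps the existing profile (the LDAP migration at line 1827, so a replica never replaces an IPA-managed profile with Dogtag's default) would make the contract local. The replacement comment `# profile already exists` is also narrower than what is caught: any instance of the exception class named above the hunk is now treated as a name conflict, so a hedged wording such as `# assume the error is a name conflict; keep or replace per caller` keeps that assumption visible. Dropping the `api.env.context == 'installer'` test means the decision now rests entirely with the caller, which is fine as long as both call sites keep passing `overwrite` by keyword as they do here. The body of `_create_dogtag_profile` continues outside the hunk.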
SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
New file
@@ -0,0 +1,118 @@
From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 18 May 2016 14:10:39 +1000
Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config
A regression caused replica installation to replace the FreeIPA
version of caIPAserviceCert with the version shipped by Dogtag.
During upgrade, detect and repair occurrences of this problem.
Part of: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py     | 49 ++++++++++++++++++++++++++++++++++---
 ipaserver/install/server/upgrade.py |  3 +++
 2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
     conn.disconnect()
     return updated
-def import_included_profiles():
+
+def __get_profile_config(profile_id):
     sub_dict = dict(
         DOMAIN=ipautil.format_netloc(api.env.domain),
         IPA_CA_RECORD=IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
+    return ipautil.template_file(
+        '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+def import_included_profiles():
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
@@ -1761,10 +1765,9 @@ def import_included_profiles():
                 ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
             )
             conn.add_entry(entry)
-            profile_data = ipautil.template_file(
-                '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
             # Create the profile, replacing any existing profile of same name
+            profile_data = __get_profile_config(profile_id)
             _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
@@ -1772,6 +1775,46 @@ def import_included_profiles():
     conn.disconnect()
+def repair_profile_caIPAserviceCert():
+    """
+    A regression caused replica installation to replace the FreeIPA
+    version of caIPAserviceCert with the version shipped by Dogtag.
+
+    This function detects and repairs occurrences of this problem.
+
+    """
+    api.Backend.ra_certprofile._read_password()
+    api.Backend.ra_certprofile.override_port = 8443
+
+    profile_id = 'caIPAserviceCert'
+
+    with api.Backend.ra_certprofile as profile_api:
+        try:
+            cur_config = profile_api.read_profile(profile_id).splitlines()
+        except errors.RemoteRetrieveError as e:
+            # no profile there to check/repair
+            api.Backend.ra_certprofile.override_port = None
+            return
+
+    indicators = [
+        "policyset.serverCertSet.1.default.params.name="
+            "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
+        "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
+            "https://ipa.example.com/ipa/crl/MasterCRL.bin",
+        ]
+    need_repair = all(l in cur_config for l in indicators)
+
+    if need_repair:
+        root_logger.debug(
+            "Detected that profile '{}' has been replaced with "
+            "incorrect version; begin repair.".format(profile_id))
+        _create_dogtag_profile(
+            profile_id, __get_profile_config(profile_id), overwrite=True)
+        root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
+
+    api.Backend.ra_certprofile.override_port = None
+
+
 def migrate_profiles_to_ldap(dogtag_constants):
     """Migrate profiles from filesystem to LDAP.
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1554,6 +1554,9 @@ def upgrade_configuration():
     ca_import_included_profiles(ca)
     add_default_caacl(ca)
+    if ca.is_configured():
+        cainstance.repair_profile_caIPAserviceCert()
+
     set_sssd_domain_option('ipa_server_mode', 'True')
     if ds_running and not ds.is_running():
--
2.5.5
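Review bot: `repair_profile_caIPAserviceCert` resets `api.Backend.ra_certprofile.override_port` to `None` only on its two normal exits, so an exception escaping `read_profile` other than `RemoteRetrieveError`, or one escaping `_create_dogtag_profile` during the repair, leaves the backend pinned to port 8443 for the rest of `upgrade_configuration`; a `try/finally` around the body makes the reset unconditional. The unused `as e` in the except clause can go at the same time, and `l` as the comprehension variable is easy to misread as `1`. The double-underscore prefix on the new module-level `__get_profile_config` does not match the module's convention (`_create_dogtag_profile` beside it uses one underscore) and suggests name mangling that does not apply outside a class; `_get_profile_config` reads as intended. `upgrade_configuration` in upgrade.py starts and ends outside its hunk.
```python
def repair_profile_caIPAserviceCert():
    # … unchanged: docstring …
    api.Backend.ra_certprofile._read_password()
    api.Backend.ra_certprofile.override_port = 8443

    profile_id = 'caIPAserviceCert'

    try:
        with api.Backend.ra_certprofile as profile_api:
            try:
                cur_config = profile_api.read_profile(profile_id).splitlines()
            except errors.RemoteRetrieveError:
                # no profile there to check/repair
                return

        # … unchanged: indicator check and repair via _create_dogtag_profile …
    finally:
        # reset even when the read or the repair raises
        api.Backend.ra_certprofile.override_port = None
```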
SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch
New file
@@ -0,0 +1,89 @@
From d279db85dbf455a6cbdacc48cbbc2081a9be5252 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 23 May 2016 16:18:02 +0200
Subject: [PATCH] replica install: do not set CA renewal master flag
The CA renewal master flag was uncoditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.
Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.
https://fedorahosted.org/freeipa/ticket/5902
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/ca.py                        |  6 +++++-
 ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index b4db8dcbfad9d482e7106cd06b3d497ccf8954f0..aa3fe991bd958c59dc369f41d4bd6fdfceee9370 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -191,7 +191,11 @@ def install_step_1(standalone, replica_config, options):
         ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
     # We need to ldap_enable the CA now that DS is up and running
-    ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
+    if replica_config is None:
+        config = ['caRenewalMaster']
+    else:
+        config = []
+    ca.ldap_enable('CA', host_name, dm_password, basedn, config)
     # This is done within stopped_service context, which restarts CA
     ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index dae976f02dc7f963736ca57344345135dbc1fe3b..c0c655c912a6b02da11d0feb333716f7653768ed 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
         ldap = self.api.Backend.ldap2
         base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                      self.api.env.basedn)
+        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
         filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
         try:
             entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
             pass
         else:
             self.debug("found CA renewal master %s", entries[0].dn[1].value)
-            return False, []
+
+            master = False
+            updates = []
+
+            for entry in entries:
+                if entry.dn == dn:
+                    master = True
+                    continue
+
+                updates.append({
+                    'dn': entry.dn,
+                    'updates': [
+                        dict(action='remove', attr='ipaConfigString',
+                             value='caRenewalMaster')
+                    ],
+                })
+
+            if master:
+                return False, updates
+            else:
+                return False, []
         criteria = {
             'cert-database': paths.HTTPD_ALIAS_DIR,
@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater):
                     "assuming local CA is renewal slave", config)
                 return (False, False, [])
-        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
         update = {
                 'dn': dn,
                 'updates': [
--
2.5.5
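Review bot: The cleanup in `update_ca_renewal_master` removes stale `caRenewalMaster` flags only when the local host's own CA entry is among the flagged entries; if several masters are flagged and the upgrading host is not one of them, the branch still returns `False, []` and every flag stays, which is narrower than the commit message's "remove the flag from all but one IPA masters" (whether a later upgrade on a flagged master then cleans up is not visible here). Conversely, if two flagged masters run this updater at about the same time, each would queue removal of the other's flag and neither would keep it — an inference from the loop rather than something the hunk guards against, but worth a comment on the intended ordering. The debug line above the loop still reports only `entries[0]`, so when more than one master is flagged the log hides that; logging inside the loop, `self.debug("found CA renewal master %s", entry.dn[1].value)`, would show every flagged entry and which one is kept. The enclosing method of the updater starts and ends outside these hunks.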
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -35,7 +35,7 @@
Name:           ipa
Version:        4.2.0
Release:        15%{?dist}.15
Release:        15%{?dist}.17
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -43,10 +43,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -252,6 +252,9 @@
Patch0199:      0199-Fix-broken-trust-warnings.patch
Patch0200:      0200-replica-install-improvements-in-the-handling-of-CA-r.patch
Patch0201:      0201-certdb-never-use-the-r-option-of-certutil.patch
Patch0202:      0202-Prevent-replica-install-from-overwriting-cert-profil.patch
Patch0203:      0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
Patch0204:      0204-replica-install-do-not-set-CA-renewal-master-flag.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -263,7 +266,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -398,7 +400,7 @@
Requires: %{etc_systemd_dir}
Requires: gzip
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
@@ -607,10 +609,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
@@ -1207,8 +1209,15 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Thu May 12 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.15
- Roll in CentOS Branding
* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.17
- Resolves: #1339304 CA installed on replica is always marked as renewal master
  - replica install: do not set CA renewal master flag
* Fri May 20 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.16
- Resolves: #1337820 URI details missing and OCSP-URI details are incorrectly
  displayed when certificate generated using IPA on RHEL 7.2up2.
  - Prevent replica install from overwriting cert profiles
  - Detect and repair incorrect caIPAserviceCert config
* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.15
- Related: #1327197 Crash during IPA upgrade due to slapd