From 84ae8987aafe404c72b8057ad86b3a07d22de319 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 15 2022 15:36:47 +0000
Subject: import ipa-4.10.0-7.el9_1


---

diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
new file mode 100644
index 0000000..6ca8590
--- /dev/null
+++ b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
@@ -0,0 +1,62 @@
+From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Aug 2022 16:58:07 +0300
+Subject: [PATCH] fix canonicalization issue in Web UI
+
+When Kerberos principal alias is used to login to a Web UI, we end up
+with a request that is authenticated by a ticket issued in the alias
+name but metadata processed for the canonical user name. This confuses
+RPC layer of Web UI code and causes infinite loop to reload the page.
+
+Fix it by doing two things:
+
+ - force use of canonicalization of an enterprise principal on server
+   side, not just specifying that the principal is an enterprise one;
+
+ - recognize that a principal in the whoami()-returned object can have
+   aliases and the principal returned by the server in the JSON response
+   may be one of those aliases.
+
+Fixes: https://pagure.io/freeipa/issue/9226
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+---
+ install/ui/src/freeipa/ipa.js | 8 +++++++-
+ ipaserver/rpcserver.py        | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
+index 758db1b00..a08d632e9 100644
+--- a/install/ui/src/freeipa/ipa.js
++++ b/install/ui/src/freeipa/ipa.js
+@@ -271,7 +271,13 @@ var IPA = function () {
+                             var cn = that.whoami.data.krbcanonicalname;
+                             if (cn) that.principal = cn[0];
+                             if (!that.principal) {
+-                                that.principal = that.whoami.data.krbprincipalname[0];
++                                var principal = data.principal;
++                                var idx = that.whoami.data.krbprincipalname.indexOf(principal);
++                                if (idx > -1) {
++                                    that.principal = principal;
++                                } else {
++                                    that.principal = that.whoami.data.krbprincipalname[0];
++                                }
+                             }
+                         } else if (entity === 'idoverrideuser') {
+                             that.principal = that.whoami.data.ipaoriginaluid[0];
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 1f85e9898..4e8a08b66 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
+                 ccache_name,
+                 armor_ccache_name=armor_path,
+                 enterprise=True,
++                canonicalize=True,
+                 lifetime=self.api.env.kinit_lifetime)
+ 
+             if armor_path:
+-- 
+2.37.3
+
diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec
index a386ef9..fe340ad 100644
--- a/SPECS/freeipa.spec
+++ b/SPECS/freeipa.spec
@@ -198,7 +198,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?rc_version:.%rc_version}%{?dist}
+Release:        7%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -232,6 +232,7 @@ Patch0011:      0011-ipatests-Fix-expected-object-classes.patch
 Patch0012:      0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
 Patch0013:      0013-Set-default-gracelimit-on-group-password-policies-to.patch
 Patch0014:      0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
+Patch0015:      0015-fix-canonicalization-issue-in-Web-UI.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1740,6 +1741,10 @@ fi
 %endif
 
 %changelog
+* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
+- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
+- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]
+
 * Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
 - Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
 - Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI