From b39a248d1c804b9334b32bef4001ec26f8cebe8b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 09 2021 09:56:20 +0000
Subject: import ipa-4.9.6-6.module+el8.5.0+12661+bab6f12d
---
diff --git a/.gitignore b/.gitignore
index 01d0ddf..34c1a4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.2.tar.gz
+SOURCES/freeipa-4.9.6.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index 13b7ab7..ab790ce 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
+b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch b/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
deleted file mode 100644
index 5935601..0000000
--- a/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
+++ /dev/null
@@ -1,381 +0,0 @@ -From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Fri, 11 Dec 2020 07:35:59 +0200 -Subject: [PATCH] ipatests: add TestInstallWithoutSudo -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Test IPA servers and clients behavior when sudo is not installed. - -Fixes: https://pagure.io/freeipa/issue/8530 -Signed-off-by: François Cami -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud ---- - .../nightly_ipa-4-9_latest.yaml | 12 ++++ - .../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++ - .../nightly_ipa-4-9_previous.yaml | 12 ++++ - .../test_integration/test_installation.py | 66 +++++++++++++++++++ - 4 files changed, 103 insertions(+) - -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -index 3acd6a13c..d91b16cab 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -@@ -535,6 +535,18 @@ jobs: - timeout: 10800 - topology: *master_1repl - -+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo: -+ requires: [fedora-latest-ipa-4-9/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-9/build_url}' -+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo -+ template: *ci-ipa-4-9-latest -+ timeout: 4800 -+ topology: *master_1repl_1client -+ - fedora-latest-ipa-4-9/test_idviews: - requires: [fedora-latest-ipa-4-9/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -index c01192cf5..8adb06d0c 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml 
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -@@ -575,6 +575,19 @@ jobs: - timeout: 10800 - topology: *master_1repl - -+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo: -+ requires: [fedora-latest-ipa-4-9/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-9/build_url}' -+ selinux_enforcing: True -+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo -+ template: *ci-ipa-4-9-latest -+ timeout: 4800 -+ topology: *master_1repl_1client -+ - fedora-latest-ipa-4-9/test_idviews: - requires: [fedora-latest-ipa-4-9/build] - priority: 50 -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -index a6ea24f6a..2b5d4fd5e 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -@@ -535,6 +535,18 @@ jobs: - timeout: 10800 - topology: *master_1repl - -+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo: -+ requires: [fedora-previous-ipa-4-9/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-previous-ipa-4-9/build_url}' -+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo -+ template: *ci-ipa-4-9-previous -+ timeout: 4800 -+ topology: *master_1repl_1client -+ - fedora-previous-ipa-4-9/test_idviews: - requires: [fedora-previous-ipa-4-9/build] - priority: 50 -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index eb6f7d78e..6e8af024c 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest): - self.replicas[0].hostname], - stdin_text=dirman_password) - assert self.replicas[0].hostname not in cmd.stdout_text -+ -+ -+class 
TestInstallWithoutSudo(IntegrationTest): -+ -+ num_clients = 1 -+ num_replicas = 1 -+ no_sudo_str = "The sudo binary does not seem to be present on this" -+ -+ @classmethod -+ def install(cls, mh): -+ pass -+ -+ def test_sudo_removal(self): -+ # ipa-client makes sudo depend on libsss_sudo. -+ -+ # --nodeps is mandatory because dogtag uses sudo at install -+ # time until commit 49585867207922479644a03078c29548de02cd03 -+ # which is scheduled to land in 10.10. -+ -+ # This also means sudo+libsss_sudo cannot be uninstalled on -+ # IPA servers with a CA. -+ assert tasks.is_package_installed(self.clients[0], 'sudo') -+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo') -+ tasks.uninstall_packages( -+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True -+ ) -+ -+ def test_ipa_installation_without_sudo(self): -+ # FixMe: When Dogtag 10.10 is out, test installation without sudo -+ tasks.install_master(self.master, setup_dns=True) -+ -+ def test_replica_installation_without_sudo(self): -+ # FixMe: When Dogtag 10.10 is out, test replica installation -+ # without sudo and with CA -+ tasks.uninstall_packages( -+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True -+ ) -+ # One-step install is needed. -+ # With promote=True, two-step install is done and that only captures -+ # the ipa-replica-install stdout/stderr, not ipa-client-install's. 
-+ result = tasks.install_replica( -+ self.master, self.replicas[0], promote=False, -+ setup_dns=True, setup_ca=False -+ ) -+ assert self.no_sudo_str in result.stderr_text -+ -+ def test_client_installation_without_sudo(self): -+ result = tasks.install_client(self.master, self.clients[0]) -+ assert self.no_sudo_str in result.stderr_text -+ -+ def test_remove_sudo_on_ipa(self): -+ tasks.uninstall_packages( -+ self.master, ['sudo', 'libsss_sudo'], nodeps=True -+ ) -+ self.master.run_command( -+ ['ipactl', 'restart'] -+ ) -+ -+ def test_install_sudo_on_client(self): -+ """ Check that installing sudo pulls libsss_sudo in""" -+ for pkg in ('sudo', 'libsss_sudo'): -+ assert tasks.is_package_installed(self.clients[0], pkg) is False -+ tasks.uninstall_client(self.clients[0]) -+ tasks.install_packages(self.clients[0], ['sudo']) -+ for pkg in ('sudo', 'libsss_sudo'): -+ assert tasks.is_package_installed(self.clients[0], pkg) --- -2.29.2 - -From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Thu, 10 Dec 2020 08:35:12 +0200 -Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Handle package removal without taking dependencies into account. -E.g. add frontends for rpm -e --nodeps. 
- -Related: ipatests/pytest_ipa/integration/tasks.py -Signed-off-by: François Cami -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++----- - 1 file changed, 41 insertions(+), 10 deletions(-) - -diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py -index b91859816..2fe78367f 100755 ---- a/ipatests/pytest_ipa/integration/tasks.py -+++ b/ipatests/pytest_ipa/integration/tasks.py -@@ -29,6 +29,7 @@ import re - import collections - import itertools - import shutil -+import shlex - import copy - import subprocess - import tempfile -@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs): - return tmpdir - - --def uninstall_packages(host, pkgs): -+def uninstall_packages(host, pkgs, nodeps=False): - """Uninstall packages on a remote host. -- :param host: the host where the uninstallation takes place -- :param pkgs: packages to uninstall, provided as a list of strings -+ :param host: the host where the uninstallation takes place. -+ :param pkgs: packages to uninstall, provided as a list of strings. -+ :param nodeps: ignore dependencies (dangerous!). - """ - platform = get_platform(host) -- # Only supports RHEL 8+ and Fedora for now -- if platform in ('rhel', 'fedora'): -- install_cmd = ['/usr/bin/dnf', 'remove', '-y'] -- elif platform in ('ubuntu'): -- install_cmd = ['apt-get', 'remove', '-y'] -+ if platform not in ('rhel', 'fedora', 'ubuntu'): -+ raise ValueError('uninstall_packages: unknown platform %s' % platform) -+ if nodeps: -+ if platform in ('rhel', 'fedora'): -+ cmd = "rpm -e --nodeps" -+ elif platform in ('ubuntu'): -+ cmd = "dpkg -P --force-depends" -+ for package in pkgs: -+ uninstall_cmd = shlex.split(cmd) -+ uninstall_cmd.append(package) -+ # keep raiseonerr=True here. 
--fcami -+ host.run_command(uninstall_cmd) - else: -- raise ValueError('install_packages: unknown platform %s' % platform) -- host.run_command(install_cmd + pkgs, raiseonerr=False) -+ if platform in ('rhel', 'fedora'): -+ cmd = "/usr/bin/dnf remove -y" -+ elif platform in ('ubuntu'): -+ cmd = "apt-get remove -y" -+ uninstall_cmd = shlex.split(cmd) -+ uninstall_cmd.extend(pkgs) -+ host.run_command(uninstall_cmd, raiseonerr=False) - - - def wait_for_request(host, request_id, timeout=120): -@@ -2649,3 +2663,20 @@ def run_ssh_cmd( - assert "Authentication succeeded" not in stderr - assert "No more authentication methods to try." in stderr - return (return_code, stdout, stderr) -+ -+ -+def is_package_installed(host, pkg): -+ platform = get_platform(host) -+ if platform in ('rhel', 'fedora'): -+ result = host.run_command( -+ ['rpm', '-q', pkg], raiseonerr=False -+ ) -+ elif platform in ['ubuntu']: -+ result = host.run_command( -+ ['dpkg', '-s', pkg], raiseonerr=False -+ ) -+ else: -+ raise ValueError( -+ 'is_package_installed: unknown platform %s' % platform -+ ) -+ return result.returncode == 0 --- -2.29.2 - -From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Thu, 10 Dec 2020 08:15:22 +0200 -Subject: [PATCH] ipa-client-install: output a warning if sudo is not present -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes: https://pagure.io/freeipa/issue/8530 -Signed-off-by: François Cami -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/install/client.py | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 8acfa0cd1..0e478fa26 100644 ---- a/ipaclient/install/client.py -+++ 
b/ipaclient/install/client.py -@@ -24,6 +24,7 @@ import re - import SSSDConfig - import shutil - import socket -+import subprocess - import sys - import tempfile - import textwrap -@@ -2200,7 +2201,18 @@ def install_check(options): - "authentication resources", - rval=CLIENT_INSTALL_ERROR) - -- # when installing with '--no-sssd' option, check whether nss-ldap is -+ # When installing without the "--no-sudo" option, check whether sudo is -+ # available. -+ if options.conf_sudo: -+ try: -+ subprocess.Popen(['sudo -V']) -+ except FileNotFoundError: -+ logger.info( -+ "The sudo binary does not seem to be present on this " -+ "system. Please consider installing sudo if required." -+ ) -+ -+ # when installing with the '--no-sssd' option, check whether nss-ldap is - # installed - if not options.sssd: - if not os.path.exists(paths.PAM_KRB5_SO): --- -2.29.2 - -From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Thu, 10 Dec 2020 07:55:16 +0200 -Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On 10.10+ releases of Dogtag, the PKI installer will not depend -on sudo anymore. This opens the possibility of creating IPA servers -without a properly configured sudo. -In fact, even IPA clients should have sudo and libsss_sudo installed -in most cases, so add a weak dependency on both of them to the client -subpackage. -Also make sure libsss_sudo is installed if sudo is present. 
- -Fixes: https://pagure.io/freeipa/issue/8530 -Signed-off-by: François Cami -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Alexander Bokovoy -Reviewed-By: Armando Neto -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud ---- - freeipa.spec.in | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index ba52a3834..93e473ac4 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -640,6 +640,11 @@ Requires: nfs-utils - Requires: sssd-tools >= %{sssd_version} - Requires(post): policycoreutils - -+# https://pagure.io/freeipa/issue/8530 -+Recommends: libsss_sudo -+Recommends: sudo -+Requires: (libsss_sudo if sudo) -+ - Provides: %{alt_name}-client = %{version} - Conflicts: %{alt_name}-client - Obsoletes: %{alt_name}-client < %{version} --- -2.29.2 - diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch new file mode 100644 index 0000000..22f37ad --- /dev/null +++ b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch 
@@ -0,0 +1,136 @@ +From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Jun 2021 14:36:51 +0200 +Subject: [PATCH] paths: add IPA_SERVER_CONF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Related: https://pagure.io/freeipa/issue/8891 +Signed-off-by: François Cami +Reviewed-By: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + ipaplatform/base/paths.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index 91423b332..de217d9ef 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -71,6 +71,7 @@ class BasePathNamespace: + IPA_DEFAULT_CONF = "/etc/ipa/default.conf" + IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab" + IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab" ++ IPA_SERVER_CONF = "/etc/ipa/server.conf" + DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf" + DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf" + DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so" +-- +2.31.1 + +From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Jun 2021 14:45:49 +0200 +Subject: [PATCH] ipatests: smoke test for server debug mode. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add a smoke test to make sure the server can be set in debug mode +without issue. 
+ +Related: https://pagure.io/freeipa/issue/8891 +Signed-off-by: François Cami +Reviewed-By: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + .../test_integration/test_installation.py | 27 +++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 301767b8d..0c96536f0 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest): + def test_install_master(self): + tasks.install_master(self.master, setup_dns=False) + ++ @pytest.mark.skip_if_platform( ++ "debian", reason="This test hardcodes the httpd service name" ++ ) ++ def test_smoke_test_for_debug_mode(self): ++ """Test if an IPA server works in debug mode. ++ Related: https://pagure.io/freeipa/issue/8891 ++ ++ Note: this test hardcodes the "httpd" service name. ++ """ ++ ++ target_fname = paths.IPA_SERVER_CONF ++ assert not self.master.transport.file_exists(target_fname) ++ ++ # set the IPA server in debug mode ++ server_conf = "[global]\ndebug=True" ++ self.master.put_file_contents(target_fname, server_conf) ++ self.master.run_command(["systemctl", "restart", "httpd"]) ++ ++ # smoke test in debug mode ++ tasks.kdestroy_all(self.master) ++ tasks.kinit_admin(self.master) ++ self.master.run_command(["ipa", "user-show", "admin"]) ++ ++ # rollback ++ self.master.run_command(["rm", target_fname]) ++ self.master.run_command(["systemctl", "restart", "httpd"]) ++ + def test_schema_compat_attribute_and_tree_disable(self): + """Test if schema-compat-entry-attribute is set + +-- +2.31.1 + +From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 23 Jun 2021 06:35:19 +0200 +Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + 
+perf_counter_ns is only available in Python 3.7 and later. +Define a lambda for 3.6 and lower. + +Fixes: https://pagure.io/freeipa/issue/8891 +Signed-off-by: François Cami +Reviewed-By: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + ipaserver/rpcserver.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py +index b121316bf..e612528e0 100644 +--- a/ipaserver/rpcserver.py ++++ b/ipaserver/rpcserver.py +@@ -31,6 +31,7 @@ import os + import time + import traceback + from io import BytesIO ++from sys import version_info + from urllib.parse import parse_qs + from xmlrpc.client import Fault + +@@ -72,6 +73,10 @@ from requests.auth import AuthBase + if six.PY3: + unicode = str + ++# time.perf_counter_ns appeared in Python 3.7. ++if version_info < (3, 7): ++ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9) ++ + logger = logging.getLogger(__name__) + + HTTP_STATUS_SUCCESS = '200 Success' +-- +2.31.1 + diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch new file mode 100644 index 0000000..81b6c45 --- /dev/null +++ b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch 
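Review bot: The Python 3.6 shim in rpcserver.py rebinds `time.perf_counter_ns` on the shared stdlib module, so every other module loaded in the same interpreter (the whole mod_wsgi process) silently receives a float-derived substitute, and any code that probes `hasattr(time, "perf_counter_ns")` to detect the interpreter version is misled; a module-local fallback is the less surprising shape, e.g. `_perf_counter_ns = getattr(time, "perf_counter_ns", None) or (lambda: int(time.perf_counter() * 10**9))`, with the call sites (outside this hunk) switched to that name. Whichever form is kept, the comment should say what the fallback actually is: `# Python < 3.7 fallback: same clock as perf_counter(), scaled to integer ns; resolution is platform-dependent.` Separately, `test_smoke_test_for_debug_mode` writes `server.conf` with `debug=True` and only removes it after the `ipa user-show` assertion passes, so a failing smoke test leaves the master running in debug mode (presumably with a much chattier httpd error log) for every later test in `TestInstallMaster`; the `rm` and `systemctl restart httpd` rollback belongs in a `try`/`finally` block around the smoke-test body.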
@@ -0,0 +1,272 @@ +From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 8 Mar 2021 18:15:50 +0100 +Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA + services + +Authentication indicators should not be enforced against internal +IPA services, since not all users of those services are able to produce +Kerberos tickets with all the auth indicator options. This includes +host, ldap, HTTP and cifs in IPA server and cifs in IPA clients. +If a client that is being promoted to replica has an auth indicator +in its host principal then the promotion is aborted. + +Fixes: https://pagure.io/freeipa/issue/8206 +Signed-off-by: Antonio Torres +--- + ipaserver/install/server/replicainstall.py | 13 ++++++++++++ + ipaserver/plugins/host.py | 5 ++++- + ipaserver/plugins/service.py | 24 ++++++++++++++++++++++ + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 73967a224..f1fb91036 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): + )) + + ++def promotion_check_host_principal_auth_ind(conn, hostdn): ++ entry = conn.get_entry(hostdn, ['krbprincipalauthind']) ++ if 'krbprincipalauthind' in entry: ++ raise RuntimeError( ++ "Client cannot be promoted to a replica if the host principal " ++ "has an authentication indicator set." 
++ ) ++ ++ + @common_cleanup + @preserve_enrollment_state + def promote_check(installer): +@@ -956,6 +965,10 @@ def promote_check(installer): + config.master_host_name, None) + + promotion_check_ipa_domain(conn, remote_api.env.basedn) ++ hostdn = DN(('fqdn', api.env.host), ++ api.env.container_host, ++ api.env.basedn) ++ promotion_check_host_principal_auth_ind(conn, hostdn) + + # Make sure that domain fulfills minimal domain level + # requirement +diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py +index eb1f8ef04..41fa933e2 100644 +--- a/ipaserver/plugins/host.py ++++ b/ipaserver/plugins/host.py +@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, + LDAPAddAttributeViaOption, + LDAPRemoveAttributeViaOption) + from .service import ( +- validate_realm, normalize_principal, ++ validate_realm, validate_auth_indicator, normalize_principal, + set_certificate_attrs, ticket_flags_params, update_krbticketflags, + set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap, + rename_ipaallowedtoperform_to_ldap, revoke_certs) +@@ -735,6 +735,8 @@ class host_add(LDAPCreate): + update_krbticketflags(ldap, entry_attrs, attrs_list, options, False) + if 'krbticketflags' in entry_attrs: + entry_attrs['objectclass'].append('krbticketpolicyaux') ++ validate_auth_indicator(entry_attrs) ++ + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate): + if 'krbprincipalaux' not in (item.lower() for item in + entry_attrs['objectclass']): + entry_attrs['objectclass'].append('krbprincipalaux') ++ validate_auth_indicator(entry_attrs) + + add_sshpubkey_to_attrs_pre(self.context, attrs_list) + +diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py +index 1c9347804..cfbbff3c6 100644 +--- a/ipaserver/plugins/service.py ++++ b/ipaserver/plugins/service.py +@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal): + raise errors.RealmMismatch() + + ++def 
validate_auth_indicator(entry): ++ new_value = entry.get('krbprincipalauthind', None) ++ if not new_value: ++ return ++ # The following services are considered internal IPA services ++ # and shouldn't be allowed to have auth indicators. ++ # https://pagure.io/freeipa/issue/8206 ++ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) ++ principal = kerberos.Principal(pkey) ++ server = api.Command.server_find(principal.hostname)['result'] ++ if server: ++ prefixes = ("host", "cifs", "ldap", "HTTP") ++ else: ++ prefixes = ("cifs",) ++ if principal.service_name in prefixes: ++ raise errors.ValidationError( ++ name='krbprincipalauthind', ++ error=_('authentication indicators not allowed ' ++ 'in service "%s"' % principal.service_name) ++ ) ++ ++ + def normalize_principal(value): + """ + Ensure that the name in the principal is lower-case. The realm is +@@ -652,6 +674,7 @@ class service_add(LDAPCreate): + hostname) + + self.obj.validate_ipakrbauthzdata(entry_attrs) ++ validate_auth_indicator(entry_attrs) + + if not options.get('force', False): + # We know the host exists if we've gotten this far but we +@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate): + assert isinstance(dn, DN) + + self.obj.validate_ipakrbauthzdata(entry_attrs) ++ validate_auth_indicator(entry_attrs) + + # verify certificates + certs = entry_attrs.get('usercertificate') or [] +-- +2.31.1 + +From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 8 Mar 2021 18:20:35 +0100 +Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal + IPA services + +Authentication indicators should not be added to internal IPA services, +since this can lead to a broken IPA setup. In case a client with +an auth indicator set in its host principal, promoting it to a replica +should fail. 
+ +Related: https://pagure.io/freeipa/issue/8206 +Signed-off-by: Antonio Torres +--- + .../test_replica_promotion.py | 38 +++++++++++++++++++ + ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++ + ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++ + 3 files changed, 69 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 0a137dbdc..b9c56f775 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + assert result.returncode == 1 + assert expected_err in result.stderr_text + ++ @replicas_cleanup ++ def test_install_with_host_auth_ind_set(self): ++ """ A client shouldn't be able to be promoted if it has ++ any auth indicator set in the host principal. ++ https://pagure.io/freeipa/issue/8206 ++ """ ++ ++ client = self.replicas[0] ++ # Configure firewall first ++ Firewall(client).enable_services(["freeipa-ldap", ++ "freeipa-ldaps"]) ++ ++ client.run_command(['ipa-client-install', '-U', ++ '--domain', self.master.domain.name, ++ '--realm', self.master.domain.realm, ++ '-p', 'admin', ++ '-w', self.master.config.admin_password, ++ '--server', self.master.hostname, ++ '--force-join']) ++ ++ tasks.kinit_admin(client) ++ ++ client.run_command(['ipa', 'host-mod', '--auth-ind=otp', ++ client.hostname]) ++ ++ res = client.run_command(['ipa-replica-install', '-U', '-w', ++ self.master.config.dirman_password], ++ raiseonerr=False) ++ ++ client.run_command(['ipa', 'host-mod', '--auth-ind=', ++ client.hostname]) ++ ++ expected_err = ("Client cannot be promoted to a replica if the host " ++ "principal has an authentication indicator set.") ++ assert res.returncode == 1 ++ assert expected_err in res.stderr_text ++ ++ + @replicas_cleanup + def test_one_command_installation(self): + """ +diff --git a/ipatests/test_xmlrpc/test_host_plugin.py 
b/ipatests/test_xmlrpc/test_host_plugin.py +index c66bbc865..9cfde3565 100644 +--- a/ipatests/test_xmlrpc/test_host_plugin.py ++++ b/ipatests/test_xmlrpc/test_host_plugin.py +@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test): + error=u'An IPA master host cannot be deleted or disabled')): + command() + ++ def test_try_add_auth_ind_master(self, this_host): ++ command = this_host.make_update_command({ ++ u'krbprincipalauthind': u'radius'}) ++ with raises_exact(errors.ValidationError( ++ name='krbprincipalauthind', ++ error=u'authentication indicators not allowed ' ++ 'in service "host"' ++ )): ++ command() ++ + + @pytest.mark.tier1 + class TestValidation(XMLRPC_test): +diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py +index 4c845938c..ed634a045 100644 +--- a/ipatests/test_xmlrpc/test_service_plugin.py ++++ b/ipatests/test_xmlrpc/test_service_plugin.py +@@ -25,6 +25,7 @@ from ipalib import api, errors + from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash + from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer + from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test ++from ipatests.test_xmlrpc.xmlrpc_test import raises_exact + from ipatests.test_xmlrpc import objectclasses + from ipatests.test_xmlrpc.testcert import get_testcert, subject_base + from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn +@@ -1552,6 +1553,15 @@ def indicators_host(request): + return tracker.make_fixture(request) + + ++@pytest.fixture(scope='function') ++def this_host(request): ++ """Fixture for the current master""" ++ tracker = HostTracker(name=api.env.host.partition('.')[0], ++ fqdn=api.env.host) ++ tracker.exists = True ++ return tracker ++ ++ + @pytest.fixture(scope='function') + def indicators_service(request): + tracker = ServiceTracker( +@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test): + 
expected_updates={u'krbprincipalauthind': [u'radius']} + ) + ++ def test_update_indicator_internal_service(self, this_host): ++ command = this_host.make_command('service_mod', ++ 'ldap/' + this_host.fqdn, ++ **dict(krbprincipalauthind='otp')) ++ with raises_exact(errors.ValidationError( ++ name='krbprincipalauthind', ++ error=u'authentication indicators not allowed ' ++ 'in service "ldap"' ++ )): ++ command() ++ + + @pytest.fixture(scope='function') + def managing_host(request): +-- +2.31.1 + diff --git a/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch b/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch deleted file mode 100644 index 62e3fef..0000000 --- a/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch +++ /dev/null 
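Review bot: In `validate_auth_indicator` the error text is built as `_('authentication indicators not allowed in service "%s"' % principal.service_name)`, which passes the already-interpolated string to gettext, so the message can never match a catalog entry and is invisible to string extraction; it should be `_('authentication indicators not allowed in service "%s"') % principal.service_name` (both new XML-RPC tests compare the rendered text and keep passing). The server lookup `api.Command.server_find(principal.hostname)['result']` passes the hostname as positional search criteria, which in the IPA `*-find` commands is a substring match as far as I recall — if so, a host whose FQDN is a substring of a server's name is classified as a server and its `host/`, `ldap/` and `HTTP/` principals are refused indicators they may legitimately carry; `api.Command.server_find(cn=principal.hostname)['result']` (or `server_show` under `except errors.NotFound`) pins it to an exact match, please confirm against the `server` plugin. The validator also runs from `host_add`/`host_mod`, where `entry.dn` is `fqdn=…,cn=computers,…` rather than a service DN, and the hunk relies on `api.Object['service'].get_primary_key_from_dn` still yielding a `host/…` principal there; `test_try_add_auth_ind_master` shows it works for an existing master, but a one-line comment on why a host DN resolves correctly would save the next reader a trip through baseldap. Finally, as far as this hunk shows the restriction lives only in the command layer, so a caller with LDAP write access to `krbprincipalauthind` can still set it directly — worth stating in a `validate_auth_indicator` docstring that this guards against accidental lock-out of internal services rather than acting as a security boundary.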
@@ -1,60 +0,0 @@ -From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001 -From: Kaleemullah Siddiqui -Date: Wed, 17 Feb 2021 19:43:00 +0530 -Subject: [PATCH] ipatests: error message check in uninstall log for KRA - -This test checks that there is no error message in uninstall -log for KRA instance when IPA was installed with KRA. - -related: https://pagure.io/freeipa/issue/8550 - -Signed-off-by: Kaleemullah Siddiqui -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - .../test_backup_and_restore.py | 22 ++++++++++++++++--- - 1 file changed, 19 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py -index f13dfb5cb..6890ef201 100644 ---- a/ipatests/test_integration/test_backup_and_restore.py -+++ b/ipatests/test_integration/test_backup_and_restore.py -@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest): - - backup_path = tasks.get_backup_dir(self.master) - -- self.master.run_command(['ipa-server-install', -- '--uninstall', -- '-U']) -+ # check that no error message in uninstall log for KRA instance -+ cmd = self.master.run_command(['ipa-server-install', -+ '--uninstall', -+ '-U']) -+ assert "failed to uninstall KRA" not in cmd.stderr_text - - if reinstall: - tasks.install_master(self.master, setup_dns=True) -@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA): - """backup, uninstall, reinstall, restore""" - self._full_backup_restore_with_vault(reinstall=True) - -+ def test_no_error_message_with_uninstall_ipa_with_kra(self): -+ """Test there is no error message in uninstall log for KRA instance -+ -+ There was error message in uninstall log when IPA with KRA was -+ uninstalled. This test check that there is no error message in -+ uninstall log for kra instance. 
-+ -+ related: https://pagure.io/freeipa/issue/8550 -+ """ -+ cmd = self.master.run_command(['ipa-server-install', -+ '--uninstall', -+ '-U']) -+ assert "failed to uninstall KRA" not in cmd.stderr_text -+ - - class TestBackupAndRestoreWithReplica(IntegrationTest): - """Regression tests for issues 7234 and 7455 --- -2.29.2 - diff --git a/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch b/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch deleted file mode 100644 index 151805c..0000000 --- a/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001 -From: Sergey Orlov -Date: Tue, 16 Feb 2021 12:32:55 +0100 -Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS - mode - -Related to https://pagure.io/freeipa/issue/8715 - -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 3e522617d..c8a348212 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -5,6 +5,7 @@ from __future__ import absolute_import - import re - import textwrap - import time -+import functools - - import pytest - -@@ -13,6 +14,7 @@ from ipaplatform.paths import paths - - from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks -+from ipatests.pytest_ipa.integration import fips - from ipapython.dn import DN - from collections import namedtuple - from contextlib import contextmanager -@@ -20,6 +22,18 @@ from contextlib import contextmanager - TestDataRule = namedtuple('TestDataRule', - ['name', 'ruletype', 'user', 'subject']) - -+ -+def skip_in_fips_mode_due_to_issue_8715(test_method): -+ @functools.wraps(test_method) -+ def wrapper(instance): -+ if fips.is_fips_enabled(instance.master): -+ pytest.skip('Skipping in FIPS mode due to ' -+ 'https://pagure.io/freeipa/issue/8715') -+ else: -+ test_method(instance) -+ return wrapper -+ -+ - class BaseTestTrust(IntegrationTest): - num_clients = 1 - topology = 'line' -@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust): - - # Test for one-way forest trust with shared secret - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_establish_forest_trust_with_shared_secret(self): - tasks.configure_dns_for_trust(self.master, self.ad) - tasks.configure_windows_dns_for_trust(self.ad, self.master) -@@ -775,6 
+790,7 @@ class TestTrust(BaseTestTrust): - tasks.establish_trust_with_ad( - self.master, self.ad_domain, shared_secret=self.shared_secret) - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_trustdomains_found_in_forest_trust_with_shared_secret(self): - result = self.master.run_command( - ['ipa', 'trust-fetch-domains', self.ad.domain.name], -@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust): - self.check_trustdomains( - self.ad_domain, [self.ad_domain, self.ad_subdomain]) - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self): - """Check that user has SID-generated UID""" - # Using domain name since it is lowercased realm name for AD domains -@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust): - assert re.search( - testuser_regex, result.stdout_text), result.stdout_text - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_remove_forest_trust_with_shared_secret(self): - ps_cmd = ( - '[System.DirectoryServices.ActiveDirectory.Forest]' -@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust): - - # Test for one-way external trust with shared secret - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_establish_external_trust_with_shared_secret(self): - tasks.configure_dns_for_trust(self.master, self.ad) - tasks.configure_windows_dns_for_trust(self.ad, self.master) -@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust): - self.master, self.ad_domain, shared_secret=self.shared_secret, - extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_trustdomains_found_in_external_trust_with_shared_secret(self): - result = self.master.run_command( - ['ipa', 'trust-fetch-domains', self.ad.domain.name], -@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust): - self.check_trustdomains( - self.ad_domain, [self.ad_domain]) - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_user_uid_resolution_in_external_trust_with_shared_secret(self): - """Check that user has 
SID-generated UID""" - # Using domain name since it is lowercased realm name for AD domains -@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust): - assert re.search( - testuser_regex, result.stdout_text), result.stdout_text - -+ @skip_in_fips_mode_due_to_issue_8715 - def test_remove_external_trust_with_shared_secret(self): - self.ad.run_command( - ['netdom.exe', 'trust', self.master.domain.name, --- -2.29.2 - diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch new file mode 100644 index 0000000..7934afd --- /dev/null +++ b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch 
@@ -0,0 +1,89 @@
+From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Mon, 5 Jul 2021 09:51:41 +0200
+Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
+
+The command
+ipa stageuser-add --user-auth-type=xxx
+is currently failing because the objectclass ipauserauthtypeclass
+is missing from the created entry.
+
+There is code adding the missing objectclass in the
+pre_common_callback method of user_add, and this code should
+be common to user_add and stageuser_add. In order to avoid code
+duplication, it makes more sense to move the existing code to
+pre_common_callback of baseuser_add, that is called by both
+classes.
+
+Fixes: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/plugins/baseuser.py | 3 +++
+ ipaserver/plugins/user.py | 4 ----
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index ae16a978a..6035228f1 100644
+--- a/ipaserver/plugins/baseuser.py
++++ b/ipaserver/plugins/baseuser.py
+@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
+ if entry_attrs.get('ipatokenradiususername', None):
+ add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
+ entry_attrs, update=False)
++ if entry_attrs.get('ipauserauthtype', None):
++ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
++ entry_attrs, update=False)
+ 
+ def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ assert isinstance(dn, DN)
+diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
+index 6f7facb53..e4ee572b2 100644
+--- a/ipaserver/plugins/user.py
++++ b/ipaserver/plugins/user.py
+@@ -617,10 +617,6 @@ class user_add(baseuser_add):
+ 'ipauser' not in entry_attrs['objectclass']:
+ entry_attrs['objectclass'].append('ipauser')
+ 
+- if 'ipauserauthtype' in entry_attrs and \
+- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
+- entry_attrs['objectclass'].append('ipauserauthtypeclass')
+-
+ rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
+ if rcl:
+ if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
+-- 
+2.31.1
+
+From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Mon, 5 Jul 2021 10:22:31 +0200
+Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
+
+Related: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+---
+ ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+index 5586fc607..bc606b093 100644
+--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
+ result = command()
+ assert result['count'] == 1
+ 
++ def test_create_withuserauthtype(self, stageduser):
++ stageduser.ensure_missing()
++ command = stageduser.make_create_command(
++ options={u'ipauserauthtype': u'password'})
++ command()
++
+ 
+ @pytest.mark.tier1
+ class TestCreateInvalidAttributes(XMLRPC_test):
+-- 
+2.31.1
+
diff --git a/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch b/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
deleted file mode 100644
index fe28854..0000000
--- a/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
+++ /dev/null
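Review bot: The new `test_create_withuserauthtype` only proves that `stageuser-add --user-auth-type=password` no longer raises; it never checks that the auth type was actually stored, which is the security-relevant outcome, since `ipauserauthtype` decides which authentication methods the account will be allowed to use once activated. Capture the result and pin it: `result = command()` followed by `assert result['result']['ipauserauthtype'] == (u'password',)`, and, if the tracker returns `objectclass`, also `assert u'ipauserauthtypeclass' in result['result']['objectclass']`. The moved code only covers the add path via `baseuser_add.pre_common_callback`; whether `stageuser-mod --user-auth-type` on a staged entry created without the attribute also gains the objectclass is not visible here and deserves its own test. `pre_common_callback` starts and ends outside the hunk.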
@@ -1,347 +0,0 @@ -From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 3 Feb 2021 15:52:05 -0500 -Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname - -The nickname of the 389-ds certificate was hardcoded as -Server-Cert which failed if the user had installed a -third-party certificate using ipa-server-certinstall. - -Instead pull the nickname from the DS configuration and -retrieve it based on that. - -https://pagure.io/freeipa/issue/8600 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py -index 2f2c15613..29af89cd5 100644 ---- a/ipaserver/install/ipa_cert_fix.py -+++ b/ipaserver/install/ipa_cert_fix.py -@@ -203,9 +203,12 @@ def expired_ipa_certs(now): - certs.append((IPACertType.HTTPS, cert)) - - # LDAPS -- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm)) -+ serverid = realm_to_serverid(api.env.realm) -+ ds = dsinstance.DsInstance(realm_name=api.env.realm) -+ ds_dbdir = dsinstance.config_dirname(serverid) -+ ds_nickname = ds.get_server_cert_nickname(serverid) - db = NSSDatabase(nssdir=ds_dbdir) -- cert = db.get_cert('Server-Cert') -+ cert = db.get_cert(ds_nickname) - if cert.not_valid_after <= now: - certs.append((IPACertType.LDAPS, cert)) - -@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs): - elif certtype is IPACertType.HTTPS: - shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE) - elif certtype is IPACertType.LDAPS: -- ds_dbdir = dsinstance.config_dirname( -- realm_to_serverid(api.env.realm)) -+ serverid = realm_to_serverid(api.env.realm) -+ ds = dsinstance.DsInstance(realm_name=api.env.realm) -+ ds_dbdir = dsinstance.config_dirname(serverid) - db = NSSDatabase(nssdir=ds_dbdir) -- db.delete_cert('Server-Cert') -- 
db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path) -+ ds_nickname = ds.get_server_cert_nickname(serverid) -+ db.delete_cert(ds_nickname) -+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path) - elif certtype is IPACertType.KDC: - shutil.copyfile(cert_path, paths.KDC_CERT) - --- -2.29.2 - -From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 4 Feb 2021 08:25:48 -0500 -Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix - -ipa-cert-fix was hardcoded to use Server-Cert as the nickname -so would fail if a third-party certificate was installed for DS. - -https://pagure.io/freeipa/issue/8600 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++ - 1 file changed, 57 insertions(+) - -diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py -index 2f7de5526..f9e5fe6e2 100644 ---- a/ipatests/test_integration/test_ipa_cert_fix.py -+++ b/ipatests/test_integration/test_ipa_cert_fix.py -@@ -11,6 +11,17 @@ import time - from ipaplatform.paths import paths - from ipatests.pytest_ipa.integration import tasks - from ipatests.test_integration.base import IntegrationTest -+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup -+ -+ -+def server_install_teardown(func): -+ def wrapped(*args): -+ master = args[0].master -+ try: -+ func(*args) -+ finally: -+ ipa_certs_cleanup(master) -+ return wrapped - - - class TestIpaCertFix(IntegrationTest): -@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest): - else: - # timeout - raise AssertionError('Timeout: Failed to renew all the certs') -+ -+ -+class TestIpaCertFixThirdParty(CALessBase): -+ """ -+ Test that ipa-cert-fix works with an installation with custom certs. 
-+ """ -+ -+ @classmethod -+ def install(cls, mh): -+ cls.nickname = 'ca1/server' -+ -+ super(TestIpaCertFixThirdParty, cls).install(mh) -+ tasks.install_master(cls.master, setup_dns=True) -+ -+ @server_install_teardown -+ def test_third_party_certs(self): -+ self.create_pkcs12(self.nickname, -+ password=self.cert_password, -+ filename='server.p12') -+ self.prepare_cacert('ca1') -+ -+ # We have a chain length of one. If this is extended then the -+ # additional cert names will need to be calculated. -+ nick_chain = self.nickname.split('/') -+ ca_cert = '%s.crt' % nick_chain[0] -+ -+ # Add the CA to the IPA store -+ self.copy_cert(self.master, ca_cert) -+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert]) -+ -+ # Apply the new cert chain otherwise ipa-server-certinstall will fail -+ self.master.run_command(['ipa-certupdate']) -+ -+ # Install the updated certs and restart the world -+ self.copy_cert(self.master, 'server.p12') -+ args = ['ipa-server-certinstall', -+ '-p', self.master.config.dirman_password, -+ '--pin', self.master.config.admin_password, -+ '-d', 'server.p12'] -+ self.master.run_command(args) -+ self.master.run_command(['ipactl', 'restart',]) -+ -+ # Run ipa-cert-fix. This is basically a no-op but tests that -+ # the DS nickname is used and not a hardcoded value. 
-+ result = self.master.run_command(['ipa-cert-fix', '-v'],) -+ assert self.nickname in result.stderr_text --- -2.29.2 - -From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 5 Feb 2021 09:00:54 -0500 -Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug - -Related: https://github.com/dogtagpki/pki/issues/3387 -Reviewed-By: Florence Blanc-Renaud ---- - freeipa.spec.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 93e473ac4..0e261285b 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -128,11 +128,11 @@ - %if 0%{?rhel} == 8 - # PKIConnection has been modified to always validate certs. - # https://pagure.io/freeipa/issue/8379 --%global pki_version 10.9.0-0.4 -+%global pki_version 10.10.4-1 - %else - # New KRA profile, ACME support - # https://pagure.io/freeipa/issue/8545 --%global pki_version 10.10.0-2 -+%global pki_version 10.10.3-1 - %endif - - # RHEL 8.3+, F32+ has 0.79.13 --- -2.29.2 - -From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 10 Feb 2021 16:07:13 -0500 -Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix - -If the Apache, 389-ds or KDC certificate was issued by -a third party there is nothing we can do, regardless of -whether it is expired or not. - -Report which certificates will not be renewed so the -admin can manually do do (likely in the event of a -third-party certificate). 
- -https://pagure.io/freeipa/issue/8600 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------ - 1 file changed, 43 insertions(+), 10 deletions(-) - -diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py -index 29af89cd5..210cf80f1 100644 ---- a/ipaserver/install/ipa_cert_fix.py -+++ b/ipaserver/install/ipa_cert_fix.py -@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS - from ipapython.dn import DN - from ipapython.ipaldap import realm_to_serverid - from ipaserver.install import ca, cainstance, dsinstance -+from ipaserver.install.certs import is_ipa_issued_cert - from ipapython import directivesetter - from ipapython import ipautil - -@@ -104,6 +105,13 @@ class IPACertFix(AdminTool): - - api.bootstrap(in_server=True, confdir=paths.ETC_IPA) - api.finalize() -+ -+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)): -+ print( -+ "The LDAP server is not running; cannot proceed." 
-+ ) -+ return 1 -+ - api.Backend.ldap2.connect() # ensure DS is up - - subject_base = dsinstance.DsInstance().find_subject_base() -@@ -113,7 +121,7 @@ class IPACertFix(AdminTool): - ca_subject_dn = ca.lookup_ca_subject(api, subject_base) - - now = datetime.datetime.now() + datetime.timedelta(weeks=2) -- certs, extra_certs = expired_certs(now) -+ certs, extra_certs, non_renewed = expired_certs(now) - - if not certs and not extra_certs: - print("Nothing to do.") -@@ -121,7 +129,7 @@ class IPACertFix(AdminTool): - - print(msg) - -- print_intentions(certs, extra_certs) -+ print_intentions(certs, extra_certs, non_renewed) - - response = ipautil.user_input('Enter "yes" to proceed') - if response.lower() != 'yes': -@@ -133,7 +141,10 @@ class IPACertFix(AdminTool): - fix_certreq_directives(certs) - run_cert_fix(certs, extra_certs) - except ipautil.CalledProcessError: -- if any(x[0] is IPACertType.LDAPS for x in extra_certs): -+ if any( -+ x[0] is IPACertType.LDAPS -+ for x in extra_certs + non_renewed -+ ): - # The DS cert was expired. This will cause - # 'pki-server cert-fix' to fail at the final - # restart. 
Therefore ignore the CalledProcessError -@@ -152,13 +163,15 @@ class IPACertFix(AdminTool): - print("Becoming renewal master.") - cainstance.CAInstance().set_renewal_master() - -+ print("Restarting IPA") - ipautil.run(['ipactl', 'restart'], raiseonerr=True) - - return 0 - - - def expired_certs(now): -- return expired_dogtag_certs(now), expired_ipa_certs(now) -+ expired_ipa, non_renew_ipa = expired_ipa_certs(now) -+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa - - - def expired_dogtag_certs(now): -@@ -191,6 +204,7 @@ def expired_ipa_certs(now): - - """ - certs = [] -+ non_renewed = [] - - # IPA RA - cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM) -@@ -200,7 +214,10 @@ def expired_ipa_certs(now): - # Apache HTTPD - cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE) - if cert.not_valid_after <= now: -- certs.append((IPACertType.HTTPS, cert)) -+ if not is_ipa_issued_cert(api, cert): -+ non_renewed.append((IPACertType.HTTPS, cert)) -+ else: -+ certs.append((IPACertType.HTTPS, cert)) - - # LDAPS - serverid = realm_to_serverid(api.env.realm) -@@ -210,18 +227,24 @@ def expired_ipa_certs(now): - db = NSSDatabase(nssdir=ds_dbdir) - cert = db.get_cert(ds_nickname) - if cert.not_valid_after <= now: -- certs.append((IPACertType.LDAPS, cert)) -+ if not is_ipa_issued_cert(api, cert): -+ non_renewed.append((IPACertType.LDAPS, cert)) -+ else: -+ certs.append((IPACertType.LDAPS, cert)) - - # KDC - cert = x509.load_certificate_from_file(paths.KDC_CERT) - if cert.not_valid_after <= now: -- certs.append((IPACertType.KDC, cert)) -+ if not is_ipa_issued_cert(api, cert): -+ non_renewed.append((IPACertType.HTTPS, cert)) -+ else: -+ certs.append((IPACertType.KDC, cert)) - -- return certs -+ return certs, non_renewed - - --def print_intentions(dogtag_certs, ipa_certs): -- print("The following certificates will be renewed: ") -+def print_intentions(dogtag_certs, ipa_certs, non_renewed): -+ print("The following certificates will be renewed:") - print() - - 
for certid, cert in dogtag_certs: -@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs): - for certtype, cert in ipa_certs: - print_cert_info("IPA", certtype.value, cert) - -+ if non_renewed: -+ print( -+ "The following certificates will NOT be renewed because " -+ "they were not issued by the IPA CA:" -+ ) -+ print() -+ -+ for certtype, cert in non_renewed: -+ print_cert_info("IPA", certtype.value, cert) -+ - - def print_cert_info(context, desc, cert): - print("{} {} certificate:".format(context, desc)) --- -2.29.2 - diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch new file mode 100644 index 0000000..83182ce --- /dev/null +++ b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch 
@@ -0,0 +1,35 @@
+From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 7 Jul 2021 14:11:40 +0200
+Subject: [PATCH] man page: update ipa-server-upgrade.1
+
+The man page needs to clarify in which case the command needs
+to be run.
+
+Fixes: https://pagure.io/freeipa/issue/8913
+Reviewed-By: Francois Cami
+---
+ install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
+index 3db19b0f1..f01e21c6b 100644
+--- a/install/tools/man/ipa-server-upgrade.1
++++ b/install/tools/man/ipa-server-upgrade.1
+@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
+ .SH "SYNOPSIS"
+ ipa\-server\-upgrade [options]
+ .SH "DESCRIPTION"
+-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
++ipa\-server\-upgrade is executed automatically to upgrade IPA server when
++the IPA packages are being updated. It is not intended to be executed by
++end\-users, unless the automatic execution reports an error. In this case,
++the administrator needs to identify and fix the issue that is causing the
++upgrade failure (with the help of /var/log/ipaupgrade.log)
++and manually re\-run ipa\-server\-upgrade.
+ 
+ ipa\-server\-upgrade will:
+ 
+-- 
+2.31.1
+
diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
new file mode 100644
index 0000000..069d106
--- /dev/null
+++ b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
@@ -0,0 +1,69 @@
+From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 12 Jul 2021 11:02:10 -0400
+Subject: [PATCH] Fall back to krbprincipalname when validating host auth
+ indicators
+
+When adding a new host the principal cannot be determined because it
+relies on either:
+
+a) an entry to already exist
+b) krbprincipalname be a component of the dn
+
+As a result the full dn is being passed into ipapython.Kerberos
+which can't parse it.
+
+Look into the entry in validate_validate_auth_indicator() for
+krbprincipalname in this case.
+
+https://pagure.io/freeipa/issue/8206
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/plugins/service.py | 5 +++++
+ ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index cfbbff3c6..498f5e444 100644
+--- a/ipaserver/plugins/service.py
++++ b/ipaserver/plugins/service.py
+@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
+ # and shouldn't be allowed to have auth indicators.
+ # https://pagure.io/freeipa/issue/8206
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
++ if pkey == str(entry.dn):
++ # krbcanonicalname may not be set yet if this is a host entry,
++ # try krbprincipalname
++ if 'krbprincipalname' in entry:
++ pkey = entry['krbprincipalname']
+ principal = kerberos.Principal(pkey)
+ server = api.Command.server_find(principal.hostname)['result']
+ if server:
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index 9cfde3565..ff50e796c 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
++++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
+ )):
+ command()
+ 
++ def test_add_non_master_with_auth_ind(self, host5):
++ host5.ensure_missing()
++ command = host5.make_command(
++ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
++ force=True
++ )
++ result = command()
++ # The fact that the command succeeds exercises the change but
++ # let's check the indicator as well.
++ assert result['result']['krbprincipalauthind'] == ('radius',)
++
+ 
+ @pytest.mark.tier1
+ class TestValidation(XMLRPC_test):
+-- 
+2.31.1
+
diff --git a/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch b/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
deleted file mode 100644
index ed56ec8..0000000
--- a/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
+++ /dev/null
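Review bot: The fallback assigns `entry['krbprincipalname']` directly to `pkey`, but if `entry` is an `LDAPEntry` (it exposes `.dn`, so it appears to be), item access yields the list of attribute values rather than one string, so `kerberos.Principal(pkey)` would be handed a list; the usual idiom is `pkey = entry.single_value['krbprincipalname']`, which also fails loudly on a multi-valued attribute instead of silently picking one, and this is worth confirming against the new host_add test. The branch is also silent when `krbprincipalname` is absent, in which case `kerberos.Principal(str(dn))` still fails with the original parse error; a comment like `# no principal known yet: let Principal() reject the bare DN` would make that deliberate. The added test only covers the success path for a non-master host; a companion case asserting that an auth indicator on an IPA master's host principal is still refused would pin the protective behaviour this function exists for. `validate_auth_indicator` begins and ends outside the hunk.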
@@ -1,135 +0,0 @@ -From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001 -From: Sergey Orlov -Date: Wed, 17 Feb 2021 16:48:33 +0100 -Subject: [PATCH] ipatests: test Samba mount with NTLM authentication - -Related to https://pagure.io/freeipa/issue/8636 - -Reviewed-By: Alexander Bokovoy ---- - ipatests/pytest_ipa/integration/__init__.py | 17 ++++++ - ipatests/test_integration/test_smb.py | 63 +++++++++++++++++++++ - 2 files changed, 80 insertions(+) - -diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py -index 55291ae8b..f62b667bd 100644 ---- a/ipatests/pytest_ipa/integration/__init__.py -+++ b/ipatests/pytest_ipa/integration/__init__.py -@@ -28,12 +28,14 @@ import os - import tempfile - import shutil - import re -+import functools - - import pytest - from pytest_multihost import make_multihost_fixture - - from ipapython import ipautil - from ipaplatform.paths import paths -+from . import fips - from .config import Config - from .env_config import get_global_config - from . 
import tasks -@@ -478,3 +480,18 @@ def del_compat_attrs(cls): - del cls.ad_subdomains - del cls.ad_treedomains - del cls.ad_domains -+ -+ -+def skip_if_fips(reason='Not supported in FIPS mode', host='master'): -+ if callable(reason): -+ raise TypeError('Invalid decorator usage, add "()"') -+ -+ def decorator(test_method): -+ @functools.wraps(test_method) -+ def wrapper(instance, *args, **kwargs): -+ if fips.is_fips_enabled(getattr(instance, host)): -+ pytest.skip(reason) -+ else: -+ test_method(instance, *args, **kwargs) -+ return wrapper -+ return decorator -diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py -index 37725ab15..749a96325 100644 ---- a/ipatests/test_integration/test_smb.py -+++ b/ipatests/test_integration/test_smb.py -@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks - from ipaplatform.osinfo import osinfo - from ipaplatform.paths import paths -+from ipatests.pytest_ipa.integration import skip_if_fips - - - def wait_smbd_functional(host): -@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest): - finally: - self.cleanup_mount(mountpoint) - -+ def check_repeated_smb_mount(self, options): -+ mountpoint = '/mnt/smb' -+ unc = '//{}/homes'.format(self.smbserver.hostname) -+ test_file = 'ntlm_test' -+ test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file) -+ test_file_client_path = '{}/{}'.format(mountpoint, test_file) -+ -+ self.smbclient.run_command(['mkdir', '-p', mountpoint]) -+ self.smbserver.put_file_contents(test_file_server_path, '') -+ try: -+ for i in [1, 2]: -+ res = self.smbclient.run_command([ -+ 'mount', '-t', 'cifs', unc, mountpoint, '-o', options], -+ raiseonerr=False) -+ assert res.returncode == 0, ( -+ 'Mount failed at iteration {}. 
Output: {}' -+ .format(i, res.stdout_text + res.stderr_text)) -+ assert self.smbclient.transport.file_exists( -+ test_file_client_path) -+ self.smbclient.run_command(['umount', mountpoint]) -+ finally: -+ self.cleanup_mount(mountpoint) -+ self.smbserver.run_command(['rm', '-f', test_file_server_path]) -+ -+ @skip_if_fips() -+ def test_ntlm_authentication_with_auto_domain(self): -+ """Repeatedly try to authenticate with username and password with -+ automatic domain discovery. -+ -+ This is a regression test for https://pagure.io/freeipa/issue/8636 -+ """ -+ tasks.kdestroy_all(self.smbclient) -+ -+ mount_options = 'user={user},pass={password},domainauto'.format( -+ user=self.ipa_user1, -+ password=self.ipa_user1_password -+ ) -+ -+ self.check_repeated_smb_mount(mount_options) -+ -+ @skip_if_fips() -+ def test_ntlm_authentication_with_upn_with_lowercase_domain(self): -+ tasks.kdestroy_all(self.smbclient) -+ -+ mount_options = 'user={user}@{domain},pass={password}'.format( -+ user=self.ipa_user1, -+ password=self.ipa_user1_password, -+ domain=self.master.domain.name.lower() -+ ) -+ self.check_repeated_smb_mount(mount_options) -+ -+ @skip_if_fips() -+ def test_ntlm_authentication_with_upn_with_uppercase_domain(self): -+ tasks.kdestroy_all(self.smbclient) -+ -+ mount_options = 'user={user}@{domain},pass={password}'.format( -+ user=self.ipa_user1, -+ password=self.ipa_user1_password, -+ domain=self.master.domain.name.upper() -+ ) -+ self.check_repeated_smb_mount(mount_options) -+ - def test_uninstall_samba(self): - self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U']) - res = self.smbserver.run_command( --- -2.29.2 - diff --git a/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch b/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch deleted file mode 100644 index 8663740..0000000 --- a/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Tue, 16 Feb 2021 16:53:24 +0100 -Subject: [PATCH] ipaserver: don't ignore zonemgr option on install - -Fix zonemgr option in ipaserver install being -ignored because of an incorrect condition. - -Fixes: https://pagure.io/freeipa/issue/8718 -Signed-off-by: Antonio Torres -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/bindinstance.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py -index 3b446ce76..19941cd00 100644 ---- a/ipaserver/install/bindinstance.py -+++ b/ipaserver/install/bindinstance.py -@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, - else: - update_policy = get_dns_forward_zone_update_policy(api.env.realm) - -- if zonemgr is None: -+ if not zonemgr: - zonemgr = 'hostmaster.%s' % name - - if ns_hostname: -@@ -682,7 +682,7 @@ class BindInstance(service.Service): - self.forward_policy = forward_policy - self.reverse_zones = reverse_zones - -- if zonemgr is not None: -+ if not zonemgr: - self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain) - else: - self.zonemgr = normalize_zonemgr(zonemgr) --- -2.29.2 - -From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Tue, 16 Feb 2021 18:24:26 +0100 -Subject: [PATCH] ipatests: check that zonemgr is set correctly during server - install - -Add test to check that zonemgr is correctly -set when installing IPA server. 
- -Related: https://pagure.io/freeipa/issue/8718 -Signed-off-by: Antonio Torres -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_installation.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 6e8af024c..18c5bd243 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest): - extra_args=['--zonemgr', 'me@example.org'], - ) - -+ tasks.kinit_admin(self.master) -+ result = self.master.run_command( -+ ['ipa', 'dnszone-show', self.master.domain.name] -+ ).stdout_text -+ -+ assert "Administrator e-mail address: me.example.org" in result -+ - def test_server_install_lock_bind_recursion(self): - """Test if server installer lock Bind9 recursion - --- -2.29.2 - diff --git a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch b/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch new file mode 100644 index 0000000..3f83c40 --- /dev/null +++ b/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch 
@@ -0,0 +1,30 @@
+From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 16 Jul 2021 09:20:33 +0300
+Subject: [PATCH] rhel platform: add a named crypto-policy support
+
+RHEL 8+ provides bind system-wide crypto policy support, enable it.
+
+Fixes: https://pagure.io/freeipa/issue/8925
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Anuja More
+---
+ ipaplatform/rhel/paths.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
+index c081ada32..3631550eb 100644
+--- a/ipaplatform/rhel/paths.py
++++ b/ipaplatform/rhel/paths.py
+@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
+
+
+ class RHELPathNamespace(RedHatPathNamespace):
++ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+ if HAS_NFS_CONF:
+ SYSCONFIG_NFS = '/etc/nfs.conf'
+
+--
+2.31.1
+
diff --git a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch b/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
new file mode 100644
index 0000000..34b33c7
--- /dev/null
+++ b/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
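Review bot: The new `NAMED_CRYPTO_POLICY_FILE` override on `RHELPathNamespace` carries no explanation of what the file is or why it is RHEL-specific; the one-line commit message is the only hint. The path is the bind back-end generated by the crypto-policies package, and as far as I can tell it is what makes named honour the system-wide policy (presumably via an `include` emitted into named.conf elsewhere in ipaserver, which is not visible here), so a comment above the assignment such as `# bind back-end of the system-wide crypto policy (crypto-policies package); named.conf includes it so DNSSEC algorithm/digest restrictions follow the system policy` would save the next maintainer a trip to the bug tracker. Whether the consumer tolerates the file being absent (crypto-policies not installed, or a RHEL 8 minor release without the bind back-end) cannot be seen from this hunk; since named refuses to start on a missing `include`, the code that emits it should guard on `os.path.exists()`. The body of `RHELPathNamespace` continues outside the hunk.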
@@ -0,0 +1,53 @@
+From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 30 Aug 2021 16:44:47 -0400
+Subject: [PATCH] Catch and log errors when adding CA profiles
+
+Rather than stopping the installer entirely, catch and report
+errors adding new certificate profiles, and remove the
+broken profile entry from LDAP so it may be re-added later.
+
+It was discovered that installing a newer IPA that has the
+ACME profile which requires sanToCNDefault will fail when
+installing a new server against a very old one that lacks
+this class.
+
+Running ipa-server-upgrade post-install will add the profile
+and generate the missing ipa-ca SAN record so that ACME
+can work.
+
+https://pagure.io/freeipa/issue/8974
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/cainstance.py | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 9e842b33e..8c8bf1b3a 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1973,8 +1973,17 @@ def import_included_profiles():
+
+ # Create the profile, replacing any existing profile of same name
+ profile_data = __get_profile_config(profile_id)
+- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
+- logger.debug("Imported profile '%s'", profile_id)
++ try:
++ _create_dogtag_profile(profile_id, profile_data,
++ overwrite=True)
++ except errors.HTTPRequestError as e:
++ logger.warning("Failed to import profile '%s': %s. Running "
++ "ipa-server-upgrade when installation is "
++ "completed may resolve this issue.",
++ profile_id, e)
++ conn.delete_entry(entry)
++ else:
++ logger.debug("Imported profile '%s'", profile_id)
+ else:
+ logger.debug(
+ "Profile '%s' is already in LDAP; skipping", profile_id
+--
+2.31.1
+
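Review bot: The recovery step `conn.delete_entry(entry)` inside the new `except errors.HTTPRequestError` branch is itself unguarded: if the delete fails (the entry was never written, or the LDAP connection is affected by the same outage that made the Dogtag request fail), the installer aborts with a chained traceback at exactly the point the patch means to keep going, and the warning just emitted is buried under it. Suggest wrapping the delete so that `errors.NotFound` is tolerated (the entry is already gone, which is the desired end state) and any other `errors.PublicError` is logged with `logger.exception()` rather than re-raised. The description promises to "catch and report errors", yet only `HTTPRequestError` is caught; whether `_create_dogtag_profile()` can surface a rejected profile through another `errors.*` type is not visible in this hunk and worth checking before relying on the fallback. Note that the deleted entry leaves the CA without that profile (for the ACME case, no `ipa-ca` SAN) until `ipa-server-upgrade` runs, so the warning could be promoted to an explicit post-install message. `import_included_profiles()` starts outside the hunk, where `conn`, `entry` and `profile_id` are bound.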
diff --git a/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch b/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch deleted file mode 100644 index 0531b15..0000000 --- a/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch +++ /dev/null 
@@ -1,318 +0,0 @@ -From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Tue, 2 Feb 2021 17:33:57 +0530 -Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs - -Test moves system date to expire certs. Then calls ipa-cert-fix -to renew them. This certs include subsystem, audit-signing, -OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs. - -related: https://pagure.io/freeipa/issue/7885 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - .../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++ - 1 file changed, 60 insertions(+) - -diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py -index f9e5fe6e2..da68af573 100644 ---- a/ipatests/test_integration/test_ipa_cert_fix.py -+++ b/ipatests/test_integration/test_ipa_cert_fix.py -@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI. 
- import pytest - import time - -+import logging - from ipaplatform.paths import paths - from ipatests.pytest_ipa.integration import tasks - from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup - - -+logger = logging.getLogger(__name__) -+ -+ - def server_install_teardown(func): - def wrapped(*args): - master = args[0].master -@@ -24,6 +28,26 @@ def server_install_teardown(func): - return wrapped - - -+def check_status(host, cert_count, state, timeout=600): -+ """Helper method to check that if all the certs are in given state -+ :param host: the host -+ :param cert_count: no of cert to look for -+ :param state: state to check for -+ :param timeout: max time in seconds to wait for the state -+ """ -+ for _i in range(0, timeout, 10): -+ result = host.run_command(['getcert', 'list']) -+ count = result.stdout_text.count(f"status: {state}") -+ logger.info("cert count in %s state : %s", state, count) -+ if int(count) == cert_count: -+ break -+ time.sleep(10) -+ else: -+ raise RuntimeError("request timed out") -+ -+ return count -+ -+ - class TestIpaCertFix(IntegrationTest): - @classmethod - def uninstall(cls, mh): -@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest): - # timeout - raise AssertionError('Timeout: Failed to renew all the certs') - -+ def test_renew_expired_cert_on_master(self, expire_cert_critical): -+ """Test if ipa-cert-fix renews expired certs -+ -+ Test moves system date to expire certs. Then calls ipa-cert-fix -+ to renew them. This certs include subsystem, audit-signing, -+ OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs. 
-+ -+ related: https://pagure.io/freeipa/issue/7885 -+ """ -+ # wait for cert expiry -+ check_status(self.master, 8, "CA_UNREACHABLE") -+ -+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') -+ -+ check_status(self.master, 9, "MONITORING") -+ -+ # second iteration of ipa-cert-fix -+ result = self.master.run_command( -+ ['ipa-cert-fix', '-v'], -+ stdin_text='yes\n' -+ ) -+ assert "Nothing to do" in result.stdout_text -+ check_status(self.master, 9, "MONITORING") -+ -+ def test_ipa_cert_fix_non_ipa(self): -+ """Test ipa-cert-fix doesn't work on non ipa system -+ -+ ipa-cert-fix tool should not work on non ipa system. -+ -+ related: https://pagure.io/freeipa/issue/7885 -+ """ -+ result = self.master.run_command(['ipa-cert-fix', '-v'], -+ stdin_text='yes\n', -+ raiseonerr=False) -+ assert result.returncode == 2 -+ - - class TestIpaCertFixThirdParty(CALessBase): - """ --- -2.29.2 - -From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 11 Feb 2021 16:54:22 +0530 -Subject: [PATCH] Move fixture outside the class and add setup_kra capability - -Moved fixture to use across multiple classes. 
Added capability -to install the KRA to the fixture - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - .../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++------- - 1 file changed, 30 insertions(+), 16 deletions(-) - -diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py -index da68af573..591dc5031 100644 ---- a/ipatests/test_integration/test_ipa_cert_fix.py -+++ b/ipatests/test_integration/test_ipa_cert_fix.py -@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600): - return count - - -+@pytest.fixture -+def expire_cert_critical(): -+ """ -+ Fixture to expire the certs by moving the system date using -+ date -s command and revert it back -+ """ -+ -+ hosts = dict() -+ -+ def _expire_cert_critical(host, setup_kra=False): -+ hosts['host'] = host -+ # Do not install NTP as the test plays with the date -+ tasks.install_master(host, setup_dns=False, -+ extra_args=['--no-ntp']) -+ if setup_kra: -+ tasks.install_kra(host) -+ host.run_command(['systemctl', 'stop', 'chronyd']) -+ host.run_command(['date', '-s', '+3Years+1day']) -+ -+ yield _expire_cert_critical -+ -+ host = hosts.pop('host') -+ tasks.uninstall_master(host) -+ host.run_command(['date', '-s', '-3Years-1day']) -+ host.run_command(['systemctl', 'start', 'chronyd']) -+ -+ - class TestIpaCertFix(IntegrationTest): - @classmethod - def uninstall(cls, mh): -@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest): - # the fixture - pass - -- @pytest.fixture -- def expire_cert_critical(self): -- """ -- Fixture to expire the certs by moving the system date using -- date -s command and revert it back -- """ -- # Do not install NTP as the test plays with the date -- tasks.install_master(self.master, setup_dns=False, -- extra_args=['--no-ntp']) -- self.master.run_command(['systemctl', 'stop', 'chronyd']) -- 
self.master.run_command(['date','-s', '+3Years+1day']) -- yield -- tasks.uninstall_master(self.master) -- self.master.run_command(['date','-s', '-3Years-1day']) -- self.master.run_command(['systemctl', 'start', 'chronyd']) -- - def test_missing_csr(self, expire_cert_critical): - """ - Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg -@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest): - - call getcert resubmit in order to create the CSR in certmonger file - - use ipa-cert-fix, no issue should be seen - """ -+ expire_cert_critical(self.master) - # pki must be stopped in order to edit CS.cfg - self.master.run_command(['ipactl', 'stop']) - self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d', -@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest): - - related: https://pagure.io/freeipa/issue/7885 - """ -+ expire_cert_critical(self.master) -+ - # wait for cert expiry - check_status(self.master, 8, "CA_UNREACHABLE") - --- -2.29.2 - -From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 11 Feb 2021 16:59:53 +0530 -Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra - installed - -This test check if ipa-cert-fix renews certs with kra -certificate installed. - -related: https://pagure.io/freeipa/issue/7885 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - .../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py -index 591dc5031..b2e92d4dc 100644 ---- a/ipatests/test_integration/test_ipa_cert_fix.py -+++ b/ipatests/test_integration/test_ipa_cert_fix.py -@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase): - # the DS nickname is used and not a hardcoded value. 
- result = self.master.run_command(['ipa-cert-fix', '-v'],) - assert self.nickname in result.stderr_text -+ -+ -+class TestCertFixKRA(IntegrationTest): -+ @classmethod -+ def uninstall(cls, mh): -+ # Uninstall method is empty as the uninstallation is done in -+ # the fixture -+ pass -+ -+ def test_renew_expired_cert_with_kra(self, expire_cert_critical): -+ """Test if ipa-cert-fix renews expired certs with kra installed -+ -+ This test check if ipa-cert-fix renews certs with kra -+ certificate installed. -+ -+ related: https://pagure.io/freeipa/issue/7885 -+ """ -+ expire_cert_critical(self.master, setup_kra=True) -+ -+ # check if all subsystem cert expired -+ check_status(self.master, 11, "CA_UNREACHABLE") -+ -+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') -+ -+ check_status(self.master, 12, "MONITORING") --- -2.29.2 - -From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Tue, 2 Mar 2021 11:42:36 +0530 -Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +- - ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +- - ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -index ebd539246..8a88698eb 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -@@ -1687,5 +1687,5 @@ jobs: - build_url: '{fedora-latest-ipa-4-9/build_url}' - test_suite: test_integration/test_ipa_cert_fix.py - template: *ci-ipa-4-9-latest -- timeout: 3600 -+ timeout: 7200 - topology: *master_1repl -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml 
b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -index d4b597d6e..14f0c4292 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -@@ -1821,5 +1821,5 @@ jobs: - selinux_enforcing: True - test_suite: test_integration/test_ipa_cert_fix.py - template: *ci-ipa-4-9-latest -- timeout: 3600 -+ timeout: 7200 - topology: *master_1repl -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -index 1fd589e6a..b7f8d2b3e 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -@@ -1687,5 +1687,5 @@ jobs: - build_url: '{fedora-previous-ipa-4-9/build_url}' - test_suite: test_integration/test_ipa_cert_fix.py - template: *ci-ipa-4-9-previous -- timeout: 3600 -+ timeout: 7200 - topology: *master_1repl --- -2.29.2 - diff --git a/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch b/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch deleted file mode 100644 index a4e36a9..0000000 --- a/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Tue, 2 Mar 2021 08:44:35 +0100
-Subject: [PATCH] ipatests: use whole date when calling journalctl --since
-
-The test test_commands.py::TestIPACommand::test_ssh_key_connection
-is checking the content of the journal using journalctl --since ...
-but provides only the time, not the whole date with year-month-day.
-As a consequence, if the test is executed around midnight it may
-find nothing in the journal because it's looking for logs after 11:50PM,
-which is a date in the future.
-
-The fix provides a complete date with year-month-day hours:min:sec.
-
-Fixes: https://pagure.io/freeipa/issue/8728
-Reviewed-By: Francois Cami
----
- ipatests/test_integration/test_commands.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index 45f642bf2..b7ffb926f 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
- # start to look at logs a bit before "now"
- # https://pagure.io/freeipa/issue/8432
- since = time.strftime(
-- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
-+ '%Y-%m-%d %H:%M:%S',
-+ (datetime.now() - timedelta(seconds=10)).timetuple()
- )
-
- tasks.run_ssh_cmd(
---
-2.29.2
-
diff --git a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch b/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
new file mode 100644
index 0000000..14a8b03
--- /dev/null
+++ b/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
@@ -0,0 +1,41 @@
+From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Mon, 30 Aug 2021 18:40:24 +0200
+Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
+
+On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
+
+According to gcrypt manual
+(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
+/proc/cpuinfo is used on ARM architecture to read the hardware
+capabilities of the CPU. This explains why the issue happens only
+on aarch64.
+
+audit2allow suggests to add the following:
+allow ipa_custodia_t proc_t:file { getattr open read };
+
+but this policy would be too broad. Instead, the patch is using
+the interface kernel_read_system_state.
+
+Fixes: https://pagure.io/freeipa/issue/8972
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Christian Heimes
+---
+ selinux/ipa.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 68e109419..7492fca04 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
+
+ kernel_dgram_send(ipa_custodia_t)
+ kernel_read_network_state(ipa_custodia_t)
++kernel_read_system_state(ipa_custodia_t)
+
+ auth_read_passwd(ipa_custodia_t)
+
+--
+2.31.1
+
diff --git a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch b/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
new file mode 100644
index 0000000..e88902d
--- /dev/null
+++ b/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
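Review bot: The justification recorded for the new `kernel_read_system_state(ipa_custodia_t)` line is the wrong way round: in the reference policy, as far as I can tell, that interface expands to read/getattr/open on `proc_t` files plus listing `proc_t` directories and reading its symlinks, i.e. a superset of the `allow ipa_custodia_t proc_t:file { getattr open read };` that audit2allow produced, not a narrower rule. Using the interface is still the right call, because raw `allow` rules on a type owned by another module are not portable across policy versions, and per-process `/proc/<pid>` entries carry the process domain's label rather than `proc_t`, so in practice the grant covers kernel-owned files such as `/proc/cpuinfo`, `/proc/meminfo` or `/proc/mounts`; but that reasoning should live where the next reader looks, not only in a commit message that states the opposite. Suggest a comment on the new line: `# libgcrypt probes /proc/cpuinfo for CPU capabilities on aarch64 (pagure #8972)`. If the other IPA domains in ipa.te already call `kernel_read_system_state`, placing this one consistently next to them would also help.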
@@ -0,0 +1,46 @@
+From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 25 Aug 2021 17:10:29 +0200
+Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
+
+If a client sends a request to lookup an object from a given trusted
+domain by UID or GID and an object with matching ID is only found in a
+different domain the extdom should return LDAP_NO_SUCH_OBJECT to
+indicate to the client that the requested ID does not exists in the
+given domain.
+
+Resolves: https://pagure.io/freeipa/issue/8965
+Reviewed-By: Rob Crittenden
+---
+ .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index 5d97ff613..6f646b9f4 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
+ if (strcasecmp(locat+1, domain_name) == 0 ) {
+ locat[0] = '\0';
+ } else {
+- ret = LDAP_INVALID_SYNTAX;
++ /* The found object is from a different domain than requested,
++ * that means it does not exist in the requested domain */
++ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
+ }
+@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
+ if (strcasecmp(locat+1, domain_name) == 0 ) {
+ locat[0] = '\0';
+ } else {
+- ret = LDAP_INVALID_SYNTAX;
++ /* The found object is from a different domain than requested,
++ * that means it does not exist in the requested domain */
++ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
+ }
+--
+2.31.1
+
diff --git a/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch b/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
deleted file mode 100644
index 128c9c4..0000000
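Review bot: The domain-mismatch branch in both `pack_ber_user()` and `pack_ber_group()` now fails silently with `LDAP_NO_SUCH_OBJECT`, yet an ID that resolves to an object whose suffix differs from the requested `domain_name` is precisely the symptom of overlapping ID ranges between trusted domains, which an administrator will otherwise only see as an unexplained miss. A debug-level log line before `goto done` naming the requested domain and the suffix actually found (`locat+1`) would make a real absence distinguishable from an ID collision; the plugin's logging macro is not visible in this hunk, so use whatever the file already uses. The two hunks are byte-for-byte identical, which invites drift; a small `static` helper that takes the name buffer and `domain_name`, strips the suffix on a match and otherwise returns `LDAP_NO_SUCH_OBJECT`, would keep the rule in one place. Switching the code from `LDAP_INVALID_SYNTAX` also presumably changes how the client (SSSD) treats the answer, a negative result rather than a protocol error; that looks intended per the description but deserves a word in the new comment. Both enclosing functions start and end outside the hunk.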
--- a/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch +++ /dev/null 
@@ -1,594 +0,0 @@ -From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 19 Feb 2021 15:37:47 +0200 -Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context - -Calling to ipadb_get_connection() will remove LDAP context if any error -happens. This means upper layers must always verify that LDAP context -exists after such calls. - -ipadb_get_user_auth() may re-read global configuration and that may fail -and cause IPA context to have NULL LDAP context. - -Fixes: https://pagure.io/freeipa/issue/8681 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Robbie Harwood -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/ipa_kdb.c | 1 + - daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++------------- - daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------ - 3 files changed, 37 insertions(+), 22 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 43ba955ac..6e1e3e351 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext, - /* ldap free lcontext */ - if ((*ctx)->lcontext) { - ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL); -+ (*ctx)->lcontext = NULL; - } - free((*ctx)->supp_encs); - free((*ctx)->def_encs); -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 31f617129..81a8fd483 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - krb5_timestamp authtime, - struct netr_SamInfo3 *info3) - { -- LDAP *lcontext = ipactx->lcontext; - LDAPDerefRes *deref_results = NULL; - struct dom_sid sid; - gid_t prigid = -1; -@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - bool is_idobject = false; - krb5_principal princ; - -- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, 
"objectClass", -+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass", - &objectclasses); - if (ret == 0 && objectclasses != NULL) { - for (c = 0; objectclasses[c] != NULL; c++) { -@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - } - - if (is_host) { -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres); -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres); - if (ret) { - /* fqdn is mandatory for hosts */ - return ret; - } - } else if (is_service) { -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres); -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "krbCanonicalName", &strres); - if (ret) { - /* krbCanonicalName is mandatory for services */ - return ret; -@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ENOENT; - } - } else { -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres); -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres); - if (ret) { - /* uid is mandatory */ - return ret; -@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - if (is_host || is_service) { - prigid = 515; /* Well known RID for domain computers group */ - } else { -- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres); -+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry, -+ "gidNumber", &intres); - if (ret) { - /* gidNumber is mandatory */ - return ret; -@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - info3->base.kickoff_time = INT64_MAX; - #endif - -- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry, -+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry, - "krbLastPwdChange", &timeres); - switch (ret) { - case 0: -@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - info3->base.allow_password_change = 
info3->base.last_password_change; - info3->base.force_password_change = INT64_MAX; - -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres); -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres); - switch (ret) { - case 0: - info3->base.full_name.string = talloc_strdup(memctx, strres); -@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ret; - } - -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "ipaNTLogonScript", &strres); - switch (ret) { - case 0: -@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ret; - } - -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "ipaNTProfilePath", &strres); - switch (ret) { - case 0: -@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ret; - } - -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "ipaNTHomeDirectory", &strres); - switch (ret) { - case 0: -@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ret; - } - -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "ipaNTHomeDirectoryDrive", &strres); - switch (ret) { - case 0: -@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - info3->base.rid = 515; - } - } else { -- ret = ipadb_ldap_attr_to_str(lcontext, lentry, -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "ipaNTSecurityIdentifier", &strres); - if (ret) { - /* SID is mandatory */ -@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - } - } - -- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results); -+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); 
- switch (ret) { - LDAPDerefRes *dres; - LDAPDerefVal *dval; -@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si - krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - { - struct ipadb_adtrusts *t; -- LDAP *lc = ipactx->lcontext; -+ LDAP *lc = NULL; - char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", - "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", - "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; -@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - goto done; - } - -+ lc = ipactx->lcontext; - for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) { - dnstr = ldap_get_dn(lc, le); - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index d1fa51578..cf1b4f53e 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, - if (gcfg != NULL) - gua = gcfg->user_auth; - -+ /* lcontext == NULL means ipadb_get_global_config() failed to load -+ * global config and cleared the ipactx */ -+ if (ipactx->lcontext == NULL) -+ return IPADB_USER_AUTH_NONE; -+ - /* Get the user's user_auth settings if not disabled. */ - if ((gua & IPADB_USER_AUTH_DISABLED) == 0) - ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); -@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, - free(entry); - return KRB5_KDB_DBNOTINITED; - } -- lcontext = ipactx->lcontext; -- if (!lcontext) { -+ -+ entry->magic = KRB5_KDB_MAGIC_NUMBER; -+ entry->len = KRB5_KDB_V1_BASE_LENGTH; -+ -+ /* Get User Auth configuration. 
*/ -+ ua = ipadb_get_user_auth(ipactx, lentry); -+ -+ /* ipadb_get_user_auth() calls into ipadb_get_global_config() -+ * and that might fail, causing lcontext to become NULL */ -+ if (!ipactx->lcontext) { - krb5_klog_syslog(LOG_INFO, - "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n"); - ret = ipadb_get_connection(ipactx); -@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, - } - } - -- entry->magic = KRB5_KDB_MAGIC_NUMBER; -- entry->len = KRB5_KDB_V1_BASE_LENGTH; -- -- /* Get User Auth configuration. */ -- ua = ipadb_get_user_auth(ipactx, lentry); -+ /* If any code below would result in invalidating ipactx->lcontext, -+ * lcontext must be updated with the new ipactx->lcontext value. -+ * We rely on the fact that none of LDAP-parsing helpers does it. */ -+ lcontext = ipactx->lcontext; - - /* ignore mask for now */ - --- -2.29.2 - -From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 23 Feb 2021 10:06:25 +0200 -Subject: [PATCH] ipa-kdb: fix compiler warnings - -There are few fields in KDB structures that have 'conflicting' types but -need to be compared. They come from MIT Kerberos and we have no choice -here. - -In the same way, SID structures have own requirements. 
- -Signed-off-by: Alexander Bokovoy -Reviewed-By: Robbie Harwood -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++-- - daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++--- - daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++--- - daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +- - 4 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c -index ed48ea758..ec2046bfe 100644 ---- a/daemons/ipa-kdb/ipa_kdb_audit_as.c -+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c -@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext, - - if (krb5_ts_after(krb5_ts_incr(client->last_failed, - ied->pol->lockout_duration), authtime) && -- (client->fail_auth_count >= ied->pol->max_fail && -+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail && - ied->pol->max_fail != 0)) { - /* client already locked, nothing more to do */ - break; - } - if (ied->pol->max_fail == 0 || -- client->fail_auth_count < ied->pol->max_fail) { -+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) { - /* let's increase the fail counter */ - client->fail_auth_count++; - client->mask |= KMASK_FAIL_AUTH_COUNT; -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 81a8fd483..9691b14f6 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid) - - char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) - { -- size_t c; -+ int8_t c; - size_t len; -- int ofs; -+ size_t ofs; - uint32_t ia; - char *buf; - -@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - - t[n].upn_suffixes_len = NULL; - if (t[n].upn_suffixes != NULL) { -- size_t len = 0; -+ int len = 0; - - for (; t[n].upn_suffixes[len] != NULL; len++); - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 
cf1b4f53e..0a98ff054 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext, - l = len; - for (i = 0; i < count; i++) { - ret = snprintf(ap, l, "%s ", authinds[i]); -- if (ret <= 0 || ret > l) { -+ if (ret <= 0 || ret > (int) l) { - ret = ENOMEM; - goto cleanup; - } -@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext, - char *s = NULL; - size_t ai_size = 0; - int cnt = 0; -- int i = 0; -+ size_t i = 0; - - ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais); - if (ret) { -@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods) - { - krb5_error_code kerr; - LDAPMod *m = NULL; -- int i; -+ size_t i; - - kerr = ipadb_mods_new(imods, &m); - if (kerr) { -diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c -index 4965e6d7f..6f21ef867 100644 ---- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c -@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext, - } - - if (ied->pol->max_fail == 0 || -- client->fail_auth_count < ied->pol->max_fail) { -+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) { - /* still within allowed failures range */ - return 0; - } --- -2.29.2 - -From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 24 Feb 2021 20:51:40 +0200 -Subject: [PATCH] ipa-kdb: add missing prototypes - -On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings -about function prototypes missing. If -Werror is specified, this breaks -compilation. 
- -We also default to -Werror=implicit-function-declaration - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Robbie Harwood -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++ - daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++-------- - daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++ - 3 files changed, 20 insertions(+), 8 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -index a89f8bbda..aa61a2d1b 100644 ---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -@@ -14,6 +14,10 @@ - #define ONE_DAY_SECONDS (24 * 60 * 60) - #define JITTER_WINDOW_SECONDS (1 * 60 * 60) - -+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context, -+ int maj_ver, int min_ver, -+ krb5_plugin_vtable vtable); -+ - static void - jitter(krb5_deltat baseline, krb5_deltat *lifetime_out) - { -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 9691b14f6..47b12a16f 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) - *mspac = NULL; - } - --krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, -- struct dom_sid **result_sids, -- int *result_length) -+static krb5_error_code -+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, -+ struct dom_sid **result_sids, -+ int *result_length) - { - int len, i; - char **source; -@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, - return 0; - } - --krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, -- char **sid_blocklist_incoming, -- char **sid_blocklist_outgoing) -+static krb5_error_code -+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, -+ char **sid_blocklist_incoming, -+ char **sid_blocklist_outgoing) - { - krb5_error_code kerr; - -@@ -2464,7 +2466,8 @@ 
krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus - return 0; - } - --krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx) -+static krb5_error_code -+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx) - { - char *attrs[] = { NULL }; - char *filter = "(objectclass=ipaNTTrustedDomain)"; -@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si - } - } - --krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) -+static krb5_error_code -+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - { - struct ipadb_adtrusts *t; - LDAP *lc = NULL; -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h -index d23a14a0b..8c8a3a001 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h -@@ -53,3 +53,7 @@ struct ipadb_adtrusts { - - int string_to_sid(const char *str, struct dom_sid *sid); - char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid); -+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, -+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info); -+void get_authz_data_types(krb5_context context, krb5_db_entry *entry, -+ bool *_with_pac, bool *_with_pad); -\ No newline at end of file --- -2.29.2 - -From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 24 Feb 2021 20:52:15 +0200 -Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth - -Add prototype to the exported function - -Replace few tabs by spaces and mark static code as static. 
- -Signed-off-by: Alexander Bokovoy -Reviewed-By: Robbie Harwood -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++----------- - 1 file changed, 14 insertions(+), 11 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c -index bc6b26578..3a3060c92 100644 ---- a/daemons/ipa-kdb/ipa_kdb_certauth.c -+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c -@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st { - time_t valid_until; - }; - --void ipa_certmap_debug(void *private, -- const char *file, long line, -- const char *function, -- const char *format, ...) -+krb5_error_code certauth_ipakdb_initvt(krb5_context context, -+ int maj_ver, int min_ver, -+ krb5_plugin_vtable vtable); -+ -+static void ipa_certmap_debug(void *private, const char *file, long line, -+ const char *function, -+ const char *format, ...) - { - va_list ap; - char str[255] = { 0 }; -@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, - * so there is nothing more to add here. */ - auth_inds = calloc(2, sizeof(char *)); - if (auth_inds != NULL) { -- ret = asprintf(&auth_inds[0], "pkinit"); -- if (ret != -1) { -+ ret = asprintf(&auth_inds[0], "pkinit"); -+ if (ret != -1) { - auth_inds[1] = NULL; - *authinds_out = auth_inds; -- } else { -- free(auth_inds); -+ } else { -+ free(auth_inds); - } - } - -@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context, - size_t i = 0; - - if ((authinds == NULL) || (moddata == NULL)) { -- return; -+ return; - } - - for(i=0; authinds[i]; i++) { -- free(authinds[i]); -- authinds[i] = NULL; -+ free(authinds[i]); -+ authinds[i] = NULL; - } - - free(authinds); --- -2.29.2 - -From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 24 Feb 2021 20:55:41 +0200 -Subject: [PATCH] ipa-kdb: mark test functions as static - -No need to define missing prototypes to single use test functions. 
- -Signed-off-by: Alexander Bokovoy -Reviewed-By: Robbie Harwood -Reviewed-By: Rob Crittenden ---- - daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - -diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c -index 2a174ce6b..0b51ffb96 100644 ---- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c -+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c -@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context, - krb5_data realm, - struct PAC_LOGON_INFO_CTR *info); - --void test_filter_logon_info(void **state) -+static void test_filter_logon_info(void **state) - { - krb5_error_code kerr; - krb5_data realm = {KV5M_DATA, REALM_LEN, REALM}; -@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state) - - } - --extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, -- bool *with_pac, bool *with_pad); -- --void test_get_authz_data_types(void **state) -+static void test_get_authz_data_types(void **state) - { - bool with_pac; - bool with_pad; -@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state) - krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); - } - --void test_string_to_sid(void **state) -+static void test_string_to_sid(void **state) - { - int ret; - struct dom_sid sid; -@@ -469,7 +466,7 @@ void test_string_to_sid(void **state) - assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid)); - } - --void test_dom_sid_string(void **state) -+static void test_dom_sid_string(void **state) - { - struct test_ctx *test_ctx; - char *str_sid; -@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state) - } - - --void test_check_trusted_realms(void **state) -+static void test_check_trusted_realms(void **state) - { - struct test_ctx *test_ctx; - krb5_error_code kerr = 0; --- -2.29.2 - 
diff --git a/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch b/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch deleted file mode 100644 index 06b42e5..0000000 --- a/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Mon, 15 Mar 2021 16:55:08 +0100 -Subject: [PATCH] ipa-client-install: output a warning if sudo is not present - (2) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes: https://pagure.io/freeipa/issue/8530 -Signed-off-by: François Cami -Reviewed-By: Armando Neto ---- - ipaclient/install/client.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 0e478fa26..9bdfbddaf 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -2205,7 +2205,7 @@ def install_check(options): - # available. - if options.conf_sudo: - try: -- subprocess.Popen(['sudo -V']) -+ subprocess.Popen(['sudo', '-V']) - except FileNotFoundError: - logger.info( - "The sudo binary does not seem to be present on this " --- -2.30.2 - -From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Mon, 15 Mar 2021 17:00:05 +0100 -Subject: [PATCH] ipatests: check for the "no sudo present" string absence -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When sudo is installed, no warning should be output about sudo not -being available (obviously). Check that the relevant string is -not present. 
- -Fixes: https://pagure.io/freeipa/issue/8530 -Signed-off-by: François Cami -Reviewed-By: Armando Neto ---- - ipatests/test_integration/test_installation.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index a50a59f1a..a5ff17a0d 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest): - tasks.install_packages(self.clients[0], ['sudo']) - for pkg in ('sudo', 'libsss_sudo'): - assert tasks.is_package_installed(self.clients[0], pkg) -+ result = tasks.install_client(self.master, self.clients[0]) -+ assert self.no_sudo_str not in result.stderr_text --- -2.30.2 - diff --git a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch b/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch new file mode 100644 index 0000000..8ea12a5 --- /dev/null +++ b/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch 
@@ -0,0 +1,37 @@
+From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Tue, 7 Sep 2021 17:06:53 +0200
+Subject: [PATCH] migrate-ds: workaround to detect compat tree
+
+Migrate-ds needs to check if compat tree is enabled before
+migrating users and groups. The check is doing a base
+search on cn=compat,$SUFFIX and considers the compat tree
+enabled when the entry exists.
+
+Due to a bug in slapi-nis, the base search may return NotFound
+even though the compat tree is enabled. The workaround is to
+perform a base search on cn=users,cn=compat,$SUFFIX instead.
+
+Fixes: https://pagure.io/freeipa/issue/8984
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/plugins/migration.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
+index db5241915..6ee205fc8 100644
+--- a/ipaserver/plugins/migration.py
++++ b/ipaserver/plugins/migration.py
+@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
+ # check whether the compat plugin is enabled
+ if not options.get('compat'):
+ try:
+- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
++ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
++ (api.env.basedn)))
+ return dict(result={}, failed={}, enabled=True, compat=False)
+ except errors.NotFound:
+ pass
+--
+2.31.1
+
diff --git a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch b/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
new file mode 100644
index 0000000..450a75e
--- /dev/null
+++ b/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
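Review bot: The comment `# check whether the compat plugin is enabled` above the changed call no longer explains why the probe is `cn=users,cn=compat` instead of the compat root; that reasoning lives only in the commit message, so a later reader is likely to "simplify" it back to the plain DN. Suggest extending the comment to `# probe cn=users,cn=compat rather than cn=compat: a slapi-nis bug can return NotFound for the compat root even when the tree is enabled (pagure #8984)`. The probe also assumes the users map is always present whenever the compat tree is enabled; if a deployment can disable only that map, the check would report compat as disabled, which I cannot confirm from the hunk. The enclosing function starts and ends outside the hunk.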
@@ -0,0 +1,89 @@ +From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 5 Aug 2021 20:03:21 +0530 +Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat + tree. + +Added test to verify that ldapsearch for compat tree +with scope base and sub is not failing. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 + +Signed-off-by: Anuja More +Reviewed-By: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_commands.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index 2035ced56..e3a0d867e 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest): + # Run the command again after cache is removed + self.master.run_command(['ipa', 'user-show', 'ipauser1']) + ++ def test_basesearch_compat_tree(self): ++ """Test ldapsearch against compat tree is working ++ ++ This to ensure that ldapsearch with base scope is not failing. ++ ++ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 ++ """ ++ tasks.kinit_admin(self.master) ++ base_dn = str(self.master.domain.basedn) ++ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn) ++ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub') ++ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base') ++ + + class TestIPAautomount(IntegrationTest): + @classmethod +-- +2.31.1 + +From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 5 Aug 2021 20:23:15 +0530 +Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora. + +slapi-nis with fix is not part of fedora yet. +test requires with fix: +https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177? 
+
+Signed-off-by: Anuja More
+Reviewed-By: Mohammad Rizwan
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_integration/test_commands.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index e3a0d867e..4d9a81652 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
+ from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
+ from ipapython.ipautil import realm_to_suffix, ipa_generate_password
+ from ipaserver.install.installutils import realm_to_serverid
++from pkg_resources import parse_version
+
+ logger = logging.getLogger(__name__)
+
+@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
+
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
+ """
++ version = self.master.run_command(
++ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
++ )
++ if tasks.get_platform(self.master) == "fedora" and parse_version(
++ version.stdout_text) <= parse_version("0.56.7"):
++ pytest.skip("Test requires slapi-nis with fix on fedora")
+ tasks.kinit_admin(self.master)
+ base_dn = str(self.master.domain.basedn)
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
+--
+2.31.1
+
diff --git a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch b/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
new file mode 100644
index 0000000..a223c94
--- /dev/null
+++ b/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
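Review bot: The skip guard added in the second patch feeds the raw `rpm -qa --qf "%{VERSION}" slapi-nis` output to `parse_version`; when slapi-nis is not installed that output is empty, and an empty string either parses as a legacy version below `0.56.7` (skipping the test silently) or raises `InvalidVersion`, depending on the setuptools release, so the real cause is never reported. The comparison also drops `%{RELEASE}`, so a `0.56.7-N` rebuild that carries the fix is still skipped, and with several installed versions the format prints them back to back because it has no trailing newline. Suggest `assert version.stdout_text, "slapi-nis is not installed"` before the comparison and a format of `"%{VERSION}-%{RELEASE}\n"` if the fix may ship as a rebuild. If `packaging` is already available to the test suite, `packaging.version.parse` would also avoid importing the deprecated `pkg_resources`. The enclosing test method starts outside this hunk.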
@@ -0,0 +1,162 @@ +From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 9 Aug 2021 20:57:22 +0530 +Subject: [PATCH] ipatests: Test unsecure nsupdate. + +The test configures an external bind server on the ipa-server +(not the IPA-embedded DNS server) that allows unauthenticated nsupdates. + +When the IPA client is registered using ipa-client-install, +DNS records are added for the client in the bind server using nsupdate. +The first try is using GSS-TIG but fails as expected, and the client +installer then tries with unauthenticated nsupdate. + +Related : https://pagure.io/freeipa/issue/8402 + +Signed-off-by: Anuja More +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + .../test_installation_client.py | 118 ++++++++++++++++++ + 1 file changed, 118 insertions(+) + +diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py +index fa59a5255..014b0f6ab 100644 +--- a/ipatests/test_integration/test_installation_client.py ++++ b/ipatests/test_integration/test_installation_client.py +@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install. 
+ + from __future__ import absolute_import + ++import pytest ++import re + import shlex ++import textwrap + ++from ipaplatform.paths import paths + from ipatests.test_integration.base import IntegrationTest + from ipatests.pytest_ipa.integration import tasks ++from ipatests.pytest_ipa.integration.firewall import Firewall + + + class TestInstallClient(IntegrationTest): +@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest): + extra_args=['--ssh-trust-dns']) + result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config']) + assert 'HostKeyAlgorithms' not in result.stdout_text ++ ++ ++class TestClientInstallBind(IntegrationTest): ++ """ ++ The test configures an external bind server on the ipa-server ++ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates. ++ When the IPA client is registered using ipa-client-install, ++ DNS records are added for the client in the bind server using nsupdate. ++ The first try is using GSS-TIG but fails as expected, and the client ++ installer then tries with unauthenticated nsupdate. 
++ """ ++ ++ num_clients = 1 ++ ++ @classmethod ++ def install(cls, mh): ++ cls.client = cls.clients[0] ++ ++ @pytest.fixture ++ def setup_bindserver(self): ++ bindserver = self.master ++ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF) ++ # create a zone in the BIND server that is identical to the IPA ++ add_zone = textwrap.dedent(""" ++ zone "{domain}" IN {{ type master; ++ file "{domain}.db"; allow-query {{ any; }}; ++ allow-update {{ any; }}; }}; ++ """).format(domain=bindserver.domain.name) ++ ++ namedcfg = bindserver.get_file_contents( ++ paths.NAMED_CONF, encoding='utf-8') ++ namedcfg += '\n' + add_zone ++ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg) ++ ++ def update_contents(path, pattern, replace): ++ contents = bindserver.get_file_contents(path, encoding='utf-8') ++ namedcfg_query = re.sub(pattern, replace, contents) ++ bindserver.put_file_contents(path, namedcfg_query) ++ ++ update_contents(paths.NAMED_CONF, 'localhost;', 'any;') ++ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };", ++ "#listen-on port 53 { 127.0.0.1; };") ++ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };", ++ "#listen-on-v6 port 53 { ::1; };") ++ ++ add_records = textwrap.dedent(""" ++ @ IN SOA {fqdn}. root.{domain}. ( ++ 1001 ;Serial ++ 3H ;Refresh ++ 15M ;Retry ++ 1W ;Expire ++ 1D ;Minimum 1D ++ ) ++ @ IN NS {fqdn}. ++ ns1 IN A {bindserverip} ++ _kerberos.{domain}. IN TXT {zoneupper} ++ {fqdn}. IN A {bindserverip} ++ ipa-ca.{domain}. IN A {bindserverip} ++ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}. ++ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}. ++ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}. ++ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}. 
++ """).format( ++ fqdn=bindserver.hostname, ++ domain=bindserver.domain.name, ++ bindserverip=bindserver.ip, ++ zoneupper=bindserver.domain.name.upper() ++ ) ++ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name) ++ bindserver.put_file_contents(bindserverdb, add_records) ++ bindserver.run_command(['systemctl', 'start', 'named']) ++ Firewall(bindserver).enable_services(["dns"]) ++ yield ++ named_conf_backup.restore() ++ bindserver.run_command(['rm', '-rf', bindserverdb]) ++ ++ def test_client_nsupdate(self, setup_bindserver): ++ """Test secure nsupdate failed, then try unsecure nsupdate.. ++ ++ Test to verify when bind is configured with dynamic update policy, ++ and during client-install 'nsupdate -g' fails then it should run with ++ second call using unauthenticated nsupdate. ++ ++ Related : https://pagure.io/freeipa/issue/8402 ++ """ ++ # with pre-configured bind server, install ipa-server without dns. ++ tasks.install_master(self.master, setup_dns=False) ++ self.client.resolver.backup() ++ self.client.resolver.setup_resolver( ++ self.master.ip, self.master.domain.name) ++ try: ++ self.client.run_command(['ipa-client-install', '-U', ++ '--domain', self.client.domain.name, ++ '--realm', self.client.domain.realm, ++ '-p', self.client.config.admin_name, ++ '-w', self.client.config.admin_password, ++ '--server', self.master.hostname]) ++ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed. ++ str1 = "nsupdate (GSS-TSIG) failed" ++ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'" ++ client_log = self.client.get_file_contents( ++ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8' ++ ) ++ assert str1 in client_log and str2 in client_log ++ dig_after = self.client.run_command( ++ ['dig', '@{0}'.format(self.master.ip), self.client.hostname, ++ '-t', 'SSHFP']) ++ assert "ANSWER: 0" not in dig_after.stdout_text.strip() ++ finally: ++ self.client.resolver.restore() +-- +2.31.1 + 
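Review bot: `setup_bindserver` has no `try`/`finally` around its setup, so if any step after `tasks.FileBackup(...)` raises (for example `systemctl start named` or `Firewall(...).enable_services`) pytest never reaches the code after `yield`, and the edited `named.conf` plus the zone file stay on the master for the rest of the run. The teardown also never stops `named` or re-closes the `dns` firewall service it opened, which leaves a BIND instance configured with `allow-update { any; }` listening on the test host after the test finishes; since `update_contents(paths.NAMED_CONF, 'localhost;', 'any;')` rewrites every occurrence in the file, it likely widens every other ACL that referenced localhost too, so the cleanup matters. Hoisting the zone-file path and the firewall object above the edits, wrapping setup and `yield` in `try`/`finally`, and undoing both in the `finally` (using the `disable_services` counterpart the `Firewall` helper appears to provide) fixes both issues; `rm -f` is enough for a single file. In `test_client_nsupdate`, `str2` hard-codes `/usr/bin/nsupdate` and `/etc/ipa/.dns_update.txt`; if `paths` exposes those locations (it is already imported for `NAMED_CONF`), building the string from them keeps the assertion valid across platforms.
```python
    @pytest.fixture
    def setup_bindserver(self):
        bindserver = self.master
        named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
        bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
        firewall = Firewall(bindserver)
        try:
            # … unchanged: zone stanza, named.conf edits, zone file contents …
            bindserver.put_file_contents(bindserverdb, add_records)
            bindserver.run_command(['systemctl', 'start', 'named'])
            firewall.enable_services(["dns"])
            yield
        finally:
            # undo everything even if setup failed part-way
            firewall.disable_services(["dns"])
            bindserver.run_command(['systemctl', 'stop', 'named'],
                                   raiseonerr=False)
            named_conf_backup.restore()
            bindserver.run_command(['rm', '-f', bindserverdb])
```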
diff --git a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch b/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch new file mode 100644 index 0000000..739e7c3 --- /dev/null +++ b/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch 
@@ -0,0 +1,128 @@ +From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 9 Sep 2021 15:26:55 -0400 +Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache + +usercertificate often has a subclass and both the plain and +subclassed (binary) values are queried. I'm concerned that +they are used more or less interchangably in places so not +caching these entries is the safest path forward for now until +we can dedicate the time to find all usages, determine their +safety and/or perhaps handle this gracefully within the cache +now. + +What we see in this bug is that usercertificate;binary holds the +first certificate value but a user-mod is done with +setattr usercertificate=. Since there is no +usercertificate value (remember, it's usercertificate;binary) +a replace is done and 389-ds wipes the existing value as we've +asked it to. + +I'm not comfortable with simply treating them the same because +in LDAP they are not. + +https://pagure.io/freeipa/issue/8986 + +Signed-off-by: Rob Crittenden +Reviewed-By: Francois Cami +Reviewed-By: Fraser Tweedale +--- + ipapython/ipaldap.py | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py +index f94b784d6..ced8f1bd6 100644 +--- a/ipapython/ipaldap.py ++++ b/ipapython/ipaldap.py +@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient): + entry=None, exception=None): + # idnsname - caching prevents delete when mod value to None + # cospriority - in a Class of Service object, uncacheable +- # TODO - usercertificate was banned at one point and I don't remember +- # why... 
+- BANNED_ATTRS = {'idnsname', 'cospriority'} ++ # usercertificate* - caching subtypes is tricky, trade less ++ # complexity for performance ++ # ++ # TODO: teach the cache about subtypes ++ ++ BANNED_ATTRS = { ++ 'idnsname', ++ 'cospriority', ++ 'usercertificate', ++ 'usercertificate;binary' ++ } + if not self._enable_cache: + return + +-- +2.31.1 + +From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 10 Sep 2021 09:01:48 -0400 +Subject: [PATCH] ipatests: Test that a user can be issued multiple + certificates + +Prevent regressions in the LDAP cache layer that caused newly +issued certificates to overwrite existing ones. + +https://pagure.io/freeipa/issue/8986 + +Signed-off-by: Rob Crittenden +Reviewed-By: Francois Cami +Reviewed-By: Fraser Tweedale +--- + ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 7d51b76ee..b4e85eadc 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -16,6 +16,7 @@ import string + import time + + from ipaplatform.paths import paths ++from ipapython.dn import DN + from cryptography import x509 + from cryptography.x509.oid import ExtensionOID + from cryptography.hazmat.backends import default_backend +@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest): + ) + assert "profile: caServerCert" in result.stdout_text + ++ def test_multiple_user_certificates(self): ++ """Test that a user may be issued multiple certificates""" ++ ldap = self.master.ldap_connect() ++ ++ user = 'user1' ++ ++ tasks.kinit_admin(self.master) ++ tasks.user_add(self.master, user) ++ ++ for id in (0,1): ++ csr_file = f'{id}.csr' ++ key_file = f'{id}.key' ++ cert_file = f'{id}.crt' ++ openssl_cmd = [ ++ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file, ++ '-nodes', '-out', csr_file, 
'-subj', '/CN=' + user] ++ self.master.run_command(openssl_cmd) ++ ++ cmd_args = ['ipa', 'cert-request', '--principal', user, ++ '--certificate-out', cert_file, csr_file] ++ self.master.run_command(cmd_args) ++ ++ # easier to count by pulling the LDAP entry ++ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'), ++ ('cn', 'accounts'), self.master.domain.basedn)) ++ ++ assert len(entry.get('usercertificate')) == 2 ++ + @pytest.fixture + def test_subca_certs(self): + """ +-- +2.31.1 + diff --git a/SOURCES/freeipa-4.9.2.tar.gz.asc b/SOURCES/freeipa-4.9.2.tar.gz.asc deleted file mode 100644 index b84ced9..0000000 --- a/SOURCES/freeipa-4.9.2.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/ -YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J -k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl -JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ -vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8 -YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk -tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1 -rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd -wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi -7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3 -4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO -Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU= -=XC/f ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc new file mode 100644 index 0000000..f71d351 --- /dev/null +++ b/SOURCES/freeipa-4.9.6.tar.gz.asc 
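Review bot: In `test_multiple_user_certificates`, `for id in (0,1):` shadows the builtin `id` and is missing the space after the comma; `for cert_id in (0, 1):` with the three file names derived from `cert_id` reads cleaner. The final check `assert len(entry.get('usercertificate')) == 2` raises `TypeError` instead of an assertion failure when the attribute is absent; `entry.get('usercertificate', [])` gives a clean failure message. In the ipaldap.py hunk, `BANNED_ATTRS` is rebuilt as a set literal on every call and could be a module- or class-level constant; and since LDAP attribute names are case-insensitive, it is worth confirming that the comparison against it (outside the hunk) lowercases the attribute name first, otherwise `userCertificate;binary` would bypass the ban the commit intends. The enclosing method starts and ends outside the hunk.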
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/ +Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN +1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w +qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO +J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5 +Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX +liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1 +BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou +BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw +u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr +4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+ +RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY= +=TQFs +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 99de2e5..d45b5f0 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -2,7 +2,7 @@ %bcond_without ipatests # default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml # On RHEL 8 we should use --with ipa_join_xml -%bcond_without ipa_join_xml +%bcond_with ipa_join_xml # Linting is disabled by default, needed for upstream testing %bcond_with lint @@ -49,9 +49,9 @@ # lint is not executed during rpmbuild # %%global with_lint 1 %if %{with lint} - %global linter_options --enable-pylint --with-jslint + %global linter_options --enable-pylint --without-jslint --enable-rpmlint %else - %global linter_options --disable-pylint --without-jslint + %global linter_options --disable-pylint --without-jslint --disable-rpmlint %endif # Include SELinux subpackage 
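Review bot: The default is flipped to `%bcond_with ipa_join_xml`, but the comment directly above still reads `# On RHEL 8 we should use --with ipa_join_xml`, which now contradicts the RHEL 8 default this spec sets, and the Rawhide line above it is equally stale in a downstream spec. Suggest replacing those two comment lines with `# ipa-join uses JSON-RPC by default; --with ipa_join_xml switches it back to XML-RPC`, if that is the intended meaning of the bcond. Without that, the next maintainer cannot tell whether the flip or the comment is the mistake.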
@@ -73,10 +73,13 @@ %global selinux_policy_version 3.14.3-52 %global slapi_nis_version 0.56.4 %global python_ldap_version 3.1.0-1 -# python3-lib389 -# Fix for "Installation fails: Replica Busy" -# https://pagure.io/389-ds-base/issue/49818 -%global ds_version 1.4.2.4-6 +%if 0%{?rhel} < 9 +# Bug 1929067 - PKI instance creation failed with new 389-ds-base build +%global ds_version 1.4.3.16-12 +%else +%global ds_version 2.0.3-3 +%endif + # Fix for TLS 1.3 PHA, RHBZ#1775158 %global httpd_version 2.4.37-21 %global bind_version 9.11.20-6 @@ -101,9 +104,13 @@ # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 %global python_ldap_version 3.1.0-1 -# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry -# https://pagure.io/freeipa/issue/8515 -%global ds_version 1.4.3 + +# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609 +%if 0%{?fedora} < 34 +%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])} +%else +%global ds_version 2.0.4-1 +%endif # Fix for TLS 1.3 PHA, RHBZ#1775146 %global httpd_version 2.4.41-9 @@ -126,13 +133,11 @@ %endif %if 0%{?rhel} == 8 -# PKIConnection has been modified to always validate certs. -# https://pagure.io/freeipa/issue/8379 -%global pki_version 10.9.0-0.4 +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 %else -# New KRA profile, ACME support -# https://pagure.io/freeipa/issue/8545 -%global pki_version 10.10.0-2 +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 %endif # RHEL 8.3+, F32+ has 0.79.13 
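Review bot: The Lua table in the `%if 0%{?fedora} < 34` branch only has entries for `32` and `33`; for any other value (including an undefined `%{fedora}`, since `0 < 34` is true) `print(v[...])` emits the string `nil`, so `ds_version` becomes `nil` and, because rpm's version compare ranks a purely alphabetic segment below a numeric one, `389-ds-base >= %{ds_version}` would be satisfied by any installed build. If this branch is only ever reached on Fedora 32 and 33 that is harmless today, but explicit `%if 0%{?fedora} == 32` / `%if 0%{?fedora} == 33` blocks with an `%{error:unsupported Fedora release}` fallback would make the intent visible and fail loudly otherwise. In the following hunk both `pki_version` branches now set the identical value `10.10.5` with identical comments, so the `%if 0%{?rhel} == 8` / `%else` can collapse to a single `%global`.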
@@ -155,6 +160,16 @@ %global systemd_version 239 %endif +# augeas support for new chrony options +# see https://pagure.io/freeipa/issue/8676 +# Note: will need to be updated for RHEL9 when a fix is available for +# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 +%if 0%{?fedora} >= 33 +%global augeas_version 1.12.0-6 +%else +%global augeas_version 1.12.0-3 +%endif + %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa @@ -163,7 +178,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.2 +%define IPA_VERSION 4.9.6 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -176,7 +191,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
@@ -196,22 +211,24 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch -Patch0002: 0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch -Patch0003: 0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch -Patch0004: 0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch -Patch0005: 0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch -Patch0006: 0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch -Patch0007: 0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch -Patch0008: 0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch -Patch0009: 0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch -Patch0010: 0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch +Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch +Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch +Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch +Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch +Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch +Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch +Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch +Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch +Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch +Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch +Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch +Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch 
+Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif # RHEL spec file only: END - # For the timestamp trick in patch application BuildRequires: diffstat @@ -315,7 +332,10 @@ BuildRequires: python3-m2r # %if %{with lint} BuildRequires: git +%if 0%{?fedora} < 34 +# jsl is orphaned in Fedora 34+ BuildRequires: jsl +%endif BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm @@ -347,12 +367,8 @@ BuildRequires: python3-polib BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-pycodestyle -%if 0%{?fedora} || 0%{?rhel} > 8 -# https://bugzilla.redhat.com/show_bug.cgi?id=1648299 -BuildRequires: python3-pylint >= 2.1.1-2 -%else -BuildRequires: python3-pylint >= 1.7 -%endif +# .wheelconstraints.in limits pylint version in Azure and tox tests +BuildRequires: python3-pylint BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder BuildRequires: python3-qrcode-core >= 5.0.0 @@ -439,7 +455,12 @@ Requires(pre): certmonger >= %{certmonger_version} Requires(pre): 389-ds-base >= %{ds_version} Requires: fontawesome-fonts Requires: open-sans-fonts +%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9 +# https://pagure.io/freeipa/issue/8632 +Requires: openssl > 1.1.1i +%else Requires: openssl +%endif Requires: softhsm >= 2.0.0rc1-1 Requires: p11-kit Requires: %{etc_systemd_dir} @@ -491,6 +512,7 @@ Requires: %{name}-common = %{version}-%{release} # we need pre-requires since earlier versions may break upgrade Requires(pre): python3-ldap >= %{python_ldap_version} Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} Requires: python3-custodia >= 0.3.1 Requires: python3-dbus Requires: python3-dns >= 1.15 
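Review bot: The patch list grows from Patch0001–0010 to Patch0001–0013, but no hunk in this diff touches `%prep` (the hunks jump from spec line 803 straight to the changelog at 1680); if patches are applied there by explicit number rather than `%autopatch`/`%autosetup`, the three new entries 0011–0013 need matching application lines. The context line `# For the timestamp trick in patch application` right after the list suggests a hand-rolled application sequence whose bounds should be checked against the new count. The `%if %{NON_DEVELOPER_BUILD}` / `%if 0%{?rhel} >= 8` block enclosing the list is fully inside the hunk.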
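Review bot: The new guard `%if 0%{?fedora} < 34` around `BuildRequires: jsl` is also true on RHEL, where `%fedora` is undefined and `0%{?fedora}` evaluates to 0, so jsl stays a build requirement there — presumably intended, since the old line was unconditional, but the comment `# jsl is orphaned in Fedora 34+` only describes the Fedora side. Extending it to `# jsl is orphaned in Fedora 34+; still required on older Fedora and on RHEL` makes the intent explicit for the next reader.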
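Review bot: Dropping the pylint floor is justified with `# .wheelconstraints.in limits pylint version in Azure and tox tests`, but that constraint file applies to the Azure and tox environments, not to the rpm `%{with lint}` build path where this `BuildRequires: python3-pylint` is evaluated, so the rpm lint stage now accepts whatever python3-pylint the buildroot provides. If the lint run still depends on the behaviour the removed `>= 2.1.1-2` floor (bugzilla 1648299) guarded, keep a floor such as `BuildRequires: python3-pylint >= 2.1.1-2`; otherwise reword the comment to state that the rpm lint stage is intentionally unpinned.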
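Review bot: The new `Requires: openssl > 1.1.1i` floor for issue 8632 is expressed only for Fedora ≥ 32 and RHEL ≥ 9, while the `%else` arm (RHEL 8) keeps an unversioned `Requires: openssl` with no comment on why the floor does not apply there. Since this floor exists because of a specific openssl fix, a one-line comment on the `%else` branch recording the reason RHEL 8 is excluded — presumably that the fix reaches RHEL 8 through the distro's own openssl release rather than an upstream version bump, though the hunk does not say — would keep the next maintainer from silently re-adding or dropping it.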
@@ -526,8 +548,8 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= %{httpd_version} Requires: systemd-units >= %{systemd_version} Requires: custodia >= 0.3.1 -%if 0%{?rhel} >= 8 -Requires: redhat-logos-ipa >= 80.4 +%if 0%{?rhel} >= 8 && ! 0%{?eln} +Requires: system-logos-ipa >= 80.4 %endif Provides: %{alt_name}-server-common = %{version} @@ -581,6 +603,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: samba >= %{samba_version} Requires: samba-winbind +Requires: sssd-winbind-idmap Requires: libsss_idmap %if 0%{?rhel} Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 @@ -645,6 +668,11 @@ Requires: nfs-utils Requires: sssd-tools >= %{sssd_version} Requires(post): policycoreutils +# https://pagure.io/freeipa/issue/8530 +Recommends: libsss_sudo +Recommends: sudo +Requires: (libsss_sudo if sudo) + Provides: %{alt_name}-client = %{version} Conflicts: %{alt_name}-client Obsoletes: %{alt_name}-client < %{version} @@ -709,6 +737,7 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} Requires: python3-dns >= 1.15 Requires: python3-jinja2 @@ -803,7 +832,7 @@ Requires: python3-requests Requires: python3-six Requires: python3-sss-murmur Requires: python3-yubico >= 1.3.2-7 -%if 0%{?rhel} && 0%{?rhel} >= 8 +%if 0%{?rhel} && 0%{?rhel} == 8 Requires: platform-python-setuptools %else Requires: python3-setuptools 
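Review bot: The new sudo block in the client package only cites the issue number; the intent — sudo remains optional on a client, but whenever sudo is installed libsss_sudo must be present so sudo can consult SSSD for the centrally managed rules — belongs in the comment, e.g. `# sudo is optional, but if sudo is installed libsss_sudo is required so sudo can consult SSSD (https://pagure.io/freeipa/issue/8530)`. Note that the two `Recommends:` lines are dropped when weak dependencies are disabled, so `Requires: (libsss_sudo if sudo)` is the line doing the enforcement; that rich dependency needs rpm rich-dependency support, which the `%if 0%{?rhel} >= 8` gating elsewhere in this spec implies is available.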
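Review bot: In `%if 0%{?rhel} && 0%{?rhel} == 8` the first operand is redundant — `0%{?rhel} == 8` already implies `%rhel` is defined — so the condition can read `%if 0%{?rhel} == 8`, matching the form already used in this spec for `pki_version`. The narrowing from `>= 8` to `== 8` also changes what RHEL 9 gets (`python3-setuptools` instead of `platform-python-setuptools`), which the changelog hunk does not mention; a comment such as `# only RHEL 8 uses platform-python-setuptools; RHEL 9+ and Fedora use python3-setuptools` would capture that.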
@@ -1680,16 +1709,76 @@ fi %changelog -* Fri Mar 19 2021 Thomas Woerner - 4.9.2-3 -- ipa-client-install displays false message - 'sudo binary does not seem to be present on this system' - Resolves: RHBZ#1939371 - -* Thu Mar 4 2021 Thomas Woerner - 4.9.2-2 -- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch - Resolves: RHBZ#1932289 -- Fix krb5kdc is crashing intermittently on IPA server - Resolves: RHBZ#1932784 +* Fri Sep 17 2021 Thomas Woerner - 4.9.6-6 +- Don't store entries with a usercertificate in the LDAP cache + Resolves: RHBZ#1999893 + +* Mon Sep 13 2021 Thomas Woerner - 4.9.6-5 +- Catch and log errors when adding CA profiles + Resolves: RHBZ#1999142 +- selinux policy: allow custodia to access /proc/cpuinfo + Resolves: RHBZ#1998129 +- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT + Resolves: RHBZ#2000263 +- ipa migrate-ds command fails to warn when compat plugin is enabled + Resolves: RHBZ#1999992 +- Backport latest test fixes in python3-ipatests + Resolves: RHBZ#2000553 + +* Thu Jul 22 2021 Thomas Woerner - 4.9.6-4 +- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL + Resolves: RHBZ#1982956 + +* Thu Jul 15 2021 Thomas Woerner - 4.9.6-3 +- man page: update ipa-server-upgrade.1 + Resolves: RHBZ#1973273 +- Fall back to krbprincipalname when validating host auth indicators + Resolves: RHBZ#1979625 +- Add dependency for sssd-winbind-idmap to server-trust-ad + Resolves: RHBZ#1982211 + +* Thu Jul 8 2021 Thomas Woerner - 4.9.6-2 +- IPA server in debug mode fails to run because time.perf_counter_ns is + Python 3.7+ + Resolves: RHBZ#1974822 +- Add checks to prevent assigning authentication indicators to internal IPA + services + Resolves: RHBZ#1979625 +- Unable to set ipaUserAuthType with stageuser-add + Resolves: RHBZ#1979605 + +* Thu Jul 1 2021 Thomas Woerner - 4.9.6-1 +- Upstream release FreeIPA 4.9.6 + Related: RHBZ#1945038 +- Revise PKINIT upgrade code + Resolves: RHBZ#1886837 +- ipa-cert-fix man page: add note 
about certmonger renewal + Resolves: RHBZ#1780317 +- Certificate Serial Number issue + Resolves: RHBZ#1919384 + +* Mon Jun 14 2021 Thomas Woerner - 4.9.5-1 +- Upstream release FreeIPA 4.9.5 + Related: RHBZ#1945038 +- IPA to allow setting a new range type + Resolves: RHBZ#1688267 +- ipa-server-install displays debug output when --debug output is not + specified. + Resolves: RHBZ#1943151 +- ACME fails to generate a cert on migrated RHEL8.4 server + Resolves: RHBZ#1934991 +- Switch ipa-client to use the JSON API + Resolves: RHBZ#1937856 +- IDM - Allow specifying permanent logging settings for BIND + Resolves: RHBZ#1951511 +- Cache LDAP data within a request + Resolves: RHBZ#1953656 +- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 + Resolves: RHBZ#1957768 + +* Wed Mar 31 2021 Thomas Woerner - 4.9.3-1 +- Upstream release FreeIPA 4.9.3 + Resolves: RHBZ#1945038 * Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-1 - Upstream release FreeIPA 4.9.2