diff --git a/SOURCES/0046-Find-orphan-automember-rules.patch b/SOURCES/0046-Find-orphan-automember-rules.patch
new file mode 100644
index 0000000..66d5136
--- /dev/null
+++ b/SOURCES/0046-Find-orphan-automember-rules.patch
@@ -0,0 +1,214 @@ +From b78abe934c6c0038f74dd9e52309f61854d86469 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner +Date: Mon, 1 Oct 2018 11:58:26 +0100 +Subject: [PATCH] Find orphan automember rules + +If groups or hostgroups have been removed after automember rules have been +created using them, then automember-rebuild, automember-add, host-add and +more commands could fail. + +A new command has been added to the ipa tool: + + ipa automember-find-orphans --type={hostgroup,group} [--remove] + +This command retuns the list of orphan automember rules in the same way as +automember-find. With the --remove option the orphan rules are also removed. + +The IPA API version has been increased and a test case has been added. + +Using ideas from a patch by: Rob Crittenden + +See: https://pagure.io/freeipa/issue/6476 +Signed-off-by: Thomas Woerner +Reviewed-By: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Florence Blanc-Renaud +--- + API.txt | 15 +++++ + VERSION.m4 | 4 +- + ipaserver/plugins/automember.py | 60 +++++++++++++++++++ + .../test_xmlrpc/test_automember_plugin.py | 48 +++++++++++++++ + 4 files changed, 125 insertions(+), 2 deletions(-) + +diff --git a/API.txt b/API.txt +index 0e09e58a6ecaa4f724fb0c92b4faaf64df9fab5a..b9dc35fb5752ce04f58aa8c4c3e89c7299f34cd7 100644 +--- a/API.txt ++++ b/API.txt +@@ -186,6 +186,20 @@ output: Output('count', type=[]) + output: ListOfEntries('result') + output: Output('summary', type=[, ]) + output: Output('truncated', type=[]) ++command: automember_find_orphans/1 ++args: 1,7,4 ++arg: Str('criteria?') ++option: Flag('all', autofill=True, cli_name='all', default=False) ++option: Str('description?', autofill=False, cli_name='desc') ++option: Flag('pkey_only?', autofill=True, default=False) ++option: Flag('raw', autofill=True, cli_name='raw', default=False) ++option: Flag('remove?', autofill=True, default=False) ++option: StrEnum('type', values=[u'group', u'hostgroup']) ++option: Str('version?') ++output: 
Output('count', type=[]) ++output: ListOfEntries('result') ++output: Output('summary', type=[, ]) ++output: Output('truncated', type=[]) + command: automember_mod/1 + args: 1,9,3 + arg: Str('cn', cli_name='automember_rule') +@@ -6498,6 +6512,7 @@ default: automember_default_group_set/1 + default: automember_default_group_show/1 + default: automember_del/1 + default: automember_find/1 ++default: automember_find_orphans/1 + default: automember_mod/1 + default: automember_rebuild/1 + default: automember_remove_condition/1 +diff --git a/VERSION.m4 b/VERSION.m4 +index 81e671ed60f2ada0766b06db879c706cf7c4c77a..7ebf3410c8a688577f1fabc37d65b128e47418a6 100644 +--- a/VERSION.m4 ++++ b/VERSION.m4 +@@ -82,8 +82,8 @@ define(IPA_DATA_VERSION, 20100614120000) + # # + ######################################################## + define(IPA_API_VERSION_MAJOR, 2) +-define(IPA_API_VERSION_MINOR, 229) +-# Last change: Added the Certificate parameter ++define(IPA_API_VERSION_MINOR, 230) ++# Last change: Added `automember-find-orphans' command + + + ######################################################## +diff --git a/ipaserver/plugins/automember.py b/ipaserver/plugins/automember.py +index 1e29f365784695c2cf1947f62351d99d7da0515d..3f48769f588f8db03caf65e7bc1206047796f63e 100644 +--- a/ipaserver/plugins/automember.py ++++ b/ipaserver/plugins/automember.py +@@ -116,6 +116,11 @@ EXAMPLES: + """) + _(""" + Find all of the automember rules: + ipa automember-find ++""") + _(""" ++ Find all of the orphan automember rules: ++ ipa automember-find-orphans --type=hostgroup ++ Find all of the orphan automember rules and remove them: ++ ipa automember-find-orphans --type=hostgroup --remove + """) + _(""" + Display a automember rule: + ipa automember-show --type=hostgroup webservers +@@ -820,3 +825,58 @@ class automember_rebuild(Method): + result=result, + summary=unicode(summary), + value=pkey_to_value(None, options)) ++ ++ ++@register() ++class automember_find_orphans(LDAPSearch): ++ __doc__ = _(""" 
++ Search for orphan automember rules. The command might need to be run as ++ a privileged user user to get all orphan rules. ++ """) ++ takes_options = group_type + ( ++ Flag( ++ 'remove?', ++ doc=_("Remove orphan automember rules"), ++ ), ++ ) ++ ++ msg_summary = ngettext( ++ '%(count)d rules matched', '%(count)d rules matched', 0 ++ ) ++ ++ def execute(self, *keys, **options): ++ results = super(automember_find_orphans, self).execute(*keys, ++ **options) ++ ++ remove_option = options.get('remove') ++ pkey_only = options.get('pkey_only', False) ++ ldap = self.obj.backend ++ orphans = [] ++ for entry in results["result"]: ++ am_dn_entry = entry['automembertargetgroup'][0] ++ # Make DN for --raw option ++ if not isinstance(am_dn_entry, DN): ++ am_dn_entry = DN(am_dn_entry) ++ try: ++ ldap.get_entry(am_dn_entry) ++ except errors.NotFound: ++ if pkey_only: ++ # For pkey_only remove automembertargetgroup ++ del(entry['automembertargetgroup']) ++ orphans.append(entry) ++ if remove_option: ++ ldap.delete_entry(entry['dn']) ++ ++ results["result"][:] = orphans ++ results["count"] = len(orphans) ++ return results ++ ++ def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, ++ **options): ++ assert isinstance(base_dn, DN) ++ scope = ldap.SCOPE_SUBTREE ++ ndn = DN(('cn', options['type']), base_dn) ++ if options.get('pkey_only', False): ++ # For pkey_only add automembertargetgroup ++ attrs_list.append('automembertargetgroup') ++ return filters, ndn, scope +diff --git a/ipatests/test_xmlrpc/test_automember_plugin.py b/ipatests/test_xmlrpc/test_automember_plugin.py +index ffbc91104ab504a98099babb024f9edab114ac5b..c83e11ac9410ce07a431f818bda79a34fcc3b180 100644 +--- a/ipatests/test_xmlrpc/test_automember_plugin.py ++++ b/ipatests/test_xmlrpc/test_automember_plugin.py +@@ -715,3 +715,51 @@ class TestMultipleAutomemberConditions(XMLRPC_test): + + defaultgroup1.ensure_missing() + defaulthostgroup1.ensure_missing() ++ ++ ++@pytest.mark.tier1 ++class 
TestAutomemberFindOrphans(XMLRPC_test): ++ def test_create_deps_for_find_orphans(self, hostgroup1, host1, ++ automember_hostgroup): ++ """ Create host, hostgroup, and automember tracker for this class ++ of tests. """ ++ ++ # Create hostgroup1 and automember rule with condition ++ hostgroup1.ensure_exists() ++ host1.ensure_exists() ++ ++ # Manually create automember rule and condition, racker will try to ++ # remove the automember rule in the end, which is failing as the rule ++ # is already removed ++ api.Command['automember_add'](hostgroup1.cn, type=u'hostgroup') ++ api.Command['automember_add_condition']( ++ hostgroup1.cn, ++ key=u'fqdn', type=u'hostgroup', ++ automemberinclusiveregex=[hostgroup_include_regex] ++ ) ++ ++ hostgroup1.retrieve() ++ ++ def test_find_orphan_automember_rules(self, hostgroup1): ++ """ Remove hostgroup1, find and remove obsolete automember rules. """ ++ # Remove hostgroup1 ++ ++ hostgroup1.ensure_missing() ++ ++ # Find obsolete automember rules ++ result = api.Command['automember_find_orphans'](type=u'hostgroup') ++ assert result['count'] == 1 ++ ++ # Find and remove obsolete automember rules ++ result = api.Command['automember_find_orphans'](type=u'hostgroup', ++ remove=True) ++ assert result['count'] == 1 ++ ++ # Find obsolete automember rules ++ result = api.Command['automember_find_orphans'](type=u'hostgroup') ++ assert result['count'] == 0 ++ ++ # Final cleanup of automember rule if it still exists ++ with raises_exact(errors.NotFound( ++ reason=u'%s: Automember rule not found' % hostgroup1.cn)): ++ api.Command['automember_del'](hostgroup1.cn, type=u'hostgroup') +-- +2.17.2 + diff --git a/SOURCES/0047-Add-a-shared-vault-retrieve-test.patch b/SOURCES/0047-Add-a-shared-vault-retrieve-test.patch new file mode 100644 index 0000000..ba6a17b --- /dev/null +++ b/SOURCES/0047-Add-a-shared-vault-retrieve-test.patch 
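Review bot: In `automember_find_orphans.execute`, a rule is classified as orphan — and with `--remove` deleted — whenever `ldap.get_entry(am_dn_entry)` raises `NotFound`, but a target group that exists yet is hidden from the caller by ACIs produces the same `NotFound`, so a caller holding delete rights on automember rules but restricted read on groups or hostgroups could remove live rules. The docstring only warns about the opposite failure ("might need to be run as a privileged user user", with the doubled word); it should state the false-positive side too, e.g. `The command must be run as a privileged user: a target group the caller cannot read is indistinguishable from a missing one and is reported (and with --remove, deleted) as an orphan.` Two smaller points: `entry['automembertargetgroup'][0]` raises `KeyError` for a rule entry that lacks the attribute, where `entry.get('automembertargetgroup')` with a `continue` would be safer, and `results['truncated']` is left as the underlying search computed it although the result list is filtered afterwards.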
@@ -0,0 +1,113 @@ +From 107e20a158c867a52eadb0d65982ce2f7f3ce699 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 20 Nov 2018 17:05:30 +0100 +Subject: [PATCH] Add a shared-vault-retrieve test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add a shared-vault-retrieve test when: +* master has KRA installed +* replica has no KRA +This currently fails because of issue#7691 + +Related-to: https://pagure.io/freeipa/issue/7691 +Signed-off-by: François Cami +Reviewed-By: Christian Heimes +--- + ipatests/test_integration/test_vault.py | 65 ++++++++++++++++++++++++- + 1 file changed, 64 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py +index 496ccb1bbdd06407e9b356ac210f639436312a22..c3465799ff933ae175684ade83b4bf276b921a96 100644 +--- a/ipatests/test_integration/test_vault.py ++++ b/ipatests/test_integration/test_vault.py +@@ -20,14 +20,17 @@ class TestInstallKRA(IntegrationTest): + + vault_password = "password" + vault_data = "SSBsb3ZlIENJIHRlc3RzCg==" ++ vault_user = "vault_user" ++ vault_user_password = "vault_user_password" + vault_name_master = "ci_test_vault_master" + vault_name_master2 = "ci_test_vault_master2" + vault_name_master3 = "ci_test_vault_master3" + vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra" ++ shared_vault_name_replica_without_KRA = ("ci_test_shared" ++ "_vault_replica_without_kra") + vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra" + vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled" + +- + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_kra=True) +@@ -89,6 +92,66 @@ class TestInstallKRA(IntegrationTest): + + self._retrieve_secret([self.vault_name_replica_without_KRA]) + ++ def test_create_and_retrieve_shared_vault_replica_without_kra(self): ++ # create vault ++ self.replicas[0].run_command([ ++ "ipa", 
"vault-add", ++ self.shared_vault_name_replica_without_KRA, ++ "--shared", ++ "--type", "standard", ++ ]) ++ ++ # archive secret ++ self.replicas[0].run_command([ ++ "ipa", "vault-archive", ++ self.shared_vault_name_replica_without_KRA, ++ "--shared", ++ "--data", self.vault_data, ++ ]) ++ time.sleep(WAIT_AFTER_ARCHIVE) ++ ++ # add non-admin user ++ self.replicas[0].run_command([ ++ 'ipa', 'user-add', self.vault_user, ++ '--first', self.vault_user, ++ '--last', self.vault_user, ++ '--password'], ++ stdin_text=self.vault_user_password) ++ ++ # add it to vault ++ self.replicas[0].run_command([ ++ "ipa", "vault-add-member", ++ self.shared_vault_name_replica_without_KRA, ++ "--shared", ++ "--users", self.vault_user, ++ ]) ++ ++ self.replicas[0].run_command([ ++ 'kdestroy', '-A']) ++ ++ user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password, ++ self.vault_user_password, ++ self.vault_user_password) ++ ++ self.replicas[0].run_command([ ++ 'kinit', self.vault_user], ++ stdin_text=user_kinit) ++ ++ # TODO: possibly refactor with: ++ # self._retrieve_secret([self.vault_name_replica_without_KRA]) ++ ++ self.replicas[0].run_command([ ++ "ipa", "vault-retrieve", ++ "--shared", ++ self.shared_vault_name_replica_without_KRA, ++ "--out=test.txt"]) ++ ++ self.replicas[0].run_command([ ++ 'kdestroy', '-A']) ++ ++ tasks.kinit_admin(self.replicas[0]) ++ ++ + def test_create_and_retrieve_vault_replica_with_kra(self): + + # install KRA on replica +-- +2.17.2 + diff --git a/SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch b/SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch new file mode 100644 index 0000000..26f61fb --- /dev/null +++ b/SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch 
@@ -0,0 +1,35 @@ +From 93b58fdbcf1da0a952386e6c8f4e20c344db903c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 21 Nov 2018 00:01:02 +0100 +Subject: [PATCH] Add a "Find enabled services" ACI in 20-aci.update so that + all users can find IPA servers and services. ACI suggested by Christian + Heimes. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: https://pagure.io/freeipa/issue/7691 +Signed-off-by: François Cami +Reviewed-By: Christian Heimes +--- + install/updates/20-aci.update | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update +index 184749d78106c30fdf542c1fe1c52cb11b53a83e..7650cb48101d866b3a094ec9ab11378de4f68232 100644 +--- a/install/updates/20-aci.update ++++ b/install/updates/20-aci.update +@@ -36,6 +36,10 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea + dn: cn=masters,cn=ipa,cn=etc,$SUFFIX + add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";) + ++# Allow users to discover enabled services ++dn: cn=masters,cn=ipa,cn=etc,$SUFFIX ++add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";) ++ + # Allow hosts to read masters service configuration + dn: cn=masters,cn=ipa,cn=etc,$SUFFIX + add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";) +-- +2.17.2 + 
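Review bot: The new "Find enabled services" ACI grants every authenticated principal (`ldap:///all` is bound users, not anonymous) read/search/compare on the whole `ipaConfigString` attribute of any entry under cn=masters carrying `enabledService`, so it discloses not just that a service is enabled but every other value stored in that attribute on those entries, presumably including role markers that identify which master holds a given role. If that exposure is intended it deserves a comment next to the ACI, e.g. `# NOTE: exposes all ipaConfigString values of enabled service entries to authenticated users, not only the enabledService flag`. The new line also uses `targetattrs` where the two neighbouring ACIs use `targetattr`; confirm the 389-ds ACI parser accepts the plural spelling, otherwise align the keyword so the ACI is not rejected when the update file is applied.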
diff --git a/SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch b/SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
new file mode 100644
index 0000000..0959ec1
--- /dev/null
+++ b/SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
@@ -0,0 +1,48 @@ +From 896c438f1dd7e4aa316503fbf68fef13963d7463 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 22 Nov 2018 18:31:38 +0100 +Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for + IPACertificate + +ipa user-find --certificate and ipa host-find --certificate +fail to return matching entries, because the method transforming +the attribute into a LDAP filter does not properly handle +IPACertificate objects. +Directory Server logs show a filter with +(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>) + +When the attribute contains a cryptography.x509.Certificate, +the method needs to extract the public bytes instead of calling str(value). + +Fixes https://pagure.io/freeipa/issue/7770 + +Reviewed-By: Christian Heimes +Reviewed-By: Christian Heimes +--- + ipapython/ipaldap.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py +index 53fdf4967868961effea7f3f64dfb3c0edfc75f3..a44246e3ee0de5a78de77a593718ecad1aaa0f67 100644 +--- a/ipapython/ipaldap.py ++++ b/ipapython/ipaldap.py +@@ -36,6 +36,7 @@ from six.moves.urllib.parse import urlparse + # pylint: enable=import-error + + from cryptography import x509 as crypto_x509 ++from cryptography.hazmat.primitives import serialization + + import ldap + import ldap.sasl +@@ -1276,6 +1277,8 @@ class LDAPClient(object): + ] + return cls.combine_filters(flts, rules) + elif value is not None: ++ if isinstance(value, crypto_x509.Certificate): ++ value = value.public_bytes(serialization.Encoding.DER) + if isinstance(value, bytes): + value = binascii.hexlify(value).decode('ascii') + # value[-2:0] is empty string for the initial '\\' +-- +2.17.2 + diff --git a/SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch b/SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch new file mode 100644 index 0000000..0e5cfd3 --- /dev/null 
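Review bot: The new `isinstance(value, crypto_x509.Certificate)` branch in `LDAPClient`'s filter-building method (its name and the start of its body are outside the hunk) depends on being evaluated before the `bytes` check and on the previous `str(value)` fallthrough being the bug, but nothing in the code records that; add `# certificates must be matched by their DER bytes; str() would produce the object repr` above it. The fix only covers the `value is not None` path, while the multi-value path that builds `flts` and calls `combine_filters` sits just above the hunk — confirm it recurses into this same branch so `--certificate` with several values is also DER-encoded rather than stringified.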
+++ b/SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch 
@@ -0,0 +1,86 @@ +From 489ac5a5da034394c09043d6c26700e4ae049b78 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 23 Nov 2018 10:23:40 +0100 +Subject: [PATCH] ipatests: add xmlrpc test for user|host-find --certificate + +There were no xmlrpc tests for ipa user-find --certificate +or ipa host-find --certificate. +The commit adds tests for these commands. + +Related to https://pagure.io/freeipa/issue/7770 + +Reviewed-By: Christian Heimes +Reviewed-By: Christian Heimes +--- + ipatests/test_xmlrpc/test_host_plugin.py | 5 ++++ + ipatests/test_xmlrpc/test_user_plugin.py | 31 ++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py +index 8255296d1794bfa19c1f4642bb4bfb9212567b1e..1bcc90b0c48c811356ec93813834d6aa6805a921 100644 +--- a/ipatests/test_xmlrpc/test_host_plugin.py ++++ b/ipatests/test_xmlrpc/test_host_plugin.py +@@ -251,6 +251,11 @@ class TestCRUD(XMLRPC_test): + valid_not_after=fuzzy_date, + )) + host.retrieve() ++ # test host-find with --certificate ++ command = host.make_find_command( ++ fqdn=host.fqdn, usercertificate=host_cert) ++ res = command()['result'] ++ assert len(res) == 1 + + def test_try_rename(self, host): + host.ensure_exists() +diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py +index af825f79daf21720e164dd8cd01576167fb440c4..8e54d04bd79888c447368250c3a2e182029a3b44 100644 +--- a/ipatests/test_xmlrpc/test_user_plugin.py ++++ b/ipatests/test_xmlrpc/test_user_plugin.py +@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/user.py` module. 
+ """ + + import pytest ++import base64 + import datetime + import ldap + import re +@@ -220,6 +221,36 @@ class TestUser(XMLRPC_test): + user.check_update(result) + user.delete() + ++ def test_find_cert(self, user): ++ """ Add a usercertificate and perform a user-find --certificate """ ++ user_cert = ( ++ u"MIICszCCAZugAwIBAgICM24wDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n" ++ "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjUyOVoXDTE3M\r\n" ++ "DQxOTEwMjUyOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTEwggEiMA0GCSqGSI\r\n" ++ "b3DQEBAQUAA4IBDwAwggEKAoIBAQCq03FRQQBvq4HwYMKP8USLZuOkKzuIs2V\r\n" ++ "Pt8k/+nO1dADrzMogKDiUDjCwYoG2UM/sj6P+PJUUCNDLh5eRRI+aR5VE5y2a\r\n" ++ "K95iCsj1ByDWrugAUXgr8GUUr+UbaGc0XxHCMnQBkYhzbXY3u91KYRRh5l3lx\r\n" ++ "RSICcVeJFJ/tiMS14Vsor1DWykHGz1wm0Zjwg1XDV3oea+uwrSz5Pa6RNPlgC\r\n" ++ "+GGW6B7+8qC2XdSSEwvY7y1SAGgqyOxN/FLwvqqMDNU0uX7fww587uZ57IfYz\r\n" ++ "b8Xn5DAprRFNk40FDc46rMlkPBT+Tij1I0jedD8h2e6WEa7JRU6SGToYDbRm4\r\n" ++ "RL9xAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHqm1jXzYer9oSjYs9qh1jWpM\r\n" ++ "vTcN+0/z1uuX++Wezh3lG7IzYtypbZNxlXDECyrkUh+9oxzMJqdlZ562ko2br\r\n" ++ "uK6X5csbbM9uVsUva8NCsPPfZXDhrYaMKFvQGFY4pO3uhFGhccob037VN5Ifm\r\n" ++ "aKGM8aJ40cw2PQh38QPDdemizyVCThQ9Pcr+WgWKiG+t2Gd9NldJRLEhky0bW\r\n" ++ "2fc4zWZVbGq5nFXy1k+d/bgkHbVzf255eFZOKKy0NgZwig+uSlhVWPJjS4Z1w\r\n" ++ "LbpBKxTZp/xD0yEARs0u1ZcCELO/BkgQM50EDKmahIM4mdCs/7j1B/DdWs2i3\r\n" ++ "5lnbjxYYiUiyA=") ++ user.ensure_exists() ++ user.update(dict(usercertificate=user_cert), ++ expected_updates=dict( ++ usercertificate=[base64.b64decode(user_cert)]) ++ ) ++ command = user.make_find_command(uid=user.name, ++ usercertificate=user_cert) ++ res = command()['result'] ++ assert len(res) == 1 ++ user.delete() ++ + + @pytest.mark.tier1 + class TestFind(XMLRPC_test): +-- +2.17.2 + diff --git a/SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch b/SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch new file mode 100644 index 0000000..193aaa0 --- /dev/null 
+++ b/SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch 
@@ -0,0 +1,51 @@ +From 086611271c4dfbbf47e76e666142327bf950a9ca Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 26 Nov 2018 14:15:12 +0100 +Subject: [PATCH] ipa upgrade: handle double-encoded certificates + +Issue is linked to the ticket + #3477 LDAP upload CA cert sometimes double-encodes the value +In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice +the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN. + +The fix for 3477 is only partial as it prevents double-encoding when a +new cert is uploaded but does not fix wrong values already present in LDAP. + +With this commit, the code first tries to read a der cert. If it fails, +it logs a debug message and re-writes the value caCertificate;binary +to repair the entry. + +Fixes https://pagure.io/freeipa/issue/7775 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Christian Heimes +--- + ipaserver/install/plugins/upload_cacrt.py | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py +index 68d43caa76eb67093745658d20a39700adbd16c6..dc58f0863182ccb92d9fed6aa5f1c2546404b598 100644 +--- a/ipaserver/install/plugins/upload_cacrt.py ++++ b/ipaserver/install/plugins/upload_cacrt.py +@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater): + entry.single_value['cACertificate;binary'] = ca_cert + ldap.add_entry(entry) + else: +- if b'' in entry['cACertificate;binary']: ++ force_write = False ++ try: ++ _cert_bin = entry['cACertificate;binary'] ++ except ValueError: ++ # BZ 1644874 ++ # sometimes the cert is badly stored, twice encoded ++ # force write to fix the value ++ logger.debug('Fixing the value of cACertificate;binary ' ++ 'in entry %s', entry.dn) ++ force_write = True ++ ++ if force_write or b'' in entry['cACertificate;binary']: + entry.single_value['cACertificate;binary'] = ca_cert + ldap.update_entry(entry) + +-- +2.17.2 + 
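Review bot: In `update_upload_cacrt`, any `ValueError` raised while reading `cACertificate;binary` — not only the double-encoded case the comment names — causes the stored CA certificate to be replaced with `ca_cert` from the local file, and the only trace is a debug message; since this entry is trust material consumed by clients, log it at warning level with the reason, e.g. `logger.warning('cACertificate;binary in %s is not a valid DER certificate, rewriting it', entry.dn)`. `_cert_bin` is assigned but never used; either call `entry['cACertificate;binary']` for its side effect alone or keep the value and reuse it in the `if force_write or b'' in entry['cACertificate;binary']` test so the attribute is not decoded twice. The enclosing `execute` method starts outside the hunk.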
diff --git a/SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch b/SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
new file mode 100644
index 0000000..874c3f2
--- /dev/null
+++ b/SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
@@ -0,0 +1,76 @@ +From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 29 Nov 2018 15:41:33 +0100 +Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert + +Create a test for upgrade with the following scenario: +- install master +- write a double-encoded cert in the entry +cn=cacert,,cn=ipa,cn=etc,$basedn +to simulate bug 7775 +- call ipa-server-upgrade +- check that the upgrade fixed the value + +The upgrade should finish successfully and repair +the double-encoded cert. + +Related to https://pagure.io/freeipa/issue/7775 + +Reviewed-By: Christian Heimes +--- + ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py +index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644 +--- a/ipatests/test_integration/test_upgrade.py ++++ b/ipatests/test_integration/test_upgrade.py +@@ -6,6 +6,9 @@ + Module provides tests to verify that the upgrade script works. + """ + ++import base64 ++from cryptography.hazmat.primitives import serialization ++from ipapython.dn import DN + from ipatests.test_integration.base import IntegrationTest + from ipatests.pytest_plugins.integration import tasks + +@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest): + cmd = self.master.run_command(['ipa-server-upgrade'], + raiseonerr=False) + assert cmd.returncode == 0 ++ ++ def test_double_encoded_cacert(self): ++ """Test for BZ 1644874 ++ ++ In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn ++ could contain a double-encoded cert, which leads to ipa-server-upgrade ++ failure. ++ Force a double-encoded value then call upgrade to check the fix. 
++ """ ++ # Read the current entry from LDAP ++ ldap = self.master.ldap_connect() ++ basedn = self.master.domain.basedn # pylint: disable=no-member ++ dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn) ++ entry = ldap.get_entry(dn) # pylint: disable=no-member ++ # Extract the certificate as DER then double-encode ++ cacert = entry['cacertificate;binary'][0] ++ cacert_der = cacert.public_bytes(serialization.Encoding.DER) ++ cacert_b64 = base64.b64encode(cacert_der) ++ # overwrite the value with double-encoded cert ++ entry.single_value['cACertificate;binary'] = cacert_b64 ++ ldap.update_entry(entry) # pylint: disable=no-member ++ ++ # try the upgrade ++ self.master.run_command(['ipa-server-upgrade']) ++ ++ # read the value after upgrade, should be fixed ++ entry = ldap.get_entry(dn) # pylint: disable=no-member ++ try: ++ _cacert = entry['cacertificate;binary'] ++ except ValueError: ++ raise AssertionError('%s contains a double-encoded cert' ++ % entry.dn) +-- +2.17.2 + diff --git a/SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch b/SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch new file mode 100644 index 0000000..ee850b4 --- /dev/null +++ b/SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch 
@@ -0,0 +1,32 @@ +From 840f9cfe17737c9ef1899b9923682a5df53ff4b6 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 4 Dec 2018 16:44:54 +0100 +Subject: [PATCH] ipatests: fix TestUpgrade::test_double_encoded_cacert + +The test is using a stale ldap connection to the master +(obtained before calling upgrade, and the upgrade stops +and starts 389-ds, breaking the connection). + +The fix re-connects before using the ldap handle. + +Related to https://pagure.io/freeipa/issue/7775 +--- + ipatests/test_integration/test_upgrade.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py +index 7dbe52d57052d3c640df644705fc3e22fab14334..b03109f7c3bb0f037c8fd6554e3e5420bc557684 100644 +--- a/ipatests/test_integration/test_upgrade.py ++++ b/ipatests/test_integration/test_upgrade.py +@@ -47,6 +47,8 @@ class TestUpgrade(IntegrationTest): + # try the upgrade + self.master.run_command(['ipa-server-upgrade']) + ++ # reconnect to the master (upgrade stops 389-ds) ++ ldap = self.master.ldap_connect() + # read the value after upgrade, should be fixed + entry = ldap.get_entry(dn) # pylint: disable=no-member + try: +-- +2.17.2 + diff --git a/SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch b/SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch new file mode 100644 index 0000000..8dd6196 --- /dev/null +++ b/SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch 
@@ -0,0 +1,145 @@ +From 3e0e8c309c70a0d379b985189c23f1bacd62a96e Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 30 Nov 2018 15:46:25 +0100 +Subject: [PATCH] ipatest: add test for ipa-pkinit-manage enable|disable + +Add a test for ipa-pkinit-manage with the following scenario: +- install master with option --no-pkinit +- call ipa-pkinit-manage enable +- call ipa-pkinit-manage disable +- call ipa-pkinit-manage enable + +At each step, check that the PKINIT cert is consistent with the +expectations: when pkinit is enabled, the cert is signed by IPA +CA and tracked by 'IPA' ca helper, but when pkinit is disabled, +the cert is self-signed and tracked by 'SelfSign' CA helper. + +Related to https://pagure.io/freeipa/issue/7200 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Christian Heimes +--- + .../test_integration/test_pkinit_manage.py | 111 ++++++++++++++++++ + 1 file changed, 111 insertions(+) + create mode 100644 ipatests/test_integration/test_pkinit_manage.py + +diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py +new file mode 100644 +index 0000000000000000000000000000000000000000..bc1d9e338cdf4e7a503b3c83ac12792894eecce2 +--- /dev/null ++++ b/ipatests/test_integration/test_pkinit_manage.py +@@ -0,0 +1,111 @@ ++# ++# Copyright (C) 2018 FreeIPA Contributors see COPYING for license ++# ++ ++""" ++Module provides tests for the ipa-pkinit-manage command. 
++""" ++ ++from __future__ import absolute_import ++ ++from ipalib import x509 ++from ipaplatform.paths import paths ++from ipapython.dn import DN ++from ipatests.test_integration.base import IntegrationTest ++from ipatests.pytest_ipa.integration import tasks ++ ++ ++SELFSIGNED_CA_HELPER = 'SelfSign' ++IPA_CA_HELPER = 'IPA' ++PKINIT_STATUS_ENABLED = 'enabled' ++PKINIT_STATUS_DISABLED = 'disabled' ++ ++ ++def check_pkinit_status(host, status): ++ """Ensures that ipa-pkinit-manage status returns the expected state""" ++ result = host.run_command(['ipa-pkinit-manage', 'status'], ++ raiseonerr=False) ++ assert result.returncode == 0 ++ assert 'PKINIT is {}'.format(status) in result.stdout_text ++ ++ ++def check_pkinit_tracking(host, ca_helper): ++ """Ensures that the PKINIT cert is tracked by the expected helper""" ++ result = host.run_command(['getcert', 'list', '-f', paths.KDC_CERT], ++ raiseonerr=False) ++ assert result.returncode == 0 ++ # Make sure that only one request exists ++ assert result.stdout_text.count('Request ID') == 1 ++ # Make sure that the right CA helper is used to track the cert ++ assert 'CA: {}'.format(ca_helper) in result.stdout_text ++ ++ ++def check_pkinit_cert_issuer(host, issuer): ++ """Ensures that the PKINIT cert is signed by the expected issuer""" ++ data = host.get_file_contents(paths.KDC_CERT) ++ pkinit_cert = x509.load_pem_x509_certificate(data) ++ # Make sure that the issuer is the expected one ++ assert DN(pkinit_cert.issuer) == DN(issuer) ++ ++ ++def check_pkinit(host, enabled=True): ++ """Checks that PKINIT is configured as expected ++ ++ If enabled: ++ ipa-pkinit-manage status must return 'PKINIT is enabled' ++ the certificate must be tracked by IPA CA helper ++ the certificate must be signed by IPA CA ++ If disabled: ++ ipa-pkinit-manage status must return 'PKINIT is disabled' ++ the certificate must be tracked by SelfSign CA helper ++ the certificate must be self-signed ++ """ ++ if enabled: ++ # When pkinit is enabled: ++ # 
cert is tracked by IPA CA helper ++ # cert is signed by IPA CA ++ check_pkinit_status(host, PKINIT_STATUS_ENABLED) ++ check_pkinit_tracking(host, IPA_CA_HELPER) ++ check_pkinit_cert_issuer( ++ host, ++ 'CN=Certificate Authority,O={}'.format(host.domain.realm)) ++ else: ++ # When pkinit is disabled ++ # cert is tracked by 'SelfSign' CA helper ++ # cert is self-signed ++ check_pkinit_status(host, PKINIT_STATUS_DISABLED) ++ check_pkinit_tracking(host, SELFSIGNED_CA_HELPER) ++ check_pkinit_cert_issuer( ++ host, ++ 'CN={},O={}'.format(host.hostname, host.domain.realm)) ++ ++ ++class TestPkinitManage(IntegrationTest): ++ """Tests the ipa-pkinit-manage command. ++ ++ ipa-pkinit-manage can be used to enable, disable or check ++ the status of PKINIT. ++ When pkinit is enabled, the kerberos server is using a certificate ++ signed either externally or by IPA CA. In the latter case, certmonger ++ is tracking the cert with IPA helper. ++ When pkinit is disabled, the kerberos server is using a self-signed ++ certificate that is tracked by certmonger with the SelfSigned helper. ++ """ ++ ++ @classmethod ++ def install(cls, mh): ++ # Install the master with PKINIT disabled ++ tasks.install_master(cls.master, extra_args=['--no-pkinit']) ++ check_pkinit(cls.master, enabled=False) ++ ++ def test_pkinit_enable(self): ++ self.master.run_command(['ipa-pkinit-manage', 'enable']) ++ check_pkinit(self.master, enabled=True) ++ ++ def test_pkinit_disable(self): ++ self.master.run_command(['ipa-pkinit-manage', 'disable']) ++ check_pkinit(self.master, enabled=False) ++ ++ def test_pkinit_reenable(self): ++ self.master.run_command(['ipa-pkinit-manage', 'enable']) ++ check_pkinit(self.master, enabled=True) +-- +2.17.2 + diff --git a/SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch b/SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch new file mode 100644 index 0000000..8a02d74 --- /dev/null +++ b/SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch 
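Review bot: The three `test_pkinit_*` methods of `TestPkinitManage` are order-dependent — `test_pkinit_disable` assumes enable ran and `test_pkinit_reenable` assumes disable ran — which holds under pytest's default definition order but not under random ordering or `-k` selection; state it in the class docstring (`Tests must run in definition order: enable, disable, re-enable.`) or merge them into one test. In `check_pkinit_status` and `check_pkinit_tracking`, `raiseonerr=False` followed by `assert result.returncode == 0` throws away the command's stderr from the failure report; letting `run_command` raise (presumably its default) gives a more useful failure. `check_pkinit_cert_issuer` is called with a hard-coded `CN=<hostname>,O=<realm>` issuer for the disabled case; a comment noting that this mirrors the subject the SelfSign helper produces would explain where the value comes from, since nothing in the test derives it.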
@@ -0,0 +1,78 @@
+From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Fri, 30 Nov 2018 15:49:20 +0100
+Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable
+
+The command ipa-pkinit-manage enable|disable is reporting
+success even though the PKINIT cert is not re-issued.
+The command triggers the request of a new certificate
+(signed by IPA CA when state=enable, selfsigned when disabled),
+but as the cert file is still present, certmonger does not create
+a new request and the existing certificate is kept.
+
+The fix consists in deleting the cert and key file before calling
+certmonger to request a new cert.
+
+There was also an issue in the is_pkinit_enabled() function:
+if no tracking request was found for the PKINIT cert,
+is_pkinit_enabled() was returning True while it should not.
+
+Fixes https://pagure.io/freeipa/issue/7200
+
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Christian Heimes
+---
+ ipaserver/install/ipa_pkinit_manage.py | 2 ++
+ ipaserver/install/krbinstance.py | 9 ++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
+index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
+--- a/ipaserver/install/ipa_pkinit_manage.py
++++ b/ipaserver/install/ipa_pkinit_manage.py
+@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
+ if ca_enabled:
+ logger.warning(
+ "Failed to stop tracking certificates: %s", e)
++ # remove the cert and key
++ krb.delete_pkinit_cert()
+
+ krb.enable_ssl()
+
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -77,7 +77,7 @@ def is_pkinit_enabled():
+ if os.path.exists(paths.KDC_CERT):
+ pkinit_request_ca = get_pkinit_request_ca()
+
+- if pkinit_request_ca != "SelfSign":
++ if pkinit_request_ca and pkinit_request_ca != "SelfSign":
+ return True
+
+ return False
+@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
+ def stop_tracking_certs(self):
+ certmonger.stop_tracking(certfile=paths.KDC_CERT)
+
++ def delete_pkinit_cert(self):
++ installutils.remove_file(paths.KDC_CERT)
++ installutils.remove_file(paths.KDC_KEY)
++
+ def uninstall(self):
+ if self.is_configured():
+ self.print_msg("Unconfiguring %s" % self.service_name)
+@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
+ # stop tracking and remove certificates
+ self.stop_tracking_certs()
+ installutils.remove_file(paths.CACERT_PEM)
+- installutils.remove_file(paths.KDC_CERT)
+- installutils.remove_file(paths.KDC_KEY)
++ self.delete_pkinit_cert()
+
+ if running:
+ self.restart()
+--
+2.17.2
+
diff --git a/SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch b/SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch
new file mode 100644
index 0000000..7777371
--- /dev/null
+++ b/SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch
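Review bot: In the ipa_pkinit_manage.py hunk, `krb.delete_pkinit_cert()` unlinks both the KDC certificate and its private key before `krb.enable_ssl()` has obtained a replacement, so if the new certmonger request fails (CA unreachable, helper misconfigured, stop-tracking having already failed and been logged only as a warning just above) the KDC is left with neither file and no path back to the previously working PKINIT setup. Prefer moving the pair aside, e.g. `os.rename(paths.KDC_KEY, paths.KDC_KEY + '.bak')` and likewise for `paths.KDC_CERT`, restoring them if `enable_ssl()` raises and removing the backups only once the new certificate is in place. The `is_pkinit_enabled()` tightening to `pkinit_request_ca and pkinit_request_ca != "SelfSign"` looks correct: a missing tracking request now reads as disabled rather than enabled. The enclosing PKINITManage method starts and ends outside this hunk, so the surrounding error handling could not be checked.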
@@ -0,0 +1,87 @@
+From e879ca9b693a10f456f03d3c471afa49321516f9 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Thu, 13 Dec 2018 14:54:07 +0100
+Subject: [PATCH] replication: check remote ds version before editing
+ attributes
+
+When the remote server has an old DS version, update of the
+replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
+and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
+schema has been updated.
+
+Check first the remote server version and update the attributes only if
+the version is high enough.
+A previous fix was already performing this check (commit 02f4a7a),
+but not in all the cases. This fix also handles when the remote server
+already has a cn=replica entry (for instance because it has already
+established replication with another host).
+
+Fixes https://pagure.io/freeipa/issue/7796
+
+Reviewed-By: Christian Heimes
+Reviewed-By: Christian Heimes
+---
+ ipaserver/install/replication.py | 33 ++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index 92a99cd9482f86d6820230479bf94c871669572e..70629b4528f033908c584bfaf0793cfa4ce259d4 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -215,6 +215,22 @@ def wait_for_entry(connection, dn, timeout, attr=None, attrvalue='*',
+ time.sleep(1)
+
+
++def get_ds_version(conn):
++ """Returns the DS version
++
++ Retrieves the DS version from the vendorVersion attribute stored in LDAP.
++ :param conn: LDAP connection established and authenticated to the server
++ for which we need the version
++ :return: a tuple containing the DS version
++ """
++ # Find which 389-ds is installed
++ rootdse = conn.get_entry(DN(''), ['vendorVersion'])
++ version = rootdse.single_value.get('vendorVersion')
++ mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
++ vendor_version = tuple(int(v) for v in mo.groups())
++ return vendor_version
++
++
+ class ReplicationManager(object):
+ """Manage replication agreements
+
+@@ -527,8 +543,16 @@ class ReplicationManager(object):
+ # Add the new replication manager
+ binddns.append(replica_binddn)
+
+- for key, value in REPLICA_CREATION_SETTINGS.items():
+- entry[key] = value
++ # If the remote server has 389-ds < 1.3, it does not
++ # support the attributes we are trying to set.
++ # Find which 389-ds is installed
++ vendor_version = get_ds_version(conn)
++ if vendor_version >= (1, 3, 0):
++ for key, value in REPLICA_CREATION_SETTINGS.items():
++ entry[key] = value
++ else:
++ logger.debug("replication attributes not supported "
++ "on remote master, skipping update.")
+
+ try:
+ conn.update_entry(entry)
+@@ -604,10 +628,7 @@ class ReplicationManager(object):
+ # If the remote server has 389-ds < 1.3, it does not
+ # support the attributes we are trying to set.
+ # Find which 389-ds is installed
+- rootdse = r_conn.get_entry(DN(''), ['vendorVersion'])
+- version = rootdse.single_value.get('vendorVersion')
+- mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
+- vendor_version = tuple(int(v) for v in mo.groups())
++ vendor_version = get_ds_version(r_conn)
+ if vendor_version >= (1, 3, 0):
+ # 389-ds understands the replication attributes,
+ # we can safely modify them
+--
+2.17.2
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 6e66d45..df4ee0b 100644
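Review bot: The new `get_ds_version()` dereferences the regex match without checking it: if the remote rootDSE exposes no vendorVersion, `version` is None and `re.search()` raises TypeError, and if the string does not match the pattern `mo` is None and `mo.groups()` raises AttributeError, so a replica install against an unusual or hardened remote dies with an unrelated-looking traceback instead of a clear message. The value is read over LDAP from another server, so it should be validated like any other remote input before being turned into a version tuple that gates which attributes get written. The same latent crash existed in the old inline code at `@@ -604`, but now that it is a shared helper used by both callers it is the right place to fail explicitly; RuntimeError below is a placeholder for whatever error type the installer code conventionally raises.
```python
def get_ds_version(conn):
    # … unchanged: docstring …
    rootdse = conn.get_entry(DN(''), ['vendorVersion'])
    version = rootdse.single_value.get('vendorVersion')
    if not version:
        raise RuntimeError("remote rootDSE has no vendorVersion attribute")
    mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
    if mo is None:
        raise RuntimeError("cannot parse remote DS version: %r" % version)
    return tuple(int(v) for v in mo.groups())
```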
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From e94346d8c3d588056f04af1c1916617c962be4bc Mon Sep 17 00:00:00 2001 +From e443dc9390ead872bfa0c7ae35323023f21cebc9 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -46,12 +46,12 @@ Subject: [PATCH] Change branding to IPA and Identity Management install/tools/man/ipactl.8 | 2 +- install/ui/css/patternfly.css | 2 +- install/ui/index.html | 2 +- - install/ui/less/brand.less | 103 ++++++++++++++--------------- - install/ui/less/patternfly.less | 48 ++++++++++++++ + install/ui/less/brand.less | 103 ++++++++++----------- + install/ui/less/patternfly.less | 48 ++++++++++ install/ui/reset_password.html | 2 +- install/ui/src/freeipa/widgets/App.js | 2 +- install/ui/sync_otp.html | 2 +- - ipaserver/advise/plugins/legacy_clients.py | 8 +-- + ipaserver/advise/plugins/legacy_clients.py | 8 +- ipaserver/install/dns.py | 2 +- ipaserver/install/ipa_kra_install.py | 4 +- ipaserver/install/server/install.py | 2 +- @@ -280,7 +280,7 @@ index 19e3e6832bea774244bc949ce44a27f5ebebaed0..2a92ec6aebeb0932b58dd092ba4188e1 You may place your schema files in a subdirectory too, the code that loads schema files processes recursively all subdirectories of schema.d. diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install -index d4e5d4c09cf6b7c1521bcecb79bb6fd7235fc799..e6618ef2e78e26f0cb74fadff214f564d000677c 100755 +index a870d136e242affe6627cd4c44a173a80a9ab1c6..f0e72b3adaa5ef27a11c11feb787019b6db71e62 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -141,11 +141,11 @@ def main(): @@ -344,7 +344,7 @@ index 4c494aab90fe307bf0a2bf82677efda4b5e67e3e..515bbddbe4de8a38a2797d6aa5e95c1a \ No newline at end of file +1 if an error occurred 
diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1 -index ff9759ec77d54f32532c4ececfa5081daab9ec15..476f9b534d514b03200369212807fc6d001c70b8 100644 +index 9e2900f770880d3a554df5cd5d0430716e3bf70e..747fc12f71c12be9ddcd69bdb86354a3e0237944 100644 --- a/install/tools/man/ipa-backup.1 +++ b/install/tools/man/ipa-backup.1 @@ -16,7 +16,7 @@ @@ -940,10 +940,10 @@ index 7916965dddfec7e4c2aa34b081d4c1ba6fc953a7..c0d6c73f4f3d55ac3eb3636273f47541 'are all Red Hat based platforms.') diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index e14b353e9cb655a6e7ef228d47dfc7a1badd7286..1cd851625f225538856b9b627b3d8190ccfa47dc 100644 +index e4f73ac025dfe8aa19ef99c8d0ab9379caa32610..897c40a6c02899bfe60228dd73e5c71c0b59c3be 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py -@@ -149,7 +149,7 @@ def install_check(standalone, api, replica, options, hostname): +@@ -150,7 +150,7 @@ def install_check(standalone, api, replica, options, hostname): if standalone: print("==============================================================================") @@ -953,7 +953,7 @@ index e14b353e9cb655a6e7ef228d47dfc7a1badd7286..1cd851625f225538856b9b627b3d8190 print("This includes:") print(" * Configure DNS (bind)") diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py -index 07e11ea69ded8832015dd69ea43ff338c5f9df95..76492c1dd9bf02d3e80ec5876214441d697e9765 100644 +index b536685f5f1f3fccab07fd37aa001958e2d38420..1a0b96b000a4c4166054dee9d63b6f239741b40f 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -90,7 +90,7 @@ class KRAInstall(admintool.AdminTool): @@ -975,7 +975,7 @@ index 07e11ea69ded8832015dd69ea43ff338c5f9df95..76492c1dd9bf02d3e80ec5876214441d ''' 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index e96ae97c74ee1598683d1ef3f2570e8de93c9943..b5290817e4b0f849ef77353d33bc6753a7c8b42d 100644 +index a341408f78f24055d807ae49c8a0cda81bfb3ec4..eeeb2977a98790585b8b8d4467ee4ad0e6c2f217 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -377,7 +377,7 @@ def install_check(installer): @@ -988,10 +988,10 @@ index e96ae97c74ee1598683d1ef3f2570e8de93c9943..b5290817e4b0f849ef77353d33bc6753 print("This includes:") if setup_ca: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 33f3ae9e616b34a3ab0ff8e4257552855e817e7c..356d17cf9a2d507e98952ae0477e473562a356e2 100644 +index eb354f81ba6e4cbc3848f9c24338fb85cc7639ae..7e9a1ce5d8c2b8a6fe445148afd66e61553b0e07 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -616,7 +616,7 @@ def check_domain_level_is_supported(current): +@@ -621,7 +621,7 @@ def check_domain_level_is_supported(current): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -1023,5 +1023,5 @@ index 6037938330f13a30d0ccfbedcaac59c567bda0d6..b8a0c82d394edb8744de34394895b86f """) + _(""" To enable the binddn run the following command to set the password: -- -2.14.4 +2.17.2 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index d412892..1579d1d 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 5b587502716f71c9c71cd63e32d6b837613bc8dc Mon Sep 17 00:00:00 2001 +From ddd951ba70e11fb6332f57e94a3b1a22ded08a39 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py 
@@ -22,10 +22,10 @@ index 93f996c5be670e0ae374a12a85c2465b8e740927..70482ceb65639465d60b0c48fd2ccd6e %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index b58fbb4c881d247d6b5fb661f4085ec82c3cc811..cf6247a4b12e3fecc7c784c9d803670442c56fd5 100644 +index d6e467097808594756d947fa721b8cf10fe7d043..a52336fd71ffb44e3f7dfcc95656bd82065f41cd 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py -@@ -1384,9 +1384,11 @@ def replica_ca_install_check(config, promote): +@@ -1416,9 +1416,11 @@ def replica_ca_install_check(config, promote): else: logger.critical( 'The master CA directory server does not have necessary schema. ' @@ -40,5 +40,5 @@ index b58fbb4c881d247d6b5fb661f4085ec82c3cc811..cf6247a4b12e3fecc7c784c9d8036704 -- -2.14.4 +2.17.2 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index a7566d3..aa68b30 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From fa0db6fe2c7343d2ba86fadd55e9f4db78ec9f8a Mon Sep 17 00:00:00 2001 +From 6f6d25da7a5e93de9f8c80e7fe3419d4b0c60a72 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.14.4 +2.17.2 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index fc26b09..5f47da2 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch 
@@ -1,4 +1,4 @@ -From b7082747c2b6bbe2e857bd4fa20af443073dbd02 Mon Sep 17 00:00:00 2001 +From bbe70ea811007cf8426ac14565e7da47b3ae1ced Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -19,17 +19,17 @@ This reverts commits: https://bugzilla.redhat.com/show_bug.cgi?id=1432630 --- - freeipa.spec.in | 18 ----- - ipaclient/csrgen/profiles/caIPAserviceCert.json | 15 ---- - ipaclient/csrgen/profiles/userCert.json | 15 ---- - ipaclient/csrgen/templates/openssl_macros.tmpl | 29 -------- - ipaclient/plugins/cert.py | 82 +--------------------- - ipaclient/setup.py | 7 -- - ipalib/errors.py | 28 -------- - ipatests/setup.py | 2 - - ipatests/test_ipaclient/__init__.py | 7 -- - .../data/test_csrgen/profiles/profile.json | 8 --- - .../data/test_csrgen/templates/identity_base.tmpl | 1 - + freeipa.spec.in | 18 ---- + .../csrgen/profiles/caIPAserviceCert.json | 15 ---- + ipaclient/csrgen/profiles/userCert.json | 15 ---- + .../csrgen/templates/openssl_macros.tmpl | 29 ------- + ipaclient/plugins/cert.py | 82 +------------------ + ipaclient/setup.py | 7 -- + ipalib/errors.py | 28 ------- + ipatests/setup.py | 2 - + ipatests/test_ipaclient/__init__.py | 7 -- + .../data/test_csrgen/profiles/profile.json | 8 -- + .../test_csrgen/templates/identity_base.tmpl | 1 - 11 files changed, 1 insertion(+), 211 deletions(-) delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json delete mode 100644 ipaclient/csrgen/profiles/userCert.json @@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.14.4 +2.17.2 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 18fca0b..4ebfa79 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch 
@@ -1,4 +1,4 @@ -From 5f659d56bea124335d1813ae32c809cbc8582fb6 Mon Sep 17 00:00:00 2001 +From eaa2dd2de04147dbca127673d3c2473955b9289c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -123,5 +123,5 @@ index 8211c03515bf70b681da49d27ae11a4e8cb3b44d..a40b5d45ff8406c3ebbb69465e8d71d7 - assert p.returncode > 0, (out, err) - assert b'System encoding must be UTF-8' in err, (out, err) -- -2.17.1 +2.17.2 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 8be3b2a..296a45c 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -93,7 +93,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 10%{?dist} +Release: 10%{?dist}.2 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -101,10 +101,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
@@ -154,12 +154,22 @@ Patch0042: 0042-Ensure-that-public-cert-and-CA-bundle-are-readable.patch Patch0043: 0043-Always-make-ipa.p11-kit-world-readable.patch Patch0044: 0044-Make-etc-httpd-alias-world-readable-executable.patch Patch0045: 0045-Fix-permission-of-public-files-in-upgrader.patch +Patch0046: 0046-Find-orphan-automember-rules.patch +Patch0047: 0047-Add-a-shared-vault-retrieve-test.patch +Patch0048: 0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch +Patch0049: 0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch +Patch0050: 0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch +Patch0051: 0051-ipa-upgrade-handle-double-encoded-certificates.patch +Patch0052: 0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch +Patch0053: 0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch +Patch0054: 0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch +Patch0055: 0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch +Patch0056: 0056-replication-check-remote-ds-version-before-editing-a.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch Patch1005: 1005-Removing-filesystem-encoding-check.patch -Patch1006: ipa-centos-branding.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf 
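Review bot: Patch0048 is described in the changelog of this same diff as adding a "Find enabled services" ACI so that all users can find IPA servers and services, but the ACI text itself is not part of what is visible here, so its scope cannot be checked from the spec. Since this is an access-control change shipped in a z-stream rebuild, confirm before release that the ACI is restricted to read/search/compare on the attributes the vault lookup needs and does not expose keytab- or credential-related attributes of service entries to every authenticated user. A short comment after the `Patch0048:` line naming the bug it addresses, e.g. `# Bug 1659500: broadens service read access for vault-retrieve, see 20-aci.update`, would make the access-control impact traceable from the spec rather than only from the changelog.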
@@ -965,10 +975,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management 
@@ -1729,8 +1739,24 @@ fi %changelog -* Tue Oct 30 2018 CentOS Sources - 4.6.4-10.el7.centos -- Roll in CentOS Branding +* Tue Dec 18 2018 Florence Blanc-Renaud - 4.6.4-10.el7_6.2 +- Resolves: 1659492 searching for ipa users by certificate fails + - ipaldap.py: fix method creating a ldap filter for IPACertificate + - ipatests: add xmlrpc test for user|host-find --certificate +- Resolves: 1659509 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'" + - ipa upgrade: handle double-encoded certificates + - ipatests: add upgrade test for double-encoded cacert + - ipatests: fix TestUpgrade::test_double_encoded_cacert +- Resolves: 1659500 'ipa vault-retrieve' is failing with "ipa: ERROR: an internal error has occurred" + - Add a shared-vault-retrieve test + - Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes. +- Resolves: 1659511 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not. + - ipatest: add test for ipa-pkinit-manage enable|disable + - PKINIT: fix ipa-pkinit-manage enable|disable +- Resolves: 1659499 automember-rebuild crashes + - Find orphan automember rules +- Resolves: 1660389 ipa-replica-install fails migrating RHEL 6 to 7 + - replication: check remote ds version before editing attributes * Tue Sep 18 2018 Florence Blanc-Renaud - 4.6.4-10.el7 - Resolves: 1630361 PKINIT fails in FIPS mode