diff --git a/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch b/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch index 0f0d3a5..34580fe 100644 --- a/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch +++ b/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch @@ -291,3 +291,119 @@ index 5f2b1fdc2..7622e65dc 100644 -- 2.26.2 +From f6c460aee8542d4d81cd9970d71051c240156973 Mon Sep 17 00:00:00 2001 +From: Serhii Tsymbaliuk +Date: Thu, 16 Jul 2020 18:52:24 +0200 +Subject: [PATCH] WebUI: Fix error "unknown command + 'idoverrideuser_add_member'" + +There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association, +as a result a wrong command was sent to the server. + +Ticket: https://pagure.io/freeipa/issue/8416 + +Signed-off-by: Serhii Tsymbaliuk +Reviewed-By: Petr Vobornik +Reviewed-By: Alexander Bokovoy +--- + install/ui/src/freeipa/group.js | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js +index 2984bd4b2..61c19a82f 100644 +--- a/install/ui/src/freeipa/group.js ++++ b/install/ui/src/freeipa/group.js +@@ -209,7 +209,6 @@ return { + { + $type: 'association', + name: 'member_idoverrideuser', +- associator: IPA.serial_associator, + add_title: '@i18n:objects.group.add_idoverride_user', + remove_title: '@i18n:objects.group.remove_idoverride_users', + columns: [ +-- +2.26.2 + +From e35739b7e9f6bb016b37abbd92bdaee71a59a288 Mon Sep 17 00:00:00 2001 +From: Serhii Tsymbaliuk +Date: Wed, 29 Jul 2020 09:41:36 +0200 +Subject: [PATCH] WebUI tests: Add test case to cover user ID override feature + +The test case includes adding an user ID override to Default Trust View +and adding the ID override to some IPA group. + +Ticket: https://pagure.io/freeipa/issue/8416 + +Signed-off-by: Serhii Tsymbaliuk +Reviewed-By: Petr Vobornik +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_webui/test_trust.py | 41 +++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py +index c04c2fcd8..605f8a2a7 100644 +--- a/ipatests/test_webui/test_trust.py ++++ b/ipatests/test_webui/test_trust.py +@@ -21,6 +21,8 @@ + Trust tests + """ + ++import ipatests.test_webui.data_group as group ++import ipatests.test_webui.data_idviews as idview + from ipatests.test_webui.ui_driver import UI_driver + from ipatests.test_webui.ui_driver import screenshot + from ipatests.test_webui.task_range import range_tasks +@@ -29,6 +31,8 @@ import pytest + ENTITY = 'trust' + CONFIG_ENTITY = 'trustconfig' + ++DEFAULT_TRUST_VIEW = 'Default Trust View' ++ + CONFIG_DATA = { + 'mod': [ + ['combobox', 'ipantfallbackprimarygroup', 'admins'], +@@ -164,3 +168,40 @@ class test_trust(trust_tasks): + + self.mod_record(CONFIG_ENTITY, CONFIG_DATA) + self.mod_record(CONFIG_ENTITY, CONFIG_DATA2) ++ ++ @screenshot ++ def test_group_member_idoverrideuser(self): ++ ++ self.init_app() ++ ++ # Create new trust ++ data = self.get_data() ++ self.add_record(ENTITY, data) ++ ++ # Create an user ID override ++ ad_domain = self.config.get('ad_domain') ++ ad_admin = self.config.get('ad_admin') ++ idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower() ++ ++ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY) ++ self.add_record(idview.ENTITY, { ++ 'pkey': idoverrideuser_pkey, ++ 'add': [ ++ ('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey), ++ ], ++ }, facet='idoverrideuser') ++ ++ # Create new group and add the user ID override there ++ self.navigate_to_entity(group.ENTITY) ++ self.add_record(group.ENTITY, group.DATA) ++ self.navigate_to_record(group.PKEY) ++ self.add_associations([idoverrideuser_pkey], ++ facet='member_idoverrideuser', delete=True) ++ ++ # Clean up data ++ self.navigate_to_entity(group.ENTITY) ++ self.delete_record(group.PKEY) ++ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY) ++ self.delete_record(idoverrideuser_pkey) ++ self.navigate_to_entity(ENTITY) ++ self.delete_record(ad_domain) +-- +2.26.2 + diff --git a/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch b/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch new file mode 100644 index 0000000..b67d1ef --- /dev/null +++ b/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch @@ -0,0 +1,93 @@ +From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 2 Jul 2020 15:50:00 +0300 +Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for + execution + +On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires +SELinux policy permission to use 'noatsecure'. This comes most likely +from execve() setup by glibc. + +Add SELinux interface ipa_helper_noatsecure() that can be called by +oddjob's SELinux policy definition. + +In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to +access SELinux configuration and produce AVC for that. Allow reading +general userspace SELinux configuration. + +Fixes: https://pagure.io/freeipa/issue/8395 +Signed-off-by: Alexander Bokovoy +Reviewed-By: Christian Heimes +--- + selinux/ipa.if | 18 ++++++++++++++++++ + selinux/ipa.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/selinux/ipa.if b/selinux/ipa.if +index ea971b8fa..783db8b78 100644 +--- a/selinux/ipa.if ++++ b/selinux/ipa.if +@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',` + ps_process_pattern($1, dirsrv_t) + ') + ') ++ ++ ++######################################## ++## ++## Allow ipa_helper noatsecure ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_helper_noatsecure',` ++ gen_require(` ++ type ipa_helper_t; ++ ') ++ allow $1 ipa_helper_t:process { noatsecure }; ++') +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 587e5e585..383979094 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -115,6 +115,7 @@ optional_policy(` + + + allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown }; ++seutil_read_config(ipa_helper_t); + + #kernel bug + dontaudit ipa_helper_t self:capability2 block_suspend; +-- +2.26.2 + +From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Jul 2020 17:20:49 +0300 +Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes + +Related: https://pagure.io/freeipa/issue/8395 +Signed-off-by: Alexander Bokovoy +Reviewed-By: Christian Heimes +--- + selinux/ipa.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index 383979094..a3381217a 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -390,3 +390,7 @@ optional_policy(` + sssd_search_lib(ipa_custodia_t) + sssd_stream_connect(ipa_custodia_t) + ') ++ ++optional_policy(` ++ systemd_private_tmp(ipa_custodia_tmp_t) ++') +-- +2.26.2 + diff --git a/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch b/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch new file mode 100644 index 0000000..c1c7764 --- /dev/null +++ b/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch @@ -0,0 +1,180 @@ +From 128500198d3782a76616cf1d971d5aeb17e8c1da Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Thu, 11 Jun 2020 22:42:38 +1000 +Subject: [PATCH] fix iPAddress cert issuance for >1 host/service + +The 'cert_request' command accumulates DNS names from the CSR, +before checking that all IP addresses in the CSR are reachable from +those DNS names. Before adding a DNS name to the set, we check that +that it corresponds to the FQDN of a known host/service principal +(including principal aliases). When a DNS name maps to a +"alternative" principal (i.e. not the one given via the 'principal' +argument), this check was not being performed correctly. +Specifically, we were looking for the 'krbprincipalname' field on +the RPC response object directly, instead of its 'result' field. + +To resolve the issue, dereference the RPC response to its 'result' +field before invoking the '_dns_name_matches_principal' subroutine. + +Fixes: https://pagure.io/freeipa/issue/8368 +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/cert.py | 6 +- + .../test_cert_request_ip_address.py | 62 +++++++++++++++++-- + 2 files changed, 61 insertions(+), 7 deletions(-) + +diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py +index d353bc3ea..fe7ea34f5 100644 +--- a/ipaserver/plugins/cert.py ++++ b/ipaserver/plugins/cert.py +@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): + try: + if principal_type == HOST: + alt_principal_obj = api.Command['host_show']( +- name, all=True) ++ name, all=True)['result'] + elif principal_type == KRBTGT: + alt_principal = kerberos.Principal( + (u'host', name), principal.realm) + elif principal_type == SERVICE: + alt_principal_obj = api.Command['service_show']( +- alt_principal, all=True) ++ alt_principal, all=True)['result'] + except errors.NotFound: + # We don't want to issue any certificates referencing + # machines we don't know about. Nothing is stored in this +@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): + pass + + # Now check write access and caacl +- altdn = alt_principal_obj['result']['dn'] ++ altdn = alt_principal_obj['dn'] + if not ldap.can_write(altdn, "usercertificate"): + raise errors.ACIError(info=_( + "Insufficient privilege to create a certificate " +diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py +index bf4de05bf..c0475d30d 100644 +--- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py ++++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py +@@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker + from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker + from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test + +-host_fqdn = f'iptest.{api.env.domain}' ++host_shortname = 'iptest' ++host_fqdn = f'{host_shortname}.{api.env.domain}' + host_princ = f'host/{host_fqdn}' + host_ptr = f'{host_fqdn}.' + ++host2_shortname = 'iptest2' ++host2_fqdn = f'{host2_shortname}.{api.env.domain}' ++host2_princ = f'host/{host2_fqdn}' ++host2_ptr = f'{host2_fqdn}.' ++ + other_fqdn = f'other.{api.env.domain}' + other_ptr = f'{other_fqdn}.' + +@@ -39,6 +45,10 @@ ipv4_address = '169.254.0.42' + ipv4_revzone_s = '0.254.169.in-addr.arpa.' + ipv4_revrec_s = '42' + ++host2_ipv4_address = '169.254.0.43' ++host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.' ++host2_ipv4_revrec_s = '43' ++ + ipv6_address = 'fe80::8f18:bdab:4299:95fa' + ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.' + ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8' +@@ -46,7 +56,13 @@ ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8' + + @pytest.fixture(scope='class') + def host(request, xmlrpc_setup): +- tr = HostTracker('iptest') ++ tr = HostTracker(host_shortname) ++ return tr.make_fixture(request) ++ ++ ++@pytest.fixture(scope='class') ++def host2(request, xmlrpc_setup): ++ tr = HostTracker(host2_shortname) + return tr.make_fixture(request) + + +@@ -88,6 +104,12 @@ def ipv6_revzone(host): + yield from _zone_setup(host, ipv6_revzone_s) + + ++@pytest.fixture(scope='class') ++def host2_ipv4_ptr(host2, ipv4_revzone): ++ yield from _record_setup( ++ host2, ipv4_revzone, host2_ipv4_revrec_s, ptrrecord=host2_ptr) ++ ++ + @pytest.fixture(scope='class') + def ipv4_ptr(host, ipv4_revzone): + yield from _record_setup( +@@ -100,16 +122,22 @@ def ipv6_ptr(host, ipv6_revzone): + host, ipv6_revzone, ipv6_revrec_s, ptrrecord=host_ptr) + + ++@pytest.fixture(scope='class') ++def host2_ipv4_a(host2): ++ yield from _record_setup( ++ host2, api.env.domain, host2_shortname, arecord=host2_ipv4_address) ++ ++ + @pytest.fixture(scope='class') + def ipv4_a(host): + yield from _record_setup( +- host, api.env.domain, 'iptest', arecord=ipv4_address) ++ host, api.env.domain, host_shortname, arecord=ipv4_address) + + + @pytest.fixture(scope='class') + def ipv6_aaaa(host): + yield from _record_setup( +- host, api.env.domain, 'iptest', aaaarecord=ipv6_address) ++ host, api.env.domain, host_shortname, aaaarecord=ipv6_address) + + + @pytest.fixture(scope='class') +@@ -210,6 +238,12 @@ csr_cname2 = csr([ + x509.DNSName(f'cname2.{api.env.domain}'), + x509.IPAddress(ipaddress.ip_address(ipv4_address)), + ]) ++csr_two_dnsname_two_ip = csr([ ++ x509.DNSName(host_fqdn), ++ x509.IPAddress(ipaddress.ip_address(ipv4_address)), ++ x509.DNSName(host2_fqdn), ++ x509.IPAddress(ipaddress.ip_address(host2_ipv4_address)), ++]) + + + @pytest.fixture +@@ -449,3 +483,23 @@ class TestIPAddressCNAME(XMLRPC_test): + def test_two_levels(self, host, csr_cname2): + with pytest.raises(errors.ValidationError, match=PAT_FWD): + host.run_command('cert_request', csr_cname2, principal=host_princ) ++ ++ ++@pytest.mark.tier1 ++class TestTwoHostsTwoIPAddresses(XMLRPC_test): ++ """ ++ Test certificate issuance with CSR containing two hosts ++ and two IP addresses (one for each host). ++ ++ """ ++ def test_host_exists( ++ self, host, host2, ipv4_a, ipv4_ptr, host2_ipv4_a, host2_ipv4_ptr, ++ ): ++ # for convenience, this test also establishes the DNS ++ # record fixtures, which have class scope ++ host.ensure_exists() ++ host2.ensure_exists() ++ ++ def test_issuance(self, host, csr_two_dnsname_two_ip): ++ host.run_command( ++ 'cert_request', csr_two_dnsname_two_ip, principal=host_princ) +-- +2.26.2 + diff --git a/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch b/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch new file mode 100644 index 0000000..72a73cb --- /dev/null +++ b/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch @@ -0,0 +1,118 @@ +From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Fri, 19 Jun 2020 08:48:56 -0400 +Subject: [PATCH] Specify cert_paths when calling PKIConnection + +PKIConnection now defaults to specifying verify=True. We've introduced +a new parameter, cert_paths, to specify additional paths (directories or +files) to load as certificates. Specify the IPA CA certificate file so +we can guarantee connections succeed and validate the peer's certificate. + +Point to IPA CA certificate during pkispawn + +Bump pki_version to 10.9.0-0.4 (aka -b2) + +Fixes: https://pagure.io/freeipa/issue/8379 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155 +Related: https://github.com/dogtagpki/pki/pull/443 +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572 +Signed-off-by: Alexander Scheel +Signed-off-by: Christian Heimes +Reviewed-By: Christian Heimes +--- + freeipa.spec.in | 6 +++--- + install/tools/ipa-pki-wait-running.in | 3 ++- + ipaserver/install/cainstance.py | 7 +++++++ + ipaserver/install/dogtaginstance.py | 3 ++- + ipaserver/plugins/dogtag.py | 11 +++++------ + 5 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 74e752ea5..d00b9d640 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -112,9 +112,9 @@ + # Fedora + %endif + +-# 10.7.3 supports LWCA key replication using AES +-# https://pagure.io/freeipa/issue/8020 +-%global pki_version 10.7.3-1 ++# PKIConnection has been modified to always validate certs. ++# https://pagure.io/freeipa/issue/8379 ++%global pki_version 10.9.0-0.4 + + # https://pagure.io/certmonger/issue/90 + %global certmonger_version 0.79.7-1 +diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in +index 69f5ec296..4f0f2f34a 100644 +--- a/install/tools/ipa-pki-wait-running.in ++++ b/install/tools/ipa-pki-wait-running.in +@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem): + """ + conn = PKIConnection( + hostname=hostname, +- subsystem=subsystem ++ subsystem=subsystem, ++ cert_paths=paths.IPA_CA_CRT + ) + logger.info( + "Created connection %s://%s:%s/%s", +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 706bc28cc..9294f1dba 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance): + else: + pki_pin = None + ++ # When spawning a CA instance, always point to IPA_CA_CRT if it ++ # exists. Later, when we're performing step 2 of an external CA ++ # installation, we'll overwrite this key to point to the real ++ # external CA. ++ if os.path.exists(paths.IPA_CA_CRT): ++ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT ++ + if self.clone: + if self.no_db_setup: + cfg.update( +diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py +index 361d80a8c..7e295665c 100644 +--- a/ipaserver/install/dogtaginstance.py ++++ b/ipaserver/install/dogtaginstance.py +@@ -70,7 +70,8 @@ def get_security_domain(): + connection = PKIConnection( + protocol='https', + hostname=api.env.ca_host, +- port='8443' ++ port='8443', ++ cert_paths=paths.IPA_CA_CRT + ) + domain_client = pki.system.SecurityDomainClient(connection) + info = domain_client.get_security_domain_info() +diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py +index 4de26d76f..b300f6b18 100644 +--- a/ipaserver/plugins/dogtag.py ++++ b/ipaserver/plugins/dogtag.py +@@ -2082,13 +2082,12 @@ class kra(Backend): + 'https', + self.kra_host, + str(self.kra_port), +- 'kra') ++ 'kra', ++ cert_paths=paths.IPA_CA_CRT ++ ) + +- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY) +- # uncomment the following when this commit makes it to release +- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c +- # connection.set_authentication_cert(paths.RA_AGENT_PEM, +- # paths.RA_AGENT_KEY) ++ connection.set_authentication_cert(paths.RA_AGENT_PEM, ++ paths.RA_AGENT_KEY) + + try: + yield KRAClient(connection, crypto) +-- +2.26.2 + diff --git a/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch b/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch new file mode 100644 index 0000000..c94ebee --- /dev/null +++ b/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch @@ -0,0 +1,34 @@ +From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 15 Jul 2020 10:23:35 +0200 +Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock + +A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied +from upstream rules. It breaks installations on systems that don't have +ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3. + +Fixes: https://pagure.io/freeipa/issue/8412 +Signed-off-by: Christian Heimes +Reviewed-By: Thomas Woerner +--- + selinux/ipa.te | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index a3381217a4..c4c3fa805e 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -378,6 +378,13 @@ optional_policy(` + ipa_search_lib(ipa_custodia_t) + ') + ++optional_policy(` ++ gen_require(` ++ type httpd_t; ++ ') ++ ipa_custodia_stream_connect(httpd_t) ++') ++ + optional_policy(` + pki_manage_tomcat_etc_rw(ipa_custodia_t) + pki_read_tomcat_cert(ipa_custodia_t) diff --git a/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch b/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch new file mode 100644 index 0000000..5a96294 --- /dev/null +++ b/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch @@ -0,0 +1,189 @@ +From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 29 Jul 2020 13:35:49 +0200 +Subject: [PATCH] ipa-client-install: use the authselect backup during + uninstall + +When ipa-client-install is run on a system with no existing +authselect configuration (for instance a fedora 31 new install), +uninstallation is picking sssd profile but this may lead to +a configuration with differences compared to the pre-ipa-client +state. + +Now that authselect provides an option to backup the existing +configuration prior to setting a profile, the client install +can save the backup name and uninstall is able to apply the +backup in order to go back to the pre-ipa-client state. + +Fixes: https://pagure.io/freeipa/issue/8189 +Reviewed-By: Francois Cami +Reviewed-By: Michal Polovka +--- + ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------ + 1 file changed, 16 insertions(+), 21 deletions(-) + +diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py +index 758376f2b..89f452d66 100644 +--- a/ipaplatform/redhat/authconfig.py ++++ b/ipaplatform/redhat/authconfig.py +@@ -27,6 +27,7 @@ from ipaplatform.paths import paths + from ipapython import ipautil + from ipapython.admintool import ScriptError + import os ++import time + + FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow'] + +@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase): + def configure(self, sssd, mkhomedir, statestore, sudo=True): + # In the statestore, the following keys are used for the + # 'authselect' module: ++ # Old method: + # profile: name of the profile configured pre-installation + # features_list: list of features configured pre-installation + # mkhomedir: True if installation was called with --mkhomedir + # profile and features_list are used when reverting to the + # pre-install state +- cfg = self._parse_authselect_output() +- if cfg: +- statestore.backup_state('authselect', 'profile', cfg[0]) +- statestore.backup_state( +- 'authselect', 'features_list', " ".join(cfg[1])) +- else: +- # cfg = None means that the current conf is not managed by +- # authselect but by authconfig. +- # As we are using authselect to configure the host, +- # it will not be possible to revert to a custom authconfig +- # configuration later (during uninstall) +- # Best thing to do will be to use sssd profile at this time +- logger.warning( +- "WARNING: The configuration pre-client installation is not " +- "managed by authselect and cannot be backed up. " +- "Uninstallation may not be able to revert to the original " +- "state.") ++ # New method: ++ # backup: name of the authselect backup ++ backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S")) ++ statestore.backup_state('authselect', 'backup', backup_name) + + cmd = [paths.AUTHSELECT, "select", "sssd"] + if mkhomedir: +@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase): + if sudo: + cmd.append("with-sudo") + cmd.append("--force") ++ cmd.append("--backup={}".format(backup_name)) + + ipautil.run(cmd) + +@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase): + else: + features = [] + +- cmd = [paths.AUTHSELECT, "select", profile] +- cmd.extend(features) +- cmd.append("--force") +- ipautil.run(cmd) ++ backup = statestore.restore_state('authselect', 'backup') ++ if backup: ++ cmd = [paths.AUTHSELECT, "backup-restore", backup] ++ ipautil.run(cmd) ++ else: ++ cmd = [paths.AUTHSELECT, "select", profile] ++ cmd.extend(features) ++ cmd.append("--force") ++ ipautil.run(cmd) + + def backup(self, path): + current = self._get_authselect_current_output() +-- +2.26.2 + +# Not needed for 4.7.8 release +# +#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001 +#From: Florence Blanc-Renaud +#Date: Wed, 29 Jul 2020 13:40:26 +0200 +#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py +# +#Related: https://pagure.io/freeipa/issue/8189 +#Reviewed-By: Francois Cami +#Reviewed-By: Michal Polovka +#--- +# ipatests/test_integration/test_nfs.py | 4 ---- +# 1 file changed, 4 deletions(-) +# +#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py +#index 7272b0d44..832c56cca 100644 +#--- a/ipatests/test_integration/test_nfs.py +#+++ b/ipatests/test_integration/test_nfs.py +#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest): +# cmd = self.clients[0].run_command(sha256nsswitch_cmd) +# assert cmd.stdout_text == orig_sha256 +# +#- @pytest.mark.xfail( +#- reason="https://pagure.io/freeipa/issue/8189", +#- strict=True +#- ) +# def test_nsswitch_backup_restore_sssd(self): +# self.nsswitch_backup_restore() +# +#-- +#2.26.2 + +From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 29 Jul 2020 17:57:53 +0200 +Subject: [PATCH] ipatests: fix test_authselect + +Before the code fix, install/uninstall on a config without +any authselect profile was not able to restore the exact +state but configured sssd profile instead. + +Now that the code is doing a pre-install backup, uninstall +restores the exact state and the test needs to be updated +accordingly. + +Related: https://pagure.io/freeipa/issue/8189 +Reviewed-By: Francois Cami +Reviewed-By: Michal Polovka +--- + ipatests/test_integration/test_authselect.py | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py +index bdf7d9f77..cba23e707 100644 +--- a/ipatests/test_integration/test_authselect.py ++++ b/ipatests/test_integration/test_authselect.py +@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest): + ['rm', '-f', '/etc/authselect/authselect.conf']) + result = self._install_client() + assert result.returncode == 0 +- assert self.msg_warn_install in result.stderr_text ++ # With the fix for 8189, there is no warning any more ++ # because install is performing a pre-install backup ++ assert self.msg_warn_install not in result.stderr_text + # Client installation must configure the 'sssd' profile + # with sudo + check_authselect_profile(self.client, default_profile, ('with-sudo',)) +@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest): + """ + Test client un-installation when there was no authselect profile + """ +- # As the client did not have any authselect profile before install, +- # uninstall must print a warning about restoring 'sssd' profile +- # by default ++ # The client did not have any authselect profile before install, ++ # but uninstall must be able to restore the backup ++ # Check that no profile is configured after uninstall + result = self._uninstall_client() + assert result.returncode == 0 +- check_authselect_profile(self.client, default_profile) ++ assert not self.client.transport.file_exists( ++ '/etc/authselect/authselect.conf') + + def test_install_client_preconfigured_profile(self): + """ +-- +2.26.2 + diff --git a/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch b/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch new file mode 100644 index 0000000..4144d57 --- /dev/null +++ b/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch @@ -0,0 +1,32 @@ +From 66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 29 Jul 2020 13:42:43 -0400 +Subject: [PATCH] Replace SSLCertVerificationError with CertificateError for + py36 + +This exception was added in python 3.7. Use CertificateError +instead which is an alias and will work with older python releases. + +https://bugzilla.redhat.com/show_bug.cgi?id=1858318 + +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/server/upgrade.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 2c36bc0e2..2c1517865 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -667,7 +667,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http): + + try: + cert.match_hostname(expect) +- except ssl.SSLCertVerificationError: ++ except ssl.CertificateError: + if certs.is_ipa_issued_cert(api, cert): + request_id = certmonger.get_request_id( + {'cert-file': paths.HTTPD_CERT_FILE}) +-- +2.26.2 + diff --git a/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch b/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch new file mode 100644 index 0000000..1298351 --- /dev/null +++ b/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch @@ -0,0 +1,103 @@ +From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 8 May 2020 15:27:01 +0200 +Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface + +Signed-off-by: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Christian Heimes +--- + selinux/ipa.if | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/selinux/ipa.if b/selinux/ipa.if +index cefae5d90..ea971b8fa 100644 +--- a/selinux/ipa.if ++++ b/selinux/ipa.if +@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',` + manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t) + ') + ') ++ ++######################################## ++## ++## Execute dirsrv server in the dirsrv domain. ++## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241 ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++ifndef(`dirsrv_systemctl',` ++ interface(`dirsrv_systemctl',` ++ gen_require(` ++ type dirsrv_unit_file_t; ++ type dirsrv_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ init_reload_services($1) ++ allow $1 dirsrv_unit_file_t:file read_file_perms; ++ allow $1 dirsrv_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, dirsrv_t) ++ ') ++') +-- +2.26.2 + +From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 7 May 2020 16:17:12 +0200 +Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services + +Allow ipa_helper_t connect to init using /run/systemd/private socket. +Allow ipa_helper_t read init process state. +Allow ipa_helper_t manage sssd and dirsrv units. + +See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298 +See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241 +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Christian Heimes +--- + selinux/ipa.te | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/selinux/ipa.te b/selinux/ipa.te +index b1e29c8e2..587e5e585 100644 +--- a/selinux/ipa.te ++++ b/selinux/ipa.te +@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t) + + files_list_tmp(ipa_helper_t) + ++init_read_state(ipa_helper_t) ++init_stream_connect(ipa_helper_t) ++ + ipa_manage_pid_files(ipa_helper_t) + ipa_read_lib(ipa_helper_t) + +@@ -156,6 +159,10 @@ optional_policy(` + dirsrv_stream_connect(ipa_helper_t) + ') + ++optional_policy(` ++ dirsrv_systemctl(ipa_helper_t) ++') ++ + optional_policy(` + ldap_stream_connect(ipa_helper_t) + ') +@@ -182,6 +189,7 @@ optional_policy(` + + optional_policy(` + sssd_manage_lib_files(ipa_helper_t) ++ sssd_systemctl(ipa_helper_t) + ') + + ######################################## +-- +2.26.2 + diff --git a/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch b/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch new file mode 100644 index 0000000..ac9ddfe --- /dev/null +++ b/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch @@ -0,0 +1,84 @@ +From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 3 Aug 2020 18:52:07 +0200 +Subject: [PATCH] CAless installation: set the perms on KDC cert file + +In CA less installation, the KDC certificate file does not have +the expected 644 permissions. As a consequence, WebUI login +fails. + +The fix makes sure that the KDC cert file is saved with 644 perms. + +Fixes: https://pagure.io/freeipa/issue/8440 +Reviewed-By: Rob Crittenden +--- + ipaserver/install/krbinstance.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py +index 09d14693c..1910ff374 100644 +--- a/ipaserver/install/krbinstance.py ++++ b/ipaserver/install/krbinstance.py +@@ -536,6 +536,8 @@ class KrbInstance(service.Service): + certs.install_pem_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + paths.KDC_CERT) ++ # The KDC cert needs to be readable by everyone ++ os.chmod(paths.KDC_CERT, 0o644) + certs.install_key_from_p12(self.pkcs12_info[0], + self.pkcs12_info[1], + paths.KDC_KEY) +-- +2.26.2 + +From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 3 Aug 2020 18:53:47 +0200 +Subject: [PATCH] ipatests: check KDC cert permissions in CA less install + +The KDC certificate file must be stored with 644 permissions. +Add a test checking the file permissions on server + replica. + +Related: https://pagure.io/freeipa/issue/8440 +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_caless.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py +index a7b2cbbbc..1ea7d9896 100644 +--- a/ipatests/test_integration/test_caless.py ++++ b/ipatests/test_integration/test_caless.py +@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase): + assert result.returncode == 0 + + ++def verify_kdc_cert_perms(host): ++ """Verify that the KDC cert pem file has 0644 perms""" ++ cmd = host.run_command(['stat', '-c', ++ '"%a %G:%U"', paths.KDC_CERT]) ++ assert "644 root:root" in cmd.stdout_text ++ ++ + class TestPKINIT(CALessBase): + """Install master and replica with PKINIT""" + num_replicas = 1 +@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase): + result = cls.install_server(pkinit_pkcs12_exists=True, + pkinit_pin=_DEFAULT) + assert result.returncode == 0 ++ verify_kdc_cert_perms(cls.master) + + @replica_install_teardown + def test_server_replica_install_pkinit(self): +@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase): + pkinit_pin=_DEFAULT) + assert result.returncode == 0 + self.verify_installation() ++ verify_kdc_cert_perms(self.replicas[0]) + + + class TestServerReplicaCALessToCAFull(CALessBase): +-- +2.26.2 + diff --git a/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch b/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch new file mode 100644 index 0000000..b2655a8 --- /dev/null +++ b/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch @@ -0,0 +1,145 @@ +From b95817e35716bbab000633043817202e17d7c53e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Thu, 6 Aug 2020 17:07:36 +0200 +Subject: [PATCH] IPA-EPN: Use a helper to retrieve LDAP attributes from an + entry + +Allow for empty attributes. + +Reviewed-By: Francois Cami +--- + ipaclient/install/ipa_epn.py | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py +index 65f9f3d47..0d1ae2add 100644 +--- a/ipaclient/install/ipa_epn.py ++++ b/ipaclient/install/ipa_epn.py +@@ -122,22 +122,30 @@ class EPNUserList: + """Return len(self).""" + return len(self._expiring_password_user_dq) + ++ def get_ldap_attr(self, entry, attr): ++ """Get a single value from a multi-valued attr in a safe way""" ++ return str(entry.get(attr, [""]).pop(0)) ++ + def add(self, entry): + """Parses and appends an LDAP user entry with the uid, cn, + givenname, sn, krbpasswordexpiration and mail attributes. + """ + try: + self._sorted = False ++ if entry.get("mail") is None: ++ logger.error("IPA-EPN: No mail address defined for: %s", ++ entry.dn) ++ return + self._expiring_password_user_dq.append( + dict( +- uid=str(entry["uid"].pop(0)), +- cn=str(entry["cn"].pop(0)), +- givenname=str(entry["givenname"].pop(0)), +- sn=str(entry["sn"].pop(0)), +- krbpasswordexpiration=str( +- entry["krbpasswordexpiration"].pop(0) ++ uid=self.get_ldap_attr(entry, "uid"), ++ cn=self.get_ldap_attr(entry, "cn"), ++ givenname=self.get_ldap_attr(entry, "givenname"), ++ sn=self.get_ldap_attr(entry, "sn"), ++ krbpasswordexpiration=( ++ self.get_ldap_attr(entry,"krbpasswordexpiration") + ), +- mail=str(entry["mail"]), ++ mail=str(entry.get("mail")), + ) + ) + except IndexError as e: +-- +2.26.2 + +From 8e810d8cf38ec60d76178bd673e218fb05d56c8e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Thu, 6 Aug 2020 17:13:19 +0200 +Subject: [PATCH] IPA-EPN: fix configuration file typo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: François Cami +Reviewed-By: Francois Cami +--- + client/share/epn.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/share/epn.conf b/client/share/epn.conf +index 0e590dfc3..e3645801c 100644 +--- a/client/share/epn.conf ++++ b/client/share/epn.conf +@@ -23,7 +23,7 @@ smtp_port = 25 + # Default None (empty value). + # smtp_password = + +-# pecifies the number of seconds to wait for SMTP to respond. ++# Specifies the number of seconds to wait for SMTP to respond. + smtp_timeout = 60 + + # Specifies the type of secure connection to make. Options are: none, +-- +2.26.2 + +From 1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 6 Aug 2020 18:57:10 -0400 +Subject: [PATCH] IPA-EPN: Test that users without givenname and/or mail are + handled + +The admin user does not have a givenname by default, allow for that. + +Report errors for users without a default e-mail address. + +Update the SHA256 hash with the typo fix. + +Reviewed-By: Francois Cami +--- + ipatests/test_integration/test_epn.py | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index 18f73c722..c5c73835a 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -240,7 +240,7 @@ class TestEPN(IntegrationTest): + assert epn_conf in cmd1.stdout_text + assert epn_template in cmd1.stdout_text + cmd2 = self.master.run_command(["sha256sum", epn_conf]) +- ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957" ++ ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df" + assert cmd2.stdout_text.find(ck) == 0 + + def test_EPN_smoketest_1(self): +@@ -591,3 +591,23 @@ class TestEPN(IntegrationTest): + self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) + result = tasks.ipa_epn(self.master, raiseonerr=False) + assert "smtp_delay cannot be less than zero" in result.stderr_text ++ ++ def test_EPN_admin(self): ++ """The admin user is special and has no givenName by default ++ It also doesn't by default have an e-mail address ++ Check --dry-run output. ++ """ ++ epn_conf = textwrap.dedent(''' ++ [global] ++ ''') ++ self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) ++ self.master.run_command( ++ ['ipa', 'user-mod', 'admin', '--password-expiration', ++ datetime_to_generalized_time( ++ datetime.datetime.utcnow() + datetime.timedelta(days=7) ++ )] ++ ) ++ (unused, stderr_text, _unused) = self._check_epn_output( ++ self.master, dry_run=True ++ ) ++ assert "uid=admin" in stderr_text +-- +2.26.2 + diff --git a/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch b/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch new file mode 100644 index 0000000..b905262 --- /dev/null +++ b/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch @@ -0,0 +1,404 @@ +From 9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 4 Aug 2020 11:05:31 +0200 +Subject: [PATCH] ipatests: tasks.py: fix ipa-epn invocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tasks.py::ipa_epn would previously fail to invoke ipa-epn with +from_nbdays=0. + +Related: https://pagure.io/freeipa/issue/8449 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/pytest_ipa/integration/tasks.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py +index a3f7cc838..c0a592750 100755 +--- a/ipatests/pytest_ipa/integration/tasks.py ++++ b/ipatests/pytest_ipa/integration/tasks.py +@@ -1470,9 +1470,9 @@ def ipa_epn( + cmd.append("--dry-run") + if mailtest: + cmd.append("--mail-test") +- if from_nbdays: ++ if from_nbdays is not None: + cmd.extend(("--from-nbdays", str(from_nbdays))) +- if to_nbdays: ++ if to_nbdays is not None: + cmd.extend(("--to-nbdays", str(to_nbdays))) + return host.run_command(cmd, raiseonerr=raiseonerr) + +-- +2.26.2 + +From 3b8fdd87760cfb8ec739c67298f012cf0bd3ac39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 5 Aug 2020 10:02:31 +0200 +Subject: [PATCH] ipatests: test_epn: test_EPN_nbdays enhancements +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Enhance test_EPN_nbdays so that it checks: +* that no emails get sent when using --dry-run +* that --from-nbdays implies --dry-run +* that --to-nbdays requires --from-nbdays +* illegal inputs for nbdays: +** from-nbdays > to-nbdays +** non-numerical input +** decimal input + +Fixes: https://pagure.io/freeipa/issue/8449 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_epn.py | 130 +++++++++++++++++++++++--- + 1 file changed, 117 insertions(+), 13 deletions(-) + +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index f4c123c6d..18f73c722 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -15,6 +15,13 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + ++###### ++# This test suite will _expectedly_ fail if run at the end of the UTC day ++# because users would be created during day N and then EPN output checked ++# during day N+1. This is expected and should be ignored as it does not ++# reflect a product bug. -- fcami ++###### ++ + from __future__ import print_function, absolute_import + + import base64 +@@ -178,12 +185,14 @@ class TestEPN(IntegrationTest): + from_nbdays=None, + to_nbdays=None, + raiseonerr=True, ++ validatejson=True + ): + result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run, + from_nbdays=from_nbdays, + to_nbdays=to_nbdays) +- json.dumps(json.loads(result.stdout_text), ensure_ascii=False) +- return (result.stdout_text, result.stderr_text) ++ if validatejson: ++ json.dumps(json.loads(result.stdout_text), ensure_ascii=False) ++ return (result.stdout_text, result.stderr_text, result.returncode) + + @classmethod + def install(cls, mh): +@@ -244,12 +253,12 @@ class TestEPN(IntegrationTest): + ''') + self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) + # check EPN on client (LDAP+GSSAPI) +- (stdout_text, unused) = self._check_epn_output( ++ (stdout_text, unused, _unused) = self._check_epn_output( + self.clients[0], dry_run=True + ) + assert len(json.loads(stdout_text)) == 0 + # check EPN on master (LDAPI) +- (stdout_text, unused) = self._check_epn_output( ++ (stdout_text, unused, _unused) = self._check_epn_output( + self.master, dry_run=True + ) + assert len(json.loads(stdout_text)) == 0 +@@ -292,10 +301,10 @@ class TestEPN(IntegrationTest): + ), + ], + ) +- (stdout_text_client, unused) = self._check_epn_output( ++ (stdout_text_client, unused, _unused) = self._check_epn_output( + self.clients[0], dry_run=True + ) +- (stdout_text_master, unused) = self._check_epn_output( ++ (stdout_text_master, unused, _unused) = self._check_epn_output( + self.master, dry_run=True + ) + assert stdout_text_master == stdout_text_client +@@ -331,10 +340,10 @@ class TestEPN(IntegrationTest): + password=None, + ) + +- (stdout_text_client, unused) = self._check_epn_output( ++ (stdout_text_client, unused, _unused) = self._check_epn_output( + self.clients[0], dry_run=True + ) +- (stdout_text_master, unused) = self._check_epn_output( ++ (stdout_text_master, unused, _unused) = self._check_epn_output( + self.master, dry_run=True + ) + assert stdout_text_master == stdout_text_client +@@ -344,22 +353,117 @@ class TestEPN(IntegrationTest): + expected_users = ["user1", "user3", "user7", "user14", "user28"] + assert sorted(user_lst) == sorted(expected_users) + +- def test_EPN_nbdays(self): ++ def test_EPN_nbdays_0(self, cleanupmail): + """Test the to/from nbdays options (implies --dry-run) + + We have a set of users installed with varying expiration + dates. Confirm that to/from nbdays finds them. ++ ++ Make sure --dry-run does not accidentally send emails. + """ + +- # Compare the notify_ttls values ++ # Use the notify_ttls values with a 1-day sliding window + for i in self.notify_ttls: + user_list = [] +- (stdout_text_client, unused) = self._check_epn_output( +- self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True) ++ (stdout_text_client, unused, _unused) = self._check_epn_output( ++ self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True ++ ) + for user in json.loads(stdout_text_client): + user_list.append(user["uid"]) + assert len(user_list) == 1 +- assert user_list[0] == "user%d" % i ++ userid = "user{id}".format(id=i) ++ assert user_list[0] == userid ++ ++ # Check that the user list is expected for any given notify_ttls. ++ (stdout_text_client, unused, _unused) = self._check_epn_output( ++ self.clients[0], to_nbdays=i ++ ) ++ user_list = [user["uid"] for user in json.loads(stdout_text_client)] ++ assert len(user_list) == 1 ++ assert user_list[0] == "user{id}".format(id=i - 1) ++ ++ # make sure no emails were sent ++ result = self.clients[0].run_command(['ls', '-lha', '/var/mail/']) ++ assert userid not in result.stdout_text ++ ++ def test_EPN_nbdays_1(self, cleanupmail): ++ """Test that for a given range, we find the users in that range""" ++ ++ # Use hardcoded date ranges for now ++ for date_range in [(0, 5), (7, 15), (1, 20)]: ++ expected_user_list = ["user{i}".format(i=i) ++ for i in range(date_range[0], date_range[1])] ++ (stdout_text_client, unused, _unused) = self._check_epn_output( ++ self.clients[0], ++ from_nbdays=date_range[0], ++ to_nbdays=date_range[1] ++ ) ++ user_list = [user["uid"] for user in json.loads(stdout_text_client)] ++ for user in expected_user_list: ++ assert user in user_list ++ for user in user_list: ++ assert user in expected_user_list ++ ++ # Test the to/from nbdays options behavior with illegal input ++ ++ def test_EPN_nbdays_input_0(self): ++ """Make sure that --to-nbdays implies --dry-run ; ++ therefore check that the output is valid JSON and contains the ++ expected user. ++ """ ++ ++ (stdout_text_client, unused, _unused) = self._check_epn_output( ++ self.clients[0], to_nbdays=5, dry_run=False ++ ) ++ assert len(json.loads(stdout_text_client)) == 1 ++ assert json.loads(stdout_text_client)[0]["uid"] == "user4" ++ ++ def test_EPN_nbdays_input_1(self): ++ """Make sure that --from-nbdays cannot be used without --to-nbdays""" ++ ++ (unused, stderr_text_client, rc) = \ ++ self._check_epn_output( ++ self.clients[0], from_nbdays=3, ++ raiseonerr=False, validatejson=False ++ ) ++ assert "You cannot specify --from-nbdays without --to-nbdays" \ ++ in stderr_text_client ++ assert rc > 0 ++ ++ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) ++ def test_EPN_nbdays_input_2(self): ++ """alpha input""" ++ ++ (unused, stderr, rc) = self._check_epn_output( ++ self.clients[0], to_nbdays="abc", ++ raiseonerr=False, validatejson=False ++ ) ++ assert "error: --to-nbdays must be an integer." in stderr ++ assert rc > 0 ++ ++ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) ++ def test_EPN_nbdays_input_3(self): ++ """from_nbdays > to_nbdays""" ++ ++ (unused, stderr, rc) = self._check_epn_output( ++ self.clients[0], from_nbdays=9, to_nbdays=7, ++ raiseonerr=False, validatejson=False ++ ) ++ assert "error: --from-nbdays must be smaller than --to-nbdays." in \ ++ stderr ++ assert rc > 0 ++ ++ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) ++ def test_EPN_nbdays_input_4(self): ++ """decimal input""" ++ ++ (unused, stderr, rc) = self._check_epn_output( ++ self.clients[0], to_nbdays=7.3, ++ raiseonerr=False, validatejson=False ++ ) ++ logger.info(stderr) ++ assert rc > 0 ++ assert "error: --to-nbdays must be an integer." in stderr + + # From here the tests build on one another: + # 1) add auth +-- +2.26.2 + +From b4266023e04729db12de2f7e0de4da9e1d00db38 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Fri, 7 Aug 2020 19:08:39 +0200 +Subject: [PATCH] ipatests: test_epn: update error messages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Update error messages in the test. + +Fixes: https://pagure.io/freeipa/issue/8449 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_epn.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index e03521193..af662140a 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -458,7 +458,7 @@ class TestEPN(IntegrationTest): + self.clients[0], to_nbdays="abc", + raiseonerr=False, validatejson=False + ) +- assert "error: --to-nbdays must be an integer." in stderr ++ assert "error: --to-nbdays must be a positive integer." in stderr + assert rc > 0 + + @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) +@@ -483,7 +483,7 @@ class TestEPN(IntegrationTest): + ) + logger.info(stderr) + assert rc > 0 +- assert "error: --to-nbdays must be an integer." in stderr ++ assert "error: --to-nbdays must be a positive integer." in stderr + + # From here the tests build on one another: + # 1) add auth +-- +2.26.2 + +From 2809084a44e3b174fa48a611e79f04358e1d6dca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 5 Aug 2020 09:05:31 +0200 +Subject: [PATCH] IPA-EPN: enhance input validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Enhance input validation: +* make sure --from-nbdays and --to-nbdays are integer +* make sure --from-nbdays < --to-nbdays + +Fixes: https://pagure.io/freeipa/issue/8444 +Signed-off-by: François Cami +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaclient/install/ipa_epn.py | 28 +++++++++++++++++++++++++-- + ipatests/test_integration/test_epn.py | 3 --- + 2 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py +index 82d7b3f57..88c926e88 100644 +--- a/ipaclient/install/ipa_epn.py ++++ b/ipaclient/install/ipa_epn.py +@@ -246,9 +246,33 @@ class EPN(admintool.AdminTool): + + def validate_options(self): + super(EPN, self).validate_options(needs_root=True) +- if self.options.to_nbdays: ++ if self.options.to_nbdays is not None: ++ try: ++ if int(self.options.to_nbdays) < 0: ++ raise RuntimeError('Input is negative.') ++ except Exception as e: ++ self.option_parser.error( ++ "--to-nbdays must be a positive integer. " ++ "{error}".format(error=e) ++ ) + self.options.dry_run = True +- if self.options.from_nbdays and not self.options.to_nbdays: ++ if self.options.from_nbdays is not None: ++ try: ++ if int(self.options.from_nbdays) < 0: ++ raise RuntimeError('Input is negative.') ++ except Exception as e: ++ self.option_parser.error( ++ "--from-nbdays must be a positive integer. " ++ "{error}".format(error=e) ++ ) ++ if self.options.from_nbdays is not None and \ ++ self.options.to_nbdays is not None: ++ if int(self.options.from_nbdays) >= int(self.options.to_nbdays): ++ self.option_parser.error( ++ "--from-nbdays must be smaller than --to-nbdays." ++ ) ++ if self.options.from_nbdays is not None and \ ++ self.options.to_nbdays is None: + self.option_parser.error( + "You cannot specify --from-nbdays without --to-nbdays" + ) +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index af662140a..fc26888cb 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -450,7 +450,6 @@ class TestEPN(IntegrationTest): + in stderr_text_client + assert rc > 0 + +- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) + def test_EPN_nbdays_input_2(self): + """alpha input""" + +@@ -461,7 +460,6 @@ class TestEPN(IntegrationTest): + assert "error: --to-nbdays must be a positive integer." in stderr + assert rc > 0 + +- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) + def test_EPN_nbdays_input_3(self): + """from_nbdays > to_nbdays""" + +@@ -473,7 +471,6 @@ class TestEPN(IntegrationTest): + stderr + assert rc > 0 + +- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) + def test_EPN_nbdays_input_4(self): + """decimal input""" + +-- +2.26.2 + diff --git a/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch b/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch new file mode 100644 index 0000000..3871c56 --- /dev/null +++ b/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch @@ -0,0 +1,141 @@ +From 3cf7fb1014ae40fd5a5278f27577a8196a4af051 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Fri, 7 Aug 2020 07:51:53 +0200 +Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add a test for EPN behavior when the configured SMTP does not +accept connections. + +Fixes: https://pagure.io/freeipa/issue/8445 +Signed-off-by: François Cami +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_epn.py | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index c5c73835a..1a25d3710 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -182,14 +182,20 @@ class TestEPN(IntegrationTest): + self, + host, + dry_run=False, ++ mailtest=False, + from_nbdays=None, + to_nbdays=None, + raiseonerr=True, + validatejson=True + ): +- result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run, +- from_nbdays=from_nbdays, +- to_nbdays=to_nbdays) ++ result = tasks.ipa_epn( ++ host, ++ from_nbdays=from_nbdays, ++ to_nbdays=to_nbdays, ++ mailtest=mailtest, ++ dry_run=dry_run, ++ raiseonerr=raiseonerr ++ ) + if validatejson: + json.dumps(json.loads(result.stdout_text), ensure_ascii=False) + return (result.stdout_text, result.stderr_text, result.returncode) +@@ -243,6 +249,21 @@ class TestEPN(IntegrationTest): + ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df" + assert cmd2.stdout_text.find(ck) == 0 + ++ @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True) ++ def test_EPN_connection_refused(self): ++ """Test EPN behavior when the configured SMTP is down ++ """ ++ ++ self.master.run_command(["systemctl", "stop", "postfix"]) ++ (unused, stderr_text, rc) = self._check_epn_output( ++ self.master, mailtest=True, ++ raiseonerr=False, validatejson=False ++ ) ++ self.master.run_command(["systemctl", "start", "postfix"]) ++ assert "IPA-EPN: Could not connect to the configured SMTP server" in \ ++ stderr_text ++ assert rc > 0 ++ + def test_EPN_smoketest_1(self): + """No users except admin. Check --dry-run output. + With the default configuration, the result should be an empty list. +-- +2.26.2 + +From 53f330b053740b169d211aa16b3b36fb61157bbd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Fri, 7 Aug 2020 06:19:31 +0200 +Subject: [PATCH] IPA-EPN: Fix SMTP connection error handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Enhance error message when SMTP is down. + +Fixes: https://pagure.io/freeipa/issue/8445 +Signed-off-by: François Cami +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipaclient/install/ipa_epn.py | 17 ++++++++++------- + ipatests/test_integration/test_epn.py | 1 - + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py +index 0d1ae2add..82d7b3f57 100644 +--- a/ipaclient/install/ipa_epn.py ++++ b/ipaclient/install/ipa_epn.py +@@ -38,6 +38,7 @@ from email.mime.multipart import MIMEMultipart + from email.mime.text import MIMEText + from email.header import Header + from email.utils import make_msgid ++from socket import error as socketerror + + from ipaplatform.paths import paths + from ipalib import api, errors +@@ -640,13 +641,15 @@ class MTAClient: + port=self._smtp_port, + timeout=self._smtp_timeout, + ) +- except smtplib.SMTPException as e: +- logger.error( +- "IPA-EPN: Unable to connect to %s:%s: %s", +- self._smtp_hostname, +- self._smtp_port, +- e, +- ) ++ except (socketerror, smtplib.SMTPException) as e: ++ msg = \ ++ "IPA-EPN: Could not connect to the configured SMTP server: " \ ++ "{host}:{port}: {error}".format( ++ host=self._smtp_hostname, ++ port=self._smtp_port, ++ error=e ++ ) ++ raise admintool.ScriptError(msg) + + try: + self._conn.ehlo() +diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py +index 1a25d3710..e03521193 100644 +--- a/ipatests/test_integration/test_epn.py ++++ b/ipatests/test_integration/test_epn.py +@@ -249,7 +249,6 @@ class TestEPN(IntegrationTest): + ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df" + assert cmd2.stdout_text.find(ck) == 0 + +- @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True) + def test_EPN_connection_refused(self): + """Test EPN behavior when the configured SMTP is down + """ +-- +2.26.2 + diff --git a/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch b/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch new file mode 100644 index 0000000..8f8c1df --- /dev/null +++ b/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch @@ -0,0 +1,110 @@ +From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 4 Aug 2020 15:09:56 -0400 +Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations + +It was previously being set to 0444 which triggered a warning +in freeipa-healthcheck. + +Even root needs DAC_OVERRIDE capability to write to a 0o444 file +which may not be available in some environments. + +https://pagure.io/freeipa/issue/8441 + +Reviewed-By: Alexander Bokovoy +--- + ipaserver/install/certs.py | 2 +- + ipaserver/install/server/install.py | 5 ++--- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py +index 22ee79bd1..51d9f9221 100644 +--- a/ipaserver/install/certs.py ++++ b/ipaserver/install/certs.py +@@ -329,7 +329,7 @@ class CertDB: + ipautil.backup_file(cacert_fname) + root_nicknames = self.find_root_cert(nickname)[:-1] + with open(cacert_fname, "w") as f: +- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH) ++ os.fchmod(f.fileno(), 0o644) + for root in root_nicknames: + result = self.run_certutil(["-L", "-n", root, "-a"], + capture_output=True) +diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py +index b53c58e2a..6a593602f 100644 +--- a/ipaserver/install/server/install.py ++++ b/ipaserver/install/server/install.py +@@ -891,9 +891,8 @@ def install(installer): + + ca.install_step_0(False, None, options, custodia=custodia) + else: +- # Put the CA cert where other instances expect it +- x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) +- os.chmod(paths.IPA_CA_CRT, 0o444) ++ # /etc/ipa/ca.crt is created as a side-effect of ++ # dsinstance::enable_ssl() via export_ca_cert() + + if not options.no_pkinit: + x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) +-- +2.26.2 + +From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 4 Aug 2020 15:12:20 -0400 +Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new + installations + +It should be 0644 root:root for both CA-ful and CA-less installs. + +https://pagure.io/freeipa/issue/8441 + +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_integration/test_caless.py | 8 ++++++++ + ipatests/test_integration/test_installation.py | 10 ++++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py +index 1ea7d9896..16dfbb320 100644 +--- a/ipatests/test_integration/test_caless.py ++++ b/ipatests/test_integration/test_caless.py +@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest): + host, cert_from_ldap.public_bytes(x509.Encoding.PEM)) + assert cert_from_ldap == expected_cacrt + ++ result = host.run_command( ++ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT] ++ ) ++ (owner, group, mode) = result.stdout_text.strip().split(':') ++ assert owner == "root" ++ assert group == "root" ++ assert mode == "644" ++ + # Verify certmonger was not started + result = host.run_command(['getcert', 'list'], raiseonerr=False) + assert result.returncode == 0 +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 100a5a766..fb1990083 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest): + status = tasks.wait_for_request(self.master, request_id[0], 300) + assert status == "MONITORING" + ++ def test_ipa_ca_crt_permissions(self): ++ """Verify that /etc/ipa/ca.cert is mode 0644 root:root""" ++ result = self.master.run_command( ++ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT] ++ ) ++ out = str(result.stdout_text.strip()) ++ (owner, group, mode) = out.split(':') ++ assert mode == "644" ++ assert owner == "root" ++ assert group == "root" + + class TestInstallWithCA_KRA1(InstallTestBase1): + +-- +2.26.2 + diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 137df90..ef6b018 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -53,7 +53,7 @@ %endif # Include SELinux subpackage -%if 0%{?fedora} >= 30 || 0%{?rhel} > 8 +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 %global with_selinux 1 %global selinuxtype targeted %global modulename ipa @@ -67,11 +67,11 @@ # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.19 # Require 4.7.0 which brings Python 3 bindings -%global samba_version 4.12.3-0 +%global samba_version 4.12.3-12 %global slapi_nis_version 0.56.4 # Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files # SELinux context for /etc/named directory, RHBZ#1759495 -%global selinux_policy_version 3.14.3-43 +%global selinux_policy_version 3.14.3-52 %global slapi_nis_version 0.56.1-4 %global python_ldap_version 3.1.0-1 # python3-lib389 @@ -112,11 +112,9 @@ # Fedora %endif -# Require Dogtag PKI 10.6.8-3 (10.6.7 was never pushed to stable) -# 10.6.7 fixes UpdateNumberRange clone installation issue -# https://pagure.io/freeipa/issue/7654 and empty token issue -# and https://pagure.io/dogtagpki/issue/3073 -%global pki_version 10.8.0 +# PKIConnection has been modified to always validate certs. +# https://pagure.io/freeipa/issue/8379 +%global pki_version 10.9.0-0.4 # https://pagure.io/certmonger/issue/90 %global certmonger_version 0.79.7-3 @@ -151,7 +149,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 4%{?dist} +Release: 10%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -170,6 +168,18 @@ Patch0001: 0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1 Patch0002: 0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch Patch0003: 0003-Use-256-bit-AJP-secret_rhbz#1849914.patch Patch0004: 0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch +Patch0005: 0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch +Patch0006: 0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch +Patch0007: 0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch +Patch0008: 0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch +Patch0009: 0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch +Patch0010: 0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch +Patch0011: 0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch +Patch0012: 0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch +Patch0013: 0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch +Patch0014: 0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch +Patch0015: 0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch +Patch0016: 0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch @@ -497,7 +507,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap -Obsoletes: ipa-idoverride-memberof-plugin +Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 Requires(post): python3 Requires: python3-samba @@ -565,6 +575,9 @@ Obsoletes: %{alt_name}-admintools < 4.4.1 Obsoletes: %{name}-admintools < 4.4.1 Provides: %{name}-admintools = %{version}-%{release} +# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module +Conflicts: crypto-policies < 20200629-1 + %description client IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization @@ -1517,6 +1530,55 @@ fi %changelog +* Wed Aug 19 2020 Thomas Woerner - 4.8.7-10 +- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations + Resolves: RHBZ#1870202 + +* Mon Aug 17 2020 Thomas Woerner - 4.8.7-9 +- CAless installation: set the perms on KDC cert file + Resolves: RHBZ#1863616 +- EPN: handle empty attributes + Resolves: RHBZ#1866938 +- IPA-EPN: enhance input validation + Resolves: RHBZ#1866291 +- EPN: enhance input validation + Resolves: RHBZ#1863079 +- Require new samba build 4.12.3-52 + Related: RHBZ#1868558 +- Require new selinux-policy build 3.14.3-52 + Related: RHBZ#1869311 + +* Fri Jul 31 2020 Thomas Woerner - 4.8.7-8 +- [WebUI] IPA Error 3007: RequirmentError" while adding members in + "User ID overrides" tab (updated) + Resolves: RHBZ#1757045 +- ipa-client-install: use the authselect backup during uninstall + Resolves: RHBZ#1810179 +- Replace SSLCertVerificationError with CertificateError for py36 + Resolves: RHBZ#1858318 +- Fix AVC denial during ipa-adtrust-install --add-agents + Resolves: RHBZ#1859213 + +* Wed Jul 15 2020 Thomas Woerner - 4.8.7-7 +- replica install failing with avc denial for custodia component + Resolves: RHBZ#1857157 + +* Tue Jul 14 2020 Thomas Woerner - 4.8.7-6 +- selinux don't audit rules deny fetching trust topology + Resolves: RHBZ#1845596 +- fix iPAddress cert issuance for >1 host/service + Resolves: RHBZ#1846352 +- Specify cert_paths when calling PKIConnection + Resolves: RHBZ#1849155 +- Update crypto policy to allow AD-SUPPORT when installing IPA + Resolves: RHBZ#1851139 +- Add version to ipa-idoverride-memberof obsoletes + Related: RHBZ#1846434 + +* Thu Jul 02 2020 Thomas Woerner - 4.8.7-5 +- Add missing ipa-selinux package + Resolves: RHBZ#1853263 + * Mon Jun 29 2020 Thomas Woerner - 4.8.7-4 - Remove client-epn left over files for ONLY_CLIENT Related: RHBZ#1847999