diff --git a/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-10.patch b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-10.patch new file mode 100644 index 0000000..a70a242 --- /dev/null +++ b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-10.patch @@ -0,0 +1,320 @@ +From 14e4011027214bd2c33ef4975a3ed43486e4de70 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Sat, 23 Oct 2021 23:19:57 -0600 +Subject: [PATCH 1/3] Fixes gleaned from the following DOGTAG_10_5_COMMITS: + +commit 68ef0c8a4208b9deea819c41d65639edd6de8e8c +Author: Chris Kelley +Date: Tue Aug 31 12:41:06 2021 +0100 + + Fix navigation buttons in CA EE list certs page + +commit 64e6acd3e035ecb0eb84d8fe47cd513eb8eaeb3b +Author: Jon Parrish +Date: Thu Oct 7 16:39:38 2021 +0000 + + Close table so that top navigation is at the top +--- + base/ca/shared/webapps/ca/ee/ca/queryCert.template | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/ca/shared/webapps/ca/ee/ca/queryCert.template b/base/ca/shared/webapps/ca/ee/ca/queryCert.template +index 878e3be..65718e1 100644 +--- a/base/ca/shared/webapps/ca/ee/ca/queryCert.template ++++ b/base/ca/shared/webapps/ca/ee/ca/queryCert.template +@@ -336,7 +336,7 @@ if (result.recordSet.length == 0) { + ); + + document.write("\n"+ +- "
\n"); ++ "
\n"); + displayNextForm(); + + document.write( +@@ -370,7 +370,7 @@ document.write("\n"); + } + + document.write("\n"+ +- "
\n"); ++ "
\n"); + + if (result.header.revokeAll != null && result.header.totalRecordCount > 1) { + displayRevokeAllForm(result.header.totalRecordCount); +@@ -407,7 +407,7 @@ function renderNextButtonElement(name, label, disabled) + result.innerText = label; + result.width = 72; + result.disabled = disabled ? true : false; +- result.onClick = () => doNext(result); ++ result.onclick = () => doNext(result); + return result; + } + +-- +1.8.3.1 + + +From 33fd6ff7de3c847939269ca1307d5854af258d4c Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 11 Oct 2021 16:26:19 -0700 +Subject: [PATCH 2/3] Bug2007405-pkispawn bails out too easily in + validate_system_cert + +For pkispawn, in def validate_system_cert, it appears some unexpected +conditions could happen that would trigger failur to + pki-server subsystem-cert-validate + +Some of these conditions probably could have been resolved manually +if installation were allowed to complete. + +This patch is to print out the result as information then allow the +installation to continue. It doesn't necessarily mean that the +installation will succeed, but it will at least go further to allow +for better investigation. + +fixes https://bugzilla.redhat.com/show_bug.cgi?id=2007405 + +(cherry picked from commit 656d3426cc3ace5cac3624384e05c4233caae022) +--- + base/server/python/pki/server/__init__.py | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py +index 3512e94..3856c85 100644 +--- a/base/server/python/pki/server/__init__.py ++++ b/base/server/python/pki/server/__init__.py +@@ -450,9 +450,12 @@ class PKISubsystem(object): + + logger.debug('Command: %s', ' '.join(cmd)) + +- subprocess.check_output( +- cmd, +- stderr=subprocess.STDOUT) ++ try: ++ print(subprocess.check_output( ++ cmd, ++ stderr=subprocess.STDOUT)) ++ except subprocess.CalledProcessError as v: ++ print("pki-server subsystem-cert-validate stdout output:\n", v.output) + + def export_system_cert( + self, +-- +1.8.3.1 + + +From 82a3f261c83c33c395f4ee720b3cb09c9007580c Mon Sep 17 00:00:00 2001 +From: Andrew Wnuk <92763627+ajwnuk@users.noreply.github.com> +Date: Thu, 21 Oct 2021 15:17:55 -0700 +Subject: [PATCH 3/3] Authentication issue #3629 (#3787) + +Co-authored-by: Andrew Wnuk +(cherry picked from commit cf3fb92a029991da029ba81b5f68e254e44532d7) +--- + .../authentication/UserPwdDirAuthentication.java | 150 +++++++++++++++++++++ + 1 file changed, 150 insertions(+) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java +index ead8650..faaefb6 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java +@@ -18,12 +18,21 @@ + package com.netscape.cms.authentication; + + // ldap java sdk ++import java.util.ArrayList; + import java.util.Enumeration; ++import java.util.HashMap; + import java.util.Locale; ++import java.util.Map; + import java.util.Vector; + ++ + import netscape.ldap.LDAPConnection; + import netscape.ldap.LDAPException; ++import netscape.ldap.LDAPAttribute; ++import netscape.ldap.LDAPConnection; ++import netscape.ldap.LDAPEntry; ++import netscape.ldap.LDAPSearchResults; ++import netscape.ldap.LDAPv2; + + import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; +@@ -44,6 +53,8 @@ import com.netscape.certsrv.profile.IProfileAuthenticator; + import com.netscape.certsrv.property.Descriptor; + import com.netscape.certsrv.property.IDescriptor; + import com.netscape.certsrv.request.IRequest; ++import com.netscape.certsrv.usrgrp.IUGSubsystem; ++import com.netscape.certsrv.usrgrp.IUser; + // cert server x509 imports + // java sdk imports. + +@@ -65,6 +76,12 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication + + protected String mAttrName = null; + protected String mAttrDesc = null; ++ protected String mMemberAttrName = null; ++ protected String mMemberAttrValue = null; ++ protected String mInternalGroup = null; ++ protected boolean mInternalUserRequired = false; ++ protected IUGSubsystem mUGS = null; ++ protected String mAttrs[] = null; + + /* Holds configuration parameters accepted by this implementation. + * This list is passed to the configuration console so configuration +@@ -82,6 +99,10 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication + "ldap.basedn", + "ldap.attrName", + "ldap.attrDesc", ++ "ldap.memberAttrName", ++ "ldap.memberAttrValue", ++ "ldap.internalUserRequired", ++ "ldap.internalGroup", + "ldap.minConns", + "ldap.maxConns", + }; +@@ -138,6 +159,36 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication + } + CMS.debug("UserPwdDirAuthentication init mAttr=" + mAttr + + " mAttrName=" + mAttrName + " mAttrDesc=" + mAttrDesc); ++ ++ // Optional attribute, which presence and value have to be checked if included in configuration ++ mMemberAttrName = mLdapConfig.getString("memberAttrName", null); ++ mMemberAttrName = (mMemberAttrName != null)? mMemberAttrName.trim(): mMemberAttrName; ++ if (mMemberAttrName != null && mMemberAttrName.length() > 0) { ++ mMemberAttrValue = mLdapConfig.getString("memberAttrValue", null); ++ mMemberAttrValue = (mMemberAttrValue != null)? mMemberAttrValue.trim(): mMemberAttrValue; ++ CMS.debug("UserPwdDirAuthentication init mMemberAttrName=" + mMemberAttrName + " mMemberAttrValue=" + mMemberAttrValue); ++ } ++ // Optional attribute, which indicates local user entry presence that have to be checked if included in configuration ++ mInternalUserRequired = mLdapConfig.getBoolean("internalUserRequired", false); ++ CMS.debug("UserPwdDirAuthentication init mInternalUserRequired=" + mInternalUserRequired); ++ mInternalGroup = mLdapConfig.getString("internalGroup", null); ++ mInternalGroup = (mInternalGroup != null)? mInternalGroup.trim(): mInternalGroup; ++ if (mInternalGroup != null && mInternalGroup.length() > 0) { ++ mInternalUserRequired = true; ++ CMS.debug("UserPwdDirAuthentication init mInternalGroup=" + mInternalGroup); ++ } ++ if (mInternalUserRequired) { ++ mUGS = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); ++ } ++ ++ ArrayList attrList = new ArrayList<>(); ++ if (mInternalUserRequired) { ++ attrList.add(CRED_UID); ++ } ++ if (mMemberAttrName != null && mMemberAttrName.length() > 0 && !mMemberAttrName.equalsIgnoreCase(CRED_UID)) { ++ attrList.add(mMemberAttrName); ++ } ++ mAttrs = (String[])attrList.toArray(new String[attrList.size()]); + } + + /** +@@ -182,6 +233,105 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication + // bind as user dn and pwd - authenticates user with pwd. + conn.authenticate(userdn, pwd); + CMS.debug("Authenticated: userdn=" + userdn); ++ ++ LDAPEntry entry = null; ++ Map entryAttributes = new HashMap(); ++ if (mAttrs != null && mAttrs.length > 0) { ++ LDAPSearchResults results = conn.search(userdn, LDAPConnection.SCOPE_BASE, null, mAttrs, false); ++ if (results != null && results.hasMoreElements()) { ++ entry = results.next(); ++ if (entry != null) { ++ CMS.debug("Reviewing entry: " + entry.getDN()); ++ for (int i = 0; i < mAttrs.length; i++) { ++ LDAPAttribute memberAttribute = entry.getAttribute(mAttrs[i]); ++ if (memberAttribute != null) { ++ String[] values = memberAttribute.getStringValueArray(); ++ if (values != null && values.length > 0) { ++ entryAttributes.put(mAttrs[i], values); ++ } ++ } ++ } ++ } ++ } ++ } ++ if (mAttrs != null && mAttrs.length > 0 && (entry == null || entryAttributes.size() == 0)) { ++ CMS.debug("Failed to obtain data required for verification."); ++ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ ++ if (mMemberAttrName != null && mMemberAttrName.length() > 0) { ++ CMS.debug("Authenticating: memberAttribute=" + mMemberAttrName); ++ String[] values = entryAttributes.get(mMemberAttrName); ++ boolean verified = false; ++ if (values != null && values.length > 0) { ++ if (mMemberAttrValue != null && mMemberAttrValue.length() > 0) { ++ for (int i = 0; i < values.length; i++) { ++ if (mMemberAttrValue.equalsIgnoreCase(values[i])) { ++ verified = true; ++ } ++ } ++ } else { ++ verified = true; ++ } ++ } ++ if (!verified) { ++ CMS.debug("Failed to verify memberAttribute"); ++ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ ++ if (mInternalUserRequired) { ++ values = entryAttributes.get(CRED_UID); ++ verified = false; ++ if (values != null && values.length > 0) { ++ for (int i = 0; i < values.length; i++) { ++ IUser user = mUGS.getUser(values[i]); ++ if (user != null) { ++ if (mInternalGroup != null && mInternalGroup.length() > 0) { ++ if (mUGS.isMemberOf(values[i], mInternalGroup)) { ++ verified = true; ++ CMS.debug("Authenticated: user='" + user.getUserDN() + "' is member of '" + mInternalGroup + "'"); ++ } ++ } else { ++ verified = true; ++ CMS.debug("Authenticated: user='" + user.getUserDN() + "'"); ++ } ++ } ++ } ++ } ++ if (!verified) { ++ CMS.debug("Failed to verify userAttribute"); ++ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ } ++ ++ } else { ++ if (mInternalUserRequired) { ++ String userAttr = (mAttr.equalsIgnoreCase(CRED_UID))? attr: entryAttributes.get(CRED_UID)[0]; ++ if (userAttr != null && userAttr.length() > 0) { ++ CMS.debug("Authenticating: InternalUser: '" + CRED_UID + "=" + userAttr + "'"); ++ IUser user = mUGS.getUser(userAttr); ++ if (user != null) { ++ if (mInternalGroup != null && mInternalGroup.length() > 0) { ++ if (mUGS.isMemberOf(userAttr, mInternalGroup)) { ++ CMS.debug("Authenticated: user='" + user.getUserDN() + "' is member of '" + mInternalGroup + "'"); ++ } else { ++ CMS.debug("Authenticated: user='" + user.getUserDN() + "' is NOT member of '" + mInternalGroup + "'"); ++ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ } else { ++ CMS.debug("Authenticated: user='" + user.getUserDN() + "'"); ++ } ++ } else { ++ CMS.debug("Missing InternalUser='" + userAttr + "'"); ++ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ } else { ++ CMS.debug("Incorrect attribute requested: '" + mAttr + "' instead of '" + CRED_UID + "'"); ++ throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); ++ } ++ } ++ } ++ + // set attr in the token. + token.set(mAttr, attr); + +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index bf67920..420db36 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -65,13 +65,13 @@ Name: pki-core %if 0%{?rhel} Version: 10.5.18 -%define redhat_release 17 +%define redhat_release 18 %define redhat_stage 0 #%define default_release %{redhat_release}.%{redhat_stage} %define default_release %{redhat_release} %else Version: 10.5.18 -%define fedora_release 17 +%define fedora_release 18 %define fedora_stage 0 #%define default_release %{fedora_release}.%{fedora_stage} %define default_release %{fedora_release} @@ -222,6 +222,7 @@ Patch12: pki-core-rhel-7-9-rhcs-9-7-bu-6.1.patch Patch13: pki-core-rhel-7-9-rhcs-9-7-bu-7.patch Patch14: pki-core-rhel-7-9-rhcs-9-7-bu-8.patch Patch15: pki-core-rhel-7-9-rhcs-9-7-bu-9.patch +Patch16: pki-core-rhel-7-9-rhcs-9-7-bu-10.patch # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # @@ -838,6 +839,7 @@ This package is a part of the PKI Core used by the Certificate System. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 %clean %{__rm} -rf %{buildroot} @@ -1375,9 +1377,26 @@ fi %endif # %{with server} %changelog +* Sat Oct 23 2021 Dogtag Team 10.5.18-18 +- ########################################################################## +- # RHEL 7.9 (Batch Update 10): +- ########################################################################## +- Bugzillla Bug 1978345 - End Entity's List Certificates Page Back/Forward + Buttons are Broken (ckelley, jonahon.d.parrish@mail.mil, mharmsen) +- Bugzilla Bug 2008707 - pkispawn bails out too easily for things that could + have been worked around after installation [RHEL 7.9.z] (cfu) +- Bugzilla Bug 2016773 - Directory authentication plugin requires directory + admin password just for user authentication (rhel-7.9.z) + (awnuk@purestorage.com, jmagne) +- ########################################################################## +- # RHCS 9.7: +- ########################################################################## +- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7) + * Wed Sep 15 2021 Dogtag Team 10.5.18-17 - ########################################################################## -- # RHEL 7.9 (Batch Update 8): +- # RHEL 7.9 (Batch Update 9): - ########################################################################## - Bugzilla Bug 1958788 - ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500 [ftweedal, ckelley]