diff --git a/SOURCES/0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch b/SOURCES/0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch new file mode 100644 index 0000000..73b0c6d --- /dev/null +++ b/SOURCES/0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch @@ -0,0 +1,62 @@ +From bf0a34b06e4a44b71b5a9b5f7b7537d3d99e0441 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 7 Jun 2017 19:41:26 +1000 +Subject: [PATCH] Add CommonNameToSANDefault to default cert profile + +The CommonNameToSANDefault component was added to Dogtag 10.4. When +a profile is configured to use it, this profile copies the CN in the +certificate to the Subject Alternative Name extension as a dNSName +(if and only if it does look like a DNS name). + +It is desirable that the default service profile use this component. +Add it to the default profile, for new installations only. For +existing installations, until a proper profile update mechanism is +implemented, administrators who wish to use it must configure it via +the 'certprofile-mod' command. + +Fixes: https://pagure.io/freeipa/issue/7007 +Reviewed-By: Jan Cholasta +--- + freeipa.spec.in | 4 ++-- + install/share/profiles/caIPAserviceCert.cfg | 6 +++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index d7f8d11ec553cfe299937e1e5f8cc27caed32b08..721e512039a4d7f9d2ed94d7620b083732c56304 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -291,8 +291,8 @@ Requires(post): systemd-units + Requires: selinux-policy >= %{selinux_policy_version} + Requires(post): selinux-policy-base >= %{selinux_policy_version} + Requires: slapi-nis >= %{slapi_nis_version} +-Requires: pki-ca >= 10.3.5-11 +-Requires: pki-kra >= 10.3.5-11 ++Requires: pki-ca >= 10.4.0-1 ++Requires: pki-kra >= 10.4.0-1 + Requires(preun): python systemd-units + Requires(postun): python systemd-units + Requires: policycoreutils >= 2.1.12-5 +diff --git a/install/share/profiles/caIPAserviceCert.cfg b/install/share/profiles/caIPAserviceCert.cfg +index 6c5102f0dbd6bd6c6eaf2fa22e87ed4a5f34553c..3bec9ed10c7c053a67271de52dd95e71fe1fb6b8 100644 +--- a/install/share/profiles/caIPAserviceCert.cfg ++++ b/install/share/profiles/caIPAserviceCert.cfg +@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=serverCertSet +-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12 + policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.serverCertSet.1.constraint.name=Subject Name Constraint + policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint + policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl + policyset.serverCertSet.11.default.name=User Supplied Extension Default + policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 ++policyset.serverCertSet.12.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.12.constraint.name=No Constraint ++policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl ++policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name +-- +2.9.4 + diff --git a/SOURCES/0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch b/SOURCES/0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch new file mode 100644 index 0000000..f83b0f2 --- /dev/null +++ b/SOURCES/0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch @@ -0,0 +1,131 @@ +From 57c93cb21d542e1d0eab52baa01ac60f30459dc7 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 21 Jun 2017 18:28:50 +0200 +Subject: [PATCH] smart-card advises: configure systemwide NSS DB also on + master + +Previously the Smart card signing CA cert was uploaded to systemwide NSS +DB only on the client, but it need to be added also to the server. +Modify the advise plugins to allow for common configuration steps to +occur in both cases. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 59 +++++++++++++++++------------ + 1 file changed, 35 insertions(+), 24 deletions(-) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 5859e350939fdba0a8b258de5285dd10c7b3bc23..0ee4808d47aa87a4b1b838d427e9958d98075a4a 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED + register = Registry() + + ++class common_smart_card_auth_config(Advice): ++ """ ++ Common steps required to properly configure both server and client for ++ smart card auth ++ """ ++ ++ systemwide_nssdb = paths.NSS_DB_DIR ++ smart_card_ca_cert_variable_name = "SC_CA_CERT" ++ ++ def check_and_set_ca_cert_path(self): ++ ca_path_variable = self.smart_card_ca_cert_variable_name ++ self.log.command("{}=$1".format(ca_path_variable)) ++ self.log.exit_on_predicate( ++ '[ -z "${}" ]'.format(ca_path_variable), ++ ['You need to provide the path to the PEM file containing CA ' ++ 'signing the Smart Cards'] ++ ) ++ self.log.exit_on_predicate( ++ '[ ! -f "${}" ]'.format(ca_path_variable), ++ ['Invalid CA certificate filename: ${}'.format(ca_path_variable), ++ 'Please check that the path exists and is a valid file'] ++ ) ++ ++ def upload_smartcard_ca_certificate_to_systemwide_db(self): ++ self.log.command( ++ 'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format( ++ self.systemwide_nssdb, self.smart_card_ca_cert_variable_name ++ ) ++ ) ++ ++ + @register() +-class config_server_for_smart_card_auth(Advice): ++class config_server_for_smart_card_auth(common_smart_card_auth_config): + """ + Configures smart card authentication via Kerberos (PKINIT) and for WebUI + """ +@@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice): + + def get_info(self): + self.log.exit_on_nonroot_euid() ++ self.check_and_set_ca_cert_path() + self.check_ccache_not_empty() + self.check_hostname_is_in_masters() + self.resolve_ipaca_records() +@@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice): + self.record_httpd_ocsp_status() + self.check_and_enable_pkinit() + self.enable_ok_to_auth_as_delegate_on_http_principal() ++ self.upload_smartcard_ca_certificate_to_systemwide_db() + + def check_ccache_not_empty(self): + self.log.comment('Check whether the credential cache is not empty') +@@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice): + + + @register() +-class config_client_for_smart_card_auth(Advice): ++class config_client_for_smart_card_auth(common_smart_card_auth_config): + """ + Configures smart card authentication on FreeIPA client + """ +- smart_card_ca_cert_variable_name = "SC_CA_CERT" + + description = ("Instructions for enabling Smart Card authentication on " + " a single FreeIPA client. Configures Smart Card daemon, " +@@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice): + self.run_authconfig_to_configure_smart_card_auth() + self.restart_sssd() + +- def check_and_set_ca_cert_path(self): +- ca_path_variable = self.smart_card_ca_cert_variable_name +- self.log.command("{}=$1".format(ca_path_variable)) +- self.log.exit_on_predicate( +- '[ -z "${}" ]'.format(ca_path_variable), +- ['You need to provide the path to the PEM file containing CA ' +- 'signing the Smart Cards'] +- ) +- self.log.exit_on_predicate( +- '[ ! -f "${}" ]'.format(ca_path_variable), +- ['Invalid CA certificate filename: ${}'.format(ca_path_variable), +- 'Please check that the path exists and is a valid file'] +- ) +- + def check_and_remove_pam_pkcs11(self): + self.log.command('rpm -qi pam_pkcs11 > /dev/null') + self.log.commands_on_predicate( +@@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice): + ] + ) + +- def upload_smartcard_ca_certificate_to_systemwide_db(self): +- self.log.command( +- 'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format( +- self.systemwide_nssdb, self.smart_card_ca_cert_variable_name +- ) +- ) +- + def run_authconfig_to_configure_smart_card_auth(self): + self.log.exit_on_failed_command( + 'authconfig --enablesmartcard --smartcardmodule=sssd --updateall', +-- +2.9.4 + diff --git a/SOURCES/0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch b/SOURCES/0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch new file mode 100644 index 0000000..344a96c --- /dev/null +++ b/SOURCES/0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch @@ -0,0 +1,125 @@ +From 7bbf7dbc27d1bcde8bf3e4d0bb8fec65de2660c8 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 21 Jun 2017 18:52:57 +0200 +Subject: [PATCH] smart-card advises: add steps to store smart card signing CA + cert + +On master, upload the CA certificate to IPA LDAP and NSS databases. On +both master and client run ipa-certupdate to update client-side CA +certificate bundles used as PKINIT anchors. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 46 +++++++++++++++++++++++------ + 1 file changed, 37 insertions(+), 9 deletions(-) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 0ee4808d47aa87a4b1b838d427e9958d98075a4a..0217bd190778f1235981a49e7b0764b8b9cdf582 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -3,6 +3,7 @@ + # + + from ipalib.plugable import Registry ++from ipaplatform import services + from ipaplatform.paths import paths + from ipaserver.advise.base import Advice + from ipaserver.install.httpinstance import NSS_OCSP_ENABLED +@@ -19,6 +20,16 @@ class common_smart_card_auth_config(Advice): + systemwide_nssdb = paths.NSS_DB_DIR + smart_card_ca_cert_variable_name = "SC_CA_CERT" + ++ def check_ccache_not_empty(self): ++ self.log.comment('Check whether the credential cache is not empty') ++ self.log.exit_on_failed_command( ++ 'klist', ++ [ ++ "Credential cache is empty", ++ 'Use kinit as privileged user to obtain Kerberos credentials' ++ ]) ++ ++ + def check_and_set_ca_cert_path(self): + ca_path_variable = self.smart_card_ca_cert_variable_name + self.log.command("{}=$1".format(ca_path_variable)) +@@ -40,6 +51,20 @@ class common_smart_card_auth_config(Advice): + ) + ) + ++ def install_smart_card_signing_ca_cert(self): ++ self.log.exit_on_failed_command( ++ 'ipa-cacert-manage install ${} -t CT,C,C'.format( ++ self.smart_card_ca_cert_variable_name ++ ), ++ ['Failed to install external CA certificate to IPA'] ++ ) ++ ++ def update_ipa_ca_certificate_store(self): ++ self.log.exit_on_failed_command( ++ 'ipa-certupdate', ++ ['Failed to update IPA CA certificate database'] ++ ) ++ + + @register() + class config_server_for_smart_card_auth(common_smart_card_auth_config): +@@ -56,6 +81,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + nss_conf = paths.HTTPD_NSS_CONF + nss_ocsp_directive = 'NSSOCSP' + nss_nickname_directive = 'NSSNickname' ++ kdc_service_name = services.knownservices.krb5kdc.systemd_name + + def get_info(self): + self.log.exit_on_nonroot_euid() +@@ -70,15 +96,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + self.check_and_enable_pkinit() + self.enable_ok_to_auth_as_delegate_on_http_principal() + self.upload_smartcard_ca_certificate_to_systemwide_db() +- +- def check_ccache_not_empty(self): +- self.log.comment('Check whether the credential cache is not empty') +- self.log.exit_on_failed_command( +- 'klist', +- [ +- "Credential cache is empty", +- 'Use kinit as privileged user to obtain Kerberos credentials' +- ]) ++ self.update_ipa_ca_certificate_store() ++ self.restart_kdc() + + def check_hostname_is_in_masters(self): + self.log.comment('Check whether the host is IPA master') +@@ -193,6 +212,12 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"] + ) + ++ def restart_kdc(self): ++ self.log.exit_on_failed_command( ++ 'systemctl restart {}'.format(self.kdc_service_name), ++ ['Failed to restart KDC. Please restart the service manually.'] ++ ) ++ + + @register() + class config_client_for_smart_card_auth(common_smart_card_auth_config): +@@ -214,11 +239,14 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): + def get_info(self): + self.log.exit_on_nonroot_euid() + self.check_and_set_ca_cert_path() ++ self.check_ccache_not_empty() + self.check_and_remove_pam_pkcs11() + self.install_opensc_and_dconf_packages() + self.start_enable_smartcard_daemon() + self.add_pkcs11_module_to_systemwide_db() + self.upload_smartcard_ca_certificate_to_systemwide_db() ++ self.install_smart_card_signing_ca_cert() ++ self.update_ipa_ca_certificate_store() + self.run_authconfig_to_configure_smart_card_auth() + self.restart_sssd() + +-- +2.9.4 + diff --git a/SOURCES/0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch b/SOURCES/0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch new file mode 100644 index 0000000..612e334 --- /dev/null +++ b/SOURCES/0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch @@ -0,0 +1,150 @@ +From 6bfb11f2110f5fbaecc2d6a27d89289c58edc171 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 10:06:21 +0200 +Subject: [PATCH] Allow to pass in multiple CA cert paths to the smart card + advises + +If the user has a series of CA certificates required to verify smart +card certs (e.g. intermediary CAs and root CA) it is convenient to allow +for passing them to the advise scripts as a series of PEM files. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 69 +++++++++++++++++++---------- + 1 file changed, 46 insertions(+), 23 deletions(-) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 0217bd190778f1235981a49e7b0764b8b9cdf582..16c01204444883ed949db73b2314ba5c404124df 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -18,7 +18,8 @@ class common_smart_card_auth_config(Advice): + """ + + systemwide_nssdb = paths.NSS_DB_DIR +- smart_card_ca_cert_variable_name = "SC_CA_CERT" ++ smart_card_ca_certs_variable_name = "SC_CA_CERTS" ++ single_ca_cert_variable_name = 'ca_cert' + + def check_ccache_not_empty(self): + self.log.comment('Check whether the credential cache is not empty') +@@ -29,35 +30,58 @@ class common_smart_card_auth_config(Advice): + 'Use kinit as privileged user to obtain Kerberos credentials' + ]) + ++ def check_and_set_ca_cert_paths(self): ++ ca_paths_variable = self.smart_card_ca_certs_variable_name ++ single_ca_path_variable = self.single_ca_cert_variable_name + +- def check_and_set_ca_cert_path(self): +- ca_path_variable = self.smart_card_ca_cert_variable_name +- self.log.command("{}=$1".format(ca_path_variable)) ++ self.log.command("{}=$@".format(ca_paths_variable)) + self.log.exit_on_predicate( +- '[ -z "${}" ]'.format(ca_path_variable), +- ['You need to provide the path to the PEM file containing CA ' +- 'signing the Smart Cards'] ++ '[ -z "${}" ]'.format(ca_paths_variable), ++ ['You need to provide one or more paths to the PEM files ' ++ 'containing CAs signing the Smart Cards'] + ) ++ self.log.command( ++ "for {} in ${}".format( ++ single_ca_path_variable, ca_paths_variable)) ++ self.log.command("do") + self.log.exit_on_predicate( +- '[ ! -f "${}" ]'.format(ca_path_variable), +- ['Invalid CA certificate filename: ${}'.format(ca_path_variable), +- 'Please check that the path exists and is a valid file'] ++ '[ ! -f "${}" ]'.format(single_ca_path_variable), ++ ['Invalid CA certificate filename: ${}'.format( ++ single_ca_path_variable), ++ 'Please check that the path exists and is a valid file'], ++ indent_spaces=2 + ) ++ self.log.command("done") + +- def upload_smartcard_ca_certificate_to_systemwide_db(self): ++ def upload_smartcard_ca_certificates_to_systemwide_db(self): ++ self.log.command( ++ "for {} in ${}".format( ++ self.single_ca_cert_variable_name, ++ self.smart_card_ca_certs_variable_name)) ++ self.log.command("do") + self.log.command( +- 'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format( +- self.systemwide_nssdb, self.smart_card_ca_cert_variable_name +- ) ++ 'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" ' ++ '-t CT,C,C'.format( ++ self.systemwide_nssdb, self.single_ca_cert_variable_name ++ ), ++ indent_spaces=2 + ) ++ self.log.command("done") + +- def install_smart_card_signing_ca_cert(self): ++ def install_smart_card_signing_ca_certs(self): ++ self.log.command( ++ "for {} in ${}".format( ++ self.single_ca_cert_variable_name, ++ self.smart_card_ca_certs_variable_name)) ++ self.log.command("do") + self.log.exit_on_failed_command( + 'ipa-cacert-manage install ${} -t CT,C,C'.format( +- self.smart_card_ca_cert_variable_name ++ self.single_ca_cert_variable_name + ), +- ['Failed to install external CA certificate to IPA'] ++ ['Failed to install external CA certificate to IPA'], ++ indent_spaces=2 + ) ++ self.log.command("done") + + def update_ipa_ca_certificate_store(self): + self.log.exit_on_failed_command( +@@ -85,7 +109,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + + def get_info(self): + self.log.exit_on_nonroot_euid() +- self.check_and_set_ca_cert_path() ++ self.check_and_set_ca_cert_paths() + self.check_ccache_not_empty() + self.check_hostname_is_in_masters() + self.resolve_ipaca_records() +@@ -95,7 +119,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + self.record_httpd_ocsp_status() + self.check_and_enable_pkinit() + self.enable_ok_to_auth_as_delegate_on_http_principal() +- self.upload_smartcard_ca_certificate_to_systemwide_db() ++ self.upload_smartcard_ca_certificates_to_systemwide_db() ++ self.install_smart_card_signing_ca_certs() + self.update_ipa_ca_certificate_store() + self.restart_kdc() + +@@ -234,18 +259,16 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): + pkcs11_shared_lib = '/usr/lib64/opensc-pkcs11.so' + smart_card_service_file = 'pcscd.service' + smart_card_socket = 'pcscd.socket' +- systemwide_nssdb = paths.NSS_DB_DIR + + def get_info(self): + self.log.exit_on_nonroot_euid() +- self.check_and_set_ca_cert_path() ++ self.check_and_set_ca_cert_paths() + self.check_ccache_not_empty() + self.check_and_remove_pam_pkcs11() + self.install_opensc_and_dconf_packages() + self.start_enable_smartcard_daemon() + self.add_pkcs11_module_to_systemwide_db() +- self.upload_smartcard_ca_certificate_to_systemwide_db() +- self.install_smart_card_signing_ca_cert() ++ self.upload_smartcard_ca_certificates_to_systemwide_db() + self.update_ipa_ca_certificate_store() + self.run_authconfig_to_configure_smart_card_auth() + self.restart_sssd() +-- +2.9.4 + diff --git a/SOURCES/0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch b/SOURCES/0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch new file mode 100644 index 0000000..e6ac4ed --- /dev/null +++ b/SOURCES/0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch @@ -0,0 +1,77 @@ +From bdf024c20213110306b2fcf3651f274c229aae29 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 13:18:54 +0200 +Subject: [PATCH] add a class that tracks the indentation in the generated + advises + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/base.py | 49 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py +index ba412b872472580cd32baf2a326a14edb951cab1..639fd1807f72f11f46136999c4ce4c6eec6b3698 100644 +--- a/ipaserver/advise/base.py ++++ b/ipaserver/advise/base.py +@@ -76,6 +76,55 @@ As a result, you can redirect the advice's output directly to a script file. + """ + + ++class _IndentationTracker(object): ++ """ ++ A simple wrapper that tracks the indentation level of the generated bash ++ commands ++ """ ++ def __init__(self, spaces_per_indent=0): ++ if spaces_per_indent <= 0: ++ raise ValueError( ++ "Indentation increments cannot be zero or negative") ++ self.spaces_per_indent = spaces_per_indent ++ self._indentation_stack = [] ++ self._total_indentation_level = 0 ++ ++ @property ++ def indentation_string(self): ++ """ ++ return a string containing number of spaces corresponding to ++ indentation level ++ """ ++ return " " * self._total_indentation_level ++ ++ def indent(self): ++ """ ++ track a single indentation of the generated code ++ """ ++ self._indentation_stack.append(self.spaces_per_indent) ++ self._recompute_indentation_level() ++ ++ def _recompute_indentation_level(self): ++ """ ++ Track total indentation level of the generated code ++ """ ++ self._total_indentation_level = sum(self._indentation_stack) ++ ++ def dedent(self): ++ """ ++ track a single dedentation of the generated code ++ dedents that would result in zero or negative indentation level will be ++ ignored ++ """ ++ try: ++ self._indentation_stack.pop() ++ except IndexError: ++ # can not dedent any further ++ pass ++ ++ self._recompute_indentation_level() ++ ++ + class _AdviceOutput(object): + + def __init__(self): +-- +2.9.4 + diff --git a/SOURCES/0210-delegate-the-indentation-handling-in-advises-to-dedi.patch b/SOURCES/0210-delegate-the-indentation-handling-in-advises-to-dedi.patch new file mode 100644 index 0000000..901dd54 --- /dev/null +++ b/SOURCES/0210-delegate-the-indentation-handling-in-advises-to-dedi.patch @@ -0,0 +1,267 @@ +From 243f7ebf6a07fa54cbd5db6bf7f67fee04e4f14c Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 13:20:05 +0200 +Subject: [PATCH] delegate the indentation handling in advises to dedicated + class + +Indentation levels are now handled transparently by a dedicated class +and should not pollute the statement printing logic. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/base.py | 106 +++++++++++++++++++--------- + ipaserver/advise/plugins/smart_card_auth.py | 45 ++++++------ + 2 files changed, 93 insertions(+), 58 deletions(-) + +diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py +index 639fd1807f72f11f46136999c4ce4c6eec6b3698..c320b002c83198cbb0fd73a5c158df07dd309242 100644 +--- a/ipaserver/advise/base.py ++++ b/ipaserver/advise/base.py +@@ -19,6 +19,7 @@ + + from __future__ import print_function + ++from contextlib import contextmanager + import os + from textwrap import wrap + +@@ -75,6 +76,8 @@ As a result, you can redirect the advice's output directly to a script file. + # ./script.sh + """ + ++DEFAULT_INDENTATION_INCREMENT = 2 ++ + + class _IndentationTracker(object): + """ +@@ -131,39 +134,77 @@ class _AdviceOutput(object): + self.content = [] + self.prefix = '# ' + self.options = None ++ self._indentation_tracker = _IndentationTracker( ++ spaces_per_indent=DEFAULT_INDENTATION_INCREMENT) ++ ++ def indent(self): ++ """ ++ Indent the statements by one level ++ """ ++ self._indentation_tracker.indent() ++ ++ def dedent(self): ++ """ ++ Dedent the statements by one level ++ """ ++ self._indentation_tracker.dedent() ++ ++ @contextmanager ++ def indented_block(self): ++ self.indent() ++ try: ++ yield ++ finally: ++ self.dedent() + + def comment(self, line, wrapped=True): + if wrapped: +- for wrapped_line in wrap(line, 70): +- self.content.append(self.prefix + wrapped_line) ++ self.append_wrapped_and_indented_comment(line) + else: +- self.content.append(self.prefix + line) ++ self.append_comment(line) ++ ++ def append_wrapped_and_indented_comment(self, line, character_limit=70): ++ """ ++ append wrapped and indented comment to the output ++ """ ++ for wrapped_indented_line in wrap( ++ self.indent_statement(line), character_limit): ++ self.append_comment(wrapped_indented_line) ++ ++ def append_comment(self, line): ++ self.append_statement(self.prefix + line) ++ ++ def append_statement(self, statement): ++ """ ++ Append a line to the generated content indenting it by tracked number ++ of spaces ++ """ ++ self.content.append(self.indent_statement(statement)) ++ ++ def indent_statement(self, statement): ++ return '{indent}{statement}'.format( ++ indent=self._indentation_tracker.indentation_string, ++ statement=statement) + + def debug(self, line): + if self.options.verbose: + self.comment('DEBUG: ' + line) + +- def command(self, line, indent_spaces=0): +- self.content.append( +- '{}{}'.format(self._format_indent(indent_spaces), line)) +- +- def _format_indent(self, num_spaces): +- return ' ' * num_spaces ++ def command(self, line): ++ self.append_statement(line) + +- def echo_error(self, error_message, indent_spaces=0): +- self.command( +- self._format_error(error_message), indent_spaces=indent_spaces) ++ def echo_error(self, error_message): ++ self.command(self._format_error(error_message)) + + def _format_error(self, error_message): + return 'echo "{}" >&2'.format(error_message) + + def exit_on_failed_command(self, command_to_run, +- error_message_lines, indent_spaces=0): +- self.command(command_to_run, indent_spaces=indent_spaces) ++ error_message_lines): ++ self.command(command_to_run) + self.exit_on_predicate( + '[ "$?" -ne "0" ]', +- error_message_lines, +- indent_spaces=indent_spaces) ++ error_message_lines) + + def exit_on_nonroot_euid(self): + self.exit_on_predicate( +@@ -171,8 +212,7 @@ class _AdviceOutput(object): + ["This script has to be run as root user"] + ) + +- def exit_on_predicate(self, predicate, error_message_lines, +- indent_spaces=0): ++ def exit_on_predicate(self, predicate, error_message_lines): + commands_to_run = [ + self._format_error(error_message_line) + for error_message_line in error_message_lines] +@@ -180,30 +220,26 @@ class _AdviceOutput(object): + commands_to_run.append('exit 1') + self.commands_on_predicate( + predicate, +- commands_to_run, +- indent_spaces=indent_spaces) ++ commands_to_run) + + def commands_on_predicate(self, predicate, commands_to_run_when_true, +- commands_to_run_when_false=None, +- indent_spaces=0): ++ commands_to_run_when_false=None): + if_command = 'if {}'.format(predicate) +- self.command(if_command, indent_spaces=indent_spaces) +- self.command('then', indent_spaces=indent_spaces) +- +- indented_block_spaces = indent_spaces + 2 ++ self.command(if_command) ++ self.command('then') + +- for command_to_run_when_true in commands_to_run_when_true: +- self.command( +- command_to_run_when_true, indent_spaces=indented_block_spaces) ++ with self.indented_block(): ++ for command_to_run_when_true in commands_to_run_when_true: ++ self.command( ++ command_to_run_when_true) + + if commands_to_run_when_false is not None: +- self.command("else", indent_spaces=indent_spaces) +- for command_to_run_when_false in commands_to_run_when_false: +- self.command( +- command_to_run_when_false, +- indent_spaces=indented_block_spaces) ++ self.command("else") ++ with self.indented_block(): ++ for command_to_run_when_false in commands_to_run_when_false: ++ self.command(command_to_run_when_false) + +- self.command('fi', indent_spaces=indent_spaces) ++ self.command('fi') + + + class Advice(Plugin): +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 16c01204444883ed949db73b2314ba5c404124df..75efa6f854acd5f746111ea44957a538117381ae 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -44,13 +44,13 @@ class common_smart_card_auth_config(Advice): + "for {} in ${}".format( + single_ca_path_variable, ca_paths_variable)) + self.log.command("do") +- self.log.exit_on_predicate( +- '[ ! -f "${}" ]'.format(single_ca_path_variable), +- ['Invalid CA certificate filename: ${}'.format( +- single_ca_path_variable), +- 'Please check that the path exists and is a valid file'], +- indent_spaces=2 +- ) ++ with self.log.indented_block(): ++ self.log.exit_on_predicate( ++ '[ ! -f "${}" ]'.format(single_ca_path_variable), ++ ['Invalid CA certificate filename: ${}'.format( ++ single_ca_path_variable), ++ 'Please check that the path exists and is a valid file'] ++ ) + self.log.command("done") + + def upload_smartcard_ca_certificates_to_systemwide_db(self): +@@ -59,13 +59,13 @@ class common_smart_card_auth_config(Advice): + self.single_ca_cert_variable_name, + self.smart_card_ca_certs_variable_name)) + self.log.command("do") +- self.log.command( +- 'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" ' +- '-t CT,C,C'.format( +- self.systemwide_nssdb, self.single_ca_cert_variable_name +- ), +- indent_spaces=2 +- ) ++ with self.log.indented_block(): ++ self.log.command( ++ 'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" ' ++ '-t CT,C,C'.format( ++ self.systemwide_nssdb, self.single_ca_cert_variable_name ++ ), ++ ) + self.log.command("done") + + def install_smart_card_signing_ca_certs(self): +@@ -74,13 +74,13 @@ class common_smart_card_auth_config(Advice): + self.single_ca_cert_variable_name, + self.smart_card_ca_certs_variable_name)) + self.log.command("do") +- self.log.exit_on_failed_command( +- 'ipa-cacert-manage install ${} -t CT,C,C'.format( +- self.single_ca_cert_variable_name +- ), +- ['Failed to install external CA certificate to IPA'], +- indent_spaces=2 +- ) ++ with self.log.indented_block(): ++ self.log.exit_on_failed_command( ++ 'ipa-cacert-manage install ${} -t CT,C,C'.format( ++ self.single_ca_cert_variable_name ++ ), ++ ['Failed to install external CA certificate to IPA'] ++ ) + self.log.command("done") + + def update_ipa_ca_certificate_store(self): +@@ -221,8 +221,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + self.log.command('else') + self.log.exit_on_failed_command( + 'ipa-pkinit-manage enable', +- ['Failed to issue PKINIT certificates to local KDC'], +- indent_spaces=2) ++ ['Failed to issue PKINIT certificates to local KDC']) + self.log.command('fi') + + def enable_ok_to_auth_as_delegate_on_http_principal(self): +-- +2.9.4 + diff --git a/SOURCES/0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch b/SOURCES/0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch new file mode 100644 index 0000000..297b114 --- /dev/null +++ b/SOURCES/0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch @@ -0,0 +1,104 @@ +From 7e2702164e28576dfa64c0c9bbc83dc7dcb30ba7 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 15:00:00 +0200 +Subject: [PATCH] advise: add an infrastructure for formatting Bash compound + statements + +A series of context managers simplify formatting of common compound +statements such as `if`, `else if`, `else` blocks. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/base.py | 73 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 73 insertions(+) + +diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py +index c320b002c83198cbb0fd73a5c158df07dd309242..940d87ed4c1804326a46e2866381364e6f4f3f3e 100644 +--- a/ipaserver/advise/base.py ++++ b/ipaserver/advise/base.py +@@ -128,6 +128,79 @@ class _IndentationTracker(object): + self._recompute_indentation_level() + + ++class CompoundStatement(object): ++ """ ++ Wrapper around indented blocks of Bash statements. ++ ++ Override `begin_statement` and `end_statement` methods to issue ++ opening/closing commands using the passed in _AdviceOutput instance ++ """ ++ ++ def __init__(self, advice_output): ++ self.advice_output = advice_output ++ ++ def __enter__(self): ++ self.begin_statement() ++ self.advice_output.indent() ++ ++ def begin_statement(self): ++ pass ++ ++ def __exit__(self, exc_type, exc_value, traceback): ++ self.advice_output.dedent() ++ self.end_statement() ++ ++ def end_statement(self): ++ pass ++ ++ ++class IfBranch(CompoundStatement): ++ """ ++ Base wrapper around `if` branch. The closing statement is empty so it ++ leaves trailing block that can be closed off or continued by else branches ++ """ ++ def __init__(self, advice_output, conditional): ++ super(IfBranch, self).__init__(advice_output) ++ self.conditional = conditional ++ ++ def begin_statement(self): ++ self.advice_output.command('if {}'.format(self.conditional)) ++ self.advice_output.command('then') ++ ++ ++class ElseIfBranch(CompoundStatement): ++ """ ++ Wrapper for `else if ` ++ """ ++ def __init__(self, advice_output, alternative_conditional): ++ super(ElseIfBranch, self).__init__(advice_output) ++ self.alternative_conditional = alternative_conditional ++ ++ def begin_statement(self): ++ command = 'else if {}'.format(self.alternative_conditional) ++ ++ self.advice_output.command(command) ++ ++ ++class ElseBranch(CompoundStatement): ++ """ ++ Wrapper for final `else` block ++ """ ++ def begin_statement(self): ++ self.advice_output.command('else') ++ ++ def end_statement(self): ++ self.advice_output.command('fi') ++ ++ ++class UnbranchedIfStatement(IfBranch): ++ """ ++ Plain `if` without branches ++ """ ++ def end_statement(self): ++ self.advice_output.command('fi') ++ ++ + class _AdviceOutput(object): + + def __init__(self): +-- +2.9.4 + diff --git a/SOURCES/0212-delegate-formatting-of-compound-Bash-statements-to-d.patch b/SOURCES/0212-delegate-formatting-of-compound-Bash-statements-to-d.patch new file mode 100644 index 0000000..59b6b5b --- /dev/null +++ b/SOURCES/0212-delegate-formatting-of-compound-Bash-statements-to-d.patch @@ -0,0 +1,93 @@ +From d22e7953295f878950ca5be976d89bf9af8d36b1 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 15:02:25 +0200 +Subject: [PATCH] delegate formatting of compound Bash statements to dedicated + classes + +this simplifies handling compound statements using _AdviceOutput class. +The necessary statements are exposed as context managers and API for +most common constructs is provided. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/base.py | 48 ++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 34 insertions(+), 14 deletions(-) + +diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py +index 940d87ed4c1804326a46e2866381364e6f4f3f3e..581478fb75bc4f50b6bffe2e4cf9b51de46fa095 100644 +--- a/ipaserver/advise/base.py ++++ b/ipaserver/advise/base.py +@@ -286,33 +286,53 @@ class _AdviceOutput(object): + ) + + def exit_on_predicate(self, predicate, error_message_lines): +- commands_to_run = [ +- self._format_error(error_message_line) +- for error_message_line in error_message_lines] ++ with self.unbranched_if(predicate): ++ for error_message_line in error_message_lines: ++ self.command(self._format_error(error_message_line)) + +- commands_to_run.append('exit 1') +- self.commands_on_predicate( +- predicate, +- commands_to_run) ++ self.command('exit 1') ++ ++ @contextmanager ++ def unbranched_if(self, predicate): ++ with self._compound_statement(UnbranchedIfStatement, predicate): ++ yield ++ ++ @contextmanager ++ def _compound_statement(self, statement_cls, *args): ++ with statement_cls(self, *args): ++ yield + + def commands_on_predicate(self, predicate, commands_to_run_when_true, + commands_to_run_when_false=None): +- if_command = 'if {}'.format(predicate) +- self.command(if_command) +- self.command('then') ++ if commands_to_run_when_false is not None: ++ if_statement = self.if_branch ++ else: ++ if_statement = self.unbranched_if + +- with self.indented_block(): ++ with if_statement(predicate): + for command_to_run_when_true in commands_to_run_when_true: + self.command( + command_to_run_when_true) + + if commands_to_run_when_false is not None: +- self.command("else") +- with self.indented_block(): ++ with self.else_branch(): + for command_to_run_when_false in commands_to_run_when_false: + self.command(command_to_run_when_false) + +- self.command('fi') ++ @contextmanager ++ def if_branch(self, predicate): ++ with self._compound_statement(IfBranch, predicate): ++ yield ++ ++ @contextmanager ++ def else_branch(self): ++ with self._compound_statement(ElseBranch): ++ yield ++ ++ @contextmanager ++ def else_if_branch(self, predicate): ++ with self._compound_statement(ElseIfBranch, predicate): ++ yield + + + class Advice(Plugin): +-- +2.9.4 + diff --git a/SOURCES/0213-Fix-indentation-of-statements-in-Smart-card-advises.patch b/SOURCES/0213-Fix-indentation-of-statements-in-Smart-card-advises.patch new file mode 100644 index 0000000..452b7df --- /dev/null +++ b/SOURCES/0213-Fix-indentation-of-statements-in-Smart-card-advises.patch @@ -0,0 +1,36 @@ +From 5bf0faed2a4692d5ce2747c5036d3fca8b0f7b04 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 15:03:45 +0200 +Subject: [PATCH] Fix indentation of statements in Smart card advises + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 75efa6f854acd5f746111ea44957a538117381ae..138a44316473f6b504a44a1b68d01fa4d5a58308 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -165,13 +165,13 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + predicate, + [ + self._interpolate_ocsp_directive_file_into_command( +- " sed -i.ipabkp -r " ++ "sed -i.ipabkp -r " + "'s/^#*[[:space:]]*{directive}[[:space:]]+(on|off)$" + "/{directive} on/' {filename}") + ], + commands_to_run_when_false=[ + self._interpolate_ocsp_directive_file_into_command( +- " sed -i.ipabkp '/<\/VirtualHost>/i {directive} on' " ++ "sed -i.ipabkp '/<\/VirtualHost>/i {directive} on' " + "{filename}") + ] + ) +-- +2.9.4 + diff --git a/SOURCES/0214-Use-the-compound-statement-formatting-API-for-config.patch b/SOURCES/0214-Use-the-compound-statement-formatting-API-for-config.patch new file mode 100644 index 0000000..6c24663 --- /dev/null +++ b/SOURCES/0214-Use-the-compound-statement-formatting-API-for-config.patch @@ -0,0 +1,48 @@ +From c702bb6ca3742cf7ea156e062840623f95a001b7 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 15:08:08 +0200 +Subject: [PATCH] Use the compound statement formatting API for configuring + PKINIT + +Use `if_branch` and `else_branch` context managers instead of raw +`command` calls in the method that generates Bash snippet that +configures PKINIT on the master. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 138a44316473f6b504a44a1b68d01fa4d5a58308..2dc9ddb25ce41a8c85aab827a92a1143784d9457 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -214,15 +214,13 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + + def check_and_enable_pkinit(self): + self.log.comment('check whether PKINIT is configured on the master') +- self.log.command( +- "if ipa-pkinit-manage status | grep -q 'enabled'") +- self.log.command('then') +- self.log.command(' echo "PKINIT already enabled"') +- self.log.command('else') +- self.log.exit_on_failed_command( +- 'ipa-pkinit-manage enable', +- ['Failed to issue PKINIT certificates to local KDC']) +- self.log.command('fi') ++ with self.log.if_branch( ++ "ipa-pkinit-manage status | grep -q 'enabled'"): ++ self.log.command('echo "PKINIT already enabled"') ++ with self.log.else_branch(): ++ self.log.exit_on_failed_command( ++ 'ipa-pkinit-manage enable', ++ ['Failed to issue PKINIT certificates to local KDC']) + + def enable_ok_to_auth_as_delegate_on_http_principal(self): + self.log.comment('Enable OK-AS-DELEGATE flag on the HTTP principal') +-- +2.9.4 + diff --git a/SOURCES/0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch b/SOURCES/0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch new file mode 100644 index 0000000..7102db1 --- /dev/null +++ b/SOURCES/0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch @@ -0,0 +1,121 @@ +From 4e6992f985ebfb6e6c3fb4a6fa7a2959d84ca243 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Thu, 22 Jun 2017 15:30:41 +0200 +Subject: [PATCH] smart card advises: use a wrapper around Bash `for` loops + +Replace the raw `command` calls constructing the for loops in some +methods by a wrapper hiding this detail. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/base.py | 23 +++++++++++++++++++++++ + ipaserver/advise/plugins/smart_card_auth.py | 26 +++++++------------------- + 2 files changed, 30 insertions(+), 19 deletions(-) + +diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py +index 581478fb75bc4f50b6bffe2e4cf9b51de46fa095..be7274417042fca521039b56af60831563f6952b 100644 +--- a/ipaserver/advise/base.py ++++ b/ipaserver/advise/base.py +@@ -201,6 +201,24 @@ class UnbranchedIfStatement(IfBranch): + self.advice_output.command('fi') + + ++class ForLoop(CompoundStatement): ++ """ ++ Wrapper around the for loop ++ """ ++ def __init__(self, advice_output, loop_variable, iterable): ++ super(ForLoop, self).__init__(advice_output) ++ self.loop_variable = loop_variable ++ self.iterable = iterable ++ ++ def begin_statement(self): ++ self.advice_output.command( ++ 'for {} in {}'.format(self.loop_variable, self.iterable)) ++ self.advice_output.command('do') ++ ++ def end_statement(self): ++ self.advice_output.command('done') ++ ++ + class _AdviceOutput(object): + + def __init__(self): +@@ -334,6 +352,11 @@ class _AdviceOutput(object): + with self._compound_statement(ElseIfBranch, predicate): + yield + ++ @contextmanager ++ def for_loop(self, loop_variable, iterable): ++ with self._compound_statement(ForLoop, loop_variable, iterable): ++ yield ++ + + class Advice(Plugin): + """ +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 2dc9ddb25ce41a8c85aab827a92a1143784d9457..3ff94be1e8b108668989602b1b406a39d23ff501 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -40,48 +40,36 @@ class common_smart_card_auth_config(Advice): + ['You need to provide one or more paths to the PEM files ' + 'containing CAs signing the Smart Cards'] + ) +- self.log.command( +- "for {} in ${}".format( +- single_ca_path_variable, ca_paths_variable)) +- self.log.command("do") +- with self.log.indented_block(): ++ with self.log.for_loop(single_ca_path_variable, ++ '${}'.format(ca_paths_variable)): + self.log.exit_on_predicate( + '[ ! -f "${}" ]'.format(single_ca_path_variable), + ['Invalid CA certificate filename: ${}'.format( + single_ca_path_variable), + 'Please check that the path exists and is a valid file'] + ) +- self.log.command("done") + + def upload_smartcard_ca_certificates_to_systemwide_db(self): +- self.log.command( +- "for {} in ${}".format( ++ with self.log.for_loop( + self.single_ca_cert_variable_name, +- self.smart_card_ca_certs_variable_name)) +- self.log.command("do") +- with self.log.indented_block(): ++ '${}'.format(self.smart_card_ca_certs_variable_name)): + self.log.command( + 'certutil -d {} -A -i ${} -n "Smart Card CA $(uuidgen)" ' + '-t CT,C,C'.format( + self.systemwide_nssdb, self.single_ca_cert_variable_name +- ), ++ ) + ) +- self.log.command("done") + + def install_smart_card_signing_ca_certs(self): +- self.log.command( +- "for {} in ${}".format( ++ with self.log.for_loop( + self.single_ca_cert_variable_name, +- self.smart_card_ca_certs_variable_name)) +- self.log.command("do") +- with self.log.indented_block(): ++ '${}'.format(self.smart_card_ca_certs_variable_name)): + self.log.exit_on_failed_command( + 'ipa-cacert-manage install ${} -t CT,C,C'.format( + self.single_ca_cert_variable_name + ), + ['Failed to install external CA certificate to IPA'] + ) +- self.log.command("done") + + def update_ipa_ca_certificate_store(self): + self.log.exit_on_failed_command( +-- +2.9.4 + diff --git a/SOURCES/0216-smart-card-advise-use-password-when-changing-trust-f.patch b/SOURCES/0216-smart-card-advise-use-password-when-changing-trust-f.patch new file mode 100644 index 0000000..c49524c --- /dev/null +++ b/SOURCES/0216-smart-card-advise-use-password-when-changing-trust-f.patch @@ -0,0 +1,54 @@ +From 4a9ff573f1c9c91e1e2e1e2d7de70951b7333fb4 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Fri, 23 Jun 2017 15:47:48 +0200 +Subject: [PATCH] smart card advise: use password when changing trust flags on + HTTP cert + +This is to prevent NSS asking for database password when operating in +FIPS 140 mode. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 3ff94be1e8b108668989602b1b406a39d23ff501..5134db535e8f10e8cf850dbf0696b679aacec4f5 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -2,6 +2,8 @@ + # Copyright (C) 2017 FreeIPA Contributors see COPYING for license + # + ++import os ++ + from ipalib.plugable import Registry + from ipaplatform import services + from ipaplatform.paths import paths +@@ -172,6 +174,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + return fmt_line.format(directive=directive, filename=filename) + + def mark_httpd_cert_as_trusted(self): ++ httpd_nss_database_pwd_file = os.path.join( ++ paths.HTTPD_ALIAS_DIR, 'pwdfile.txt') + self.log.comment( + 'mark the HTTP certificate as trusted peer to avoid ' + 'chicken-egg startup issue') +@@ -181,8 +185,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): + " cut -f 2 -d ' ')")) + + self.log.exit_on_failed_command( +- 'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format( +- paths.HTTPD_ALIAS_DIR), ++ 'certutil -M -n $http_cert_nick -d "{}" -f {} -t "Pu,u,u"'.format( ++ paths.HTTPD_ALIAS_DIR, ++ httpd_nss_database_pwd_file), + ['Can not set trust flags on HTTP certificate']) + + def _interpolate_nssnickname_directive_file_into_command(self, fmt_line): +-- +2.9.4 + diff --git a/SOURCES/0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch b/SOURCES/0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch new file mode 100644 index 0000000..66e090e --- /dev/null +++ b/SOURCES/0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch @@ -0,0 +1,46 @@ +From aa123edfdab1836c0915bb75f3bf82e46083b17f Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 28 Jun 2017 09:49:18 +0200 +Subject: [PATCH] smart-card-advises: ensure that krb5-pkinit is installed on + client + +This library is a prerequisite for successful Smart Card authentication +on the client. The client-side advise should make sure this dependency +is present. + +https://pagure.io/freeipa/issue/7036 + +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +--- + ipaserver/advise/plugins/smart_card_auth.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py +index 5134db535e8f10e8cf850dbf0696b679aacec4f5..fb328f29ca5051ad52c9c5e0000021ad5e8b94e8 100644 +--- a/ipaserver/advise/plugins/smart_card_auth.py ++++ b/ipaserver/advise/plugins/smart_card_auth.py +@@ -256,6 +256,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): + self.check_ccache_not_empty() + self.check_and_remove_pam_pkcs11() + self.install_opensc_and_dconf_packages() ++ self.install_krb5_client_dependencies() + self.start_enable_smartcard_daemon() + self.add_pkcs11_module_to_systemwide_db() + self.upload_smartcard_ca_certificates_to_systemwide_db() +@@ -281,6 +282,12 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): + ['Could not install OpenSC package'] + ) + ++ def install_krb5_client_dependencies(self): ++ self.log.exit_on_failed_command( ++ 'yum install -y krb5-pkinit-openssl', ++ ['Failed to install Kerberos client PKINIT extensions.'] ++ ) ++ + def start_enable_smartcard_daemon(self): + self.log.command( + 'systemctl start {service} {socket} ' +-- +2.9.4 + diff --git a/SOURCES/0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch b/SOURCES/0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch new file mode 100644 index 0000000..d4ac0c7 --- /dev/null +++ b/SOURCES/0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch @@ -0,0 +1,33 @@ +From 0703a575b4e337e7ce41860956bd339c12cd44ea Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Tue, 20 Jun 2017 18:22:33 +0200 +Subject: [PATCH] NULL LDAP context in call to ldap_search_ext_s during search + + KDC crashes on quite random interval while trying to reach LDAP + https://pagure.io/freeipa/issue/7017 + +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-kdb/ipa_kdb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index 050bfc90cef1bce4c932f54bb6050438c60ca79f..c0f1e276ca32ecb318add3a0d36f57acc3d17d51 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -465,6 +465,12 @@ int ipadb_get_connection(struct ipadb_context *ipactx) + ret = ipadb_reinit_mspac(ipactx, false); + if (ret && ret != ENOENT) { + /* TODO: log that there is an issue with adtrust settings */ ++ if (ipactx->lcontext == NULL) { ++ /* for some reason ldap connection was reset in ipadb_reinit_mspac ++ * and is no longer established => failure of ipadb_get_connection ++ */ ++ goto done; ++ } + } + + ret = 0; +-- +2.9.4 + diff --git a/SOURCES/0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch b/SOURCES/0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch new file mode 100644 index 0000000..0c35b69 --- /dev/null +++ b/SOURCES/0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch @@ -0,0 +1,187 @@ +From 533f2539cbc8fe5b4bb748982a6cfee7d73416e6 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 9 Aug 2017 12:55:57 +1000 +Subject: [PATCH] Restore old version of caIPAserviceCert for upgrade only + +The latest version of caIPAserviceCert profile includes a feature +that is not available before Dogtag 10.4, and this version of the +profile is intended for new installs only (otherwise, problems will +arise in topologies containing CA replicas at an earlier version). +But IPA versions before v4.2 did not use LDAP-based profiles, so the +new version of the profile gets imported when upgrading from +pre-v4.2 to v4.5 or later. + +We do not yet have a proper version- and topology-aware profile +update mechanism, so to resolve this issue, ship the older version +of the profile alongside the newer version, and make sure we use the +older version when importing the profile in an upgrade context. + +https://pagure.io/freeipa/issue/7097 + +Reviewed-By: Florence Blanc-Renaud +--- + install/share/profiles/Makefile.am | 1 + + .../share/profiles/caIPAserviceCert.UPGRADE.cfg | 109 +++++++++++++++++++++ + ipaserver/install/cainstance.py | 18 +++- + 3 files changed, 126 insertions(+), 2 deletions(-) + create mode 100644 install/share/profiles/caIPAserviceCert.UPGRADE.cfg + +diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am +index 640ca0a4a54c574da57b62b2b3c23f6db78df2fb..7f188e3fcac2ad80558399015d49216caa32c14b 100644 +--- a/install/share/profiles/Makefile.am ++++ b/install/share/profiles/Makefile.am +@@ -3,6 +3,7 @@ NULL = + appdir = $(IPA_DATA_DIR)/profiles + app_DATA = \ + caIPAserviceCert.cfg \ ++ caIPAserviceCert.UPGRADE.cfg \ + IECUserRoles.cfg \ + KDCs_PKINIT_Certs.cfg \ + $(NULL) +diff --git a/install/share/profiles/caIPAserviceCert.UPGRADE.cfg b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg +new file mode 100644 +index 0000000000000000000000000000000000000000..1efd2066b9f75b4e26c390932353f20141d800b9 +--- /dev/null ++++ b/install/share/profiles/caIPAserviceCert.UPGRADE.cfg +@@ -0,0 +1,109 @@ ++profileId=caIPAserviceCert ++classId=caEnrollImpl ++desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. ++visible=false ++enable=true ++enableBy=admin ++auth.instance_id=raCertAuth ++name=IPA-RA Agent-Authenticated Server Certificate Enrollment ++input.list=i1,i2 ++input.i1.class_id=certReqInputImpl ++input.i2.class_id=submitterInfoInputImpl ++output.list=o1 ++output.o1.class_id=certOutputImpl ++policyset.list=serverCertSet ++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 ++policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl ++policyset.serverCertSet.1.constraint.name=Subject Name Constraint ++policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ ++policyset.serverCertSet.1.constraint.params.accept=true ++policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl ++policyset.serverCertSet.1.default.name=Subject Name Default ++policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O ++policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl ++policyset.serverCertSet.2.constraint.name=Validity Constraint ++policyset.serverCertSet.2.constraint.params.range=740 ++policyset.serverCertSet.2.constraint.params.notBeforeCheck=false ++policyset.serverCertSet.2.constraint.params.notAfterCheck=false ++policyset.serverCertSet.2.default.class_id=validityDefaultImpl ++policyset.serverCertSet.2.default.name=Validity Default ++policyset.serverCertSet.2.default.params.range=731 ++policyset.serverCertSet.2.default.params.startTime=0 ++policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl ++policyset.serverCertSet.3.constraint.name=Key Constraint ++policyset.serverCertSet.3.constraint.params.keyType=RSA ++policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192 ++policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl ++policyset.serverCertSet.3.default.name=Key Default ++policyset.serverCertSet.4.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.4.constraint.name=No Constraint ++policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl ++policyset.serverCertSet.4.default.name=Authority Key Identifier Default ++policyset.serverCertSet.5.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.5.constraint.name=No Constraint ++policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl ++policyset.serverCertSet.5.default.name=AIA Extension Default ++policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true ++policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName ++policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp ++policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 ++policyset.serverCertSet.5.default.params.authInfoAccessCritical=false ++policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 ++policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl ++policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint ++policyset.serverCertSet.6.constraint.params.keyUsageCritical=true ++policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true ++policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false ++policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl ++policyset.serverCertSet.6.default.name=Key Usage Default ++policyset.serverCertSet.6.default.params.keyUsageCritical=true ++policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true ++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true ++policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true ++policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false ++policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false ++policyset.serverCertSet.6.default.params.keyUsageCrlSign=false ++policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false ++policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false ++policyset.serverCertSet.7.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.7.constraint.name=No Constraint ++policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl ++policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default ++policyset.serverCertSet.7.default.params.exKeyUsageCritical=false ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 ++policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl ++policyset.serverCertSet.8.constraint.name=No Constraint ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl ++policyset.serverCertSet.8.default.name=Signing Alg ++policyset.serverCertSet.8.default.params.signingAlg=- ++policyset.serverCertSet.9.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.9.constraint.name=No Constraint ++policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl ++policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default ++policyset.serverCertSet.9.default.params.crlDistPointsCritical=false ++policyset.serverCertSet.9.default.params.crlDistPointsNum=1 ++policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true ++policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER ++policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName ++policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin ++policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName ++policyset.serverCertSet.9.default.params.crlDistPointsReasons_0= ++policyset.serverCertSet.10.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.10.constraint.name=No Constraint ++policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl ++policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default ++policyset.serverCertSet.10.default.params.critical=false ++policyset.serverCertSet.11.constraint.class_id=noConstraintImpl ++policyset.serverCertSet.11.constraint.name=No Constraint ++policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl ++policyset.serverCertSet.11.default.name=User Supplied Extension Default ++policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index b0e9e8757ec3e3c0d03ed930743ef5a1253b864a..62f79b28000b015edb66f4c39a270097ab3ed666 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1568,8 +1568,22 @@ def __get_profile_config(profile_id): + CRL_ISSUER='CN=Certificate Authority,o=ipaca', + SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(), + ) +- return ipautil.template_file( +- '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict) ++ ++ # To work around lack of proper profile upgrade system, we ship ++ # two versions of some profiles - one for new installs only, and ++ # the other for upgrading to LDAP-based profiles in an existing ++ # deployment. ++ # ++ # Select UPGRADE version if we are in the 'updates' API context ++ # and an upgrade-specific version of the profile exists. ++ # ++ profile_filename = '/usr/share/ipa/profiles/{}.cfg'.format(profile_id) ++ profile_upg_filename = \ ++ '/usr/share/ipa/profiles/{}.UPGRADE.cfg'.format(profile_id) ++ if api.env.context == 'updates' and os.path.isfile(profile_upg_filename): ++ profile_filename = profile_upg_filename ++ ++ return ipautil.template_file(profile_filename, sub_dict) + + def import_included_profiles(): + server_id = installutils.realm_to_serverid(api.env.realm) +-- +2.9.4 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index f44dd1f..3eb1df2 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From f7b0cbd43590be6255d61b55cf6b06ffa3904e79 Mon Sep 17 00:00:00 2001 +From 27b4f549af4f55b95ff44b9c5a59b9174ab7ad2e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index b6534aa..3972454 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 9800e6fcc16455635e2d774a33009d6fb02646db Mon Sep 17 00:00:00 2001 +From 85ac8d7f55b26f7d783844acbf942f5db99d0a37 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -10,7 +10,7 @@ This reverts commit f4c7f1dd8a9ce530a8291219a904686ee47e59c7. 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in -index d7f8d11ec553cfe299937e1e5f8cc27caed32b08..a075cbb4e2bd6fb0fecfca96a1568c07a27080af 100644 +index 721e512039a4d7f9d2ed94d7620b083732c56304..99e69d81dd4104063ac68a9429eeb53ee1d36245 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1285,6 +1285,7 @@ fi @@ -22,7 +22,7 @@ index d7f8d11ec553cfe299937e1e5f8cc27caed32b08..a075cbb4e2bd6fb0fecfca96a1568c07 %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index b0e9e8757ec3e3c0d03ed930743ef5a1253b864a..b0d8208cc05b94f697b7b8c81caee9d311e2d0f0 100644 +index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7f89720a6 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1311,9 +1311,11 @@ def replica_ca_install_check(config, promote): diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 2ec7313..8f4863a 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From 1c88c60dd72621e77fc2605e6bd4d670a3d65b1d Mon Sep 17 00:00:00 2001 +From e419842024b0fc9a774988972fadcbaf4650c395 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index b917a5a..a532876 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From c211f36d3cc765379ff0ae324dfb052d7ce13b99 Mon Sep 17 00:00:00 2001 +From 12d2356795d64089ce2578031a1297d56c8048ce Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -75,7 +75,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630 delete mode 100644 ipatests/test_ipaclient/test_csrgen.py diff --git a/freeipa.spec.in b/freeipa.spec.in -index a075cbb4e2bd6fb0fecfca96a1568c07a27080af..f4576927c9be3d7c7b7f971f0184cad3166083b7 100644 +index 99e69d81dd4104063ac68a9429eeb53ee1d36245..3892e502c0c64cca25e2e50a0ff53a15a556d2f3 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -194,7 +194,6 @@ BuildRequires: python-sssdconfig diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 5c7b789..183b97d 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -68,7 +68,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 21%{?dist} +Release: 21%{?dist}.1.2 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -76,10 +76,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -288,6 +288,21 @@ Patch0201: 0201-ipa-sam-replace-encode_nt_key-with-E_md4hash.patch Patch0202: 0202-ipa_pwd_extop-do-not-generate-NT-hashes-in-FIPS-mode.patch Patch0203: 0203-Make-sure-we-check-ccaches-in-all-rpcserver-paths.patch Patch0204: 0204-replica-install-drop-in-IPA-specific-config-to-tmpfi.patch +Patch0205: 0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch +Patch0206: 0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch +Patch0207: 0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch +Patch0208: 0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch +Patch0209: 0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch +Patch0210: 0210-delegate-the-indentation-handling-in-advises-to-dedi.patch +Patch0211: 0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch +Patch0212: 0212-delegate-formatting-of-compound-Bash-statements-to-d.patch +Patch0213: 0213-Fix-indentation-of-statements-in-Smart-card-advises.patch +Patch0214: 0214-Use-the-compound-statement-formatting-API-for-config.patch +Patch0215: 0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch +Patch0216: 0216-smart-card-advise-use-password-when-changing-trust-f.patch +Patch0217: 0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch +Patch0218: 0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch +Patch0219: 0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch @@ -514,8 +529,10 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.5-11 -Requires: pki-kra >= 10.3.5-11 +# Required because of: https://bugzilla.redhat.com/show_bug.cgi?id=1475238 +# related pki-core update: https://bugzilla.redhat.com/show_bug.cgi?id=1305993 +Requires: pki-ca >= 10.4.0-1 +Requires: pki-kra >= 10.4.0-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: policycoreutils >= 2.1.14-37 @@ -1087,10 +1104,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1114,8 +1131,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} %make_build @@ -1839,9 +1855,35 @@ fi %changelog -* Mon Jul 31 2017 CentOS Sources - 4.5.0-21.el7.centos -- Roll in CentOS Branding -- set ipaplatform to rhel for compatibilty for updates +* Wed Aug 16 2017 Pavel Vomacka - 4.5.0-21.el7.1.2 +- Fixing issues reported by Errata tool + +* Tue Aug 15 2017 Pavel Vomacka - 4.5.0-21.el7.1.1 +- Resolves: #1477046 Use CommonNameToSANDefault in default profile + (new installs only) + - Restore old version of caIPAserviceCert for upgrade only + +* Tue Aug 1 2017 Pavel Vomacka - 4.5.0-21.el7.1 +- Resolves: #1473272 Provide a tooling automating the configuration + of Smart Card authentication on a FreeIPA master + - smart-card advises: configure systemwide NSS DB also on master + - smart-card advises: add steps to store smart card signing CA cert + - Allow to pass in multiple CA cert paths to the smart card advises + - add a class that tracks the indentation in the generated advises + - delegate the indentation handling in advises to dedicated class + - advise: add an infrastructure for formatting Bash compound statements + - delegate formatting of compound Bash statements to dedicated classes + - Fix indentation of statements in Smart card advises + - Use the compound statement formatting API for configuring PKINIT + - smart card advises: use a wrapper around Bash `for` loops + - smart card advise: use password when changing trust flags on HTTP cert + - smart-card-advises: ensure that krb5-pkinit is installed on client +- Resolves: #1477046 Use CommonNameToSANDefault in default profile + (new installs only) + - Add CommonNameToSANDefault to default cert profile +- Resolves: #1475664 NULL LDAP context in call to ldap_search_ext_s + during search in cn=ad,cn=trusts,dc=example,dc=com + - NULL LDAP context in call to ldap_search_ext_s during search * Wed Jul 12 2017 Pavel Vomacka - 4.5.0-21.el7 - Resolves: #1470125 Replica install fails to configure IPA-specific