There is 1 open security issue in trixie.
There is 1 open security issue in sid.
There are 4 open security issues in buster.
There is 1 open security issue in bookworm.
commit 0dd17533353470f1d582732e3e8ee3dcab85aceb
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Wed Oct 18 15:09:24 2023 +0300

control: Add sssd-passkey to freeipa-client Recommends.

commit 64a84900ae276328d7d14e772f5dcb0d1483108b
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Wed Oct 18 14:34:23 2023 +0300

version bump

commit a2a2e561ce8a7821b65f4ff9c877a6bf6723af50
Merge: f4a4785 032d79d
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Wed Oct 18 14:32:44 2023 +0300

Merge branch 'master' into m

commit f4a4785138bce7ba066886a2173bd32cf09ecbea
Merge: 63f5e57 2fd9cbb
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Tue Oct 17 14:20:44 2023 +0300

Merge tag 'release-4-10-2' into m

tagging IPA 4.10.2

commit 63f5e576856d339a408c170461604f271cd03a5d
Author: Antonio Torres <antorres@redhat.com>
Date: Tue Oct 3 14:45:56 2023 +0200

Become IPA 4.11.0

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit 50c555c5ea721360bb614f9b33bfd8a3a71e47c4
Author: Antonio Torres <antorres@redhat.com>
Date: Tue Oct 3 14:43:19 2023 +0200

Update contributors list

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit f35d168ff3e165f7dbf2bdd6846231e29e4d2168
Author: Antonio Torres <antorres@redhat.com>
Date: Tue Oct 3 14:40:40 2023 +0200

Update translations to FreeIPA ipa-4-11 state

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit cb14a30a1523305606d3bfbf7211cda1e197c9e9
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue Sep 26 10:21:29 2023 +0200

Covscan issues: deadcode and Use after free

Covscan detected an unused value in ipa_kdb_principals.c and a use-after-free in ipa-print-pac.c.

Fixes: https://pagure.io/freeipa/issue/9431
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit ed094e11ec59409c6cb361fa871e9b5e3da02172
Author: Christian Heimes <cheimes@redhat.com>
Date: Wed Sep 13 11:40:11 2023 +0200

Add context manager to ipalib.API

`ipalib.API` instances like `ipalib.api` now provide a context manager that connects and disconnects the API object. Users no longer have to deal with different types of backends or finalize the API correctly.

```python
import ipalib

with ipalib.api as api:
    api.Commands.ping()
```

See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 305912e46703dc1441a018f74caa8bcc9b2a296a
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu Sep 28 10:34:58 2023 +0300

Use datetime.timezone.utc instead of newer datetime.UTC alias

datetime.UTC alias was added in Python 3.11: https://docs.python.org/3/library/datetime.html#datetime.UTC

datetime.timezone.utc was present since Python 3.2. Since RHEL 9 is using Python 3.9, use the more compatible variant.

Fixes: https://pagure.io/freeipa/issue/9454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit fd01b234e3c2e011a441750e8a44c9b293f8086a
Author: Francisco Trivino <ftrivino@redhat.com>
Date: Tue Aug 22 21:24:12 2023 +0200

Workshop: fix broken Sphinx cross-references.

Many of the workshop pages' links are directing to URLs that end with ".rst" instead of ".html"; as a result, these links are broken. This commit introduces explicit targets and references to ensure that the pages are correctly linked.

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 9c10d7ee2c7a7f1f2c2643e19e3a3b8cf8a211be
Author: Mohammad Rizwan <myusuf@redhat.com>
Date: Fri Sep 15 12:16:06 2023 +0530

ipatests: restart ipa services after moving date

When the system date is moved into the future, it has unprecedented behavior, i.e. CA becomes irresponsive or unexpected certificate state. Hence restart the ipa service after moving the date to gracefully serve the request.

Fixes: https://pagure.io/freeipa/issue/9379
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit bc9385d15cf7a975063754572eb65556a1df9c8a
Author: Christian Heimes <cheimes@redhat.com>
Date: Fri Sep 1 12:11:35 2023 +0200

Use find_spec() in meta importer

The `find_module()` method of meta importers has been deprecated for a long time. Python 3.12 no longer falls back to `find_module()`.

See: https://docs.python.org/3.12/whatsnew/3.12.html#removed
Related: https://pagure.io/freeipa/issue/9437
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

commit 637ccae0b4b0ecd36756b4540c666724a73f4633
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri Sep 15 10:12:16 2023 +0300

Allow ipa-otpd to access USB devices for passkeys

Main SELinux policy will allow transition of passkey_child (SSSD) to ipa_otpd_t context to perform FIDO2 operations with USB devices. This means ipa-otpd will need to be able to read data from sysfs and connect to USB devices. Add required permissions to IPA subpolicy as well.

See rhbz#2238224 for discussion.

Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 169f9abb6b9fdc11dc5d3e4ec8e6e9c3ef4dfd4f
Author: Rob Crittenden <rcritten@redhat.com>
Date: Tue Sep 12 18:30:05 2023 +0000

Don't assume KRB5CCNAME is in the environment in replica install

The replica install was unilaterally removing KRB5CCNAME from os.environ in some cases. Instead check first to see if it is present and only remove in that case.

Fixes: https://pagure.io/freeipa/issue/9446
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 54a251bceaabfaf82d0a18b2614c261e2bded0c0
Author: Rob Crittenden <rcritten@redhat.com>
Date: Thu Apr 20 13:51:41 2023 -0400

Configure affinity during server installation

Write a new krb5.conf in case any values changed finding the right server to configure against (e.g. for CA, KRA) and ensure the API connection is to the remote server that will be installed against.

When finding a CA or KRA during initial replica installation set the remote master as well. The order is:

- existing server value in /etc/ipa/default.conf
- the chosen CA host if the server doesn't provide one
- the chosen KRA host if the server doesn't provide one

This is more or less hierarchical. If a server is provided then that is considered first. If it provides all the optional services needed (CA and/or KRA) then it will be used. Otherwise it will fall back to a server that provides all the required services.

In short, providing --server either at client install or with ipa-replica-install is no guarantee that it will define all topology. This may be unexpected behavior.

For the case of adding a CA or KRA things are effectively unchanged. This type of install does not appear to be impacted by affinity issues.

Fixes: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 2220f72321dc6af8a7a94e1fad1c6980ee4cf522
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue Sep 12 17:07:52 2023 +0300

Restore selinux states if they exist at uninstall time

Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

commit d62be1da4542e91521b44595f2d41b557ba7a49e
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue Aug 29 12:37:57 2023 +0300

ipa-client-install: enable SELinux for SSSD

For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall.

Ignore and record a warning when SELinux policy does not support the boolean.

Fixes: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

commit f7422b7812e6c2bed0a7ff7c4d93f64cd863810f
Author: Alexandra Nikandrova <alexnik@redhat.com>
Date: Tue Sep 5 13:43:33 2023 +0200

doc: typo in basic_usage.md

Reviewed-By: Antonio Torres <antorres@redhat.com>

commit fc9b527dee2652c8056eb99080d9a050a7e648ff
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed May 3 10:47:19 2023 +0300

updates: add ACIs for RBCD self-management

Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>

commit 47463294097e01e08b0df3a51f3e2ccc9df9e309
Author: Antonio Torres <antorres@redhat.com>
Date: Thu Sep 7 14:14:58 2023 +0200

ipatests: rename 'ipatuura' directory to 'scim' in bridge tests

A recent commit [1] in ipa-tuura project renamed the 'ipatuura' django app to 'scim'. Change it in IPA side as well to fix tests.

[1]: https://github.com/freeipa/ipa-tuura/commit/f12592cea496818af782f953e0e9643c9ea440b5

Fixes: https://pagure.io/freeipa/issue/9447
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>

commit 3f874eece90741cd3951578b15fd78fae9d50750
Author: Viktor Ashirov <vashirov@redhat.com>
Date: Tue Aug 29 15:51:29 2023 +0200

BDB tuning should be applied only when BDB backend is used

389DS supports BDB and LMDB backends. FreeIPA installation fails with LMDB backend since it tries to apply tuning for BDB backend. Instead, tuning for BDB should be applied only when 389DS uses BDB backend.

Fixes: https://pagure.io/freeipa/issue/9435
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit f16b6e3e0a1f3dc507c3150c347276255f3b3e72
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri Aug 25 15:34:22 2023 +0200

idp: add the ipaidpuser objectclass when needed

The ipaidpuser objectclass is required for the attribute ipaidpsub. When a user is created or modified with --idp-user-id, the operation must ensure that the objectclass is added if missing.

Add a test for user creation and user modification with --idp-user-id.

Fixes: https://pagure.io/freeipa/issue/9433
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 37b433d4a79ae3f9160a27b6a03a58f371d2bd34
Author: Rob Crittenden <rcritten@redhat.com>
Date: Tue Aug 1 17:06:36 2023 -0400

Adjust test to handle revocation reason REMOVE_FROM_CRL

The dogtag REST API has a change of behavior regarding revocation reason 8, REMOVE_FROM_CRL. The XML interface accepts it blindly and marks the certificate as revoked. This is complicated within RFC 5280 but the gist is that it only affects a certificate on hold and only for delta CRLs.

So this modifies the behavior of revocation 8 so that the certificate is put on hold (6) first.

Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

commit 0b870694f62701534a32fdb4cbdd5c06a3ea4559
Author: Rob Crittenden <rcritten@redhat.com>
Date: Thu Jul 20 14:22:34 2023 -0400

Use the PKI REST API wherever possible instead of XML

The XML API is already deprecated and will be removed in some future release. All but the updateCRL API has an equivalent in REST.

The upstream dogtag project documents most of the API at https://github.com/dogtagpki/pki/wiki/REST-API . I say most because not every API includes sample input/output. The pki ca-cert command is a good substitute for seeing how the API is used by their own tooling.

This changes no pre-existing conventions. All serial numbers are converted to decimal prior to transmission and are treated as strings to avoid previous limitations with sizing (which would have been exacerbated by random serial numbers).

Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

commit b13b8fbb472ec24dfe35a690147e43aea363f3e4
Author: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon Aug 21 12:51:13 2023 +0530

ipatests: accommodate DST in ACME cert expiry

There is one hour time difference between expiry of ACME cert if the certificate is issued while daylight saving has started and expires after DST ends. For 2023 daylight saving time starts on Sunday 12 March and ends on Sunday 5 November. Every certificate which is expiring after November 5th will have 1 hour difference in expiry.

Fix is to use 90days+2hours to expire the cert.

Fixes: https://pagure.io/freeipa/issue/9428
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 4b1c5a5a83e4e5d667218e1b1b32322e7a0e29de
Author: Antonio Torres <antorres@redhat.com>
Date: Mon Aug 21 16:55:10 2023 +0200

Back to git snapshots

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit cb351476ed57d8199299832d19dd9d16c6a46db4
Author: Antonio Torres <antorres@redhat.com>
Date: Mon Aug 21 16:45:13 2023 +0200

Become IPA 4.11.0beta1

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit ef955c90150d7d1df145b16b1f17940769d42f56
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue Jun 13 15:10:27 2023 +0300

support more DateTime attributes in LDAP searches in IPA API

LDAPSearch class constructs a filter from a set of attributes and their values passed in by the command. During this construction process a limited set of attributes gets converted to a special form, the rest is simply taken as a string and escaped according to LDAP rules.

This means DateTime class would simply be converted to string using str(DateTime) and that uses default formatting method. For LDAP we need to apply a specific formatting method instead.

The following LDAP attributes are now handled as datetime.datetime:

( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
( 2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')

Fixes: https://pagure.io/freeipa/issue/9395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>

commit d5ae5e18848b499f7b329cb3dd84dbbe2d4d51c5
Author: Antonio Torres <antorres@redhat.com>
Date: Mon Aug 21 14:57:34 2023 +0200

Update list of contributors

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit 73c8aa4dc4be55305c2c6cd4ac5e5007352eae69
Author: Antonio Torres <antorres@redhat.com>
Date: Mon Aug 21 14:55:59 2023 +0200

Update translations to FreeIPA master state

Signed-off-by: Antonio Torres <antorres@redhat.com>

commit d98d5e475133ad5fae0af3d08beca8b01950427f
Author: Rob Crittenden <rcritten@redhat.com>
Date: Tue Jun 27 11:44:12 2023 -0400

Remove all references to deleted indirect map from parent map

An attempt to do this was already coded but the wrong argument was used. It was passing in the location name and not the map name so the map wouldn't be completely removed.

Include a test to verify that the map is gone after removing it by calling automountlocation-tofiles which will fail if the map wasn't properly removed.

Fixes: https://pagure.io/freeipa/issue/9397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 82b129fe765ad32328df540be2ec4d27fc33df0a
Author: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed Jul 19 17:47:54 2023 -0300

Fix typo in "Subordinate ID Selfservice User" role

The description of "Subordinate ID Selfservice User" role had 'subordiante' instead of 'subordinate'. This patch corrects the default value and adds a replace to fix existing deployments.

Related: https://pagure.io/freeipa/issue/9418
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 33549183effa3a880f2d79955939b25142e72ff9
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu Aug 10 16:51:22 2023 +0200

ipa-server-guard: make the lock timezone aware

ipa-server-guard reads a lock file in order to check if the lock is still taken by comparing the stored value, for instance:
expire = 20230810155452589311
with the current datetime.

The expire value needs to be timezone-aware in order to be compared with "now" which is also tz aware.

Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 0f16b72bcb86764aaffa69a9ccad4011e811f856
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu Aug 10 14:45:56 2023 +0200

ipa-cert-fix: use timezone-aware datetime

ipa-cert-fix compares the current datetime with the value obtained from a cert.not_valid_after. With the fix for #9425, not_valid_after is timezone aware and cannot be compared to a naive datetime.

Make the datetime "now" timezone aware.

Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 59e68f79e48e5eaa18c60f3dc418d0bf516684ab
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu Aug 10 11:31:26 2023 +0200

ipa-epn: include timezone info

ipa-epn is using timezone-aware timestamps for "now" but converts krbpasswordexpiration attribute into a naive datetime object that is missing the tzinfo. It is not possible to subtract timezone aware and naive values.

Convert krbpasswordexpiration attribute into a UTC value before doing the subtraction.

Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 7796b7b9585e9459bb44b8ea92c50eb2592319cf
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon Aug 14 10:53:05 2023 +0200

Installer: activate nss and pam services in sssd.conf

If there is already a sssd.conf file before the installer is executed, the nss and pam services may not be enabled by the installer. This happens for instance if the machine is hardened for STIG and sssd.conf does not define services=... in the [sssd] section.

The consequence is that trust cannot be established with an AD domain.

The installer must enable nss and pam services even if there is a pre-existing sssd.conf file.

Fixes: https://pagure.io/freeipa/issue/9427
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit a6f01115cf2abbf6be5570d96fa607e716ba7ba9
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri Aug 11 09:10:30 2023 +0200

ipatests: fixture can produce IndexError

The fixture issue_and_expire_acme_cert returns a function that fills the hosts array. If the function is not called in the test (for instance because a test is skipped, as in TestACMEPrune::test_prune_cert_search_size_limit), hosts = [] and hosts[0] raises an IndexError.

Fix the fixture to check first that hosts is not empty.

Related: https://pagure.io/freeipa/issue/9348
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>

commit 33c2740d82634654da6a1e047fd638512083c3f0
Author: Endi S. Dewata <edewata@redhat.com>
Date: Fri Aug 11 19:40:08 2023 -0500

Remove default values for pki_ca_signing_*_path

In the future pkispawn will validate all path params so the default values for pki_ca_signing_csr_path and pki_ca_signing_cert_path need to be removed since they point to non-existent files. When the params are actually used for installing an external CA, CAInstance.__spawn_instance() will initialize them with the correct paths.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 6f5fe80de0ee9a5474fdfa5ae7880910b7384a62
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri Aug 11 08:01:18 2023 +0200

ipatests: fix test_topology

The test TestTopologyOptions::test_add_remove_segment is randomly failing downstream.

Test scenario:
- create a line topology master <-> repl1 <-> repl2
- create user on master
- wait for repl success on master
- check that the user is seen on repl2

The test waits for replication to complete on the master but it should also wait for the replication to complete on repl1 before checking the user presence on repl2.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>

commit 8e142bc1d48183674859d3e63144d71a89ce1836
Author: Sudhir Menon <sumenon@redhat.com>
Date: Thu Jul 27 14:33:08 2023 +0530

ipatests: idm api related tests.

IDM API related tests are automated in the above PR

Ref: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit a9ee2adec38b23d7d957d503d79e20b2174cc512
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Aug 8 12:25:06 2023 -0500

Remove non-existent default pki_cert_chain_path

In the future pkispawn will validate all path params so the default value for pki_cert_chain_path needs to be removed since it points to a non-existent file. When the param is actually used (e.g. for installing with an external CA) CAInstance.__spawn_instance() will configure the param to point to the actual cert chain.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 7233944e741b2659889429c2a768ef227f4a3a2d
Author: Endi S. Dewata <edewata@redhat.com>
Date: Tue Aug 8 13:49:27 2023 -0500

Add pki_share_dbuser_dn for CA

In the future the default value for pki_share_dbuser_dn might change. To ensure that CA and KRA in IPA will use the same database user, the pki_share_dbuser_dn needs to be defined for CA to match the same param for KRA.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit cfc4f47a10c13a50fcd04115db65936568ea4409
Author: Endi S. Dewata <edewata@redhat.com>
Date: Wed Aug 9 15:39:37 2023 -0500

Remove unused subsystem.count

The subsystem.count param has actually been removed since PKI 10.10 so it doesn't need to be set in renew_ca_cert.in.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 8173e5df2d0e8dac48f26882ff16979d0da325b5
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon Aug 7 13:46:08 2023 +0300

ipa-epn: don't use too general exception

When modifying ipa-epn code, a warning was issued:

--------------
Python 3.11.4 (main, Jun 7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)]
************* Module ipaclient.install.ipa_epn
ipaclient/install/ipa_epn.py:89: [W0719(broad-exception-raised), drop_privileges] Raising too general exception: Exception)
--------------

Use 'RequiresRoot' exception class and clarify the message:

ipalib.errors.RequiresRoot: Cannot drop privileges!

Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 09497d2df0fbd4bb5ad798e5c0798a0faa632f11
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon Aug 7 13:40:34 2023 +0300

python 3.12: utcnow function is deprecated

The following warning is displayed on a system running with Python 3.12:

-------------------
/usr/lib/python3.12/site-packages/ipalib/rpc.py:925: DeprecationWarning: datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.now(datetime.UTC).
timestamp=datetime.datetime.utcnow())
-------------------

Fixes: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit bbb53a12711f864601a9d7c024145603c9c596a1
Author: Mohammad Rizwan <myusuf@redhat.com>
Date: Wed Aug 2 12:48:40 2023 +0530

ipatests: remove fixture call and wait to get things settle

The system date is moved in order to expire the certs. Sometimes it is observed that the subsequent operation fails with 500 error for CA, hence restart the services after moving the date and wait for some time to let things settle.

Also the test was calling a fixture which is not required for it, hence removed it as well.

Fixes: https://pagure.io/freeipa/issue/9348
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit e49ec1048db85f514e2db5960f773e5d56fa0cec
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed Aug 2 15:41:57 2023 +0200

ipatests: update expected webui msg for admin deletion

The deletion of the admin is now forbidden (even if it is not the last member of the admins group) and the error message has changed from "admin cannot be deleted or disabled because it is the last member of group admins" to "user admin cannot be deleted/modified: privileged user".

Update the expected message in the webui test.

Related: https://pagure.io/freeipa/issue/8878
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit dea35922cd086883c0699646ec39fdef8f0ba579
Author: Rob Crittenden <rcritten@redhat.com>
Date: Thu May 25 18:24:29 2023 -0400

Prevent the admin user from being deleted

admin is required for trust operations

Note that testing for removing the last member is now irrelevant because admin must always exist so the test for it was removed, but the code check remains. It is done after the protected member check.

Fixes: https://pagure.io/freeipa/issue/8878
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 69e4397421d16fad7d16b2f5d53d2bd9316407a1
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri Jul 28 14:40:21 2023 +0300

idp: when adding an IdP allow to override IdP options

Use of 'ipa idp-add --provider' was supposed to allow overriding the scope and other IdP options. The defaults are provided by the IdP template and were actually not overridden. Fix this.

Fixes: https://pagure.io/freeipa/issue/9421
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit c84c59c66f1b22ebc671960cae90088a024d2d62
Author: Julien Rische <jrische@redhat.com>
Date: Mon Jul 31 11:26:43 2023 +0200

ipa-kdb: fix error handling of is_master_host()

Adding proper error handling to the is_master_host() function to allow it to tell the difference between the absence of a master host object and a connection failure. This will keep the krb5kdc daemon from continuing to run with a NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/9422
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 089907b4853207ea70c7ca02896b84718251cf6f
Author: Rob Crittenden <rcritten@redhat.com>
Date: Mon Jun 26 13:06:51 2023 -0400

Fix memory leak in the OTP last token plugin

Three memory leaks are addressed:

1. String values retrieved from the pblock need to be manually freed.
2. The list of objectclasses retrieved from the pblock need to be freed.
3. Internal search results need to be freed.

Fixes: https://pagure.io/freeipa/issue/9403
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 7c5ee21a18fa6c18785ce5f214dd4e25620816ce
Author: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu Jul 27 09:17:37 2023 +0200

ipatests: update expected cksum for epn.conf

The test test_epn.py::TestEPN::test_EPN_config_file ensures that /etc/ipa/epn.conf is installed and compares its checksum with an expected value. Commit fcad9c9 has changed the content of the file and the cksum must be updated to reflect the new content.

Fixes: https://pagure.io/freeipa/issue/9419
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit fcad9c9aa76b5e027ca247941620c4e6a4be991e
Author: Simon Nussbaum <simon.nussbaum@adfinis.com>
Date: Fri Feb 24 16:08:14 2023 +0100

component: mail_from_realname config setting added to IPA-EPN

Adding mail_from_realname setting to configuration so that the real name of the sender of the password expiration notification can be customized. This addition does not affect existing configurations.

Fixes: https://pagure.io/freeipa/issue/9336
Signed-off-by: Simon Nussbaum <simon.nussbaum@adfinis.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Among the 2 Debian patches available in version 4.10.2-2 of the package, we noticed the following issues: