[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 81 commits: Return to git snapshots

Timo Aaltonen gitlab at salsa.debian.org
Mon Sep 28 11:29:09 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
e058c4d4 by Alexander Bokovoy at 2020-08-20T13:34:58+03:00
Return to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8c7414a5 by Stanislav Levin at 2020-08-24T09:58:24+03:00
pylint: Teach pylint about more RRs types

There are many types of RRs which are provided by dnspython.
This is not all, but enough for now to fix linting errors
caused by new dnspython 2.0.

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a283196b by Stanislav Levin at 2020-08-24T09:58:24+03:00
pylint: Fix warning W0612(unused-variable)

New warnings were found by new pylint (2.5.3).

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31e16f72 by Stanislav Levin at 2020-08-24T09:58:24+03:00
pylint: Ignore `super-with-arguments`

Pylint 2.6.0 added new check:
> Add super-with-arguments check for flagging instances of Python 2
> style super calls.

According to PEP 3135 this form of `super` is syntactic sugar and
is not mandatory. Right now there are 566 affected `super`s.

http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3135/

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ffbbc301 by Stanislav Levin at 2020-08-24T09:58:24+03:00
pylint: Ignore `raise-missing-from`

Pylint 2.6.0 introduces new check:
> Add raise-missing-from check for exceptions that should have a
> cause.

According to PEP 3134 the implicit exception chaining is valid and
can be used.

http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3134/

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
32b12425 by Mohammad Rizwan at 2020-08-24T11:26:16+03:00
ipatests: Add PTR record for IP SAN

If PTR record is missing for an IP address then cert request
with SAN option throws an error. This fix is to add the PTR
record so that cert request doesn't throw an error.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
6b0f0657 by Mohammad Rizwan at 2020-08-24T11:26:16+03:00
ipatests: add --skip-overlap-check option to prepare_reverse_zone()

Add --skip-overlap-check in case it overlaps with an existing zone
or with dnszone outside of IPA.

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
19ec19c0 by Mohammad Rizwan at 2020-08-24T11:26:16+03:00
PEP8 fixes

PEP8 fixes for visual indent, line > 79, blank line required etc

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
6662f5fd by Sumedh Sidhaye at 2020-08-24T17:05:03+02:00
This is a manual backport of https://github.com/freeipa/freeipa/pull/5053/

Increase test_cert.py timeout from 3600 to 5400
to accommodate newly added tests that need more time
to execute

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
fc9840d8 by Alexander Bokovoy at 2020-08-24T17:07:29+02:00
test_smb: make sure both smbserver and smbclient use IPA master for DNS

test_smb test suite sets up IPA master, AD forest, and two clients.
The clients are used as an SMB server and an SMB client and they need to
resolve and authenticate AD users with Kerberos.

Previously, the test only configured SMB client to use IPA master as its
DNS server. SMB server wasn't using IPA master and thus any attempt to
resolve SRV records from AD DNS zone was failing.

Make sure that both SMB client's and SMB server's DNS resolution is set
up in the same way.

Fixes: https://pagure.io/freeipa/issue/8344

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
57ea534c by Armando Neto at 2020-08-24T17:09:11+02:00
ipatests: Bump PR-CI templates

New template images for ci-ipa-4-8-f32 to include latest packages.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
6f4f7c61 by Rob Crittenden at 2020-08-25T12:38:11-04:00
ipatests: Add option/arg parsing tests for the cli

A typo in passing in options would result in an exception.

For example -verbose was treated as: -v -e rbose

-v and -e are valid options. rbose on its own has no value in the
name-value pair so an exception would result.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dce5b1c8 by Rob Crittenden at 2020-08-25T12:38:11-04:00
cli: When parsing options require name/value pairs

If single-option values are combined together with invalid options
an exception would be raised.

For example -verbose was treated as -v -e rbose. Since rbose isn't
a name/value pair things would blow up. This is now caught and
a somewhat more readable error returned. The -v and -e are consumed,
not much we can do about that, but at least a more usable error is
returned.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
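
Added illustration, not FreeIPA's own code: the two CLI commits above describe how `-verbose` is split into `-v -e rbose`. The sketch below reproduces that split with Python's `optparse` and rejects the leftover value with a readable error. The function names and the parser layout are assumptions; only the `-v` and `-e` options come from the commit messages.

```python
import optparse


def build_parser():
    """Minimal parser with the two short options named in the commit message."""
    parser = optparse.OptionParser(add_help_option=False)
    # -v takes no argument, so characters following it in the same token are
    # parsed as further short options.
    parser.add_option("-v", dest="verbose", action="count", default=0)
    # -e takes an argument, so the rest of the token becomes its value.
    parser.add_option("-e", dest="env", action="append", metavar="KEY=VAL")
    return parser


def parse_env(pairs):
    """Turn KEY=VAL strings into a dict, rejecting anything that is not a pair."""
    overrides = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep or not key:
            # The readable error path: "rbose" has no "=", so it cannot be
            # unpacked into a name and a value.
            raise ValueError("invalid -e argument %r: expected KEY=VAL" % pair)
        overrides[key] = value
    return overrides


def parse_cli(argv):
    """Return (verbosity, env overrides, positional args) for argv."""
    options, args = build_parser().parse_args(argv)
    return options.verbose, parse_env(options.env or []), args


if __name__ == "__main__":
    print(parse_cli(["-v", "-e", "debug=True", "ping"]))
    try:
        parse_cli(["-verbose"])
    except ValueError as exc:
        print("rejected:", exc)
```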

- - - - -
fe783b63 by Rob Crittenden at 2020-08-26T11:12:07+03:00
Fall back to old server installation detection when needed

If there is no installation section the install pre-dated
this new method of detecting a successful installation, fall back
to that.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
774bbb17 by Rob Crittenden at 2020-08-26T11:12:07+03:00
Use is_ipa_configured from ipalib.facts

A couple of places still used the deprecated installutils version.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2057b330 by Rob Crittenden at 2020-08-26T11:12:07+03:00
ipatests: Add test for is_ipa_configured

Validate that is_ipa_configured() returns True when using either
the original or the new configuration methods. This will allow
older installs to successfully upgrade.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d5605055 by Sergey Orlov at 2020-08-27T10:45:21+03:00
ipatests: refactor test for login using cifs alias principal

The test had two problems:
* if it was failing, samba services were not started and all other
tests also failed
* Utility for copying keys obscured fatal problems i.e. if file does not
exist or can not be parsed.

Fixed by moving the check to separate test and raising exceptions in
KerberosKeyCopier on any unexpected problem.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f3c6fb3a by Sergey Orlov at 2020-08-27T10:45:21+03:00
ipatests: simplify fixture

Fixture enable_smb_client_dns_lookup_kdc had an unobvious structure
"contextmanager inside pytest fixture". Replaced with simple pytest
fixture.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2ce880e9 by Florence Blanc-Renaud at 2020-08-31T09:41:02+03:00
ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately

The test is changing the date back and forth. Due to PRCI
infra issue, chronyd is not able to connect to the default
NTP servers from the fedora pool, and the date is not
synchronized any more after this test.

To avoid polluting other tests, run this one separately.

Fixes: https://pagure.io/freeipa/issue/8472
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ab6811a1 by Florence Blanc-Renaud at 2020-08-31T09:41:02+03:00
ipatests: add missing healthcheck test in PRCI nightlies

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5d13ef9b by Stanislav Levin at 2020-09-01T17:25:54+03:00
Azure: Add Rawhide definitions

- allow override variables template file with an externally
provided one. This allows to add new Azure Pipeline which will
point to a custom platform definition. Note: Azure's WebUI
variables are runtime variables and not available at parsing time,
that's why it's impossible to override template from WebUI in
this case.

- add Rawhide templates

- add Dockerfile for build Rawhide Docker image for tests phase
Note: 'fedora:rawhide' is too old, use for now
'registry.fedoraproject.org/fedora:rawhide'.
See, https://bugzilla.redhat.com/show_bug.cgi?id=1869612

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ae219dff by Stanislav Levin at 2020-09-01T17:25:54+03:00
Azure: Drop dependency on UsePythonVersion task

Python is provided by the Docker container image and it's no
longer needed to bind mount host's Python into container.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0ff6b6ee by Stanislav Levin at 2020-09-01T17:25:54+03:00
Azure: base: Collect both install and uninstall logs

Some applications remove their logs on uninstallation.
As a result of this, Azure lost `install` logs.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0a8997ff by Stanislav Levin at 2020-09-01T17:25:54+03:00
nss: Raise exception earlier on unsupported DB type

For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.

With this patch, the instantiation of NSS with legacy db (if not
supported by NSS) is forbidden.

Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ee661dc7 by Stanislav Levin at 2020-09-01T17:25:54+03:00
deps: Require `nss-tools` for make's fasttest target

Otherwise, tests fail with:
```
E               FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/certutil'
...
=================================== short test summary info ===================================
FAILED test_ipapython/test_certdb.py::test_dbm_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_sql_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_convert_db - FileNotFoundError: [Errno 2] No such...
FAILED test_ipapython/test_certdb.py::test_convert_db_nokey - FileNotFoundError: [Errno 2] N...
FAILED test_ipapython/test_certdb.py::test_auto_db - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_delete_cert_and_key - FileNotFoundError: [Errno 2...
FAILED test_ipapython/test_certdb.py::test_check_validity - FileNotFoundError: [Errno 2] No ...
...
```

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
428373f1 by Stanislav Levin at 2020-09-01T17:25:54+03:00
Azure: Increase verbosity for Tox task

This allows to debug issues happened during packages installation:

> -v, --verbose     increase verbosity of reporting output.
> -vv mode turns off output redirection for package installation,
> above level two verbosity flags are passed through to pip (with two less
> level) (default: 0)

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
76502144 by Stanislav Levin at 2020-09-01T17:25:54+03:00
tox: Don't expand symlinks

`virtualenv` < 20.0.0 copies system python binary into virt
environment and then links `python` to it. While
`virtualenv` >= 20.0.0 directly links `python` to system python
binary (without copying).

`realpath` by default expands symlinks. Thereby, pip attempts to
install packages into the system's site-packages and
fails with 'Permission denied' (non-privileged user).

Fixes: https://pagure.io/freeipa/issue/8475
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ae8b723c by Stanislav Levin at 2020-09-01T17:25:54+03:00
dnspython: Add compatibility shim

`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
656aa912 by Stanislav Levin at 2020-09-03T13:54:04+02:00
dns: Make use of `resolve_address` of a current resolver instead of the global one

For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
0a7fc535 by Sudhir Menon at 2020-09-04T08:41:39+02:00
ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust

Tests for TestIpaHealthCheckWithADtrust are failing since
package is not installed, this patch installs
healthcheck pkg on the IPA Master.

Patch to install healthcheck package for TestIpaHealthCheckWithExternalCA

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
43828547 by François Cami at 2020-09-10T08:58:26+02:00
SELinux Policy: let custodia replicate keys

Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
    allow ipa_custodia_t self:tcp_socket { bind create };
    allow ipa_custodia_t node_t:tcp_socket node_bind;
    allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
    allow ipa_custodia_t pki_tomcat_cert_t:file create;
    allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
    allow ipa_custodia_t self:process execmem;

Found by: test_replica_promotion::TestSubCAkeyReplication

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fefaeb4b by Florence Blanc-Renaud at 2020-09-10T11:32:03+02:00
dnsforwardzone-add: support dnspython 2.0

The command dnsforwardzone-add is assuming that the dns.rrset.RRset
type stores "items" as a list. With dnspython 2.0 this is not true
as a dict is used instead.

As a consequence, in order to get the first record, it is not possible
to use items[0]. As dict and list are both iterables, next(iter(items))
can be used in order to be compatible with dnspython 1.16 and 2.0.

Fixes: https://pagure.io/freeipa/issue/8481
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
099ab6c7 by Rob Crittenden at 2020-09-10T12:14:33+02:00
ipatests: test ipa_server_certinstall with an IPA-issued cert

ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.

This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
2a5a2a0b by Rob Crittenden at 2020-09-10T12:14:33+02:00
Set the certmonger subject with a string, not an object

ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
fe9f4a86 by Armando Neto at 2020-09-10T18:37:37+02:00
ipatests: Bump PR-CI templates

New templates with a previously working version of `geckodriver`.

Issue: https://pagure.io/freeipa/issue/8473

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ec8a5603 by Alexander Bokovoy at 2020-09-10T15:34:00-04:00
ipa-kdb: support getprincs request in kadmin.local

kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this

 (&(|
    (objectclass=krbprincipalaux)
    (objectclass=krbprincipal)
    (objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
     (krbprincipalname:caseIgnoreIA5Match:=*)))

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:

      extensible     = ( attr [dnattrs]
                           [matchingrule] COLON EQUALS assertionvalue )
                       / ( [dnattrs]
                            matchingrule COLON EQUALS assertionvalue )

In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using <valueencoding> rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
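
Added illustration, not the ipa-kdb C code: a Python sketch of the escaping rule the commit message above describes. In the plain `attr=*` item a lone `*` is the RFC 4515 presence test, while the extensible-match item only admits an assertion value, so the same `*` has to be written as `\2a` there. The function names are hypothetical, and escaping ordinary principal names in both items is an assumption of this sketch; the object classes and attributes are the ones in the quoted filter.

```python
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits: NUL ( ) * \
_MUST_ESCAPE = "\x00()*\\"

# Object classes taken from the filter quoted in the commit message.
_OBJECTCLASSES = ("krbprincipalaux", "krbprincipal", "ipakrbprincipal")

# A well-formed encoded assertion value consists only of escaped pairs and
# characters that need no escaping.
_VALUE_RE = re.compile(r"(?:\\[0-9a-fA-F]{2}|[^\x00()*\\])*\Z")


def escape_assertion_value(value):
    """Encode value with the <valueencoding> rule (hypothetical helper)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _MUST_ESCAPE else ch for ch in value
    )


def is_valid_assertion_value(encoded):
    """True if encoded could appear after ':=' in an extensible-match item."""
    return _VALUE_RE.match(encoded) is not None


def principal_filter(principal):
    """Build the principal lookup filter for one principal name or for '*'."""
    classes = "".join("(objectclass=%s)" % oc for oc in _OBJECTCLASSES)
    escaped = escape_assertion_value(principal)
    # Plain item: a lone "*" is kept and acts as a presence test.
    # Any other input is treated as data and escaped (assumption of this sketch).
    alias_value = "*" if principal == "*" else escaped
    # Extensible item: always an assertion value, so always escaped.
    return (
        "(&(|%s)(|(ipakrbprincipalalias=%s)"
        "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
        % (classes, alias_value, escaped)
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("*", "admin@EXAMPLE.TEST", "host/a(b)@EXAMPLE.TEST"):
        print(principal_filter(name))
    print(is_valid_assertion_value("*"), is_valid_assertion_value("\\2a"))
```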

- - - - -
f316d011 by Alexander Bokovoy at 2020-09-10T15:34:00-04:00
ipa-kdb: test kadmin.local getprincs command

Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
be7efc4d by Christian Heimes at 2020-09-11T15:55:30-04:00
Only restart DS when duplicate cacrt was found

The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was detected.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
93fff042 by Alexander Bokovoy at 2020-09-14T13:03:56-04:00
Specify memory limits as strings for docker compose

Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2a0c00c3 by Rob Crittenden at 2020-09-14T17:57:39-04:00
Don't allow both a zone name and --name-from-ip to be provided

--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
8f19411a by Rob Crittenden at 2020-09-14T17:57:39-04:00
ipatests: test that a zone name and name-from-ip will be rejected

If a zone name is provided then name-from-ip makes little sense,
don't allow it.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
1fd4440a by Rob Crittenden at 2020-09-14T17:58:49-04:00
Require at least 1.6Gb of available RAM to install the server

Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin <slev at altlinux.org>

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
9fa534c9 by Rob Crittenden at 2020-09-14T17:58:49-04:00
ipatests: Add tests for checking available memory

The tests always force container or no container so they should
run the same in any environment.

The following cases are handled:

- container, no cgroups
- container, insufficient RAM
- container, sufficient RAM for no CA
- container, insufficient RAM with CA
- non-container, sufficient RAM
- non-container, insufficient RAM

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
4e5ba24b by Rob Crittenden at 2020-09-14T19:01:37-04:00
De-duplicate ACI attributes and permissions

Ensure uniqueness in attributes and permissions in the ACI class.

A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
939a72f4 by Rob Crittenden at 2020-09-14T19:01:37-04:00
Use ACI class set_permissions() method to set permissions

This will ensure uniqueness and that the ACI has the right
datatype without the caller worrying about it.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a572df96 by Rob Crittenden at 2020-09-14T19:01:37-04:00
ipatests: Add test for ACI attribute and permission uniqueness

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
53a952f0 by Rob Crittenden at 2020-09-14T19:02:22-04:00
Add index for more trust-related attributes

Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname

https://pagure.io/freeipa/issue/8491

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
02698275 by Armando Neto at 2020-09-15T14:59:37-03:00
ipatests: Add nightly definitions for enforcing mode

Duplicates the scenario for nightly_ipa-4-8_latest.yaml and
sets `selinux_enforcing` parameter as True.

Indentation for all definitions has been fixed.

Issue: freeipa/freeipa-pr-ci#391

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
672fe14d by Christian Heimes at 2020-09-16T11:17:54+02:00
Add krbPrincipalName pres index correctly

See: 20b55f4017ab42113f1ced829a4b4afa17839b55
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d1c860e5 by François Cami at 2020-09-17T18:43:24+02:00
ipatests: check that pkispawn log is not empty

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
97c6d2d2 by François Cami at 2020-09-17T18:43:24+02:00
dogtaginstance.py: add --debug to pkispawn

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d7f39287 by Christian Heimes at 2020-09-21T18:11:00-04:00
Duplicate CA CRT: ignore expected cert

When searching for duplicate CA certs, ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
707823a3 by Florence Blanc-Renaud at 2020-09-22T08:39:57+02:00
test_smb: skip test_smb_service_s4u2self for fed31

The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.

Skip the test depending on the fedora version.

Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
52929cba by François Cami at 2020-09-22T23:41:35+02:00
ipatests: enhance TestSubCAkeyReplication

enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
5a596242 by François Cami at 2020-09-22T23:41:35+02:00
SELinux: Add dedicated policy for ipa-pki-retrieve-key

Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
c126610e by François Cami at 2020-09-22T23:41:35+02:00
SELinux Policy: let custodia_t map custodia_tmp_t

This is used by the JVM perf counters.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
310dbd6e by François Cami at 2020-09-22T23:41:35+02:00
SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t

Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
ipa_pki_retrieve_key_exec_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
0518c637 by François Cami at 2020-09-22T23:41:35+02:00
SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t

ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake; replace by
ipa_custodia_pki_tomcat_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
25cf7af0 by François Cami at 2020-09-22T23:41:35+02:00
SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
7ad04841 by François Cami at 2020-09-22T23:41:35+02:00
SELinux Policy: make interfaces for kernel modules non-optional

Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
6a31605c by François Cami at 2020-09-22T23:41:35+02:00
SELinux Policy: Allow tomcat_t to read kerberos keytabs

This is required to fix:
avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

Macros suggested by: Ondrej Mosnacek

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
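
The AVC denial quoted in commit 6a31605c, parsed into its fields and turned into the raw type-enforcement rule it corresponds to. This is an added example, not part of the commit or of FreeIPA's policy (the commit uses policy macros rather than a raw rule); the function names are hypothetical.

```python
import re

# AVC denial quoted in commit 6a31605c above (copied from the page).
AVC = ('avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" '
       'name="krb5" dev="dm-0" ino=8620822 '
       'scontext=system_u:system_r:tomcat_t:s0 '
       'tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0')

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC message into decision, permissions and key=value fields."""
    m = _HEAD.search(line)
    if m is None:
        raise ValueError("not an AVC message")
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(3))}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC message lacks " + key)
    return {"decision": m.group(1), "perms": m.group(2).split(), **fields}


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]


def raw_allow_rule(avc):
    """Type-enforcement rule that matches exactly what was denied."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], perm_text)


def was_enforced(avc):
    """True when the denial actually blocked the access (permissive=0)."""
    return avc["decision"] == "denied" and avc.get("permissive") == "0"


if __name__ == "__main__":
    record = parse_avc(AVC)
    print(raw_allow_rule(record), "enforced:", was_enforced(record))
```

Reading the source type, target type, class and permission off the denial this way makes it easy to check that a proposed policy change grants no more than what was actually blocked.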

- - - - -
80f66b75 by Rob Crittenden at 2020-09-22T22:50:15-04:00
Require a matching server package for the selinux subpackage

Ensure that the selinux subpackage is upgraded along with the
rest of IPA if it is built.

https://pagure.io/freeipa/issue/8511

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
58c3343a by François Cami at 2020-09-23T18:37:35+02:00
SELinux: do not double-define node_t and pki_tomcat_cert_t

node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c029eb7e by Zdenek Pytela at 2020-09-23T21:48:05+02:00
Add ipa_pki_retrieve_key_exec() interface

The ipa_pki_retrieve_key_exec() interface is needed to allow other
domains to execute ipa-pki-retrieve-key.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
43917063 by Christian Heimes at 2020-09-24T08:15:35+02:00
Make git a build requirement

FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
202d7da8 by Christian Heimes at 2020-09-24T08:22:18+02:00
Delay import of psutil to avoid AVC

Commit cfad7af35dd5a2cdd4081d1e9ac7c245f47f1dce added a check to ensure a
system has a sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
SELinux violations and a Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
489ddc6d by Christian Heimes at 2020-09-24T09:04:01+02:00
Add helpers for resolve1 and nameservers

detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dnspython.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d6827f52 by Christian Heimes at 2020-09-24T09:04:01+02:00
Configure NetworkManager to use systemd-resolved

zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6dc5566c by Christian Heimes at 2020-09-24T09:04:01+02:00
Use new API for auto-forwarders

Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c67aba23 by Christian Heimes at 2020-09-24T09:04:01+02:00
Configure systemd-resolved to use IPA's BIND

IPA installer now instructs systemd-resolved to use IPA's BIND DNS
server as primary DNS server.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3b3cb99d by Christian Heimes at 2020-09-24T09:04:01+02:00
Create systemd-resolved configuration on update

Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8255bc7b by Rob Crittenden at 2020-09-24T10:38:42+02:00
Reduce the memory requirement from 1.6 to 1.2 GB

We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ade428f5 by Rob Crittenden at 2020-09-24T11:35:32+02:00
Clean up entire /run/ipa/ccaches directory not just files

If there are any sub-directories in the ccaches directory
then cleaning it up will fail.

Instead remove the whole directory and allow systemd-tmpfiles
to re-create it.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7cfd03db by Rob Crittenden at 2020-09-24T11:35:32+02:00
Test that ccaches are cleaned up during installation

Create a random file and directory in the ccaches directory
prior to installation then confirm that they were removed.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
87e5c050 by Christian Heimes at 2020-09-24T18:07:55+02:00
Fix nsslapd-db-lock tuning of BDB backend

nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
090a2228 by Serhii Tsymbaliuk at 2020-09-24T20:39:55+02:00
WebUI: Fix jQuery DOM manipulation issues

The commit includes the following jQuery patches:
- Manipulation: Make jQuery.htmlPrefilter an identity function
  (https://github.com/jquery/jquery/pull/4642)
- Manipulation: Skip the select wrapper for <option> outside of IE 9
  (https://github.com/jquery/jquery/pull/4647)

In addition, a script is included that helps to patch and build
the new version of jQuery:

  $ install/ui/util/make-jquery.js 3.4.1

Ticket: https://pagure.io/freeipa/issue/8507

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a44bb2e0 by Alexander Bokovoy at 2020-09-26T10:57:07+03:00
Become IPA 4.8.10

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ee25a47c by Timo Aaltonen at 2020-09-28T11:04:33+03:00
Merge branch 'upstream'

- - - - -
e8987b4b by Timo Aaltonen at 2020-09-28T11:05:05+03:00
bump the version

- - - - -
b47b82b9 by Timo Aaltonen at 2020-09-28T11:42:37+03:00
refresh pkcs11-openssl-for-bind.diff

- - - - -
0d0ccc77 by Timo Aaltonen at 2020-09-28T13:12:34+03:00
releasing package freeipa version 4.8.10-1

- - - - -


30 changed files:

- .tox-install.sh
- VERSION.m4
- daemons/ipa-kdb/ipa_kdb_principals.c
- debian/changelog
- debian/patches/pkcs11-openssl-for-bind.diff
- freeipa.spec.in
- install/share/Makefile.am
- install/share/indices.ldif
- + install/share/ldbm-tuning.ldif
- install/ui/src/libs/jquery.js
- + install/ui/util/jquery-patches/3.4.1/gh-4642.patch
- + install/ui/util/jquery-patches/3.4.1/gh-4647.patch
- + install/ui/util/make-jquery.sh
- + install/updates/10-db-locks.update
- install/updates/20-indices.update
- install/updates/Makefile.am
- ipaclient/discovery.py
- ipaclient/install/client.py
- ipalib/aci.py
- ipalib/facts.py
- + ipalib/install/dnsforwarders.py
- ipalib/plugable.py
- ipalib/setup.py
- ipalib/util.py
- ipaplatform/base/paths.py
- ipaplatform/base/services.py
- ipaplatform/base/tasks.py
- ipaplatform/redhat/tasks.py
- ipapython/certdb.py
- ipapython/dnsutil.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/1b34abd605c4a1cd3751539440e7b7bb90f078a0...0d0ccc773c06bcfb07c0ab295f0840cba5a38768