From ac084a71fe75924cbea3007a6009b62311225b47 Mon Sep 17 00:00:00 2001
From: Ding-Yi Chen
Date: Fri, 5 Aug 2022 09:48:03 +1000
Subject: [PATCH] Initial import
---
 .gitignore | 1 +
 16.patch | 23 +++++
 18.patch | 46 ++++++++++
 19.patch | 51 +++++++++++
 cepces.spec | 240 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 sources | 1 +
 6 files changed, 362 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 16.patch
 create mode 100644 18.patch
 create mode 100644 19.patch
 create mode 100644 cepces.spec
 create mode 100644 sources
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..645ad94
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/cepces-0.3.5.tar.gz
diff --git a/16.patch b/16.patch
new file mode 100644
index 0000000..384f814
--- /dev/null
+++ b/16.patch
@@ -0,0 +1,23 @@
+From c985686b9f80c363c1f24d00bfa0e381a918813b Mon Sep 17 00:00:00 2001
+From: Ding-Yi Chen
+Date: Tue, 14 Jun 2022 18:14:50 +1000
+Subject: [PATCH] Fixes #15 cepces.conf.dist: server should be pointed to
+ actual CEP host
+
+---
+ conf/cepces.conf.dist | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/conf/cepces.conf.dist b/conf/cepces.conf.dist
+index fe3a5a1..34f9c97 100644
+--- a/conf/cepces.conf.dist
++++ b/conf/cepces.conf.dist
+@@ -1,6 +1,6 @@
+ [global]
+-# Hostname of the issuing certification authority. This is an optional setting
+-# and is only used to construct the URL to the Policy Provider endpoint.
++# Hostname of the Certificate Enrollment Policy (CEP) Server.
++# Used to construct the URL to the CEP endpoint.
+ #
+ # Default: ca
+ server=ca
diff --git a/18.patch b/18.patch
new file mode 100644
index 0000000..07f69be
--- /dev/null
+++ b/18.patch
@@ -0,0 +1,46 @@
+From b68b7a713a2acbbb6e0ce7bc9b8ef43fb913a2a8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 23 Jun 2022 19:13:25 +0200
+Subject: [PATCH] Replace old requests_kerberos with requests_gssapi
+
+Signed-off-by: Andreas Schneider
+---
+ cepces/soap/auth.py | 8 +++++---
+ requirements.txt | 2 +-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/cepces/soap/auth.py b/cepces/soap/auth.py
+index bb5536d..26f549e 100644
+--- a/cepces/soap/auth.py
++++ b/cepces/soap/auth.py
+@@ -21,7 +21,8 @@
+ """This module contains SOAP related authentication."""
+ from abc import ABCMeta, abstractmethod, abstractproperty
+ import os
+-from requests_kerberos import HTTPKerberosAuth
++import gssapi
++from requests_gssapi import HTTPSPNEGOAuth
+ from cepces import Base
+ from cepces.krb5 import types as ktypes
+ from cepces.krb5.core import Context, Keytab, Principal
+@@ -117,8 +118,9 @@ def _init_ccache(self):
+ os.environ["KRB5CCNAME"] = ccache_name
+
+ def _init_transport(self):
+- self._transport = HTTPKerberosAuth(principal=self._config['name'],
+- delegate=True)
++ name = gssapi.Name(self._config['name'], gssapi.NameType.user)
++ creds = gssapi.Credentials(name=name, usage="initiate")
++ self._transport = HTTPSPNEGOAuth(creds=creds, delegate=True)
+
+ @property
+ def transport(self):
+diff --git a/requirements.txt b/requirements.txt
+index e111f9d..eb560d3 100644
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -1,3 +1,3 @@
+ cryptography>=1.2
+ requests
+-requests_kerberos>=0.9
++requests_gssapi>=1.2.2
diff --git a/19.patch b/19.patch
new file mode 100644
index 0000000..6bc88f7
--- /dev/null
+++ b/19.patch
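Review bot: The rewritten `_init_transport` in the carried 18.patch keeps `delegate=True` but no longer states a mutual-authentication policy. `requests_kerberos.HTTPKerberosAuth` requires mutual authentication by default, while `requests_gssapi.HTTPSPNEGOAuth` (as far as I know) defaults to disabled, so after the swap the client would forward delegated Kerberos credentials to an endpoint whose identity rests on TLS validation alone. If that is intended, a comment should say so; otherwise make it explicit with `self._transport = HTTPSPNEGOAuth(creds=creds, delegate=True, mutual_authentication=REQUIRED)` and `from requests_gssapi import HTTPSPNEGOAuth, REQUIRED`. The rest of the class is outside the hunk, so whether certificate verification is enforced on this transport cannot be confirmed from here.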
@@ -0,0 +1,51 @@
+From 569860e9cfc083785f18033cd96d24c453b25d09 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 11 Jul 2022 16:37:48 +0200
+Subject: [PATCH 1/2] setup: Do not install example configs
+
+Packagers should take care of installing them correctly.
+---
+ setup.py | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 480e30f..65c5ebc 100755
+--- a/setup.py
++++ b/setup.py
+@@ -69,13 +69,6 @@
+
+ data_files=[
+ ('/usr/local/libexec/certmonger', ['bin/cepces-submit']),
+- (
+- '/usr/local/etc/cepces',
+- [
+- 'conf/cepces.conf.dist',
+- 'conf/logging.conf.dist',
+- ]
+- ),
+ ],
+
+ install_requires=[],
+
+From 0d6401a1912370010e81943c81737b4276615a26 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 11 Jul 2022 16:38:31 +0200
+Subject: [PATCH 2/2] setup: Respect the prefix the user specifies
+
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 65c5ebc..b0718d2 100755
+--- a/setup.py
++++ b/setup.py
+@@ -68,7 +68,7 @@
+ ],
+
+ data_files=[
+- ('/usr/local/libexec/certmonger', ['bin/cepces-submit']),
++ ('libexec/certmonger', ['bin/cepces-submit']),
+ ],
+
+ install_requires=[],
diff --git a/cepces.spec b/cepces.spec
new file mode 100644
index 0000000..4819292
--- /dev/null
+++ b/cepces.spec
@@ -0,0 +1,240 @@
+%global selinux_variants targeted
+%global logdir %{_localstatedir}/log/%{name}
+%global modulename %{name}
+%global selinux_package_dir %{_datadir}/selinux/packages
+
+Name: cepces
+Version: 0.3.5
+Release: 6%{?dist}
+Summary: Certificate Enrollment through CEP/CES
+
+License: GPLv3+
+URL: https://github.com/openSUSE/%{name}
+Source0: https://github.com/openSUSE/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+
+# cepces.conf.dist: server should be pointed to actual CEP host
+# https://github.com/openSUSE/cepces/issues/15
+# Merged to master after ver 0.3.5
+Patch0: https://patch-diff.githubusercontent.com/raw/openSUSE/%{name}/pull/16.patch
+
+# Replace old requests_kerberos with requests_gssapi
+Patch1: https://patch-diff.githubusercontent.com/raw/openSUSE/%{name}/pull/18.patch
+
+# Cleanup for installing the project
+Patch2: https://patch-diff.githubusercontent.com/raw/openSUSE/%{name}/pull/19.patch
+
+BuildArch: noarch
+
+Requires: python%{python3_pkgversion}-%{name} = %{version}-%{release}
+
+Recommends: logrotate
+Supplements: %{name}-certmonger%{?_isa} = %{version}-%{release}
+Supplements: %{name}-selinux%{?_isa} = %{version}-%{release}
+
+%description
+cepces is an application for enrolling certificates through CEP and CES.
+It requires certmonger to operate.
+
+Only simple deployments using Microsoft Active Directory Certificate Services
+have been tested.
+
+%package -n python%{python3_pkgversion}-%{name}
+Summary: Python part of %{name}
+
+BuildRequires: python3dist(setuptools)
+BuildRequires: python3dist(cryptography) >= 1.2
+BuildRequires: python3dist(requests)
+BuildRequires: python3dist(gssapi)
+BuildRequires: python3dist(requests-gssapi)
+BuildRequires: python3-devel
+
+Requires: python3dist(setuptools)
+Requires: python3dist(cryptography) >= 1.2
+Requires: python3dist(requests)
+Requires: python3dist(gssapi)
+Requires: python3dist(requests-gssapi)
+
+%description -n python%{python3_pkgversion}-%{name}
+%{name} is an application for enrolling certificates through CEP and CES.
+This package provides the Python part for CEP and CES interaction.
+
+%package certmonger
+Summary: certmonger integration for %{name}
+
+
+Requires: %{name} = %{version}-%{release}
+Requires: certmonger
+
+%description certmonger
+Installing %{name}-certmonger adds %{name} as a CA configuration.
+Uninstall revert the action.
+
+%package selinux
+Summary: SELinux support for %{name}
+
+BuildRequires: selinux-policy-devel
+
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy
+Requires(post): selinux-policy-targeted
+
+%description selinux
+SELinux support for %{name}
+
+%prep
+%autosetup -p1
+
+%build
+%py3_build
+
+# Build the SELinux module(s).
+for SELINUXVARIANT in %{selinux_variants}; do
+ make %{?_smp_mflags} -C selinux clean all
+ mv -v selinux/%{name}.pp selinux/%{name}-${SELINUXVARIANT}.pp
+done
+
+%install
+%py3_install
+
+install -d %{buildroot}%{logdir}
+
+# Install the SELinux module(s).
+rm -fv selinux-files.txt
+
+for SELINUXVARIANT in %{selinux_variants}; do
+ install -d -m 755 %{buildroot}%{selinux_package_dir}/${SELINUXVARIANT}
+ bzip2 selinux/%{name}-${SELINUXVARIANT}.pp
+ MODULE_PATH=%{selinux_package_dir}/${SELINUXVARIANT}/%{modulename}.pp.bz2
+ install -p -m 644 selinux/%{name}-${SELINUXVARIANT}.pp.bz2 \
+ %{buildroot}$MODULE_PATH
+
+ echo $MODULE_PATH >> selinux-files.txt
+done
+
+# Configuration files
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/
+install -m 644 conf/cepces.conf.dist %{buildroot}%{_sysconfdir}/%{name}/cepces.conf
+install -m 644 conf/logging.conf.dist %{buildroot}%{_sysconfdir}/%{name}/logging.conf
+
+# Default logrotate file
+install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
+cat <%{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+/var/log/%{name}/*.log {
+ compress
+ delaycompress
+ missingok
+ rotate 4
+}
+EOF
+
+%check
+# Create a symlink so test can locate cepces_test
+ln -s tests/cepces_test .
+%{__python3} setup.py test
+
+%pre selinux
+for SELINUXVARIANT in %{selinux_variants}; do
+ %selinux_relabel_pre -s %{SELINUXVARIANT}
+done
+
+%post selinux
+semodule -d %{modulename} &> /dev/null || true;
+for SELINUXVARIANT in %{selinux_variants}; do
+ MODULE_PATH=%{selinux_package_dir}/${SELINUXVARIANT}/%{modulename}.pp.bz2
+ %selinux_modules_install -s %{SELINUXVARIANT} ${MODULE_PATH}
+done
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ for SELINUXVARIANT in %{selinux_variants}; do
+ %selinux_modules_uninstall -s %{SELINUXVARIANT} %{modulename}
+ semodule -e %{modulename} &> /dev/null || true;
+ done
+fi
+
+%posttrans selinux
+for SELINUXVARIANT in %{selinux_variants}; do
+ %selinux_relabel_post -s %{SELINUXVARIANT}
+done
+
+%post certmonger
+# Install the CA into certmonger.
+if [[ "$1" == "1" ]]; then
+ getcert add-ca -c %{name} \
+ -e %{_libexecdir}/certmonger/%{name}-submit >/dev/null || :
+fi
+
+%preun certmonger
+# Remove the CA from certmonger, unless it's an upgrade.
+if [[ "$1" == "0" ]]; then
+ getcert remove-ca -c %{name} >/dev/null || :
+fi
+
+%files
+%doc README.rst
+%dir %{_sysconfdir}/%{name}/
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/%{name}/logging.conf
+%attr(0700,-,-) %dir %{logdir}
+%dir %{_sysconfdir}/logrotate.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+
+%files -n python%{python3_pkgversion}-%{name}
+%license LICENSE
+%{python3_sitelib}/%{name}
+%{python3_sitelib}/%{name}-%{version}-py?.*.egg-info
+
+%files certmonger
+%{_libexecdir}/certmonger/%{name}-submit
+
+%files selinux -f selinux-files.txt
+
+%changelog
+* Sun Jul 24 2022 Ding-Yi Chen - 0.3.5-6
+- Review comment #16 addressed
+- It make more sense that -selinux and -certmonger depends on main package,
+ Not the other round
+- Recommends: logrotate
+- Supplements: -selinux, -certmonger
+
+* Wed Jul 20 2022 Ding-Yi Chen - 0.3.5-5
+- Add Pull request #19
+- Remove Pull request #17 as it is not accepted
+- Review comment #13, #14 addressed
+
+* Mon Jun 27 2022 Ding-Yi Chen - 0.3.5-4
+- Add Pull request #18
+- Replaces kerberos with gssapi
+- Replaces requests_kerberos with requests_gssapi
+
+* Fri Jun 24 2022 Ding-Yi Chen - 0.3.5-3
+- Review comment #4, #7 addressed
+
+* Wed Jun 22 2022 Ding-Yi Chen - 0.3.5-2
+- Review comment #1 addressed
+
+* Thu Jun 16 2022 Ding-Yi Chen - 0.3.5-1
+- Initial import to Fedora
+- Add logrotate
+- Applied patch for https://github.com/openSUSE/cepces/issues/15
+
+* Fri Oct 01 2021 Daniel Uvehag - 0.3.4-1
+- Fix collections deprecation
+
+* Fri Oct 01 2021 Daniel Uvehag - 0.3.4-1
+- Fix collections deprecation
+
+* Mon Jul 29 2019 Daniel Uvehag - 0.3.3-2
+- Add missing log directory
+
+* Mon Jul 29 2019 Daniel Uvehag - 0.3.3-1
+- Update to version 0.3.3-1
+
+* Mon Feb 05 2018 Daniel Uvehag - 0.3.0-1
+- Update to version 0.3.0-1
+
+* Thu Feb 01 2018 Daniel Uvehag - 0.2.1-1
+- Update to version 0.2.1-1
+
+* Mon Jun 27 2016 Daniel Uvehag - 0.1.0-1
+- Initial package.
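Review bot: `Patch0` through `Patch2` reference pull-request URLs (`.../pull/16.patch`, `.../pull/18.patch`, `.../pull/19.patch`), whose content changes whenever the pull request is updated, and the `sources` file pins only the tarball. The copies committed next to the spec are what the build applies, but nothing in the spec ties them to a fixed upstream commit for a later refresh or audit. Recording the commit ids from each patch's `From` line beside the tag, e.g. `# upstream commit c985686b9f80c363c1f24d00bfa0e381a918813b` above `Patch0:`, or switching to commit-based URLs, keeps the provenance checkable. Separately, in `%post certmonger` the `getcert add-ca ... >/dev/null || :` line discards any failure, so a CA that did not register is not visible at install time.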
diff --git a/sources b/sources
new file mode 100644
index 0000000..9ac170c
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (cepces-0.3.5.tar.gz) = 335c0aa6dcd24563a66f651e856f8cad0cd724bb10c099c0b8b11900ec1ae20ff42fd475f2d02aeb6aa532f9004d3820b5f840514721b6be64a30142ca28bed7