Initial import

2022-08-05 09:48:03 +10:00 · 2022-08-05 09:48:03 +10:00 · ac084a71fe
commit ac084a71fe
parent ef75d097f4
6 changed files with 362 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+/cepces-0.3.5.tar.gz
--- a/16.patch
+++ b/16.patch
@ -0,0 +1,23 @@
+From c985686b9f80c363c1f24d00bfa0e381a918813b Mon Sep 17 00:00:00 2001
+From: Ding-Yi Chen <dchen@redhat.com>
+Date: Tue, 14 Jun 2022 18:14:50 +1000
+Subject: [PATCH] Fixes #15 cepces.conf.dist: server should be pointed to
+ actual CEP host
+
+---
+ conf/cepces.conf.dist | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/conf/cepces.conf.dist b/conf/cepces.conf.dist
+index fe3a5a1..34f9c97 100644
+--- a/conf/cepces.conf.dist
+++ b/conf/cepces.conf.dist
+@@ -1,6 +1,6 @@
+ [global]
+-# Hostname of the issuing certification authority. This is an optional setting
+-# and is only used to construct the URL to the Policy Provider endpoint.
+# Hostname of the Certificate Enrollment Policy (CEP) Server.
+# Used to construct the URL to the CEP endpoint.
+ #
+ # Default: ca
+ server=ca
--- a/18.patch
+++ b/18.patch
@ -0,0 +1,46 @@
+From b68b7a713a2acbbb6e0ce7bc9b8ef43fb913a2a8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Thu, 23 Jun 2022 19:13:25 +0200
+Subject: [PATCH] Replace old requests_kerberos with requests_gssapi
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ cepces/soap/auth.py | 8 +++++---
+ requirements.txt    | 2 +-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/cepces/soap/auth.py b/cepces/soap/auth.py
+index bb5536d..26f549e 100644
+--- a/cepces/soap/auth.py
+++ b/cepces/soap/auth.py
+@@ -21,7 +21,8 @@
+ """This module contains SOAP related authentication."""
+ from abc import ABCMeta, abstractmethod, abstractproperty
+ import os
+-from requests_kerberos import HTTPKerberosAuth
+import gssapi
+from requests_gssapi import HTTPSPNEGOAuth
+ from cepces import Base
+ from cepces.krb5 import types as ktypes
+ from cepces.krb5.core import Context, Keytab, Principal
+@@ -117,8 +118,9 @@ def _init_ccache(self):
+         os.environ["KRB5CCNAME"] = ccache_name
+ 
+     def _init_transport(self):
+-        self._transport = HTTPKerberosAuth(principal=self._config['name'],
+-                                           delegate=True)
+        name = gssapi.Name(self._config['name'], gssapi.NameType.user)
+        creds = gssapi.Credentials(name=name, usage="initiate")
+        self._transport = HTTPSPNEGOAuth(creds=creds, delegate=True)
+ 
+     @property
+     def transport(self):
+diff --git a/requirements.txt b/requirements.txt
+index e111f9d..eb560d3 100644
+--- a/requirements.txt
+++ b/requirements.txt
+@@ -1,3 +1,3 @@
+ cryptography>=1.2
+ requests
+-requests_kerberos>=0.9
+requests_gssapi>=1.2.2
--- a/19.patch
+++ b/19.patch
@ -0,0 +1,51 @@
+From 569860e9cfc083785f18033cd96d24c453b25d09 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Mon, 11 Jul 2022 16:37:48 +0200
+Subject: [PATCH 1/2] setup: Do not install example configs
+
+Packagers should take care of installing them correctly.
+---
+ setup.py | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 480e30f..65c5ebc 100755
+--- a/setup.py
+++ b/setup.py
+@@ -69,13 +69,6 @@
+ 
+     data_files=[
+         ('/usr/local/libexec/certmonger', ['bin/cepces-submit']),
+-        (
+-            '/usr/local/etc/cepces',
+-            [
+-                'conf/cepces.conf.dist',
+-                'conf/logging.conf.dist',
+-            ]
+-        ),
+     ],
+ 
+     install_requires=[],
+
+From 0d6401a1912370010e81943c81737b4276615a26 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Mon, 11 Jul 2022 16:38:31 +0200
+Subject: [PATCH 2/2] setup: Respect the prefix the user specifies
+
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 65c5ebc..b0718d2 100755
+--- a/setup.py
+++ b/setup.py
+@@ -68,7 +68,7 @@
+     ],
+ 
+     data_files=[
+-        ('/usr/local/libexec/certmonger', ['bin/cepces-submit']),
+        ('libexec/certmonger', ['bin/cepces-submit']),
+     ],
+ 
+     install_requires=[],
--- a/cepces.spec
+++ b/cepces.spec
@ -0,0 +1,240 @@
+%global selinux_variants targeted
+%global logdir %{_localstatedir}/log/%{name}
+%global modulename %{name}
+%global selinux_package_dir %{_datadir}/selinux/packages
+
+Name:           cepces
+Version:        0.3.5
+Release:        6%{?dist}
+Summary:        Certificate Enrollment through CEP/CES
+
+License:        GPLv3+
+URL:            https://github.com/openSUSE/%{name}
+Source0:        https://github.com/openSUSE/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+
+# cepces.conf.dist: server should be pointed to actual CEP host
+# https://github.com/openSUSE/cepces/issues/15
+# Merged to master after ver 0.3.5
+Patch0:         https://patch-diff.githubusercontent.com/raw/openSUSE/%{name}/pull/16.patch
+
+# Replace old requests_kerberos with requests_gssapi
+Patch1:         https://patch-diff.githubusercontent.com/raw/openSUSE/%{name}/pull/18.patch
+
+# Cleanup for installing the project
+Patch2:         https://patch-diff.githubusercontent.com/raw/openSUSE/%{name}/pull/19.patch
+
+BuildArch:      noarch
+
+Requires:       python%{python3_pkgversion}-%{name} = %{version}-%{release}
+
+Recommends:     logrotate
+Supplements:    %{name}-certmonger%{?_isa} = %{version}-%{release}
+Supplements:    %{name}-selinux%{?_isa} = %{version}-%{release}
+
+%description
+cepces is an application for enrolling certificates through CEP and CES.
+It requires certmonger to operate.
+
+Only simple deployments using Microsoft Active Directory Certificate Services
+have been tested.
+
+%package -n python%{python3_pkgversion}-%{name}
+Summary:        Python part of %{name}
+
+BuildRequires:  python3dist(setuptools)
+BuildRequires:  python3dist(cryptography) >= 1.2
+BuildRequires:  python3dist(requests)
+BuildRequires:  python3dist(gssapi)
+BuildRequires:  python3dist(requests-gssapi)
+BuildRequires:  python3-devel
+
+Requires:       python3dist(setuptools)
+Requires:       python3dist(cryptography) >= 1.2
+Requires:       python3dist(requests)
+Requires:       python3dist(gssapi)
+Requires:       python3dist(requests-gssapi)
+
+%description -n python%{python3_pkgversion}-%{name}
+%{name} is an application for enrolling certificates through CEP and CES.
+This package provides the Python part for CEP and CES interaction.
+
+%package certmonger
+Summary:        certmonger integration for %{name}
+
+
+Requires:       %{name} = %{version}-%{release}
+Requires:       certmonger
+
+%description certmonger
+Installing %{name}-certmonger adds %{name} as a CA configuration.
+Uninstall revert the action.
+
+%package selinux
+Summary:        SELinux support for %{name}
+
+BuildRequires:  selinux-policy-devel
+
+Requires:       %{name} = %{version}-%{release}
+Requires:       selinux-policy
+Requires(post): selinux-policy-targeted
+
+%description selinux
+SELinux support for %{name}
+
+%prep
+%autosetup -p1
+
+%build
+%py3_build
+
+# Build the SELinux module(s).
+for SELINUXVARIANT in %{selinux_variants}; do
+  make %{?_smp_mflags} -C selinux clean all
+  mv -v selinux/%{name}.pp selinux/%{name}-${SELINUXVARIANT}.pp
+done
+
+%install
+%py3_install
+
+install -d  %{buildroot}%{logdir}
+
+# Install the SELinux module(s).
+rm -fv selinux-files.txt
+
+for SELINUXVARIANT in %{selinux_variants}; do
+  install -d -m 755 %{buildroot}%{selinux_package_dir}/${SELINUXVARIANT}
+  bzip2 selinux/%{name}-${SELINUXVARIANT}.pp
+  MODULE_PATH=%{selinux_package_dir}/${SELINUXVARIANT}/%{modulename}.pp.bz2
+  install -p -m 644 selinux/%{name}-${SELINUXVARIANT}.pp.bz2 \
+    %{buildroot}$MODULE_PATH
+
+  echo $MODULE_PATH >> selinux-files.txt
+done
+
+# Configuration files
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/
+install -m 644  conf/cepces.conf.dist  %{buildroot}%{_sysconfdir}/%{name}/cepces.conf
+install -m 644  conf/logging.conf.dist %{buildroot}%{_sysconfdir}/%{name}/logging.conf
+
+# Default logrotate file
+install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
+cat <<EOF>%{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+/var/log/%{name}/*.log {
+    compress
+    delaycompress
+    missingok
+    rotate 4
+}
+EOF
+
+%check
+# Create a symlink so test can locate cepces_test
+ln -s tests/cepces_test .
+%{__python3} setup.py test
+
+%pre selinux
+for SELINUXVARIANT in %{selinux_variants}; do
+  %selinux_relabel_pre -s %{SELINUXVARIANT}
+done
+
+%post selinux
+semodule -d %{modulename} &> /dev/null || true;
+for SELINUXVARIANT in %{selinux_variants}; do
+  MODULE_PATH=%{selinux_package_dir}/${SELINUXVARIANT}/%{modulename}.pp.bz2
+  %selinux_modules_install -s %{SELINUXVARIANT} ${MODULE_PATH}
+done
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+  for SELINUXVARIANT in %{selinux_variants}; do
+    %selinux_modules_uninstall -s %{SELINUXVARIANT} %{modulename}
+    semodule -e %{modulename}  &> /dev/null || true;
+  done
+fi
+
+%posttrans selinux
+for SELINUXVARIANT in %{selinux_variants}; do
+  %selinux_relabel_post -s %{SELINUXVARIANT}
+done
+
+%post certmonger
+# Install the CA into certmonger.
+if [[ "$1" == "1" ]]; then
+  getcert add-ca -c %{name} \
+    -e %{_libexecdir}/certmonger/%{name}-submit >/dev/null || :
+fi
+
+%preun certmonger
+# Remove the CA from certmonger, unless it's an upgrade.
+if [[ "$1" == "0" ]]; then
+  getcert remove-ca -c %{name} >/dev/null || :
+fi
+
+%files
+%doc README.rst
+%dir %{_sysconfdir}/%{name}/
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %{_sysconfdir}/%{name}/logging.conf
+%attr(0700,-,-) %dir %{logdir}
+%dir %{_sysconfdir}/logrotate.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+
+%files -n python%{python3_pkgversion}-%{name}
+%license LICENSE
+%{python3_sitelib}/%{name}
+%{python3_sitelib}/%{name}-%{version}-py?.*.egg-info
+
+%files certmonger
+%{_libexecdir}/certmonger/%{name}-submit
+
+%files selinux -f selinux-files.txt
+
+%changelog
+* Sun Jul 24 2022 Ding-Yi Chen <dchen@redhat.com> - 0.3.5-6
+- Review comment #16 addressed
+- It make more sense that -selinux and -certmonger depends on main package,
+  Not the other round
+- Recommends: logrotate
+- Supplements: -selinux, -certmonger
+
+* Wed Jul 20 2022 Ding-Yi Chen <dchen@redhat.com> - 0.3.5-5
+- Add Pull request #19
+- Remove Pull request #17 as it is not accepted
+- Review comment #13, #14 addressed
+
+* Mon Jun 27 2022 Ding-Yi Chen <dchen@redhat.com> - 0.3.5-4
+- Add Pull request #18
+- Replaces kerberos with gssapi
+- Replaces requests_kerberos with requests_gssapi
+
+* Fri Jun 24 2022 Ding-Yi Chen <dchen@redhat.com> - 0.3.5-3
+- Review comment #4, #7 addressed
+
+* Wed Jun 22 2022 Ding-Yi Chen <dchen@redhat.com> - 0.3.5-2
+- Review comment #1 addressed
+
+* Thu Jun 16 2022 Ding-Yi Chen <dchen@redhat.com> - 0.3.5-1
+- Initial import to Fedora
+- Add logrotate
+- Applied patch for https://github.com/openSUSE/cepces/issues/15
+
+* Fri Oct 01 2021 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.4-1
+- Fix collections deprecation
+
+* Fri Oct 01 2021 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.4-1
+- Fix collections deprecation
+
+* Mon Jul 29 2019 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.3-2
+- Add missing log directory
+
+* Mon Jul 29 2019 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.3-1
+- Update to version 0.3.3-1
+
+* Mon Feb 05 2018 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.0-1
+- Update to version 0.3.0-1
+
+* Thu Feb 01 2018 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.2.1-1
+- Update to version 0.2.1-1
+
+* Mon Jun 27 2016 Daniel Uvehag <daniel.uvehag@gmail.com> - 0.1.0-1
+- Initial package.
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (cepces-0.3.5.tar.gz) = 335c0aa6dcd24563a66f651e856f8cad0cd724bb10c099c0b8b11900ec1ae20ff42fd475f2d02aeb6aa532f9004d3820b5f840514721b6be64a30142ca28bed7
				`@ -0,0 +1 @@`
				`SHA512 (cepces-0.3.5.tar.gz) = 335c0aa6dcd24563a66f651e856f8cad0cd724bb10c099c0b8b11900ec1ae20ff42fd475f2d02aeb6aa532f9004d3820b5f840514721b6be64a30142ca28bed7`