diff --git a/.gitignore b/.gitignore index e69de29..d8b3c1a 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,8 @@ +/custodia-0.1.0.tar.gz +/custodia-0.2.0.tar.gz +/custodia-0.3.0.tar.gz +/custodia-0.3.0.tar.gz.sha512sum.txt +/custodia-0.3.1.tar.gz +/custodia-0.3.1.tar.gz.sha512sum.txt +/custodia-0.5.0.tar.gz +/custodia-0.6.0.tar.gz diff --git a/.rpmlint b/.rpmlint new file mode 100644 index 0000000..be76fa6 --- /dev/null +++ b/.rpmlint @@ -0,0 +1,5 @@ +addFilter('spelling-error.*etcdstore') +addFilter('non-readable /etc/custodia/custodia.conf') +addFilter('non-standard-dir-perm /etc/custodia') +addFilter('non-standard-dir-perm /var/lib/custodia') +addFilter('non-standard-dir-perm /var/log/custodia') diff --git a/0001-Replace-use-of-pytest-get_marker.patch b/0001-Replace-use-of-pytest-get_marker.patch new file mode 100644 index 0000000..0ff1cb5 --- /dev/null +++ b/0001-Replace-use-of-pytest-get_marker.patch @@ -0,0 +1,32 @@ +From 3d0faa10762a803d4a75e658956b5aa72bef39be Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Wed, 10 Jul 2019 10:46:59 -0400 +Subject: [PATCH] Replace use of pytest get_marker + +get_marker has been removed in pytest 4, so replace it with theiur +suggested work around. + +Signed-off-by: Simo Sorce +--- + tests/conftest.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tests/conftest.py b/tests/conftest.py +index c25e302..2dc7158 100644 +--- a/tests/conftest.py ++++ b/tests/conftest.py +@@ -34,6 +34,8 @@ def pytest_addoption(parser): + + def pytest_runtest_setup(item): + skip_servertest = item.config.getoption(SKIP_SERVERTEST) +- if skip_servertest and item.get_marker("servertest") is not None: +- # args has --skip-servertests and test is marked as servertest +- pytest.skip("Skip integration test") ++ if skip_servertest: ++ for marker in item.iter_markers(): ++ if marker.name == "servertest": ++ # args has --skip-servertests and test is marked as servertest ++ pytest.skip("Skip integration test") +-- +2.21.0 + diff --git a/custodia.conf b/custodia.conf new file mode 100644 index 0000000..5e4b584 --- /dev/null +++ b/custodia.conf @@ -0,0 +1,32 @@ +# /etc/custodia/custodia.conf +[global] +debug = true +makedirs = true + +[store:sqlite] +handler = SqliteStore +dburi = ${libdir}/secrets.db +table = secrets + +[store:encrypted_sqlite] +handler = EncryptedOverlay +backing_store = sqlite +master_key = ${libdir}/secrets.key +master_enctype = A128CBC-HS256 +autogen_master_key = true + +[auth:creds] +handler = SimpleCredsAuth +uid = root +gid = root + +[authz:paths] +handler = SimplePathAuthz +paths = /. /secrets + +[/] +handler = Root + +[/secrets] +handler = Secrets +store = encrypted_sqlite diff --git a/custodia.spec b/custodia.spec new file mode 100644 index 0000000..dedbd96 --- /dev/null +++ b/custodia.spec @@ -0,0 +1,375 @@ +%if 0%{?fedora} || 0%{?rhel} > 7 +# Enable python3 build by default +%bcond_without python3 +%else +%bcond_with python3 +%endif + +%if 0%{?fedora} > 29 || 0%{?rhel} > 7 +# Disable python2 build by default +%bcond_with python2 +%else +%bcond_without python2 +%endif + +%{!?python3_pkgversion:%global python3_pkgversion 3} + +Name: custodia +Version: 0.6.0 +Release: 13%{?dist} +Summary: A service to manage, retrieve and store secrets for other processes + +License: GPLv3+ +URL: https://github.com/latchset/%{name} +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source2: custodia.conf +Source3: custodia@.service +Source4: custodia@.socket +Source5: custodia.tmpfiles.conf + +Patch1: nonfatal_deprecation.patch +Patch2: 0001-Replace-use-of-pytest-get_marker.patch + +BuildArch: noarch + +BuildRequires: systemd + +%if 0%{?with_python2} +BuildRequires: python2-devel +BuildRequires: python2-jwcrypto >= 0.4.2 +BuildRequires: python2-requests +BuildRequires: python2-setuptools >= 18 +BuildRequires: python2-coverage +BuildRequires: python2-pytest +BuildRequires: python2-docutils +BuildRequires: python2-configparser +BuildRequires: python2-systemd +BuildRequires: tox >= 2.3.1 +%endif + +%if 0%{?with_python3} +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-jwcrypto >= 0.4.2 +BuildRequires: python%{python3_pkgversion}-requests +BuildRequires: python%{python3_pkgversion}-setuptools > 18 +BuildRequires: python%{python3_pkgversion}-coverage +BuildRequires: python%{python3_pkgversion}-pytest +BuildRequires: python%{python3_pkgversion}-docutils +BuildRequires: python%{python3_pkgversion}-systemd +%endif + +%if 0%{?with_python3} +Requires: python%{python3_pkgversion}-custodia = %{version}-%{release} +%else +Requires: python2-custodia = %{version}-%{release} +%endif + +Requires(preun): systemd-units +Requires(postun): systemd-units +Requires(post): systemd-units + + +%global overview \ +Custodia is a Secrets Service Provider, it stores or proxies access to \ +keys, password, and secret material in general. Custodia is built to \ +use the HTTP protocol and a RESTful API as an IPC mechanism over a local \ +Unix Socket. It can also be exposed to a network via a Reverse Proxy \ +service assuming proper authentication and header validation is \ +implemented in the Proxy. \ + \ +Custodia is modular, the configuration file controls how authentication, \ +authorization, storage and API plugins are combined and exposed. + + +%description +A service to manage, retrieve and store secrets for other processes + +%{overview} + +%if 0%{?with_python2} +%package -n python2-custodia +Summary: Sub-package with python2 custodia modules +%{?python_provide:%python_provide python2-%{name}} +Requires: python2-configparser +Requires: python2-jwcrypto >= 0.4.2 +Requires: python2-requests +Requires: python2-setuptools +Requires: python2-systemd +Conflicts: python2-custodia-extra < %{version} + +%description -n python2-custodia +Sub-package with python custodia modules + +%{overview} +%endif + +%if 0%{?with_python3} +%package -n python%{python3_pkgversion}-custodia +Summary: Sub-package with python3 custodia modules +%{?python_provide:%python_provide python3-%{name}} +Requires: python%{python3_pkgversion}-jwcrypto >= 0.4.2 +Requires: python%{python3_pkgversion}-requests +Requires: python%{python3_pkgversion}-setuptools +Requires: python%{python3_pkgversion}-systemd +Conflicts: python%{python3_pkgversion}-custodia-extra < %{version} + +%description -n python%{python3_pkgversion}-custodia +Sub-package with python custodia modules + +%{overview} + +%endif # with_python3 + + +%prep +%autosetup -p1 + + +%build +%if 0%{?with_python2} +%py2_build +%endif +%if 0%{?with_python3} +%py3_build +%endif + + +%check +# don't download packages +export PIP_INDEX_URL=http://host.invalid./ +# Don't try to download dnspython3. The package is provided by python%{python3_pkgversion}-dns +export PIP_NO_DEPS=yes +# Ignore all install packages to enforce installation of sdist. Otherwise tox +# may pick up this package from global site-packages instead of source dist. +export PIP_IGNORE_INSTALLED=yes + +%if 0%{?with_python2} +tox --sitepackages -e py%{python2_version_nodots} -- --skip-servertests +%endif + +%if 0%{?with_python3} +# Test custodia in a virtual environment +%{__python3} -m venv --system-site-packages testenv +testenv/bin/pip install . +testenv/bin/python -m pytest --capture=no --strict --skip-servertests +%endif + + +%install +mkdir -p %{buildroot}/%{_sbindir} +mkdir -p %{buildroot}/%{_mandir}/man7 +mkdir -p %{buildroot}/%{_defaultdocdir}/custodia +mkdir -p %{buildroot}/%{_defaultdocdir}/custodia/examples +mkdir -p %{buildroot}/%{_sysconfdir}/custodia +mkdir -p %{buildroot}/%{_unitdir} +mkdir -p %{buildroot}/%{_tmpfilesdir} +mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia +mkdir -p %{buildroot}/%{_localstatedir}/log/custodia +mkdir -p %{buildroot}/%{_localstatedir}/run/custodia + +%if 0%{?with_python2} +%py2_install +mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia +cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-2 +cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-2 +%endif + +%if 0%{?with_python3} +# overrides /usr/bin/custodia-cli and /usr/sbin/custodia with Python 3 shebang +%py3_install +mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia +cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-3 +cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3 +%endif + +install -m 644 -t "%{buildroot}/%{_mandir}/man7" man/custodia.7 +install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia" README API.md +install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia/examples" custodia.conf +install -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/custodia +install -m 644 %{SOURCE3} %{buildroot}%{_unitdir} +install -m 644 %{SOURCE4} %{buildroot}%{_unitdir} +install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/custodia.conf + + + +%pre +getent group custodia >/dev/null || groupadd -r custodia +getent passwd custodia >/dev/null || \ + useradd -r -g custodia -d / -s /sbin/nologin \ + -c "User for custodia" custodia +exit 0 + + +%post +%systemd_post custodia@\*.socket +%systemd_post custodia@\*.service + + +%preun +%systemd_preun custodia@\*.socket +%systemd_preun custodia@\*.service + + +%postun +%systemd_postun custodia@\*.socket +%systemd_postun custodia@\*.service + + +%files +%doc README API.md +%doc %{_defaultdocdir}/custodia/examples/custodia.conf +%license LICENSE +%{_mandir}/man7/custodia* +%{_sbindir}/custodia +%{_bindir}/custodia-cli +%dir %attr(0700,custodia,custodia) %{_sysconfdir}/custodia +%config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/custodia.conf +%attr(644,root,root) %{_unitdir}/custodia@.socket +%attr(644,root,root) %{_unitdir}/custodia@.service +%dir %attr(0700,custodia,custodia) %{_localstatedir}/lib/custodia +%dir %attr(0700,custodia,custodia) %{_localstatedir}/log/custodia +%dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia +%{_tmpfilesdir}/custodia.conf + +%if 0%{?with_python2} +%files -n python2-custodia +%license LICENSE +%{python2_sitelib}/%{name} +%{python2_sitelib}/%{name}-%{version}-py%{python2_version}.egg-info +%{python2_sitelib}/%{name}-%{version}-py%{python2_version}-nspkg.pth +%{_sbindir}/custodia-2 +%{_bindir}/custodia-cli-2 +%endif + +%if 0%{?with_python3} +%files -n python%{python3_pkgversion}-custodia +%license LICENSE +%{python3_sitelib}/%{name} +%{python3_sitelib}/%{name}-%{version}-py%{python3_version}.egg-info +%{python3_sitelib}/%{name}-%{version}-py%{python3_version}-nspkg.pth +%{_sbindir}/custodia-3 +%{_bindir}/custodia-cli-3 + +%endif # with_python3 + + +%changelog +* Mon Jul 27 2020 Fedora Release Engineering - 0.6.0-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 26 2020 Miro Hrončok - 0.6.0-12 +- Rebuilt for Python 3.9 + +* Tue Jan 28 2020 Fedora Release Engineering - 0.6.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Oct 03 2019 Miro Hrončok - 0.6.0-10 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Mon Aug 19 2019 Miro Hrončok - 0.6.0-9 +- Rebuilt for Python 3.8 + +* Wed Jul 24 2019 Fedora Release Engineering - 0.6.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jul 10 2019 Simo Sorce - 0.6.0-7 +- Add patch to deal with pytest4 upgrade in future fedora + +* Thu Jan 31 2019 Fedora Release Engineering - 0.6.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 09 2019 Miro Hrončok - 0.6.0-5 +- Drop Python 2 package from Fedora 30+ + +* Thu Jul 12 2018 Fedora Release Engineering - 0.6.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 29 2018 Christian Heimes - 0.6.0-3 +- Don't turn deprecation warnings into fatal errors + +* Thu Jun 28 2018 Christian Heimes - 0.6.0-2 +- Rebuild for Python 3.7 + +* Mon Jun 25 2018 Christian Heimes - 0.6.0-1 +- New upstream release 0.6.0 +- Remove etcd support +- Remove unnecesary conflict with old FreeIPA +- Make Python 2 optional + +* Tue Jun 19 2018 Miro Hrončok - 0.5.0-13 +- Rebuilt for Python 3.7 + +* Mon May 07 2018 Miro Hrončok - 0.5.0-12 +- Fix BuildRequires to require the tox command and not the python2 module + +* Fri Feb 09 2018 Igor Gnatenko - 0.5.0-11 +- Escape macros in %%changelog + +* Wed Feb 07 2018 Fedora Release Engineering - 0.5.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Aug 07 2017 Christian Heimes - 0.5.0-9 +- freeipa 4.4.4-2.fc26 and newer are compatible with custodia 0.5 +- Fix dependency to python2-jwcrypto >= 0.4.2 + +* Wed Aug 02 2017 Christian Heimes - 0.5.0-8 +- Add PIP_IGNORE_INSTALLED + +* Tue Aug 01 2017 Christian Heimes - 0.5.0-7 +- Modernize spec + +* Tue Aug 01 2017 Christian Heimes - 0.5.0-6 +- Require latest python-jwcrypto with Python 3 fix +- Use python2 prefix for all Python 2 dependencies + +* Tue Aug 01 2017 Christian Heimes - 0.5.0-5 +- Add custodia user and named systemd instances + +* Wed Jul 26 2017 Fedora Release Engineering - 0.5.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jun 20 2017 Christian Heimes - 0.5.0-3 +- Add systemd build requirement for tmpfilesdir and unitdir macros + +* Mon Jun 19 2017 Christian Heimes - 0.5.0-2 +- Skip etcd store on PPC64 +- Add missing pre/post install hooks for systemd service +- Custodia 0.5 is compatible with FreeIPA 4.4.5 and newer +- Drop custodia user from tmpfiles.d conf + +* Tue May 16 2017 Simo Sorce - 0.5.0-1 +- New Custodia version +- Drop checks on sha512sum, these checks are already done by dist-git + +* Tue Apr 11 2017 Christian Heimes - 0.3.1-3 +- Run Python 3 tests with correct Python version + +* Fri Apr 07 2017 Christian Heimes - 0.3.1-2 +- Add conflict with FreeIPA < 4.5 + +* Mon Mar 27 2017 Christian Heimes - 0.3.1-1 +- Upstream release 0.3.1 + +* Thu Mar 16 2017 Christian Heimes - 0.3.0-3 +- Provide custodia-2 and custodia-3 scripts + +* Thu Mar 02 2017 Christian Heimes - 0.3.0-2 +- Run Custodia daemon with Python 3 +- Resolves: Bug 1426737 - custodia: Provide a Python 3 subpackage + +* Wed Mar 01 2017 Christian Heimes - 0.3.0-1 +- Update to custodia 0.3.0 +- Run tests with global site packages +- Add tmpfiles.d config for /run/custodia + +* Wed Feb 22 2017 Christian Heimes - 0.2.0-4 +- Add missing runtime requirement on python[23]-systemd. +- Drop unnecesary build dependency on python%%{python3_pkgversion}-configparser. +- Fix tests, don't try to download dnspython3. + +* Fri Feb 10 2017 Fedora Release Engineering - 0.2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Dec 22 2016 Miro Hrončok - 0.2.0-2 +- Rebuild for Python 3.6 + diff --git a/custodia.tmpfiles.conf b/custodia.tmpfiles.conf new file mode 100644 index 0000000..cacc039 --- /dev/null +++ b/custodia.tmpfiles.conf @@ -0,0 +1 @@ +d /run/custodia 0755 custodia custodia diff --git a/custodia@.service b/custodia@.service new file mode 100644 index 0000000..ef539f9 --- /dev/null +++ b/custodia@.service @@ -0,0 +1,21 @@ +# /etc/systemd/system/custodia@.service + +[Unit] +Description=Custodia Secrets Service for %I +Documentation=https://github.com/latchset/custodia +Requires=custodia@%i.socket +After=network.target + +[Service] +Type=notify +ExecStart=/usr/sbin/custodia --instance=%i /etc/custodia/%i.conf +User=custodia +Group=custodia +ProtectSystem=full +ProtectHome=true +NoNewPrivileges=true +Restart=on-failure +RestartSec=30s + +[Install] +WantedBy=multi-user.target diff --git a/custodia@.socket b/custodia@.socket new file mode 100644 index 0000000..fbd0fab --- /dev/null +++ b/custodia@.socket @@ -0,0 +1,18 @@ +# /etc/systemd/system/custodia@.socket + +[Unit] +Description=Custodia Socket for %i +Documentation=https://github.com/latchset/custodia + +[Socket] +ListenStream=/var/run/custodia/%i.sock +Service=custodia@%i.service +RemoveOnStop=true +SocketUser=custodia +SocketGroup=custodia +SocketMode=0666 +PassCredentials=true +PassSecurity=true + +[Install] +WantedBy=sockets.target diff --git a/nonfatal_deprecation.patch b/nonfatal_deprecation.patch new file mode 100644 index 0000000..12fbb7f --- /dev/null +++ b/nonfatal_deprecation.patch @@ -0,0 +1,11 @@ +--- a/tests/conftest.py.orig 2018-06-29 18:06:51.296810334 +0200 ++++ b/tests/conftest.py 2018-06-29 18:06:58.691767950 +0200 +@@ -9,7 +9,7 @@ + from custodia.log import ProvisionalWarning, setup_logging + + # deprecated APIs raise an exception +-warnings.simplefilter('error', category=DeprecationWarning) ++# warnings.simplefilter('error', category=DeprecationWarning) + # ignore pytest warnings + warnings.filterwarnings('ignore', category=DeprecationWarning, + module=r'_pytest\..*') diff --git a/sources b/sources new file mode 100644 index 0000000..6ed26a6 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (custodia-0.6.0.tar.gz) = 1938f4020240a759963b888bc45fa67969da712675e20360d9ad6e2e420da40a95d49e93a72e2278a21154a910eb702b5c45c184879c472e32fbf79a3f88ca21