diff --git a/.gitignore b/.gitignore
index 76101d0..bcc0b54 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,10 +24,23 @@
 /pki-11.0.0-alpha2.tar.gz
 /pki-11.0.0-beta1.tar.gz
 /pki-11.0.0.tar.gz
+/pki-11.0.1.tar.gz
+/pki-11.0.3.tar.gz
 /pki-11.1.0-alpha2.tar.gz
 /pki-11.1.0.tar.gz
 /pki-11.2.0-beta1.tar.gz
 /pki-11.2.0-beta2.tar.gz
+/pki-11.2.0-beta3.tar.gz
 /pki-11.2.0.tar.gz
+/pki-11.2.1.tar.gz
+/pki-11.3.0-beta1.tar.gz
+/pki-11.3.0.tar.gz
 /pki-11.3.1.tar.gz
+/pki-11.4.2.tar.gz
 /pki-11.4.3.tar.gz
+/pki-11.5.0-alpha4.tar.gz
+/pki-11.5.0-alpha5.tar.gz
+/pki-11.5.0-alpha6.tar.gz
+/pki-11.5.0-alpha7.tar.gz
+/pki-11.5.0-alpha8.tar.gz
+/pki-11.5.0.tar.gz
diff --git a/0001-Handle-removal-of-ConfigParser.readfp-in-Python-3.12.patch b/0001-Handle-removal-of-ConfigParser.readfp-in-Python-3.12.patch
deleted file mode 100644
index 53ff4bc..0000000
--- a/0001-Handle-removal-of-ConfigParser.readfp-in-Python-3.12.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 584e9f2c07b6e23e92c09a34b0a3cb8107d696da Mon Sep 17 00:00:00 2001
-From: Adam Williamson
-Date: Tue, 4 Jul 2023 16:02:41 -0700
-Subject: [PATCH] Handle removal of ConfigParser.readfp() in Python 3.12
-
-Per https://docs.python.org/3.12/whatsnew/3.12.html#removed ,
-configparser.ConfigParser.readfp() is removed in Python 3.12.
-Assuming we still want to keep Python 2 compatibility, since
-there are still a bunch of uses of six in the codebase, I've
-changed this to do it the same way as it's done in freeipa
-ipaserver/install/certs.py, using readfp on Python 2 and
-read_file on Python 3.
-
-Signed-off-by: Adam Williamson
----
- base/server/python/pki/server/deployment/pkiparser.py | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index 25322cbf4..d8143237f 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -29,6 +29,7 @@ import logging
- import os
- import string
-
-+import six
- from six.moves import input # pylint: disable=W0622,F0401
- from six.moves import configparser # pylint: disable=F0401
- from six.moves.urllib.parse import urlparse # pylint: disable=F0401,E0611
-@@ -342,7 +343,10 @@ class PKIConfigParser:
- self.deployer.user_config.optionxform = str
-
- with open(config.default_deployment_cfg, encoding='utf-8') as f:
-- self.deployer.main_config.readfp(f)
-+ if six.PY2:
-+ self.deployer.main_config.readfp(f)
-+ else:
-+ self.deployer.main_config.read_file(f)
-
- self.deployer.flatten_master_dict()
-
---
-2.41.0
-
diff --git a/dogtag-pki.rpmlintrc b/dogtag-pki.rpmlintrc
index d32e066..58373b6 100644
--- a/dogtag-pki.rpmlintrc
+++ b/dogtag-pki.rpmlintrc
@@ -1 +1,4 @@
 addFilter('W: spelling-error')
+addFilter('W: dangling-symlink')
+addFilter('W: no-manual-page-for-binary')
+addFilter('W: log-files-without-logrotate')
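Review bot: The three added filters in dogtag-pki.rpmlintrc match on the warning name alone, so each warning class is silenced for every file in every subpackage. A dangling symlink or an unrotated log directory introduced by a later change would then pass rpmlint without notice. `addFilter` takes a regular expression, so each entry can be narrowed to the path that is known to trigger it, for example `addFilter('W: dangling-symlink <KNOWN_PATH_PLACEHOLDER>')`. A one-line comment above each filter saying why the warning is expected would make the exceptions auditable.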
diff --git a/dogtag-pki.spec b/dogtag-pki.spec index 543f848..ae63b92 100644 --- a/dogtag-pki.spec +++ b/dogtag-pki.spec @@ -2,19 +2,19 @@ Name: dogtag-pki ################################################################################ -%global product_name Dogtag PKI -%global product_id dogtag-pki -%global theme dogtag +%global product_name IDM PKI +%global product_id idm-pki +%undefine theme # Upstream version number: %global major_version 11 -%global minor_version 4 -%global update_version 3 +%global minor_version 5 +%global update_version 0 # Downstream release number: # - development/stabilization (unsupported): 0. where n >= 1 # - GA/update (supported): where n >= 1 -%global release_number 2 +%global release_number 1 # Development phase: # - development (unsupported): alpha where n >= 1 @@ -30,7 +30,7 @@ URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPL-2.0-only and LGPL-2.0-only Version: %{major_version}.%{minor_version}.%{update_version} -Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist}.4 +Release: %{release_number}%{?phase:.}%{?phase}%{?timestamp:.}%{?timestamp}%{?commit_id:.}%{?commit_id}%{?dist} # To create a tarball from a version tag: # $ git archive \ @@ -47,11 +47,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?phase:-}%{?phase} # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -# https://github.com/dogtagpki/pki/pull/4494 -# Fix pkiparser.py to work with Python 3.12 -Patch0: 0001-Handle-removal-of-ConfigParser.readfp-in-Python-3.12.patch - -%if 0%{?fedora} > 35 || 0%{?rhel} > 9 +%if 0%{?java_arches:1} ExclusiveArch: %{java_arches} %else ExcludeArch: i686 
@@ -63,12 +59,6 @@ ExcludeArch: i686 %global p11_kit_trust /usr/lib64/pkcs11/p11-kit-trust.so -################################################################################ -# Python -################################################################################ - -%global python_executable /usr/bin/python3 - ################################################################################ # Java ################################################################################ @@ -91,6 +81,8 @@ ExcludeArch: i686 %bcond_without test # Build the package unless --without is specified. +# For idm-pki do not build the following packages: +# ocsp, tks, tps, javadoc, theme, tests, debug %bcond_without base %bcond_without server @@ -98,25 +90,14 @@ ExcludeArch: i686 %bcond_without ca %bcond_without est %bcond_without kra -%if 0%{?rhel} %bcond_with ocsp %bcond_with tks %bcond_with tps %bcond_with javadoc %bcond_with theme -%bcond_with meta -%bcond_with tests -%bcond_with debug -%else -%bcond_without ocsp -%bcond_without tks -%bcond_without tps -%bcond_without javadoc -%bcond_without theme %bcond_without meta -%bcond_without tests +%bcond_with tests %bcond_without debug -%endif # Don't build console unless --with console is specified. %bcond_with console 
@@ -188,17 +169,23 @@ BuildRequires: mvn(org.apache.commons:commons-lang3) BuildRequires: mvn(commons-logging:commons-logging) BuildRequires: mvn(commons-net:commons-net) BuildRequires: mvn(org.slf4j:slf4j-api) -BuildRequires: mvn(org.slf4j:slf4j-jdk14) -BuildRequires: mvn(junit:junit) -BuildRequires: pki-resteasy >= 3.0.26 -BuildRequires: jss = 5.4 -BuildRequires: tomcatjss = 8.4 -BuildRequires: ldapjdk = 5.4 - -BuildRequires: tomcat >= 1:9.0.31 +BuildRequires: mvn(xml-apis:xml-apis) +BuildRequires: mvn(xml-resolver:xml-resolver) +BuildRequires: mvn(org.junit.jupiter:junit-jupiter-api) +BuildRequires: mvn(org.jboss.resteasy:resteasy-client) +BuildRequires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) +BuildRequires: mvn(org.jboss.resteasy:resteasy-jaxrs) +BuildRequires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) +BuildRequires: mvn(org.apache.tomcat:tomcat-catalina) >= 9.0.62 +BuildRequires: mvn(org.apache.tomcat:tomcat-servlet-api) >= 9.0.62 +BuildRequires: mvn(org.apache.tomcat:tomcat-jaspic-api) >= 9.0.62 +BuildRequires: mvn(org.apache.tomcat:tomcat-util-scan) >= 9.0.62 +BuildRequires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0 +BuildRequires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0 +BuildRequires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0 # Python build dependencies -BuildRequires: python3 >= 3.9 +BuildRequires: python3 >= 3.6 BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: python3-cryptography @@ -235,8 +222,8 @@ BuildRequires: freeipa-healthcheck-core BuildRequires: nss-tools BuildRequires: openssl -# description for top-level package (if there is no separate meta package) -%if %{without meta} +# description for top-level package (if there is a separate meta package) +%if "%{name}" != "%{product_id}" %description %{product_name} is an enterprise software system designed 
@@ -252,8 +239,9 @@ to manage enterprise Public Key Infrastructure deployments. * Automatic Certificate Management Environment (ACME) Responder * Enrollment over Secure Transport (EST) Responder -%else +%endif +%if %{with meta} %if "%{name}" != "%{product_id}" ################################################################################ %package -n %{product_id} 
@@ -268,26 +256,69 @@ Obsoletes: pki-console < %{version} Obsoletes: pki-console-theme < %{version} Obsoletes: idm-console-framework < 2.0 -# Make certain that this 'meta' package requires the latest version(s) -# of ALL PKI theme packages -Requires: %{product_id}-theme = %{version}-%{release} +%if %{with base} +Requires: %{product_id}-base = %{version}-%{release} +Requires: python3-%{product_id} = %{version}-%{release} +Requires: %{product_id}-java = %{version}-%{release} +Requires: %{product_id}-tools = %{version}-%{release} +%endif -# Make certain that this 'meta' package requires the latest version(s) -# of ALL PKI core packages +%if %{with server} +Requires: %{product_id}-server = %{version}-%{release} +%endif + +%if %{with acme} Requires: %{product_id}-acme = %{version}-%{release} -Requires: %{product_id}-ca = %{version}-%{release} -Requires: %{product_id}-est = %{version}-%{release} -Requires: %{product_id}-kra = %{version}-%{release} -Requires: %{product_id}-ocsp = %{version}-%{release} -Requires: %{product_id}-tks = %{version}-%{release} -Requires: %{product_id}-tps = %{version}-%{release} +%endif +%if %{with ca} +Requires: %{product_id}-ca = %{version}-%{release} +%endif + +%if %{with est} +Requires: %{product_id}-est = %{version}-%{release} +%endif + +%if %{with kra} +Requires: %{product_id}-kra = %{version}-%{release} +%endif + +%if %{with ocsp} +Requires: %{product_id}-ocsp = %{version}-%{release} +%endif + +%if %{with tks} +Requires: %{product_id}-tks = %{version}-%{release} +%endif + +%if %{with tps} +Requires: %{product_id}-tps = %{version}-%{release} +%endif + +%if %{with javadoc} Requires: %{product_id}-javadoc = %{version}-%{release} +%endif + +%if %{with console} +Requires: %{product_id}-console = %{version}-%{release} +%endif + +%if %{with theme} +Requires: %{product_id}-theme = %{version}-%{release} +%if %{with console} +Requires: %{product_id}-console-theme = %{version}-%{release} +%endif +%endif + +%if %{with tests} +Requires: 
%{product_id}-tests = %{version}-%{release} +%endif # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI clients -- except for s390/s390x where 'esc' is not built +# and for idm-pki. %ifnarch s390 s390x -Requires: esc >= 1.1.1 +#Requires: esc >= 1.1.1 %endif # description for top-level package (unless there is a separate meta package) @@ -353,7 +384,7 @@ Provides: pki-base-python3 = %{version}-%{release} %{?python_provide:%python_provide python3-pki} Requires: %{product_id}-base = %{version}-%{release} -Requires: python3 >= 3.9 +Requires: python3 >= 3.6 Requires: python3-cryptography Requires: python3-ldap Requires: python3-lxml @@ -385,10 +416,12 @@ Requires: mvn(commons-logging:commons-logging) Requires: mvn(commons-net:commons-net) Requires: mvn(org.slf4j:slf4j-api) Requires: mvn(org.slf4j:slf4j-jdk14) -Requires: jss = 5.4 -Requires: ldapjdk = 5.4 +Requires: mvn(org.jboss.resteasy:resteasy-client) +Requires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) +Requires: mvn(org.jboss.resteasy:resteasy-jaxrs) +Requires: mvn(org.dogtagpki.jss:jss-base) >= 5.5.0 +Requires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.5.0 Requires: %{product_id}-base = %{version}-%{release} -Requires: pki-resteasy >= 3.0.26 %description -n %{product_id}-java This package provides common and client libraries for Java. @@ -440,6 +473,8 @@ Requires: openldap-clients Requires: openssl Requires: %{product_id}-tools = %{version}-%{release} +Requires: %{java_devel} + Requires: keyutils Requires: policycoreutils-python-utils 
@@ -450,13 +485,14 @@ Requires: python3-policycoreutils Requires: selinux-policy-targeted >= 3.13.1-159 -Requires: tomcat >= 1:9.0.31 +Requires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) +Requires: tomcat >= 1:9.0.62 +Requires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.5.0 Requires: systemd Requires(post): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss = 8.4 # pki-healthcheck depends on the following library %if 0%{?rhel} @@ -729,12 +765,12 @@ This package provides %{product_name} API documentation. Summary: %{product_name} Console Package BuildArch: noarch -BuildRequires: idm-console-framework >= 2.0 +BuildRequires: mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0 Obsoletes: pki-console < %{version}-%{release} Provides: pki-console = %{version}-%{release} -Requires: idm-console-framework >= 2.0 +Requires: mvn(org.dogtagpki.console-framework:console-framework) >= 2.1.0 Requires: %{product_id}-java = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release} @@ -758,9 +794,11 @@ Provides: pki-server-theme = %{version}-%{release} Obsoletes: %{product_id}-server-theme < %{version}-%{release} Provides: %{product_id}-server-theme = %{version}-%{release} -%if 0%{?fedora} > 38 || 0%{?rhel} > 9 +%if 0%{?fedora} > 38 +BuildRequires: fontawesome4-fonts-web Requires: fontawesome4-fonts-web %else +BuildRequires: fontawesome-fonts-web Requires: fontawesome-fonts-web %endif 
@@ -823,6 +861,91 @@ This package provides test suite for %{product_name}. %autosetup -n pki-%{version}%{?phase:-}%{?phase} -p 1 +%if ! %{with base} +%pom_disable_module common base +%pom_disable_module tools base +%endif + +%if ! %{with server} +%pom_disable_module tomcat base +%pom_disable_module tomcat-9.0 base +%pom_disable_module server base +%pom_disable_module server-webapp base +%endif + +%if ! %{with ca} +%pom_disable_module ca base +%endif + +%if ! %{with kra} +%pom_disable_module kra base +%endif + +%if ! %{with ocsp} +%pom_disable_module ocsp base +%endif + +%if ! %{with tks} +%pom_disable_module tks base +%endif + +%if ! %{with tps} +%pom_disable_module tps base +%endif + +%if ! %{with acme} +%pom_disable_module acme base +%endif + +%if ! %{with est} +%pom_disable_module est base +%endif + +%if ! %{with console} +%pom_disable_module console base +%endif + +# flatten-maven-plugin is not available in RPM +%pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin + +# specify Maven artifact locations +%mvn_file org.dogtagpki.pki:pki-common pki/pki-common +%mvn_file org.dogtagpki.pki:pki-tools pki/pki-tools +%mvn_file org.dogtagpki.pki:pki-server pki/pki-server +%mvn_file org.dogtagpki.pki:pki-server-webapp pki/pki-server-webapp +%mvn_file org.dogtagpki.pki:pki-tomcat pki/pki-tomcat +%mvn_file org.dogtagpki.pki:pki-tomcat-9.0 pki/pki-tomcat-9.0 +%mvn_file org.dogtagpki.pki:pki-ca pki/pki-ca +%mvn_file org.dogtagpki.pki:pki-kra pki/pki-kra +%mvn_file org.dogtagpki.pki:pki-ocsp pki/pki-ocsp +%mvn_file org.dogtagpki.pki:pki-tks pki/pki-tks +%mvn_file org.dogtagpki.pki:pki-tps pki/pki-tps +%mvn_file org.dogtagpki.pki:pki-acme pki/pki-acme +%mvn_file org.dogtagpki.pki:pki-est pki/pki-est + +%if %{with console} +%mvn_file org.dogtagpki.pki:pki-console pki/pki-console +%endif + +# specify Maven artifact packages +%mvn_package org.dogtagpki.pki:pki-common pki-java +%mvn_package org.dogtagpki.pki:pki-tools pki-tools +%mvn_package org.dogtagpki.pki:pki-server 
pki-server +%mvn_package org.dogtagpki.pki:pki-server-webapp pki-server +%mvn_package org.dogtagpki.pki:pki-tomcat pki-server +%mvn_package org.dogtagpki.pki:pki-tomcat-9.0 pki-server +%mvn_package org.dogtagpki.pki:pki-ca pki-ca +%mvn_package org.dogtagpki.pki:pki-kra pki-kra +%mvn_package org.dogtagpki.pki:pki-ocsp pki-ocsp +%mvn_package org.dogtagpki.pki:pki-tks pki-tks +%mvn_package org.dogtagpki.pki:pki-tps pki-tps +%mvn_package org.dogtagpki.pki:pki-acme pki-acme +%mvn_package org.dogtagpki.pki:pki-est pki-est + +%if %{with console} +%mvn_package org.dogtagpki.pki:pki-console pki-console +%endif + ################################################################################ %build ################################################################################ 
@@ -831,6 +954,81 @@ This package provides test suite for %{product_name}. # (see /usr/lib/rpm/macros.d/macros.cmake) %set_build_flags +export JAVA_HOME=%{java_home} + +# build Java binaries and run unit tests with Maven +%mvn_build %{!?with_test:-f} -j + +# create links to Maven-built JAR files for CMake +mkdir -p %{_vpath_builddir}/dist +pushd %{_vpath_builddir}/dist + +%if %{with base} +ln -sf ../../base/common/target/pki-common.jar +ln -sf ../../base/tools/target/pki-tools.jar +%endif + +%if %{with server} +ln -sf ../../base/tomcat/target/pki-tomcat.jar +ln -sf ../../base/tomcat-9.0/target/pki-tomcat-9.0.jar +ln -sf ../../base/server/target/pki-server.jar +ln -sf ../../base/server-webapp/target/pki-server-webapp.jar +%endif + +%if %{with ca} +ln -sf ../../base/ca/target/pki-ca.jar +%endif + +%if %{with kra} +ln -sf ../../base/kra/target/pki-kra.jar +%endif + +%if %{with ocsp} +ln -sf ../../base/ocsp/target/pki-ocsp.jar +%endif + +%if %{with tks} +ln -sf ../../base/tks/target/pki-tks.jar +%endif + +%if %{with tps} +ln -sf ../../base/tps/target/pki-tps.jar +%endif + +%if %{with acme} +ln -sf ../../base/acme/target/pki-acme.jar +%endif + +%if %{with est} +ln -sf ../../base/est/target/pki-est.jar +%endif + +%if %{with console} +ln -sf ../../base/console/target/pki-console.jar +%endif + +popd + +# Remove all symbol table and relocation information from the executable. 
+C_FLAGS="-s" + +%if 0%{?fedora} +# https://sourceware.org/annobin/annobin.html/Test-gaps.html +C_FLAGS="$C_FLAGS -fplugin=annobin" + +# https://sourceware.org/annobin/annobin.html/Test-cf-protection.html +C_FLAGS="$C_FLAGS -fcf-protection=full" + +# https://sourceware.org/annobin/annobin.html/Test-optimization.html +C_FLAGS="$C_FLAGS -O2" + +# https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html +C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS" + +# https://sourceware.org/annobin/annobin.html/Test-lto.html +C_FLAGS="$C_FLAGS -fno-lto" +%endif + pkgs=base\ %{?with_server:,server}\ %{?with_ca:,ca}\ @@ -846,6 +1044,7 @@ pkgs=base\ %{?with_tests:,tests}\ %{?with_debug:,debug} +# build PKI console, Javadoc, and native binaries with CMake ./build.sh \ %{?_verbose:-v} \ --product-name="%{product_name}" \ 
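Review bot: The hardening-related flags in the %build hunk (`-fplugin=annobin`, `-fcf-protection=full`, `-D_GLIBCXX_ASSERTIONS`) are appended only inside `%if 0%{?fedora}`, so on any other build target `C_FLAGS` is just `-s` when it is passed as `--c-flags="$C_FLAGS"`. Whether build.sh merges that value with the flags exported by `%set_build_flags` or replaces them is not visible in this diff; if it replaces them, the native binaries on non-Fedora builds lose the distribution's default hardening. `-s` also strips symbols at link time, which normally leaves nothing for RPM's debuginfo extraction. I would seed the variable from the distribution flags, e.g. `C_FLAGS="%{build_cflags}"`, keep the Fedora-only additions, and drop `-s`.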
@@ -860,36 +1059,32 @@ pkgs=base\ --sysconf-dir=%{_sysconfdir} \ --share-dir=%{_datadir} \ --cmake=%{__cmake} \ + --c-flags="$C_FLAGS" \ --java-home=%{java_home} \ --jni-dir=%{_jnidir} \ --unit-dir=%{_unitdir} \ --python=%{python3} \ --python-dir=%{python3_sitelib} \ + --without-java \ --with-pkgs=$pkgs \ %{?with_console:--with-console} \ - %{!?with_test:--without-test} \ + --without-test \ dist ################################################################################ %install ################################################################################ +# install Java binaries +%mvn_install + +# install PKI console, Javadoc, and native binaries ./build.sh \ %{?_verbose:-v} \ --work-dir=%{_vpath_builddir} \ --install-dir=%{buildroot} \ install -# Unbundle the FontAwesome fonts -rm %{buildroot}%{_datadir}/pki/common-ui/fonts/fontawesome-webfont.woff -%if 0%{?fedora} > 38 || 0%{?rhel} > 9 -ln -s ../../../fonts/fontawesome4/fontawesome-webfont.woff \ - %{buildroot}%{_datadir}/pki/common-ui/fonts/fontawesome-webfont.woff -%else -ln -s ../../../fonts/fontawesome/fontawesome-webfont.woff \ - %{buildroot}%{_datadir}/pki/common-ui/fonts/fontawesome-webfont.woff -%endif - %if %{with server} %pre -n %{product_id}-server 
@@ -942,16 +1137,36 @@ then systemctl daemon-reload fi +# Update the fapolicy rules for each PKI server instance +for instance in $(ls /var/lib/pki) +do + target="/etc/fapolicyd/rules.d/61-pki-$instance.rules" + + sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \ + /usr/share/pki/server/etc/fapolicy.rules \ + > $target + + chown root:fapolicyd $target + chmod 644 $target +done + +# Restart fapolicy daemon if it's active +status=$(systemctl is-active fapolicyd) +if [ "$status" = "active" ] +then + systemctl restart fapolicyd +fi + # with server %endif %if %{with meta} %if "%{name}" != "%{product_id}" ################################################################################ -%files -n %{product_id} +%files -n %{product_id} -f .mfiles ################################################################################ %else -%files +%files -f .mfiles %endif %doc %{_datadir}/doc/pki/README @@ -987,15 +1202,13 @@ fi %{_mandir}/man8/pki-upgrade.8.gz ################################################################################ -%files -n %{product_id}-java +%files -n %{product_id}-java -f .mfiles-pki-java ################################################################################ %license base/common/LICENSE %license base/common/LICENSE.LESSER %{_datadir}/pki/examples/java/ %{_datadir}/pki/lib/*.jar -%dir %{_javadir}/pki -%{_javadir}/pki/pki-common.jar ################################################################################ %files -n python3-%{product_id} @@ -1009,7 +1222,7 @@ fi %{python3_sitelib}/pki ################################################################################ -%files -n %{product_id}-tools +%files -n %{product_id}-tools -f .mfiles-pki-tools ################################################################################ %license base/tools/LICENSE 
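Review bot: The new %post loop writes to /etc/fapolicyd/rules.d without checking that the directory or the template /usr/share/pki/server/etc/fapolicy.rules exists, so on a host without fapolicyd the redirect and the `chown root:fapolicyd` fail on every instance. It also iterates over `$(ls /var/lib/pki)` and expands `$instance` and `$target` unquoted, so an entry name with whitespace or a sed-special character such as `&` yields a wrong path or a wrong rule in a file that fapolicyd loads as policy. I would guard on the directory and template, glob instead of parsing `ls`, skip names that would need escaping, and quote every expansion, as sketched below. The scriptlet starts above this hunk.

```spec
# Update the fapolicy rules for each PKI server instance
if [ -d /etc/fapolicyd/rules.d ] && [ -f /usr/share/pki/server/etc/fapolicy.rules ]
then
    for dir in /var/lib/pki/*/
    do
        [ -d "$dir" ] || continue
        instance=$(basename "$dir")

        # skip names that would need escaping in the sed replacement
        case "$instance" in
            *[!A-Za-z0-9._-]*) continue ;;
        esac

        target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"

        sed -e "s|\[WORK_DIR\]|/var/lib/pki/$instance/work|g" \
            /usr/share/pki/server/etc/fapolicy.rules \
            > "$target"

        chown root:fapolicyd "$target"
        chmod 644 "$target"
    done
fi

# … unchanged: restart fapolicyd if it is active …
```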
@@ -1032,7 +1245,6 @@ fi %{_bindir}/CMCRevoke %{_bindir}/CMCSharedToken %{_bindir}/CRMFPopClient -%{_bindir}/DRMTool %{_bindir}/ExtJoiner %{_bindir}/GenExtKeyUsage %{_bindir}/GenIssuerAltNameExt @@ -1046,10 +1258,8 @@ fi %{_bindir}/PrettyPrintCert %{_bindir}/PrettyPrintCrl %{_bindir}/TokenInfo -%{_javadir}/pki/pki-tools.jar %{_datadir}/pki/tools/ %{_datadir}/pki/lib/p11-kit-trust.so -%{_libdir}/tps/libtps.so %{_mandir}/man1/AtoB.1.gz %{_mandir}/man1/AuditVerify.1.gz %{_mandir}/man1/BtoA.1.gz @@ -1057,7 +1267,6 @@ fi %{_mandir}/man1/CMCRequest.1.gz %{_mandir}/man1/CMCSharedToken.1.gz %{_mandir}/man1/CMCResponse.1.gz -%{_mandir}/man1/DRMTool.1.gz %{_mandir}/man1/KRATool.1.gz %{_mandir}/man1/PrettyPrintCert.1.gz %{_mandir}/man1/PrettyPrintCrl.1.gz @@ -1087,7 +1296,7 @@ fi %if %{with server} ################################################################################ -%files -n %{product_id}-server +%files -n %{product_id}-server -f .mfiles-pki-server ################################################################################ %license base/common/THIRD_PARTY_LICENSES @@ -1116,8 +1325,6 @@ fi %dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target -%{_javadir}/pki/pki-server.jar -%{_javadir}/pki/pki-tomcat.jar %dir %{_sharedstatedir}/pki %{_mandir}/man1/pkidaemon.1.gz %{_mandir}/man5/pki_default.cfg.5.gz 
@@ -1142,20 +1349,15 @@ fi %{_mandir}/man8/pki-healthcheck.8.gz %{_datadir}/pki/setup/ %{_datadir}/pki/server/ -%if %{without theme} -%exclude %{_datadir}/pki/CS_SERVER_VERSION -%exclude %{_datadir}/pki/common-ui/ -%endif # with server %endif %if %{with acme} ################################################################################ -%files -n %{product_id}-acme +%files -n %{product_id}-acme -f .mfiles-pki-acme ################################################################################ -%{_javadir}/pki/pki-acme.jar %{_datadir}/pki/acme/ # with acme @@ -1163,11 +1365,10 @@ fi %if %{with ca} ################################################################################ -%files -n %{product_id}-ca +%files -n %{product_id}-ca -f .mfiles-pki-ca ################################################################################ %license base/ca/LICENSE -%{_javadir}/pki/pki-ca.jar %{_datadir}/pki/ca/ # with ca @@ -1175,10 +1376,9 @@ fi %if %{with est} ################################################################################ -%files -n %{product_id}-est +%files -n %{product_id}-est -f .mfiles-pki-est ################################################################################ -%{_javadir}/pki/pki-est.jar %{_datadir}/pki/est/ # with est @@ -1186,11 +1386,10 @@ fi %if %{with kra} ################################################################################ -%files -n %{product_id}-kra +%files -n %{product_id}-kra -f .mfiles-pki-kra ################################################################################ %license base/kra/LICENSE -%{_javadir}/pki/pki-kra.jar %{_datadir}/pki/kra/ # with kra 
@@ -1198,11 +1397,10 @@ fi %if %{with ocsp} ################################################################################ -%files -n %{product_id}-ocsp +%files -n %{product_id}-ocsp -f .mfiles-pki-ocsp ################################################################################ %license base/ocsp/LICENSE -%{_javadir}/pki/pki-ocsp.jar %{_datadir}/pki/ocsp/ # with ocsp @@ -1210,11 +1408,10 @@ fi %if %{with tks} ################################################################################ -%files -n %{product_id}-tks +%files -n %{product_id}-tks -f .mfiles-pki-tks ################################################################################ %license base/tks/LICENSE -%{_javadir}/pki/pki-tks.jar %{_datadir}/pki/tks/ # with tks @@ -1222,11 +1419,10 @@ fi %if %{with tps} ################################################################################ -%files -n %{product_id}-tps +%files -n %{product_id}-tps -f .mfiles-pki-tps ################################################################################ %license base/tps/LICENSE -%{_javadir}/pki/pki-tps.jar %{_datadir}/pki/tps/ %{_mandir}/man5/pki-tps-connector.5.gz %{_mandir}/man5/pki-tps-profile.5.gz @@ -1246,12 +1442,11 @@ fi %if %{with console} ################################################################################ -%files -n %{product_id}-console +%files -n %{product_id}-console -f .mfiles-pki-console ################################################################################ %license base/console/LICENSE %{_bindir}/pkiconsole -%{_javadir}/pki/pki-console.jar # with console %endif @@ -1263,6 +1458,8 @@ fi %license themes/%{theme}/common-ui/LICENSE %dir %{_datadir}/pki + +%if %{with server} %{_datadir}/pki/CS_SERVER_VERSION %{_datadir}/pki/common-ui/ %{_datadir}/pki/server/webapps/pki/ca 
@@ -1275,6 +1472,9 @@ fi %{_datadir}/pki/server/webapps/pki/pki.properties %{_datadir}/pki/server/webapps/pki/tks +# with server +%endif + %if %{with console} ################################################################################ %files -n %{product_id}-console-theme 
@@ -1301,79 +1501,5 @@ fi ################################################################################ %changelog -* Wed Jan 24 2024 Fedora Release Engineering - 11.4.3-2.4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 11.4.3-2.3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Nov 29 2023 Yaakov Selkowitz - 11.4.3-2.2 -- Disable unwanted components in RHEL builds -- Update conditionals for RHEL 10 - -* Wed Jul 19 2023 Fedora Release Engineering - 11.4.3-2.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Tue Jul 04 2023 Adam Williamson - 11.4.3-2.fc39 -- Backport PR #4494 to fix pkiparser.py with Python 3.12 - -* Wed Jun 28 2023 Python Maint - 11.4.3-1.fc39.1 -- Rebuilt for Python 3.12 - -* Mon Feb 27 2023 Jerry James - 11.3.1-2 -- Unbundle the FontAwesome font - -* Tue Feb 07 2023 Dogtag PKI Team - 11.3.1-1 -- Rebase to PKI 11.3.1 - -* Fri Jan 20 2023 Marian Koncek - 11.2.0-3 -- Resolve jar paths using xmvn - -* Thu Jan 19 2023 Fedora Release Engineering - 11.2.0-2.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Jul 29 2022 Adam Williamson - 11.2.0-2 -- Backport fix to work with python-ldap 3.4.2 (#2112243) - -* Thu Jul 21 2022 Fedora Release Engineering - 11.2.0-1.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Fri Jul 01 2022 Dogtag PKI Team - 11.2.0-1 -- Rebase to PKI 11.2.0 - -* Thu Jun 16 2022 Python Maint - 11.2.0-0.3.beta2.1 -- Rebuilt for Python 3.11 - -* Mon May 02 2022 Dogtag PKI Team - 11.2.0-0.3.beta2 -- Rebase to PKI 11.2.0-beta2 - -* Tue Apr 12 2022 Dogtag PKI Team - 11.2.0-0.2.beta1 -- Rebase to PKI 11.2.0-beta1 - -* Mon Feb 14 2022 Dogtag PKI Team - 11.1.0-1 -- Rebase to PKI 11.1.0 - -* Sat Feb 05 2022 Jiri Vanek - 11.1.0-0.3.alpha2 -- Rebuilt for java-17-openjdk as system jdk - -* Thu Jan 20 2022 Fedora Release Engineering - 11.1.0-0.2.alpha2 -- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Fri Nov 26 2021 Dogtag PKI Team - 11.1.0-0.1.alpha2 -- Rebase to PKI 11.1.0-alpha2 - -* Thu Sep 30 2021 Dogtag PKI Team - 11.0.0-1 -- Rebase to PKI 11.0.0 -- Bug #1999052 - pki instance creation fails for IPA server - -* Fri Sep 03 2021 Dogtag PKI Team - 11.0.0-0.4.beta1 -- Rebase to PKI 11.0.0-beta1 - -* Thu Aug 12 2021 Dogtag PKI Team - 11.0.0-0.3.alpha2 -- Rebase to PKI 11.0.0-alpha2 - -* Wed Jul 21 2021 Fedora Release Engineering - 11.0.0-0.2.alpha1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Tue Jun 22 2021 Dogtag PKI Team - 11.0.0-0.1.alpha1 -- Rebase to PKI 11.0.0-alpha1 +* Thu Apr 25 2024 Red Hat PKI Team - 11.5.0-1 +- Rebase to PKI 11.5.0 diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..366e5ab --- /dev/null +++ b/gating.yaml @@ -0,0 +1,8 @@ +# recipients: rhcs-team +--- !Policy +product_versions: + - rhel-9 +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional} diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..343cd05 --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,8 @@ +--- +specname: + match: suffix +runpath: + allowed_paths: + - /usr/lib64/tps +inspections: + javabytecode: off diff --git a/sources b/sources index 8618204..e4e8cf5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (pki-11.4.3.tar.gz) = 0d078ba1021c845bc73e31a50b55d43ab9d82bbbcd9a22663dee04c8fa643eb1ee36dacbafe9da2d58dd91114600d1ea70a3375443e90f1598d3fec2fab1f401 +SHA512 (pki-11.5.0.tar.gz) = 28b4099abd59b6fb5c510fff39fe7b2258f663f3fc21c973243a9615f5f601a18b763722ee6ea033afe76a094464d4fdce5cd0af45f9126566badf89e3a69923 diff --git a/tests/roles/Test_Setup/files/ca.cfg b/tests/roles/Test_Setup/files/ca.cfg new file mode 100644 index 0000000..158c1d5 --- /dev/null 
+++ b/tests/roles/Test_Setup/files/ca.cfg
@@ -0,0 +1,25 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
diff --git a/tests/roles/Test_Setup/files/ds-create.sh b/tests/roles/Test_Setup/files/ds-create.sh
new file mode 100644
index 0000000..825d83f
--- /dev/null
+++ b/tests/roles/Test_Setup/files/ds-create.sh
@@ -0,0 +1,24 @@
+#!/bin/bash -ex
+
+# This command needs to be executed as it pulls the machine name
+# dynamically.
+dscreate create-template /tmp/test_dir/ds.inf
+
+sed -i \
+ -e "s/;instance_name = .*/instance_name = localhost/g" \
+ -e "s/;root_password = .*/root_password = Secret.123/g" \
+ -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
+ -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
+ /tmp/test_dir/ds.inf
+
+dscreate from-file /tmp/test_dir/ds.inf
+
+ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
+dn: dc=example,dc=com
+objectClass: domain
+dc: example
+
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
diff --git a/tests/roles/Test_Setup/files/kra.cfg b/tests/roles/Test_Setup/files/kra.cfg
new file mode 100644
index 0000000..d93f4bb
--- /dev/null
+++ b/tests/roles/Test_Setup/files/kra.cfg
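Review bot: Nothing in ca.cfg says that `Secret.123` is a throwaway value, yet the same literal serves as the server database, admin, client database, PKCS #12 and DS password here, and again in kra.cfg and ds-create.sh. A header comment at the top of each file, such as `# CI fixture: placeholder credentials for a disposable test host`, would keep these answer files from being copied into a real deployment unchanged. `pki_client_database_purge=False` presumably leaves the admin client database and PKCS #12 file on disk after pkispawn; that is fine on the test host but worth stating in the same comment.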
@@ -0,0 +1,27 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
diff --git a/tests/roles/Test_Setup/tasks/main.yml b/tests/roles/Test_Setup/tasks/main.yml
new file mode 100644
index 0000000..53c4b23
--- /dev/null
+++ b/tests/roles/Test_Setup/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Install required packages
+ dnf:
+ name: >
+ 389-ds-base, pki-ca, pki-kra
+
+- name: Creates directory
+ file: path=/tmp/test_files state=directory
+
+- name: Copying templates to /tmp folder
+ copy : src=. dest=/tmp/test_dir
+
+- name: Setup DS Service
+ shell: sh /tmp/test_dir/ds-create.sh
+
+- name: Install CA subsystem
+ shell: pkispawn -f /tmp/test_dir/ca.cfg -s CA -v
+
+- name: Install KRA subsystem
+ shell: pkispawn -f /tmp/test_dir/kra.cfg -s KRA -v
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..0271ac3
--- /dev/null
+++ b/tests/tests.yml
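Review bot: In tasks/main.yml the `Setup DS Service` task runs the script as `sh /tmp/test_dir/ds-create.sh`, which bypasses its `#!/bin/bash -ex` shebang, so neither `-e` nor `-x` is in effect. An intermediate failure, for example in `sed` or `dscreate create-template`, is then not fatal on its own. `shell: bash -ex /tmp/test_dir/ds-create.sh` keeps the behaviour the script asks for. Separately, `Creates directory` makes /tmp/test_files while every later task uses /tmp/test_dir; the `file:` path should be `/tmp/test_dir`, ideally with `mode=0700`, since the copied files hold the fixture passwords and the play runs as root under a world-writable directory.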
@@ -0,0 +1,29 @@
+- hosts: localhost
+ remote_user: root
+ tags:
+ - classic
+ roles:
+ - role: Test_Setup
+ - role: standard-test-basic
+ tests:
+ - verify_spawn_ca:
+ dir: .
+ run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '\"Status\" : \"running\"'"
+ - verify_spawn_kra:
+ dir: .
+ run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '\"Status\" : \"running\"'"
+ - destroy_kra:
+ dir: .
+ run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
+ - verify_destroy_kra:
+ dir: .
+ run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
+ - destroy_ca:
+ dir: .
+ run: "pkidestroy -i pki-tomcat -s CA"
+ - verify_destroy_ca:
+ dir: .
+ run: "curl http://localhost:8080/ca/admin/ca/getStatus &> testfile.log || true && grep 'Connection refused' testfile.log"
+ required_packages:
+ - pki-ca
+ - pki-kra
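Review bot: `verify_destroy_ca` relies on `&>`, which is a bash extension; a strictly POSIX shell parses it as `curl … &` followed by a truncating redirect, so `grep` would race against an empty file. Which shell standard-test-basic uses for `run:` is not visible here, so the portable form `> testfile.log 2>&1` is the safer choice. The `… || true && grep …` chain would also read more clearly as `curl … > testfile.log 2>&1; grep 'Connection refused' testfile.log`. In the two `verify_spawn_*` checks, adding `-sS` to curl keeps the progress meter out of the test log while still reporting errors.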