.gitignore

@@ -1 +1,7 @@
-SOURCES/RELEASE_1_0.tar.gz
+/keycloak-httpd-client-install-0.3.tar.gz
+/keycloak-httpd-client-install-0.4.tar.gz
+/keycloak-httpd-client-install-0.5.tar.gz
+/keycloak-httpd-client-install-0.6.tar.gz
+/keycloak-httpd-client-install-0.8.tar.gz
+/RELEASE_1_1.tar.gz
+/keycloak-httpd-client-install-1.3.tar.gz

.keycloak-httpd-client-install.metadata

@@ -1 +0,0 @@
-50e2b29a2dd8a150dd8259491449ea31a13b86b8 SOURCES/RELEASE_1_0.tar.gz

SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch

@@ -1,25 +0,0 @@
-From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 28 Jun 2019 21:18:45 +0200
-Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description
-
----
- doc/keycloak-httpd-client-install.8 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
-index f67c227..734e837 100644
---- a/doc/keycloak-httpd-client-install.8
-+++ b/doc/keycloak-httpd-client-install.8
-@@ -205,7 +205,7 @@ Common root ancestor for all protected locations
- .B mod_auth_oidc OIDC RP Client Options
- 
- .TP
--.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR
-+.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR
- The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
- protected locations.
- (default: The first protected location appened with "/redirect_uri")
--- 
-2.20.1
-

SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch

@@ -1,93 +0,0 @@
-From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 1 Jul 2019 15:33:05 +0200
-Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option
-
-This patch adds a new command line option, unset by default, which if
-set, is added as an additional redirectUri when the keycloak client is
-being created.
-
-This option might be useful to add an extra allowed redirect for logout
-pages.
-
-The mod_auth_openidc wiki:
-    https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users
-says:
-   By redirecting the user to the OIDCRedirectURI with a parameter named
-   logout. The value of that parameter contains the (URL-encoded) URL where
-   the user will be redirected to after the session has been killed.
-and also:
-   make sure that the (URL-encoded) callback URL passed in the logout
-   parameter points to a location that is not protected by
-   mod_auth_openidc or else the login process will be started again.
----
- bin/keycloak-httpd-client-install        | 5 +++++
- doc/keycloak-httpd-client-install.8      | 8 ++++++++
- templates/oidc-client-registration.tpl   | 3 +++
- templates/oidc-client-representation.tpl | 3 +++
- 4 files changed, 19 insertions(+)
-
-diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install
-index f211a4d..128f962 100755
---- a/bin/keycloak-httpd-client-install
-+++ b/bin/keycloak-httpd-client-install
-@@ -886,6 +886,11 @@ def main():
-                        help='claim used when setting the REMOTE_USER variable, '
-                        'default="sub"')
- 
-+    group.add_argument('--oidc-logout-uri',
-+                       help='Should not be a child of one of the protected '
-+                       'locations. When set, adds the argument as a valid '
-+                       'redirectUri for Keycloak')
-+
-     # ---- Argument Group "Mellon SP"  ----
- 
-     group = parser.add_argument_group('Mellon SP')
-diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
-index 734e837..ead8717 100644
---- a/doc/keycloak-httpd-client-install.8
-+++ b/doc/keycloak-httpd-client-install.8
-@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
- protected locations.
- (default: The first protected location appened with "/redirect_uri")
- 
-+.TP
-+.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR
-+Can be used to add the location the user is redirected to after logout as
-+an additional redirectUri value in Keycloak's client representation. The
-+location should not be nested under any of the protected locations,
-+otherwise the login process would start again.
-+(default: None)
-+
- .TP
- .BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR
- OIDC client secret
-diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl
-index 3c45c09..fd6cd38 100644
---- a/templates/oidc-client-registration.tpl
-+++ b/templates/oidc-client-registration.tpl
-@@ -2,5 +2,8 @@
-     "client_name": "{{ clientid }}",
-     "redirect_uris": [
-         "{{ client_https_url }}{{ oidc_redirect_uri }}"
-+        {% if oidc_logout_uri %}
-+        ,"{{ client_https_url }}{{ oidc_logout_uri }}",
-+        {% endif %}
-     ]
- }
-diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl
-index 2bbf66a..1f4a496 100644
---- a/templates/oidc-client-representation.tpl
-+++ b/templates/oidc-client-representation.tpl
-@@ -6,5 +6,8 @@
-     "clientAuthenticatorType": "client-secret",
-     "redirectUris": [
-         "{{ client_https_url }}{{ oidc_redirect_uri }}"
-+        {% if oidc_logout_uri %}
-+        ,"{{ client_https_url }}{{ oidc_logout_uri }}"
-+        {% endif %}
-     ]
- }
--- 
-2.20.1
-

SPECS/keycloak-httpd-client-install.spec

@@ -1,146 +0,0 @@
-%global srcname keycloak-httpd-client-install
-%global summary Tools to configure Apache HTTPD as Keycloak client
-
-%bcond_without python2
-%bcond_with python3
-
-Name:           %{srcname}
-Version:        1.0
-Release:        2%{?dist}
-Summary:        %{summary}
-
-%global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_')
-
-License:        GPLv3
-URL:            https://github.com/jdennis/keycloak-httpd-client-install
-Source0:        https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz
-
-Patch0001:      0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch
-Patch0002:      0002-Add-a-new-oidc-logout-uri-command-line-option.patch
-
-BuildArch:      noarch
-
-BuildRequires:  python3-devel
-
-Requires:       %{_bindir}/keycloak-httpd-client-install
-
-%description
-Keycloak is a federated Identity Provider (IdP). Apache HTTPD supports
-a variety of authentication modules which can be configured to utilize
-a Keycloak IdP to perform authentication. This package contains
-libraries and tools which can automate and simplify configuring an
-Apache HTTPD authentication module and registering as a client of a
-Keycloak IdP.
-
-%package -n python3-%{srcname}
-Summary:        %{summary}
-
-%{?python_provide:%python_provide python3-%{srcname}}
-
-Requires:       %{name} = %{version}-%{release}
-Requires:       python3-requests
-Requires:       python3-requests-oauthlib
-Requires:       python3-jinja2
-
-%description -n python3-%{srcname}
-Keycloak is an authentication server. This package contains libraries and
-programs which can invoke the Keycloak REST API and configure clients
-of a Keycloak server.
-
-%prep
-%autosetup -n %{srcname}-%{git_tag} -p1
-
-%build
-%py3_build
-
-%install
-%py3_install
-
-install -d -m 755 %{buildroot}/%{_mandir}/man8
-install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/man8
-
-%files
-%license LICENSE.txt
-%doc README.md doc/ChangeLog
-%{_datadir}/%{srcname}/
-
-%files -n python3-%{srcname}
-%{python3_sitelib}/*
-%{_bindir}/keycloak-httpd-client-install
-%{_bindir}/keycloak-rest
-%{_mandir}/man8/*
-
-%changelog
-* Wed Jul  3 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-2
-- Backport upstream patches to adds the --oidc-logout-uri option
-  and fix OIDC-related man page issues
-- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support
-
-* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-1
-- New upstream release
-- Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support
-
-* Fri Jul 27 2018  <jdennis@redhat.com> - 0.8-7
-- fix SOURCE0, it was pointing to github repo archive instead of release tarball
-
-* Tue Jul 10 2018  <jdennis@redhat.com> - 0.8-6
-- Restore use of bcond for python conditionals
-
-* Mon Jul  9 2018  <jdennis@redhat.com> - 0.8-5
-- Share same spec file with Fedora
-
-* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.8-4
-- Conditionalize the python2 subpackage
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Jan 15 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.8-2
-- Update Python 2 dependency declarations to new packaging standards
-  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
-
-* Wed Jan 10 2018 John Dennis <jdennis@redhat.com> - 0.8-1
-- Upgrade to upstream 0,8, includes:
-- CVE-2017-15112 unsafe use of -p/--admin-password on command line
-- CVE-2017-15111 unsafe /tmp log file in --log-file option in keycloak_cli.py
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Wed Mar  1 2017 John Dennis <jdennis@redhat.com> - 0.6-1
-- Resolves: rhbz#1427720, if --mellon-root is not supplied and defaults to /
-  you end up with double slashes in entityId and endpoints
-- add --tls-verify option to control python-requests behavor when
-  using tls to connect. With this option you can use a self-signed
-  cert or point to a CA bundle.
-- Fix warnings and checks when using client originate method
-  'registration' with 'anonymous' authentication.
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Fri Jan  6 2017 John Dennis <jdennis@redhat.com> - 0.5-1
-- Fix default port bug
-  Strip the port from the URL if it matches the scheme (e.g. 80 for
-  http and 443 for https)
-
-* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.4-3
-- Rebuild for Python 3.6
-
-* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
-- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
-
-* Mon Jun 27 2016 John Dennis <jdennis@redhat.com> - 0.4-1
-- new upstream
-  See ChangeLog for details
-
-* Fri May 20 2016 John Dennis <jdennis@redhat.com> - 0.3-1
-- new upstream
-  See ChangeLog for details
-
-* Tue May 17 2016 John Dennis <jdennis@redhat.com> - 0.2-1
-- new upstream
-- Add keycloak-httpd-client-install.8 man page
-
-* Fri May 13 2016 John Dennis <jdennis@redhat.com> - 0.1-1
-- Initial version

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

keycloak-httpd-client-install.spec

@@ -0,0 +1,243 @@
+%global srcname keycloak-httpd-client-install
+%global summary Tools to configure Apache HTTPD as Keycloak client
+
+%if (0%{?fedora} > 0 && 0%{?fedora} < 30) || (0%{?rhel} > 0 && 0%{?rhel} <= 7)
+  %bcond_without python2
+  %bcond_without python3
+%endif
+
+%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
+  %bcond_with python2
+  %bcond_without python3
+%endif
+
+Name:           %{srcname}
+Version:        1.3
+Release:        1%{?dist}
+Summary:        %{summary}
+
+License:        GPL-3.0-or-later
+URL:            https://github.com/latchset/keycloak-httpd-client-install
+Source0:        https://github.com/latchset/keycloak-httpd-client-install/releases/download/v%{version}/%{name}-%{version}.tar.gz
+
+BuildArch:      noarch
+
+%if %{with python2}
+BuildRequires:  python2-devel
+%endif # with_python2
+
+%if 0%{?with_python3}
+BuildRequires:  python3-devel
+%endif
+
+Requires:       %{_bindir}/keycloak-httpd-client-install
+
+%description
+Keycloak is a federated Identity Provider (IdP). Apache HTTPD supports
+a variety of authentication modules which can be configured to utilize
+a Keycloak IdP to perform authentication. This package contains
+libraries and tools which can automate and simplify configuring an
+Apache HTTPD authentication module and registering as a client of a
+Keycloak IdP.
+
+%if %{with python2}
+%package -n python2-%{srcname}
+Summary:        %{summary}
+
+%{?python_provide:%python_provide python2-%{srcname}}
+
+Requires:       %{name} = %{version}-%{release}
+Requires:       python2-requests
+Requires:       python2-requests-oauthlib
+Requires:       python2-jinja2
+Requires:       %{_bindir}/keycloak-httpd-client-install
+
+%description -n python2-%{srcname}
+Keycloak is an authentication server. This package contains libraries and
+programs which can invoke the Keycloak REST API and configure clients
+of a Keycloak server.
+%endif # with_python2
+
+%if 0%{?with_python3}
+%package -n python3-%{srcname}
+Summary:        %{summary}
+
+%{?python_provide:%python_provide python3-%{srcname}}
+
+Requires:       %{name} = %{version}-%{release}
+Requires:       python3-requests
+Requires:       python3-requests-oauthlib
+Requires:       python3-jinja2
+
+%description -n python3-%{srcname}
+Keycloak is an authentication server. This package contains libraries and
+programs which can invoke the Keycloak REST API and configure clients
+of a Keycloak server.
+
+%endif
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%build
+%if %{with python2}
+%py2_build
+%endif # with_python2
+
+%if 0%{?with_python3}
+%py3_build
+%endif
+
+%install
+%if %{with python2}
+# Must do the python2 install first because the scripts in /usr/bin are
+# overwritten with every setup.py install, and in general we want the
+# python3 version to be the default.
+%py2_install
+%endif # with_python2
+
+%if 0%{?with_python3}
+# py3_install won't overwrite files if they have a timestamp greater-than
+# or equal to the py2 installed files. If both the py2 and py3 builds execute
+# quickly the files end up with the same timestamps thus leaving the py2
+# version in the py3 install. Therefore remove any files susceptible to this.
+%if %{with python2}
+rm %{buildroot}%{_bindir}/keycloak-httpd-client-install
+%endif # with_python2
+%py3_install
+%endif
+
+install -d -m 755 %{buildroot}/%{_mandir}/man8
+install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/man8
+
+%files
+%license LICENSE.txt
+%doc README.md doc/ChangeLog
+%{_datadir}/%{srcname}/
+
+%if %{with python2}
+# Note that there is no %%files section for the unversioned python module if we are building for several python runtimes
+%files -n python2-%{srcname}
+%{python2_sitelib}/*
+
+%if ! 0%{?with_python3}
+%{_bindir}/keycloak-httpd-client-install
+%{_bindir}/keycloak-rest
+%{_mandir}/man8/*
+%endif
+%endif # with_python2
+
+%if 0%{?with_python3}
+%files -n python3-%{srcname}
+%{python3_sitelib}/*
+%{_bindir}/keycloak-httpd-client-install
+%{_bindir}/keycloak-rest
+%{_mandir}/man8/*
+%endif
+
+%changelog
+* Fri Sep 20 2024 Tomas Halman <thalman@redhat.com> - 1.3-1
+- Rebase to version 1.3
+- Resolves: RHEL-3336 - khci won't work with Quarkus-based Keycloak due to missing /auth path
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.1-10
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.1-9
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.1-6
+- Rebuilt for Python 3.9
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-4
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-3
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jun 28 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.1-1
+- New upstream release 1.1
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Nov 29 2018 Miro Hrončok <mhroncok@redhat.com> - 0.8-8
+- Remove python2 subpackage from Fedora 30+ (#1627398)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018  <jdennis@redhat.com> - 0.8-6
+- Restore use of bcond for python conditionals
+
+* Mon Jul  9 2018  <jdennis@redhat.com> - 0.8-5
+- Share same spec file with RHEL
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.8-4
+- Rebuilt for Python 3.7
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 15 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.8-2
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Wed Jan 10 2018 John Dennis <jdennis@redhat.com> - 0.8-1
+- Upgrade to upstream 0,8, includes:
+- CVE-2017-15112 unsafe use of -p/--admin-password on command line
+- CVE-2017-15111 unsafe /tmp log file in --log-file option in keycloak_cli.py
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar  1 2017 John Dennis <jdennis@redhat.com> - 0.6-1
+- Resolves: rhbz#1427720, if --mellon-root is not supplied and defaults to /
+  you end up with double slashes in entityId and endpoints
+- add --tls-verify option to control python-requests behavor when
+  using tls to connect. With this option you can use a self-signed
+  cert or point to a CA bundle.
+- Fix warnings and checks when using client originate method
+  'registration' with 'anonymous' authentication.
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan  6 2017 John Dennis <jdennis@redhat.com> - 0.5-1
+- Fix default port bug
+  Strip the port from the URL if it matches the scheme (e.g. 80 for
+  http and 443 for https)
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.4-3
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Jun 27 2016 John Dennis <jdennis@redhat.com> - 0.4-1
+- new upstream
+  See ChangeLog for details
+
+* Fri May 20 2016 John Dennis <jdennis@redhat.com> - 0.3-1
+- new upstream
+  See ChangeLog for details
+
+* Tue May 17 2016 John Dennis <jdennis@redhat.com> - 0.2-1
+- new upstream
+- Add keycloak-httpd-client-install.8 man page
+
+* Fri May 13 2016 John Dennis <jdennis@redhat.com> - 0.1-1
+- Initial version

sources

@@ -0,0 +1 @@
+SHA512 (keycloak-httpd-client-install-1.3.tar.gz) = 3bb301e71a6500f1bcde3507d3fdbde3ac98c9381bd67b8f1efa50ced2bfe27c7c994d1a08592812d2ea33ef4f96a30edf1e0a035574d5dcf5c395fdb04b78f6

tests/.fmf/version

@@ -0,0 +1 @@
+1

tests/provision.fmf

@@ -0,0 +1,5 @@
+---
+standard-inventory-qcow2:
+  qemu:
+    m: 3G
+    smp: 2

tests/scripts/run_tests.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+export GIT_SSL_NO_VERIFY=true
+git clone https://github.com/latchset/federation_testing.git
+
+cd federation_testing
+if [ ! -d /tmp/artifacts ]; then
+    mkdir -p /tmp/artifacts
+fi
+
+./setup.sh
+./test_khci.sh

tests/tests.yml

@@ -0,0 +1,12 @@
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    tests:
+    - mod_auth_mellon:
+        dir: scripts
+        run: ./run_tests.sh
+    required_packages:
+    - git
+