pool/cepces
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 903556 from home:dmulder:certmonger

Browse Source 
This is a dependency of Samba's Certificate Auto Enrollment. It extends certmonger to support auto enrollment to a Microsoft CA.

OBS-URL: https://build.opensuse.org/request/show/903556
OBS-URL: https://build.opensuse.org/package/show/security:idm/cepces?expand=0&rev=1
This commit is contained in:
Neal Gompa 2021-07-02 10:43:16 +00:00 committed by Git OBS Bridge
commit 5d40dff8d5
9 changed files with 415 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

25
0001-Added-Kerberos-delegation.patch Normal file
View File

@ -0,0 +1,25 @@
From 96b613e5fdb8c109a501a93a8b3f1bfa190054ec Mon Sep 17 00:00:00 2001
From: Arthur Heijnen <arthur.heijnen@live.nl>
Date: Fri, 21 May 2021 18:43:01 +0200
Subject: [PATCH] Added Kerberos delegation
---
cepces/soap/auth.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cepces/soap/auth.py b/cepces/soap/auth.py
index 14ba785..17f06ca 100644
--- a/cepces/soap/auth.py
+++ b/cepces/soap/auth.py
@@ -114,7 +114,7 @@ class TransportKerberosAuthentication(Authentication):
os.environ["KRB5CCNAME"] = ccache_name
def _init_transport(self):
- self._transport = HTTPKerberosAuth(principal=self._config['name'])
+ self._transport = HTTPKerberosAuth(principal=self._config['name'], delegate=True)
@property
def transport(self):
--
2.31.1

84
0001-Allow-overriding-of-server-auth-from-the-command-lin.patch Normal file
View File

@ -0,0 +1,84 @@
From 2a14f639aa32948a505c0829344bfef65b8bf9b0 Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@suse.com>
Date: Wed, 30 Jun 2021 09:47:29 -0600
Subject: [PATCH] Allow overriding of server/auth from the command line
Allowing the overriding of the auth and server
parameters from the command line makes it
possible to enroll with multiple CAs.
---
bin/cepces-submit | 20 +++++++++++++++++---
cepces/config.py | 6 +++++-
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/bin/cepces-submit b/bin/cepces-submit
index 1fd7b4b..6614db8 100755
--- a/bin/cepces-submit
+++ b/bin/cepces-submit
@@ -27,9 +27,10 @@ from cepces.certmonger.operation import Operation
from cepces.config import Configuration
from cepces.core import Service
from cepces.log import init_logging
+import argparse
-def main():
+def main(global_overrides):
"""Main function."""
# Initialize logging.
init_logging()
@@ -58,7 +59,7 @@ def main():
else:
try:
# Load the configuration and instantiate a service.
- config = Configuration.load()
+ config = Configuration.load(global_overrides=global_overrides)
service = Service(config)
# Call the operation.
@@ -71,4 +72,17 @@ def main():
if __name__ == '__main__':
- main()
+ parser = argparse.ArgumentParser(description='cepces submission helper for certmonger')
+ parser.add_argument('--server', help='Hostname of the issuing certification authority')
+ parser.add_argument('--auth', help='Authentication mechanism used for connecting to the service',
+ choices=['Anonymous', 'Kerberos', 'UsernamePassword', 'Certificate'],
+ default='Kerberos')
+ args = parser.parse_args()
+ if args.server is not None:
+ global_overrides = args.__dict__
+ endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % (args.server, args.auth)
+ global_overrides['endpoint'] = endpoint
+ else:
+ global_overrides = {}
+
+ main(global_overrides)
diff --git a/cepces/config.py b/cepces/config.py
index 427f38f..acecb6f 100644
--- a/cepces/config.py
+++ b/cepces/config.py
@@ -84,7 +84,7 @@ class Configuration(Base):
return self._auth
@classmethod
- def load(cls, files=None, dirs=None):
+ def load(cls, files=None, dirs=None, global_overrides={}):
"""Load configuration files and directories and instantiate a new
Configuration."""
name = '{}.{}'.format(
@@ -128,6 +128,10 @@ class Configuration(Base):
logger.debug('Reading: {0:s}'.format(path.__str__()))
config.read(path)
+ # Override globals set from the command line
+ for key, val in global_overrides.items():
+ config['global'][key] = val
+
return Configuration.from_parser(config)
@classmethod
--
2.31.1

34
0001-add-SELinux-permissions-for-RHEL-6.patch Normal file
View File

@ -0,0 +1,34 @@
From f199d74088af35e5186c758aba249e88154e9644 Mon Sep 17 00:00:00 2001
From: James Cassell <code@james.cassell.me>
Date: Thu, 13 Feb 2020 06:57:56 -0500
Subject: [PATCH] add SELinux permissions for RHEL 6
---
selinux/cepces.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/selinux/cepces.te b/selinux/cepces.te
index 4a4d9da..c346dd0 100644
--- a/selinux/cepces.te
+++ b/selinux/cepces.te
@@ -1,7 +1,9 @@
-policy_module(cepces, 0.3.1)
+policy_module(cepces, 0.3.2)
require {
type certmonger_t;
+ type kernel_t;
+ type ldconfig_exec_t;
}
type cepces_log_t;
@@ -9,3 +11,6 @@ logging_log_file(cepces_log_t)
allow certmonger_t cepces_log_t:dir { add_name search write };
allow certmonger_t cepces_log_t:file { create open };
+
+allow certmonger_t kernel_t:system module_request;
+allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans };
--
2.31.1

29
_service Normal file
View File

@ -0,0 +1,29 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/ufven/cepces.git</param>
<param name="scm">git</param>
<param name="revision">develop</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
<param name="filename">cepces</param>
<param name="exclude">.git</param>
</service>
<service name="set_version" mode="disabled">
<param name="basename">cepces</param>
<param name="regex">^cepces-([^/]+)</param>
<param name="file">cepces.spec</param>
</service>
<service name="set_version" mode="disabled">
<param name="basename">cepces</param>
<param name="regex">^cepces-([^/]+)</param>
<param name="file">cepces.changes</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>
<param name="compression">bz2</param>
</service>
</services>

3
cepces-0.3.3.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:22a03ce3e124ba9b4bdea9e3719d76e497af445980fe449999ec93c27f432e66
size 42434

30
cepces.changes Normal file
View File

@ -0,0 +1,30 @@
-------------------------------------------------------------------
Tue Jun 29 16:31:16 UTC 2021 - David Mulder <dmulder@suse.com>
- v0.3.3: Initial submission of sources; (jsc#SLE-18457).
-------------------------------------------------------------------
Mon Jul 29 2019 - Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.3-2
- Add missing log directory
-------------------------------------------------------------------
Mon Jul 29 2019 - Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.3-1
- Update to version 0.3.3-1
-------------------------------------------------------------------
Mon Feb 05 2018 - Daniel Uvehag <daniel.uvehag@gmail.com> - 0.3.0-1
- Update to version 0.3.0-1
-------------------------------------------------------------------
Thu Feb 01 2018 - Daniel Uvehag <daniel.uvehag@gmail.com> - 0.2.1-1
- Update to version 0.2.1-1
-------------------------------------------------------------------
Mon Jun 27 2016 - Daniel Uvehag <daniel.uvehag@gmail.com> - 0.1.0-1
- Initial package.

186
cepces.spec Normal file
View File

@ -0,0 +1,186 @@
#
# spec file for package cepces
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global app_name cepces
%global selinux_variants targeted
%global logdir %{_localstatedir}/log/%{app_name}
Name: %{app_name}
Version: 0.3.3
Release: 2%{?dist}
Summary: Certificate Enrollment through CEP/CES
License: GPL-3.0-or-later
URL: https://github.com/ufven/%{app_name}
Source0: %{name}-%{version}.tar.bz2
Patch0: 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
Patch1: 0001-add-SELinux-permissions-for-RHEL-6.patch
Patch2: 0001-Added-Kerberos-delegation.patch
BuildArch: noarch
Requires: python3-%{app_name} == %{version}
Requires: %{app_name}-certmonger == %{version}
Requires: %{app_name}-selinux == %{version}
%description
%{app_name} is an application for enrolling certificates through CEP and CES.
It currently only operates through certmonger.
%package -n python3-%{app_name}
Summary: Python part of %{app_name}
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-cryptography >= 1.2
BuildRequires: python3-requests
BuildRequires: python3-requests-kerberos >= 0.9
Requires: python3-cryptography >= 1.2
Requires: python3-requests
Requires: python3-requests-kerberos >= 0.9
%description -n python3-%{app_name}
%{app_name} is an application for enrolling certificates through CEP and CES.
This package provides the Python part for CEP and CES interaction.
%package certmonger
Summary: certmonger integration for %{app_name}
Requires: certmonger
%description certmonger
%{app_name} is an application for enrolling certificates through CEP and CES.
This package provides the certmonger integration.
%package selinux
Summary: SELinux support for %{app_name}
BuildRequires: selinux-policy-devel
Requires: selinux-policy
Requires(post): selinux-policy-targeted
%description selinux
SELinux support for %{app_name}
%prep
%setup -q -n %{app_name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%py3_build
# Build the SELinux module(s).
for SELINUXVARIANT in %{selinux_variants}; do
make -C selinux clean all
mv -v selinux/%{app_name}.pp selinux/%{app_name}-${SELINUXVARIANT}.pp
done
%install
%py3_install
install -d -m 0700 %{buildroot}%{logdir}
# Install the SELinux module(s).
rm -fv selinux-files.txt
for SELINUXVARIANT in %{selinux_variants}; do
install -d %{buildroot}%{_datadir}/selinux/${SELINUXVARIANT}
install -p -m 644 selinux/%{app_name}-${SELINUXVARIANT}.pp \
%{buildroot}%{_datadir}/selinux/${SELINUXVARIANT}/%{app_name}.pp
echo %{_datadir}/selinux/${SELINUXVARIANT}/%{app_name}.pp >> \
selinux-files.txt
done
# Install configuration files.
install -d %{buildroot}%{_sysconfdir}/%{app_name}
install -p -m 644 conf/cepces.conf.dist \
%{buildroot}%{_sysconfdir}/%{app_name}/cepces.conf
install -p -m 644 conf/logging.conf.dist \
%{buildroot}%{_sysconfdir}/%{app_name}/logging.conf
install -d %{buildroot}%{_libexecdir}/certmonger
install -p -m 755 bin/%{app_name}-submit \
%{buildroot}%{_libexecdir}/certmonger/%{app_name}-submit
# Remove unused executables and configuration files.
%{__rm} -rfv %{buildroot}/usr/local/etc
%{__rm} -rfv %{buildroot}/usr/local/libexec/certmonger
sed -i 's/\/usr\/bin\/env python3/\/usr\/bin\/python3/g' %{buildroot}%{_libexecdir}/certmonger/%{app_name}-submit
%post selinux
for SELINUXVARIANT in %{selinux_variants}; do
%{_sbindir}/semodule -n -s ${SELINUXVARIANT} \
-i %{_datadir}/selinux/${SELINUXVARIANT}/%{app_name}.pp
if %{_sbindir}/selinuxenabled; then
%{_sbindir}/load_policy
fi
done
%postun selinux
if [ $1 -eq 0 ]
then
for SELINUXVARIANT in %{selinux_variants}; do
%{_sbindir}/semodule -n -s ${SELINUXVARIANT} -r %{app_name} > /dev/null || :
if %{_sbindir}/selinuxenabled; then
%{_sbindir}/load_policy
fi
done
fi
%post certmonger
# Install the CA into certmonger.
if [[ "$1" == "1" ]]; then
getcert add-ca -c %{app_name} \
-e %{_libexecdir}/certmonger/%{app_name}-submit >/dev/null || :
fi
%preun certmonger
# Remove the CA from certmonger, unless it's an upgrade.
if [[ "$1" == "0" ]]; then
getcert remove-ca -c %{app_name} >/dev/null || :
fi
%check
%{__python3} setup.py test
%files
%doc LICENSE
%doc README.rst
%dir %{_sysconfdir}/%{app_name}/
%config(noreplace) %{_sysconfdir}/%{app_name}/%{app_name}.conf
%config(noreplace) %{_sysconfdir}/%{app_name}/logging.conf
%dir %{logdir}
%files -n python3-%{app_name}
%{python3_sitelib}/%{app_name}
%{python3_sitelib}/%{app_name}-%{version}-py?.?.egg-info
%files certmonger
%dir %{_libexecdir}/certmonger
%{_libexecdir}/certmonger/%{app_name}-submit
%files selinux -f selinux-files.txt
%defattr(0644,root,root,0755)
%changelog