Accepting request 905902 from home:dmulder:branches:security:idm

- v0.3.4: Allow overriding of parameters from the command line

OBS-URL: https://build.opensuse.org/request/show/905902
OBS-URL: https://build.opensuse.org/package/show/security:idm/cepces?expand=0&rev=3
David Mulder 2021-07-12 21:42:17 +00:00 committed by Git OBS Bridge
parent f2d75510ac
commit f3f63a05fa
8 changed files with 17 additions and 160 deletions


@ -1,25 +0,0 @@
From 96b613e5fdb8c109a501a93a8b3f1bfa190054ec Mon Sep 17 00:00:00 2001
From: Arthur Heijnen <arthur.heijnen@live.nl>
Date: Fri, 21 May 2021 18:43:01 +0200
Subject: [PATCH] Added Kerberos delegation
---
cepces/soap/auth.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cepces/soap/auth.py b/cepces/soap/auth.py
index 14ba785..17f06ca 100644
--- a/cepces/soap/auth.py
+++ b/cepces/soap/auth.py
@@ -114,7 +114,7 @@ class TransportKerberosAuthentication(Authentication):
os.environ["KRB5CCNAME"] = ccache_name
def _init_transport(self):
- self._transport = HTTPKerberosAuth(principal=self._config['name'])
+ self._transport = HTTPKerberosAuth(principal=self._config['name'], delegate=True)
@property
def transport(self):
--
2.31.1


@ -1,84 +0,0 @@
From 2a14f639aa32948a505c0829344bfef65b8bf9b0 Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@suse.com>
Date: Wed, 30 Jun 2021 09:47:29 -0600
Subject: [PATCH] Allow overriding of server/auth from the command line
Allowing the overriding of the auth and server
parameters from the command line makes it
possible to enroll with multiple CAs.
---
bin/cepces-submit | 20 +++++++++++++++++---
cepces/config.py | 6 +++++-
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/bin/cepces-submit b/bin/cepces-submit
index 1fd7b4b..6614db8 100755
--- a/bin/cepces-submit
+++ b/bin/cepces-submit
@@ -27,9 +27,10 @@ from cepces.certmonger.operation import Operation
from cepces.config import Configuration
from cepces.core import Service
from cepces.log import init_logging
+import argparse
-def main():
+def main(global_overrides):
"""Main function."""
# Initialize logging.
init_logging()
@@ -58,7 +59,7 @@ def main():
else:
try:
# Load the configuration and instantiate a service.
- config = Configuration.load()
+ config = Configuration.load(global_overrides=global_overrides)
service = Service(config)
# Call the operation.
@@ -71,4 +72,17 @@ def main():
if __name__ == '__main__':
- main()
+ parser = argparse.ArgumentParser(description='cepces submission helper for certmonger')
+ parser.add_argument('--server', help='Hostname of the issuing certification authority')
+ parser.add_argument('--auth', help='Authentication mechanism used for connecting to the service',
+ choices=['Anonymous', 'Kerberos', 'UsernamePassword', 'Certificate'],
+ default='Kerberos')
+ args = parser.parse_args()
+ if args.server is not None:
+ global_overrides = args.__dict__
+ endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % (args.server, args.auth)
+ global_overrides['endpoint'] = endpoint
+ else:
+ global_overrides = {}
+
+ main(global_overrides)
diff --git a/cepces/config.py b/cepces/config.py
index 427f38f..acecb6f 100644
--- a/cepces/config.py
+++ b/cepces/config.py
@@ -84,7 +84,7 @@ class Configuration(Base):
return self._auth
@classmethod
- def load(cls, files=None, dirs=None):
+ def load(cls, files=None, dirs=None, global_overrides={}):
"""Load configuration files and directories and instantiate a new
Configuration."""
name = '{}.{}'.format(
@@ -128,6 +128,10 @@ class Configuration(Base):
logger.debug('Reading: {0:s}'.format(path.__str__()))
config.read(path)
+ # Override globals set from the command line
+ for key, val in global_overrides.items():
+ config['global'][key] = val
+
return Configuration.from_parser(config)
@classmethod
--
2.31.1


@ -1,34 +0,0 @@
From f199d74088af35e5186c758aba249e88154e9644 Mon Sep 17 00:00:00 2001
From: James Cassell <code@james.cassell.me>
Date: Thu, 13 Feb 2020 06:57:56 -0500
Subject: [PATCH] add SELinux permissions for RHEL 6
---
selinux/cepces.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/selinux/cepces.te b/selinux/cepces.te
index 4a4d9da..c346dd0 100644
--- a/selinux/cepces.te
+++ b/selinux/cepces.te
@@ -1,7 +1,9 @@
-policy_module(cepces, 0.3.1)
+policy_module(cepces, 0.3.2)
require {
type certmonger_t;
+ type kernel_t;
+ type ldconfig_exec_t;
}
type cepces_log_t;
@@ -9,3 +11,6 @@ logging_log_file(cepces_log_t)
allow certmonger_t cepces_log_t:dir { add_name search write };
allow certmonger_t cepces_log_t:file { create open };
+
+allow certmonger_t kernel_t:system module_request;
+allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans };
--
2.31.1


@ -1,8 +1,8 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/ufven/cepces.git</param>
<param name="url">https://github.com/openSUSE/cepces.git</param>
<param name="scm">git</param>
<param name="revision">develop</param>
<param name="revision">master</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
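Review bot: The `url` and `revision` parameters swap between github.com/ufven/cepces.git on `develop` and github.com/openSUSE/cepces.git on `master`, but the spec's `URL:` tag in the same commit is left unchanged at `https://github.com/ufven/%{app_name}`; the rendered page does not preserve which value is the new one, so if openSUSE/cepces is now the fetch origin the spec's `URL:` should be updated to match, otherwise the package declares one upstream and pulls sources from another. Tracking a moving branch together with `versionformat` `@PARENT_TAG@` also means a re-run of the service can include commits past the tag the version string is derived from; pinning `revision` to the release tag (a `v`-prefixed tag such as `v0.3.4`, per the `versionrewrite-pattern`, is a constructed example) would make the checked-in tarball reproducible from its version. Since the service is `mode="disabled"`, this only affects manual refreshes, but the checked-in LFS tarball is what gets built, so its provenance should be traceable to a tag.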


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:22a03ce3e124ba9b4bdea9e3719d76e497af445980fe449999ec93c27f432e66
size 42434

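--- a/cepces-0.3.4.tar.bz2
+++ b/cepces-0.3.4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:59f4d56d98c64ecb7d57d063a47970482afe12b0fd3b2ad3aea22b736b48939b
+size 42901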


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Jul 12 16:24:51 UTC 2021 - David Mulder <dmulder@suse.com>
- v0.3.4: Allow overriding of parameters from the command line
-------------------------------------------------------------------
Tue Jun 29 16:31:16 UTC 2021 - David Mulder <dmulder@suse.com>


@ -1,5 +1,5 @@
#
# spec file for package cepces
# spec file
#
# Copyright (c) 2021 SUSE LLC
#
@ -15,26 +15,24 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global app_name cepces
%global selinux_variants targeted
%global logdir %{_localstatedir}/log/%{app_name}
Name: %{app_name}
Version: 0.3.3
Release: 2%{?dist}
Version: 0.3.4
Release: 0%{?dist}
Summary: Certificate Enrollment through CEP/CES
License: GPL-3.0-or-later
URL: https://github.com/ufven/%{app_name}
Source0: %{name}-%{version}.tar.bz2
Patch0: 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
Patch1: 0001-add-SELinux-permissions-for-RHEL-6.patch
Patch2: 0001-Added-Kerberos-delegation.patch
BuildArch: noarch
Requires: python3-%{app_name} == %{version}
Requires: %{app_name}-certmonger == %{version}
Requires: %{app_name}-selinux == %{version}
Requires: python3-%{app_name} == %{version}
%description
%{app_name} is an application for enrolling certificates through CEP and CES.
@ -43,11 +41,11 @@ It currently only operates through certmonger.
%package -n python3-%{app_name}
Summary: Python part of %{app_name}
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-cryptography >= 1.2
BuildRequires: python3-devel
BuildRequires: python3-requests
BuildRequires: python3-requests-kerberos >= 0.9
BuildRequires: python3-setuptools
Requires: python3-cryptography >= 1.2
Requires: python3-requests
@ -79,9 +77,6 @@ SELinux support for %{app_name}
%prep
%setup -q -n %{app_name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%py3_build
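Review bot: Removing `Patch2: 0001-Added-Kerberos-delegation.patch` and its `%patch2 -p1` in `%prep` changes the packaged Kerberos behaviour unless upstream 0.3.4 carries the equivalent change: that patch set `delegate=True` on HTTPKerberosAuth, which lets the enrollment client forward its credentials to the CES endpoint, so whether it is still applied is a security-relevant property of the build. The same question applies to `Patch1: 0001-add-SELinux-permissions-for-RHEL-6.patch`, whose `%patch1 -p1` is dropped as well. Neither the commit message nor the new `.changes` entry states whether these two patches were merged upstream or intentionally dropped, so the changelog entry should record it, e.g. `- drop 0001-Added-Kerberos-delegation.patch and 0001-add-SELinux-permissions-for-RHEL-6.patch: merged upstream` (or `: no longer applied`, whichever is the case). The `Requires: python3-%{app_name} == %{version}` and the two BuildRequires lines appear to be reordered only; the page does not preserve their old/new sides, so this is inferred from the unchanged hunk line counts.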