From f3f63a05fa775fc5b715fb9160f76c8f109ba80eb8d26da21f80ef1a103339ec Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Mon, 12 Jul 2021 21:42:17 +0000
Subject: [PATCH] Accepting request 905902 from home:dmulder:branches:security:idm - v0.3.4: Allow overriding of parameters from the command line
OBS-URL: https://build.opensuse.org/request/show/905902
OBS-URL: https://build.opensuse.org/package/show/security:idm/cepces?expand=0&rev=3
---
 0001-Added-Kerberos-delegation.patch | 25 ------
 ...-of-server-auth-from-the-command-lin.patch | 84 -------------------
 0001-add-SELinux-permissions-for-RHEL-6.patch | 34 --------
 _service | 4 +-
 cepces-0.3.3.tar.bz2 | 3 -
 cepces-0.3.4.tar.bz2 | 3 +
 cepces.changes | 5 ++
 cepces.spec | 19 ++---
 8 files changed, 17 insertions(+), 160 deletions(-)
 delete mode 100644 0001-Added-Kerberos-delegation.patch
 delete mode 100644 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
 delete mode 100644 0001-add-SELinux-permissions-for-RHEL-6.patch
 delete mode 100644 cepces-0.3.3.tar.bz2
 create mode 100644 cepces-0.3.4.tar.bz2
diff --git a/0001-Added-Kerberos-delegation.patch b/0001-Added-Kerberos-delegation.patch
deleted file mode 100644
index 72ccac5..0000000
--- a/0001-Added-Kerberos-delegation.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 96b613e5fdb8c109a501a93a8b3f1bfa190054ec Mon Sep 17 00:00:00 2001
-From: Arthur Heijnen
-Date: Fri, 21 May 2021 18:43:01 +0200
-Subject: [PATCH] Added Kerberos delegation
-
----
- cepces/soap/auth.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cepces/soap/auth.py b/cepces/soap/auth.py
-index 14ba785..17f06ca 100644
---- a/cepces/soap/auth.py
-+++ b/cepces/soap/auth.py
-@@ -114,7 +114,7 @@ class TransportKerberosAuthentication(Authentication):
- os.environ["KRB5CCNAME"] = ccache_name
-
- def _init_transport(self):
-- self._transport = HTTPKerberosAuth(principal=self._config['name'])
-+ self._transport = HTTPKerberosAuth(principal=self._config['name'], delegate=True)
-
- @property
- def transport(self):
---
-2.31.1
-
diff --git a/0001-Allow-overriding-of-server-auth-from-the-command-lin.patch b/0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
deleted file mode 100644
index 972b2a3..0000000
--- a/0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 2a14f639aa32948a505c0829344bfef65b8bf9b0 Mon Sep 17 00:00:00 2001
-From: David Mulder
-Date: Wed, 30 Jun 2021 09:47:29 -0600
-Subject: [PATCH] Allow overriding of server/auth from the command line
-
-Allowing the overriding of the auth and server
-parameters from the command line makes it
-possible to enroll with multiple CAs.
----
- bin/cepces-submit | 20 +++++++++++++++++---
- cepces/config.py | 6 +++++-
- 2 files changed, 22 insertions(+), 4 deletions(-)
-
-diff --git a/bin/cepces-submit b/bin/cepces-submit
-index 1fd7b4b..6614db8 100755
---- a/bin/cepces-submit
-+++ b/bin/cepces-submit
-@@ -27,9 +27,10 @@ from cepces.certmonger.operation import Operation
- from cepces.config import Configuration
- from cepces.core import Service
- from cepces.log import init_logging
-+import argparse
-
-
--def main():
-+def main(global_overrides):
- """Main function."""
- # Initialize logging.
- init_logging()
-@@ -58,7 +59,7 @@ def main():
- else:
- try:
- # Load the configuration and instantiate a service.
-- config = Configuration.load()
-+ config = Configuration.load(global_overrides=global_overrides)
- service = Service(config)
-
- # Call the operation.
-@@ -71,4 +72,17 @@ def main():
-
-
- if __name__ == '__main__':
-- main()
-+ parser = argparse.ArgumentParser(description='cepces submission helper for certmonger')
-+ parser.add_argument('--server', help='Hostname of the issuing certification authority')
-+ parser.add_argument('--auth', help='Authentication mechanism used for connecting to the service',
-+ choices=['Anonymous', 'Kerberos', 'UsernamePassword', 'Certificate'],
-+ default='Kerberos')
-+ args = parser.parse_args()
-+ if args.server is not None:
-+ global_overrides = args.__dict__
-+ endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % (args.server, args.auth)
-+ global_overrides['endpoint'] = endpoint
-+ else:
-+ global_overrides = {}
-+
-+ main(global_overrides)
-diff --git a/cepces/config.py b/cepces/config.py
-index 427f38f..acecb6f 100644
---- a/cepces/config.py
-+++ b/cepces/config.py
-@@ -84,7 +84,7 @@ class Configuration(Base):
- return self._auth
-
- @classmethod
-- def load(cls, files=None, dirs=None):
-+ def load(cls, files=None, dirs=None, global_overrides={}):
- """Load configuration files and directories and instantiate a new
- Configuration."""
- name = '{}.{}'.format(
-@@ -128,6 +128,10 @@ class Configuration(Base):
- logger.debug('Reading: {0:s}'.format(path.__str__()))
- config.read(path)
-
-+ # Override globals set from the command line
-+ for key, val in global_overrides.items():
-+ config['global'][key] = val
-+
- return Configuration.from_parser(config)
-
- @classmethod
---
-2.31.1
-
diff --git a/0001-add-SELinux-permissions-for-RHEL-6.patch b/0001-add-SELinux-permissions-for-RHEL-6.patch
deleted file mode 100644
index 070d866..0000000
--- a/0001-add-SELinux-permissions-for-RHEL-6.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -From f199d74088af35e5186c758aba249e88154e9644 Mon Sep 17 00:00:00 2001 -From: James Cassell -Date: Thu, 13 Feb 2020 06:57:56 -0500 -Subject: [PATCH] add SELinux permissions for RHEL 6 - ---- - selinux/cepces.te | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/selinux/cepces.te b/selinux/cepces.te -index 4a4d9da..c346dd0 100644 ---- a/selinux/cepces.te -+++ b/selinux/cepces.te -@@ -1,7 +1,9 @@ --policy_module(cepces, 0.3.1) -+policy_module(cepces, 0.3.2) - - require { - type certmonger_t; -+ type kernel_t; -+ type ldconfig_exec_t; - } - - type cepces_log_t; -@@ -9,3 +11,6 @@ logging_log_file(cepces_log_t) - - allow certmonger_t cepces_log_t:dir { add_name search write }; - allow certmonger_t cepces_log_t:file { create open }; -+ -+allow certmonger_t kernel_t:system module_request; -+allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans }; --- -2.31.1 - diff --git a/_service b/_service index 77b173d..dbe0204 100644 --- a/_service +++ b/_service @@ -1,8 +1,8 @@ - https://github.com/ufven/cepces.git + https://github.com/openSUSE/cepces.git git - develop + master @PARENT_TAG@ v(.*) \1 diff --git a/cepces-0.3.3.tar.bz2 b/cepces-0.3.3.tar.bz2 deleted file mode 100644 index 62b970e..0000000 --- a/cepces-0.3.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:22a03ce3e124ba9b4bdea9e3719d76e497af445980fe449999ec93c27f432e66 -size 42434 diff --git a/cepces-0.3.4.tar.bz2 b/cepces-0.3.4.tar.bz2 new file mode 100644 index 0000000..db2028a --- /dev/null +++ b/cepces-0.3.4.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:59f4d56d98c64ecb7d57d063a47970482afe12b0fd3b2ad3aea22b736b48939b +size 42901 diff --git a/cepces.changes b/cepces.changes index 5a631f1..a3d5708 100644 --- a/cepces.changes +++ b/cepces.changes 
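Review bot: The value that replaces `develop` in the `_service` hunk is again a branch name (`master`), so the tree packed into `cepces-0.3.4.tar.bz2` depends on where that branch pointed when the service ran, and the same hunk moves the origin from `ufven/cepces` to `openSUSE/cepces`. The element names are not visible on this page; assuming this is the SCM service's revision parameter, pinning it to the release tag or commit, e.g. `<param name="revision">RELEASE_TAG_OR_COMMIT</param>` (placeholder), would make the input reproducible. The sha256 in the new LFS pointer fixes the stored tarball but not which upstream commit produced it. Since the three local patches are dropped in the same commit, the new tarball should be checked to contain them before this is accepted.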
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jul 12 16:24:51 UTC 2021 - David Mulder + +- v0.3.4: Allow overriding of parameters from the command line + ------------------------------------------------------------------- Tue Jun 29 16:31:16 UTC 2021 - David Mulder diff --git a/cepces.spec b/cepces.spec index 891dfac..516f87f 100644 --- a/cepces.spec +++ b/cepces.spec @@ -1,5 +1,5 @@ # -# spec file for package cepces +# spec file # # Copyright (c) 2021 SUSE LLC # @@ -15,26 +15,24 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + %global app_name cepces %global selinux_variants targeted %global logdir %{_localstatedir}/log/%{app_name} Name: %{app_name} -Version: 0.3.3 -Release: 2%{?dist} +Version: 0.3.4 +Release: 0%{?dist} Summary: Certificate Enrollment through CEP/CES License: GPL-3.0-or-later URL: https://github.com/ufven/%{app_name} Source0: %{name}-%{version}.tar.bz2 -Patch0: 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch -Patch1: 0001-add-SELinux-permissions-for-RHEL-6.patch -Patch2: 0001-Added-Kerberos-delegation.patch BuildArch: noarch -Requires: python3-%{app_name} == %{version} Requires: %{app_name}-certmonger == %{version} Requires: %{app_name}-selinux == %{version} +Requires: python3-%{app_name} == %{version} %description %{app_name} is an application for enrolling certificates through CEP and CES. @@ -43,11 +41,11 @@ It currently only operates through certmonger. %package -n python3-%{app_name} Summary: Python part of %{app_name} -BuildRequires: python3-devel -BuildRequires: python3-setuptools BuildRequires: python3-cryptography >= 1.2 +BuildRequires: python3-devel BuildRequires: python3-requests BuildRequires: python3-requests-kerberos >= 0.9 +BuildRequires: python3-setuptools Requires: python3-cryptography >= 1.2 Requires: python3-requests 
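Review bot: The `URL:` tag left unchanged in the `@@ -15,26 +15,24 @@` hunk of `cepces.spec` still reads `https://github.com/ufven/%{app_name}`, while `_service` in this commit now fetches from `https://github.com/openSUSE/cepces.git`, so the package metadata points at a different repository than the one the tarball is built from. If the openSUSE repository is now the source of record, the tag should follow it: `URL: https://github.com/openSUSE/%{app_name}`. The new `cepces.changes` entry mentions only the version bump; it is also the natural place to record the origin switch and the three dropped patches.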
@@ -79,9 +77,6 @@ SELinux support for %{app_name} %prep %setup -q -n %{app_name}-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 %build %py3_build