commit 5d40dff8d5a87a36b09e79ee021db0ba7a0c01066c3c51e83e6526c055ae477e Author: Neal Gompa Date: Fri Jul 2 10:43:16 2021 +0000 Accepting request 903556 from home:dmulder:certmonger This is a dependency of Samba's Certificate Auto Enrollment. It extends certmonger to support auto enrollment to a Microsoft CA. OBS-URL: https://build.opensuse.org/request/show/903556 OBS-URL: https://build.opensuse.org/package/show/security:idm/cepces?expand=0&rev=1 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-Added-Kerberos-delegation.patch b/0001-Added-Kerberos-delegation.patch new file mode 100644 index 0000000..72ccac5 --- /dev/null +++ b/0001-Added-Kerberos-delegation.patch 
@@ -0,0 +1,25 @@
+From 96b613e5fdb8c109a501a93a8b3f1bfa190054ec Mon Sep 17 00:00:00 2001
+From: Arthur Heijnen
+Date: Fri, 21 May 2021 18:43:01 +0200
+Subject: [PATCH] Added Kerberos delegation
+
+---
+ cepces/soap/auth.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cepces/soap/auth.py b/cepces/soap/auth.py
+index 14ba785..17f06ca 100644
+--- a/cepces/soap/auth.py
++++ b/cepces/soap/auth.py
+@@ -114,7 +114,7 @@ class TransportKerberosAuthentication(Authentication):
+ os.environ["KRB5CCNAME"] = ccache_name
+
+ def _init_transport(self):
+- self._transport = HTTPKerberosAuth(principal=self._config['name'])
++ self._transport = HTTPKerberosAuth(principal=self._config['name'], delegate=True)
+
+ @property
+ def transport(self):
+--
+2.31.1
+
diff --git a/0001-Allow-overriding-of-server-auth-from-the-command-lin.patch b/0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
new file mode 100644
index 0000000..972b2a3
--- /dev/null
+++ b/0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
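Review bot: `delegate=True` in `_init_transport` hard-codes GSSAPI credential delegation for every CEP/CES request, so the caller's forwardable Kerberos credentials are handed to whichever host the configured endpoint resolves to; as far as I recall requests-kerberos maps this to GSS_C_DELEG_FLAG, which delegates unconditionally rather than honouring the KDC's ok-as-delegate bit. Delegation is presumably needed because the CES web service requests the certificate from the CA on the client's behalf, but a credential-forwarding decision belongs in the configuration, off by default, e.g. `delegate = str(self._config.get('delegate', 'false')).lower() == 'true'` followed by `HTTPKerberosAuth(principal=self._config['name'], delegate=delegate)` (assuming `self._config` is a mapping, as the `self._config['name']` lookup suggests). A short comment above the call stating why delegation is required would also help, since the patch description is a single line. The enclosing class `TransportKerberosAuthentication` begins outside the hunk, so I cannot see whether a config schema already lists the accepted keys.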
@@ -0,0 +1,84 @@
+From 2a14f639aa32948a505c0829344bfef65b8bf9b0 Mon Sep 17 00:00:00 2001
+From: David Mulder
+Date: Wed, 30 Jun 2021 09:47:29 -0600
+Subject: [PATCH] Allow overriding of server/auth from the command line
+
+Allowing the overriding of the auth and server
+parameters from the command line makes it
+possible to enroll with multiple CAs.
+---
+ bin/cepces-submit | 20 +++++++++++++++++---
+ cepces/config.py | 6 +++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/bin/cepces-submit b/bin/cepces-submit
+index 1fd7b4b..6614db8 100755
+--- a/bin/cepces-submit
++++ b/bin/cepces-submit
+@@ -27,9 +27,10 @@ from cepces.certmonger.operation import Operation
+ from cepces.config import Configuration
+ from cepces.core import Service
+ from cepces.log import init_logging
++import argparse
+
+
+-def main():
++def main(global_overrides):
+ """Main function."""
+ # Initialize logging.
+ init_logging()
+@@ -58,7 +59,7 @@ def main():
+ else:
+ try:
+ # Load the configuration and instantiate a service.
+- config = Configuration.load()
++ config = Configuration.load(global_overrides=global_overrides)
+ service = Service(config)
+
+ # Call the operation.
+@@ -71,4 +72,17 @@ def main():
+
+
+ if __name__ == '__main__':
+- main()
++ parser = argparse.ArgumentParser(description='cepces submission helper for certmonger')
++ parser.add_argument('--server', help='Hostname of the issuing certification authority')
++ parser.add_argument('--auth', help='Authentication mechanism used for connecting to the service',
++ choices=['Anonymous', 'Kerberos', 'UsernamePassword', 'Certificate'],
++ default='Kerberos')
++ args = parser.parse_args()
++ if args.server is not None:
++ global_overrides = args.__dict__
++ endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % (args.server, args.auth)
++ global_overrides['endpoint'] = endpoint
++ else:
++ global_overrides = {}
++
++ main(global_overrides)
+diff --git a/cepces/config.py b/cepces/config.py
+index 427f38f..acecb6f 100644
+--- a/cepces/config.py
++++ b/cepces/config.py
+@@ -84,7 +84,7 @@ class Configuration(Base):
+ return self._auth
+
+ @classmethod
+- def load(cls, files=None, dirs=None):
++ def load(cls, files=None, dirs=None, global_overrides={}):
+ """Load configuration files and directories and instantiate a new
+ Configuration."""
+ name = '{}.{}'.format(
+@@ -128,6 +128,10 @@ class Configuration(Base):
+ logger.debug('Reading: {0:s}'.format(path.__str__()))
+ config.read(path)
+
++ # Override globals set from the command line
++ for key, val in global_overrides.items():
++ config['global'][key] = val
++
+ return Configuration.from_parser(config)
+
+ @classmethod
+--
+2.31.1
+
diff --git a/0001-add-SELinux-permissions-for-RHEL-6.patch b/0001-add-SELinux-permissions-for-RHEL-6.patch
new file mode 100644
index 0000000..070d866
--- /dev/null
+++ b/0001-add-SELinux-permissions-for-RHEL-6.patch
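Review bot: The `--server` value is interpolated unchecked into `'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % (args.server, args.auth)`, so anything containing `/`, `@`, `?` or `#` rewrites the path or authority of the endpoint the authenticated request is then sent to, and because the `endpoint` override is written over the `[global]` section it wins over whatever the config file says. certmonger passes these arguments from its root-owned CA definition, so this is hardening rather than a remote bug, but the check is one line (with `import re`): `if not re.fullmatch(r'[A-Za-z0-9.-]+(:[0-9]{1,5})?', args.server): parser.error('--server must be a hostname[:port]')`. In `Configuration.load`, `global_overrides={}` is a mutable default argument; it is only read here, but `global_overrides=None` with `for key, val in (global_overrides or {}).items():` avoids the trap, and `config['global'][key] = val` will raise a bare `KeyError` if no file supplied a `[global]` section. `vars(args)` is the idiomatic form of `args.__dict__`.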
@@ -0,0 +1,34 @@ +From f199d74088af35e5186c758aba249e88154e9644 Mon Sep 17 00:00:00 2001 +From: James Cassell +Date: Thu, 13 Feb 2020 06:57:56 -0500 +Subject: [PATCH] add SELinux permissions for RHEL 6 + +--- + selinux/cepces.te | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/selinux/cepces.te b/selinux/cepces.te +index 4a4d9da..c346dd0 100644 +--- a/selinux/cepces.te ++++ b/selinux/cepces.te +@@ -1,7 +1,9 @@ +-policy_module(cepces, 0.3.1) ++policy_module(cepces, 0.3.2) + + require { + type certmonger_t; ++ type kernel_t; ++ type ldconfig_exec_t; + } + + type cepces_log_t; +@@ -9,3 +11,6 @@ logging_log_file(cepces_log_t) + + allow certmonger_t cepces_log_t:dir { add_name search write }; + allow certmonger_t cepces_log_t:file { create open }; ++ ++allow certmonger_t kernel_t:system module_request; ++allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans }; +-- +2.31.1 + diff --git a/_service b/_service new file mode 100644 index 0000000..77b173d --- /dev/null +++ b/_service @@ -0,0 +1,29 @@ + + + https://github.com/ufven/cepces.git + git + develop + @PARENT_TAG@ + v(.*) + \1 + cepces + .git + + + + cepces + ^cepces-([^/]+) + cepces.spec + + + + cepces + ^cepces-([^/]+) + cepces.changes + + + + *.tar + bz2 + + diff --git a/cepces-0.3.3.tar.bz2 b/cepces-0.3.3.tar.bz2 new file mode 100644 index 0000000..62b970e --- /dev/null +++ b/cepces-0.3.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:22a03ce3e124ba9b4bdea9e3719d76e497af445980fe449999ec93c27f432e66 +size 42434 diff --git a/cepces.changes b/cepces.changes new file mode 100644 index 0000000..5a631f1 --- /dev/null +++ b/cepces.changes 
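Review bot: The two new raw rules `allow certmonger_t kernel_t:system module_request;` and `allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans };` widen the certmonger domain far beyond the log-directory access the rest of this module grants: module_request lets the domain trigger kernel module autoloading, and execute_no_trans runs ldconfig inside certmonger_t instead of in its own domain. The refpolicy interfaces `kernel_request_load_module(certmonger_t)` and `libs_exec_ldconfig(certmonger_t)` express the same intent without the hand-written `require { type kernel_t; type ldconfig_exec_t; }` block and stay correct if the base policy renames or splits those types. The subject says this is for RHEL 6, but nothing in the patch records which AVC denial motivated it (presumably a Python extension loading a shared library), so a comment above the rules naming the denial and the platform would tell a maintainer when they can be dropped or gated behind a distro `ifdef`.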
@@ -0,0 +1,30 @@
+-------------------------------------------------------------------
+Tue Jun 29 16:31:16 UTC 2021 - David Mulder
+
+- v0.3.3: Initial submission of sources; (jsc#SLE-18457).
+
+-------------------------------------------------------------------
+Mon Jul 29 2019 - Daniel Uvehag - 0.3.3-2
+
+- Add missing log directory
+
+-------------------------------------------------------------------
+Mon Jul 29 2019 - Daniel Uvehag - 0.3.3-1
+
+- Update to version 0.3.3-1
+
+-------------------------------------------------------------------
+Mon Feb 05 2018 - Daniel Uvehag - 0.3.0-1
+
+- Update to version 0.3.0-1
+
+-------------------------------------------------------------------
+Thu Feb 01 2018 - Daniel Uvehag - 0.2.1-1
+
+- Update to version 0.2.1-1
+
+-------------------------------------------------------------------
+Mon Jun 27 2016 - Daniel Uvehag - 0.1.0-1
+
+- Initial package.
+
diff --git a/cepces.spec b/cepces.spec
new file mode 100644
index 0000000..891dfac
--- /dev/null
+++ b/cepces.spec
@@ -0,0 +1,186 @@
+#
+# spec file for package cepces
+#
+# Copyright (c) 2021 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%global app_name cepces
+%global selinux_variants targeted
+%global logdir %{_localstatedir}/log/%{app_name}
+
+Name: %{app_name}
+Version: 0.3.3
+Release: 2%{?dist}
+Summary: Certificate Enrollment through CEP/CES
+
+License: GPL-3.0-or-later
+URL: https://github.com/ufven/%{app_name}
+Source0: %{name}-%{version}.tar.bz2
+Patch0: 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch
+Patch1: 0001-add-SELinux-permissions-for-RHEL-6.patch
+Patch2: 0001-Added-Kerberos-delegation.patch
+BuildArch: noarch
+
+Requires: python3-%{app_name} == %{version}
+Requires: %{app_name}-certmonger == %{version}
+Requires: %{app_name}-selinux == %{version}
+
+%description
+%{app_name} is an application for enrolling certificates through CEP and CES.
+It currently only operates through certmonger.
+
+%package -n python3-%{app_name}
+Summary: Python part of %{app_name}
+
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-cryptography >= 1.2
+BuildRequires: python3-requests
+BuildRequires: python3-requests-kerberos >= 0.9
+
+Requires: python3-cryptography >= 1.2
+Requires: python3-requests
+Requires: python3-requests-kerberos >= 0.9
+
+%description -n python3-%{app_name}
+%{app_name} is an application for enrolling certificates through CEP and CES.
+This package provides the Python part for CEP and CES interaction.
+
+%package certmonger
+Summary: certmonger integration for %{app_name}
+
+Requires: certmonger
+
+%description certmonger
+%{app_name} is an application for enrolling certificates through CEP and CES.
+This package provides the certmonger integration.
+
+%package selinux
+Summary: SELinux support for %{app_name}
+
+BuildRequires: selinux-policy-devel
+
+Requires: selinux-policy
+Requires(post): selinux-policy-targeted
+
+%description selinux
+SELinux support for %{app_name}
+
+%prep
+%setup -q -n %{app_name}-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+
+%build
+%py3_build
+
+# Build the SELinux module(s).
+for SELINUXVARIANT in %{selinux_variants}; do
+ make -C selinux clean all
+ mv -v selinux/%{app_name}.pp selinux/%{app_name}-${SELINUXVARIANT}.pp
+done
+
+%install
+%py3_install
+
+install -d -m 0700 %{buildroot}%{logdir}
+
+# Install the SELinux module(s).
+rm -fv selinux-files.txt
+
+for SELINUXVARIANT in %{selinux_variants}; do
+ install -d %{buildroot}%{_datadir}/selinux/${SELINUXVARIANT}
+ install -p -m 644 selinux/%{app_name}-${SELINUXVARIANT}.pp \
+ %{buildroot}%{_datadir}/selinux/${SELINUXVARIANT}/%{app_name}.pp
+
+ echo %{_datadir}/selinux/${SELINUXVARIANT}/%{app_name}.pp >> \
+ selinux-files.txt
+done
+
+# Install configuration files.
+install -d %{buildroot}%{_sysconfdir}/%{app_name}
+install -p -m 644 conf/cepces.conf.dist \
+ %{buildroot}%{_sysconfdir}/%{app_name}/cepces.conf
+install -p -m 644 conf/logging.conf.dist \
+ %{buildroot}%{_sysconfdir}/%{app_name}/logging.conf
+
+install -d %{buildroot}%{_libexecdir}/certmonger
+install -p -m 755 bin/%{app_name}-submit \
+ %{buildroot}%{_libexecdir}/certmonger/%{app_name}-submit
+
+# Remove unused executables and configuration files.
+%{__rm} -rfv %{buildroot}/usr/local/etc
+%{__rm} -rfv %{buildroot}/usr/local/libexec/certmonger
+
+sed -i 's/\/usr\/bin\/env python3/\/usr\/bin\/python3/g' %{buildroot}%{_libexecdir}/certmonger/%{app_name}-submit
+
+%post selinux
+for SELINUXVARIANT in %{selinux_variants}; do
+ %{_sbindir}/semodule -n -s ${SELINUXVARIANT} \
+ -i %{_datadir}/selinux/${SELINUXVARIANT}/%{app_name}.pp
+
+ if %{_sbindir}/selinuxenabled; then
+ %{_sbindir}/load_policy
+ fi
+done
+
+%postun selinux
+if [ $1 -eq 0 ]
+then
+ for SELINUXVARIANT in %{selinux_variants}; do
+ %{_sbindir}/semodule -n -s ${SELINUXVARIANT} -r %{app_name} > /dev/null || :
+
+ if %{_sbindir}/selinuxenabled; then
+ %{_sbindir}/load_policy
+ fi
+ done
+fi
+
+%post certmonger
+# Install the CA into certmonger.
+if [[ "$1" == "1" ]]; then
+ getcert add-ca -c %{app_name} \
+ -e %{_libexecdir}/certmonger/%{app_name}-submit >/dev/null || :
+fi
+
+%preun certmonger
+# Remove the CA from certmonger, unless it's an upgrade.
+if [[ "$1" == "0" ]]; then
+ getcert remove-ca -c %{app_name} >/dev/null || :
+fi
+
+%check
+%{__python3} setup.py test
+
+%files
+%doc LICENSE
+%doc README.rst
+%dir %{_sysconfdir}/%{app_name}/
+%config(noreplace) %{_sysconfdir}/%{app_name}/%{app_name}.conf
+%config(noreplace) %{_sysconfdir}/%{app_name}/logging.conf
+%dir %{logdir}
+
+%files -n python3-%{app_name}
+%{python3_sitelib}/%{app_name}
+%{python3_sitelib}/%{app_name}-%{version}-py?.?.egg-info
+
+%files certmonger
+%dir %{_libexecdir}/certmonger
+%{_libexecdir}/certmonger/%{app_name}-submit
+
+%files selinux -f selinux-files.txt
+%defattr(0644,root,root,0755)
+
+%changelog
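Review bot: `cepces.conf` is installed with `-m 644` and listed as `%config(noreplace)` without an `%attr`, so it ends up world-readable; the helper offers a `UsernamePassword` authentication mode, which makes this file the natural place for a site to put enrollment credentials that every local user could then read. Only certmonger, running as root, invokes `%{_libexecdir}/certmonger/cepces-submit`, so tightening to `install -p -m 600 conf/cepces.conf.dist ...` plus `%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/%{app_name}/%{app_name}.conf` loses nothing. I cannot see `conf/cepces.conf.dist`, so whether it actually carries a password field is an assumption worth confirming against upstream before changing the mode. The `%post certmonger` hook also hides a failing `getcert add-ca` behind `|| :`, which is the usual scriptlet choice but means a broken CA registration only surfaces at the first enrollment attempt.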