Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cepces for openSUSE:Factory checked in at 2021-07-16 22:12:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cepces (Old) and /work/SRC/openSUSE:Factory/.cepces.new.2632 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cepces" Fri Jul 16 22:12:52 2021 rev:2 rq:906537 version:0.3.4 Changes: -------- --- /work/SRC/openSUSE:Factory/cepces/cepces.changes 2021-07-08 22:49:53.243789196 +0200 +++ /work/SRC/openSUSE:Factory/.cepces.new.2632/cepces.changes 2021-07-16 22:13:25.426541212 +0200 @@ -1,0 +2,8 @@ +Mon Jul 12 16:24:51 UTC 2021 - David Mulder <dmul...@suse.com> + +- v0.3.4: Allow overriding of parameters from the command line + - Removed upstreamed patch 0001-Added-Kerberos-delegation.patch + - Removed upstreamed patch 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch + - Removed upstreamed patch 0001-add-SELinux-permissions-for-RHEL-6.patch + +------------------------------------------------------------------- Old: ---- 0001-Added-Kerberos-delegation.patch 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch 0001-add-SELinux-permissions-for-RHEL-6.patch cepces-0.3.3.tar.bz2 New: ---- cepces-0.3.4.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cepces.spec ++++++ --- /var/tmp/diff_new_pack.czmTNA/_old 2021-07-16 22:13:25.934537623 +0200 +++ /var/tmp/diff_new_pack.czmTNA/_new 2021-07-16 22:13:25.938537594 +0200 @@ -1,5 +1,5 @@ # -# spec file for package cepces +# spec file # # Copyright (c) 2021 SUSE LLC # 
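Review bot: The header comment of cepces.spec loses the package name in its first hunk: `# spec file for package cepces` becomes the bare `# spec file`, which is the template wording with the name left out. Keep `# spec file for package cepces` so the header still identifies the package; the changelog hunk before it needs nothing.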
@@ -15,26 +15,24 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + %global app_name cepces %global selinux_variants targeted %global logdir %{_localstatedir}/log/%{app_name} Name: %{app_name} -Version: 0.3.3 -Release: 2%{?dist} +Version: 0.3.4 +Release: 0%{?dist} Summary: Certificate Enrollment through CEP/CES License: GPL-3.0-or-later URL: https://github.com/ufven/%{app_name} Source0: %{name}-%{version}.tar.bz2 -Patch0: 0001-Allow-overriding-of-server-auth-from-the-command-lin.patch -Patch1: 0001-add-SELinux-permissions-for-RHEL-6.patch -Patch2: 0001-Added-Kerberos-delegation.patch BuildArch: noarch -Requires: python3-%{app_name} == %{version} Requires: %{app_name}-certmonger == %{version} Requires: %{app_name}-selinux == %{version} +Requires: python3-%{app_name} == %{version} %description %{app_name} is an application for enrolling certificates through CEP and CES. @@ -43,11 +41,11 @@ %package -n python3-%{app_name} Summary: Python part of %{app_name} -BuildRequires: python3-devel -BuildRequires: python3-setuptools BuildRequires: python3-cryptography >= 1.2 +BuildRequires: python3-devel BuildRequires: python3-requests BuildRequires: python3-requests-kerberos >= 0.9 +BuildRequires: python3-setuptools Requires: python3-cryptography >= 1.2 Requires: python3-requests @@ -79,9 +77,6 @@ %prep %setup -q -n %{app_name}-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 %build %py3_build ++++++ _service ++++++ --- /var/tmp/diff_new_pack.czmTNA/_old 2021-07-16 22:13:25.970537368 +0200 +++ /var/tmp/diff_new_pack.czmTNA/_new 2021-07-16 22:13:25.970537368 +0200 
@@ -1,8 +1,8 @@ <services> <service name="tar_scm" mode="disabled"> - <param name="url">https://github.com/ufven/cepces.git</param> + <param name="url">https://github.com/openSUSE/cepces.git</param> <param name="scm">git</param> - <param name="revision">develop</param> + <param name="revision">master</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> ++++++ cepces-0.3.3.tar.bz2 -> cepces-0.3.4.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/README.rst new/cepces-0.3.4/README.rst --- old/cepces-0.3.3/README.rst 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/README.rst 2021-07-14 21:44:47.000000000 +0200 @@ -3,14 +3,13 @@ ============================== ``cepces`` is an application for enrolling certificates through CEP and CES. It -currently requires `certmonger`_ to operate, but may eventually be extended to -a standalone application +requires `certmonger`_ to operate. Only simple deployments using Microsoft Active Directory Certificate Services -has been tested. +have been tested. For more up-to-date information and further documentation, please visit the -project's home page at: https://github.com/ufven/cepces +project's home page at: https://github.com/openSUSE/cepces Requirements ============ 
@@ -56,6 +55,13 @@ extension by either copying (or renaming) the file (i.e. ``cepces.conf.dist`` should be named ``cepces.conf``). +Alternatively, some configuration options can be specified from the command +line when adding a CA to `certmonger`_. For example: + +.. code-block:: bash + + getcert add-ca -c CA-name -e '/usr/libexec/certmonger/cepces-submit --server=ca-dns-name.suse.de --keytab=/etc/krb5.keytab --principals=MY-HOST$@SUSE.DE' + cepces.conf ----------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/bin/cepces-submit new/cepces-0.3.4/bin/cepces-submit --- old/cepces-0.3.3/bin/cepces-submit 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/bin/cepces-submit 2021-07-14 21:44:47.000000000 +0200 @@ -21,7 +21,9 @@ import logging import os +import sys import traceback +import argparse from cepces.certmonger.core import Result from cepces.certmonger.operation import Operation from cepces.config import Configuration @@ -29,7 +31,7 @@ from cepces.log import init_logging -def main(): +def main(global_overrides, krb5_overrides): """Main function.""" # Initialize logging. init_logging() @@ -42,7 +44,7 @@ if 'CERTMONGER_OPERATION' not in os.environ: logger.error('Missing environment variable: CERTMONGER_OPERATION') - exit(Result.UNDERCONFIGURED) + sys.exit(Result.UNDERCONFIGURED) # Find all supported certmonger operations. for subclass in Operation.__subclasses__(): @@ -58,7 +60,8 @@ else: try: # Load the configuration and instantiate a service. - config = Configuration.load() + config = Configuration.load(global_overrides, + krb5_overrides) service = Service(config) # Call the operation. 
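Review bot: `Configuration.load(global_overrides, krb5_overrides)` passes the two override dicts positionally, but the new signature added in cepces/config.py is `load(cls, files=None, dirs=None, global_overrides=None, krb5_overrides=None)`, so they bind to `files` and `dirs` and the `--server`/`--auth`/`--keytab`/`--principals` values never reach the override loop. What `load` then does with a dict in `files`/`dirs` is outside this page, but either way the command-line overrides are lost. Pass them by keyword: `config = Configuration.load(global_overrides=global_overrides, krb5_overrides=krb5_overrides)`. main() starts in the previous hunk and continues past this one.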
@@ -67,8 +70,34 @@
 except Exception:
 logger.error(traceback.format_exc())
 
- exit(result)
+ sys.exit(result)
 
 
 if __name__ == '__main__':
- main()
+ parser = argparse.ArgumentParser(
+ description='cepces submission helper for certmonger')
+ parser.add_argument('--server',
+ help='Hostname of the issuing certification authority')
+ parser.add_argument('--auth',
+ help='Authentication mechanism used for connecting to the service',
+ choices=['Anonymous', 'Kerberos',
+ 'UsernamePassword', 'Certificate'],
+ default='Kerberos')
+ parser.add_argument('--keytab', help='Use the specified keytab')
+ parser.add_argument('--principals',
+ help='A list of principals to try when requesting a ticket')
+ args = parser.parse_args()
+ if args.server is not None:
+ g_overrides = { 'server': args.server, 'auth': args.auth }
+ endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % \
+ (args.server, args.auth)
+ g_overrides['endpoint'] = endpoint
+ else:
+ g_overrides = {}
+ k_overrides = {}
+ if args.keytab is not None:
+ k_overrides['keytab'] = args.keytab
+ if args.principals is not None:
+ k_overrides['principals'] = args.principals
+
+ main(g_overrides, k_overrides)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/__init__.py new/cepces-0.3.4/cepces/__init__.py
--- old/cepces-0.3.3/cepces/__init__.py 2020-05-27 17:22:09.000000000 +0200
+++ new/cepces-0.3.4/cepces/__init__.py 2021-07-14 21:44:47.000000000 +0200
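Review bot: `--auth` is silently ignored unless `--server` is also given: `'auth': args.auth` is only written into `g_overrides` inside the `if args.server is not None` branch, so `cepces-submit --auth UsernamePassword` on its own leaves the configured mechanism untouched with no diagnostic. Giving `--auth` no argparse default and rejecting it without `--server` through `parser.error` makes the dependency explicit, with `Kerberos` applied only where the endpoint is actually derived. Separately, `args.server` is formatted straight into `https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP` with no check that it matches its own help text (`Hostname of the issuing certification authority`), so a value carrying URL delimiters changes the path or authority of the endpoint; refuse such values before building the URL. The `sys.exit(result)` context at the top of the hunk belongs to main(), which starts outside it.
```python
parser.add_argument('--auth',
                    help='Authentication mechanism used for connecting to the service',
                    choices=['Anonymous', 'Kerberos',
                             'UsernamePassword', 'Certificate'])
# … unchanged: --keytab and --principals arguments …
args = parser.parse_args()
if args.server is not None:
    if any(c in args.server for c in '/?#@'):
        parser.error('--server must be a bare hostname')
    auth = args.auth if args.auth is not None else 'Kerberos'
    g_overrides = {'server': args.server, 'auth': auth}
    endpoint = 'https://%s/ADPolicyProvider_CEP_%s/service.svc/CEP' % \
        (args.server, auth)
    g_overrides['endpoint'] = endpoint
elif args.auth is not None:
    parser.error('--auth requires --server')
else:
    g_overrides = {}
# … unchanged: keytab / principals overrides and the main() call …
```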
@@ -23,14 +23,14 @@ __title__ = 'cepces' __description__ = 'CEP/CES library.' __url__ = 'https://github.com/ufven/cepces/' -__version__ = '0.3.3' +__version__ = '0.3.4' __author__ = 'Daniel Uvehag' __author_email__ = 'daniel.uve...@gmail.com' __license__ = 'GPLv3' __copyright__ = 'Copyright 2017 Daniel Uvehag' -class Base(object): +class Base(): """Base for most classes. This class contains common behaviour for all classes used within the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/auth.py new/cepces-0.3.4/cepces/auth.py --- old/cepces-0.3.3/cepces/auth.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/auth.py 2021-07-14 21:44:47.000000000 +0200 @@ -32,7 +32,6 @@ @abstractmethod def handle(self): """Constructs and returns a SOAPAuth authentication handler.""" - pass class AnonymousAuthenticationHandler(AuthenticationHandler): @@ -66,10 +65,10 @@ try: etypes.append(KerberosEncryptionType[etype]) - except KeyError: + except KeyError as e: raise RuntimeError( 'Unknown encryption type: {}'.format(enctype), - ) + ) from e # Figure out which principal to use. auth = None diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/config.py new/cepces-0.3.4/cepces/config.py --- old/cepces-0.3.3/cepces/config.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/config.py 2021-07-14 21:44:47.000000000 +0200 @@ -84,7 +84,8 @@ return self._auth @classmethod - def load(cls, files=None, dirs=None): + def load(cls, files=None, dirs=None, global_overrides=None, + krb5_overrides=None): """Load configuration files and directories and instantiate a new Configuration.""" name = '{}.{}'.format( 
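Review bot: `__url__ = 'https://github.com/ufven/cepces/'`, the context line just above the version bump in cepces/__init__.py, still names the original author's repository, while README.rst and _service in this same commit move the project home to openSUSE/cepces. Unless the package metadata is deliberately kept on the upstream author, the URL here should follow, `__url__ = 'https://github.com/openSUSE/cepces/'`. The `class Base():` change and the `from e` chaining in cepces/auth.py are fine.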
@@ -128,6 +129,14 @@ logger.debug('Reading: {0:s}'.format(path.__str__())) config.read(path) + # Override globals set from the command line + if global_overrides is not None: + for key, val in global_overrides.items(): + config['global'][key] = val + if krb5_overrides is not None: + for key, val in krb5_overrides.items(): + config['kerberos'][key] = val + return Configuration.from_parser(config) @classmethod diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/core.py new/cepces-0.3.4/cepces/core.py --- old/cepces-0.3.3/cepces/core.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/core.py 2021-07-14 21:44:47.000000000 +0200 @@ -135,7 +135,7 @@ ), ) - return [x for x in sorted(endpoints, key=lambda x: x.priority)] + return sorted(endpoints, key=lambda x: x.priority) @property def certificate_chain(self, index=0): @@ -177,8 +177,7 @@ r.token = cert return r - else: - return None + return None def _request_cep(self, csr, renew=False): """Request a certificate with a CSR through a CEP endpoint.""" @@ -232,8 +231,7 @@ r.token = cert return r - else: - return None + return None def _verify_certificate_signature(self, cert, issuer): """Verify that the certificate is signed. 
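Review bot: `config['global'][key] = val` and `config['kerberos'][key] = val` raise `KeyError` when none of the files read above defines that section, and ConfigParser (which `config.read(path)` suggests this is) also raises `TypeError` for a non-string value, so a missing `[kerberos]` section turns a command-line override into a traceback rather than a usable configuration. Creating the section first and logging each override at debug level, as the file reads already are, keeps the override path observable and tolerant of partial configuration files. The two new parameters also deserve a sentence in the `load` docstring, which the previous hunk of this file extends only in the signature (`global_overrides` / `krb5_overrides`: option name to string value, applied to `[global]` / `[kerberos]` after all files are read). `load` starts outside this hunk.
```python
        # Apply command-line overrides on top of what the files defined.
        # ConfigParser accepts only str values, so callers must pass strings.
        for section, overrides in (('global', global_overrides),
                                   ('kerberos', krb5_overrides)):
            if not overrides:
                continue
            if not config.has_section(section):
                config.add_section(section)
            for key, val in overrides.items():
                logger.debug('Overriding [{0:s}] {1:s} from the command '
                             'line'.format(section, key))
                config[section][key] = val

        return Configuration.from_parser(config)
```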
@@ -328,11 +326,11 @@ if parent: result.extend(parent) - except x509.ExtensionNotFound: - raise PartialChainError('Missing AIA', result) + except x509.ExtensionNotFound as e: + raise PartialChainError('Missing AIA', result) from e except requests.exceptions.RequestException as e: - raise PartialChainError(e, result) + raise PartialChainError(e, result) from e except InvalidSignature as e: - raise PartialChainError(e, result) + raise PartialChainError(e, result) from e return result diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/krb5/types.py new/cepces-0.3.4/cepces/krb5/types.py --- old/cepces-0.3.3/cepces/krb5/types.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/krb5/types.py 2021-07-14 21:44:47.000000000 +0200 @@ -103,12 +103,10 @@ # prevents that behaviour. class c_char_p_n(ctypes.c_char_p): """Opaque class for a character pointer.""" - pass class _krb5_context(ctypes.Structure): """Opaque structure for a Kerberos context.""" - pass krb5_context = ctypes.POINTER(_krb5_context) @@ -116,7 +114,6 @@ class _krb5_kt(ctypes.Structure): """Opaque structure for a Kerberos keytab.""" - pass krb5_keytab = ctypes.POINTER(_krb5_kt) @@ -124,7 +121,6 @@ class krb5_principal_data(ctypes.Structure): """Opaque structure for a Kerberos principal data.""" - pass krb5_principal = ctypes.POINTER(krb5_principal_data) @@ -169,7 +165,6 @@ class _krb5_ccache(ctypes.Structure): """Opaque structure for a Kerberos credential cache.""" - pass krb5_ccache = ctypes.POINTER(_krb5_ccache) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/soap/auth.py new/cepces-0.3.4/cepces/soap/auth.py --- old/cepces-0.3.3/cepces/soap/auth.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/soap/auth.py 2021-07-14 21:44:47.000000000 +0200 
@@ -21,11 +21,11 @@ """This module contains SOAP related authentication.""" from abc import ABCMeta, abstractmethod, abstractproperty import os +from requests_kerberos import HTTPKerberosAuth from cepces import Base from cepces.krb5 import types as ktypes from cepces.krb5.core import Context, Keytab, Principal from cepces.krb5.core import CredentialOptions, Credentials, CredentialCache -from requests_kerberos import HTTPKerberosAuth class Authentication(Base, metaclass=ABCMeta): @@ -34,12 +34,10 @@ def transport(self): """Property containing authentication mechanism for the transport layer (i.e. requests).""" - pass @abstractmethod def post_process(self, envelope): """Method for securing (post processing) a SOAP envelope.""" - pass class AnonymousAuthentication(Authentication): @@ -114,7 +112,8 @@ os.environ["KRB5CCNAME"] = ccache_name def _init_transport(self): - self._transport = HTTPKerberosAuth(principal=self._config['name']) + self._transport = HTTPKerberosAuth(principal=self._config['name'], + delegate=True) @property def transport(self): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/xml/binding.py new/cepces-0.3.4/cepces/xml/binding.py --- old/cepces-0.3.3/cepces/xml/binding.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/xml/binding.py 2021-07-14 21:44:47.000000000 +0200 @@ -75,7 +75,7 @@ `XMLDescriptor` properties in their declared order. """ - def __new__(mcs, name, bases, class_dict): + def __new__(cls, name, bases, class_dict): def is_member(member): """Checks if a member is an XMLDescriptor.""" # Only return members that are instances of XMLDescriptor. @@ -83,7 +83,7 @@ return result # Create a new class. - klass = type.__new__(mcs, name, bases, class_dict) + klass = type.__new__(cls, name, bases, class_dict) members = inspect.getmembers(klass, is_member) klass.__listing__ = sorted(members, key=lambda i: i[1]._index) 
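Review bot: `delegate=True` in `_init_transport` enables Kerberos credential delegation unconditionally: with that flag `HTTPKerberosAuth` asks for the delegation option in the GSSAPI exchange, so the client's forwardable credentials are presumably handed to whatever host the configured server resolves to on every request. Whether the CES front end needs to act on the client's behalf is a per-deployment decision and belongs in the configuration with a default of off, e.g. `delegate=self._config.get('delegate', False)` if `self._config` is a plain mapping, with the key name being the project's choice. The change also lands without a comment; a one-liner such as `# Forward the client's credentials so the CES front end can reach the CA as this host` would record the intent. This is the hunk most worth raising in cepces/soap/auth.py; the import reorder and the `pass` removals above it are cosmetic.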
@@ -483,3 +483,4 @@ instance._bindings[hash(self)] = binder return binder + return None diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/cepces/xml/converter.py new/cepces-0.3.4/cepces/xml/converter.py --- old/cepces-0.3.3/cepces/xml/converter.py 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/cepces/xml/converter.py 2021-07-14 21:44:47.000000000 +0200 @@ -22,7 +22,7 @@ import textwrap -class Converter(object): +class Converter(): """A base class for any value converter. It is responsible for converting an arbitrary input to and from a string @@ -77,7 +77,7 @@ StringConverter = Converter -class BooleanConverter(object): +class BooleanConverter(): """Boolean Converter""" MAP = { 'true': True, @@ -120,7 +120,7 @@ return None -class IntegerConverter(object): +class IntegerConverter(): """Converts to and from integers.""" @staticmethod def from_string(value): @@ -150,7 +150,7 @@ return Converter.to_string(value, int) -class RangedIntegerConverter(object): +class RangedIntegerConverter(): """Converts to and from integers with a range constraint.""" @staticmethod @@ -393,7 +393,7 @@ ) -class CertificateConverter(object): +class CertificateConverter(): """Converts to and from PEM certificates.""" @staticmethod def from_string(value): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/conf/cepces.conf.dist new/cepces-0.3.4/conf/cepces.conf.dist --- old/cepces-0.3.3/conf/cepces.conf.dist 2020-05-27 17:22:09.000000000 +0200 +++ new/cepces-0.3.4/conf/cepces.conf.dist 2021-07-14 21:44:47.000000000 +0200 
@@ -68,6 +68,7 @@
 #
 # Default: <empty list>
 principals=
+ ${shortname}$$
 ${SHORTNAME}$$
 host/${SHORTNAME}
 host/${fqdn}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cepces-0.3.3/selinux/cepces.te new/cepces-0.3.4/selinux/cepces.te
--- old/cepces-0.3.3/selinux/cepces.te 2020-05-27 17:22:09.000000000 +0200
+++ new/cepces-0.3.4/selinux/cepces.te 2021-07-14 21:44:47.000000000 +0200
@@ -1,7 +1,9 @@
-policy_module(cepces, 0.3.1)
+policy_module(cepces, 0.3.4)
 
 require {
 type certmonger_t;
+ type kernel_t;
+ type ldconfig_exec_t;
 }
 
 type cepces_log_t;
@@ -9,3 +11,6 @@
 
 allow certmonger_t cepces_log_t:dir { add_name search write };
 allow certmonger_t cepces_log_t:file { create open };
+
+allow certmonger_t kernel_t:system module_request;
+allow certmonger_t ldconfig_exec_t:file { read execute open execute_no_trans };
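Review bot: The two new `allow` rules arrive without a comment saying which denial each one fixes, and both widen certmonger's domain: `module_request` lets certmonger_t ask the kernel to autoload modules, and `{ read execute open execute_no_trans }` on `ldconfig_exec_t` runs ldconfig inside certmonger_t instead of through a domain transition. Presumably this is ctypes locating the Kerberos library (`ctypes.util.find_library` runs `ldconfig -p`), which the krb5/types.py hunk above makes plausible but nothing on this page confirms; a comment such as `# ctypes.util.find_library() runs 'ldconfig -p' from within certmonger_t` above the rule lets the next reviewer check whether it is still needed. If the `module_request` grant stems from a single noisy denial rather than a real need, a `dontaudit` rule would be the narrower fix. The policy_module version bump and the `principals=` default added in cepces.conf.dist need nothing.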