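%global package_name ipa-hcc

# Distribution detection: pick the IPA package name and the minimum IPA
# version whose ipa-client-install accepts the PKINIT options this
# extension relies on.
%if 0%{?rhel}
# RHEL 8, 9
%global ipa_name ipa
# ipa-client-install supports PKINIT options since 4.9.11 (RHEL 8.8)
# and 4.10.1 (RHEL 9.2).
%if 0%{?rhel} >= 9
# RHEL 9.2+ with PKINIT support in ipa-client-install
%global ipa_version 4.10.1
%global with_server 1
%else
# RHEL 8.8+ with PKINIT support in ipa-client-install
%global ipa_version 4.9.11
%global with_platform_python 1
%global with_server 1
%endif
%else
# Fedora 37+ with PKINIT support in ipa-client-install
%global ipa_name freeipa
%global ipa_version 4.10.1
%global with_server 1
%endif

# --without mockapi (enabled by default)
# includes mockapi server and client prepare for Ephemeral
%bcond_without mockapi
# --without stage_console (enabled by default)
# setup system for internal stage console
%bcond_without stage_console
# local development
%bcond_with devel

# Interpreter used by scriptlets, tests and the install targets.
%if %{with platform_python}
%global python /usr/libexec/platform-python
%else
%global python %{__python3}
%endif
%global python_sitelib %{python3_sitelib}

Name: %{package_name}
Version: 0.13.git.6.2f863817
Release: 1%{?dist}
Summary: Hybrid Cloud Console extension for IPA
BuildArch: noarch

License: GPLv3+
URL: https://github.com/podengo-project/ipa-hcc
VCS: git+https://github.com/podengo-project/ipa-hcc.git#2f8638175ae07fd2f25c59c9dc63e960531e32a0:
Source: ipa-hcc-2f863817.tar.gz

BuildRequires: python3-devel
%if %{with server}
BuildRequires: python3-ipaserver >= %{ipa_version}
%else
BuildRequires: python3-ipaclient >= %{ipa_version}
%endif
BuildRequires: python3-requests
BuildRequires: python3-systemd
BuildRequires: python3-sssdconfig
BuildRequires: python3-jsonschema
BuildRequires: python3-jwcrypto
BuildRequires: make
BuildRequires: openssl
BuildRequires: systemd-devel
BuildRequires: selinux-policy-devel
BuildRequires: subscription-manager-rhsm-certificates
%if %{with devel}
BuildRequires: ipa-client
BuildRequires: tox
BuildRequires: python3.6
BuildRequires: python3.9
BuildRequires: rpmlint
BuildRequires: nodejs-npm
BuildRequires: openldap-devel
BuildRequires: openldap-compat
BuildRequires: gcc
BuildRequires: krb5-devel
BuildRequires: python3-pyyaml
%endif

%description
An extension for IPA integration with Red Hat Hybrid Cloud Console.

%if %{with server}
%package server
Summary: Server plugin for IPA Hybrid Cloud Console extension
BuildArch: noarch
Provides: %{package_name}-common = %{version}
Conflicts: %{package_name}-common
Obsoletes: %{package_name}-common < %{version}
Provides: %{package_name}-server-plugin = %{version}
Conflicts: %{package_name}-server-plugin
Obsoletes: %{package_name}-server-plugin < %{version}
Provides: %{package_name}-registration-service = %{version}
Conflicts: %{package_name}-registration-service
Obsoletes: %{package_name}-registration-service < %{version}
Requires: %{ipa_name}-server >= %{ipa_version}
# The pre scriptlet below adds the service user to group 'ipaapi', so the
# IPA server package must already be installed when this package's
# scriptlets run, not merely be present at the end of the transaction.
Requires(pre): %{ipa_name}-server >= %{ipa_version}
Requires(post): %{ipa_name}-server >= %{ipa_version}
Requires: httpd
Requires: mod_ssl
Requires: python3-requests
Requires: selinux-policy
Requires(post): selinux-policy
%{?systemd_requires}

%description server
This package contains server plugins and WebUI for IPA Hybrid Cloud Console
extension.

%posttrans server
# Only touch the directory server when this host is an already configured
# IPA server; on a bare install the LDAP updates are applied by ipa-server-install.
%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    /usr/sbin/ipa-ldap-updater --quiet \
        --schema-file=%{_datadir}/ipa/schema.d/85-hcc.ldif \
        %{_datadir}/ipa/updates/85-hcc.update \
        %{_datadir}/ipa/updates/86-hcc-registration-service.update
    # restart httpd if running
    /bin/systemctl try-restart gssproxy.service httpd.service >/dev/null 2>&1 || :
fi

%pre server
# create user account for service
getent passwd ipahcc >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Hybrid Cloud Console enrollment service" ipahcc

%post server
# SELinux context for cache dir; best effort, semanage may be unavailable
/usr/sbin/semanage fcontext -a -f a -s system_u -t httpd_cache_t -r 's0' '/var/cache/ipa-hcc(/.*)?' 2>/dev/null || :
/usr/sbin/restorecon -R /var/cache/ipa-hcc || :
# ipa-hcc-update.timer is started by ipactl
%systemd_post ipa-hcc-update.service
%systemd_post ipa-hcc-update.timer
/bin/systemctl daemon-reload

%preun server
%systemd_preun ipa-hcc-update.service
%systemd_preun ipa-hcc-update.timer

%postun server
# $1 is 0 on final removal and 1 on upgrade. During an upgrade this
# scriptlet of the OLD version runs after the NEW version's post scriptlet,
# so undoing the SELinux file context and the KDC anchors line
# unconditionally would strip the configuration the new version just
# installed. Only clean up when the package is really being removed.
if [ $1 -eq 0 ]; then
    /usr/sbin/semanage fcontext -d '/var/cache/ipa-hcc(/.*)?' 2>/dev/null || :
    # remove pkinit_anchors line from KRB5 KDC config
    sed --in-place=.bak '/\/usr\/share\/ipa-hcc\/cacerts/d' /var/kerberos/krb5kdc/kdc.conf || :
fi
%systemd_postun ipa-hcc-update.service
%systemd_postun ipa-hcc-update.timer
# server
%endif

%if %{with mockapi}
%package mockapi
Summary: Automatic IPA client enrollment: Mock API
BuildArch: noarch
Requires: %{package_name}-server = %{version}
%{?systemd_requires}

%description mockapi
This package contains a Mock API for testing of automatic enrollment
service of IPA clients.

%posttrans mockapi
# Same configured-server check as the server subpackage.
%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    /usr/sbin/ipa-ldap-updater --quiet %{_datadir}/ipa/updates/87-hcc-mockapi.update
    # restart httpd if running
    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
fi

%package ephemeral
Summary: Automatic IPA client enrollment: Ephemeral client prepare
BuildArch: noarch
Requires: %{package_name}-client = %{version}
%{?systemd_requires}

%description ephemeral
This package contains a systemd service that hooks into the auto enrollment
process of IPA clients. It prepares the client for testing with Ephemeral
environment. The package also enables ipa-hcc-auto-enrollment.service.

%post ephemeral
%systemd_post ipa-hcc-client-prepare.service
/bin/systemctl daemon-reload

%posttrans ephemeral
/bin/systemctl enable ipa-hcc-client-prepare.service
/bin/systemctl enable ipa-hcc-auto-enrollment.service

%preun ephemeral
%systemd_preun ipa-hcc-client-prepare.service

%postun ephemeral
%systemd_postun_with_restart ipa-hcc-client-prepare.service
# mockapi and ephemeral client-prepare
%endif

%if %{with stage_console}
%package stage-console
Summary: IPA HCC: Stage Console configuration
BuildArch: noarch
Requires(post): python3
Requires(post): rhc
Requires(post): insights-client

%description stage-console
This package configures subscription manager, rhc, insights-client, and
ipa-hcc-auto-enrollment.service to use the internal Stage Console. The system
is reconfigured during package installation.

%posttrans stage-console
# Intentionally reconfigures the host at install time (see description).
/usr/libexec/ipa-hcc/ipa-hcc-stage-console --verbose stage.redhat.com
# stage_console
%endif

%package client
Summary: Automatic IPA client enrollment for Hybrid Cloud Console
BuildArch: noarch
Provides: %{package_name}-client-enrollment = %{version}
Conflicts: %{package_name}-client-enrollment
Obsoletes: %{package_name}-client-enrollment < %{version}
Requires: %{ipa_name}-client >= %{ipa_version}
# ipa-client RHEL 8.7, 9.1, and earlier, do not come with pkinit
Requires: krb5-pkinit-openssl
Recommends: rhc
Recommends: insights-client
%{?systemd_requires}

%description client
This package contains the automatic enrollment service for IPA clients.

%post client
%systemd_post ipa-hcc-auto-enrollment.service
/bin/systemctl daemon-reload

%preun client
%systemd_preun ipa-hcc-auto-enrollment.service

%postun client
%systemd_postun_with_restart ipa-hcc-auto-enrollment.service

%prep
%setup -T -b 0 -q -n ipa-hcc

%build
touch debugfiles.list

%check
# Tests run against the installed tree in the buildroot.
export PYTHONPATH=%{buildroot}%{python_sitelib}
%{python} -Wignore -m unittest discover -s tests/
# remove module after test run
rm -f %{buildroot}/%{python_sitelib}/ipahcc_auto_enrollment.py
rm -f %{buildroot}/%{python_sitelib}/ipahcc_client_prepare.py
rm -rf %{buildroot}/%{python_sitelib}/__pycache__
# Smoke-test the installed entry points.
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment --version
%if %{with server}
%{buildroot}%{_sbindir}/ipa-hcc --help >/dev/null
%endif
%if %{with mockapi}
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare --version
%endif

%install
rm -rf $RPM_BUILD_ROOT
export MAKEFLAGS="-j1"
%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_python install_client
%if %{with server}
%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_server_plugin install_registration_service
# Ghost keytab placeholder; the real keytab is created on the server later.
mkdir -p %{buildroot}%{_sharedstatedir}/gssproxy
touch %{buildroot}%{_sharedstatedir}/gssproxy/hcc-enrollment.keytab
%else
rm -rf %{buildroot}/%{python_sitelib}/ipahcc
rm -rf %{buildroot}/%{python_sitelib}/ipaserver
rm -rf %{buildroot}/%{python_sitelib}/ipahcc*.egg-info
%endif
%if %{with mockapi}
%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_mockapi install_client_prepare
%else
rm -rf %{buildroot}/%{python_sitelib}/ipahcc/mockapi
rm %{buildroot}/%{python_sitelib}/ipaserver/install/plugins/update_hcc_mockapi.py
rm %{buildroot}/%{python_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_mockapi.*.pyc
%endif
%if %{with stage_console}
%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_stage_console
%endif

%if %{with server}
%files server
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/hcc.conf
%{_sbindir}/ipa-hcc
%{_mandir}/man1/ipa-hcc.1*
%dir %{_datadir}/ipa-hcc/
%{_datadir}/ipa-hcc/cacerts
%{_unitdir}/ipa-hcc-update.*
%{python_sitelib}/ipahcc*.egg-info
%{python_sitelib}/ipahcc/py.typed
%{python_sitelib}/ipahcc/*.py
%{python_sitelib}/ipahcc/server/*.py
%{python_sitelib}/ipahcc/server/schema/*.json
%{python_sitelib}/ipahcc/sign/*.py
%{python_sitelib}/ipaserver/plugins/*.py
%{python_sitelib}/ipaserver/install/plugins/update_hcc.py
%{python_sitelib}/ipahcc/__pycache__/*.pyc
%{python_sitelib}/ipahcc/server/__pycache__/*.pyc
%{python_sitelib}/ipahcc/sign/__pycache__/*.pyc
%{python_sitelib}/ipaserver/plugins/__pycache__/*.pyc
%{python_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc.*.pyc
%{_datadir}/ipa/schema.d/85-hcc.ldif
%{_datadir}/ipa/updates/85-hcc.update
%{_datadir}/ipa/ui/js/plugins/*
# registration service
# Service-private configuration directory: owned by the service user and
# not readable by others. Do not widen these permissions.
%attr(0750,ipahcc,root) %dir %{_sysconfdir}/ipa/hcc
%attr(0755,ipahcc,ipaapi) %dir %{_localstatedir}/cache/ipa-hcc
%{python_sitelib}/ipahcc/registration/*.py
%{python_sitelib}/ipaserver/install/plugins/update_hcc_enrollment_service.py
%{python_sitelib}/ipahcc/registration/__pycache__/*.pyc
%{python_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_enrollment_service.*.pyc
%{_datadir}/ipa-hcc/hcc_registration_service.py
%{_datadir}/ipa/updates/86-hcc-registration-service.update
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-hcc.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gssproxy/85-ipa-hcc.conf
%ghost %{_sharedstatedir}/gssproxy/hcc-enrollment.keytab
%endif

%if %{with mockapi}
%files mockapi
%doc README.md CONTRIBUTORS.txt
%license COPYING
%{python_sitelib}/ipahcc/mockapi/*.py
%{python_sitelib}/ipahcc/mockapi/__pycache__/*.pyc
%{_datadir}/ipa-hcc/hcc_mockapi.py
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-hcc-mockapi.conf
%{python_sitelib}/ipaserver/install/plugins/update_hcc_mockapi.py
%{python_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_mockapi.*.pyc
%{_datadir}/ipa/updates/87-hcc-mockapi.update

%files ephemeral
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare
%attr(0644,root,root) %{_unitdir}/ipa-hcc-client-prepare.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ipa-hcc-client-prepare
# with mockapi
%endif

%if %{with stage_console}
%files stage-console
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-stage-console
# with stage_console
%endif

%files client
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment
%attr(0644,root,root) %{_unitdir}/ipa-hcc-auto-enrollment.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ipa-hcc-auto-enrollment

%changelog
* Tue Dec 05 2023 Christian Heimes 0.13-1
- feat: Enhance reporting and logging
- feat: Check remote status with HCC
- refactor: Use context="hcc" in IPA API
- infra: Log JSON error information
- infra: Refresh cache and config file
- fix: Use LDAP for public JWKs
- refactor: Run ipa-client-automount
- fix: Replace legacy with modern Insights API
- fix: Limit hostname to 63 characters
- fix: Use UEP CA to access prod cert-api
- fix: Don't create global DNSResolver
- feat: Add ipahcc-client-prepare
- fix: Fake headers can use org_id/cn from RHSM cert
- refactor: Change to --idmsvc-api-url
- HMS-2348 feat: Add ephemeral fake header to auto-enrollment
- test: Run CI on Fedora 39, drop 37
- fix: Better error reporting for missing RHSM cert
- fix: Fix typo fdqn -> fqdn
- Fix: Keycloak SSO provider requires openid scope
- doc: Add test instructions and hcc.conf info
- HMS-2814 feat: IPA client installer and automount
- test: idm-ci now requires local cloud auth
- feat: Add sso.rh.c IdP provider definitions
- HMS-2694 fix: Update JWST issuer and docs
- HMS-2595 feat: Extend ipa-hcc to retrieve+store JWKs
- test: Fix and improve coverage
- fix: Update spec file URL
- fix: Update git repo URL
- HMS-2594: IPA plugin for HCC JWKs
- test: Do not install KRA
- HMS-2532 fix: attach to api commit
- HMS-2491 test: Enable backend tests again
- HMS-2491 test: Allow backend test to fail
- HMS-2491 refactor: Separate GET signing keys
- HMS-2491 test: Update test infra for DRT
- HMS-2491 feat: Remove old domain registration
- HMS-2491 feat: Update for domain token workflow
- refactor: Remove env patching
- HMS-2446 feat: New domain reg token
- fix: Use gssproxy client keytab
- HMS-2446 refactor: Move IPA API to WSGI framework
- tests: Add test for deserialize()
- tests: Check that serializing compact form gives a ValueError
- feat: Add additional check json deserialization and update docs
- feat: Rename deserialize_json to deserialize
- feat: Do not allow compact serialization for MultiJWST
- test: Enable mypy checker for tests
- feat: Add domain token to mockapi
- test: Run CI with Fedora 37 and 38
- HMS-2070 feat: Remove D-Bus service

* Mon Aug 14 2023 Christian Heimes 0.12-1
- fix: use new Quay org for CI images
- HMS-1789 tests: use @podengo/ipa-hcc COPR
- fix: Support latest tox on Fedora 38
- fix: Allow non-compact JWT serialization
- fix: use OpenAPI from public GitHub repo
- test: Build SRPM and RPMs on GHA
- test: update packages in containers
- fix: Don't hard-code inventory url
- doc: Add documentation for developers
- HMS-2195: fix: Use idmsvc as API slug
- feat: update locations
- fix: Fix typo in automember rule
- HMS-2147 fix: use HostConfIpa schema in HostConfResponse
- refactor: Use setuptools to install Python code
- fix: store public JWK in separate file
- HMS-1857 feat: signed assertion for host registration
- HMS-1857 feat: Add multi-sig and host token
- HMS-1289 fix: Remove inventory_id from HostConfResponse
- HMS-1857 feat: Add JWK abstraction and helpers
- feat: Update JSON schema from latest OpenAPI
- HMS-2038 test: Smoke tests with idm-domains-backend
- HMS-2068: Drop support for RHEL without PKINIT

* Mon Jul 03 2023 Christian Heimes 0.11-1
- HMS-2052 build: Use OpenAPI schema from idm-domains-api
- HMS-2038 test: catch metadata misconfiguration early
- fix: Move rpkg output out of .tox directory
- HMS-2041 fix: Represent org id as string, not int
- HMS-2038 test: Improve testing with backend compose
- HMS-1991 fix: Tighten OpenAPI schema
- HMS-2008 feat: Adopt JSON API error objects
- Add definitions for missing JSON schemas
- HMS-1991 feat: Generate schema JSON files from OpenAPI
- HMS-1991: Refactor JSON schema
- Add project and build definitions to pyproject.toml
- HMS-1898: Fix and validate error response
- HMS-1975: Remove check-host API endpoint
- Improve CI and test with Python 3.9 (RHEL 9)
- register: prompt for confirmation
- HMS-1926: Friendly D-Bus error message
- ipa-hcc CLI: print human-readable messages
- Document how to configure for ephemeral
- logging: pretty print API response
- Reconcile JSON schema with idm-domains-backend OpenAPI
- Add verbose logging to ipa-hcc
- Prepare release 0.11
- Ephemeral env support with fake headers
- Improve Makefile and tox runner
- yamllint: don't apply truthy test to map keys
- Rename field 'cacerts' to 'ca_certs'
- Reconcile domain response schema
- Reconcile register/update domain schema
- Document how to install build and test deps
- HMS-1898 Reconcile error result schema
- Ruff: silence F811 redefined-while-unused

* Wed May 17 2023 Christian Heimes 0.10-1
- [HMS-1788] Add simple GH CI workflow
- [HMS-1779] Move secrets and settings to CI/CD variables
- [HMS-1645] Replace bandit/flake8 with ruff linter
- Add infrastructure for mypy type checks
- [HMS-1645] Drop IPA 4.6 compatibility workarounds
- [HMS-1645] Drop Python 2 compatibility
- Run integration tests in FIPS mode
- [HMS-1645] Drop support for RHEL 7

* Wed Apr 19 2023 Christian Heimes 0.9-1
- Last version with RHEL 7 / Python 2.7 support
- [HMS-1607] Use inventory_id in API routes
- [HMS-1607] Move common WSGI code into module
- Include os-release id and version in HTTP header
- [HMS-1479] Implement status check
- Drop bundle file, add more ipaserver tests
- Detect and block auto-enrollment with FQDN localhost
- [HMS-1472] Switch from admintool to D-Bus CLI
- Add tests for dbus service, fix hccapi
- Move cert parsing into common function
- Validate insights registration state

* Wed Mar 29 2023 Christian Heimes 0.8-1
- Fold common and registration-service into ipa-hcc-server
- Default to stage
- Add title and description to JSON schema
- Use D-Bus service and simplify config
- Download PKINIT chain from registration service
- Add mock tests for mockapi service, refactor code
- [HMS-1485] Add --location to auto-enrollment script
- Verify with pylint and fix violations
- Use server role to indicate presence of ipa-hcc plugin
- [HMS-1485] Add IPA location information to domain
- Add D-Bus service for checking host in HBI
- [HMS-1475] Add tests for registration WSGI server
- [HMS-1475] Refactor and test auto enrollment client
- Test with RHEL 7.9 server
- Remove dependency on requests
- Rename smid -> rhsm_id, drop redundant rhsm_id from body
- Move API handler in separate module, add JSON schema

* Wed Mar 15 2023 Christian Heimes 0.7-1
- Fix config_mod(hcc_update_server_server) API call
- Improve idm-ci
- Refactor project structure
- Add timeout option
- Remove unused cert info and detect_environment
- Split ipa_hcc_cli into CLI interface and logic
- Add systemd timer service
- Add global hccDomainId, use domain_id in PUT request
- Add HCC update role and register/update subcommands
- Add ipa-hcc to register/update domain with HCC
- Update rhsm_id in server's host entry -
- Add server role for HCC enrollment service
- Fix deployment and rhc connect in stage environment
- Test on RHEL 9.2, 8.8
- Add mockapi with test API endpoints

* Tue Feb 21 2023 Christian Heimes 0.6-1
- Add metadata to deploy with local builds
- build and deploy RPMs from current checkout
- Add QEW test and metadata file
- Add idm-ci playbook and metadata
- Add tox CI with custom image
- Fix stage env support
- Add 1minutetip and virt-builder scripts
- More validation of PKINIT options
- Write custom krb5.conf, handle missing domain better, more arg checks
- Drop 'not krbprincipalkey' check for testing
- Mention SHA-1 PKINIT issue on old RHEL 7 and 8.6 servers

* Mon Feb 06 2023 Christian Heimes 0.5-1
- Fallback to kinit with PKINIT + ipa-getkeytab on systems without PKINIT support ipa-client-install
- Add support for IPA 4.6 on RHEL 7 with Python 2.7 and mod_nss
- Handle platform-python on RHEL 8
- Sleep longer
- Relax dependency on SELinux
- Move keytab installation into auto enrollment
- Basic tests for WSGI
- Move /etc/ipa/hcc dir to registration-service RPM
- Move scripts into ipaclient.hcc package

* Thu Feb 02 2023 Christian Heimes 0.4-1
- Detect stage/prod from rhsm.conf
- Move refresh_token to /etc/ipa/hcc/refresh_token
- Move more configuration into hccplatform
- Remove keytab file on error
- Add service with force=True option
- Update permissions before adding privileges
- Use ipa-ldap-updater instead of slow ipa-server-upgrade
- Split server plugin and registration service updates

* Tue Jan 31 2023 Christian Heimes 0.3-1
- Rename package to ipa-hcc
- Replace term 'consoleDot' with 'Hybrid Cloud Console'

* Tue Jan 31 2023 Christian Heimes 0.2-1
- Update CA chain to official RH certs with new SHA-256 Candlepin cert
- Wait until host appears in ConsoleDot inventory
- Always disconnect to get a fresh Kerberos ticket and connection
- Add ipa-consoledot-consoledot.service
- Remove old test data

* Tue Jan 31 2023 Christian Heimes 0.1-1
- Handle outdated keytab, autoconfig org id
- Remove pkinit_anchors line on uninstall
- Workaround for missing IdM features
- Fix spec file dependencies
- Automate ipa-getkeytab with update plugin
- Move some files around, automate service and keytab
- Update spec, add KRB5 snippet with anchors
- Use more persistent connections
- Add caching and logging to WSGI app
- Add link from search facet to consoleDot inventory
- Lookup host in consoleDot inventory
- Regenerate certs with C=US instead of CN=US
- Return shell script with certs
- Add cross-signed certs
- Add script to generate cross-signed Candlepin CA
- Update README with more instructions
- Require known CA issuer
- Add WSGI service, roles, and cert mapping
- Add test scripts
- Add notes about cache and certmap-match
- Add test data and instructions
- Fix error reporting when global org id is missing
- Use lower number for updates/schema so we can use 89 for test data
- explain unique index
- Add write permission
- Add enrolled hosts to a hostgroup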