......@@ -16,3 +16,8 @@ custodia.audit.log
secrets.db
server_socket
vol
/docs/source/quick/quick.audit.log
/docs/source/quick/quick.db
/docs/source/quick/quick.key
/docs/source/quick/quick
sudo: false
sudo: required
dist: trusty
language: python
......@@ -12,22 +14,28 @@ addons:
matrix:
include:
- python: 2.7
env: TOXENV=py27
- python: 3.4
env: TOXENV=py34
env: TOXENV=py27-extras
- python: 2.7
env: TOXENV=py27-noextras
- python: 3.5
env: TOXENV=py35
env: TOXENV=py35-extras
- python: 3.6
env: TOXENV=py36-extras
- python: 3.6
env: TOXENV=py36-noextras
- python: 3.6
env: TOXENV=py36
- python: 3.5
env: TOXENV=doc
- python: 3.5
- python: 3.6
env: TOXENV=lint
- python: 2.7
env: TOXENV=pep8py2
- python: 3.5
- python: 3.6
env: TOXENV=pep8py3
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y python-pip python-virtualenv python-dev gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev libsasl2-dev libssl-dev
install:
- pip install --upgrade pip
- pip install --upgrade setuptools
......@@ -196,13 +196,13 @@ POST /secrets/mycontainer/
Default containers may be automatically created by an implementation.
Returns:
- 200 if the container already exists
- 201 in case of success.
- 400 if the request format is invalid
- 401 if authentication is necessary
- 403 if access to the key is forbidden
- 404 one of the elements of the path is not a valid container
- 406 not acceptable, type unknown/not permitted
- 409 if the container already exists
- 501 if the API is not supported
......@@ -6,7 +6,7 @@ include bin/custodia bin/custodia-cli
include custodia.conf
recursive-include examples *.key *.db
recursive-include docs *.py *.rst
recursive-include docs *.conf *.py *.rst
include docs/Makefile
include man/custodia.7
......@@ -4,6 +4,8 @@ PYTHON := python3
TOX := $(PYTHON) -m tox --sitepackages
DOCS_DIR = docs
SERVER_SOCKET = $(CURDIR)/server_socket
QUICK_GUIDE = docs/source/quick
QUICK_SOCKET = $(QUICK_GUIDE)/quick
RPMBUILD = $(CURDIR)/dist/rpmbuild
......@@ -35,7 +37,7 @@ all: clean_socket lint pep8 test docs
echo "All tests passed"
clean_socket:
rm -f $(SERVER_SOCKET) $(CONTAINER_SOCKET)
rm -f $(SERVER_SOCKET) $(CONTAINER_SOCKET) $(QUICK_SOCKET)
clean_coverage:
rm -f .coverage .coverage.*
......@@ -55,15 +57,17 @@ clean: clean_socket clean_coverage
find ./ -depth -name __pycache__ -exec rm -rf {} \;
rm -rf tests/tmp
rm -rf vol
rm -f $(QUICK_GUIDE)/quick.audit.log \
$(QUICK_GUIDE)/quick.db \
$(QUICK_GUIDE)/quick.key
cscope:
git ls-files | xargs pycscope
test: clean_socket clean_coverage
$(TOX) --skip-missing-interpreters -e py27
$(TOX) --skip-missing-interpreters -e py34
$(TOX) --skip-missing-interpreters -e py35
$(TOX) --skip-missing-interpreters -e py36
$(TOX) --skip-missing-interpreters -e py27-extra,py27-noextra
$(TOX) --skip-missing-interpreters -e py35-extra,py35-noextra
$(TOX) --skip-missing-interpreters -e py36-extra,py36-noextra
$(TOX) --skip-missing-interpreters -e doc
$(TOX) -e coverage-report
......@@ -82,7 +86,7 @@ docs: $(DOCS_DIR)/source/readme.rst
PYTHONPATH=$(CURDIR)/src \
$(MAKE) -C $(DOCS_DIR) html SPHINXBUILD="$(PYTHON) -m sphinx"
.PHONY: install egg_info run packages release releasecheck
.PHONY: install egg_info run quickrun packages release releasecheck
install: clean_socket egg_info
$(PYTHON) setup.py install --root "$(PREFIX)"
install -d "$(PREFIX)/share/man/man7"
......@@ -123,6 +127,10 @@ releasecheck: clean
run: egg_info
$(PYTHON) $(CURDIR)/bin/custodia $(CONF)
quickrun: egg_info
@ # sed -n -e 's/.*\$$ \(alias\|curl\)/\1/p' docs/source/quick.rst
@ # sed 's,./quick,$(QUICK_SOCKET),g'
$(PYTHON) bin/custodia $(QUICK_GUIDE)/quick.conf
.PHONY: rpmroot rpmfiles rpm
rpmroot:
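Review bot: The tox environment names in the `test` target (`py27-extra,py27-noextra`, `py35-extra,py35-noextra`, `py36-extra,py36-noextra`) differ by a trailing `s` from the names the same commit writes into .travis.yml (`py27-extras`, `py27-noextras`, `py35-extras`, `py36-extras`, `py36-noextras`), so one of the two will fail against tox.ini, which is not part of this diff, with an unknown-environment error; `--skip-missing-interpreters` hides missing interpreters, not a misspelled env. If the Travis names are the correct ones, the three lines should read `$(TOX) --skip-missing-interpreters -e py27-extras,py27-noextras`, `$(TOX) --skip-missing-interpreters -e py35-extras,py35-noextras` and `$(TOX) --skip-missing-interpreters -e py36-extras,py36-noextras`. Separately, the two `@ # sed …` lines in `quickrun` are commented-out recipe text that still spawns a shell each time the target runs; either make them Make comments (`#` at column 0, no leading tab) or drop them. `quickrun` also invokes `bin/custodia` relative to the cwd while `run` uses `$(CURDIR)/bin/custodia`; using `$(CURDIR)` in both keeps the two targets consistent.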
......@@ -38,14 +38,38 @@ Runtime
- requests
- six
Installation and testing
~~~~~~~~~~~~~~~~~~~~~~~~
Testing
~~~~~~~
- pip
- setuptools >= 18.0
- tox >= 2.3.1
- wheel
custodia.ipa depends on several binary extensions and shared libraries
for e.g. python-cryptography, python-gssapi, python-ldap, and
python-nss. For testing and installation in a virtual environment, a C
compiler and several development packages are required.
Fedora
^^^^^^
::
$ sudo dnf install python2 python-pip python-virtualenv python-devel \
gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
nss-devel openldap-devel cyrus-sasl-devel openssl-devel
Debian / Ubuntu
^^^^^^^^^^^^^^^
::
$ sudo apt-get update
$ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
libsasl2-dev libssl-dev
API stability
-------------
......@@ -53,6 +77,221 @@ Some APIs are provisional and may change in the future.
- Command line interface in module ``custodia.cli``.
- The script custodia-cli.
- *custodia.ipa* plugins
--------------
custodia.ipa — IPA plugins for Custodia
=======================================
**WARNING** *custodia.ipa is a tech preview with a provisional API.*
custodia.ipa is a collection of plugins for
`Custodia <https://custodia.readthedocs.io/>`__. It provides integration
with `FreeIPA <http://www.freeipa.org>`__. The *IPAVault* plugin is an
interface to `FreeIPA
vault <https://www.freeipa.org/page/V4/Password_Vault>`__. Secrets are
encrypted and stored in `Dogtag <http://www.dogtagpki.org>`__'s Key
Recovery Agent. The *IPACertRequest* plugin creates private key and
signed certificates on-demand. Finally the *IPAInterface* plugin is a
helper plugin that wraps ipalib and GSSAPI authentication.
custodia.ipa requirements
-------------------------
- ipalib >= 4.5.0
- ipaclient >= 4.5.0
- Python 2.7 (Python 3 support in IPA vault is unstable.)
ipalib and ipaclient are not pulled in and install by default. The
packages depend on additional OS packages for Kerberos/GSSAPI, LDAP and
NSS crypto library. The dependencies are listed under *testing*
requirements above.
::
$ pip install custodia[ipa]
custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for
authentication. It is recommended to provide credentials with a keytab
file or GSS-Proxy. Furthermore *IPAVault* depends on Key Recovery Agent
service (``ipa-kra-install``).
--------------
Example configuration
---------------------
Create directories
::
$ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chmod 750 /var/lib/custodia /var/log/custodia
Create service account and keytab
::
$ kinit admin
$ ipa service-add custodia/$HOSTNAME
$ ipa service-allow-create-keytab custodia/$HOSTNAME --users=admin
$ mkdir -p /etc/custodia
$ ipa-getkeytab -p custodia/$HOSTNAME -k /etc/custodia/ipa.keytab
$ chown custodia:custodia /etc/custodia/ipa.keytab
The IPA cert request plugin needs additional permissions
::
$ ipa privilege-add \
--desc="Create and request service certs with Custodia" \
"Custodia Service Certs"
$ ipa privilege-add-permission \
--permissions="Retrieve Certificates from the CA" \
--permissions="Request Certificate" \
--permissions="Revoke Certificate" \
--permissions="System: Modify Services" \
"Custodia Service Certs"
# for add_principal=True
$ ipa privilege-add-permission \
--permissions="System: Add Services" \
"Custodia Service Certs"
$ ipa role-add \
--desc="Create and request service certs with Custodia" \
"Custodia Service Cert Adminstrator"
$ ipa role-add-privilege \
--privileges="Custodia Service Certs" \
"Custodia Service Cert Adminstrator"
$ ipa role-add-member \
--services="custodia/$HOSTNAME" \
"Custodia Service Cert Adminstrator"
Create ``/etc/custodia/ipa.conf``
::
# /etc/custodia/ipa.conf
[global]
debug = true
makedirs = true
[auth:ipa]
handler = IPAInterface
keytab = ${configdir}/${instance}.keytab
ccache = FILE:${rundir}/ccache
[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root
[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets
[store:vault]
handler = IPAVault
[store:cert]
handler = IPACertRequest
backing_store = vault
[/]
handler = Root
[/secrets]
handler = Secrets
store = vault
[/secrets/certs]
handler = Secrets
store = cert
Create ``/etc/systemd/system/custodia@ipa.service.d/override.conf``
On Fedora 26 and newer, the Custodia service file defaults to Python 3.
Although FreeIPA 4.5 has support for Python 3, it's not stable yet.
Therefore it is necessary to run the ``custodia.ipa`` plugins with
Python 2.7. You can either use ``systemctl edit custodia@py2.service``
to create an override or copy the file manually. Don't forget to run
``systemctl daemon-reload`` in the latter case.
::
[Service]
ExecStart=
ExecStart=/usr/sbin/custodia-2 --instance=%i /etc/custodia/%i.conf
Run Custodia server
::
$ systemctl start custodia@ipa.socket
IPA cert request
----------------
The *IPACertRequest* store plugin generates or revokes certificates on
the fly. It uses a backing store to cache certs and private keys. The
plugin can create service principal automatically. However the host must
already exist. The *IPACertRequest* does not create host entries on
demand.
A request like ``GET /path/to/store/HTTP/client1.ipa.example`` generates
a private key and CSR for the service ``HTTP/client1.ipa.example`` with
DNS subject alternative name ``client1.ipa.example``. The CSR is then
forwarded to IPA and signed by Dogtag. The resulting cert and its trust
chain is returned together with the private key as a PEM bundle.
::
$ export CUSTODIA_INSTANCE=ipa
$ custodia-cli get /certs/HTTP/client1.ipa.example
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Subject: organizationName=IPA.EXAMPLE, commonName=client1.ipa.example
Serial Number: 22
Validity:
Not Before: 2017-04-27 09:44:20
Not After: 2019-04-28 09:44:20
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Serial Number: 1
Validity:
Not Before: 2017-04-26 08:24:11
Not After: 2037-04-26 08:24:11
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
A DELETE request removes the cert/key pair from the backing store and
revokes the cert at the same time.
Automatic renewal of revoked or expired certificates is not implemented
yet.
FreeIPA 4.4 support
~~~~~~~~~~~~~~~~~~~
The default settings and permissions are tuned for FreeIPA >= 4.5. For
4.4, the plugin must be configured with ``chain=False``. The additional
permission ``Request Certificate with SubjectAltName`` is required, too.
::
ipa privilege-add-permission \
--permissions="Request Certificate with SubjectAltName" \
"Custodia Service Certs"
.. |Build Status| image:: https://travis-ci.org/latchset/custodia.svg?branch=master
:target: https://travis-ci.org/latchset/custodia
......@@ -33,16 +33,247 @@ https://custodia.readthedocs.io
* requests
* six
### Installation and testing
### Testing
* pip
* setuptools >= 18.0
* tox >= 2.3.1
* wheel
custodia.ipa depends on several binary extensions and shared libraries for
e.g. python-cryptography, python-gssapi, python-ldap, and python-nss. For
testing and installation in a virtual environment, a C compiler and
several development packages are required.
#### Fedora
```
$ sudo dnf install python2 python-pip python-virtualenv python-devel \
gcc redhat-rpm-config krb5-workstation krb5-devel libffi-devel \
nss-devel openldap-devel cyrus-sasl-devel openssl-devel
```
#### Debian / Ubuntu
```
$ sudo apt-get update
$ sudo apt-get install -y python2.7 python-pip python-virtualenv python-dev \
gcc krb5-user libkrb5-dev libffi-dev libnss3-dev libldap2-dev \
libsasl2-dev libssl-dev
```
## API stability
Some APIs are provisional and may change in the future.
* Command line interface in module ```custodia.cli```.
* The script custodia-cli.
* *custodia.ipa* plugins
---
# custodia.ipa — IPA plugins for Custodia
**WARNING** *custodia.ipa is a tech preview with a provisional API.*
custodia.ipa is a collection of plugins for
[Custodia](https://custodia.readthedocs.io/). It provides integration with
[FreeIPA](http://www.freeipa.org). The *IPAVault* plugin is an interface to
[FreeIPA vault](https://www.freeipa.org/page/V4/Password_Vault). Secrets are
encrypted and stored in [Dogtag](http://www.dogtagpki.org)'s Key Recovery
Agent. The *IPACertRequest* plugin creates private key and signed certificates
on-demand. Finally the *IPAInterface* plugin is a helper plugin that wraps
ipalib and GSSAPI authentication.
## custodia.ipa requirements
* ipalib >= 4.5.0
* ipaclient >= 4.5.0
* Python 2.7 (Python 3 support in IPA vault is unstable.)
ipalib and ipaclient are not pulled in and install by default. The packages
depend on additional OS packages for Kerberos/GSSAPI, LDAP and NSS crypto
library. The dependencies are listed under *testing* requirements above.
```
$ pip install custodia[ipa]
```
custodia.ipa requires an IPA-enrolled host and a Kerberos TGT for
authentication. It is recommended to provide credentials with a keytab file or
GSS-Proxy. Furthermore *IPAVault* depends on Key Recovery Agent service
(``ipa-kra-install``).
---
## Example configuration
Create directories
```
$ sudo mkdir /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chown USER:GROUP /var/lib/custodia /var/log/custodia /var/run/custodia
$ sudo chmod 750 /var/lib/custodia /var/log/custodia
```
Create service account and keytab
```
$ kinit admin
$ ipa service-add custodia/$HOSTNAME
$ ipa service-allow-create-keytab custodia/$HOSTNAME --users=admin
$ mkdir -p /etc/custodia
$ ipa-getkeytab -p custodia/$HOSTNAME -k /etc/custodia/ipa.keytab
$ chown custodia:custodia /etc/custodia/ipa.keytab
```
The IPA cert request plugin needs additional permissions
```
$ ipa privilege-add \
--desc="Create and request service certs with Custodia" \
"Custodia Service Certs"
$ ipa privilege-add-permission \
--permissions="Retrieve Certificates from the CA" \
--permissions="Request Certificate" \
--permissions="Revoke Certificate" \
--permissions="System: Modify Services" \
"Custodia Service Certs"
# for add_principal=True
$ ipa privilege-add-permission \
--permissions="System: Add Services" \
"Custodia Service Certs"
$ ipa role-add \
--desc="Create and request service certs with Custodia" \
"Custodia Service Cert Adminstrator"
$ ipa role-add-privilege \
--privileges="Custodia Service Certs" \
"Custodia Service Cert Adminstrator"
$ ipa role-add-member \
--services="custodia/$HOSTNAME" \
"Custodia Service Cert Adminstrator"
```
Create ```/etc/custodia/ipa.conf```
```
# /etc/custodia/ipa.conf
[global]
debug = true
makedirs = true
[auth:ipa]
handler = IPAInterface
keytab = ${configdir}/${instance}.keytab
ccache = FILE:${rundir}/ccache
[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root
[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets
[store:vault]
handler = IPAVault
[store:cert]
handler = IPACertRequest
backing_store = vault
[/]
handler = Root
[/secrets]
handler = Secrets
store = vault
[/secrets/certs]
handler = Secrets
store = cert
```
Create ``/etc/systemd/system/custodia@ipa.service.d/override.conf``
On Fedora 26 and newer, the Custodia service file defaults to Python 3.
Although FreeIPA 4.5 has support for Python 3, it's not stable yet. Therefore
it is necessary to run the ``custodia.ipa`` plugins with Python 2.7. You
can either use ``systemctl edit custodia@py2.service`` to create an override
or copy the file manually. Don't forget to run ``systemctl daemon-reload`` in
the latter case.
```
[Service]
ExecStart=
ExecStart=/usr/sbin/custodia-2 --instance=%i /etc/custodia/%i.conf
```
Run Custodia server
```
$ systemctl start custodia@ipa.socket
```
## IPA cert request
The *IPACertRequest* store plugin generates or revokes certificates on the
fly. It uses a backing store to cache certs and private keys. The plugin can
create service principal automatically. However the host must already exist.
The *IPACertRequest* does not create host entries on demand.
A request like ```GET /path/to/store/HTTP/client1.ipa.example```
generates a private key and CSR for the service
```HTTP/client1.ipa.example``` with DNS subject alternative name
```client1.ipa.example```. The CSR is then forwarded to IPA and signed by
Dogtag. The resulting cert and its trust chain is returned together with the
private key as a PEM bundle.
```
$ export CUSTODIA_INSTANCE=ipa
$ custodia-cli get /certs/HTTP/client1.ipa.example
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Subject: organizationName=IPA.EXAMPLE, commonName=client1.ipa.example
Serial Number: 22
Validity:
Not Before: 2017-04-27 09:44:20
Not After: 2019-04-28 09:44:20
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Issuer: organizationName=IPA.EXAMPLE, commonName=Certificate Authority
Serial Number: 1
Validity:
Not Before: 2017-04-26 08:24:11
Not After: 2037-04-26 08:24:11
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
A DELETE request removes the cert/key pair from
the backing store and revokes the cert at the same time.
Automatic renewal of revoked or expired certificates is not implemented yet.
### FreeIPA 4.4 support
The default settings and permissions are tuned for FreeIPA >= 4.5. For 4.4,
the plugin must be configured with ```chain=False```. The additional
permission ```Request Certificate with SubjectAltName``` is required, too.
```
ipa privilege-add-permission \
--permissions="Request Certificate with SubjectAltName" \
"Custodia Service Certs"
```
# /etc/custodia/ipa.conf
[global]
debug = true
makedirs = true
[auth:ipa]
handler = IPAInterface
keytab = ${configdir}/${instance}.keytab
ccache = FILE:${rundir}/ccache
[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root
[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets
[store:vault]
handler = IPAVault
[store:cert]
handler = IPACertRequest
backing_store = vault
[/]
handler = Root
[/secrets]
handler = Secrets
store = vault
[/secrets/certs]
handler = Secrets
store = cert
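Review bot: The new ipa.conf example sets `debug = true` under `[global]`, and so does the packaged default `debian/custodia.conf` added in this commit, which the install file places at `/etc/custodia/custodia.conf`; what `debug` switches on is not visible in this diff, but a secrets service whose shipped default enables debug output is a surprising default for operators and may write more request detail to `/var/log/custodia` than they expect. Suggest `debug = false` in the packaged default, leaving the documentation to show how to enable it, and a one-line comment in the example such as `# debug = true is intended for development; disable it in production`.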
FROM fedora:25
MAINTAINER Christian Heimes <cheimes@redhat.com>
FROM registry.fedoraproject.org/fedora:27
LABEL \
name="latchset/custodia" \
maintainer="Christian Heimes <cheimes@redhat.com>" \
url="https://latchset.github.io/"
RUN dnf -y update && dnf clean all
# install Custodia dependencies
RUN dnf -y install \
# install updates and custodia dependencies
RUN dnf -y update \
&& dnf -y install \
python3 python3-pip python3-wheel \
python3-requests python3-six python3-jwcrypto \
python3-ipaclient \
&& dnf clean all
# Create Custodia user and group
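Review bot: `FROM registry.fedoraproject.org/fedora:27` pins the base image only by a mutable tag, and the following `RUN dnf -y update && dnf -y install …` pulls whatever the repositories serve at build time, so two builds of this commit can yield different images and a later rebuild cannot be tied to a known package set. If reproducibility and auditability matter for this image, pin the base by digest, e.g. `FROM registry.fedoraproject.org/fedora:27@sha256:<DIGEST_PLACEHOLDER>`, and consider capturing the installed package list (`rpm -qa` output or a lockfile) from the build. Folding update, install and `dnf clean all` into one layer, as done here, is the right shape for keeping the layer small.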
%if 0%{?fedora}
%global with_python3 1
%global with_etcdstore 1
%endif
%{!?version: %define version 0.5.dev1}
%{!?version: %define version 0.6.0}
# FreeIPA up to 4.4.4 are not compatible with custodia because the custodia
# script now runs under Python 3. FreeIPA 4.4.5 and 4.4.4-2 on F26 are fixed.
# ipa_conflict is used with '<' version comparison.
%if 0%{?fedora} >= 26
%global ipa_conflict 4.4.4-2
%else
%global ipa_conflict 4.4.5
%endif
Name: custodia
Version: %{version}
Release: 3%{?dist}
Release: 0%{?dist}
Summary: A service to manage, retrieve and store secrets for other processes
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sha512sum.txt
Source2: custodia.conf
Source3: custodia@.service
Source4: custodia@.socket
......@@ -23,42 +30,40 @@ BuildArch: noarch
BuildRequires: systemd
BuildRequires: python2-devel
BuildRequires: python-jwcrypto
BuildRequires: python2-jwcrypto >= 0.4.2
BuildRequires: python2-requests
BuildRequires: python2-setuptools >= 18
BuildRequires: python2-coverage
BuildRequires: python-tox >= 2.3.1
BuildRequires: python2-tox >= 2.3.1
BuildRequires: python2-pytest
BuildRequires: python-docutils
BuildRequires: python2-docutils
BuildRequires: python2-configparser
BuildRequires: python2-systemd
%if 0%{?with_etcdstore}
BuildRequires: python2-python-etcd
%if 0%{?with_python3}
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-jwcrypto >= 0.4.2
BuildRequires: python%{python3_pkgversion}-requests
BuildRequires: python%{python3_pkgversion}-setuptools > 18
BuildRequires: python%{python3_pkgversion}-coverage
BuildRequires: python%{python3_pkgversion}-tox >= 2.3.1
BuildRequires: python%{python3_pkgversion}-pytest
BuildRequires: python%{python3_pkgversion}-docutils
BuildRequires: python%{python3_pkgversion}-systemd
%endif
%if 0%{?with_python3}
BuildRequires: python3-devel
BuildRequires: python3-jwcrypto
BuildRequires: python3-requests
BuildRequires: python3-setuptools > 18
BuildRequires: python3-coverage
BuildRequires: python3-tox >= 2.3.1
BuildRequires: python3-pytest
BuildRequires: python3-python-etcd
BuildRequires: python3-docutils
BuildRequires: python3-systemd
Requires: python%{python3_pkgversion}-custodia = %{version}-%{release}
%else
Requires: python2-custodia = %{version}-%{release}
%endif
Requires(pre): shadow-utils
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(post): systemd-units
%if 0%{?with_python3}
Requires: python3-custodia = %{version}-%{release}
%else
Requires: python2-custodia = %{version}-%{release}
%endif
Conflicts: freeipa-server-common < %{ipa_conflict}
Conflicts: ipa-server-common < %{ipa_conflict}
%global overview \
......@@ -80,83 +85,60 @@ A service to manage, retrieve and store secrets for other processes
%package -n python2-custodia
Summary: Sub-package with python2 custodia modules
Provides: python-custodia = %{version}-%{release}
Obsoletes: python-custodia <= 0.1.0
%{?python_provide:%python_provide python2-%{name}}
Requires: python2-configparser
Requires: python-jwcrypto
Requires: python2-jwcrypto > 0.4.2
Requires: python2-requests
Requires: python2-setuptools
Requires: python2-systemd
Conflicts: python2-ipalib < %{ipa_conflict}
%description -n python2-custodia
Sub-package with python custodia modules
%{overview}
%if 0%{?with_etcdstore}
%package -n python2-custodia-etcdstore
Summary: Sub-package with python2 custodia etcdstore
Requires: python2-python-etcd
Requires: python2-custodia = %{version}-%{release}
Obsoletes: python2-custodia-extras <= 0.3.1
%description -n python2-custodia-etcdstore
Sub-package with python2 custodia etcdstore plugin
%{overview}
%endif # with_etcdstore
%if 0%{?with_python3}
%package -n python3-custodia
%package -n python%{python3_pkgversion}-custodia
Summary: Sub-package with python3 custodia modules
Requires: python3-jwcrypto
Requires: python3-requests
Requires: python3-setuptools
Requires: python3-systemd
%description -n python3-custodia
%{?python_provide:%python_provide python3-%{name}}
Requires: python%{python3_pkgversion}-jwcrypto >= 0.4.2
Requires: python%{python3_pkgversion}-requests
Requires: python%{python3_pkgversion}-setuptools
Requires: python%{python3_pkgversion}-systemd
Conflicts: python%{python3_pkgversion}-ipalib < %{ipa_conflict}
%description -n python%{python3_pkgversion}-custodia
Sub-package with python custodia modules
%{overview}
%if 0%{?with_etcdstore}
%package -n python3-custodia-etcdstore
Summary: Sub-package with python3 custodia etcdstoore
Requires: python3-python-etcd
Requires: python3-custodia = %{version}-%{release}
Obsoletes: python3-custodia-extras <= 0.3.1
%description -n python3-custodia-etcdstore
Sub-package with python3 custodia extra etcdstore plugin
%{overview}
%endif # with_etcdstore
%endif # with_python3
%prep
grep `sha512sum %{SOURCE0}` %{SOURCE1} || (echo "Checksum invalid!" && exit 1)
%autosetup
%build
%{__python2} setup.py egg_info build
%py2_build
%if 0%{?with_python3}
%{__python3} setup.py egg_info build
%py3_build
%endif
%check
# don't download packages
export PIP_INDEX_URL=http://host.invalid./
# Don't try to download dnspython3. The package is provided by python3-dns
# Don't try to download dnspython3. The package is provided by python%{python3_pkgversion}-dns
export PIP_NO_DEPS=yes
# Ignore all install packages to enforce installation of sdist. Otherwise tox
# may pick up this package from global site-packages instead of source dist.
export PIP_IGNORE_INSTALLED=yes
tox --sitepackages -e py27 -- --skip-servertests
tox --sitepackages -e py%{python2_version_nodots} -- --skip-servertests
%if 0%{?with_python3}
TOXENV=$(%{__python3} -c 'import sys; print("py{0.major}{0.minor}".format(sys.version_info))')
tox --sitepackages -e $TOXENV -- --skip-servertests
tox --sitepackages -e py%{python3_version_nodots} -- --skip-servertests
%endif
......@@ -172,7 +154,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia
mkdir -p %{buildroot}/%{_localstatedir}/log/custodia
mkdir -p %{buildroot}/%{_localstatedir}/run/custodia
%{__python2} setup.py install --skip-build --root %{buildroot}
%py2_install
mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-2
cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-2
......@@ -186,7 +168,7 @@ install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/custodia.conf
%if 0%{?with_python3}
# overrides /usr/bin/custodia-cli and /usr/sbin/custodia with Python 3 shebang
%{__python3} setup.py install --skip-build --root %{buildroot}
%py3_install
mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-3
cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3
......@@ -200,14 +182,17 @@ getent passwd custodia >/dev/null || \
-c "User for custodia" custodia
exit 0
%post
%systemd_post custodia@\*.socket
%systemd_post custodia@\*.service
%preun
%systemd_preun custodia@\*.socket
%systemd_preun custodia@\*.service
%postun
%systemd_postun custodia@\*.socket
%systemd_postun custodia@\*.service
......@@ -231,30 +216,19 @@ exit 0
%files -n python2-custodia
%license LICENSE
%exclude %{python2_sitelib}/custodia/store/etcdstore.py*
%{python2_sitelib}/*
%{python2_sitelib}/%{name}
%{python2_sitelib}/%{name}-%{version}-py%{python2_version}.egg-info
%{python2_sitelib}/%{name}-%{version}-py%{python2_version}-nspkg.pth
%{_sbindir}/custodia-2
%{_bindir}/custodia-cli-2
%if 0%{?with_etcdstore}
%files -n python2-custodia-etcdstore
%license LICENSE
%{python2_sitelib}/custodia/store/etcdstore.py*
%endif # with_etcdstore
%if 0%{?with_python3}
%files -n python3-custodia
%files -n python%{python3_pkgversion}-custodia
%license LICENSE
%exclude %{python3_sitelib}/custodia/store/etcdstore.py
%exclude %{python3_sitelib}/custodia/store/__pycache__/etcdstore.*
%{python3_sitelib}/*
%{python3_sitelib}/%{name}
%{python3_sitelib}/%{name}-%{version}-py%{python3_version}.egg-info
%{python3_sitelib}/%{name}-%{version}-py%{python3_version}-nspkg.pth
%{_sbindir}/custodia-3
%{_bindir}/custodia-cli-3
%if 0%{?with_etcdstore}
%files -n python3-custodia-etcdstore
%license LICENSE
%{python3_sitelib}/custodia/store/etcdstore.py
%{python3_sitelib}/custodia/store/__pycache__/etcdstore.*
%endif # with_etcdstore
%endif # with_python3
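Review bot: In the `%package -n python2-custodia` hunk the new runtime dependency is `Requires: python2-jwcrypto > 0.4.2`, while the BuildRequires for both Python stacks and the python3 subpackage's Requires all use `>= 0.4.2`; with the strict `>`, a package built and tested against jwcrypto 0.4.2 would refuse to install alongside it. Unless excluding 0.4.2 at runtime is deliberate, change the line to `Requires: python2-jwcrypto >= 0.4.2`. The same asymmetry exists for setuptools in the BuildRequires block (`python2-setuptools >= 18` versus `python%{python3_pkgversion}-setuptools > 18`); the new python3 line copies the old bound, but this is the moment to pick one.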
custodia (0.6.0-1) UNRELEASED; urgency=medium
* New upstream release.
* Bump dh to 11.
* control: Update maintainer list address.
* control: Update vcs urls.
* control: Drop pylint3 from build-depends for now, it's not
installable.
* Add content to custodia, including daemon, cli script, systemd
service files etc.
-- Timo Aaltonen <tjaalton@debian.org> Sat, 04 Aug 2018 11:24:01 +0300
custodia (0.5.0-3) unstable; urgency=medium
* control: Drop configparser from python3-custodia Depends, it's
Source: custodia
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Uploaders: Timo Aaltonen <tjaalton@debian.org>
Section: admin
Priority: optional
Build-Depends:
debhelper (>= 10),
debhelper (>= 11),
dh-python,
pep8,
pylint,
pylint3,
# pylint3,
python-all (>= 2.6.6-3),
python-coverage,
python-flake8,
......@@ -31,8 +31,8 @@ Build-Depends:
python3-systemd,
tox,
Standards-Version: 4.1.2
Vcs-Git: https://anonscm.debian.org/git/pkg-freeipa/custodia.git
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-freeipa/custodia.git
Vcs-Git: https://salsa.debian.org/freeipa-team/custodia.git
Vcs-Browser: https://salsa.debian.org/freeipa-team/custodia
Homepage: https://github.com/latchset/custodia
Package: custodia
# /etc/custodia/custodia.conf
[global]
debug = true
makedirs = true
[store:sqlite]
handler = SqliteStore
dburi = ${libdir}/secrets.db
table = secrets
[store:encrypted_sqlite]
handler = EncryptedOverlay
backing_store = sqlite
master_key = ${libdir}/secrets.key
master_enctype = A128CBC-HS256
autogen_master_key = true
[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root
[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets
[/]
handler = Root
[/secrets]
handler = Secrets
store = encrypted_sqlite
var/lib/custodia
var/log/custodia
debian/custodia.conf etc/custodia/custodia.conf
custodia.conf usr/share/doc/custodia/examples
man/custodia.7 usr/share/man/man7
usr/bin/custodia-cli
usr/sbin/custodia
#!/bin/sh
set -e
. /usr/share/debconf/confmodule
OUT=/dev/null
if [ "$1" = configure ]; then
# lets give them a user/group in all cases.
if ! getent passwd custodia > $OUT; then
adduser --quiet --system --home /var/lib/custodia \
--disabled-password --group \
--gecos "Custodia user" \
--no-create-home \
custodia > $OUT
fi
chown -R custodia:custodia /etc/custodia /var/lib/custodia /var/log/custodia /var/run/custodia > $OUT || true
chmod 600 /etc/custodia/custodia.conf > $OUT || true
chmod 700 /etc/custodia /var/lib/custodia /var/log/custodia > $OUT || true
chmod 755 /var/run/custodia > $OUT || true
fi
#DEBHELPER#
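Review bot: The `|| true` on the four `chown`/`chmod` lines cancels `set -e` for exactly the steps that restrict `/etc/custodia/custodia.conf` to mode 600 and the config, state and log directories to 700, so a failed lock-down passes silently and the package still reports a successful configure. `/var/lib/custodia` and `/var/log/custodia` are shipped by the package's dirs file in this commit and the conffile is unpacked before postinst runs, so those lines can lose `|| true`; only `/var/run/custodia` comes from the tmpfiles entry and may not exist yet at configure time, which is presumably why the fallback was added. Suggested shape: `chmod 600 /etc/custodia/custodia.conf`, `chmod 700 /etc/custodia /var/lib/custodia /var/log/custodia`, and `[ -d /var/run/custodia ] && chmod 755 /var/run/custodia || true`, with the runtime directory split out of the `chown -R` line the same way (or left to tmpfiles, which already sets 0755 custodia:custodia). The recursive `chown -R` also runs on every configure, including over existing log files; a non-recursive chown of the directories is sufficient for a fresh install unless rewriting ownership of existing contents on each upgrade is intended.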
d /run/custodia 0755 custodia custodia
[Unit]
Description=Custodia Secrets Service for %I
Documentation=https://github.com/latchset/custodia
Requires=custodia@%i.socket
After=network.target
[Service]
Type=notify
ExecStart=/usr/sbin/custodia --instance=%i /etc/custodia/%i.conf
User=custodia
Group=custodia
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
Restart=on-failure
RestartSec=30s
[Install]
WantedBy=multi-user.target
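Review bot: The sandboxing in `[Service]` stops at `ProtectSystem=full`, `ProtectHome=true` and `NoNewPrivileges=true`; for a daemon holding a master key and a secrets database, `PrivateTmp=true` and `PrivateDevices=true` are cheap additions, as nothing in the unit or the packaged config refers to /tmp or device nodes. `ProtectSystem=strict` with `ReadWritePaths=/var/lib/custodia /var/log/custodia /run/custodia` would additionally make the rest of the filesystem read-only; from the packaged config the daemon writes `secrets.db`/`secrets.key` under `${libdir}`, logs under /var/log/custodia and its socket under /run/custodia, but confirm there are no further write paths (the audit log location, for one, is not visible here) before tightening. The `ExecStart=` line matches the RPM's (`--instance=%i /etc/custodia/%i.conf`), so the two packagings stay consistent.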