[Pkg-freeipa-devel] custodia: Changes to 'upstream'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Sat Dec 23 08:44:58 UTC 2017
.coveragerc | 2
.dockerignore | 9
.gitignore | 14
.travis.yml | 47 +
API.md | 41 +
MANIFEST.in | 20
Makefile | 205 +++++++-
README | 56 ++
README.md | 49 +-
bin/custodia | 25 +
bin/custodia-cli | 25 +
conftest.py | 1
contrib/config/README.txt | 17
contrib/config/custodia/custodia.conf | 32 +
contrib/config/systemd/system/custodia at .service | 19
contrib/config/systemd/system/custodia at .socket | 16
contrib/config/tmpfiles.d/custodia.conf | 1
contrib/docker/Dockerfile | 37 +
contrib/docker/demo.conf | 39 +
custodia.conf | 87 ++-
custodia.spec | 260 ++++++++++
custodia/custodia | 115 ----
custodia/httpd/authenticators.py | 63 --
custodia/httpd/authorizers.py | 48 -
custodia/httpd/consumer.py | 67 --
custodia/httpd/server.py | 317 -------------
custodia/log.py | 72 --
custodia/message/common.py | 63 --
custodia/message/formats.py | 63 --
custodia/message/kem.py | 404 ----------------
custodia/message/simple.py | 33 -
custodia/root.py | 16
custodia/secrets.py | 581 ------------------------
custodia/store/enclite.py | 37 -
custodia/store/interface.py | 30 -
custodia/store/sqlite.py | 205 --------
docs/Makefile | 5
docs/docs_requirements.txt | 6
docs/source/_static/.gitignore | 1
docs/source/api.rst | 198 ++++++++
docs/source/commands.rst | 18
docs/source/conf.py | 39 +
docs/source/config.rst | 164 ++++++
docs/source/container.rst | 80 +++
docs/source/examples/cfgparser.py | 152 ++++++
docs/source/examples/cfgparser.rst | 6
docs/source/examples/index.rst | 9
docs/source/examples/misc.rst | 38 +
docs/source/examples/yaml.rst | 6
docs/source/examples/yaml_ext.py | 44 +
docs/source/index.rst | 9
docs/source/plugins/authenticators.rst | 31 +
docs/source/plugins/authorizers.rst | 24
docs/source/plugins/baseclasses.rst | 38 +
docs/source/plugins/clients.rst | 24
docs/source/plugins/consumers.rst | 24
docs/source/plugins/index.rst | 66 ++
docs/source/plugins/stores.rst | 24
docs/source/quick.rst | 312 ++++++++++++
docs/source/readme.rst | 55 ++
docs/source/spelling_wordlist.txt | 70 ++
examples/enclite.db |binary
man/custodia.7 | 8
requirements.txt | 2
setup.cfg | 8
setup.py | 154 +++++-
src/custodia/__about__.py | 19
src/custodia/__init__.py | 3
src/custodia/cli/__init__.py | 326 +++++++++++++
src/custodia/cli/__main__.py | 7
src/custodia/client.py | 293 ++++++++++++
src/custodia/compat.py | 25 +
src/custodia/forwarder.py | 86 +++
src/custodia/httpd/authenticators.py | 134 +++++
src/custodia/httpd/authorizers.py | 80 +++
src/custodia/httpd/consumer.py | 13
src/custodia/httpd/server.py | 545 ++++++++++++++++++++++
src/custodia/log.py | 190 +++++++
src/custodia/message/common.py | 68 ++
src/custodia/message/formats.py | 64 ++
src/custodia/message/kem.py | 247 ++++++++++
src/custodia/message/simple.py | 42 +
src/custodia/plugin.py | 481 +++++++++++++++++++
src/custodia/root.py | 20
src/custodia/secrets.py | 400 ++++++++++++++++
src/custodia/server/__init__.py | 141 +++++
src/custodia/server/__main__.py | 7
src/custodia/server/args.py | 80 +++
src/custodia/server/config.py | 166 ++++++
src/custodia/store/encgen.py | 82 +++
src/custodia/store/enclite.py | 40 +
src/custodia/store/etcdstore.py | 122 +++++
src/custodia/store/interface.py | 12
src/custodia/store/sqlite.py | 145 +++++
tests/ca/.gitignore | 1
tests/ca/custodia-ca.conf | 95 +++
tests/ca/custodia-ca.key | 28 +
tests/ca/custodia-ca.pem | 83 +++
tests/ca/custodia-ca.sh | 63 ++
tests/ca/custodia-client.conf | 22
tests/ca/custodia-client.key | 28 +
tests/ca/custodia-client.pem | 82 +++
tests/ca/custodia-server.conf | 22
tests/ca/custodia-server.key | 28 +
tests/ca/custodia-server.pem | 85 +++
tests/client.py | 21
tests/conftest.py | 39 +
tests/custodia.py | 62 --
tests/empty.conf | 2
tests/empty.conf.d/root.conf | 2
tests/test_authenticators.py | 140 +++++
tests/test_cli.py | 97 ++++
tests/test_custodia.py | 482 +++++++++++++++++++
tests/test_message_kem.py | 203 ++++++++
tests/test_misc.py | 65 ++
tests/test_plugins.py | 50 ++
tests/test_secrets.py | 413 +++++++++++++++++
tests/test_server.py | 99 ++++
tests/test_store.py | 72 ++
tests/test_store_sqlite.py | 129 +++++
tests/tests.py | 19
tox.ini | 86 ++-
122 files changed, 8727 insertions(+), 2360 deletions(-)
New commits:
commit 6019cd361df693b963f16a6e7e8aad8d2be50be0
Author: Christian Heimes <cheimes at redhat.com>
Date: Wed May 10 17:59:47 2017 +0200
Release v0.5.0
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/src/custodia/__about__.py b/src/custodia/__about__.py
index 605305a..d81ab3b 100644
--- a/src/custodia/__about__.py
+++ b/src/custodia/__about__.py
@@ -9,7 +9,7 @@ __title__ = 'custodia'
__summary__ = 'A service to manage, retrieve and store secrets.'
__uri__ = 'https://github.com/latchset/custodia'
-__version_info__ = (0, 5, 'dev1')
+__version_info__ = (0, 5, 0)
__version__ = '.'.join(str(v) for v in __version_info__)
__author__ = 'Custodia project Contributors'
commit 2fa648801f1147eae2d5c4d9365fb6c0fc884a07
Author: Christian Heimes <cheimes at redhat.com>
Date: Wed May 10 17:42:01 2017 +0200
Prepare release and add make releasecheck
make releasecheck performs a couple of actions that ensure we are in a
good state for a new release.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/Makefile b/Makefile
index ba79953..56cb17b 100644
--- a/Makefile
+++ b/Makefile
@@ -82,7 +82,7 @@ docs: $(DOCS_DIR)/source/readme.rst
PYTHONPATH=$(CURDIR)/src \
$(MAKE) -C $(DOCS_DIR) html SPHINXBUILD="$(PYTHON) -m sphinx"
-.PHONY: install egg_info run packages release
+.PHONY: install egg_info run packages release releasecheck
install: clean_socket egg_info
$(PYTHON) setup.py install --root "$(PREFIX)"
install -d "$(PREFIX)/share/man/man7"
@@ -108,6 +108,18 @@ release: clean
@echo "* Upload source dist and wheel to PyPI:"
@echo " twine-3 upload dist/*.gz dist/*.whl"
+releasecheck: clean
+ @ # ensure README is rebuild
+ touch README.md
+ $(MAKE) README $(DOCS_DIR)/source/readme.rst
+ @ # check for version in spec
+ grep -q 'version $(VERSION)' custodia.spec || exit 1
+ @ # re-run tox
+ tox -r
+ $(MAKE) packages
+ $(MAKE) rpm
+ $(MAKE) dockerbuild
+
run: egg_info
$(PYTHON) $(CURDIR)/bin/custodia $(CONF)
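Review bot: The version gate in `releasecheck` passes `$(VERSION)` to grep as a regular expression, so every `.` in the version matches any character and the check can succeed on a spec whose version string differs. A fixed-string match is stricter and still one line: `grep -qF 'version $(VERSION)' custodia.spec`. The trailing `|| exit 1` is redundant, because make already stops on a non-zero exit status from the recipe line.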
diff --git a/README b/README
index 04ddfb8..a116a58 100644
--- a/README
+++ b/README
@@ -7,6 +7,8 @@ Custodia
A tool for managing secrets.
+See our `Quick Start Guide <docs/source/quick.rst>`__
+
Custodia is a project that aims to define an API for modern cloud
applications that allows to easily store and share passwords, tokens,
certificates and any other secret in a way that keeps data secure,
diff --git a/custodia.spec b/custodia.spec
index b01e2a8..e2b5bd4 100644
--- a/custodia.spec
+++ b/custodia.spec
@@ -3,7 +3,7 @@
%global with_etcdstore 1
%endif
-%{!?version: %define version 0.3.1}
+%{!?version: %define version 0.5.dev1}
Name: custodia
Version: %{version}
diff --git a/docs/source/readme.rst b/docs/source/readme.rst
index 2bfa3c6..e90120c 100644
--- a/docs/source/readme.rst
+++ b/docs/source/readme.rst
@@ -6,6 +6,8 @@ Custodia
A tool for managing secrets.
+See our `Quick Start Guide <docs/source/quick.rst>`__
+
Custodia is a project that aims to define an API for modern cloud
applications that allows to easily store and share passwords, tokens,
certificates and any other secret in a way that keeps data secure,
@@ -50,3 +52,4 @@ Some APIs are provisional and may change in the future.
- Command line interface in module ``custodia.cli``.
- The script custodia-cli.
+
commit b993228f76b16ba71556429d73fce6d9fd4c68da
Author: Christian Heimes <cheimes at redhat.com>
Date: Wed May 10 16:34:14 2017 +0200
Document makedirs and enable it in demo config
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/contrib/config/custodia/custodia.conf b/contrib/config/custodia/custodia.conf
index bded9ca..5e4b584 100644
--- a/contrib/config/custodia/custodia.conf
+++ b/contrib/config/custodia/custodia.conf
@@ -1,6 +1,7 @@
# /etc/custodia/custodia.conf
[global]
debug = true
+makedirs = true
[store:sqlite]
handler = SqliteStore
diff --git a/docs/source/config.rst b/docs/source/config.rst
index 8a65623..37e220c 100644
--- a/docs/source/config.rst
+++ b/docs/source/config.rst
@@ -34,6 +34,9 @@ server_string [str]
debug [bool, default=False]
enable debugging
+makedirs [bool, default=False]
+ Create *libdir*, *logdir*, *rundir*, and *socketdir*.
+
tls_certfile [str]
The filename of the server cert file and its intermediate certs. The server
cert file can also contain the private key. The option is required for
diff --git a/docs/source/spelling_wordlist.txt b/docs/source/spelling_wordlist.txt
index ff1e420..9a652d0 100644
--- a/docs/source/spelling_wordlist.txt
+++ b/docs/source/spelling_wordlist.txt
@@ -1,4 +1,3 @@
-
api
Args
auditable
@@ -43,6 +42,7 @@ kem
keyfile
libdir
logdir
+makedirs
metadata
mkdir
namespace
commit a1ac544567f829ac15bcd933697bffbdaec399fb
Author: Christian Heimes <cheimes at redhat.com>
Date: Wed May 10 13:53:35 2017 +0200
Add two-phase initialization API to plugins
The new API method finalize_init() allows plugins to be finalized in a
second step. In the second step the plugin is also able to access the
global configuration dict and all other plugin instances.
Closes: #155
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/docs/source/spelling_wordlist.txt b/docs/source/spelling_wordlist.txt
index 0197b9a..ff1e420 100644
--- a/docs/source/spelling_wordlist.txt
+++ b/docs/source/spelling_wordlist.txt
@@ -1,5 +1,6 @@
api
+Args
auditable
auth
authenticator
@@ -18,6 +19,7 @@ boolean
cafile
ccache
certfile
+cfgparser
cli
conf
confdpattern
diff --git a/src/custodia/plugin.py b/src/custodia/plugin.py
index 580db1a..4d90399 100644
--- a/src/custodia/plugin.py
+++ b/src/custodia/plugin.py
@@ -339,6 +339,33 @@ class CustodiaPlugin(object):
return origin, debug
+ def _attach_store(self, config, cfgparser, context):
+ """Attach nested store
+ """
+ if getattr(self, 'store', None) is not None:
+ # already attached
+ return
+ store_plugin = config['stores'].get(self.store_name)
+ if store_plugin is None:
+ raise ValueError(
+ "'{}' references non-existing store '{}'".format(
+ self.section, self.store_name))
+ # pylint: disable=attribute-defined-outside-init
+ self.store = store_plugin
+ # pylint: enable=attribute-defined-outside-init
+ store_plugin.finalize_init(config, cfgparser, context=self)
+
+ def finalize_init(self, config, cfgparser, context=None):
+ """Two-phase initialization
+
+ Args:
+ config: server config dictionary
+ cfgparser: configparser instance
+ context: initialization context (None for global)
+ """
+ if getattr(self, 'store_name', None) is not None:
+ self._attach_store(config, cfgparser, context)
+
class CSStore(CustodiaPlugin):
"""Base class for stores
diff --git a/src/custodia/server/__init__.py b/src/custodia/server/__init__.py
index 80b88f5..70791a9 100644
--- a/src/custodia/server/__init__.py
+++ b/src/custodia/server/__init__.py
@@ -118,11 +118,12 @@ def _load_plugins(config, cfgparser):
logger.debug("Plugin '%s' failed to load.", name, exc_info=True)
raise RuntimeError(menu, name, e)
- # Attach stores to other plugins
- attach_store('auth:', config['authenticators'], config['stores'])
- attach_store('authz:', config['authorizers'], config['stores'])
- attach_store('', config['consumers'], config['stores'])
- attach_store('store:', config['stores'], config['stores'])
+ # 2nd initialization stage
+ for menu in ['authenticators', 'authorizers', 'consumers', 'stores']:
+ plugins = config[menu]
+ for name in sorted(plugins):
+ plugin = plugins[name]
+ plugin.finalize_init(config, cfgparser, context=None)
def main(argparser=None):
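Review bot: The second-stage loop calls `finalize_init()` outside the `try`/`except` that wraps `_create_plugin()` just above it. The `ValueError` that `_attach_store()` raises for a non-existing store therefore escapes without the debug log entry and without the `RuntimeError(menu, name, e)` wrapping that first-stage failures get. Assuming the caller reports that triple, a misconfigured `store` reference would surface with less context than a bad `handler`. A store referenced by another plugin also has `finalize_init()` called more than once (with `context=self` from `_attach_store()` and with `context=None` from this loop), so the docstring in `plugin.py` should state that overrides must be idempotent. The body of `_load_plugins` starts outside this hunk.

```python
        # … unchanged: loop over the four plugin menus …
        for name in sorted(plugins):
            try:
                plugins[name].finalize_init(config, cfgparser, context=None)
            except Exception as e:
                logger.debug("Plugin '%s' failed to finalize.", name,
                             exc_info=True)
                raise RuntimeError(menu, name, e)
```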
commit 71fa1e9cfe26e7e899aac187fe4d5aa76a8a1d7c
Author: Christian Heimes <cheimes at redhat.com>
Date: Wed May 10 13:36:39 2017 +0200
Add section attribute to all plugin instances
For error logging and two-phase initialization it is useful to keep the
name of the config section around.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/src/custodia/plugin.py b/src/custodia/plugin.py
index 6c7839f..580db1a 100644
--- a/src/custodia/plugin.py
+++ b/src/custodia/plugin.py
@@ -292,6 +292,7 @@ class CustodiaPlugin(object):
def __init__(self, config, section=None):
origin, debug = self._configure(config, section)
self._auditlog = auditlog
+ self.section = section # plugin loader sets section for old plugins
self.origin = origin
self.logger = CustodiaLoggingAdapter(self, debug)
diff --git a/src/custodia/server/__init__.py b/src/custodia/server/__init__.py
index b2cac15..80b88f5 100644
--- a/src/custodia/server/__init__.py
+++ b/src/custodia/server/__init__.py
@@ -72,12 +72,14 @@ def _create_plugin(cfgparser, section, menu):
if handler._options is not None: # pylint: disable=protected-access
# new-style plugin with parser and section
- return handler(cfgparser, section)
+ plugin = handler(cfgparser, section)
else:
# old-style plugin with config dict
hconf.update(cfgparser.items(section))
hconf.pop('handler')
- return handler(hconf)
+ plugin = handler(hconf)
+ plugin.section = section
+ return plugin
def _load_plugins(config, cfgparser):
commit 38eaeaf42d076d427874d4289d379bcb0d7ddb5a
Author: Christian Heimes <cheimes at redhat.com>
Date: Wed May 10 13:33:03 2017 +0200
Rename parser argument to cfgparser
The argument name 'parser' is ambiguous. We have an argparser and a
configparser instance in the same module.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/src/custodia/server/__init__.py b/src/custodia/server/__init__.py
index fb73de0..b2cac15 100644
--- a/src/custodia/server/__init__.py
+++ b/src/custodia/server/__init__.py
@@ -56,11 +56,11 @@ def _load_plugin_class(menu, name):
raise ValueError("{}: {} not found".format(menu, name))
-def _create_plugin(parser, section, menu):
- if not parser.has_option(section, 'handler'):
+def _create_plugin(cfgparser, section, menu):
+ if not cfgparser.has_option(section, 'handler'):
raise ValueError('Invalid section, missing "handler"')
- handler_name = parser.get(section, 'handler')
+ handler_name = cfgparser.get(section, 'handler')
hconf = {'facility_name': section}
try:
handler = _load_plugin_class(menu, handler_name)
@@ -72,21 +72,21 @@ def _create_plugin(parser, section, menu):
if handler._options is not None: # pylint: disable=protected-access
# new-style plugin with parser and section
- return handler(parser, section)
+ return handler(cfgparser, section)
else:
# old-style plugin with config dict
- hconf.update(parser.items(section))
+ hconf.update(cfgparser.items(section))
hconf.pop('handler')
return handler(hconf)
-def _load_plugins(config, parser):
+def _load_plugins(config, cfgparser):
"""Load and initialize plugins
"""
# set umask before any plugin gets a chance to create a file
os.umask(config['umask'])
- for s in parser.sections():
+ for s in cfgparser.sections():
if s in {'ENV', 'global'}:
# ENV section is only used for interpolation
continue
@@ -111,7 +111,7 @@ def _load_plugins(config, parser):
raise ValueError('Invalid section name [%s].\n' % s)
try:
- config[menu][name] = _create_plugin(parser, s, menu)
+ config[menu][name] = _create_plugin(cfgparser, s, menu)
except Exception as e:
logger.debug("Plugin '%s' failed to load.", name, exc_info=True)
raise RuntimeError(menu, name, e)
commit fa255fef5667e1ecbe61efdff0c22a6ec72e1536
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 22:04:53 2017 +0200
tox: don't recurse into dist directory
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/tox.ini b/tox.ini
index 082b04c..478e857 100644
--- a/tox.ini
+++ b/tox.ini
@@ -65,7 +65,7 @@ commands =
{envpython} -m sphinx -W -b spelling -d {envtmpdir}/doctrees docs/source {envtmpdir}/html
[pytest]
-norecursedirs = build .tox
+norecursedirs = dist build .tox
python_files = tests/*.py
markers =
# use tox -- --skip-servertests to skip server tests
commit f4f5fbda42d016710bc7d6afadcea87f34418d6e
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 17:30:01 2017 +0200
Introduce bin/ file for in-tree scripts
pkg_resources, namespace packages and PYTHONPATH don't mix and mangle very
well. Under some yet-unknown conditions, pkg_resources and 'python -m'
prefer a global installation of custodia over the in-tree version. It's
probably related to nspkg.pth files.
The new scripts bin/custodia and bin/custodia-cli ensure that the
entry points and Python sources from ./src/custodia are used.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/MANIFEST.in b/MANIFEST.in
index f84f4db..4425ac1 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,6 +1,7 @@
include setup.py setup.cfg
include Makefile LICENSE README
include *.md *.ini .coveragerc
+include bin/custodia bin/custodia-cli
include custodia.conf
recursive-include examples *.key *.db
diff --git a/Makefile b/Makefile
index c27a20b..ba79953 100644
--- a/Makefile
+++ b/Makefile
@@ -109,7 +109,7 @@ release: clean
@echo " twine-3 upload dist/*.gz dist/*.whl"
run: egg_info
- PYTHONPATH=$(CURDIR)/src $(PYTHON) -m custodia.server $(CONF)
+ $(PYTHON) $(CURDIR)/bin/custodia $(CONF)
.PHONY: rpmroot rpmfiles rpm
diff --git a/bin/custodia b/bin/custodia
new file mode 100755
index 0000000..ba2cfd0
--- /dev/null
+++ b/bin/custodia
@@ -0,0 +1,25 @@
+#!/usr/bin/python2.7
+import os
+import sys
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+SRC = os.path.join(os.path.dirname(HERE), 'src')
+
+sys.path.insert(0, SRC)
+
+
+def main(dist='custodia', group='console_scripts', name='custodia'):
+ # delay pkg_resources after sys.path changes
+ import pkg_resources
+ pkg_resources.working_set.add_entry(SRC)
+ ep = pkg_resources.get_entry_info(dist, group, name)
+ if os.path.normpath(ep.dist.location) != os.path.normpath(SRC):
+ raise RuntimeError(ep.dist.location)
+ if hasattr(ep, 'resolve'):
+ func = ep.resolve()
+ else:
+ func = ep.load(require=False)
+ sys.exit(func())
+
+if __name__ == '__main__':
+ main()
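Review bot: The in-tree guard in `main()` compares `os.path.normpath()` of both paths, which does not resolve symlinks, so a checkout reached through a symlinked directory could be rejected if pkg_resources reports a resolved location (not confirmed from this hunk), and the resulting `RuntimeError` carries only a bare path. Comparing with `os.path.realpath(ep.dist.location) != os.path.realpath(SRC)` and raising `RuntimeError("entry point resolved outside source tree: %s" % ep.dist.location)` keeps the check, which is what stops a globally installed custodia from being run in place of the tree under test, and makes a failure self-explanatory. The shebang is also pinned to `/usr/bin/python2.7` although the Makefile invokes the script through `$(PYTHON)`. `bin/custodia-cli` is a copy of this file and the same points apply there.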
diff --git a/bin/custodia-cli b/bin/custodia-cli
new file mode 100755
index 0000000..12bb493
--- /dev/null
+++ b/bin/custodia-cli
@@ -0,0 +1,25 @@
+#!/usr/bin/python2.7
+import os
+import sys
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+SRC = os.path.join(os.path.dirname(HERE), 'src')
+
+sys.path.insert(0, SRC)
+
+
+def main(dist='custodia', group='console_scripts', name='custodia-cli'):
+ # delay pkg_resources after sys.path changes
+ import pkg_resources
+ pkg_resources.working_set.add_entry(SRC)
+ ep = pkg_resources.get_entry_info(dist, group, name)
+ if os.path.normpath(ep.dist.location) != os.path.normpath(SRC):
+ raise RuntimeError(ep.dist.location)
+ if hasattr(ep, 'resolve'):
+ func = ep.resolve()
+ else:
+ func = ep.load(require=False)
+ sys.exit(func())
+
+if __name__ == '__main__':
+ main()
diff --git a/custodia.conf b/custodia.conf
index 8fd5e27..3857d37 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -14,6 +14,7 @@ server_version = "Secret/0.0.7"
debug = True
#server_url = https://0.0.0.0:10443
server_socket = ./server_socket
+auditlog = ${configdir}/custodia.audit.log
tls_certfile = tests/ca/custodia-server.pem
tls_keyfile = tests/ca/custodia-server.key
tls_cafile = tests/ca/custodia-ca.pem
commit 5e91fc56bb9f3fdc657c7ba1bc151b39c6db900c
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 17:43:45 2017 +0200
Revert to /path/logdir/audit.log
custodia.audit.log is only used for local test servers. The designated
name for the audit log file is simply audit.log. Let's keep it the
default setting.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/contrib/config/custodia/custodia.conf b/contrib/config/custodia/custodia.conf
index c1581e5..bded9ca 100644
--- a/contrib/config/custodia/custodia.conf
+++ b/contrib/config/custodia/custodia.conf
@@ -1,7 +1,6 @@
# /etc/custodia/custodia.conf
[global]
debug = true
-auditlog = ${logdir}/audit.log
[store:sqlite]
handler = SqliteStore
diff --git a/docs/source/config.rst b/docs/source/config.rst
index 55b1876..8a65623 100644
--- a/docs/source/config.rst
+++ b/docs/source/config.rst
@@ -139,7 +139,7 @@ empty config file::
socketdir = /var/run/custodia
[global]
- auditlog = /var/log/custodia/example/custodia.audit.log
+ auditlog = /var/log/custodia/example/audit.log
debug = False
server_socket = /var/run/custodia/example.sock
makedirs = True
diff --git a/src/custodia/server/config.py b/src/custodia/server/config.py
index 4c03858..2c62106 100644
--- a/src/custodia/server/config.py
+++ b/src/custodia/server/config.py
@@ -61,7 +61,7 @@ class CustodiaConfig(object):
# default globals
parser.add_section(u'global')
- parser.set(u'global', u'auditlog', u'${logdir}/custodia.audit.log')
+ parser.set(u'global', u'auditlog', u'${logdir}/audit.log')
parser.set(u'global', u'debug', u'false')
parser.set(u'global', u'umask', u'027')
parser.set(u'global', u'makedirs', u'false')
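Review bot: Changing the built-in `auditlog` default moves the audit trail to a different file for every instance that does not set the option explicitly, and nothing in this commit tells operators. If any packaged or deployed build used the `custodia.audit.log` default (not determinable from this hunk), logrotate rules and log collectors watching the old name would silently stop receiving audit events after an upgrade. A short upgrade note beside the `auditlog` example in `docs/source/config.rst` would cover it, plus a comment on this line such as `# default audit log name; keep in sync with docs and log collection config`.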
diff --git a/tests/test_server.py b/tests/test_server.py
index 654d692..cb29fb8 100644
--- a/tests/test_server.py
+++ b/tests/test_server.py
@@ -42,7 +42,7 @@ def test_parse_config(args):
assert parser.get(u'/', u'handler') == u'Root'
assert config == {
- 'auditlog': u'/var/log/custodia/custodia.audit.log',
+ 'auditlog': u'/var/log/custodia/audit.log',
'authenticators': {},
'authorizers': {},
'confdpattern': EMPTY_CONF + u'.d/*.conf',
@@ -74,7 +74,7 @@ def test_parse_config_instance(args_instance):
assert parser.get(u'/', u'handler') == u'Root'
assert config == {
- 'auditlog': u'/var/log/custodia/testing/custodia.audit.log',
+ 'auditlog': u'/var/log/custodia/testing/audit.log',
'authenticators': {},
'authorizers': {},
'confdpattern': EMPTY_CONF + u'.d/*.conf',
commit 0c4ddc79028cbaa53bbf967bf00f28b900f5ea21
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 17:46:12 2017 +0200
Remove conflict with ipalib < 4.5
FreeIPA 4.4 will be compatible with recent custodia packages,
https://github.com/freeipa/freeipa/pull/760#issuecomment-300163978
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/custodia.spec b/custodia.spec
index ef5c8e9..b01e2a8 100644
--- a/custodia.spec
+++ b/custodia.spec
@@ -60,10 +60,6 @@ Requires: python3-custodia = %{version}-%{release}
Requires: python2-custodia = %{version}-%{release}
%endif
-# FreeIPA 4.3 and 4.4 are not compatible with custodia because the custodia
-# script now runs under Python 3.
-Conflicts: freeipa-server-common < 4.5
-Conflicts: ipa-server-common < 4.5
%global overview \
Custodia is a Secrets Service Provider, it stores or proxies access to \
@@ -91,7 +87,6 @@ Requires: python-jwcrypto
Requires: python2-requests
Requires: python2-setuptools
Requires: python2-systemd
-Conflicts: python2-ipalib < 4.5
%description -n python2-custodia
Sub-package with python custodia modules
@@ -118,7 +113,6 @@ Requires: python3-jwcrypto
Requires: python3-requests
Requires: python3-setuptools
Requires: python3-systemd
-Conflicts: python3-ipalib < 4.5
%description -n python3-custodia
Sub-package with python custodia modules
commit 9e4e7d6741e97ff904d01aab27368cb422e2baa2
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 19:49:56 2017 +0200
Upgrade pip first
"pip install --upgrade pip setuptools codecov" breaks. Upgrade pip
first, then install/upgrade remaining packages with most recent pip.
https://github.com/kennethreitz/requests/issues/4006
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/.travis.yml b/.travis.yml
index 0745f38..344505e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -29,9 +29,10 @@ matrix:
env: TOXENV=pep8py3
install:
- - pip install --upgrade pip setuptools codecov
+ - pip install --upgrade pip
+ - pip install --upgrade setuptools
- pip --version
- - pip install tox
+ - pip install --upgrade codecov tox
- tox --version
script:
commit 31901f4a7cb2e8375c3c4787c970b15744e60edf
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 11:25:28 2017 +0200
Add named instance templates for systemd
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/Makefile b/Makefile
index 952668b..c27a20b 100644
--- a/Makefile
+++ b/Makefile
@@ -122,9 +122,9 @@ rpmroot:
rpmfiles: rpmroot packages
mv dist/custodia-$(VERSION).tar.gz* $(RPMBUILD)/SOURCES
- cp contrib/config/custodia/custodia.conf $(RPMBUILD)/SOURCES/custodia.conf
- cp contrib/config/systemd/system/custodia.service $(RPMBUILD)/SOURCES/custodia.service
- cp contrib/config/systemd/system/custodia.socket $(RPMBUILD)/SOURCES/custodia.socket
+ cp contrib/config/custodia/custodia.conf $(RPMBUILD)/SOURCES/
+ cp contrib/config/systemd/system/custodia at .service $(RPMBUILD)/SOURCES/
+ cp contrib/config/systemd/system/custodia at .socket $(RPMBUILD)/SOURCES/
cp contrib/config/tmpfiles.d/custodia.conf $(RPMBUILD)/SOURCES/custodia.tmpfiles.conf
rpm: clean rpmfiles egg_info
@@ -132,6 +132,7 @@ rpm: clean rpmfiles egg_info
--define "_topdir $(RPMBUILD)" \
--define "version $(VERSION)" \
-ba custodia.spec
+ echo "$(RPMBUILD)/RPMS"
.PHONY: dockerbuild dockerdemo dockerdemoinit dockershell dockerreleasebuild
diff --git a/contrib/config/custodia/custodia.conf b/contrib/config/custodia/custodia.conf
index 2e46309..c1581e5 100644
--- a/contrib/config/custodia/custodia.conf
+++ b/contrib/config/custodia/custodia.conf
@@ -1,13 +1,6 @@
# /etc/custodia/custodia.conf
-
-[DEFAULT]
-libdir = /var/lib/custodia
-logdir = /var/log/custodia
-rundir = /var/run/custodia
-
[global]
debug = true
-server_socket = ${rundir}/custodia.sock
auditlog = ${logdir}/audit.log
[store:sqlite]
diff --git a/contrib/config/systemd/system/custodia.service b/contrib/config/systemd/system/custodia.service
deleted file mode 100644
index ddd059d..0000000
--- a/contrib/config/systemd/system/custodia.service
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/systemd/system/custodia.service
-
-[Unit]
-Description=Custodia Secrets Service
-Documentation=https://github.com/latchset/custodia
-Requires=custodia.socket
-After=network.target
-
-[Service]
-Type=notify
-ExecStart=/usr/sbin/custodia /etc/custodia/custodia.conf
-User=custodia
-Group=custodia
-ProtectSystem=full
-ProtectHome=true
-NoNewPrivileges=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/contrib/config/systemd/system/custodia.socket b/contrib/config/systemd/system/custodia.socket
deleted file mode 100644
index 4a5f71d..0000000
--- a/contrib/config/systemd/system/custodia.socket
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/systemd/system/custodia.socket
-
-[Unit]
-Description=Custodia Socket
-Documentation=https://github.com/latchset/custodia
-
-[Socket]
-ListenStream=/var/run/custodia/custodia.sock
-RemoveOnStop=true
-SocketUser=custodia
-SocketGroup=custodia
-SocketMode=0666
-
-[Install]
-WantedBy=sockets.target
diff --git a/contrib/config/systemd/system/custodia at .service b/contrib/config/systemd/system/custodia at .service
new file mode 100644
index 0000000..1fba0cb
--- /dev/null
+++ b/contrib/config/systemd/system/custodia at .service
@@ -0,0 +1,19 @@
+# /etc/systemd/system/custodia at .service
+
+[Unit]
+Description=Custodia Secrets Service for %I
+Documentation=https://github.com/latchset/custodia
+Requires=custodia@%i.socket
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/custodia --instance=%i /etc/custodia/%i.conf
+User=custodia
+Group=custodia
+ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/config/systemd/system/custodia at .socket b/contrib/config/systemd/system/custodia at .socket
new file mode 100644
index 0000000..b68f794
--- /dev/null
+++ b/contrib/config/systemd/system/custodia at .socket
@@ -0,0 +1,16 @@
+# /etc/systemd/system/custodia at .socket
+
+[Unit]
+Description=Custodia Socket for %i
+Documentation=https://github.com/latchset/custodia
+
+[Socket]
+ListenStream=/var/run/custodia/%i.sock
+Service=custodia@%i.service
+RemoveOnStop=true
+SocketUser=custodia
+SocketGroup=custodia
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
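Review bot: `SocketMode=0666` in the new template makes every instance socket connectable by any local account, so access to stored secrets depends entirely on the authenticator and authorizer sections of the matching `/etc/custodia/%i.conf`. The value is carried over from the deleted `custodia.socket`, but with one socket per named instance the unit should state that assumption, for example `# world-connectable on purpose: access control is enforced by Custodia authenticators/authorizers`. Instances that serve a single consumer group could instead use `SocketMode=0660` with a dedicated `SocketGroup=` through a drop-in, so that a configuration mistake does not expose the API to all local users.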
diff --git a/custodia.spec b/custodia.spec
index a922e99..ef5c8e9 100644
--- a/custodia.spec
+++ b/custodia.spec
@@ -15,8 +15,8 @@ URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sha512sum.txt
Source2: custodia.conf
-Source3: custodia.service
-Source4: custodia.socket
+Source3: custodia at .service
+Source4: custodia at .socket
Source5: custodia.tmpfiles.conf
BuildArch: noarch
@@ -207,16 +207,16 @@ getent passwd custodia >/dev/null || \
exit 0
%post
-%systemd_post custodia.socket
-%systemd_post custodia.service
+%systemd_post custodia@\*.socket
+%systemd_post custodia@\*.service
%preun
-%systemd_preun custodia.socket
-%systemd_preun custodia.service
+%systemd_preun custodia@\*.socket
+%systemd_preun custodia@\*.service
%postun
-%systemd_postun custodia.socket
-%systemd_postun custodia.service
+%systemd_postun custodia@\*.socket
+%systemd_postun custodia@\*.service
%files
@@ -228,8 +228,8 @@ exit 0
%{_bindir}/custodia-cli
%dir %attr(0700,custodia,custodia) %{_sysconfdir}/custodia
%config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/custodia.conf
-%attr(644,root,root) %{_unitdir}/custodia.socket
-%attr(644,root,root) %{_unitdir}/custodia.service
+%attr(644,root,root) %{_unitdir}/custodia at .socket
+%attr(644,root,root) %{_unitdir}/custodia at .service
%dir %attr(0700,custodia,custodia) %{_localstatedir}/lib/custodia
%dir %attr(0700,custodia,custodia) %{_localstatedir}/log/custodia
%dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia
commit 57c25605d767fa89717e86bdc0207f582e850c91
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 12:59:37 2017 +0200
Include test configs in sdist
Signed-off-by: Christian Heimes <cheimes at redhat.com>
diff --git a/MANIFEST.in b/MANIFEST.in
index 387bf85..f84f4db 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -12,7 +12,8 @@ include man/custodia.7
recursive-include contrib *.txt *.conf *.service *.socket Dockerfile
recursive-include tests *.py
-recursive-include tests/ca *.conf *.key *.pem *.sh
+recursive-include tests *.conf
+recursive-include tests/ca *.key *.pem *.sh
prune tests/tmp
prune tests/ca/tmp
commit ab6838c7e6bf09ef73383444acc70e5807c3cef1
Author: Christian Heimes <cheimes at redhat.com>
Date: Tue May 9 11:30:38 2017 +0200
Improve diagnostics of Travis CI
Signed-off-by: Christian Heimes <cheimes at redhat.com>