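# RPM spec for ipa-hcc, the Hybrid Cloud Console extension for IPA.
#
# Builds these packages from one source tree:
#   python3-ipahcc  shared Python libraries
#   server          IPA server plugins and registration service (always built)
#   client          automatic enrollment service (RHEL only by default)
#   selinux         policy module for the server package (on by default)
#   mockapi, ephemeral, stage-console  opt-in test and staging packages
%global package_name ipa-hcc

%if 0%{?rhel}
# RHEL 8, 9
%global ipa_name ipa
# ipa-client-install supports PKINIT options since 4.9.11 (RHEL 8.8)
# and 4.10.1 (RHEL 9.2).
%if 0%{?rhel} >= 9
# RHEL 9.2+ with PKINIT support in ipa-client-install
%global ipa_version 4.10.1
%global include_client 1
%global with_pyproject_macros 1
%global selinux_policy_version 38.1.1-1
%else
# RHEL 8.8+ with PKINIT support in ipa-client-install
# NOTE: python3 macro points to platform-python
%global ipa_version 4.9.11
%global include_client 1
# RHEL 8's build root does not provide pyproject-rpm-macros
%global without_pyproject_macros 1
%global selinux_policy_version 3.14.3-107
%endif
%else
# Fedora 37+ with PKINIT support in ipa-client-install
%global ipa_name freeipa
%global ipa_version 4.10.1
# Fedora is missing rhc and insights-client
%global include_client 0
%global with_pyproject_macros 1
%global selinux_policy_version 36.16-1
%endif

# always include ipa-hcc-server package
%global with_server 1

# --with client (enabled on RHEL, disabled on Fedora)
# include ipa-hcc-client package
# NOTE: RHEL8 does not define 'bcond()' helper
%if %{include_client}
%bcond_without client
%else
%bcond_with client
%endif

# --with mockapi (disabled by default)
# include mockapi server and client prepare for Ephemeral
%bcond_with mockapi
%if %{with mockapi} && !%{with server}
%{error:--with mockapi requires --with server}
%endif

# --with stageconsole (disabled by default)
# setup system for internal stage console
%bcond_with stageconsole

# --without selinux (enabled by default)
# SELinux rules for ipa-hcc-server
%bcond_without selinux

# --with devel (disabled by default)
# local development dependencies
%bcond_with devel

%if %{with selinux}
%global selinuxtype targeted
%global modulename ipa-hcc
%endif

Name:           %{package_name}
Version:        0.0.git.386.711771ac
Release:        1%{?dist}
Summary:        Hybrid Cloud Console extension for IPA

BuildArch:      noarch

License:        GPL-3.0-or-later
URL:            https://github.com/podengo-project/ipa-hcc
# NOTE(review): the VCS tag names a different repository owner than URL,
# presumably because rpkg records the remote of the checkout it built from.
# Confirm the provenance of the tarball before treating a build as a release.
VCS:            git+https://github.com/pvoborni/ipa-hcc.git#711771ac69a142b0d62d2ba26663d831a9d46cc1:
# tag names are generated by rpkg
Source:         ipa-hcc-711771ac.tar.gz
Source1:        ipa-hcc.sysusers

BuildRequires: python3-devel
%if %{with pyproject_macros}
BuildRequires: pyproject-rpm-macros
%endif
# RHEL 8 buildroot does not have idm:DL1 module
%if %{with server} && 0%{?rhel} != 8
BuildRequires: python3-ipaserver >= %{ipa_version}
%else
BuildRequires: python3-ipaclient >= %{ipa_version}
%endif
BuildRequires: python3-requests
BuildRequires: python3-systemd
BuildRequires: python3-sssdconfig
BuildRequires: python3-jsonschema
BuildRequires: python3-jwcrypto
BuildRequires: make
BuildRequires: openssl
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
%if %{with selinux}
BuildRequires: selinux-policy-devel >= %{selinux_policy_version}
%endif
BuildRequires: subscription-manager-rhsm-certificates

%if %{with devel}
BuildRequires: ipa-client
BuildRequires: tox
BuildRequires: python3.6
BuildRequires: python3.9
BuildRequires: rpmlint
BuildRequires: nodejs-npm
BuildRequires: openldap-devel
BuildRequires: openldap-compat
BuildRequires: gcc
BuildRequires: krb5-devel
BuildRequires: python3-pyyaml
BuildRequires: python3-pip
BuildRequires: python3-wheel
BuildRequires: rpmdeplint
%endif

%description
An extension for IPA integration with Red Hat Hybrid Cloud Console.


%package -n python3-ipahcc
Summary: Python libraries for ipa-hcc, IPA Hybrid Cloud Console integration
BuildArch: noarch
%{?python_provide:%python_provide python3-ipahcc}
Requires: python3-ipalib >= %{ipa_version}
Requires: python3-requests
Recommends: python3-subscription-manager-rhsm
Conflicts: %{package_name}-server <= 0.16-1

%description -n python3-ipahcc
python3-ipahcc provides Python libraries that are used by ipa-hcc-client
and ipa-hcc-server packages.

%if %{with pyproject_macros}
%pyproject_extras_subpkg -n python3-ipahcc server
%endif


%if %{with server}
%package server
Summary: IPA server plugin for Hybrid Cloud Console integration
BuildArch: noarch
%if %{with pyproject_macros}
Requires: python3-ipahcc+server = %{version}-%{release}
%else
Requires: python3-ipahcc = %{version}-%{release}
Requires: python3-cryptography
Requires: python3-jsonschema
Requires: python3-jwcrypto
# pyproject_macros extra dependencies
%endif
Requires: %{ipa_name}-server >= %{ipa_version}
Requires(post): %{ipa_name}-server >= %{ipa_version}
Requires: httpd
Requires: mod_ssl
%if %{with selinux}
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires(post): (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
%endif
%{?systemd_requires}
%{?sysusers_requires_compat}

%description server
This package contains IPA server plugins, LDAP schema extension, WebUI
extension, and registration agent for Hybrid Cloud Console integration.
The extensions require an account on https://console.redhat.com/ and
registration with subscription manager.

%posttrans server
# Apply schema and LDAP updates only on a host where IPA is already
# configured; the probe exits 0 in that case and 1 otherwise.
%{python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1

if [ $? -eq 0 ]; then
    /usr/sbin/ipa-ldap-updater --quiet \
        --schema-file=%{_datadir}/ipa/schema.d/85-hcc.ldif \
        %{_datadir}/ipa/updates/85-hcc.update \
        %{_datadir}/ipa/updates/86-hcc-registration-service.update
    # restart httpd if running
    /bin/systemctl try-restart gssproxy.service httpd.service >/dev/null 2>&1 || :
fi

%pre server
# create user account for service
%if 0%{?sysusers_requires_compat:1}
%sysusers_create_compat %{SOURCE1}
%else
# RHEL 8
getent passwd ipahcc >/dev/null || useradd -r -s /sbin/nologin -d /var/cache/ipa-hcc -c "IPA Hybrid Cloud Console enrollment service" ipahcc
usermod -a -G ipaapi ipahcc
%endif

%post server
# ipa-hcc-update.timer is started by ipactl
%systemd_post ipa-hcc-update.service
%systemd_post ipa-hcc-update.timer
/bin/systemctl daemon-reload

%preun server
%systemd_preun ipa-hcc-update.service
%systemd_preun ipa-hcc-update.timer

%postun server
# remove pkinit_anchors line from KRB5 KDC config
# NOTE(review): unlike the selinux postun scriptlet, this one has no
# "$1 -eq 0" guard, so the anchors line is also dropped and krb5kdc
# restarted when the package is upgraded. Presumably the updater run in
# posttrans adds the line back; confirm, or PKINIT trust for the HCC CA
# certificates is lost after an upgrade.
sed --in-place=.bak '/\/usr\/share\/ipa-hcc\/cacerts/d' /var/kerberos/krb5kdc/kdc.conf || :
/bin/systemctl try-restart krb5kdc.service || :
%systemd_postun ipa-hcc-update.service
%systemd_postun ipa-hcc-update.timer

# with server
%endif


%if %{with mockapi}
%package mockapi
Summary: Automatic IPA client enrollment: Mock API
BuildArch: noarch
Requires: %{package_name}-server = %{version}
%{?systemd_requires}

%description mockapi
This package contains a Mock API for testing of automatic enrollment service
of IPA clients.

%posttrans mockapi
# Same configured-IPA probe as the server package: exit 0 means configured.
%{python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1

if [ $? -eq 0 ]; then
    /usr/sbin/ipa-ldap-updater --quiet %{_datadir}/ipa/updates/87-hcc-mockapi.update
    # restart httpd if running
    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
fi


%package ephemeral
Summary: Automatic IPA client enrollment: Ephemeral client prepare
BuildArch: noarch
Requires: %{package_name}-client = %{version}
%{?systemd_requires}

%description ephemeral
This package contains a systemd service that hooks into the auto enrollment
process of IPA clients. It prepares the client for testing with Ephemeral
environment. The package also enables ipa-hcc-auto-enrollment.service.

%post ephemeral
%systemd_post ipa-hcc-client-prepare.service
/bin/systemctl daemon-reload

%posttrans ephemeral
/bin/systemctl enable ipa-hcc-client-prepare.service
/bin/systemctl enable ipa-hcc-auto-enrollment.service

%preun ephemeral
%systemd_preun ipa-hcc-client-prepare.service

%postun ephemeral
%systemd_postun_with_restart ipa-hcc-client-prepare.service

# with mockapi and ephemeral client-prepare
%endif


%if %{with stageconsole}
%package stage-console
Summary: IPA HCC: Stage Console configuration
BuildArch: noarch
Requires(post): python3
Requires(post): rhc
Requires(post): insights-client

%description stage-console
This package configures subscription manager, rhc, insights-client, and
ipa-hcc-auto-enrollment.service to use the internal Stage Console. The
system is reconfigured during package installation.

%posttrans stage-console
/usr/libexec/ipa-hcc/ipa-hcc-stage-console --verbose stage.redhat.com

# with stageconsole
%endif


%if %{with client}
%package client
Summary: Automatic IPA client enrollment for Hybrid Cloud Console
BuildArch: noarch
Requires: python3-ipahcc = %{version}-%{release}
Requires: %{ipa_name}-client >= %{ipa_version}
# ipa-client RHEL 8.7, 9.1, and earlier, do not come with pkinit
Requires: krb5-pkinit-openssl
Recommends: subscription-manager
%if 0%{?rhel}
# Recommend remote host configuration and Insights client on RHEL
# The packages are not available on Fedora. We don't support Yggdrasil.
Recommends: rhc
Recommends: insights-client
%endif
%{?systemd_requires}

%description client
This package contains the automatic enrollment service for IPA clients
(domain join on launch).

%post client
%systemd_post ipa-hcc-auto-enrollment.service
/bin/systemctl daemon-reload

%preun client
%systemd_preun ipa-hcc-auto-enrollment.service

%postun client
%systemd_postun_with_restart ipa-hcc-auto-enrollment.service

# with client
%endif


%if %{with selinux}
%package selinux
Summary:             SELinux policy for ipa-hcc-server
BuildArch:           noarch
Requires:            selinux-policy-%{selinuxtype} >= %{selinux_policy_version}
Requires(post):      selinux-policy-%{selinuxtype} >= %{selinux_policy_version}

%description selinux
Custom SELinux policy module for ipa-hcc-server

%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
# $1 is 0 only on final removal, so the module stays loaded across upgrades
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
/usr/sbin/restorecon -R /var/cache/ipa-hcc || :
# with selinux
%endif


%prep
# tag names are generated by rpkg
# Release 0.14 has tag name "ipa-hcc-0.14-1", which results in top level
# directory "ipa-hcc-ipa-hcc-0.14-1".
%setup -T -b 0 -q -n ipa-hcc

%if %{with pyproject_macros}
%generate_buildrequires
%pyproject_buildrequires
%endif


%build
%if %{with pyproject_macros}
%pyproject_wheel
%endif
touch debugfiles.list


%check
%if %{without mockapi}
# tests depend on ipahcc.mockapi
ln -s $(pwd)/src/ipahcc/server/mockapi.py %{buildroot}%{python3_sitelib}/ipahcc/server/mockapi.py
%endif
# tests depend on ipahcc_ modules
ln -s -t %{buildroot}%{python3_sitelib}/ $(pwd)/src/ipahcc_*.py

export PYTHONPATH=%{buildroot}%{python3_sitelib}
%{python3} -B -Wignore -m unittest discover -s tests/

# cleanup after tests
rm -rf %{buildroot}%{python3_sitelib}/ipahcc_*.py
%if %{without mockapi}
rm %{buildroot}%{python3_sitelib}/ipahcc/server/mockapi.py
rm -f %{buildroot}%{python3_sitelib}/ipahcc/server/__pycache__/mockapi*.pyc
%endif

# smoke-test the installed entry points
%if %{with client}
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment --version
%endif
%if %{with server}
%{buildroot}%{_sbindir}/ipa-hcc --help >/dev/null
%endif
%if %{with mockapi}
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare --version
%endif
%if %{with stageconsole}
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-stage-console --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-stage-console --version
%endif


%install
%global make %__make -j1 DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python3} PYTHON_SITELIB=%{python3_sitelib} VERSION=%{version}

%{__mkdir_p} %{buildroot}%{_libexecdir}/ipa-hcc

%if %{with server}
# ghost config
%{__mkdir_p} %{buildroot}%{_sysconfdir}/ipa
touch %{buildroot}%{_sysconfdir}/ipa/hcc.conf

%if %{with pyproject_macros}
%pyproject_install
%else
%make install_python
%endif
%make install_server_plugin install_registration_service
%{__mkdir_p} %{buildroot}%{_sbindir}
mv %{buildroot}%{_bindir}/ipa-hcc %{buildroot}%{_sbindir}/ipa-hcc
%py3_shebang_fix %{buildroot}%{_sbindir}/ipa-hcc
# placeholder for the ghost keytab entry in the server file list
%{__mkdir_p} %{buildroot}%{_sharedstatedir}/gssproxy
touch %{buildroot}%{_sharedstatedir}/gssproxy/hcc-enrollment.keytab
%else
rm -rf %{buildroot}%{python3_sitelib}/ipaserver
rm -rf %{buildroot}%{python3_sitelib}/ipahcc*.dist-info
rm -rf %{buildroot}%{python3_sitelib}/ipahcc*.egg-info
# with server
%endif

%if %{with client}
%make install_client
mv %{buildroot}%{_bindir}/ipa-hcc-auto-enrollment %{buildroot}%{_libexecdir}/ipa-hcc/
%py3_shebang_fix %{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment
%else
rm %{buildroot}%{_bindir}/ipa-hcc-auto-enrollment
%endif

%if %{with mockapi}
%make install_mockapi install_client_prepare
mv %{buildroot}%{_bindir}/ipa-hcc-client-prepare %{buildroot}%{_libexecdir}/ipa-hcc/
%py3_shebang_fix %{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare
%{__mkdir_p} %{buildroot}%{_sysconfdir}/ipa/hcc
%else
rm %{buildroot}%{_bindir}/ipa-hcc-client-prepare
rm %{buildroot}%{python3_sitelib}/ipahcc/server/mockapi.py
rm -f %{buildroot}%{python3_sitelib}/ipahcc/server/__pycache__/mockapi*.pyc
rm %{buildroot}%{python3_sitelib}/ipaserver/install/plugins/update_hcc_mockapi.py
rm -f %{buildroot}%{python3_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_mockapi.*.pyc
%endif

%if %{with stageconsole}
mv %{buildroot}%{_bindir}/ipa-hcc-stage-console %{buildroot}%{_libexecdir}/ipa-hcc/
%py3_shebang_fix %{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-stage-console
%else
rm %{buildroot}%{_bindir}/ipa-hcc-stage-console
%endif

%if %{with selinux}
%make install_selinux SELINUXTYPE=%{selinuxtype} SELINUX_MODULENAME=%{modulename}
%endif

%if 0%{?sysusers_requires_compat:1}
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/ipa-hcc.conf
%endif


%files -n python3-ipahcc
%doc README.md CONTRIBUTORS.txt
%license COPYING
%{python3_sitelib}/ipahcc
%if %{with pyproject_macros}
%{python3_sitelib}/ipahcc*.dist-info
%else
%{python3_sitelib}/ipahcc*.egg-info
%endif
# exclude files that are in mockapi package
%if %{with mockapi}
%exclude %{python3_sitelib}/ipahcc/server/mockapi.py
%exclude %{python3_sitelib}/ipahcc/server/__pycache__/mockapi*.pyc
%endif

%if %{with server}
%files server
%doc README.md CONTRIBUTORS.txt
%license COPYING
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/hcc.conf
%{_sbindir}/ipa-hcc
%{_mandir}/man1/ipa-hcc.1*
%dir %{_datadir}/ipa-hcc
%{_datadir}/ipa-hcc/cacerts
%{_datadir}/ipa-hcc/hcc.conf.example
%{_unitdir}/ipa-hcc-update.*
# exclude files that are in mockapi package
%if %{with mockapi}
%exclude %{python3_sitelib}/ipaserver/install/plugins/update_hcc_mockapi.py
%exclude %{python3_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_mockapi.*.pyc
%endif
%{python3_sitelib}/ipaserver/plugins/*.py
%{python3_sitelib}/ipaserver/plugins/__pycache__/*.pyc
%{python3_sitelib}/ipaserver/install/plugins/*.py
%{python3_sitelib}/ipaserver/install/plugins/__pycache__/*.pyc
%{_datadir}/ipa/schema.d/85-hcc.ldif
%{_datadir}/ipa/updates/85-hcc.update
%{_datadir}/ipa/ui/js/plugins/*
# registration service
# non-standard uid and gid
%attr(0755,ipahcc,ipaapi) %dir %{_localstatedir}/cache/ipa-hcc
%{_datadir}/ipa-hcc/hcc_registration_service.py
%{_datadir}/ipa/updates/86-hcc-registration-service.update
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-hcc.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gssproxy/85-ipa-hcc.conf
# Record an owner-only mode for the keytab. Without an explicit attribute
# the package database stores the mode of the placeholder created by touch
# in the install section, which follows the build umask; verification would
# then flag a correctly restricted keytab, and a permission restore from the
# database would loosen it.
# NOTE(review): root:root assumes gssproxy is the only reader of this
# keytab; confirm against the code that creates it.
%ghost %attr(0600,root,root) %{_sharedstatedir}/gssproxy/hcc-enrollment.keytab
%endif

%if 0%{?sysusers_requires_compat:1}
%{_sysusersdir}/ipa-hcc.conf
%endif

%if %{with mockapi}
%files mockapi
%doc README.md CONTRIBUTORS.txt
%license COPYING
%{python3_sitelib}/ipahcc/server/mockapi.py
%{python3_sitelib}/ipahcc/server/__pycache__/mockapi*.pyc
%{_datadir}/ipa-hcc/hcc_mockapi.py
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-hcc-mockapi.conf
%{python3_sitelib}/ipaserver/install/plugins/update_hcc_mockapi.py
%{python3_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_mockapi.*.pyc
%{_datadir}/ipa/updates/87-hcc-mockapi.update
# non-standard ownership and permission to restrict the directory to ipahcc:root
%attr(0750,ipahcc,root) %dir %{_sysconfdir}/ipa/hcc

%files ephemeral
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-client-prepare
%attr(0644,root,root) %{_unitdir}/ipa-hcc-client-prepare.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ipa-hcc-client-prepare
# with mockapi
%endif

%if %{with stageconsole}
%files stage-console
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-stage-console
# with stageconsole
%endif

%if %{with client}
%files client
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment
%attr(0644,root,root) %{_unitdir}/ipa-hcc-auto-enrollment.service
%attr(0644,root,root) %{_presetdir}/80-ipa-hcc-auto-enrollment.preset
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ipa-hcc-auto-enrollment
%endif

%if %{with selinux}
%files selinux
%doc README.md CONTRIBUTORS.txt
%license COPYING
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
# with selinux
%endif

%changelog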