ipa-hcc.spec.rpkg

%global package_name ipa-hcc

%if 0%{?rhel}
  # RHEL 8, 9
  %global ipa_name ipa

  # ipa-client-install supports PKINIT options since 4.9.11 (RHEL 8.8)
  # and 4.10.1 (RHEL 9.2).
  %if 0%{?rhel} >= 9
    # RHEL 9.2+ with PKINIT support in ipa-client-install
    %global ipa_version 4.10.1
    %global with_server 1
  %else
    # RHEL 8.8+ with PKINIT support in ipa-client-install
    %global ipa_version 4.9.11
    %global with_platform_python 1
    %global with_server 1
  %endif
%else
  # Fedora 37+ with PKINIT support in ipa-client-install
  %global ipa_name freeipa
  %global ipa_version 4.10.1
  %global with_server 1
%endif

# --without mockapi (enabled by default)
%bcond_without mockapi

# local development
%bcond_with devel

%if %{with platform_python}
  %global python /usr/libexec/platform-python
%else
  %global python %{__python3}
%endif
%global python_sitelib %{python3_sitelib}

Name:           %{package_name}
Version:        {{{ git_dir_version }}}
Release:        1%{?dist}
Summary:        Hybrid Cloud Console extension for IPA

BuildArch:      noarch

License:        GPLv3+
URL:            https://gitlab.cee.redhat.com/identity-management/idmocp/ipa-consoledot
VCS:            {{{ git_dir_vcs }}}
Source:         {{{ git_dir_pack }}}

BuildRequires: python3-devel
%if %{with server}
BuildRequires: python3-ipaserver >= %{ipa_version}
%else
BuildRequires: python3-ipaclient >= %{ipa_version}
%endif
BuildRequires: python3-dbus
BuildRequires: python3-gobject-base
BuildRequires: python3-requests
BuildRequires: python3-systemd
BuildRequires: python3-sssdconfig
BuildRequires: python3-jsonschema
BuildRequires: python3-jwcrypto
BuildRequires: make
BuildRequires: openssl
BuildRequires: systemd-devel
BuildRequires: selinux-policy-devel
%if %{with devel}
BuildRequires: ipa-client
BuildRequires: tox
BuildRequires: python3.6
BuildRequires: python3.9
BuildRequires: rpmlint
BuildRequires: npm
BuildRequires: openldap-devel
BuildRequires: openldap-compat
BuildRequires: gcc
BuildRequires: krb5-devel
BuildRequires: glib2-devel
BuildRequires: dbus-devel
BuildRequires: dbus-daemon
BuildRequires: gobject-introspection-devel
BuildRequires: cairo-devel
BuildRequires: cairo-gobject-devel
BuildRequires: python3-pyyaml
%endif

%description
An extension for IPA integration with Red Hat Hybrid Cloud Console.

%if %{with server}
%package server
Summary: Server plugin for IPA Hybrid Cloud Console extension
BuildArch: noarch

Provides: %{package_name}-common = %{version}
Conflicts: %{package_name}-common
Obsoletes: %{package_name}-common < %{version}
Provides: %{package_name}-server-plugin = %{version}
Conflicts: %{package_name}-server-plugin
Obsoletes: %{package_name}-server-plugin < %{version}
Provides: %{package_name}-registration-service = %{version}
Conflicts: %{package_name}-registration-service
Obsoletes: %{package_name}-registration-service < %{version}
Requires: %{ipa_name}-server >= %{ipa_version}
Requires(post): %{ipa_name}-server >= %{ipa_version}
Requires: httpd
Requires: mod_ssl
Requires: python3-mod_wsgi
Requires: python3-dbus
Requires: python3-gobject-base
Requires: python3-jsonschema
Requires: python3-jwcrypto
Requires: python3-requests
Requires: python3-systemd
Requires: selinux-policy
Requires(post): selinux-policy
%{?systemd_requires}

%description server
This package contains server plugins and WebUI for IPA Hybrid Cloud Console
extension.

%posttrans server
%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1

if [ $? -eq 0 ]; then
    /usr/sbin/ipa-ldap-updater --quiet \
        --schema-file=%{_datadir}/ipa/schema.d/85-hcc.ldif \
        %{_datadir}/ipa/updates/85-hcc.update \
        %{_datadir}/ipa/updates/86-hcc-registration-service.update

    # restart httpd if running
    /bin/systemctl try-restart gssproxy.service httpd.service >/dev/null 2>&1 || :
fi

%pre server
# create user account for service
getent passwd ipahcc >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Hybrid Cloud Console enrollment service" ipahcc

%post server
# SELinux context for cache dir
/usr/sbin/semanage fcontext -a -f a -s system_u -t httpd_cache_t -r 's0' '/var/cache/ipa-hcc(/.*)?' 2>/dev/null || :
/usr/sbin/restorecon -R /var/cache/ipa-hcc || :
# ipa-hcc-dbus.service and ipa-hcc-update.timer are started by ipactl
%systemd_post ipa-hcc-dbus.service
%systemd_post ipa-hcc-update.service
%systemd_post ipa-hcc-update.timer
/bin/systemctl daemon-reload

%preun server
%systemd_preun ipa-hcc-dbus.service
%systemd_preun ipa-hcc-update.service
%systemd_preun ipa-hcc-update.timer


%postun server
/usr/sbin/semanage fcontext -d '/var/cache/ipa-hcc(/.*)?' 2>/dev/null || :
# remove pkinit_anchors line from KRB5 KDC config
sed --in-place=.bak '/\/usr\/share\/ipa-hcc\/cacerts/d' /var/kerberos/krb5kdc/kdc.conf || :
%systemd_postun_with_restart ipa-hcc-dbus.service
%systemd_postun ipa-hcc-update.service
%systemd_postun ipa-hcc-update.timer

# server
%endif

%if %{with mockapi}
%package mockapi
Summary: Automatic IPA client enrollment: Mock API
BuildArch: noarch

Requires: %{package_name}-server = %{version}
%{?systemd_requires}


%description mockapi
This package contains a Mock API for testing of automatic enrollment service
of IPA clients.


%posttrans mockapi
/bin/systemctl try-restart httpd.service

# mockapi
%endif

%package client
Summary: Automatic IPA client enrollment for Hybrid Cloud Console
BuildArch: noarch

Provides:  %{package_name}-client-enrollment = %{version}
Conflicts: %{package_name}-client-enrollment
Obsoletes: %{package_name}-client-enrollment < %{version}
Requires: %{ipa_name}-client >= %{ipa_version}
# ipa-client RHEL 8.7, 9.1, and ealier, do not come with pkinit
Requires: krb5-pkinit-openssl
Recommends: rhc
Recommends: insights-client
%{?systemd_requires}

%description client
This package contains the automatic enrollment service for IPA clients.

%post client
%systemd_post ipa-hcc-auto-enrollment.service
/bin/systemctl daemon-reload

%preun client
%systemd_preun ipa-hcc-auto-enrollment.service

%postun client
%systemd_postun_with_restart ipa-hcc-auto-enrollment.service


%prep
{{{ git_dir_setup_macro }}}


%build
touch debugfiles.list


%check
export PYTHONPATH=%{buildroot}%{python_sitelib}
%{python} -Wignore -m unittest discover  -s tests/
# remove module after test run
rm -f  %{buildroot}/%{python_sitelib}/ipahcc_auto_enrollment.py
rm -rf %{buildroot}/%{python_sitelib}/__pycache__

%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment --version
%if %{with server}
%{buildroot}%{_sbindir}/ipa-hcc --help >/dev/null
%{buildroot}%{_libexecdir}/ipa-hcc/ipa-hcc-dbus --help >/dev/null
%endif

%install
rm -rf $RPM_BUILD_ROOT
export MAKEFLAGS="-j1"

%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_python install_client

%if %{with server}
%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_server_plugin install_registration_service
touch %{buildroot}%{_sharedstatedir}/ipa/gssproxy/hcc-enrollment.keytab
%else
rm -rf %{buildroot}/%{python_sitelib}/ipahcc
rm -rf %{buildroot}/%{python_sitelib}/ipaserver
rm -rf %{buildroot}/%{python_sitelib}/ipahcc*.egg-info
%endif

%if %{with mockapi}
%__make DEST=%{buildroot} PREFIX=%{_prefix} PYTHON=%{python} PYTHON_SITELIB=%{python_sitelib} VERSION=%{version} install_mockapi
%else
rm -rf %{buildroot}/%{python_sitelib}/ipahcc/mockapi
%endif


%if %{with server}
%files server
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/hcc.conf
%{_sbindir}/ipa-hcc
%{_mandir}/man1/ipa-hcc.1*
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-dbus
%dir %{_datadir}/ipa-hcc/
%{_datadir}/ipa-hcc/cacerts
%{_unitdir}/ipa-hcc-update.*
%{_unitdir}/ipa-hcc-dbus.service
%{_datadir}/dbus-1/system.d/com.redhat.console.ipahcc.conf
%{_datadir}/dbus-1/system-services/com.redhat.console.ipahcc.service
%{python_sitelib}/ipahcc*.egg-info
%{python_sitelib}/ipahcc/py.typed
%{python_sitelib}/ipahcc/*.py
%{python_sitelib}/ipahcc/server/*.py
%{python_sitelib}/ipahcc/server/schema/*.json
%{python_sitelib}/ipahcc/sign/*.py
%{python_sitelib}/ipaserver/plugins/*.py
%{python_sitelib}/ipaserver/install/plugins/update_hcc.py
%{python_sitelib}/ipahcc/__pycache__/*.pyc
%{python_sitelib}/ipahcc/server/__pycache__/*.pyc
%{python_sitelib}/ipahcc/sign/__pycache__/*.pyc
%{python_sitelib}/ipaserver/plugins/__pycache__/*.pyc
%{python_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc.*.pyc
%{_datadir}/ipa/schema.d/85-hcc.ldif
%{_datadir}/ipa/updates/85-hcc.update
%{_datadir}/ipa/ui/js/plugins/*

# registration service
%attr(0750,ipahcc,root) %dir %{_sysconfdir}/ipa/hcc
%attr(0755,ipahcc,ipaapi) %dir %{_localstatedir}/cache/ipa-hcc
%{python_sitelib}/ipahcc/registration/*.py
%{python_sitelib}/ipaserver/install/plugins/update_hcc_enrollment_service.py
%{python_sitelib}/ipahcc/registration/__pycache__/*.pyc
%{python_sitelib}/ipaserver/install/plugins/__pycache__/update_hcc_enrollment_service.*.pyc
%{_datadir}/ipa-hcc/hcc_registration_service.py
%{_datadir}/ipa/updates/86-hcc-registration-service.update
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-hcc.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gssproxy/85-ipa-hcc.conf
%ghost %{_sharedstatedir}/ipa/gssproxy/hcc-enrollment.keytab
%endif


%if %{with mockapi}
%files mockapi
%doc README.md CONTRIBUTORS.txt
%license COPYING
%{python_sitelib}/ipahcc/mockapi/*.py
%{python_sitelib}/ipahcc/mockapi/__pycache__/*.pyc
%{_datadir}/ipa-hcc/hcc_mockapi.py
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-hcc-mockapi.conf
%endif


%files client
%doc README.md CONTRIBUTORS.txt
%license COPYING
%attr(0755,root,root) %{_libexecdir}/ipa-hcc/ipa-hcc-auto-enrollment
%attr(0644,root,root) %{_unitdir}/ipa-hcc-auto-enrollment.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ipa-hcc-auto-enrollment

%changelog
{{{ git_dir_changelog }}}