Update spec file

- add python2-custodia-ipa with custodia.ipa plugins - ship /etc/custodia/ipa.conf - check RPMs with rpmlint - remove check for python-etcd on PPC, 0.4.5-5 no longer depends on etcd - use %tmpfiles_create macro to create /var/run/custodia in %post hook - simplify conflict with freeipa-server w/o Python 3 fix - drop workaround for Fedora 25 Signed-off-by: Christian Heimes <[email protected]>
latchset · Aug 14, 2017 · 732b358 · 732b358
1 parent a76747b
commit 732b358
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 49 deletions.
diff --git a/Makefile b/Makefile
@@ -123,7 +123,9 @@ releasecheck: clean
 	tox -r
 	$(MAKE) packages
 	$(MAKE) rpm
+	$(MAKE) rpmlint
 	$(MAKE) dockerbuild
+	@echo "Release check passed"
 
 run: egg_info
 	$(PYTHON) $(CURDIR)/bin/custodia $(CONF)
@@ -143,7 +145,7 @@ rpmroot:
 
 rpmfiles: rpmroot packages
 	mv dist/custodia-$(VERSION).tar.gz* $(RPMBUILD)/SOURCES
-	cp contrib/config/custodia/custodia.conf $(RPMBUILD)/SOURCES/
+	cp contrib/config/custodia/{custodia,ipa}.conf $(RPMBUILD)/SOURCES/
 	cp contrib/config/systemd/system/[email protected] $(RPMBUILD)/SOURCES/
 	cp contrib/config/systemd/system/[email protected] $(RPMBUILD)/SOURCES/
 	cp contrib/config/tmpfiles.d/custodia.conf $(RPMBUILD)/SOURCES/custodia.tmpfiles.conf
@@ -155,6 +157,8 @@ rpm: clean rpmfiles egg_info
 	    -ba custodia.spec
 	echo "$(RPMBUILD)/RPMS"
 
+rpmlint:
+	rpmlint -f contrib/rpmlint $(RPMBUILD)/RPMS
 
 .PHONY: dockerbuild dockerdemo dockerdemoinit dockershell dockerreleasebuild
 dockerbuild:

diff --git a/contrib/rpmlint b/contrib/rpmlint
@@ -0,0 +1,32 @@
+addFilter('spelling-error.*etcdstore')
+
+addFilter('non-readable /etc/custodia/custodia.conf')
+addFilter('non-readable /etc/custodia/ipa.conf')
+addFilter('non-standard-dir-perm /etc/custodia')
+addFilter('non-standard-uid /etc/custodia')
+addFilter('non-standard-gid /etc/custodia')
+addFilter('non-standard-dir-perm /var/lib/custodia')
+addFilter('non-standard-uid /var/lib/custodia')
+addFilter('non-standard-gid /var/lib/custodia')
+addFilter('non-standard-dir-perm /var/log/custodia')
+addFilter('non-standard-uid /var/log/custodia')
+addFilter('non-standard-gid /var/log/custodia')
+addFilter('non-standard-uid /var/run/custodia')
+addFilter('non-standard-gid /var/run/custodia')
+
+# provided by dependencies
+addFilter('dangling-relative-symlink /usr/bin/custodia-cli')
+addFilter('dangling-relative-symlink /usr/sbin/custodia')
+
+# https://github.com/latchset/custodia/issues/228
+addFilter('no-manual-page-for-binary custodia-cli')
+addFilter('no-manual-page-for-binary custodia-cli-2')
+addFilter('no-manual-page-for-binary custodia-cli-3')
+addFilter('no-manual-page-for-binary custodia-2')
+addFilter('no-manual-page-for-binary custodia-3')
+
+# systemd_postun is defined as '%{nil}'
+addFilter('empty-%postun')
+
+# upstream specfile has no changelog
+addFilter('no-changelogname-tag')
diff --git a/custodia.spec b/custodia.spec
@@ -1,25 +1,12 @@
-%if 0%{?fedora}
-%global with_python3 1
-%endif
-
 %{!?version: %define version 0.6.dev1}
 
-# Workaround for python-etcd issue on PPC64. Although it's a noarch package
-# it depends on etcd for testing. Go does not support PPC64 yet.
-%ifarch ppc64
-%global with_etcd 0
-%else
-%global with_etcd 1
+%if 0%{?fedora}
+%global with_python3 1
 %endif
 
 # FreeIPA up to 4.4.4 are not compatible with custodia because the custodia
 # script now runs under Python 3. FreeIPA 4.4.5 and 4.4.4-2 on F26 are fixed.
-# ipa_conflict is used with '<' version comparison.
-%if 0%{?fedora} >= 26
-%global ipa_conflict 4.4.4-2
-%else
-%global ipa_conflict 4.4.5
-%endif
+%global ipa_version 4.4.4-2
 
 Name:           custodia
 Version:        %{version}
@@ -33,6 +20,7 @@ Source2:        custodia.conf
 Source3:        [email protected]
 Source4:        [email protected]
 Source5:        custodia.tmpfiles.conf
+Source6:        ipa.conf
 
 BuildArch:      noarch
 
@@ -44,12 +32,12 @@ BuildRequires:      python2-setuptools >= 18
 BuildRequires:      python2-coverage
 BuildRequires:      python2-tox >= 2.3.1
 BuildRequires:      python2-pytest
-%if %{?with_etcd}
+BuildRequires:      python2-mock
 BuildRequires:      python2-python-etcd
-%endif
 BuildRequires:      python2-docutils
 BuildRequires:      python2-configparser
 BuildRequires:      python2-systemd
+BuildRequires:      python2-ipaclient >= %{ipa_version}
 
 %if 0%{?with_python3}
 BuildRequires:      python%{python3_pkgversion}-devel
@@ -59,27 +47,23 @@ BuildRequires:      python%{python3_pkgversion}-setuptools > 18
 BuildRequires:      python%{python3_pkgversion}-coverage
 BuildRequires:      python%{python3_pkgversion}-tox >= 2.3.1
 BuildRequires:      python%{python3_pkgversion}-pytest
-%if %{?with_etcd}
+BuildRequires:      python%{python3_pkgversion}-mock
 BuildRequires:      python%{python3_pkgversion}-python-etcd
-%endif
 BuildRequires:      python%{python3_pkgversion}-docutils
 BuildRequires:      python%{python3_pkgversion}-systemd
-%endif
+BuildRequires:      python%{python3_pkgversion}-ipaclient >= %{ipa_version}
+%endif  # with_python3
 
 %if 0%{?with_python3}
 Requires:           python%{python3_pkgversion}-custodia = %{version}-%{release}
 %else
 Requires:           python2-custodia = %{version}-%{release}
-%endif
-
+%endif  # with_python3
+Conflicts:          freeipa-server < %{ipa_version}
 Requires(preun):    systemd-units
 Requires(postun):   systemd-units
 Requires(post):     systemd-units
 
-Conflicts:          freeipa-server-common < %{ipa_conflict}
-Conflicts:          ipa-server-common < %{ipa_conflict}
-
-
 %global overview                                                           \
 Custodia is a Secrets Service Provider, it stores or proxies access to     \
 keys, password, and secret material in general. Custodia is built to       \
@@ -101,18 +85,17 @@ A service to manage, retrieve and store secrets for other processes
 Summary:    Sub-package with python2 custodia modules
 %{?python_provide:%python_provide python2-%{name}}
 Requires:   python2-configparser
-Requires:   python2-jwcrypto > 0.4.2
+Requires:   python2-jwcrypto >= 0.4.2
 Requires:   python2-requests
 Requires:   python2-setuptools
 Requires:   python2-systemd
-Conflicts:  python2-ipalib < %{ipa_conflict}
+
 
 %description -n python2-custodia
 Sub-package with python custodia modules
 
 %{overview}
 
-%if %{?with_etcd}
 %package -n python2-custodia-extra
 Summary:    Sub-package with python2 custodia extra modules
 Requires:   python2-python-etcd
@@ -123,7 +106,16 @@ Sub-package with python2 custodia extra modules (etcdstore)
 
 %{overview}
 
-%endif  # with_etcd
+%package -n python2-custodia-ipa
+Summary:    Sub-package with python2 custodia.ipa modules
+%{?python_provide:%python_provide python2-custodia-ipa}
+Requires:   python2-custodia = %{version}-%{release}
+Requires:   python2-ipaclient >= %{ipa_version}
+
+%description -n python2-custodia-ipa
+custodia.ipa is a storage plugin for Custodia. It provides integration
+with FreeIPA's vault facility. Secrets are encrypted and stored in
+Dogtag's Key Recovery Agent.
 
 %if 0%{?with_python3}
 %package -n python%{python3_pkgversion}-custodia
@@ -133,14 +125,12 @@ Requires:   python%{python3_pkgversion}-jwcrypto >= 0.4.2
 Requires:   python%{python3_pkgversion}-requests
 Requires:   python%{python3_pkgversion}-setuptools
 Requires:   python%{python3_pkgversion}-systemd
-Conflicts:  python%{python3_pkgversion}-ipalib < %{ipa_conflict}
 
 %description -n python%{python3_pkgversion}-custodia
 Sub-package with python custodia modules
 
 %{overview}
 
-%if %{?with_etcd}
 %package -n python%{python3_pkgversion}-custodia-extra
 Summary:    Sub-package with python3 custodia extra modules
 Requires:   python%{python3_pkgversion}-python-etcd
@@ -151,7 +141,19 @@ Sub-package with python3 custodia extra modules (etcdstore)
 
 %{overview}
 
-%endif  # with_etcd
+%if 0%{?with_ipa_python3}
+%package -n python%{python3_pkgversion}-custodia-ipa
+Summary:    Sub-package with python3 custodia.ipa modules
+%{?python_provide:%python_provide python%{python3_pkgversion}-custodia-ipa}
+Requires:   python%{python3_pkgversion}-custodia = %{version}-%{release}
+Requires:   python%{python3_pkgversion}-ipaclient >= %{ipa_version}
+
+%description -n python%{python3_pkgversion}-custodia-ipa
+custodia.ipa is a storage plugin for Custodia. It provides integration
+with FreeIPA's vault facility. Secrets are encrypted and stored in
+Dogtag's Key Recovery Agent.
+
+%endif  # wit_ipa_python3
 %endif  # with_python3
 
 
@@ -169,7 +171,7 @@ Sub-package with python3 custodia extra modules (etcdstore)
 %check
 # don't download packages
 export PIP_INDEX_URL=http://host.invalid./
-# Don't try to download dnspython3. The package is provided by python%{python3_pkgversion}-dns
+# Don't try to download dnspython3. The package is provided by python3-dns
 export PIP_NO_DEPS=yes
 # Ignore all install packages to enforce installation of sdist. Otherwise tox
 # may pick up this package from global site-packages instead of source dist.
@@ -191,27 +193,35 @@ mkdir -p %{buildroot}/%{_unitdir}
 mkdir -p %{buildroot}/%{_tmpfilesdir}
 mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia
 mkdir -p %{buildroot}/%{_localstatedir}/log/custodia
-mkdir -p %{buildroot}/%{_localstatedir}/run/custodia
 
 %py2_install
-mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
-cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-2
-cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-2
+mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia-2
+mv %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-2
 install -m 644 -t "%{buildroot}/%{_mandir}/man7" man/custodia.7
 install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia" README API.md
 install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia/examples" custodia.conf
 install -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/custodia
 install -m 644 %{SOURCE3} %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE4} %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/custodia.conf
+install -m 600 %{SOURCE6} %{buildroot}%{_sysconfdir}/custodia
 
 %if 0%{?with_python3}
 # overrides /usr/bin/custodia-cli and /usr/sbin/custodia with Python 3 shebang
 %py3_install
-mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
-cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-3
-cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3
-%endif
+
+%if ! 0%{?with_ipa_python3}
+rm -rf %{buildroot}%{python3_sitelib}/custodia/ipa
+%endif  # with_ipa_python3
+
+mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia-3
+mv %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3
+ln -sr %{buildroot}/%{_sbindir}/custodia-3 %{buildroot}/%{_sbindir}/custodia
+ln -sr %{buildroot}/%{_bindir}/custodia-cli-3 %{buildroot}/%{_bindir}/custodia-cli
+%else
+ln -sr %{buildroot}/%{_sbindir}/custodia-2 %{buildroot}/%{_sbindir}/custodia
+ln -sr %{buildroot}/%{_bindir}/custodia-cli-2 %{buildroot}/%{_bindir}/custodia-cli
+%endif # with_python3
 
 
 %pre
@@ -225,6 +235,7 @@ exit 0
 %post
 %systemd_post custodia@\*.socket
 %systemd_post custodia@\*.service
+%tmpfiles_create custodia.conf
 
 
 %preun
@@ -246,31 +257,35 @@ exit 0
 %{_bindir}/custodia-cli
 %dir %attr(0700,custodia,custodia) %{_sysconfdir}/custodia
 %config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/custodia.conf
+%config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/ipa.conf
 %attr(644,root,root)  %{_unitdir}/[email protected]
 %attr(644,root,root)  %{_unitdir}/[email protected]
 %dir %attr(0700,custodia,custodia) %{_localstatedir}/lib/custodia
 %dir %attr(0700,custodia,custodia) %{_localstatedir}/log/custodia
-%dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia
 %{_tmpfilesdir}/custodia.conf
 
 %files -n python2-custodia
 %license LICENSE
+%exclude %{python2_sitelib}/custodia/ipa
 %exclude %{python2_sitelib}/custodia/store/etcdstore.py*
 %{python2_sitelib}/%{name}
 %{python2_sitelib}/%{name}-%{version}-py%{python2_version}.egg-info
 %{python2_sitelib}/%{name}-%{version}-py%{python2_version}-nspkg.pth
 %{_sbindir}/custodia-2
 %{_bindir}/custodia-cli-2
 
-%if %{?with_etcd}
 %files -n python2-custodia-extra
 %license LICENSE
 %{python2_sitelib}/custodia/store/etcdstore.py*
-%endif  # with_etcd
+
+%files -n python2-custodia-ipa
+%license LICENSE
+%{python2_sitelib}/custodia/ipa
 
 %if 0%{?with_python3}
 %files -n python%{python3_pkgversion}-custodia
 %license LICENSE
+%exclude %{python3_sitelib}/custodia/ipa
 %exclude %{python3_sitelib}/custodia/store/etcdstore.py
 %exclude %{python3_sitelib}/custodia/store/__pycache__/etcdstore.*
 %{python3_sitelib}/%{name}
@@ -279,10 +294,15 @@ exit 0
 %{_sbindir}/custodia-3
 %{_bindir}/custodia-cli-3
 
-%if %{?with_etcd}
 %files -n python%{python3_pkgversion}-custodia-extra
 %license LICENSE
 %{python3_sitelib}/custodia/store/etcdstore.py
 %{python3_sitelib}/custodia/store/__pycache__/etcdstore.*
-%endif  # with_etcd
+
+%if 0%{?with_ipa_python3}
+%files -n python%{python3_pkgversion}-custodia-ipa
+%license LICENSE
+%{python3_sitelib}/custodia/ipa
+%endif  # with_ipa_python3
+
 %endif  # with_python3