File openstack-barbican.spec of Package openstack-barbican

Overview Repositories Revisions Requests Users Attributes Meta

File openstack-barbican.spec of Package openstack-barbican

#
# spec file for package openstack-barbican
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

%define component barbican
%define groupname %{component}
%define username %{component}

%define version_unconverted 5.0.2.dev3

Name:           openstack-%{component}
Version:        5.0.2~dev3
Release:        0
Summary:        OpenStack key and secret management (Barbican)
License:        Apache-2.0
Group:          System/Management
URL:            https://launchpad.net/barbican
Source0:        http://tarballs.openstack.org/barbican/barbican-stable-pike.tar.gz
Source1:        %{name}.logrotate
Source2:        %{component}-api.conf.sample
Source3:        %{name}-rpmlintrc
Source5:        %name.conf
# systemd service files
Source10:       %{name}-worker.service
Source11:       %{name}-keystone-listener.service
Source12:       %{name}-retry.service
Source50:       README.config
# PATCH-FIX-OPENSUSE fix-barbican-api.patch
Patch1:         fix-barbican-api.patch
# PATCH-FIX-UPSTREAM 0001-Fix-start-task.patch -- https://review.openstack.org/#/c/485755/
Patch2:         0001-Fix-start-task.patch
Patch4:         0002-Handle-URL-reconstruction-in-PEP333-compatible-fashi.patch
# PATCH-FIX-UPSTREAM 0001-Fix-duplicate-paths-in-secret-hrefs.patch -- https://review.openstack.org/#/c/544557/
Patch5:         0001-Fix-duplicate-paths-in-secret-hrefs.patch
# PATCH-FIX-UPSTREAM CVE-2022-3100.patch -- https://review.opendev.org/c/openstack/barbican/+/859847
Patch6:         CVE-2022-3100.patch
BuildRequires:  apache2
BuildRequires:  fdupes
BuildRequires:  openstack-suse-macros
BuildRequires:  python-base
BuildRequires:  python-oslo.concurrency
BuildRequires:  python-oslo.config
BuildRequires:  python-oslo.db
BuildRequires:  python-pecan
BuildRequires:  python-pyOpenSSL
BuildRequires:  python-setuptools
BuildRequires:  python-six
# Documentation build requirements:
BuildRequires:  crudini
BuildRequires:  python-Babel
BuildRequires:  python-Paste
BuildRequires:  python-PasteDeploy
BuildRequires:  python-PyKMIP
BuildRequires:  python-Sphinx
BuildRequires:  python-WebOb
BuildRequires:  python-argparse
BuildRequires:  python-eventlet
BuildRequires:  python-fixtures
BuildRequires:  python-mock
BuildRequires:  python-neutronclient
BuildRequires:  python-openstackdocstheme
BuildRequires:  python-oslo.i18n
BuildRequires:  python-oslo.log
BuildRequires:  python-oslo.messaging
BuildRequires:  python-oslo.policy
BuildRequires:  python-oslo.utils
BuildRequires:  python-pbr
BuildRequires:  python-sqlalchemy
BuildRequires:  python-stevedore
BuildRequires:  python-testtools
BuildRequires:  systemd-rpm-macros
%{?systemd_requires}
Requires:       logrotate
Requires:       python >= 2.7
Requires:       python-barbican = %{version}
Requires(pre):  pwdutils
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch

%description
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.

%package -n python-barbican
Summary:        OpenStack key and secret management (Barbican) - Python module
Group:          Development/Languages/Python
Requires:       python >= 2.7
Requires:       python-Babel >= 2.3.4
Requires:       python-Paste
Requires:       python-PasteDeploy >= 1.5.0
Requires:       python-PyKMIP >= 0.5.0
Requires:       python-SQLAlchemy >= 1.0.10
Requires:       python-WebOb >= 1.7.1
Requires:       python-alembic >= 0.8.10
Requires:       python-cffi
Requires:       python-cryptography >= 1.6
Requires:       python-eventlet >= 0.18.2
Requires:       python-jsonschema >= 2.0.0
Requires:       python-keystoneclient >= 3.8.0
Requires:       python-keystonemiddleware >= 4.12.0
Requires:       python-ldap3 >= 1.0.2
Requires:       python-oslo.config >= 4.0.0
Requires:       python-oslo.context >= 2.14.0
Requires:       python-oslo.db >= 4.24.0
Requires:       python-oslo.i18n >= 2.1.0
Requires:       python-oslo.log >= 3.22.0
Requires:       python-oslo.messaging >= 5.24.2
Requires:       python-oslo.middleware >= 3.27.0
Requires:       python-oslo.policy >= 1.23.0
Requires:       python-oslo.serialization >= 1.10.0
Requires:       python-oslo.service >= 1.10.0
Requires:       python-oslo.utils >= 3.20.0
Requires:       python-pbr >= 2.0.0
Requires:       python-pecan >= 1.0.0
Requires:       python-pyOpenSSL >= 0.14
Requires:       python-pycrypto >= 2.6
Requires:       python-requests >= 2.14.2
Requires:       python-six >= 1.9.0
Requires:       python-stevedore >= 1.20.0

%description -n python-barbican
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.
This package contains the core Python module of OpenStack Barbican.

%package api
Summary:        OpenStack key and secret management (Barbican) - API
Group:          Development/Languages/Python
Requires:       %{name} = %{version}
Requires:       apache2
Requires:       apache2-mod_wsgi

%description api
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.
This package contains the OpenStack Barbican API (WSGI only).

%package worker
Summary:        OpenStack key and secret management (Barbican) - Worker
Group:          Development/Languages/Python
Requires:       %{name} = %{version}

%description worker
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.
This package contains the OpenStack Barbican Worker service.

%package keystone-listener
Summary:        OpenStack key and secret management (Barbican) - keystone listener
Group:          Development/Languages/Python
Requires:       %{name} = %{version}

%description keystone-listener
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.
This package contains the OpenStack Barbican Keystone Listener service.

# TODO(aplanas): This package will be droped from master
%package retry
Summary:        OpenStack key and secret management (Barbican) - Retry Scheduler
Group:          Development/Languages/Python
Requires:       %{name} = %{version}

%description retry
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.
This package contains the OpenStack Barbican Retry Scheduler service.

%package test
Summary:        OpenStack key and secret management (Barbican) - Testsuite
Group:          Development/Languages/Python
Requires:       %{name} = %{version}
Requires:       git-core
Requires:       python-WebTest >= 2.0
Requires:       python-ddt >= 1.0.1
Requires:       python-fixtures >= 3.0.0
Requires:       python-mock >= 2.0
Requires:       python-os-testr >= 0.4.1
Requires:       python-oslotest >= 1.10.0
Requires:       python-pbr >= 2.0.0
Requires:       python-python-subunit >= 0.0.18
Requires:       python-testrepository >= 0.0.18
Requires:       python-testtools >= 1.4.0

%description test
Barbican is a REST API designed for the secure storage, provisioning and
management of secrets. It is aimed at being useful for all environments,
including large ephemeral Clouds.
This package contains the OpenStack Barbican testsuite.

%prep
%setup -q -n %{component}-%{version_unconverted}
%openstack_cleanup_prep
%patch1 -p1
%patch2 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1

%build
python setup.py build
python setup.py build_sphinx -b man

### configuration files
PYTHONPATH=. oslo-config-generator --config-file etc/oslo-config-generator/barbican.conf --output-file etc/barbican.conf.sample
PYTHONPATH=. oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf

%install
python setup.py install --skip-build --prefix=%{_prefix} --root=%{buildroot}

### directories
install -d -m 750 %{buildroot}%{_localstatedir}/{lib,log}/%{component}
install -d -m 750 %{buildroot}%{_localstatedir}/cache/%{component}
install -d -m 700 %{buildroot}%{_localstatedir}/run/%{component}
install -D -m 644 %{SOURCE5} %{buildroot}/%_tmpfilesdir/%name.conf
install -d -m 755 %{buildroot}%{_sysconfdir}/%{component}
install -d -m 755 %{buildroot}%{_sysconfdir}/%{component}/%{component}.conf.d/
install -p -D -m 640 %{SOURCE50} %{buildroot}%{_sysconfdir}/%{component}/README.config
install -d -m 755 %{buildroot}/srv/www/%{component}-api

### Copy the Barbican WSGI app to DocumentRoot
install -p -D -m 644 %{buildroot}/%{_bindir}/barbican-wsgi-api %{buildroot}/srv/www/%{component}-api/app.wsgi

### configuration files
install -p -D -m 644 etc/%{component}.conf.sample %{buildroot}%{_sysconfdir}/%{component}/%{component}.conf
install -p -D -m 644  etc/barbican/{policy.json,barbican-functional.conf,barbican-api-paste.ini,api_audit_map.conf} %{buildroot}%{_sysconfdir}/%{component}/
# policy.yaml is not yet working!
#install -p -D -m 640 etc/%{component}/policy.yaml.sample %{buildroot}%{_sysconfdir}/%{component}/policy.yaml
install -d %{buildroot}%{_sysconfdir}/apache2/vhosts.d

# bash-completion/logrotate/etc.
install -p -D -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}

# Install systemd unit services
mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_unitdir}
install -p -D -m 444 %{SOURCE10} %{buildroot}%{_unitdir}/%{name}-worker.service
install -p -D -m 444 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}-keystone-listener.service
install -p -D -m 444 %{SOURCE12} %{buildroot}%{_unitdir}/%{name}-retry.service
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-worker
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-keystone-listener
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-retry

### documentation
install -d %{buildroot}%{_mandir}/man1
install -m 644 doc/build/man/*.1 %{buildroot}%{_mandir}/man1

### test subpackage
%openstack_test_package_install
%fdupes %{buildroot}%{_localstatedir}/lib/%{name}-test

### misc
%fdupes %{buildroot}%{python_sitelib}/%{component}

### set default configuration
%define barbican_conf %{buildroot}%{_sysconfdir}/%{component}/%{component}.conf.d/010-%{component}.conf
crudini --set %{barbican_conf} DEFAULT log_dir /var/log/barbican
crudini --set %{barbican_conf} DEFAULT state_path /var/lib/barbican
crudini --set %{barbican_conf} oslo_concurrency lock_path /var/run/barbican

# adjust the default config file
sed -i 's/enabled_certificate_plugins = snakeoil_ca/#enabled_certificate_plugins = snakeoil_ca/' %{buildroot}%{_sysconfdir}/%{component}/%{component}.conf

install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/apache2/vhosts.d/

%pre
%openstack_pre_user_group_create %{username} %{groupname}

%post
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf

%pre worker
%service_add_pre %{name}-worker.service

%post worker
%service_add_post %{name}-worker.service

%preun worker
%service_del_preun %{name}-worker.service

%postun worker
%restart_on_update %{name}-worker.service
%service_del_postun %{name}-worker.service

%pre keystone-listener
%service_add_pre %{name}-keystone-listener.service

%post keystone-listener
%service_add_post %{name}-keystone-listener.service

%preun keystone-listener
%service_del_preun %{name}-keystone-listener.service

%postun keystone-listener
%restart_on_update %{name}-keystone-listener.service
%service_del_postun %{name}-keystone-listener.service

%pre retry
%service_add_pre %{name}-retry.service

%post retry
%service_add_post %{name}-retry.service

%preun retry
%service_del_preun %{name}-retry.service

%postun retry
%restart_on_update %{name}-retry.service
%service_del_postun %{name}-retry.service

%files
%defattr(-,root,root)
%doc LICENSE README.md
%doc %{_mandir}/man1/%{component}.1.gz
%dir %attr(0750, %{username}, %{groupname}) %{_localstatedir}/lib/%{component}
%dir %attr(0750, %{username}, %{groupname}) %{_localstatedir}/cache/%{component}
%dir %attr(0750, %{username}, %{groupname}) %{_localstatedir}/log/%{component}
%_tmpfilesdir/%name.conf
%dir %{_sysconfdir}/%{component}
%dir %{_sysconfdir}/%{component}/%{component}.conf.d/
%{_sysconfdir}/%{component}/README.config
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config %attr(0644, root, %{groupname}) %{_sysconfdir}/%{component}/barbican-functional.conf
%config(noreplace) %attr(0640, root, %{groupname}) %{_sysconfdir}/%{component}/%{component}.conf
%config(noreplace) %attr(0640, root, %{groupname}) %{_sysconfdir}/%{component}/%{component}.conf.d/010-%{component}.conf
%config %attr(0640, root, %{groupname}) %{_sysconfdir}/%{component}/policy.json
%{_bindir}/%{component}-manage
%{_bindir}/%{component}-db-manage
%{_bindir}/pkcs11-kek-rewrap
%{_bindir}/pkcs11-key-generation

%files -n python-%{component}
%defattr(-,root,root,-)
%doc LICENSE
%{python_sitelib}/%{component}/
%{python_sitelib}/%{component}-*.egg-info
%exclude %{python_sitelib}/%{component}/test*

%files api
%defattr(-,root,root,-)
%doc LICENSE
%{_bindir}/barbican-wsgi-api
%config %attr(0644, root, %{groupname}) %{_sysconfdir}/%{component}/api_audit_map.conf
%config %attr(0640, root, %{groupname}) %{_sysconfdir}/%{component}/barbican-api-paste.ini
%config %{_sysconfdir}/apache2/vhosts.d/
/srv/www/%{component}-api/
/srv/www/%{component}-api/app.wsgi
%{_sysconfdir}/apache2/vhosts.d/
%{_sysconfdir}/apache2/vhosts.d/%{component}-api.conf.sample

%files worker
%defattr(-,root,root,-)
%doc LICENSE
%{_unitdir}/%{name}-worker.service
%{_sbindir}/rc%{name}-worker
%{_bindir}/%{component}-worker

%files keystone-listener
%defattr(-,root,root,-)
%doc LICENSE
%{_unitdir}/%{name}-keystone-listener.service
%{_sbindir}/rc%{name}-keystone-listener
%{_bindir}/%{component}-keystone-listener

%files retry
%defattr(-,root,root,-)
%doc LICENSE
%{_unitdir}/%{name}-retry.service
%{_sbindir}/rc%{name}-retry
%{_bindir}/%{component}-retry

%files test
%defattr(-,root,root)
%{_localstatedir}/lib/%{name}-test/
%{python_sitelib}/%{component}/test*

%changelog

Places

File openstack-barbican.spec of Package openstack-barbican

Places