update modulemd etc

gating.yaml

@@ -0,0 +1,9 @@
+# recipients: abokovoy, twoerner, rcritten, ftrivino
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate_modules
+subject_type: redhat-module
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.redhat-module.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: idm-ci.redhat-module.tier1.functional}

idm.yaml

@@ -0,0 +1,103 @@
+---
+document: modulemd
+version: 2
+data:
+  stream: DL1
+  summary: The Red Hat Enterprise Linux Identity Management system module
+  description: >-
+    RHEL IdM is an integrated solution to provide centrally managed Identity (users,
+    hosts, services), Authentication (SSO, 2FA), and Authorization (host access control,
+    SELinux user roles, services). The solution provides features for further integration
+    with Linux based clients (SUDO, automount) and integration with Active Directory
+    based infrastructures (Trusts).
+  license:
+    module:
+    - MIT
+  dependencies:
+  - buildrequires:
+      389-ds: [1.4]
+      httpd: [2.4]
+      pki-core: [10.6]
+      platform: [el8]
+    requires:
+      389-ds: [1.4]
+      httpd: [2.4]
+      pki-core: [10.6]
+      platform: [el8]
+  references:
+    community: https://www.freeipa.org/
+    documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
+    tracker: https://pagure.io/freeipa/issues
+  profiles:
+    adtrust:
+      description: RHEL IdM Server Integration with Active Directory
+      rpms:
+      - ipa-healthcheck
+      - ipa-healthcheck-core
+      - ipa-server-trust-ad
+    client:
+      description: RHEL IdM Client
+      rpms:
+      - ipa-client
+    common:
+      description: A default profile for RHEL IdM client
+      rpms:
+      - ipa-client
+    dns:
+      description: RHEL IdM with integrated DNS server and integrated CA
+      rpms:
+      - ipa-healthcheck
+      - ipa-healthcheck-core
+      - ipa-server
+      - ipa-server-dns
+    server:
+      description: Base RHEL IdM Server with integrated CA and no integrated DNS
+      rpms:
+      - ipa-healthcheck
+      - ipa-healthcheck-core
+      - ipa-server
+  components:
+    rpms:
+      bind-dyndb-ldap:
+        rationale: Driver for BIND to store DNS information in LDAP
+        ref: stream-idm-DL1-rhel-8.8.0
+      custodia:
+        rationale: Remote access to secrets and credentials in IdM topology
+        ref: stream-idm-DL1-rhel-8.8.0
+        buildorder: 2
+      ipa:
+        rationale: Module API
+        ref: stream-idm-DL1-rhel-8.8.0
+      ipa-healthcheck:
+        rationale: A tool to detect issues in IdM clusters
+        ref: stream-DL1-rhel-8.8.0
+        buildorder: 3
+      opendnssec:
+        rationale: An implementation of DNSSEC support for IdM integrated DNS server
+        ref: stream-idm-DL1-rhel-8.8.0
+      python-jwcrypto:
+        rationale: JSON Web Cryptographic Tokens used by Custodia
+        ref: stream-idm-DL1-rhel-8.8.0
+        buildorder: 1
+      python-kdcproxy:
+        rationale: MS-KKDCP (kerberos proxy) WSGI module
+        ref: stream-idm-DL1-rhel-8.8.0
+      python-qrcode:
+        rationale: QR code generator for IdM two-factor authentication
+        ref: stream-idm-DL1-rhel-8.8.0
+      python-yubico:
+        rationale: Support for Yubikey-based tokens for IdM two-factor authentication
+        ref: stream-idm-DL1-rhel-8.8.0
+        buildorder: 2
+      pyusb:
+        rationale: Python USB support to access USB tokens for IdM two-factor authentication
+        ref: stream-idm-DL1-rhel-8.8.0
+        buildorder: 1
+      slapi-nis:
+        rationale: Compatibility plugin to serve legacy clients
+        ref: stream-idm-DL1-rhel-8.8.0
+        arches: [aarch64, ppc64le, s390x, x86_64]
+      softhsm:
+        rationale: Software version of a PKCS#11 Hardware Security Module
+        ref: stream-idm-DL1-rhel-8.8.0
+...

tests/python-qrcode/test_ipa_otptoken.py

@@ -0,0 +1,30 @@
+#!/usr/libexec/platform-python
+"""Simple test for APIs used by python3-qrcode
+"""
+import io
+import logging
+import hashlib
+
+import qrcode
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+
+TEXT = "example data"
+HASH = "4d0186bad6cb0ea83f634959bba9bd2494f2b15cc785285e0914521246452e06"
+
+
+def main():
+    qr_output = io.StringIO()
+    qr = qrcode.QRCode()
+    qr.add_data(TEXT)
+    qr.make()
+    qr.print_ascii(out=qr_output, tty=False)
+    value = qr_output.getvalue()
+    print(value)
+    assert hashlib.sha256(value.encode('utf-8')).hexdigest() == HASH
+    log.info("PASS")
+
+
+if __name__ == "__main__":
+    main()

tests/python-yubico/test_ipa_yubikey.py

@@ -0,0 +1,28 @@
+#!/usr/libexec/platform-python
+"""Simple test for APIs used by IPA's otptoken plugin
+"""
+import logging
+
+import yubico
+import usb.core
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+
+
+def main():
+    try:
+        yk = yubico.find_yubikey()
+    except usb.core.USBError as e:
+        log.info(e)
+    except yubico.yubikey.YubiKeyError as e:
+        log.info(e)
+    else:
+        assert yk.version_num()
+        log.info(yk.status())
+        log.info(yk.status().valid_configs())
+    log.info("PASS")
+
+
+if __name__ == "__main__":
+    main()

tests/pyusb/test_ipa_yubico_api.py

@@ -0,0 +1,33 @@
+#!/usr/libexec/platform-python
+"""Simple test for APIs used by python-yubico
+"""
+import logging
+
+import usb.core
+import usb.legacy
+
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+
+
+def main():
+    for d in usb.core.find(find_all=True):
+        usb_device = usb.legacy.Device(d)
+        # import pdb; pdb.set_trace()
+        log.info(vars(usb_device))
+        assert usb_device.idVendor
+        assert usb_device.idProduct
+        usb_conf = usb_device.configurations[0]
+        log.info(vars(usb_conf))
+        usb_int = usb_conf.interfaces[0][0]
+        try:
+            usb_handle = usb_device.open()
+            assert usb_handle.controlMsg.__call__
+            usb_handle.releaseInterface()
+        except usb.core.USBError:
+            log.info("Unable to open USB device")
+    log.info("PASS")
+
+
+if __name__ == "__main__":
+    main()

tests/sanity/runtest.sh

@@ -0,0 +1,8 @@
+#!/bin/sh -eux
+
+systemctl unmask gssproxy
+ipa-server-install --hostname=$(hostname) -r EXAMPLE.TEST -n example.test --setup-dns --no-forwarders --allow-zone-overlap -p Secret123 -a Secret123 -U
+echo Secret123 | kinit admin
+ipa config-show
+ipa-server-install --uninstall -U
+

tests/tests.yml

@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+  tags:
+  - classic
+  pre_tasks:
+  - name: Enable brewroot repository (so we have all latest packages available)
+    command: dnf config-manager --set-enabled baseos-ci-tag-repository
+    args:
+      warn: false
+  - name: Enable IDM module
+    command: dnf module enable -y idm:DL1
+    args:
+      warn: false
+  - name: Install IDM packages
+    command: dnf module install -y idm:DL1/server idm:DL1/dns
+    args:
+      warn: false
+  - name: Get Custodia version
+    command: rpm -q --qf '%{VERSION}' custodia
+    args:
+      warn: false
+    register: custodia_version
+  roles:
+  - role: standard-test-basic
+    required_packages:
+    - sudo
+    # pytest for Custodia testing
+    - python3-pytest
+    repositories:
+      - repo: "https://github.com/latchset/custodia.git"
+        dest: "custodia_git"
+        # tag name is e.g. "v0.6.0"
+        version: "v{{ custodia_version.stdout }}"
+    tests:
+    - sanity
+    #- custodia_setup:
+    #    dir: "custodia_git"
+    #    run: "cd tests/ca && ./custodia-ca.sh"
+    #- custodia:
+    #    dir: "custodia_git"
+    #    run: "pytest-3 -k 'not test_client_no_client_cert' tests/"
+    - python_qrcode:
+        dir: "python-qrcode"
+        run: "./test_ipa_otptoken.py"
+    - python_yubico:
+        dir: "python-yubico"
+        run: "./test_ipa_yubikey.py"
+    - pyusb:
+        dir: "pyusb"
+        run: "./test_ipa_yubico_api.py"