import keycloak-httpd-client-install-1.0-2.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/RELEASE_1_0.tar.gz

.keycloak-httpd-client-install.metadata

@@ -0,0 +1 @@
+50e2b29a2dd8a150dd8259491449ea31a13b86b8 SOURCES/RELEASE_1_0.tar.gz

SOURCES/0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch

@@ -0,0 +1,25 @@
+From d4b703761cc52d25e82d8bdf7fb860ccedaa15a2 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 28 Jun 2019 21:18:45 +0200
+Subject: [PATCH 1/4] doc: Fix a typo in --oidc-redirect-uri description
+
+---
+ doc/keycloak-httpd-client-install.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
+index f67c227..734e837 100644
+--- a/doc/keycloak-httpd-client-install.8
++++ b/doc/keycloak-httpd-client-install.8
+@@ -205,7 +205,7 @@ Common root ancestor for all protected locations
+ .B mod_auth_oidc OIDC RP Client Options
+ 
+ .TP
+-.BR \-\-oidc\-redirect\--uri " " \fIOIDC_REDIRECT_URI\fR
++.BR \-\-oidc\-redirect\-uri " " \fIOIDC_REDIRECT_URI\fR
+ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
+ protected locations.
+ (default: The first protected location appened with "/redirect_uri")
+-- 
+2.20.1
+

SOURCES/0002-Add-a-new-oidc-logout-uri-command-line-option.patch

@@ -0,0 +1,93 @@
+From 1428515ecb6297b9ccc074210aa6f466fbae30d8 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 1 Jul 2019 15:33:05 +0200
+Subject: [PATCH 2/4] Add a new --oidc-logout-uri command line option
+
+This patch adds a new command line option, unset by default, which if
+set, is added as an additional redirectUri when the keycloak client is
+being created.
+
+This option might be useful to add an extra allowed redirect for logout
+pages.
+
+The mod_auth_openidc wiki:
+    https://github.com/zmartzone/mod_auth_openidc/wiki#9-how-do-i-logout-users
+says:
+   By redirecting the user to the OIDCRedirectURI with a parameter named
+   logout. The value of that parameter contains the (URL-encoded) URL where
+   the user will be redirected to after the session has been killed.
+and also:
+   make sure that the (URL-encoded) callback URL passed in the logout
+   parameter points to a location that is not protected by
+   mod_auth_openidc or else the login process will be started again.
+---
+ bin/keycloak-httpd-client-install        | 5 +++++
+ doc/keycloak-httpd-client-install.8      | 8 ++++++++
+ templates/oidc-client-registration.tpl   | 3 +++
+ templates/oidc-client-representation.tpl | 3 +++
+ 4 files changed, 19 insertions(+)
+
+diff --git a/bin/keycloak-httpd-client-install b/bin/keycloak-httpd-client-install
+index f211a4d..128f962 100755
+--- a/bin/keycloak-httpd-client-install
++++ b/bin/keycloak-httpd-client-install
+@@ -886,6 +886,11 @@ def main():
+                        help='claim used when setting the REMOTE_USER variable, '
+                        'default="sub"')
+ 
++    group.add_argument('--oidc-logout-uri',
++                       help='Should not be a child of one of the protected '
++                       'locations. When set, adds the argument as a valid '
++                       'redirectUri for Keycloak')
++
+     # ---- Argument Group "Mellon SP"  ----
+ 
+     group = parser.add_argument_group('Mellon SP')
+diff --git a/doc/keycloak-httpd-client-install.8 b/doc/keycloak-httpd-client-install.8
+index 734e837..ead8717 100644
+--- a/doc/keycloak-httpd-client-install.8
++++ b/doc/keycloak-httpd-client-install.8
+@@ -210,6 +210,14 @@ The OIDC redirect_uri. Must be an antecedent (i.e. child) of one of the
+ protected locations.
+ (default: The first protected location appened with "/redirect_uri")
+ 
++.TP
++.BR \-\-oidc\-logout\-uri " " \fIOIDC_REDIRECT_URI\fR
++Can be used to add the location the user is redirected to after logout as
++an additional redirectUri value in Keycloak's client representation. The
++location should not be nested under any of the protected locations,
++otherwise the login process would start again.
++(default: None)
++
+ .TP
+ .BR \-\-oidc\-client\-secret " " \fIOIDC_CLIENT_SECRET\fR
+ OIDC client secret
+diff --git a/templates/oidc-client-registration.tpl b/templates/oidc-client-registration.tpl
+index 3c45c09..fd6cd38 100644
+--- a/templates/oidc-client-registration.tpl
++++ b/templates/oidc-client-registration.tpl
+@@ -2,5 +2,8 @@
+     "client_name": "{{ clientid }}",
+     "redirect_uris": [
+         "{{ client_https_url }}{{ oidc_redirect_uri }}"
++        {% if oidc_logout_uri %}
++        ,"{{ client_https_url }}{{ oidc_logout_uri }}",
++        {% endif %}
+     ]
+ }
+diff --git a/templates/oidc-client-representation.tpl b/templates/oidc-client-representation.tpl
+index 2bbf66a..1f4a496 100644
+--- a/templates/oidc-client-representation.tpl
++++ b/templates/oidc-client-representation.tpl
+@@ -6,5 +6,8 @@
+     "clientAuthenticatorType": "client-secret",
+     "redirectUris": [
+         "{{ client_https_url }}{{ oidc_redirect_uri }}"
++        {% if oidc_logout_uri %}
++        ,"{{ client_https_url }}{{ oidc_logout_uri }}"
++        {% endif %}
+     ]
+ }
+-- 
+2.20.1
+

SPECS/keycloak-httpd-client-install.spec

@@ -0,0 +1,146 @@
+%global srcname keycloak-httpd-client-install
+%global summary Tools to configure Apache HTTPD as Keycloak client
+
+%bcond_without python2
+%bcond_with python3
+
+Name:           %{srcname}
+Version:        1.0
+Release:        2%{?dist}
+Summary:        %{summary}
+
+%global git_tag RELEASE_%(r=%{version}; echo $r | tr '.' '_')
+
+License:        GPLv3
+URL:            https://github.com/jdennis/keycloak-httpd-client-install
+Source0:        https://github.com/jdennis/keycloak-httpd-client-install/archive/%{git_tag}.tar.gz
+
+Patch0001:      0001-doc-Fix-a-typo-in-oidc-redirect-uri-description.patch
+Patch0002:      0002-Add-a-new-oidc-logout-uri-command-line-option.patch
+
+BuildArch:      noarch
+
+BuildRequires:  python3-devel
+
+Requires:       %{_bindir}/keycloak-httpd-client-install
+
+%description
+Keycloak is a federated Identity Provider (IdP). Apache HTTPD supports
+a variety of authentication modules which can be configured to utilize
+a Keycloak IdP to perform authentication. This package contains
+libraries and tools which can automate and simplify configuring an
+Apache HTTPD authentication module and registering as a client of a
+Keycloak IdP.
+
+%package -n python3-%{srcname}
+Summary:        %{summary}
+
+%{?python_provide:%python_provide python3-%{srcname}}
+
+Requires:       %{name} = %{version}-%{release}
+Requires:       python3-requests
+Requires:       python3-requests-oauthlib
+Requires:       python3-jinja2
+
+%description -n python3-%{srcname}
+Keycloak is an authentication server. This package contains libraries and
+programs which can invoke the Keycloak REST API and configure clients
+of a Keycloak server.
+
+%prep
+%autosetup -n %{srcname}-%{git_tag} -p1
+
+%build
+%py3_build
+
+%install
+%py3_install
+
+install -d -m 755 %{buildroot}/%{_mandir}/man8
+install -c -m 644 doc/keycloak-httpd-client-install.8 %{buildroot}/%{_mandir}/man8
+
+%files
+%license LICENSE.txt
+%doc README.md doc/ChangeLog
+%{_datadir}/%{srcname}/
+
+%files -n python3-%{srcname}
+%{python3_sitelib}/*
+%{_bindir}/keycloak-httpd-client-install
+%{_bindir}/keycloak-rest
+%{_mandir}/man8/*
+
+%changelog
+* Wed Jul  3 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-2
+- Backport upstream patches to adds the --oidc-logout-uri option
+  and fix OIDC-related man page issues
+- Related: rhbz#1553890 - [RFE] Add mod_auth_openidc support
+
+* Fri Jun 14 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-1
+- New upstream release
+- Resolves: rhbz#1553890 - [RFE] Add mod_auth_openidc support
+
+* Fri Jul 27 2018  <jdennis@redhat.com> - 0.8-7
+- fix SOURCE0, it was pointing to github repo archive instead of release tarball
+
+* Tue Jul 10 2018  <jdennis@redhat.com> - 0.8-6
+- Restore use of bcond for python conditionals
+
+* Mon Jul  9 2018  <jdennis@redhat.com> - 0.8-5
+- Share same spec file with Fedora
+
+* Mon Jun 11 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.8-4
+- Conditionalize the python2 subpackage
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 15 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.8-2
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Wed Jan 10 2018 John Dennis <jdennis@redhat.com> - 0.8-1
+- Upgrade to upstream 0,8, includes:
+- CVE-2017-15112 unsafe use of -p/--admin-password on command line
+- CVE-2017-15111 unsafe /tmp log file in --log-file option in keycloak_cli.py
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar  1 2017 John Dennis <jdennis@redhat.com> - 0.6-1
+- Resolves: rhbz#1427720, if --mellon-root is not supplied and defaults to /
+  you end up with double slashes in entityId and endpoints
+- add --tls-verify option to control python-requests behavor when
+  using tls to connect. With this option you can use a self-signed
+  cert or point to a CA bundle.
+- Fix warnings and checks when using client originate method
+  'registration' with 'anonymous' authentication.
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan  6 2017 John Dennis <jdennis@redhat.com> - 0.5-1
+- Fix default port bug
+  Strip the port from the URL if it matches the scheme (e.g. 80 for
+  http and 443 for https)
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.4-3
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Jun 27 2016 John Dennis <jdennis@redhat.com> - 0.4-1
+- new upstream
+  See ChangeLog for details
+
+* Fri May 20 2016 John Dennis <jdennis@redhat.com> - 0.3-1
+- new upstream
+  See ChangeLog for details
+
+* Tue May 17 2016 John Dennis <jdennis@redhat.com> - 0.2-1
+- new upstream
+- Add keycloak-httpd-client-install.8 man page
+
+* Fri May 13 2016 John Dennis <jdennis@redhat.com> - 0.1-1
+- Initial version