From f0aca4290c7098c1bed462daf27e417b18a7cb57 Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Jan 10 2017 22:56:58 +0000 Subject: Merge #6573 `Adding kerberos authentication` --- diff --git a/scripts/block_retired.py b/scripts/block_retired.py index 2a9d2f6..1ca6d8e 100755 --- a/scripts/block_retired.py +++ b/scripts/block_retired.py @@ -26,11 +26,6 @@ STAGING_PKGDB = "https://admin.stg.fedoraproject.org/pkgdb" PRODUCTION_KOJI = "https://koji.fedoraproject.org/kojihub" STAGING_KOJI = "https://koji.stg.fedoraproject.org/kojihub" -# Should probably set these from a koji config file -SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') -CLIENTCERT = os.path.expanduser('~/.fedora.cert') - class ReleaseMapper(object): BRANCHNAME = 0 @@ -84,8 +79,8 @@ def get_packages(tag, staging=False): Get a list of all blocked and unblocked packages in a branch. """ url = PRODUCTION_KOJI if not staging else STAGING_KOJI - kojisession = koji.ClientSession(url) - kojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) + kojisession = koji.ClientSession(url, {'krb_rdns': False}) + kojisession.krb_login() pkglist = kojisession.listPackages(tagID=tag, inherited=True) blocked = [] unblocked = [] diff --git a/scripts/build-current.py b/scripts/build-current.py index f0699ae..016d3f5 100755 --- a/scripts/build-current.py +++ b/scripts/build-current.py @@ -19,11 +19,6 @@ LOCALKOJIHUB = 'http://arm.koji.fedoraproject.org/kojihub' REMOTEKOJIHUB = 'http://koji.fedoraproject.org/kojihub' PACKAGEURL = 'http://kojipkgs.fedoraproject.org/' -# Should probably set these from a koji config file -SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCERT = os.path.expanduser('~/.fedora.cert') - workpath = '/tmp/build-recent' loglevel = logging.DEBUG 
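Review bot: In `get_packages` (scripts/block_retired.py) the new `kojisession.krb_login()` is called with no principal or keytab and its outcome is not checked, so the script presumably relies on whatever ticket is already in the caller's credential cache, and nothing here reports a missing or expired one clearly. The same bare call is added in build-current.py, build-previous.py, check-latest-build.py, isolate-tag.py, koji-reimport.py, koji-stalk.py, sync-blocked-primary.py and sign_unsigned.py, while prune-tag.py in this commit does test the result. I would use the prune-tag.py form everywhere, e.g. `if not kojisession.krb_login(): raise RuntimeError('Unable to log into koji')`, and state the ticket requirement in each script's header comment. Whether a failed login returns a falsy value or raises depends on the koji client version, which is not visible here. The body of `get_packages` continues past the hunk.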
@@ -139,9 +134,9 @@ def importBuild(build, rpms, buildinfo, tag=None): # setup the koji session logging.info('Setting up koji session') -localkojisession = koji.ClientSession(LOCALKOJIHUB) +localkojisession = koji.ClientSession(LOCALKOJIHUB, {'krb_rdns': False}) remotekojisession = koji.ClientSession(REMOTEKOJIHUB) -localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) +localkojisession.krb_login() tag = 'f18-rebuild' diff --git a/scripts/build-previous.py b/scripts/build-previous.py index 316e128..3525425 100644 --- a/scripts/build-previous.py +++ b/scripts/build-previous.py @@ -20,11 +20,6 @@ LOCALKOJIHUB = 'http://sparc.koji.fedoraproject.org/kojihub' REMOTEKOJIHUB = 'http://koji.fedoraproject.org/kojihub' PACKAGEURL = 'http://kojipkgs.fedoraproject.org/' -# Should probably set these from a koji config file -SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCERT = os.path.expanduser('~/.fedora.cert') - workpath = '/tmp/build-recent' loglevel = logging.DEBUG @@ -130,9 +125,9 @@ def importBuild(build, rpms, buildinfo, tag=None): # setup the koji session logging.info('Setting up koji session') -localkojisession = koji.ClientSession(LOCALKOJIHUB) +localkojisession = koji.ClientSession(LOCALKOJIHUB, {'krb_rdns': False}) remotekojisession = koji.ClientSession(REMOTEKOJIHUB) -localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) +localkojisession.krb_login() tag = 'dist-f16' diff --git a/scripts/check-latest-build.py b/scripts/check-latest-build.py index 77d6ad1..d55d2cb 100755 --- a/scripts/check-latest-build.py +++ b/scripts/check-latest-build.py 
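Review bot: `localkojisession.krb_login()` in scripts/build-current.py now authenticates against `LOCALKOJIHUB`, which the file's first hunk shows as `http://arm.koji.fedoraproject.org/kojihub`, so nothing in the visible lines puts the authenticated session behind TLS. The removed `ssl_login` presumably verified the hub against `SERVERCA`. With that gone, the URL scheme is the only visible control over whether the hub is verified and the session credentials are encrypted in transit; the client may upgrade the connection itself, but the diff does not show that. I would switch to `LOCALKOJIHUB = 'https://arm.koji.fedoraproject.org/kojihub'`, matching the `https://%s.koji.fedoraproject.org/kojihub` form that sync-blocked-primary.py already uses. The same applies to the `http://` hub URLs in build-previous.py, check-latest-build.py and isolate-tag.py, and to the `self.options.kojihub` default in sign_unsigned.py.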
@@ -39,10 +39,6 @@ if args.arch is None: else: KOJIHUB = 'http://%s.koji.fedoraproject.org/kojihub' % (args.arch) -# Should probably set these from a koji config file -SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') -CLIENTCERT = os.path.expanduser('~/.fedora.cert') def _rpmvercmp((e1, v1, r1), (e2, v2, r2)): """find out which build is newer""" @@ -62,8 +58,8 @@ def _rpmvercmp((e1, v1, r1), (e2, v2, r2)): return -1 -kojisession = koji.ClientSession(KOJIHUB) -kojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) +kojisession = koji.ClientSession(KOJIHUB, {'krb_rdns': False}) +kojisession.krb_login() if args.package == []: latest_builds = sorted(kojisession.listTagged(args.tag, latest=True), diff --git a/scripts/isolate-tag.py b/scripts/isolate-tag.py index 7d3a093..03704dc 100755 --- a/scripts/isolate-tag.py +++ b/scripts/isolate-tag.py @@ -16,13 +16,10 @@ import os tag = 'f25' oldtag = 'f24' # Create a koji session -kojisession = koji.ClientSession('http://ppc.koji.fedoraproject.org/kojihub') +kojisession = koji.ClientSession('http://ppc.koji.fedoraproject.org/kojihub', {'krb_rdns': False}) # Log into koji -clientcert = os.path.expanduser('~/.fedora.cert') -clientca = os.path.expanduser('~/.fedora-upload-ca.cert') -serverca = os.path.expanduser('~/.fedora-server-ca.cert') -kojisession.ssl_login(clientcert, clientca, serverca) +kojisession.krb_login() # Get all builds tagged into the tag w/o inherited builds builds = kojisession.listTagged(tag, latest=True) diff --git a/scripts/koji-build-srpm.py b/scripts/koji-build-srpm.py index 3ce86f3..bd0cd4c 100755 --- a/scripts/koji-build-srpm.py +++ b/scripts/koji-build-srpm.py 
@@ -36,6 +36,7 @@ REMOTEKOJIHUB = 'https://koji.fedoraproject.org/kojihub' PACKAGEURL = 'http://kojipkgs.fedoraproject.org/' # Should probably set these from a koji config file +# Should only be used for ssl login SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') CLIENTCERT = os.path.expanduser('~/.fedora.cert') @@ -71,7 +72,7 @@ logging.info('Setting up koji session') localkojisession = koji.ClientSession(LOCALKOJIHUB, session_opts) remotekojisession = koji.ClientSession(REMOTEKOJIHUB) if os.path.isfile(CLIENTCERT): - localckojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) + localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) else: if args.keytab and args.principal: localkojisession.krb_login(principal=args.principal, keytab=args.keytab) diff --git a/scripts/koji-import.py b/scripts/koji-import.py index fa3f4d5..adf77cb 100755 --- a/scripts/koji-import.py +++ b/scripts/koji-import.py @@ -34,6 +34,7 @@ REMOTEKOJIHUB = 'https://koji.fedoraproject.org/kojihub' PACKAGEURL = 'http://kojipkgs.fedoraproject.org/' # Should probably set these from a koji config file +# Should only be used for ssl login SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') CLIENTCERT = os.path.expanduser('~/.fedora.cert') @@ -150,7 +151,7 @@ logging.info('Setting up koji session') localkojisession = koji.ClientSession(LOCALKOJIHUB, session_opts) remotekojisession = koji.ClientSession(REMOTEKOJIHUB) if os.path.isfile(CLIENTCERT): - localckojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) + localkojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) else: if args.keytab and args.principal: localkojisession.krb_login(principal=args.principal, keytab=args.keytab) diff --git a/scripts/koji-reimport.py b/scripts/koji-reimport.py index 477f105..df90f77 100755 --- a/scripts/koji-reimport.py +++ b/scripts/koji-reimport.py 
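Review bot: In scripts/koji-build-srpm.py the login branch still tests `os.path.isfile(CLIENTCERT)` first, so a leftover `~/.fedora.cert` silently overrides an explicit `--keytab`/`--principal` and the script authenticates with a credential the operator did not ask for. I would give the explicit arguments precedence by testing `if args.keytab and args.principal:` first and making the certificate path `elif os.path.isfile(CLIENTCERT):`, and log which method was chosen. The corrected `localkojisession` name suggests the SSL branch previously failed with a NameError whenever the cert file existed, so it has likely not been exercised recently. The identical construct in scripts/koji-import.py needs the same change; in both files the `else` branch continues outside the hunk.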
@@ -23,14 +23,11 @@ pkgs = [''] tag = '' # setup koji sessions: -serverca = os.path.expanduser('~/.fedora-server-ca.cert') -clientca = os.path.expanduser('~/.fedora-upload-ca.cert') -clientcrt = os.path.expanduser('~/.fedora.cert') primarykoji = 'https://koji.fedoraproject.org/kojihub' secondarykoji = 'https://ppc.koji.fedoraproject.org/kojihub' primary = koji.ClientSession(primarykoji) -secondary = koji.ClientSession(secondarykoji) -secondary.ssl_login(clientcrt, clientca, serverca) +secondary = koji.ClientSession(secondarykoji, {'krb_rdns': False}) +secondary.krb_login() # do the thing: diff --git a/scripts/koji-stalk.py b/scripts/koji-stalk.py index f404477..df17a6d 100755 --- a/scripts/koji-stalk.py +++ b/scripts/koji-stalk.py @@ -45,9 +45,6 @@ distronames = ['f20', 'f21', 'f22', 'f23'] rawhide = 'f23' # koji setup -auth_cert = os.path.expanduser('~/.fedora.cert') -auth_ca = os.path.expanduser('~/.fedora-server-ca.cert') -serverca = os.path.expanduser('~/.fedora-server-ca.cert') remote = koji.ClientSession('http://koji.fedoraproject.org/kojihub') # Configuration options below have been converted to use options. @@ -95,8 +92,8 @@ if testonly: # parse the koji-shadow config file, login to our koji: ks_config = ConfigParser.ConfigParser() ks_config.read(shadowconfig) -local = koji.ClientSession(ks_config.get("main", "server")) -local.ssl_login(auth_cert, auth_ca, serverca) +local = koji.ClientSession(ks_config.get("main", "server"), {'krb_rdns': False}) +local.krb_login() # set up the queues buildqueue = deque() diff --git a/scripts/mass-tag.py b/scripts/mass-tag.py index ab87d39..59d5290 100755 --- a/scripts/mass-tag.py +++ b/scripts/mass-tag.py 
@@ -21,7 +21,7 @@ newbuilds = {} # dict of packages that have a newer build attempt tasks = {} # dict of new build task info # Create a koji session -kojisession = koji.ClientSession('https://koji.fedoraproject.org/kojihub') +kojisession = koji.ClientSession('https://koji.fedoraproject.org/kojihub', {'krb_rdns': False}) # Log into koji kojisession.krb_login() diff --git a/scripts/prune-tag.py b/scripts/prune-tag.py index a9119b4..a02e6b2 100755 --- a/scripts/prune-tag.py +++ b/scripts/prune-tag.py @@ -21,10 +21,6 @@ builds = {} untag = [] loglevel = '' KOJIHUB = 'https://koji.fedoraproject.org/kojihub' -# Should probably set these from a koji config file -SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') -CLIENTCERT = os.path.expanduser('~/.fedora.cert') # Setup a dict of our key names as sigul knows them to the actual key ID # that koji would use. We should get this from sigul somehow. @@ -60,8 +56,8 @@ tag = args[0] # setup the koji session logging.info('Setting up koji session') -kojisession = koji.ClientSession(KOJIHUB) -if not kojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA): +kojisession = koji.ClientSession(KOJIHUB, {'krb_rdns': False}) +if not kojisession.krb_login(): logging.error('Unable to log into koji') sys.exit(1) diff --git a/scripts/sign_unsigned.py b/scripts/sign_unsigned.py index a6fabf6..7268734 100755 --- a/scripts/sign_unsigned.py +++ b/scripts/sign_unsigned.py @@ -315,6 +315,7 @@ class KojiTool(AbstractTool): self.options.kojihub = 'http://koji.fedoraproject.org/kojihub' self.options.regex = False self.options.ignore = [] + self.options.krb_rdns = False def create_koji_session(self): # used options: debug, debug_xmlrpc, user, password 
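Review bot: `self.options.krb_rdns = False` is set in `KojiTool` (scripts/sign_unsigned.py), but the hunk does not show `create_koji_session` passing it to `koji.ClientSession`, and that method's comment lists only `debug, debug_xmlrpc, user, password` as used options. If the option is not forwarded, this script alone would keep the client's default reverse-DNS handling of the service hostname, while every other script in the commit passes `{'krb_rdns': False}` explicitly. I would confirm the session is built with it, along the lines of `koji.ClientSession(self.options.kojihub, {'krb_rdns': self.options.krb_rdns})`, and add `krb_rdns` to the "used options" comment. Both method bodies lie outside the hunk.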
@@ -742,10 +743,7 @@ class SignUnsigned(CliTool, KojiTool): def cmd_default(self): self.tweak_options() - clientcert = '/etc/pki/pkgsigner/pkgsigner.pem' - clientca = '/etc/pki/pkgsigner/fedora-upload-ca.cert' - serverca = '/etc/pki/pkgsigner/fedora-server-ca.cert' - self.koji_session.ssl_login(clientcert, clientca, serverca) # NEEDSWORK + self.koji_session.krb_login() self.print_msg("Getting rpm list from koji") if self.options.builds: rpms = self.get_build_rpms(self.options.builds) diff --git a/scripts/sigulsign_unsigned.py b/scripts/sigulsign_unsigned.py index ccc9c46..ed5be55 100755 --- a/scripts/sigulsign_unsigned.py +++ b/scripts/sigulsign_unsigned.py @@ -184,9 +184,6 @@ class KojiHelper(object): arch=arch) else: self.kojihub = 'https://koji.fedoraproject.org/kojihub' - self.serverca = os.path.expanduser('~/.fedora-server-ca.cert') - self.clientca = os.path.expanduser('~/.fedora-upload-ca.cert') - self.clientcert = os.path.expanduser('~/.fedora.cert') self.kojisession = koji.ClientSession(self.kojihub, {'krb_rdns': False}) self.kojisession.krb_login() diff --git a/scripts/sync-blocked-primary.py b/scripts/sync-blocked-primary.py index 5854b9b..f3892c0 100755 --- a/scripts/sync-blocked-primary.py +++ b/scripts/sync-blocked-primary.py @@ -21,11 +21,6 @@ tags = ['f26', 'f25', 'f24', 'f23'] # tag to check in koji arches = ['arm', 'ppc', 's390'] -# Should probably set these from a koji config file -SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') -CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') -CLIENTCERT = os.path.expanduser('~/.fedora.cert') - kojisession = koji.ClientSession('https://koji.fedoraproject.org/kojihub') def getBlocked(kojisession, tag): 
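Review bot: `cmd_default` in scripts/sign_unsigned.py now logs in with a bare `self.koji_session.krb_login()`, so the signing run acts under whichever Kerberos identity the invoking user's ticket holds rather than the dedicated credential previously read from `/etc/pki/pkgsigner/`. For a signing tool I would make the identity explicit, using the `krb_login(principal=..., keytab=...)` form that koji-build-srpm.py already uses, fed from options, and fail with a clear message if login does not succeed. At minimum, add a comment such as `# requires a valid Kerberos ticket for the signing principal` above the call. The rest of `cmd_default` is outside the hunk.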
@@ -51,8 +46,8 @@ def getUnBlocked(kojisession, tag): for arch in arches: print "== Working on Arch: %s" % arch # Create a koji session - seckojisession = koji.ClientSession('https://%s.koji.fedoraproject.org/kojihub' % arch ) - seckojisession.ssl_login(CLIENTCERT, CLIENTCA, SERVERCA) + seckojisession = koji.ClientSession('https://%s.koji.fedoraproject.org/kojihub' % arch , {'krb_rdns': False}) + seckojisession.krb_login() for tag in tags: print "=== Working on tag: %s" % tag diff --git a/scripts/sync-tagged-primary.py b/scripts/sync-tagged-primary.py index f49639b..15749a2 100755 --- a/scripts/sync-tagged-primary.py +++ b/scripts/sync-tagged-primary.py @@ -29,6 +29,7 @@ parser.add_argument("tag", nargs="+", help="tag to sync") args = parser.parse_args() # Should probably set these from a koji config file +# Should only be used for ssl login SERVERCA = os.path.expanduser('~/.fedora-server-ca.cert') CLIENTCA = os.path.expanduser('~/.fedora-upload-ca.cert') CLIENTCERT = os.path.expanduser('~/.fedora.cert')