#13 Bump to 4.5.0: Fix pyJWT dependency for Fedora 34
Opened 2 years ago by mhuin. Modified 2 years ago
rpms/ mhuin/zuul f34_4.5.0  into  f34

file modified
+1
@@ -3,3 +3,4 @@ 

  *.rpm

  /zuul-3.19.0.tar.gz

  /zuul-3.19.1.tar.gz

+ /zuul-4.5.0.tar.gz

@@ -0,0 +1,23 @@ 

+ From 73406a92d878a24dc63e4bd2926f702ea7d07172 Mon Sep 17 00:00:00 2001

+ From: Matthieu Huin <mhuin@redhat.com>

+ Date: Thu, 17 Jun 2021 18:23:52 +0200

+ Subject: [PATCH 1/1] Fix psycopg2 requirement

+ 

+ Change-Id: I14fff8b67db01e3be815ae7968c403581a20ee8c

+ ---

+  requirements.txt | 2 +-

+  1 file changed, 1 insertion(+), 1 deletion(-)

+ 

+ diff --git a/requirements.txt b/requirements.txt

+ index 9fc76296..737cd0d7 100644

+ --- a/requirements.txt

+ +++ b/requirements.txt

+ @@ -36,4 +36,4 @@ urllib3!=1.25.4,!=1.25.5  # https://github.com/urllib3/urllib3/pull/1684

+  cheroot!=8.1.*,!=8.2.*,!=8.3.0 # https://github.com/cherrypy/cheroot/issues/263

+  elasticsearch

+  PyMySQL

+ -psycopg2-binary

+ +psycopg2

+ -- 

+ 2.31.1

+ 

@@ -1,7 +1,7 @@ 

- From 6feb399854ef55a3e43c5a46c56fae487dcd8d28 Mon Sep 17 00:00:00 2001

+ From d52afc88b57f2c93f39b79fae0c1206b10f74063 Mon Sep 17 00:00:00 2001

  From: Fabien Boucher <fboucher@redhat.com>

  Date: Tue, 19 May 2020 14:40:51 +0200

- Subject: [PATCH] Remove another shebang and remove useless exec bits

+ Subject: [PATCH 1/1] Remove another shebang and remove useless exec bits

  

  Change-Id: Id49bc9a4b50948b1f07e4fa917c93acac0c2a17e

  ---
@@ -31,7 +31,7 @@ 

  diff --git a/zuul/cmd/merger.py b/zuul/cmd/merger.py

  old mode 100755

  new mode 100644

- index 1d4b6fef..9b827427

+ index 5e318fb9..b86b8e75

  --- a/zuul/cmd/merger.py

  +++ b/zuul/cmd/merger.py

  @@ -1,4 +1,3 @@
@@ -54,5 +54,5 @@ 

  old mode 100755

  new mode 100644

  -- 

- 2.25.1

+ 2.31.1

  

@@ -1,54 +0,0 @@ 

- From b27dc5df5dc1617fc2f1d438611b87b3e63383c4 Mon Sep 17 00:00:00 2001

- From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>

- Date: Mon, 1 Jun 2020 12:49:07 +0200

- Subject: [PATCH] Replace deprecated Thread.isAlive() with Thread.is_alive()

- 

- The isAlive() method of threading.Thread has been removed in Python 3.9.

- The is_alive() method is available on Python 2.6+.

- 

- See https://bugs.python.org/issue37804

- 

- Change-Id: I951b1ae331c3101722fe34babf81d6f82d838380

- ---

-  zuul/ansible/base/library/command.py | 4 ++--

-  zuul/lib/log_streamer.py             | 2 +-

-  2 files changed, 3 insertions(+), 3 deletions(-)

- 

- diff --git a/zuul/ansible/base/library/command.py b/zuul/ansible/base/library/command.py

- index a3b969d9..0c461b3a 100755

- --- a/zuul/ansible/base/library/command.py

- +++ b/zuul/ansible/base/library/command.py

- @@ -474,7 +474,7 @@ def zuul_run_command(self, args, zuul_log_id, check_rc=False, close_fds=True, ex

-          if t:

-              t.join(10)

-              with Console(zuul_log_id) as console:

- -                if t.isAlive():

- +                if t.is_alive():

-                      console.addLine("[Zuul] standard output/error still open "

-                                      "after child exited")

-              # ZUUL: stdout and stderr are in the console log file

- @@ -495,7 +495,7 @@ def zuul_run_command(self, args, zuul_log_id, check_rc=False, close_fds=True, ex

-      finally:

-          if t:

-              with Console(zuul_log_id) as console:

- -                if t.isAlive():

- +                if t.is_alive():

-                      console.addLine("[Zuul] standard output/error still open "

-                                      "after child exited")

-                  if fail_json_kwargs:

- diff --git a/zuul/lib/log_streamer.py b/zuul/lib/log_streamer.py

- index 16b72227..9ed124c5 100644

- --- a/zuul/lib/log_streamer.py

- +++ b/zuul/lib/log_streamer.py

- @@ -181,7 +181,7 @@ class LogStreamer(object):

-              raise

-  

-      def stop(self):

- -        if self.thd.isAlive():

- +        if self.thd.is_alive():

-              self.server.shutdown()

-              self.server.server_close()

-              self.thd.join()

- -- 

- 2.25.4

- 

@@ -0,0 +1,557 @@ 

+ From 38c4f963644d40007851b79fdbb5bb652edc1fc9 Mon Sep 17 00:00:00 2001

+ From: Matthieu Huin <mhuin@redhat.com>

+ Date: Thu, 17 Jun 2021 12:32:06 +0200

+ Subject: [PATCH 1/1] Revert to pyJWT 1.7.1

+ 

+ Fedora 34 packages pyJWT 1.7.1 - This fixes packaging problems.

+ 

+ Change-Id: I8a3e260b7f1268fca59dd14d296591b87cba06d0

+ ---

+  requirements.txt                       |  2 +-

+  tests/unit/test_auth.py                | 40 +++++++-------------

+  tests/unit/test_client.py              |  4 +-

+  tests/unit/test_web.py                 | 52 +++++++++++++-------------

+  tests/zuul_client/test_zuulclient.py   | 10 ++---

+  zuul/cmd/client.py                     |  2 +-

+  zuul/driver/auth/jwt.py                | 38 ++++++++++++-------

+  zuul/driver/github/githubconnection.py |  2 +-

+  zuul/lib/auth.py                       |  2 +-

+  9 files changed, 76 insertions(+), 76 deletions(-)

+ 

+ diff --git a/requirements.txt b/requirements.txt

+ index 3ca11a6a..9fc76296 100644

+ --- a/requirements.txt

+ +++ b/requirements.txt

+ @@ -23,7 +23,7 @@ alembic

+  cryptography>=1.6

+  cachecontrol

+  cachetools

+ -pyjwt>=2.0.0,<3.0

+ +pyjwt<2.0.0

+  iso8601

+  psutil

+  fb-re2>=1.0.6

+ diff --git a/tests/unit/test_auth.py b/tests/unit/test_auth.py

+ index 74fdf180..768db8d7 100644

+ --- a/tests/unit/test_auth.py

+ +++ b/tests/unit/test_auth.py

+ @@ -17,7 +17,6 @@ import json

+  from unittest import mock

+  import os.path

+  import jwt

+ -from io import StringIO

+  import time

+  

+  from zuul.driver import auth

+ @@ -32,10 +31,10 @@ with open(os.path.join(FIXTURE_DIR,

+  algo = jwt.algorithms.RSAAlgorithm(jwt.algorithms.RSAAlgorithm.SHA256)

+  with open(os.path.join(FIXTURE_DIR,

+                         'auth/oidc-key'), 'r') as k:

+ -    OIDC_PRIVATE_KEY = algo.prepare_key(k.read())

+ +    OIDC_PRIVATE_KEY = algo.prepare_key(k.read().encode('utf-8'))

+  with open(os.path.join(FIXTURE_DIR,

+                         'auth/oidc-key.pub'), 'r') as k:

+ -    pub_key = algo.prepare_key(k.read())

+ +    pub_key = algo.prepare_key(k.read().encode('utf-8'))

+      pub_jwk = algo.to_jwk(pub_key)

+      key = {

+          "kid": "OwO",

+ @@ -53,31 +52,23 @@ with open(os.path.join(FIXTURE_DIR,

+      }

+  

+  

+ -class FakeResponse:

+ -    def __init__(self, json_dict):

+ -        self._json = json_dict

+ -

+ -    def json(self):

+ -        return self._json

+ -

+ -

+  def mock_get(url, params=None, **kwargs):

+      if url == ("https://my.oidc.provider/auth/realms/realm-one/"

+                 ".well-known/openid-configuration"):

+          return FakeResponse(FAKE_WELL_KNOWN_CONFIG)

+ +    elif url == ("https://my.oidc.provider/auth/realms/realm-one/"

+ +                 "protocol/openid-connect/certs"):

+ +        return FakeResponse(FAKE_CERTS)

+      else:

+          raise Exception("Unknown URL %s" % url)

+  

+  

+ -def mock_urlopen(url, *args, **kwargs):

+ -    if url == ("https://my.oidc.provider/auth/realms/realm-one/"

+ -               "protocol/openid-connect/certs"):

+ -        io = StringIO()

+ -        json.dump(FAKE_CERTS, io)

+ -        io.seek(0)

+ -        return io

+ -    else:

+ -        raise Exception("Unknown URL %s" % url)

+ +class FakeResponse:

+ +    def __init__(self, json_dict):

+ +        self._json = json_dict

+ +

+ +    def json(self):

+ +        return self._json

+  

+  

+  class TestOpenIDConnectAuthenticator(BaseTestCase):

+ @@ -101,9 +92,6 @@ class TestOpenIDConnectAuthenticator(BaseTestCase):

+              algorithm='RS256',

+              headers={'kid': 'OwO'})

+          with mock.patch('requests.get', side_effect=mock_get):

+ -            # patching call in PyJWKClient's fetch_data

+ -            with mock.patch('urllib.request.urlopen',

+ -                            side_effect=mock_urlopen):

+ -                decoded = OIDCAuth.decodeToken(token)

+ -                for claim in payload.keys():

+ -                    self.assertEqual(payload[claim], decoded[claim])

+ +            decoded = OIDCAuth.decodeToken(token)

+ +            for claim in payload.keys():

+ +                self.assertEqual(payload[claim], decoded[claim])

+ diff --git a/tests/unit/test_client.py b/tests/unit/test_client.py

+ index 461a8b4a..9b3edb44 100644

+ --- a/tests/unit/test_client.py

+ +++ b/tests/unit/test_client.py

+ @@ -146,9 +146,9 @@ class TestWebTokenClient(BaseClientTestCase):

+                             key=self.config.get(

+                                 'auth zuul_operator',

+                                 'secret'),

+ -                           algorithms=[self.config.get(

+ +                           algorithms=self.config.get(

+                                 'auth zuul_operator',

+ -                               'driver')],

+ +                               'driver'),

+                             audience=self.config.get(

+                                 'auth zuul_operator',

+                                 'client_id'),)

+ diff --git a/tests/unit/test_web.py b/tests/unit/test_web.py

+ index bfbc3302..3a7ac636 100644

+ --- a/tests/unit/test_web.py

+ +++ b/tests/unit/test_web.py

+ @@ -1466,7 +1466,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='OnlyZuulNoDana',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          resp = self.post_url(

+              "api/tenant/tenant-one/project/org/project/autohold",

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -1501,7 +1501,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() - 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          resp = self.post_url(

+              "api/tenant/tenant-one/project/org/project/autohold",

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -1536,7 +1536,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          resp = self.post_url(

+              "api/tenant/tenant-one/project/org/project/autohold",

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -1576,7 +1576,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                  'ref': None,

+                  'node_hold_expiration': None}

+          good_token = jwt.encode(good_authz, key='NoDanaOnlyZuul',

+ -                                algorithm='HS256')

+ +                                algorithm='HS256').decode('utf-8')

+          req = self.post_url(

+              'api/tenant/tenant-one/project/org/project/autohold',

+              headers={'Authorization': 'Bearer %s' % good_token},

+ @@ -1610,7 +1610,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          req = self.post_url(

+              'api/tenant/tenant-one/project/org/project/autohold',

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -1636,7 +1636,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+  

+      def _init_autohold_delete(self, authz):

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+  

+          client = zuul.rpcclient.RPCClient('127.0.0.1',

+                                            self.gearman_server.port)

+ @@ -1674,7 +1674,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                       },

+                       'exp': time.time() + 3600}

+          bad_token = jwt.encode(bad_authz, key='NoDanaOnlyZuul',

+ -                               algorithm='HS256')

+ +                               algorithm='HS256').decode('utf-8')

+          resp = self.delete_url(

+              "api/tenant/tenant-one/autohold/%s" % request_id,

+              headers={'Authorization': 'Bearer %s' % bad_token})

+ @@ -1718,7 +1718,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          path = "api/tenant/%(tenant)s/project/%(project)s/enqueue"

+          enqueue_args = {'tenant': 'tenant-one',

+                          'project': 'org/project', }

+ @@ -1770,7 +1770,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          req = self.post_url(path % enqueue_args,

+                              headers={'Authorization': 'Bearer %s' % token},

+                              json=ref)

+ @@ -1811,7 +1811,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          path = "api/tenant/%(tenant)s/project/%(project)s/dequeue"

+          dequeue_args = {'tenant': 'tenant-one',

+                          'project': 'org/project', }

+ @@ -1933,7 +1933,7 @@ class TestTenantScopedWebApi(BaseTestWeb):

+                   'exp': time.time() + 3600,

+                   'iat': time.time()}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          req = self.post_url(

+              'api/tenant/tenant-one/promote',

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -2007,7 +2007,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          req = self.post_url(

+              'api/tenant/tenant-one/project/org/project/autohold',

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -2030,7 +2030,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):

+                              'project': project, }

+  

+              token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                               algorithm='HS256')

+ +                               algorithm='HS256').decode('utf-8')

+              req = self.post_url(path % enqueue_args,

+                                  headers={'Authorization': 'Bearer %s' % token},

+                                  json=change)

+ @@ -2074,7 +2074,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):

+                   'groups': ['ghostbusters', 'secretary'],

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          path = "api/tenant/%(tenant)s/project/%(project)s/enqueue"

+          enqueue_args = {'tenant': 'tenant-one',

+                          'project': 'org/project2', }

+ @@ -2100,7 +2100,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):

+                       'car': 'ecto-1'},

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          path = "api/tenant/%(tenant)s/project/%(project)s/enqueue"

+          enqueue_args = {'tenant': 'tenant-one',

+                          'project': 'org/project', }

+ @@ -2122,7 +2122,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):

+                   'zuul': {'admin': admin_tenants},

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          # TODO(mhu) deprecated, remove after next release

+          req = self.get_url('/api/user/authorizations',

+                             headers={'Authorization': 'Bearer %s' % token})

+ @@ -2164,7 +2164,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):

+              authz = test_user['authz']

+              authz['exp'] = time.time() + 3600

+              token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                               algorithm='HS256')

+ +                               algorithm='HS256').decode('utf-8')

+              # TODO(mhu) deprecated, remove after next release

+              req = self.get_url('/api/user/authorizations',

+                                 headers={'Authorization': 'Bearer %s' % token})

+ @@ -2231,7 +2231,7 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          resp = self.post_url(

+              "api/tenant/tenant-one/project/org/project/autohold",

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -2267,7 +2267,7 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):

+                   'exp': time.time() + 7200,

+                   'iat': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          resp = self.post_url(

+              "api/tenant/tenant-one/project/org/project/autohold",

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -2303,7 +2303,7 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):

+                   'exp': time.time() + 3600,

+                   'iat': time.time()}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          time.sleep(10)

+          resp = self.post_url(

+              "api/tenant/tenant-one/project/org/project/autohold",

+ @@ -2347,7 +2347,7 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):

+                   'exp': time.time() + 3600,

+                   'iat': time.time()}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          req = self.post_url(

+              'api/tenant/tenant-one/project/org/project/autohold',

+              headers={'Authorization': 'Bearer %s' % token},

+ @@ -2451,7 +2451,7 @@ class TestCLIViaWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              [os.path.join(sys.prefix, 'bin/zuul'),

+               '--zuul-url', self.base_url, '--auth-token', token,

+ @@ -2490,7 +2490,7 @@ class TestCLIViaWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              [os.path.join(sys.prefix, 'bin/zuul'),

+               '--zuul-url', self.base_url, '--auth-token', token,

+ @@ -2519,7 +2519,7 @@ class TestCLIViaWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              [os.path.join(sys.prefix, 'bin/zuul'),

+               '--zuul-url', self.base_url, '--auth-token', token,

+ @@ -2555,7 +2555,7 @@ class TestCLIViaWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              [os.path.join(sys.prefix, 'bin/zuul'),

+               '--zuul-url', self.base_url, '--auth-token', token,

+ @@ -2606,7 +2606,7 @@ class TestCLIViaWebApi(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              [os.path.join(sys.prefix, 'bin/zuul'),

+               '--zuul-url', self.base_url, '--auth-token', token,

+ diff --git a/tests/zuul_client/test_zuulclient.py b/tests/zuul_client/test_zuulclient.py

+ index c17b2ab9..705119c6 100644

+ --- a/tests/zuul_client/test_zuulclient.py

+ +++ b/tests/zuul_client/test_zuulclient.py

+ @@ -190,7 +190,7 @@ class TestZuulClientAdmin(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              ['zuul-client',

+               '--zuul-url', self.base_url, '--auth-token', token, '-v',

+ @@ -230,7 +230,7 @@ class TestZuulClientAdmin(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              ['zuul-client',

+               '--zuul-url', self.base_url, '--auth-token', token, '-v',

+ @@ -266,7 +266,7 @@ class TestZuulClientAdmin(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              ['zuul-client',

+               '--zuul-url', self.base_url, '--auth-token', token, '-v',

+ @@ -308,7 +308,7 @@ class TestZuulClientAdmin(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              ['zuul-client',

+               '--zuul-url', self.base_url, '--auth-token', token, '-v',

+ @@ -359,7 +359,7 @@ class TestZuulClientAdmin(BaseTestWeb):

+                   },

+                   'exp': time.time() + 3600}

+          token = jwt.encode(authz, key='NoDanaOnlyZuul',

+ -                           algorithm='HS256')

+ +                           algorithm='HS256').decode('utf-8')

+          p = subprocess.Popen(

+              ['zuul-client',

+               '--zuul-url', self.base_url, '--auth-token', token, '-v',

+ diff --git a/zuul/cmd/client.py b/zuul/cmd/client.py

+ index d7154184..7e99c040 100644

+ --- a/zuul/cmd/client.py

+ +++ b/zuul/cmd/client.py

+ @@ -572,7 +572,7 @@ class Client(zuul.cmd.ZuulApp):

+          try:

+              auth_token = jwt.encode(token,

+                                      key=key,

+ -                                    algorithm=driver)

+ +                                    algorithm=driver).decode('utf-8')

+              print("Bearer %s" % auth_token)

+              err_code = 0

+          except Exception as e:

+ diff --git a/zuul/driver/auth/jwt.py b/zuul/driver/auth/jwt.py

+ index 7fe23f2f..2cc79826 100644

+ --- a/zuul/driver/auth/jwt.py

+ +++ b/zuul/driver/auth/jwt.py

+ @@ -16,6 +16,7 @@

+  import logging

+  import math

+  import time

+ +import json

+  import jwt

+  import requests

+  from urllib.parse import urljoin

+ @@ -70,19 +71,19 @@ class JWTAuthenticator(AuthenticatorInterface):

+          """Verify the raw token and return the decoded dictionary of claims"""

+          try:

+              decoded = self._decode(rawToken)

+ -        except jwt.exceptions.InvalidSignatureError:

+ +        except jwt.InvalidSignatureError:

+              raise exceptions.AuthTokenInvalidSignatureException(

+                  realm=self.realm)

+ -        except jwt.exceptions.DecodeError:

+ +        except jwt.DecodeError:

+              raise exceptions.AuthTokenUndecodedException(

+                  realm=self.realm)

+ -        except jwt.exceptions.ExpiredSignatureError:

+ +        except jwt.ExpiredSignatureError:

+              raise exceptions.TokenExpiredError(

+                  realm=self.realm)

+ -        except jwt.exceptions.InvalidIssuerError:

+ +        except jwt.InvalidIssuerError:

+              raise exceptions.IssuerUnknownError(

+                  realm=self.realm)

+ -        except jwt.exceptions.InvalidAudienceError:

+ +        except jwt.InvalidAudienceError:

+              raise exceptions.IncorrectAudienceError(

+                  realm=self.realm)

+          except Exception as e:

+ @@ -153,7 +154,7 @@ class HS256Authenticator(JWTAuthenticator):

+      def _decode(self, rawToken):

+          return jwt.decode(rawToken, self.secret, issuer=self.issuer_id,

+                            audience=self.audience,

+ -                          algorithms=[self.algorithm])

+ +                          algorithms=self.algorithm)

+  

+  

+  class RS256Authenticator(JWTAuthenticator):

+ @@ -171,7 +172,7 @@ class RS256Authenticator(JWTAuthenticator):

+      def _decode(self, rawToken):

+          return jwt.decode(rawToken, self.public_key, issuer=self.issuer_id,

+                            audience=self.audience,

+ -                          algorithms=[self.algorithm])

+ +                          algorithms=self.algorithm)

+  

+  

+  class OpenIDConnectAuthenticator(JWTAuthenticator):

+ @@ -202,9 +203,9 @@ class OpenIDConnectAuthenticator(JWTAuthenticator):

+              raise exceptions.JWKSException(

+                  realm=self.realm,

+                  msg=msg)

+ -        jwks_client = jwt.PyJWKClient(keys_url)

+ +        # TODO keys can probably be cached

+          try:

+ -            signing_key = jwks_client.get_signing_key(kid=key_id)

+ +            certs = requests.get(keys_url).json()

+          except Exception as e:

+              msg = 'Could not fetch Identity Provider keys at %s: %s'

+              logger.error(msg % (keys_url, e))

+ @@ -212,9 +213,20 @@ class OpenIDConnectAuthenticator(JWTAuthenticator):

+                  realm=self.realm,

+                  msg='There was an error while fetching '

+                      'keys for Identity Provider, check logs for details')

+ -        algorithm = signing_key._jwk_data.get("alg", None) or self.algorithm

+ -        key = signing_key.key

+ -        return key, algorithm

+ +        for key_dict in certs['keys']:

+ +            if key_dict.get('kid') == key_id:

+ +                # TODO: theoretically two other types of keys are

+ +                # supported by the JWKS standard. We should raise an error

+ +                # in the unlikely case 'kty' is not RSA.

+ +                # (see https://tools.ietf.org/html/rfc7518#section-6.1)

+ +                key = jwt.algorithms.RSAAlgorithm.from_jwk(

+ +                    json.dumps(key_dict))

+ +                algorithm = key_dict.get('alg', None) or self.algorithm

+ +                return key, algorithm

+ +        raise exceptions.JWKSException(

+ +            self.realm,

+ +            'Cannot verify token: public key %s '

+ +            'not listed by Identity Provider' % key_id)

+  

+      def get_well_known_config(self):

+          issuer = self.issuer_id

+ @@ -246,7 +258,7 @@ class OpenIDConnectAuthenticator(JWTAuthenticator):

+          key, algorithm = self.get_key(key_id)

+          return jwt.decode(rawToken, key, issuer=self.issuer_id,

+                            audience=self.audience,

+ -                          algorithms=[algorithm])

+ +                          algorithms=algorithm)

+  

+  

+  AUTHENTICATORS = {

+ diff --git a/zuul/driver/github/githubconnection.py b/zuul/driver/github/githubconnection.py

+ index 6089d4be..ed9a967e 100644

+ --- a/zuul/driver/github/githubconnection.py

+ +++ b/zuul/driver/github/githubconnection.py

+ @@ -964,7 +964,7 @@ class GithubClientManager:

+          data = {'iat': now, 'exp': expiry, 'iss': self.app_id}

+          app_token = jwt.encode(data,

+                                 self.app_key,

+ -                               algorithm='RS256')

+ +                               algorithm='RS256').decode('utf-8')

+  

+          headers = {'Accept': PREVIEW_JSON_ACCEPT,

+                     'Authorization': 'Bearer %s' % app_token}

+ diff --git a/zuul/lib/auth.py b/zuul/lib/auth.py

+ index a5866e90..effb4bc5 100644

+ --- a/zuul/lib/auth.py

+ +++ b/zuul/lib/auth.py

+ @@ -74,7 +74,7 @@ class AuthenticatorRegistry(object):

+          cpb.capabilities_registry.register_capabilities('auth', capabilities)

+  

+      def authenticate(self, rawToken):

+ -        unverified = jwt.decode(rawToken, options={'verify_signature': False})

+ +        unverified = jwt.decode(rawToken, verify=False)

+          for auth_name in self.authenticators:

+              authenticator = self.authenticators[auth_name]

+              if authenticator.issuer_id == unverified.get('iss', ''):

+ -- 

+ 2.31.1

+ 
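Review bot: The JWKS fetch introduced in the `OpenIDConnectAuthenticator.get_key` rewrite, `certs = requests.get(keys_url).json()`, has no `timeout` and never checks the HTTP status, so a stalled or error-returning identity provider blocks the request-handling thread on every token verification (the `# TODO keys can probably be cached` line confirms nothing is cached), and a JSON error body that lacks a `keys` member only fails later at `certs['keys']`, outside the `try` that reports JWKS fetch failures; the generic `except Exception` in `decodeToken` appears to catch that, but the specific `JWKSException` path is lost. I would fetch inside the same `try` as `resp = requests.get(keys_url, timeout=10)` / `resp.raise_for_status()` / `certs = resp.json()['keys']` (the timeout value is a constructed example) so that every failure mode of the key retrieval is reported uniformly. Separately, the `algorithms=self.algorithm` changes in `HS256Authenticator._decode`, `RS256Authenticator._decode` and the OIDC `_decode` pass a bare string where pyJWT 1.x documents a list, which makes the allowed-algorithm check a substring test rather than a membership test; keeping `algorithms=[self.algorithm]` is accepted by both pyJWT 1.7.1 and 2.x, and the same applies to `algorithms=self.config.get(...)` in tests/unit/test_client.py. The body of `get_key` begins before the first `get_key` hunk shown, so only part of it is visible here.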

@@ -1,36 +0,0 @@ 

- From e8935676a8b6db3b29d419d440f9e82b5090a5b2 Mon Sep 17 00:00:00 2001

- From: Fabien Boucher <fboucher@redhat.com>

- Date: Mon, 13 Jul 2020 15:32:53 +0000

- Subject: [PATCH] Update cherrypy and cheroot requirement pinning

- 

- Cheroot 8.3.1 have been released with the https://github.com/cherrypy/cheroot/issues/263

- fix.

- 

- Change-Id: I83aad30a6145ed2c7689d6c25c624c453c07ed2b

- ---

-  requirements.txt | 7 ++-----

-  1 file changed, 2 insertions(+), 5 deletions(-)

- 

- diff --git a/requirements.txt b/requirements.txt

- index 78eb980f..829c7606 100644

- --- a/requirements.txt

- +++ b/requirements.txt

- @@ -29,13 +29,10 @@ iso8601

-  psutil

-  fb-re2>=1.0.6

-  paho-mqtt

- -cherrypy==18.3.0; # last version to support cheroot below

- +cherrypy

-  ws4py

-  routes

-  pathspec

-  jsonpath-rw

-  urllib3!=1.25.4,!=1.25.5  # https://github.com/urllib3/urllib3/pull/1684

- -# TODO(tobiash): cheroot 8.1.0 introduced a regression when handling concurrent

- -# requests. Remove the following line when this issue is resolved:

- -# https://github.com/cherrypy/cheroot/issues/263

- -cheroot<8.1.0

- +cheroot!=8.1.*,!=8.2.*,!=8.3.0 # https://github.com/cherrypy/cheroot/issues/263

- -- 

- 2.27.0

- 

@@ -1,28 +0,0 @@ 

- From ea0b50c90d22a2f24b288e1a91e2b85f17059cbc Mon Sep 17 00:00:00 2001

- From: Tristan Cacqueray <tdecacqu@redhat.com>

- Date: Mon, 25 May 2020 17:39:59 +0000

- Subject: [PATCH] requirements: add explicit reference to dateutil

- 

- Zuul is using a dateutil provided transitively. This change

- makes the requirements explicit.

- 

- Change-Id: I672d409a1bb241e5d199c77acdd51a8260d99ee2

- ---

-  requirements.txt | 1 +

-  1 file changed, 1 insertion(+)

- 

- diff --git a/requirements.txt b/requirements.txt

- index 732aa35a..78eb980f 100644

- --- a/requirements.txt

- +++ b/requirements.txt

- @@ -4,6 +4,7 @@ importlib-resources==1.0.2

-  # Early virtualenv 20 had bad file location assumptions

-  virtualenv!=20.0.0,!=20.0.1,>20

-  

- +python-dateutil

-  github3.py>=1.1.0

-  PyYAML>=3.1.0

-  paramiko>=2.0.1

- -- 

- 2.25.4

- 

file modified
+52 -8
@@ -18,22 +18,38 @@ 

  This process describes the minimal steps to get a Zookeeper service running. You

  should refer to the Zookeeper documentation to get a production setup if needed.

  

+ Zookeeper must be used with TLS. More information can be found in Zuul's documentation: https://zuul-ci.org/docs/zuul/howtos/zookeeper.html

+ 

  ```

  $ mkdir /tmp/zookeeper && cd /tmp/zookeeper

- $ curl -OL https://downloads.apache.org/zookeeper/zookeeper-3.6.1/apache-zookeeper-3.6.1-bin.tar.gz

- $ tar -xvzf apache-zookeeper-3.6.1-bin.tar.gz

- $ cp apache-zookeeper-3.6.1-bin/conf/zoo_sample.cfg apache-zookeeper-3.6.1-bin/conf/zoo.cfg

- $ sudo apache-zookeeper-3.6.1-bin/bin/zkServer.sh start

+ $ curl -OL https://apache.mediamirrors.org/zookeeper/zookeeper-3.6.3/apache-zookeeper-3.6.3-bin.tar.gz

+ $ tar -xvzf apache-zookeeper-3.6.3-bin.tar.gz

+ $ cp apache-zookeeper-3.6.3-bin/conf/zoo_sample.cfg apache-zookeeper-3.6.3-bin/conf/zoo.cfg

+ $ sudo dnf install openssl

+ $ mkdir /tmp/zookeeper/ca/

+ $ curl -OL https://opendev.org/zuul/zuul/raw/branch/master/tools/zk-ca.sh

+ $ curl -OL https://opendev.org/zuul/zuul/raw/branch/master/tools/openssl.cnf

+ $ zk-ca.sh /tmp/zookeeper/ca localhost

+ $ echo 'server.1=localhost:2888:3888' >> apache-zookeeper-3.6.3-bin/conf/zoo.cfg

+ $ echo 'serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory' >> apache-zookeeper-3.6.3-bin/conf/zoo.cfg

+ $ echo 'secureClientPort=2281' >> apache-zookeeper-3.6.3-bin/conf/zoo.cfg

+ $ echo 'ssl.keyStore.location=/tmp/zookeeper/ca/keystores/localhost.pem' >> apache-zookeeper-3.6.3-bin/conf/zoo.cfg

+ $ echo 'ssl.trustStore.location=/tmp/zookeeper/ca/certs/cacert.pem' >> apache-zookeeper-3.6.3-bin/conf/zoo.cfg

+ $ sudo apache-zookeeper-3.6.3-bin/bin/zkServer.sh start

  ```

  

  ### Install and setup postgresql

  

  This process describes the minimal steps to get a postgres service running. You

- should refer to the postgrres documentation to get a production setup if needed.

+ should refer to the postgres documentation to get a production setup if needed.

  

  ```

- $ sudo dnf install -y posgresql python3-psycopg2

- $ su - postgres

+ $ sudo dnf install -y postgresql python3-psycopg2

+ $ sudo dnf install -y postgresql python3-psycopg2 postgresql-server postgresql-contrib

+ $ sudo systemctl enable postgresql

+ $ sudo postgresql-setup --initdb --unit postgresql

+ $ sudo systemctl start postgresql

+ $ sudo su - postgres

  $ psql

    ALTER USER postgres WITH PASSWORD 'mypassword';

  $ createdb --owner=postgres zuul
@@ -44,7 +60,7 @@ 

  

  ```

  $ sudo sed -i 's|127.0.0.1/32            ident|127.0.0.1/32            md5|' /var/lib/pgsql/data/pg_hba.conf

- $ sudo systemctl restart posgreql

+ $ sudo systemctl restart postgreql

  ```

  

  Validate server connection by running:
@@ -71,6 +87,34 @@ 

  dburi=postgresql://postgres:mypassword@127.0.0.1:5432/zuul

  ```

  

+ ### Configure the Zookeeper connection in Zuul

+ 

+ In /etc/zuul/zuul.conf add the following:

+ 

+ ```

+ [keystore]

+ password=XXXXXXX

+ ```

+ 

+ Copy the zookeeper certificates in /etc/zuul/:

+ 

+ ```

+ $ cp /tmp/zookeeper/ca/certs/cacert.pem /etc/zuul/cacert.pem

+ $ cp /tmp/zookeeper/ca/certs/client.pem /etc/zuul/client.pem

+ $ cp /tmp/zookeeper/ca/keys/clientkey.pem /etc/zuul/clientkey.pem

+ $ chown zuul /etc/zuul/*.pem

+ ```

+ 

+ And modify the `[zookeeper]` section in /etc/zuul/zuul.conf like so:

+ 

+ ```

+ [zookeeper]

+ hosts=localhost:2281

+ tls_cert=/etc/zuul/client.pem

+ tls_key=/etc/zuul/clientkey.pem

+ tls_ca=/etc/zuul/cacert.pem

+ ```

+ 

  ### Setup Ansible virtual environment for the Zuul executor

  

  The Zuul executor is the component in charge of running Zuul Jobs. A Zuul job is

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (zuul-3.19.1.tar.gz) = 0460e7e8407cd9cc005d1c05be718ca350a526cb7db44bfb1e8fe702a28c127ad828d6f6a7b1786205722e778def571fae80663db3d371df8a06e6b37ca50d89

+ SHA512 (zuul-4.5.0.tar.gz) = dc73cfaff3fb8bee68ae64368380c5d51db5faac0bdca2a9fbe78897a9ae9e7dd96a2d2e7eb003e662242597ea86aff797a5151e5097483309faa085a43b2e5a

@@ -0,0 +1,352 @@ 

+ #

+ # OpenSSL example configuration file.

+ # This is mostly being used for generation of certificate requests.

+ #

+ 

+ # Note that you can include other files from the main configuration

+ # file using the .include directive.

+ #.include filename

+ 

+ # This definition stops the following lines choking if HOME isn't

+ # defined.

+ HOME			= .

+ RANDFILE		= $ENV::HOME/.rnd

+ 

+ # Extra OBJECT IDENTIFIER info:

+ #oid_file		= $ENV::HOME/.oid

+ oid_section		= new_oids

+ 

+ # To use this configuration file with the "-extfile" option of the

+ # "openssl x509" utility, name here the section containing the

+ # X.509v3 extensions to use:

+ # extensions		= 

+ # (Alternatively, use a configuration file that has only

+ # X.509v3 extensions in its main [= default] section.)

+ 

+ [ new_oids ]

+ 

+ # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

+ # Add a simple OID like this:

+ # testoid1=1.2.3.4

+ # Or use config file substitution like this:

+ # testoid2=${testoid1}.5.6

+ 

+ # Policies used by the TSA examples.

+ tsa_policy1 = 1.2.3.4.1

+ tsa_policy2 = 1.2.3.4.5.6

+ tsa_policy3 = 1.2.3.4.5.7

+ 

+ ####################################################################

+ [ ca ]

+ default_ca	= CA_default		# The default ca section

+ 

+ ####################################################################

+ [ CA_default ]

+ 

+ dir		= ./demoCA		# Where everything is kept

+ certs		= $dir/certs		# Where the issued certs are kept

+ crl_dir		= $dir/crl		# Where the issued crl are kept

+ database	= $dir/index.txt	# database index file.

+ #unique_subject	= no			# Set to 'no' to allow creation of

+ 					# several certs with same subject.

+ new_certs_dir	= $dir/newcerts		# default place for new certs.

+ 

+ certificate	= $dir/cacert.pem 	# The CA certificate

+ serial		= $dir/serial 		# The current serial number

+ crlnumber	= $dir/crlnumber	# the current crl number

+ 					# must be commented out to leave a V1 CRL

+ crl		= $dir/crl.pem 		# The current CRL

+ private_key	= $dir/private/cakey.pem# The private key

+ RANDFILE	= $dir/private/.rand	# private random number file

+ 

+ x509_extensions	= usr_cert		# The extensions to add to the cert

+ 

+ # Comment out the following two lines for the "traditional"

+ # (and highly broken) format.

+ name_opt 	= ca_default		# Subject Name options

+ cert_opt 	= ca_default		# Certificate field options

+ 

+ # Extension copying option: use with caution.

+ # copy_extensions = copy

+ 

+ # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

+ # so this is commented out by default to leave a V1 CRL.

+ # crlnumber must also be commented out to leave a V1 CRL.

+ # crl_extensions	= crl_ext

+ 

+ default_days	= 365			# how long to certify for

+ default_crl_days= 30			# how long before next CRL

+ default_md	= default		# use public key default MD

+ preserve	= no			# keep passed DN ordering

+ 

+ # A few difference way of specifying how similar the request should look

+ # For type CA, the listed attributes must be the same, and the optional

+ # and supplied fields are just that :-)

+ policy		= policy_match

+ 

+ # For the CA policy

+ [ policy_match ]

+ countryName		= match

+ stateOrProvinceName	= match

+ organizationName	= match

+ organizationalUnitName	= optional

+ commonName		= supplied

+ emailAddress		= optional

+ 

+ # For the 'anything' policy

+ # At this point in time, you must list all acceptable 'object'

+ # types.

+ [ policy_anything ]

+ countryName		= optional

+ stateOrProvinceName	= optional

+ localityName		= optional

+ organizationName	= optional

+ organizationalUnitName	= optional

+ commonName		= supplied

+ emailAddress		= optional

+ 

+ ####################################################################

+ [ req ]

+ default_bits		= 2048

+ default_keyfile 	= privkey.pem

+ distinguished_name	= req_distinguished_name

+ attributes		= req_attributes

+ x509_extensions	= v3_ca	# The extensions to add to the self signed cert

+ 

+ # Passwords for private keys if not present they will be prompted for

+ # input_password = secret

+ # output_password = secret

+ 

+ # This sets a mask for permitted string types. There are several options. 

+ # default: PrintableString, T61String, BMPString.

+ # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)

+ # utf8only: only UTF8Strings (PKIX recommendation after 2004).

+ # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

+ # MASK:XXXX a literal mask value.

+ # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

+ string_mask = utf8only

+ 

+ # req_extensions = v3_req # The extensions to add to a certificate request

+ 

+ [ req_distinguished_name ]

+ countryName			= Country Name (2 letter code)

+ countryName_default		= AU

+ countryName_min			= 2

+ countryName_max			= 2

+ 

+ stateOrProvinceName		= State or Province Name (full name)

+ stateOrProvinceName_default	= Some-State

+ 

+ localityName			= Locality Name (eg, city)

+ 

+ 0.organizationName		= Organization Name (eg, company)

+ 0.organizationName_default	= Internet Widgits Pty Ltd

+ 

+ # we can do this but it is not needed normally :-)

+ #1.organizationName		= Second Organization Name (eg, company)

+ #1.organizationName_default	= World Wide Web Pty Ltd

+ 

+ organizationalUnitName		= Organizational Unit Name (eg, section)

+ #organizationalUnitName_default	=

+ 

+ commonName			= Common Name (e.g. server FQDN or YOUR name)

+ commonName_max			= 64

+ 

+ emailAddress			= Email Address

+ emailAddress_max		= 64

+ 

+ # SET-ex3			= SET extension number 3

+ 

+ [ req_attributes ]

+ challengePassword		= A challenge password

+ challengePassword_min		= 4

+ challengePassword_max		= 20

+ 

+ unstructuredName		= An optional company name

+ 

+ [ usr_cert ]

+ 

+ # These extensions are added when 'ca' signs a request.

+ 

+ # This goes against PKIX guidelines but some CAs do it and some software

+ # requires this to avoid interpreting an end user certificate as a CA.

+ 

+ basicConstraints=CA:FALSE

+ 

+ # Here are some examples of the usage of nsCertType. If it is omitted

+ # the certificate can be used for anything *except* object signing.

+ 

+ # This is OK for an SSL server.

+ # nsCertType			= server

+ 

+ # For an object signing certificate this would be used.

+ # nsCertType = objsign

+ 

+ # For normal client use this is typical

+ # nsCertType = client, email

+ 

+ # and for everything including object signing:

+ # nsCertType = client, email, objsign

+ 

+ # This is typical in keyUsage for a client certificate.

+ # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+ 

+ # This will be displayed in Netscape's comment listbox.

+ nsComment			= "OpenSSL Generated Certificate"

+ 

+ # PKIX recommendations harmless if included in all certificates.

+ subjectKeyIdentifier=hash

+ authorityKeyIdentifier=keyid,issuer

+ 

+ # This stuff is for subjectAltName and issuerAltname.

+ # Import the email address.

+ # subjectAltName=email:copy

+ # An alternative to produce certificates that aren't

+ # deprecated according to PKIX.

+ # subjectAltName=email:move

+ 

+ # Copy subject details

+ # issuerAltName=issuer:copy

+ 

+ #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem

+ #nsBaseUrl

+ #nsRevocationUrl

+ #nsRenewalUrl

+ #nsCaPolicyUrl

+ #nsSslServerName

+ 

+ # This is required for TSA certificates.

+ # extendedKeyUsage = critical,timeStamping

+ 

+ [ v3_req ]

+ 

+ # Extensions to add to a certificate request

+ 

+ basicConstraints = CA:FALSE

+ keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+ 

+ [ v3_ca ]

+ 

+ 

+ # Extensions for a typical CA

+ 

+ 

+ # PKIX recommendation.

+ 

+ subjectKeyIdentifier=hash

+ 

+ authorityKeyIdentifier=keyid:always,issuer

+ 

+ basicConstraints = critical,CA:true

+ 

+ # Key usage: this is typical for a CA certificate. However since it will

+ # prevent it being used as an test self-signed certificate it is best

+ # left out by default.

+ # keyUsage = cRLSign, keyCertSign

+ 

+ # Some might want this also

+ # nsCertType = sslCA, emailCA

+ 

+ # Include email address in subject alt name: another PKIX recommendation

+ # subjectAltName=email:copy

+ # Copy issuer details

+ # issuerAltName=issuer:copy

+ 

+ # DER hex encoding of an extension: beware experts only!

+ # obj=DER:02:03

+ # Where 'obj' is a standard or added object

+ # You can even override a supported extension:

+ # basicConstraints= critical, DER:30:03:01:01:FF

+ 

+ [ crl_ext ]

+ 

+ # CRL extensions.

+ # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

+ 

+ # issuerAltName=issuer:copy

+ authorityKeyIdentifier=keyid:always

+ 

+ [ proxy_cert_ext ]

+ # These extensions should be added when creating a proxy certificate

+ 

+ # This goes against PKIX guidelines but some CAs do it and some software

+ # requires this to avoid interpreting an end user certificate as a CA.

+ 

+ basicConstraints=CA:FALSE

+ 

+ # Here are some examples of the usage of nsCertType. If it is omitted

+ # the certificate can be used for anything *except* object signing.

+ 

+ # This is OK for an SSL server.

+ # nsCertType			= server

+ 

+ # For an object signing certificate this would be used.

+ # nsCertType = objsign

+ 

+ # For normal client use this is typical

+ # nsCertType = client, email

+ 

+ # and for everything including object signing:

+ # nsCertType = client, email, objsign

+ 

+ # This is typical in keyUsage for a client certificate.

+ # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

+ 

+ # This will be displayed in Netscape's comment listbox.

+ nsComment			= "OpenSSL Generated Certificate"

+ 

+ # PKIX recommendations harmless if included in all certificates.

+ subjectKeyIdentifier=hash

+ authorityKeyIdentifier=keyid,issuer

+ 

+ # This stuff is for subjectAltName and issuerAltname.

+ # Import the email address.

+ # subjectAltName=email:copy

+ # An alternative to produce certificates that aren't

+ # deprecated according to PKIX.

+ # subjectAltName=email:move

+ 

+ # Copy subject details

+ # issuerAltName=issuer:copy

+ 

+ #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem

+ #nsBaseUrl

+ #nsRevocationUrl

+ #nsRenewalUrl

+ #nsCaPolicyUrl

+ #nsSslServerName

+ 

+ # This really needs to be in place for it to be a proxy certificate.

+ proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

+ 

+ ####################################################################

+ [ tsa ]

+ 

+ default_tsa = tsa_config1	# the default TSA section

+ 

+ [ tsa_config1 ]

+ 

+ # These are used by the TSA reply generation only.

+ dir		= ./demoCA		# TSA root directory

+ serial		= $dir/tsaserial	# The current serial number (mandatory)

+ crypto_device	= builtin		# OpenSSL engine to use for signing

+ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

+ 					# (optional)

+ certs		= $dir/cacert.pem	# Certificate chain to include in reply

+ 					# (optional)

+ signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

+ signer_digest  = sha256			# Signing digest to use. (Optional)

+ default_policy	= tsa_policy1		# Policy if request did not specify it

+ 					# (optional)

+ other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)

+ digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)

+ accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)

+ clock_precision_digits  = 0	# number of digits after dot. (optional)

+ ordering		= yes	# Is ordering defined for timestamps?

+ 				# (optional, default: no)

+ tsa_name		= yes	# Must the TSA name be included in the reply?

+ 				# (optional, default: no)

+ ess_cert_id_chain	= no	# Must the ESS cert id chain be included?

+ 				# (optional, default: no)

+ ess_cert_id_alg		= sha1	# algorithm to compute certificate

+ 				# identifier (optional, default: sha1)

file added
+104
@@ -0,0 +1,104 @@ 

+ #!/bin/sh -e

+ 

+ # Copyright 2020 Red Hat, Inc

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License"); you may

+ # not use this file except in compliance with the License. You may obtain

+ # a copy of the License at

+ #

+ #      http://www.apache.org/licenses/LICENSE-2.0

+ #

+ # Unless required by applicable law or agreed to in writing, software

+ # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

+ # License for the specific language governing permissions and limitations

+ # under the License.

+ 

+ # Manage a CA for Zookeeper

+ 

+ CAROOT=$1

+ SERVER=$2

+ 

+ SUBJECT='/C=US/ST=California/L=Oakland/O=Company Name/OU=Org'

+ TOOLSDIR=$(dirname $0)

+ ABSTOOLSDIR=$(cd $TOOLSDIR ;pwd)

+ CONFIG="-config $ABSTOOLSDIR/openssl.cnf"

+ 

+ make_ca() {

+     mkdir $CAROOT/demoCA

+     mkdir $CAROOT/demoCA/reqs

+     mkdir $CAROOT/demoCA/newcerts

+     mkdir $CAROOT/demoCA/crl

+     mkdir $CAROOT/demoCA/private

+     chmod 700 $CAROOT/demoCA/private

+     touch $CAROOT/demoCA/index.txt

+     touch $CAROOT/demoCA/index.txt.attr

+     mkdir $CAROOT/certs

+     mkdir $CAROOT/keys

+     mkdir $CAROOT/keystores

+     chmod 700 $CAROOT/keys

+     chmod 700 $CAROOT/keystores

+ 

+     openssl req $CONFIG -new -nodes -subj "$SUBJECT/CN=caroot" \

+             -keyout $CAROOT/demoCA/private/cakey.pem \

+             -out $CAROOT/demoCA/reqs/careq.pem

+     openssl ca $CONFIG -create_serial -days 3560 -batch -selfsign -extensions v3_ca \

+             -out $CAROOT/demoCA/cacert.pem \

+             -keyfile $CAROOT/demoCA/private/cakey.pem \

+             -infiles $CAROOT/demoCA/reqs/careq.pem

+     cp $CAROOT/demoCA/cacert.pem $CAROOT/certs

+ }

+ 

+ make_client() {

+     openssl req $CONFIG -new -nodes -subj "$SUBJECT/CN=client" \

+             -keyout $CAROOT/keys/clientkey.pem \

+             -out $CAROOT/demoCA/reqs/clientreq.pem

+     openssl ca $CONFIG -batch -policy policy_anything -days 3560 \

+             -out $CAROOT/certs/client.pem \

+             -infiles $CAROOT/demoCA/reqs/clientreq.pem

+ }

+ 

+ make_server() {

+     openssl req $CONFIG -new -nodes -subj "$SUBJECT/CN=$SERVER" \

+             -keyout $CAROOT/keys/${SERVER}key.pem \

+             -out $CAROOT/demoCA/reqs/${SERVER}req.pem

+     openssl ca $CONFIG -batch -policy policy_anything -days 3560 \

+             -out $CAROOT/certs/$SERVER.pem \

+             -infiles $CAROOT/demoCA/reqs/${SERVER}req.pem

+     cat $CAROOT/certs/$SERVER.pem $CAROOT/keys/${SERVER}key.pem \

+         > $CAROOT/keystores/$SERVER.pem

+ }

+ 

+ help() {

+     echo "$0 CAROOT [SERVER]"

+     echo

+     echo "  CAROOT is the path to a directory in which to store the CA"

+     echo "         and certificates."

+     echo "  SERVER is the FQDN of a server for which a certificate should"

+     echo "         be generated"

+ }

+ 

+ if [ ! -d "$CAROOT" ]; then

+     echo "CAROOT must be a directory"

+     help

+     exit 1

+ fi

+ 

+ cd $CAROOT

+ CAROOT=`pwd`

+ 

+ if [ ! -d "$CAROOT/demoCA" ]; then

+     echo 'Generate CA'

+     make_ca

+     echo 'Generate client certificate'

+     make_client

+ fi

+ 

+ if [ -f "$CAROOT/certs/$SERVER.pem" ]; then

+     echo "Certificate for $SERVER already exists"

+     exit 0

+ fi

+ 

+ if [ "$SERVER" != "" ]; then

+     make_server

+ fi

file modified
+37
@@ -24,6 +24,43 @@ 

      remote_src: true

    become: true

  

+ - name: Install OpenSSL

+   package:

+     name: openssl

+   become: true

+ 

+ - name: Create CA directory

+   file:

+     path: /tmp/zookeeper/ca

+     state: directory

+     mode: 0755

+   become: true

+ 

+ - name: Copy openssl.cnf

+   copy:

+     src: files/openssl.cnf

+     dest: /tmp/zookeeper/ca/openssl.cnf

+     mode: 0755

+ 

+ - name: Copy zk-ca.sh

+   copy:

+     src: files/zk-ca.sh

+     dest: /tmp/zookeeper/ca/zk-ca.sh

+     mode: 0755

+ 

+ - name: Render certificates

+   command: "/tmp/zookeeper/ca/zk-ca.sh /tmp/zookeeper/ca localhost"

+ 

+ - name: add CA to ZK configuration

+   blockinfile:

+     path: /tmp/zookeeper/apache-zookeeper-{{ zookeeper_version }}-bin/conf/zoo.cfg

+     block: |

+       server.1=localhost:2888:3888

+       serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

+       secureClientPort=2281

+       ssl.keyStore.location=/tmp/zookeeper/ca/keystores/localhost.pem

+       ssl.trustStore.location=/tmp/zookeeper/ca/certs/cacert.pem     

+ 

  - name: Ensure Zookeeper not running

    command: pkill -f zookeeper

    ignore_errors: true
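Review bot: The `Create CA directory` task makes /tmp/zookeeper/ca as root (`become: true`, mode 0755), but the two `copy` tasks and `Render certificates` that write into it carry no `become`, so if the play's user is not root the copies into that directory and the `mkdir $CAROOT/demoCA` that zk-ca.sh performs would fail with EACCES; the tasks should agree, e.g. add `become: true` to the copy and render tasks, or drop it from `Create CA directory`. The config file is also installed with `mode: 0755`; openssl.cnf is data, so `mode: 0644` is enough and only zk-ca.sh needs the exec bit. The blockinfile value `ssl.trustStore.location=...cacert.pem` ends in trailing spaces, which is harmless only if ZooKeeper trims property values, so they are worth stripping. Whether the render step ran as root in CI cannot be told from here; note that zk-ca.sh chmods its keys/ and keystores/ directories to 700, so the user that renders them is the only one who can later read them.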

file modified
+32
@@ -23,6 +23,38 @@ 

        dburi=postgresql://postgres:mypassword@127.0.0.1:5432/zuul

    become: true

  

+ - name: Configure Zookeeper TLS

+   block:

+     - copy:

+         src: /tmp/zookeeper/ca/certs/{{ item }}

+         dest: /etc/zuul/{{ item }}

+         owner: zuul

+       loop:

+         - client.pem

+         - cacert.pem

+     - copy:

+         src: /tmp/zookeeper/ca/keys/clientkey.pem

+         dest: /etc/zuul/clientkey.pem

+         owner: zuul

+     - blockinfile:

+         path: /etc/zuul/zuul.conf

+         marker: "# {mark} zk tls"

+         insertafter: "^hosts=127.0.0.1:2181"

+         block: |

+           tls_cert=/etc/zuul/client.pem

+           tls_key=/etc/zuul/clientkey.pem

+           tls_ca=/etc/zuul/cacert.pem

+     - lineinfile:

+         path: /etc/zuul/zuul.conf

+         regexp: "^hosts=127.0.0.1"

+         line: hosts=localhost:2281

+     - blockinfile:

+         path: /etc/zuul/zuul.conf

+         block: |

+           [keystore]

+           password={{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=256') }}

+   become: true

+ 

  - name: Setup Ansible virtual environment for the Zuul executor

    shell: zuul-manage-ansible -u -r /var/lib/zuul/ansible-bin

    become_user: zuul
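Review bot: The `copy` of clientkey.pem sets `owner: zuul` but no `mode`, so the ZooKeeper client private key lands in /etc/zuul with whatever default Ansible's copy applies to a new file (typically 0644, world-readable); add `mode: '0600'` to that task, and `mode: '0644'` to the cert/CA copies for symmetry. The README.fedora instructions in this same change have the same gap (`chown zuul /etc/zuul/*.pem` with no chmod). The `[keystore]` password comes from `lookup('password', '/dev/null ...')`, which is regenerated on every run; if that secret protects keys Zuul persists in ZooKeeper, which the section name suggests but cannot be confirmed from here, re-running the play would leave earlier state undecryptable, so a comment such as `# test fixture: a fresh random keystore password is fine on every run` would make the intent explicit.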

file modified
+1 -1
@@ -1,6 +1,6 @@ 

  - hosts: localhost

    vars:

-     zookeeper_version: "3.6.1"

+     zookeeper_version: "3.6.3"

    tasks:

      - import_tasks: setup_zookeeper.yml

        tags:

file modified
+15 -19
@@ -1,6 +1,6 @@ 

  Name:           zuul

- Version:        3.19.1

- Release:        2%{?dist}

+ Version:        4.5.0

+ Release:        1%{?dist}

  Summary:        Trunk Gating System

  

  # The entire source code is ASL 2.0 except files under %%{python3_sitelib}/zuul/ansible which is GPLv3+
@@ -19,9 +19,8 @@ 

  Source10:       main.yaml

  

  Patch01:        0001-Remove-another-shebang-and-remove-useless-exec-bits.patch

- Patch02:        0001-requirements-add-explicit-reference-to-dateutil.patch

- Patch03:        0001-Replace-deprecated-Thread.isAlive-with-Thread.is_ali.patch

- Patch04:        0001-Update-cherrypy-and-cheroot-requirement-pinning.patch

+ Patch02:        0001-Revert-to-pyJWT-1.7.1.patch

+ Patch03:        0001-Fix-psycopg2-requirement.patch

  

  BuildArch:      noarch

  
@@ -71,10 +70,15 @@ 

  BuildRequires:  python3-graphene

  BuildRequires:  systemd

  BuildRequires:  ansible

+ BuildRequires:  python3-prometheus_client

+ BuildRequires:  python3-elasticsearch

+ BuildRequires:  python3-cheroot

+ 

+ 

  

  Provides:       bundled(ansible) = 2.9
fbo commented 2 years ago

Can it provide more versions?

  Provides:       bundled(ansible) = 2.8

- Provides:       bundled(ansible) = 2.7

+ #Provides:       bundled(ansible) = 2.7
fbo commented 2 years ago

Can be removed

  

  %description

  Zuul is a program that drives continuous integration, delivery,
@@ -152,14 +156,6 @@ 

  %description fingergw

  A gateway which provides finger protocol access to live streaming of logs.

  

- %package migrate

- Summary: Migrate zuul v2 and Jenkins Job Builder to Zuul v3

- Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}

- Requires: bubblewrap

- 

- %description migrate

- Migrate zuul v2 and Jenkins Job Builder to Zuul v3

- 

  %package doc

  Summary: Zuul documentation

  
@@ -189,7 +185,7 @@ 

  install -m 0644 %{SOURCE7} README.fedora

  # Fix 0001-Replace-deprecated-Thread.isAlive-with-Thread.is_ali.patch not fully apply

  # due to pypi archive removing the symlinks

- cp zuul/ansible/base/library/command.py zuul/ansible/2.7/library/

+ # cp zuul/ansible/base/library/command.py zuul/ansible/2.7/library/
fbo commented 2 years ago

can be removed

  cp zuul/ansible/base/library/command.py zuul/ansible/2.8/library/

  cp zuul/ansible/base/library/command.py zuul/ansible/2.9/library/

  
@@ -328,16 +324,16 @@ 

  %{_bindir}/zuul-fingergw

  %{_unitdir}/zuul-fingergw.service

  

- %files migrate

- %license LICENSE

- %{_bindir}/zuul-migrate

- 

  %files doc

  %license LICENSE

  %doc build/html README.fedora

  

  

  %changelog

+ * Thu Jun 17 2021 Matthieu Huin <mhuin@redhat.com> - 4.5.0-1

+ - Bump to 4.5.0

+ - Remove obsolete utility zuul-migrate, ansible 2.7

+ 

  * Tue Jan 26 2021 Matthieu Huin <mhuin@redhat.com> - 3.19.1-2

  - Fix incorrect static_path, enabling badges endpoint
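Review bot: The comment `# Fix 0001-Replace-deprecated-Thread.isAlive-with-Thread.is_ali.patch not fully apply` now refers to a patch this change removes from the Patch list, so the two remaining `cp ... command.py` lines are left with a stale justification; if they are still needed because the PyPI sdist lacks the zuul/ansible/<ver>/library symlinks (as the second comment line says), reword the comment to `# The PyPI sdist drops the zuul/ansible/*/library symlinks; restore command.py by copying`. Patch02 `0001-Revert-to-pyJWT-1.7.1.patch` is a downstream-only API downgrade (it switches jwt.decode back to the `verify=False` keyword and adds `.decode('utf-8')` on the encoded token), and nothing in the spec says why it is carried; a one-line comment above it, presumably `# Fedora 34 ships python3-jwt 1.7.1; upstream 4.5.0 targets pyJWT 2.x`, would keep a later maintainer from dropping it too early or keeping it too long. Whether the three new BuildRequires need matching runtime Requires, or the spec relies on the Python dependency generator, is not visible in this hunk.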

  


Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Fix README, bump zk to 3.6.3, remove obsolete zuul-migrate
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Fix wrong changelog date
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Fix psycopg2 dependency, add tls config for zookeeper in tests
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • remove unknown var ansible_user
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • tests: add zookeeper TLS configuration
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Tests: fix zk certs ownership for zuul config
2 years ago

1 new commit added

  • fix bad character escaping
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Fix and document zookeeper configuration for zuul
2 years ago

Build succeeded.

1 new commit added

  • Add missing dependencies
2 years ago

Can it provides more version ?

Can be removed

can be removed