enable SSL client certificate authentication for kojid

builder/Makefile

@@ -25,4 +25,5 @@ install:
 	mkdir -p $(DESTDIR)/etc/sysconfig
 	install -p -m 644 kojid.sysconfig $(DESTDIR)/etc/sysconfig/kojid
 
-	install -p -m 644 kojid.conf $(DESTDIR)/etc/kojid.conf
+	mkdir -p $(DESTDIR)/etc/kojid
+	install -p -m 644 kojid.conf $(DESTDIR)/etc/kojid/kojid.conf

builder/kojid

@@ -2270,7 +2270,7 @@ def get_options():
     parser = OptionParser()
     parser.add_option("-c", "--config", dest="configFile",
                       help="use alternate configuration file", metavar="FILE",
-                      default="/etc/kojid.conf")
+                      default="/etc/kojid/kojid.conf")
     parser.add_option("--user", help="specify user")
     parser.add_option("--password", help="specify password")
     parser.add_option("-f", "--fg", dest="daemon",
@@ -2327,10 +2327,13 @@ def get_options():
                 'from_addr': 'Koji Build System <buildsys@example.com>',
                 'krb_principal': None,
                 'host_principal_format': 'compile/%s@EXAMPLE.COM',
-                'keytab': '/etc/kojid.keytab',
+                'keytab': '/etc/kojid/kojid.keytab',
                 'server': None,
                 'user': None,
-                'password': None}
+                'password': None,
+                'cert': '/etc/kojid/client.crt',
+                'ca': '/etc/kojid/clientca.crt',
+                'serverca': '/etc/kojid/serverca.crt'}
     if config.has_section('kojid'):
         for name, value in config.items('kojid'):
             if name in ['sleeptime', 'maxjobs', 'minspace']:
@@ -2343,7 +2346,7 @@ def get_options():
             else:
                 quit("unknown config option: %s" % name)
     for name, value in defaults.items():
-        if getattr(options, name) is None:
+        if getattr(options, name, None) is None:
             setattr(options, name, value)
 
     #make sure workdir exists
@@ -2380,13 +2383,13 @@ if __name__ == "__main__":
 
     #build session options
     session_opts = {}
-    for k in ('user','password','debug_xmlrpc', 'debug'):
+    for k in ('cert', 'ca', 'serverca', 'user','password','debug_xmlrpc', 'debug'):
         session_opts[k] = getattr(options,k)
     #start a session and login
     session = koji.ClientSession(options.server, session_opts)
-    if options.user:
+    if os.path.isfile(options.cert) or options.user:
         try:
-            #authenticate using user/password
+            # authenticate using SSL client cert or user/password
             session.login()
         except koji.AuthError:
             quit("Error: Unable to log in. Bad credentials?")

builder/kojid.conf

@@ -32,3 +32,14 @@
 
 ; The URL for the xmlrpc server
 server=http://hub.example.com/kojihub
+
+;configuration for SSL athentication
+
+;client certificate
+;cert = /etc/kojid/client.crt
+
+;certificate of the CA that issued the client certificate
+;ca = /etc/kojid/clientca.crt
+
+;certificate of the CA that issued the HTTP server certificate
+;serverca = /etc/kojid/serverca.crt

koji.spec

@@ -121,7 +121,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/kojid
 %{_initrddir}/kojid
 %config(noreplace) %{_sysconfdir}/sysconfig/kojid
-%config(noreplace) %{_sysconfdir}/kojid.conf
+%config(noreplace) %{_sysconfdir}/kojid/kojid.conf
 %attr(-,kojibuilder,kojibuilder) /etc/mock/koji
 
 %pre builder