Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package himmelblau for openSUSE:Factory checked in at 2025-11-26 17:14:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/himmelblau (Old) and /work/SRC/openSUSE:Factory/.himmelblau.new.14147 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "himmelblau" Wed Nov 26 17:14:35 2025 rev:38 rq:1320053 version:2.0.4+git.2.5d26a19 Changes: -------- --- /work/SRC/openSUSE:Factory/himmelblau/himmelblau.changes 2025-11-20 14:52:34.615941370 +0100 +++ /work/SRC/openSUSE:Factory/.himmelblau.new.14147/himmelblau.changes 2025-11-26 17:14:51.612732474 +0100 
@@ -1,0 +2,233 @@ +Mon Nov 24 19:58:32 UTC 2025 - David Mulder <[email protected]> + +- Resolve mode mismatch with Chromium package. + +------------------------------------------------------------------- +Thu Nov 20 20:19:52 UTC 2025 - David Mulder <[email protected]> + +- Update to version 2.0.4+git.2.5d26a19: + * deps(rust): bump the all-cargo-updates group with 13 updates + * Version 2.0.4 + * Update kanidm_build_profiles mask version + * Utilize cargo vet from main + * Add policies cache patch via systemd-tmpfiles + +------------------------------------------------------------------- +Thu Nov 20 17:39:46 UTC 2025 - David Mulder <[email protected]> + +- Update to version 2.0.3+git.4.4f6e025: + * Fix man page comments about change idmap_range + * Stub picky-krb for osc build + * Stub a kanidm_build_profiles which builds in osc + * Ensure nss cache is created on Ubuntu/Debian + * Request a user token if NSS hasn't been called + * Version 2.0.3 + * Add nss cache patch via systemd-tmpfiles + * Version 2.0.2 + * Recommend `patch` with the pam package + * Fix passwordless FIDO authentication not being used when available + * Git workflow updates for stable-2.x + * Only warn on Intune failure + * Version 2.0.1 + * Force o365 desktop files to always rebuild + * Always rebuild the o365 apps + * Add restart on-failure to systemd services + * Clarify `domain` SHOULD match login domain + * Remove warning about `domain` himmelblau.conf opt + * Pseudo eliminate multi-tenant and domains section + * Revert "Fix Hello PIN lookup when an alias domain" + * Comment out `KbdInteractiveAuthentication on` in sshd conf + * Check the nxset sooner, to avoid unwanted errors + * Recommend oddjob_mkhomedir with authselect + * Pin libhimmelblau to 0.7.x + * Deprecate Fedora 41 + * Cargo vet + * deps(rust): bump the all-cargo-updates group with 11 updates + * Bump github/codeql-action from 4.30.8 to 4.31.2 + * Bump cachix/install-nix-action from 31.8.1 to 31.8.2 + * Bump 
actions/upload-artifact from 4.6.2 to 5.0.0 + * cargo clippy and rebase fix + * fixup! add extra debug output to NotFound error code + * force error output to show up in CI logs + * wrap repeated sources of IdpError::NotFound in helper functions + * add extra debug output to NotFound error code + * use direnv for loading the nix devshell + * We should still encourage mapping by name + * Add support for Fedora 43 + * Provide a offline 'breakglass' mode + * cargo clippy + * Add warning about incorrect nsswitch configuration + * Distinguish between online and offline token fail + * Ensure user token uses original name + * Fix alias domain in auth result causing failure + * Resolve cargo clippy warnings + * Only map on cn name for the primary domain + * Install systemd in build scripts for gen service + * Fix systemd version parsing + * cargo vet + * Update libhimmelblau to 0.7.19 + * Resolve SELinux build failures in nightly (part 2) + * Rocky container image updates were failing + * Warn instead of error when no idmap_range specified + * deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates + * Trim whitespace from local group names + * Fix borrowing error + * Fix reference to local_sudo_group in condition + * Only run sudo_groups if local_groups does not contain local_sudo_group + * Leave SELinux in permissive mode for Himmelblau + * Resolve SELinux build failures in nightly + * nix: add join_type option to nixos-module settings + * Build host configuration changes + * Ensure that hsm_pin isn't present decrypted + * Document Soft HSM changes to TPM bound + * Disable SELinux by default on NixOS + * sh doesn't have `source` + * Encrypt hsm-pin using systemd-creds + * Recommend uuid id mapping + * Improve himmelblau.conf man page formatting + * Implement Local User Mapping + * Add o365 dependency for jq + * Add selinux rules for gdm login + * Narrow the scope of selinux policy with audit2allow + * Generate the systemd service files + * Fix 
selinux build for SLE16 + * Resolve SLE16 build dependency failure + * Fix the rawhide build + * Mask the sshkey-attest package + * Bump cachix/install-nix-action from 31.7.0 to 31.8.1 + * cargo vet dependency updates + * deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates + * Bump actions/dependency-review-action from 4.8.0 to 4.8.1 + * Bump cachix/install-nix-action from 31.7.0 to 31.8.0 + * Bump github/codeql-action from 3.30.5 to 4.30.8 + * Bump ossf/scorecard-action from 2.4.2 to 2.4.3 + * SELinux improvements + * Fix a typo in package gen scripts + * cargo fmt + * Permit NSS response for mapped primary fake group + * Fix Nix Error With Fuzz + * Decrease CI fuzzer setup time + * Document join types + * Support for Entra registered devices + * Run `cargo test` in a container + * Bump cachix/install-nix-action from 31.6.2 to 31.7.0 + * cargo vet + * deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates + * Bump github/codeql-action from 3.30.4 to 3.30.5 + * Use pastey crate instead of unmaintained paste + * cargo vet + * Pin unmaintained serde_cbor dep to serde_cbor_2 + * Resolve tower-http `cargo audit` warning + * Replace unmaintained fxhash with own version + * Resolve warning about workflow top level write permissions + * Remove dependabot automerge + * Resolve division by 0 in idmap code + * deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates + * [StepSecurity] ci: Harden GitHub Actions + * Only idmap against initialized domains + * Resolve invalid init of idmap with same domain + * Resolve division by 0 in idmap code + * Add fuzzing of idmap code + * Add basic fuzzing of the config options + * cargo clippy + * Resolve error found by fuzzing + * cargo vet prune + * deps(rust): bump regex in the all-cargo-updates group + * Bump actions/dependency-review-action from 4.7.3 to 4.8.0 + * Bump actions/checkout from 3.6.0 to 5.0.0 + * Bump cachix/cachix-action from 14 to 16 + * Bump 
ossf/scorecard-action from 2.4.0 to 2.4.2 + * Bump cachix/install-nix-action from 25 to 31 + * Add the OpenSSF Best Practices badge + * Add scorecard badge + * [StepSecurity] Apply security best practices + * Fix group static mapping + * Move aad-tool idmap cache clear to the idmap cmd + * Resolve errant "Hello key missing." messages + * Update flake.nix + * Slow the dependabot update frequency + * Audit dependabot updates + * deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates + * feat: Add support for aarch64 on Debian-based distributions + * Resolve possible invalid pointer dereferences + * Cargo clippy + * Cargo fmt + * Avoid revealing account ids in debug log + * Cause doc links to open in the correct apps + * Permit opening multiple instances of Word/Excel + * Modify systray and app close behavior + * Don't use questionably licensed icons for o365 + * Resolve NixOS CI failure + * Fix building w/out deprecated interactive feature + * Update himmelblau.conf.5 sudo_groups example + * Entra group based sudo access + * Audited the cargo updates + * deps(rust): bump the all-cargo-updates group with 6 updates + * Vet libhimmelblau + * Add `make vet` command + * Update deny.toml + * Remove incompatible licenses from deps + * Fix RHEL8 package signing + * Add SBOM generation + * Add an IRP checklist for security incidents + * Run the nixos build/release on the correct version + * Add crate dependency auditing on MR + * Add some exceptions + * Initialize cargo vet + * Remove in-tree kanidm dependencies + * Fix Hello PIN lookup when an alias domain + * Raise maximum group lookup from 100 to 999 + * Always work with lowercase account names + * Modify FUNDING.yml for funding sources + * Remove glib dependency + * deps(rust): bump the all-cargo-updates group with 10 updates + * Add CI check for licenses + * Update dependabot.yml to target all stable branches + * Add authselect module for Rocky/Fedora + * Recommend packages, instead of require + 
* Add a Contributing document + * Add a Code of Conduct + * add withSelinux flag to nix build, brings SELinux binaries into the build environment. + * deps(rust): bump tracing-subscriber in the cargo group + * Don't overwrite the himmelblau.conf on rpm upgrade + * Add help output to the Makefile + * Fix building packages with docker in root mode + * Update to latest libhimmelblau and identity_dbus_broker + * Make PRT SSO cookie via broker work as well for Edge + * Make broker work for Edge + * Generate Office 365 desktop apps + * Update README + * Add `make uninstall` command + * Remove the deprecated tests suite + * Himmelblau no longer has git submodules + * Make install using packages + * Add Debian 13 packages + * Generate Dockerfiles automatically + * Add SELinux configuration + * Himmelblau daemon requires system tss user + * Add cron dependency for Intune scripts + * Do not mangle /usr/etc configuration files + * Fix building packages with docker in root mode + * deps(rust): bump the all-cargo-updates group with 11 updates + * deps(rust): bump the all-cargo-updates group with 7 updates + * Add SLE16 (beta) build target + * Automatically append to nsswitch.conf in postinst + * Correct the RPM postinst script syntax + * Fix Kerberos credential cache permissions + * Set file owner and group before writing its content + * Create SECURITY.md + * deps(rust): bump the all-cargo-updates group with 6 updates + * Rev the dev version to 2.0.0 + * Ensure alias domains match when checking Intune device id + * Debian 12 doesn't support ConditionPathExists and notify-reload + * Write scripts policy to a readable directory + * Apply Intune policies right after enrollment + * Add more debug instrumentation + * Provide device_id to Intune enrollment if not cached + * Ensure nss cache directory is created during install + * Remove /var/cache/himmelblaud access from tasks daemon + * Resolve daemon startup absolute path warnings + * Delay Intune enrollment on Device Auth fail + 
* Do not leak the Intune IW service token in the logs + +------------------------------------------------------------------- Old: ---- himmelblau-1.4.2+git.0.52da279.tar.bz2 New: ---- himmelblau-2.0.4+git.2.5d26a19.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ himmelblau.spec ++++++ --- /var/tmp/diff_new_pack.DYoNWw/_old 2025-11-26 17:14:53.244801279 +0100 +++ /var/tmp/diff_new_pack.DYoNWw/_new 2025-11-26 17:14:53.248801448 +0100 @@ -16,8 +16,21 @@ # +%define chrome_nm_dir /etc/opt/chrome/native-messaging-hosts +%define chromium_nm_dir /etc/chromium/native-messaging-hosts +%define chrome_policy_dir /etc/opt/chrome/policies/managed +%define chromium_policy_dir /etc/chromium/policies/managed +%define chrome_ext_dir /usr/share/google-chrome/extensions + +# SELinux macros +%if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 +%define _selinux_sharedir /usr/share/selinux +%define _selinux_pkgdir %{_selinux_sharedir}/packages +%define _selinux_docdir %{_docdir}/himmelblau-selinux/selinux +%endif + Name: himmelblau -Version: 1.4.2+git.0.52da279 +Version: 2.0.4+git.2.5d26a19 Release: 0 Summary: Interoperability suite for Microsoft Azure Entra Id License: GPL-3.0-or-later 
@@ -40,24 +53,19 @@ BuildRequires: pam-devel BuildRequires: patchelf BuildRequires: pcre2-devel -BuildRequires: sqlite3-devel -BuildRequires: tpm2-0-tss-devel -%if 0%{?sle_version} > 150600 -BuildRequires: atk-devel -BuildRequires: cairo-devel -BuildRequires: gdk-pixbuf-devel -BuildRequires: gobject-introspection-devel -BuildRequires: gtk3-devel -BuildRequires: libsoup-devel -BuildRequires: libudev-devel -BuildRequires: mercurial -BuildRequires: pango-devel -BuildRequires: webkit2gtk3-devel +%if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 +BuildRequires: selinux-policy-devel %endif +BuildRequires: sqlite3-devel BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros +BuildRequires: tpm2-0-tss-devel ExclusiveArch: %{rust_tier1_arches} +Recommends: cron +Recommends: krb5 Recommends: libnss_himmelblau2 Recommends: pam-himmelblau +Requires: system-user-tss Provides: aad-cli Provides: aad-common Provides: authd @@ -75,8 +83,9 @@ Summary: Azure Entra Id authentication PAM module Requires: %{name} = %{version} Provides: libpam-aad -Suggests: himmelblau-sshd-config Suggests: himmelblau-qr-greeter +Recommends: authselect +Recommends: (oddjob-mkhomedir if authselect) %description -n pam-himmelblau Himmelblau is an interoperability suite for Microsoft Azure Entra Id, @@ -99,6 +108,7 @@ %package -n himmelblau-sshd-config Summary: Azure Entra Id SSHD Configuration Requires: %{name} = %{version} +Supplements: (pam-himmelblau and openssh-server) Requires: openssh-server BuildRequires: openssh-server BuildArch: noarch 
@@ -109,58 +119,72 @@ Entra Id credentials. %package -n himmelblau-sso -Summary: Azure Entra Id Firefox SSO Configuration +Summary: Azure Entra Id Browser SSO Requires: %{name} = %{version} -Requires: MozillaFirefox +Supplements: (MozillaFirefox and himmelblau) +Supplements: (chromium and himmelblau) +Supplements: (google-chrome-stable and himmelblau) +Supplements: (microsoft-edge-stable and himmelblau) Provides: linux-entra-sso +# This is a hint, enabling users to call `zypper in intune-portal`, and receive +# the expected himmelblau+intune+sso capabilities. +Provides: intune-portal # This is necessary to prevent users from installing Himmelblau SSO along side # Microsoft's Broker, as these will conflict. Provides: microsoft-identity-broker %description -n himmelblau-sso -Himmelblau is an interoperability suite for Microsoft Azure Entra Id, -which allows users to sign into a Linux machine using Azure -Entra Id credentials. +Himmelblau SSO provides Azure Entra Id browser single sign-on via +Firefox, Chromium, Google Chrome, and Microsoft Edge (where installed), +using native messaging and managed browser policies. %package -n himmelblau-qr-greeter Summary: Azure Entra Id DAG URL QR code GNOME Shell extension Requires: gnome-shell >= 45 +Supplements: (pam-himmelblau and gnome-shell) BuildArch: noarch %description -n himmelblau-qr-greeter GNOME Shell extension that adds a QR code to authentication prompts when a MS DAG URL is detected. 
-%post -n libnss_himmelblau2 -p /sbin/ldconfig %postun -n libnss_himmelblau2 -p /sbin/ldconfig %prep %autosetup -a1 -install -D -m 644 %{SOURCE2} .cargo/config %build -# Dependencies for interative Hello PIN changes aren't present prior to 15.6 -%if 0%{?sle_version} <= 150600 -%{cargo_build} -%else -%{cargo_build} --features interactive +make rpm-servicefiles +%if !(0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000) +export HIMMELBLAU_ALLOW_MISSING_SELINUX=1 %endif +%{cargo_build} --workspace --exclude himmelblau-fuzz %check - -%{cargo_test} +%if !(0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000) +export HIMMELBLAU_ALLOW_MISSING_SELINUX=1 +%endif +%{cargo_test} --workspace --exclude himmelblau-fuzz %install -install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau -cp src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf +# NSS cp target/release/libnss_%{name}.so target/release/libnss_%{name}.so.2 install -D -d -m 0755 %{buildroot}/%{_libdir} strip --strip-unneeded target/release/libnss_himmelblau.so.2 patchelf --set-soname libnss_himmelblau.so.2 target/release/libnss_himmelblau.so.2 install -m 0755 target/release/libnss_%{name}.so.2 %{buildroot}/%{_libdir} +install -Dm 0644 src/nss/src/nss-himmelblau.tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/nss-himmelblau.conf + +# PAM install -D -d -m 0755 %{buildroot}/%{_pam_moduledir} strip --strip-unneeded target/release/libpam_himmelblau.so install -m 0755 target/release/libpam_%{name}.so %{buildroot}/%{_pam_moduledir}/pam_%{name}.so +install -D -d -m 0755 %{buildroot}%{_datadir}/authselect/vendor/himmelblau +install -m 644 platform/el/authselect/* %{buildroot}%{_datadir}/authselect/vendor/himmelblau/ + +# Daemons, etc +install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau +cp src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf install -D -d -m 0755 %{buildroot}%{_sbindir} strip --strip-unneeded target/release/himmelblaud strip 
--strip-unneeded target/release/himmelblaud_tasks 
@@ -177,50 +201,178 @@ strip --strip-unneeded target/release/aad-tool install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir} install -D -d -m 0755 %{buildroot}%{_unitdir} -install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud.service %{buildroot}%{_unitdir}/himmelblaud.service -install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud-tasks.service %{buildroot}%{_unitdir}/himmelblaud-tasks.service +install -m 0644 platform/opensuse/himmelblaud.service %{buildroot}%{_unitdir}/himmelblaud.service +install -m 0644 platform/opensuse/himmelblaud-tasks.service %{buildroot}%{_unitdir}/himmelblaud-tasks.service install -D -d -m 0755 %{buildroot}%{_datarootdir}/dbus-1/services -install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/com.microsoft.identity.broker1.service %{buildroot}%{_datarootdir}/dbus-1/services/ +install -m 0644 platform/opensuse/com.microsoft.identity.broker1.service %{buildroot}%{_datarootdir}/dbus-1/services/ install -D -d -m 0755 %{buildroot}%{_sysconfdir}/ssh/sshd_config.d -install -m 0644 %{_builddir}/%{name}-%{version}/platform/el/sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf +install -m 0644 platform/el/sshd_config %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/himmelblau.conf install -D -d -m 0755 %{buildroot}%{_sysconfdir}/krb5.conf.d -install -m 0644 %{_builddir}/%{name}-%{version}/src/config/krb5_himmelblau.conf %{buildroot}%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf +install -m 0644 src/config/krb5_himmelblau.conf %{buildroot}%{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf install -d -m 0600 %{buildroot}%{_localstatedir}/cache/himmelblau-policies +install -Dm 0644 src/config/gdm3_service_override.conf %{buildroot}%{_unitdir}/display-manager.service.d/override.conf +%if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 +install -Dm 0644 target/release/himmelblaud.pp %{buildroot}%{_selinux_pkgdir}/himmelblaud.pp +install -Dm 0644 
src/selinux/src/himmelblaud.te %{buildroot}%{_selinux_docdir}/himmelblaud.te +install -Dm 0644 src/selinux/src/himmelblaud.fc %{buildroot}%{_selinux_docdir}/himmelblaud.fc +%endif -# Firefox Single Sign On +# Single Sign On strip --strip-unneeded target/release/linux-entra-sso install -m 0755 target/release/linux-entra-sso %{buildroot}/%{_bindir}/linux-entra-sso install -D -d -m 0755 %{buildroot}%{_libdir}/mozilla/native-messaging-hosts -install -m 0644 %{_builddir}/%{name}-%{version}/src/sso/src/firefox/linux_entra_sso.json %{buildroot}%{_libdir}/mozilla/native-messaging-hosts/ +install -m 0644 src/sso/src/firefox/linux_entra_sso.json %{buildroot}%{_libdir}/mozilla/native-messaging-hosts/ install -D -d -m 0755 %{buildroot}%{_sysconfdir}/firefox/policies -install -m 0644 %{_builddir}/%{name}-%{version}/src/sso/src/firefox/policies.json %{buildroot}%{_sysconfdir}/firefox/policies/ +install -m 0644 src/sso/src/firefox/policies.json %{buildroot}%{_sysconfdir}/firefox/policies/ +install -D -d -m0755 %{buildroot}%{chrome_nm_dir} +install -D -d -m0755 %{buildroot}%{chromium_nm_dir} +install -D -d -m0755 %{buildroot}%{chrome_ext_dir} +install -D -d -m0755 %{buildroot}%{chrome_policy_dir} +install -D -d -m0755 %{buildroot}%{chromium_policy_dir} +install -m 0644 src/sso/src/chrome/linux_entra_sso.json %{buildroot}%{chrome_nm_dir} +install -m 0644 src/sso/src/chrome/linux_entra_sso.json %{buildroot}%{chromium_nm_dir} +install -m 0644 src/sso/src/chrome/extension.json %{buildroot}%{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json +install -m 0644 src/sso/src/chrome/policies.json %{buildroot}%{chrome_policy_dir}/himmelblau.json +install -m 0644 src/sso/src/chrome/policies.json %{buildroot}%{chromium_policy_dir}/himmelblau.json +install -m 0755 src/o365/src/o365.sh %{buildroot}/%{_bindir}/o365 +install -m 0755 src/o365/src/o365-multi.sh %{buildroot}/%{_bindir}/o365-multi +install -m 0755 src/o365/src/o365-url-handler.sh %{buildroot}/%{_bindir}/o365-url-handler +install -D 
-d -m 0755 %{buildroot}%{_datadir}/applications/ +install -m 0644 src/o365/generated/*.desktop %{buildroot}%{_datadir}/applications/ +%{!?_iconsdir:%global _iconsdir %{_datadir}/icons} +install -D -d -m 0755 %{buildroot}%{_iconsdir}/hicolor/256x256/apps/ +install -m 0644 src/o365/src/*.png %{buildroot}%{_iconsdir}/hicolor/256x256/apps/ # Man pages install -D -d -m 0755 %{buildroot}%{_mandir}/man1 install -D -d -m 0755 %{buildroot}%{_mandir}/man5 install -D -d -m 0755 %{buildroot}%{_mandir}/man8 -install -m 0644 %{_builddir}/%{name}-%{version}/man/man1/aad-tool.1 %{buildroot}%{_mandir}/man1/ -install -m 0644 %{_builddir}/%{name}-%{version}/man/man5/himmelblau.conf.5 %{buildroot}%{_mandir}/man5/ -install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud.8 %{buildroot}%{_mandir}/man8/ -install -m 0644 %{_builddir}/%{name}-%{version}/man/man8/himmelblaud_tasks.8 %{buildroot}%{_mandir}/man8/ +install -m 0644 man/man1/aad-tool.1 %{buildroot}%{_mandir}/man1/ +install -m 0644 man/man5/himmelblau.conf.5 %{buildroot}%{_mandir}/man5/ +install -m 0644 man/man8/himmelblaud.8 %{buildroot}%{_mandir}/man8/ +install -m 0644 man/man8/himmelblaud_tasks.8 %{buildroot}%{_mandir}/man8/ # QR Greeter install -D -d -m 0755 %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected] -install -m 0644 %{_builddir}/%{name}-%{version}/src/qr-greeter/src/[email protected]/extension.js %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ -install -m 0644 %{_builddir}/%{name}-%{version}/src/qr-greeter/src/[email protected]/metadata.json %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ -install -m 0644 %{_builddir}/%{name}-%{version}/src/qr-greeter/src/[email protected]/stylesheet.css %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ -install -m 0644 %{_builddir}/%{name}-%{version}/src/qr-greeter/src/msdag.png %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ +install -m 0644 src/qr-greeter/src/[email 
protected]/extension.js %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ +install -m 0644 src/qr-greeter/src/[email protected]/metadata.json %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ +install -m 0644 src/qr-greeter/src/[email protected]/stylesheet.css %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ +install -m 0644 src/qr-greeter/src/msdag.png %{buildroot}%{_datarootdir}/gnome-shell/extensions/[email protected]/ %pre %service_add_pre himmelblaud.service himmelblaud-tasks.service %post +gen_pin_hex() { + if command -v openssl >/dev/null 2>&1; then + openssl rand -hex 24 | tr -d '\n' + else + head -c 24 /dev/urandom | od -An -t x1 | tr -d ' \n' + fi +} + +if command -v systemd-creds >/dev/null 2>&1; then + # Migrate the hsm-pin to a TPM bound cred (where a TPM is available) + LEGACY=/var/lib/private/himmelblaud/hsm-pin + CRED=/var/lib/private/himmelblaud/hsm-pin.enc + + if [ ! -f $CRED ]; then + # Generate a new PIN if one doesn't exist, otherwise use the existing one + if [ ! -f $LEGACY ]; then + HSM_PIN=$(gen_pin_hex) + else + echo "Migrating existing HSM-PIN to encrypted credential" + HSM_PIN=$(cat $LEGACY) + fi + + # Encrypt the PIN + install -d -m 755 /var/lib/private/himmelblaud + printf '%s' "$HSM_PIN" | systemd-creds encrypt --name=hsm-pin --with-key=auto --tpm2-device=auto - "$CRED" && (rm -f $LEGACY || true) + fi +fi + +if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then + if semodule -i /usr/share/selinux/packages/himmelblaud.pp; then + semanage fcontext -a -t himmelblau_var_cache_t '/var/cache/himmelblaud' + #restorecon -v -h /var/cache/himmelblaud + TARGET="$(readlink -f /var/cache/himmelblaud)" + semanage fcontext -a -t himmelblau_var_cache_t "${TARGET}(/.*)?" 
+ #restorecon -Rv "${TARGET}" + + # Relabel installed binaries (fc covers /usr/bin and /usr/sbin) /usr/sbin/himmelblaud /usr/sbin/himmelblaud_tasks + restorecon -Fv /usr/sbin/himmelblaud /usr/sbin/himmelblaud_tasks || : + + # Relabel existing dirs only (DynamicUser will create cache dirs on first start) + [ -d /etc/himmelblau ] && restorecon -RFv /etc/himmelblau || : + [ -d /run/himmelblaud ] && restorecon -RFv /run/himmelblaud || : + [ -d /var/cache/private/himmelblaud ] && restorecon -RFv /var/cache/private/himmelblaud || : + [ -d /var/cache/himmelblaud ] && restorecon -RFv /var/cache/himmelblaud || : + [ -d /var/cache/nss-himmelblau ] && restorecon -RFv /var/cache/nss-himmelblau || : + + # /var/lib/himmelblaud is a systemd DynamicUser symlink to /var/lib/private/himmelblaud + semanage fcontext -a -t himmelblau_var_lib_t '/var/lib/himmelblaud' + #restorecon -v -h /var/lib/himmelblaud + LIBTARGET="$(readlink -f /var/lib/himmelblaud || true)" + [ -n "$LIBTARGET" ] && semanage fcontext -a -t himmelblau_var_lib_t "${LIBTARGET}(/.*)?" + # If the private dir already exists (e.g. after a previous run), relabel it + [ -d "$LIBTARGET" ] && restorecon -RFv "$LIBTARGET" || : + fi +fi + %service_add_post himmelblaud.service himmelblaud-tasks.service +%post -n libnss_himmelblau2 +/sbin/ldconfig + +handle_nsswitch_conf() { + conf=$1 + sed -i '/^passwd:/ {/himmelblau/! s/$/ himmelblau/}' $conf + sed -i '/^group:/ {/himmelblau/! s/$/ himmelblau/}' $conf + sed -i '/^shadow:/ {/himmelblau/! 
s/$/ himmelblau/}' $conf +} + +etc_nsswitch_conf="/etc/nsswitch.conf" +usr_etc_nsswitch_conf="/usr/etc/nsswitch.conf" +if [ -f $etc_nsswitch_conf ]; then + handle_nsswitch_conf $etc_nsswitch_conf +elif [ -f $usr_etc_nsswitch_conf ]; then + cp $usr_etc_nsswitch_conf $etc_nsswitch_conf + handle_nsswitch_conf $etc_nsswitch_conf +fi + +# Ensure cache directory is created immediately after installation, ignoring failures +systemd-tmpfiles --create /usr/lib/tmpfiles.d/nss-himmelblau.conf 2>/dev/null || systemd-tmpfiles --create /usr/lib/x86_64-linux-gnu/tmpfiles.d/nss-himmelblau.conf 2>/dev/null || true + +%post -n pam-himmelblau +if command -v authselect >/dev/null 2>&1; then + feats="$(authselect current 2>/dev/null | awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"')" + authselect select himmelblau $feats --force >/dev/null 2>&1 || : + authselect apply-changes >/dev/null 2>&1 || : +fi + %preun %service_del_preun himmelblaud.service himmelblaud-tasks.service +%preun -n pam-himmelblau +# $1 is set by RPM: 0=uninstall, 1=upgrade. If your packager doesn’t pass it, we default to 0. +if [ "${1:-0}" -ne 0 ]; then exit 0; fi # don’t switch on upgrade +if command -v authselect >/dev/null 2>&1; then + if authselect current 2>/dev/null | grep -qE "^Profile ID:\s+himmelblau$"; then + if [ -d /usr/share/authselect/default/local ]; then base=local + elif [ -d /usr/share/authselect/default/minimal ]; then base=minimal + else base=sssd; fi + feats="$(authselect current 2>/dev/null | awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"')" + authselect select "$base" $feats --force >/dev/null 2>&1 || : + authselect apply-changes >/dev/null 2>&1 || : + fi +fi + %postun +if [ "$1" -eq 0 ]; then + if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then + semodule -r himmelblaud || : + fi +fi %service_del_postun himmelblaud.service himmelblaud-tasks.service %files 
@@ -228,26 +380,39 @@ %dir %{_localstatedir}/cache/himmelblau-policies %config(noreplace) %{_sysconfdir}/himmelblau/himmelblau.conf %config %{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf +%dir %{_unitdir}/display-manager.service.d +%config %{_unitdir}/display-manager.service.d/override.conf %{_sbindir}/himmelblaud %{_sbindir}/rchimmelblaud %{_sbindir}/himmelblaud_tasks %{_sbindir}/rchimmelblaud_tasks -%{_sbindir}/broker -%{_sbindir}/rcbroker %{_bindir}/aad-tool %{_unitdir}/himmelblaud.service %{_unitdir}/himmelblaud-tasks.service -%{_datarootdir}/dbus-1/services/com.microsoft.identity.broker1.service %{_mandir}/man1/aad-tool.1* %{_mandir}/man5/himmelblau.conf.5* %{_mandir}/man8/himmelblaud.8* %{_mandir}/man8/himmelblaud_tasks.8* +%if 0%{?suse_version} > 1600 || 0%{?sle_version} >= 160000 +%{_selinux_pkgdir}/himmelblaud.pp +%dir %{_docdir}/himmelblau-selinux +%dir %{_selinux_docdir} +%{_selinux_docdir}/himmelblaud.te +%{_selinux_docdir}/himmelblaud.fc +%endif %files -n libnss_himmelblau2 %{_libdir}/libnss_%{name}.so.* +%dir %{_tmpfilesdir} +%{_tmpfilesdir}/nss-himmelblau.conf +%ghost %attr(0755,root,root) /var/cache/nss-himmelblau %files -n pam-himmelblau %{_pam_moduledir}/pam_%{name}.so +%dir %{_datadir}/authselect +%dir %{_datadir}/authselect/vendor +%dir %{_datadir}/authselect/vendor/himmelblau +%{_datadir}/authselect/vendor/himmelblau/* %files -n himmelblau-sshd-config # openssh-server doesn't own /etc/ssh/sshd_config.d before 15.5 
@@ -264,6 +429,36 @@ %dir %{_sysconfdir}/firefox %dir %{_sysconfdir}/firefox/policies %config %{_sysconfdir}/firefox/policies/policies.json +%{_sbindir}/broker +%{_sbindir}/rcbroker +%{_datarootdir}/dbus-1/services/com.microsoft.identity.broker1.service +%dir /etc/chromium +%dir /etc/chromium/native-messaging-hosts +%dir /etc/chromium/policies +%dir /etc/chromium/policies/managed +%dir /etc/opt/chrome +%dir /etc/opt/chrome/native-messaging-hosts +%dir /etc/opt/chrome/policies +%dir /etc/opt/chrome/policies/managed +%dir /usr/share/google-chrome +%dir %{chrome_nm_dir} +%dir %{chromium_nm_dir} +%dir %attr(0555,root,root) %{chrome_policy_dir} +%dir %attr(0555,root,root) %{chromium_policy_dir} +%dir %{chrome_ext_dir} +%config %{chrome_nm_dir}/linux_entra_sso.json +%config %{chromium_nm_dir}/linux_entra_sso.json +%config %{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json +%config %{chrome_policy_dir}/himmelblau.json +%config %{chromium_policy_dir}/himmelblau.json +%{_bindir}/o365 +%{_bindir}/o365-multi +%{_bindir}/o365-url-handler +%{_datadir}/applications/*.desktop +%dir %{_iconsdir}/hicolor +%dir %{_iconsdir}/hicolor/256x256 +%dir %{_iconsdir}/hicolor/256x256/apps +%{_iconsdir}/hicolor/256x256/apps/*.png %files -n himmelblau-qr-greeter %dir %{_datarootdir}/gnome-shell ++++++ _service ++++++ --- /var/tmp/diff_new_pack.DYoNWw/_old 2025-11-26 17:14:53.280802796 +0100 +++ /var/tmp/diff_new_pack.DYoNWw/_new 2025-11-26 17:14:53.284802965 +0100 @@ -2,7 +2,7 @@ <service name="tar_scm" mode="manual"> <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param> <param name="scm">git</param> - <param name="revision">stable-1.x</param> + <param name="revision">stable-2.x</param> <param name="versionformat">@PARENT_TAG@+git.@TAG_OFFSET@.%h</param> <param name="versionrewrite-pattern">himmelblau-(.*)</param> <param name="versionrewrite-replacement">\1</param> 
@@ -24,9 +24,5 @@ <param name="srcdir">himmelblau</param> <param name="update">true</param> </service> - <service name="cargo_audit" mode="manual"> - <param name="srcdir">himmelblau</param> - <param name="lockfile">Cargo.lock</param> - </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.DYoNWw/_old 2025-11-26 17:14:53.304803808 +0100 +++ /var/tmp/diff_new_pack.DYoNWw/_new 2025-11-26 17:14:53.308803977 +0100 @@ -3,6 +3,6 @@ <param name="url">https://github.com/openSUSE/himmelblau.git</param> <param name="changesrevision">6d2f6450ff3c0c945a884d4b35307e03a035a581</param></service><service name="tar_scm"> <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param> - <param name="changesrevision">52da279cb3d24e70ab569bfd169d5feb9fb01c10</param></service></servicedata> + <param name="changesrevision">5d26a19e656f605e744e3a4ff9af48cc53eb936d</param></service></servicedata> (No newline at EOF) ++++++ himmelblau-1.4.2+git.0.52da279.tar.bz2 -> himmelblau-2.0.4+git.2.5d26a19.tar.bz2 ++++++ ++++ 26071 lines of diff (skipped) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/himmelblau/vendor.tar.zst /work/SRC/openSUSE:Factory/.himmelblau.new.14147/vendor.tar.zst differ: char 7, line 1
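Review bot: the `.changes` hunk does not record the two packaging-level changes made in this same request, the `_service` switch from `stable-1.x` to `stable-2.x` and the removal of the `cargo_audit` service; add a line for each under the 2025-11-24 entry so the Factory history explains why the audit step disappeared. The entry `- Resolve mode mismatch with Chromium package.` should also name what was changed (if it refers to the new `%dir %attr(0555,root,root) %{chromium_policy_dir}` entries in `%files`, say so), since the upstream commit list gives no hint.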
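Review bot: in the spec header hunk, `%define _selinux_docdir %{_docdir}/himmelblau-selinux/selinux` places the `.te`/`.fc` sources under a docdir named for a `himmelblau-selinux` subpackage that this spec never defines; the files are listed in the main package's `%files`. Either use `%{_docdir}/%{name}/selinux` or actually split the policy into a subpackage. The five `chrome_*`/`chromium_*` macros are fine, but the `%files` section later lists the same paths both literally and through the macros (see the note on that hunk), so one of the two spellings should go.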
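Review bot: the `-Suggests: himmelblau-sshd-config` line removed from pam-himmelblau is replaced by `+Supplements: (pam-himmelblau and openssh-server)` on the sshd-config package, which makes zypper pull the `sshd_config.d/himmelblau.conf` drop-in onto every host that has both, i.e. a package install now changes sshd's authentication settings without an explicit administrator choice. That is a stronger relationship than the old `Suggests`; please confirm it is intended, and if so note it in the `.changes`, since admins who manage sshd themselves will otherwise be surprised by the new drop-in after an upgrade.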
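Review bot: in the himmelblau-sso hunk, the four `Supplements: (... and himmelblau)` lines mean that installing himmelblau on any machine with Firefox, Chromium, Chrome or Edge automatically installs managed browser policies (`/etc/firefox/policies/policies.json`, `%{chrome_policy_dir}/himmelblau.json`, `%{chromium_policy_dir}/himmelblau.json`) that take precedence over user browser settings. Confirm that users who only want PAM/NSS login should get this by default; a `Recommends: himmelblau-sso` from the main package would keep it one click away without forcing it. The unversioned `Provides: intune-portal` will also satisfy any `Requires: intune-portal` regardless of version, so consider adding a version to it.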
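Review bot: the awk quoting in the two new authselect scriptlets is broken as written. `awk '"'"'/Enabled features:/{f=1;next} f && /^-/{print $2}'"'"'` is the idiom for embedding a single quote inside an already single-quoted string; in a scriptlet run directly by /bin/sh it yields an awk program wrapped in literal quote characters, with `$2` expanded by the shell, so awk fails and `$feats` is always empty. The effect is that `authselect select himmelblau --force` and the `%preun` fallback to `$base` silently drop every enabled feature; write the program as a plain single-quoted string. In the same hunk: `%post -n pam-himmelblau` switching the whole PAM stack with `--force` on package install deserves a `.changes` mention; the `semanage fcontext -a` calls run again on every upgrade without `|| :` and will error once the contexts exist (use `-a ... || semanage fcontext -m ...`), and `%postun` runs `semodule -r` but never `semanage fcontext -d`, so the local customisations outlive the package; the `nsswitch.conf` edits in `%post -n libnss_himmelblau2` likewise have no `%postun` counterpart; and the hardcoded `/usr/lib/x86_64-linux-gnu/tmpfiles.d/` fallback is a Debian path, so with `systemd-rpm-macros` now in BuildRequires use `%tmpfiles_create nss-himmelblau.conf` instead.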
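Review bot: in the first `%files` hunk, `%config %{_unitdir}/display-manager.service.d/override.conf` marks a file under `/usr/lib` as a config file, which rpmlint will flag; drop `%config` there. The drop-in is also named `override.conf`, the name `systemctl edit` uses for the administrator's own override, which makes the packaged file easy to mistake for a local change; a package-specific name such as `himmelblau.conf` avoids that. `%dir %{_tmpfilesdir}` and `%dir %{_datadir}/authselect` claim directories owned by systemd and authselect respectively; if authselect stays a `Recommends`, owning `%{_datadir}/authselect/vendor/himmelblau` is enough.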
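Review bot: the second `%files` hunk lists several directories twice. `%dir /etc/opt/chrome/native-messaging-hosts` and `%dir %{chrome_nm_dir}` are the same path, and `%dir /etc/opt/chrome/policies/managed` and `%dir %attr(0555,root,root) %{chrome_policy_dir}` are the same path with different attributes (likewise for the chromium entries), so rpmbuild will warn "File listed twice" and which mode wins is unclear; keep the macro form with the intended `%attr` only. `%config %{chrome_ext_dir}/jlnfnnolkbjieggibinobhkjdfbpcohn.json` is a file under `/usr/share` and should not be `%config`. Moving `%{_sbindir}/broker`, `rcbroker` and the `com.microsoft.identity.broker1.service` D-Bus activation file from the main package into himmelblau-sso means an upgrade from 1.4.2 without the sso subpackage removes the broker; please verify nothing in the main package depends on it.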
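Review bot: the `_service` hunk removes the `cargo_audit` service, which was the only OBS-side advisory check on `Cargo.lock` for the vendored crates (`vendor.tar.zst` changes in this request); the `cargo vet` entries in the upstream changelog run in upstream CI, not at package build time. Keep the service (it is `mode="manual"`, so it costs nothing during a build) or record in the `.changes` why it was dropped.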
