Metadata-Version: 2.1
Name: koji
Version: 1.32.0
Summary: Koji is a system for building and tracking RPMS. The base package contains shared libraries and the command-line interface.
Home-page: http://pagure.io/koji/
Author: Koji developers
Author-email: koji-devel@lists.fedorahosted.org
License: LGPLv2 and GPLv2+
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)
Classifier: Natural Language :: English
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Operating System :: POSIX :: Linux
Classifier: Topic :: Utilities
Requires-Python: >=2.7
Description-Content-Type: text/markdown
License-File: COPYING
Requires-Dist: python-dateutil
Requires-Dist: requests
Requires-Dist: requests-gssapi
Requires-Dist: six

koji - RPM building and tracking system
=======================================

Koji is an RPM-based build system. The Fedora Project uses Koji for [their build system](https://koji.fedoraproject.org/koji/), as do [several other projects](https://fedoraproject.org/wiki/Koji/RunsHere).

Koji's goal is to provide a flexible, secure, and reproducible way to build software.

Key features:

* New buildroot for each build
* Robust XML-RPC APIs for easy integration with other tools
* Web interface with SSL and Kerberos authentication
* Thin, portable command line client
* Users can create local buildroots
* Buildroot contents are tracked in the database
* Versioned data

Communicate
-----------

* Comments, questions, bugs, feedback, ideas, help requests? We'd love to hear from you.
* Mailing lists:
    * Development: [koji-devel AT lists.fedorahosted.org](https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/)
    * User discussion and Fedora-specific topics: [buildsys AT lists.fedoraproject.org](https://lists.fedoraproject.org/archives/list/buildsys@lists.fedoraproject.org/)
* IRC chat: #koji on [libera.chat](https://libera.chat/)

Bugs/RFEs
---------

If you have found a bug or would like to request a new feature, please [report an issue in Pagure](https://pagure.io/koji/issues).

Download
--------

The koji source code can be downloaded with git via:

    git clone https://pagure.io/koji.git

You may browse code at https://pagure.io/koji

Archived releases can be found at https://pagure.io/koji/releases

Documentation
-------------

See: https://docs.pagure.org/koji/


Related Software
----------------

* [Mock](https://fedoraproject.org/wiki/Projects/Mock): The tool Koji uses to generate buildroots
* [Yum](http://yum.baseurl.org/)
* [Pungi](https://pagure.io/pungi): Use Pungi to "compose" Koji builds into highly customizable Yum repositories.
* [Koji Tools](https://pagure.io/koji-tools): Various utilities for Koji
* [Kojiji](https://github.com/release-engineering/kojiji): Koji Java Interface
* [txkoji](https://github.com/ktdreyer/txkoji): Async interface to Koji, using Twisted
* [koji-hs](https://hackage.haskell.org/package/koji): Koji Haskell Interface



## KylinSSO Configuration

Server Side:

**IMPORTANT: For KylinSSO work properly, Extended mod_auth_openidc required. general mod_auth_openidc will not work with KylinSSO. customization mod_auth_openidc Please Contact ZhaoYu Jiang <jiangzhaoyu@kylinos.cn>**

**Keycloak Configuration and KylinSSO Configuration CAN NOT ENABLE BOTH!!!!!!!**

/etc/httpd/conf.d/kojiweb.conf, Example:

```
<VirtualHost *:80>
    OIDCXForwardedHeaders X-Forwarded-Proto
    OIDCXForwardedHeaders X-Forwarded-Port
    OIDCProviderTokenEndpoint https://sso-test.kylinos.cn:9000/oauth2/token
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCProviderUserInfoEndpoint https://sso-test.kylinos.cn:9000/oauth2/getUserInfo
    OIDCUserInfoTokenMethod get_param
    OIDCProviderEndSessionEndpoint https://sso-test.kylinos.cn:9000/oauth2/logout
    OIDCProviderAuthorizationEndpoint https://sso-test.kylinos.cn:9000/oauth2/authorize
    OIDCProviderAuthRequestMethod GET
    OIDCProviderIssuer http://sso.com/
    OIDCOAuthAcceptTokenAs "cookie:kylinsso_token"
    OIDCSessionType client-cookie:persistent:store_id_token
    OIDCResponseType code
    OIDCIDTokenIatSlack 3600
    OIDCScope "openid"
    OIDCClientID koji
    OIDCClientSecret 123456
    OIDCCryptoPassphrase 123456
    OIDCRedirectURI https://test-buildsystem.kylinos.cn/koji/login/redirect_uri
    OIDCUserInfoRefreshInterval 3600
    OIDCSSLValidateServer off
    OIDCPassClaimsAs both
    OIDCPassIDTokenAs serialized
    <Location /koji>
        AuthType openid-connect
        Require valid-user
        #LogLevel debug
    </Location>

    <Location /koji/login>
        AuthType openid-connect
        Require valid-user
        #LogLevel debug
    </Location>
</VirtualHost>
```

For KylinSSO, OIDCProviderIssuer/OIDCClientID/OIDCClientSecret/\*Endpoint\*/OIDCRedirectURI For Production Line Need to Confirm with HuaHua <huahua@kylinos.cn>.

/etc/koji-hub/hub.conf, Example:

```
WebAuthType=kylinsso
KylinSSOAuthURL=https://sso-test.kylinos.cn:9000/oauth2
KylinSSOAuthPublicKeyFile=/etc/pki/koji/kylinsso/sso_public_key.pem
KylinSSOClientID=koji
KylinSSOClientSecret=123456
```

KylinSSOAuthPublicKeyFile Please Contact with ZhaoYu Jiang <jiangzhaoyu@kylinos.cn>, ClientID, ClientSecret and SSOAuthURL comply with /etc/httpd/conf.d/kojiweb.conf

/etc/kojiweb/web.conf, Example:

```
WebAuthType = kylinsso
KylinSSOAuthURL = https://sso-test.kylinos.cn:9000/oauth2
KylinSSOClientID = koji
KylinSSORedirectURI = https://test-buildsystem.kylinos.cn/koji/
```

Client Side:

/etc/koji.conf

```
authtype=kylinsso
```

Only authtype comply with kylinsso will enable kylinsso authentication. Koji Client will get current shell user by default to login if user params not given. password also.

## RPM Download Tracking & SSO Configuration

This feature enables tracking of RPM downloads via SSO authentication and logging.

### Prerequisites

*   `mod_auth_openidc` module for Apache.
*   `requests` python library installed on the Koji Web server (`yum install python3-requests`).
*   The `sso_wrapper.py` script installed to `/var/www/cgi-bin/`.

### Configuration

Add the following to your `/etc/httpd/conf.d/kojiweb.conf`:

```apache
# ========================================================
# Enable CGI Support for the wrapper script
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI
    AddHandler cgi-script .py
    Require all granted
</Directory>

# =============================================================
# OAuth Verification Configuration -> Points to local wrapper
# =============================================================
OIDCOAuthIntrospectionEndpoint http://127.0.0.1/cgi-bin/sso_wrapper.py

# Authentication Method: None (Parameters passed via URL)
OIDCOAuthIntrospectionEndpointAuth none
OIDCOAuthIntrospectionEndpointMethod GET
OIDCOAuthRemoteUserClaim username
OIDCOAuthTokenExpiryClaim exp
OIDCOAuthTokenIntrospectionInterval 60
OIDCSSLValidateServer off
OIDCOAuthSSLValidateServer off

# Protect the RPM packages directory
<Location /kojifiles/packages/>
    AuthType auth-openidc
    Require valid-user
</Location>

# Logging Configuration
OIDCRemoteUserClaim preferred_username
SetEnvIfNoCase Request_URI "\.rpm$" is_rpm_download
LogFormat "%t %h %u \"%r\" %>s %b" rpm_log_format

# Log RPM downloads separately
CustomLog "logs/rpm_downloads_log" rpm_log_format env=is_rpm_download
CustomLog "logs/access_log" combined env=!is_rpm_download
```

### SSO Wrapper Script

The `sso_wrapper.py` script (located in `www/cgi-bin/` in source) handles token introspection against the Kylin SSO service. Ensure it is executable (`chmod +x`).


