Prepare repository for first release

Perform maintenance tasks:

* Update README.
* Remove unneeded files.
* Update copyright year.

Signed-off-by: Antonio Torres <[email protected]>

README.md

@@ -1,25 +1,34 @@
 <!---
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 -->
 
 # ipa-tuura
 
+[![Docker Repository on Quay](https://quay.io/repository/freeipa/ipa-tuura/status "Docker Repository on Quay")](https://quay.io/repository/freeipa/ipa-tuura)
+
 ipa-tuura is a bridge service that offers multiple Django apps for managing integration domains. Integration domains encompass identity and authentication realms, facilitating Create, Read, Update, and Delete (CRUD) operations for user and group identities, as well as user identity authentication methods. These apps provide REST API endpoints for various purposes:
 
 - **Administrative Endpoint (domains app)**: This app allows you to add and remove integration domains and perform client enrollment of the bridge service in the integration domain. It supports integration with FreeIPA, LDAP and Active Directory.
 
 - **SCIM v2 Endpoint (scim app)**: This app exposes endpoints following the [SCIMv2 specification](https://datatracker.ietf.org/doc/html/rfc7644) and it is based on the [django-scimv2 project](https://github.com/15five/django-scim2) and enables you to read and write user and group identities from/to an integration domain.
 
+- **Authentication Endpoint**: ipa-tuura exposes endpoints for performing both
+  GSSAPI-based authentication (`/bridge/login_kerberos`) and password-based
+  authentication (`/bridge/login_password`), using
+  identities provided provided by the integration domain. These endpoints return
+  a session cookie that can be used for further operations that require authentication.
+
 - **Credentials Validation (creds app)**: This app validates the presence and authenticity of specific user credentials from the enrolled integration domain.
 
 ## Quick Start
 
-The service is deployed as a systemd container. You can build a container image based on Fedora by following these commands:
+The service is deployed as a systemd container. You can build a container image
+based on CentOS Stream by following these commands:
 
 ```bash
-podman build -t fedora-bridge -f Containerfile.test .
+podman build -t centos-bridge -f Containerfile.test .
 ```
 
 Alternatively, you can also build a production-ready RHEL image based on the same source code. Note that you need a [Red Hat Developers](https://developers.redhat.com/) account for building the image, or any other RHEL subscription if you have one:
@@ -29,26 +38,26 @@ subscription-manager register --username <username> --password <password>
 podman build -t rhel-bridge -f prod/Containerfile .
 ```
 
-You can also opt for pre-built image from Quay.io: [quay.io/idmops/bridge](https://quay.io/repository/idmops/bridge)
+You can also opt for pre-built image from Quay.io: [quay.io/freeipa/ipa-tuura](https://quay.io/repository/freeipa/ipa-tuura)
 
 ## Usage
 
 The service can be deployed on a host using the following commands:
 
 ```bash
 setsebool -P container_manage_cgroup true
-podman run --name=bridge -d --privileged --dns <IP address> --add-host <host>:<IP address> -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname <hostname> quay.io/idmops/bridge
+podman run --name=bridge -d --privileged --dns <IP address> --add-host <host>:<IP address> -p 8000:8000 -p 3500:3500 -p 81:81 -p 443:443 --hostname <hostname> quay.io/freeipa/ipa-tuura
 ```
 * Where you need to provide host details such as:
-- DNS IP address: --dns ```<IP address>```
-- The integration domain host, so that the bridge service can resolve the name: --add-host ```<host>:<IP address>```
-- The hostname where the bridge is going to be deployed: --hostname ```<hostname>```
-- The container image: quay.io/idmops/bridge points to our official image, which is regularly updated by GitHub Actions on post merge request.
+- DNS IP address: `--dns <IP address>`
+- The integration domain host, so that the bridge service can resolve the name: `--add-host <host>:<IP address>`
+- The hostname where the bridge is going to be deployed: `--hostname <hostname>`
+- The container image: [quay.io/freeipa/ipa-tuura](https://quay.io/repository/freeipa/ipa-tuura), updated on every release.
 
 To enroll with an existing FreeIPA server, you can use the following CURL command:
 
 ```bash
-curl -k -X POST "https://bridge.ipa.test:443/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d @freeipa_integration_domain.json"
+curl -k -X POST "https://bridge.ipa.test/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d @freeipa_integration_domain.json"
 ```
 * Where `freeipa_integration_domain.json` is:
 ~~~
@@ -69,13 +78,13 @@ curl -k -X POST "https://bridge.ipa.test:443/domains/v1/domain/" -H "accept: app
 To un-enroll from an integration domain you can type:
 
 ```bash
-curl -k -X DELETE "https://bridge.ipa.test:4430/domains/v1/domain/1/" -H "accept: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw"
+curl -k -X DELETE "https://bridge.ipa.test/domains/v1/domain/1/" -H "accept: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw"
 ```
 
 The project also supports 389ds server:
 
 ```bash
-curl -k -X POST "https://bridge.ipa.test:443/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d @rhds_integration_domain.json"
+curl -k -X POST "https://bridge.ipa.test/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d @rhds_integration_domain.json"
 ```
 * Where `rhds_integration_domain.json` is:
 ~~~
@@ -96,7 +105,7 @@ curl -k -X POST "https://bridge.ipa.test:443/domains/v1/domain/" -H "accept: app
 and Active Directory:
 
 ```bash
-curl -k -X POST "https://bridge.ipa.test:4430/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d @ad_integration_domain.json"
+curl -k -X POST "https://bridge.ipa.test/domains/v1/domain/" -H "accept: application/json" -H "Content-Type: application/json" -H "X-CSRFToken: x1yU9RGPKs4mJdWIOzEc7wKbwbnJ0B6iTHuW6ja0gdBpEOBVacK1vIhSSYlfsnRw" -d @ad_integration_domain.json"
 ```
 * Where `ad_integration_domain.json` is:
 ~~~
@@ -117,17 +126,17 @@ curl -k -X POST "https://bridge.ipa.test:4430/domains/v1/domain/" -H "accept: ap
 Once the bridge service is enrolled to an integration domain, you can start using SCIMv2 app. Frist you need to get a cookie with simple authentication:
 
 ```bash
-curl -k -s -X POST --data 'username=scim&password=Secret123' -c /tmp/my.cookie -b csrftoken=XzLJ9NmZTQNQcXS6v3JCNUTnV6gFVorJ -H Accept:text/html -H Content-Type:application/x-www-form-urlencoded -H 'X-CSRFToken: XzLJ9NmZTQNQcXS6v3JCNUTnV6gFVorJ' -H referer:https://bridge.ipa.test:443/admin/login/ https://bridge.ipa.test:443/admin/login/
+curl -k -s -X POST --data 'username=scim&password=Secret123' -c /tmp/my.cookie -b csrftoken=XzLJ9NmZTQNQcXS6v3JCNUTnV6gFVorJ -H Accept:text/html -H Content-Type:application/x-www-form-urlencoded -H 'X-CSRFToken: XzLJ9NmZTQNQcXS6v3JCNUTnV6gFVorJ' -H referer:https://bridge.ipa.test:443/admin/login/ https://bridge.ipa.test/admin/login/
 ```
 * Where:
 ~~~
-bridge.ipa.test is the host that is running the bridge service.
+`bridge.ipa.test` is the host that is running the bridge service.
 ~~~
 
 and this is how you can add a user using a CURL command:
 
 ```bash
-curl -k --header 'Authorization: Basic ' -b /tmp/my.cookie -s --request POST --data @ipauser.json --header 'Content-Type: application/scim+json' https://bridge.ipa.test:443/scim/v2/Users
+curl -k --header 'Authorization: Basic ' -b /tmp/my.cookie -s --request POST --data @ipauser.json --header 'Content-Type: application/scim+json' https://bridge.ipa.test/scim/v2/Users
 ```
 * Where `@ipauser.json` is:
 ~~~
@@ -166,10 +175,22 @@ Once you deploy your Keycloak instance and install the plugin, you can navigate
 
 ![Keycloak integration domain](docs/images/keycloak_plugin_intg_domain_fields.png)
 
+As an example, we can authenticate in Nextcloud by using Keycloak through the
+[OpenID Connect user backend](https://apps.nextcloud.com/apps/user_oidc), as
+documented
+[here](https://www.schiessle.org/articles/2023/07/04/nextcloud-and-openid-connect/).
+Assuming there is an integration domain already added to Keycloak using
+ipa-tuura, we will be able to seamlessly authenticate using users from our
+provider. Additionally, GSSAPI authentication can be performed in case you have
+a valid Kerberos ticket available and your browser correctly configured:
+
+* Mozilla Firefox: add the realm to `network.negotiate-auth.trusted-uris` in
+`about:config`.
+* Google Chrome: run with `--auth-server-whitelist="<keycloak hostname>"` parameter.
+
 
 ## Existing limitations
 * The bridge can currently only handle user identities.
-* Authentication has not been implemented yet. A new end-point will be implemented to support GSSAPI authentication for the supported integration domains.
 * Only one integration domain is allowed per container. The domains app implements a singleton class allowing only one active integration domain. However, you can delete the existing one and enroll to a different system.
 * The bridge service is deployed as a privileged container; however, it is recommended to deploy it as non-privileged to follow best practices for container service deployment. This is because SSSD service is not currently rootless.
 
@@ -187,17 +208,17 @@ source ipatuura-env/bin/activate
 Install the requirements
 
 ```bash
-pip install -r $IPA_TUURA/src/install/requirements.txt
+pip install -r src/install/requirements.txt
 ```
 
 Apply migrations
 
 ```bash
-cd $IPA_TUURA/src/ipa-tuura
+cd src/ipa-tuura
 python manage.py migrate
 ```
 
-Create the djangoadmin user and start the ipa-tuura server
+Create the `djangoadmin` user and start the ipa-tuura server
 
 Note: do not use "admin" name as it conflicts with IPA "admin" user
 
@@ -212,7 +233,7 @@ If connecting from another system, update the ALLOWED_HOSTS line `root/settings.
 ALLOWED_HOSTS = ['192.168.122.221', 'localhost', '127.0.0.1']
 ```
 
-as well as the NETLOC from SCIM_SERVICE_PROVIDER settings:
+as well as the `NETLOC` from `SCIM_SERVICE_PROVIDER` settings:
 
 ```bash
 SCIM_SERVICE_PROVIDER = {
@@ -236,9 +257,9 @@ This project uses Sphinx as a documentation generator. Follow these steps to bui
 the documentation:
 
 ```bash
-cd $IPA_TUURA/docs/
+cd docs/
 make venv
 make html
 ```
 
-The generated documentation will be available at `$IPA_TUURA/docs/_build/html/` folder.
+The generated documentation will be available at `docs/_build/html/` folder.

docs/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 # Makefile for Sphinx documentation

docs/_static/css/ipatuura.css

@@ -1,6 +1,6 @@
 /*
  * #
- * # Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+ * # Copyright (C) 2024  FreeIPA Contributors see COPYING for license
  * #
  */
 section ul.simple li {

docs/conf.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 # Configuration file for the Sphinx documentation builder.

docs/index.rst

@@ -1,5 +1,5 @@
 .. #
-   # Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+   # Copyright (C) 2024  FreeIPA Contributors see COPYING for license
    #
 
 .. ipa-tuura documentation master file, created by

docs/make.bat

@@ -1,5 +1,5 @@
 REM #
-REM # Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+REM # Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 REM #
 
 @ECHO OFF

docs/requirements.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 wheel

prod/Containerfile

@@ -4,9 +4,6 @@
 #
 # Then, you can build the image by running:
 # podman build -f prod/Containerfile .
-#
-# Or with podman-compose:
-# podman-compose -f prod/podman-compose.yaml up -d
 
 FROM registry.access.redhat.com/ubi9:9.2-755
 

src/install/requirements.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 dbus-python

src/ipa-tuura/creds/__init__.py

@@ -1,3 +1,3 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #

src/ipa-tuura/creds/forms.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 from django import forms

src/ipa-tuura/creds/templates/creds/base.html

@@ -1,6 +1,6 @@
 <! --
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 -->
 

src/ipa-tuura/creds/templates/creds/simple_pwd.html

@@ -1,6 +1,6 @@
 <! --
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 -->
 

src/ipa-tuura/creds/urls.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 from creds import views

src/ipa-tuura/creds/views.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 import json

src/ipa-tuura/domains/adapters.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2023  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 import logging

src/ipa-tuura/domains/models.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2023  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 import logging

src/ipa-tuura/domains/urls.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2023  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 """Integration Domain URL Configuration

src/ipa-tuura/domains/utils.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2023  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 import logging

src/ipa-tuura/domains/views.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2023  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 import logging

src/ipa-tuura/manage.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 #!/usr/bin/env python

src/ipa-tuura/root/__init__.py

@@ -1,3 +1,3 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #

src/ipa-tuura/root/asgi.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 """

src/ipa-tuura/root/settings.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 """

src/ipa-tuura/root/urls.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 """root URL Configuration

src/ipa-tuura/root/wsgi.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 """

src/ipa-tuura/scim/__init__.py

@@ -1,3 +1,3 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #

src/ipa-tuura/scim/adapters.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 import logging

src/ipa-tuura/scim/admin.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
 #
 
 # from django.contrib import admin