Module: ManageIQ::ApplianceConsole::ExternalHttpdAuthentication::ExternalHttpdConfiguration

Included in:
ManageIQ::ApplianceConsole::ExternalHttpdAuthentication
Defined in:
lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb

Constant Summary

IPA_COMMAND =

External Authentication Definitions

"/usr/bin/ipa".freeze
IPA_INSTALL_COMMAND =
"/usr/sbin/ipa-client-install".freeze
IPA_GETKEYTAB =
"/usr/sbin/ipa-getkeytab".freeze
KERBEROS_CONFIG_FILE =
"/etc/krb5.conf".freeze
SSSD_CONFIG =
"/etc/sssd/sssd.conf".freeze
PAM_CONFIG =
"/etc/pam.d/httpd-auth".freeze
HTTP_KEYTAB =
"/etc/http.keytab".freeze
HTTP_REMOTE_USER =
"/etc/httpd/conf.d/manageiq-remote-user.conf".freeze
HTTP_REMOTE_USER_OIDC =
"/etc/httpd/conf.d/manageiq-remote-user-openidc.conf".freeze
HTTP_EXTERNAL_AUTH =
"/etc/httpd/conf.d/manageiq-external-auth.conf".freeze
HTTP_EXTERNAL_AUTH_TEMPLATE =
"#{HTTP_EXTERNAL_AUTH}.erb".freeze
GETSEBOOL_COMMAND =
"/usr/sbin/getsebool".freeze
SETSEBOOL_COMMAND =
"/usr/sbin/setsebool".freeze
GETENFORCE_COMMAND =
"/usr/sbin/getenforce".freeze
APACHE_USER =
"apache".freeze
TIMESTAMP_FORMAT =
"%Y%m%d_%H%M%S".freeze
LDAP_ATTRS =
{
  "mail"        => "REMOTE_USER_EMAIL",
  "givenname"   => "REMOTE_USER_FIRSTNAME",
  "sn"          => "REMOTE_USER_LASTNAME",
  "displayname" => "REMOTE_USER_FULLNAME",
  "domainname"  => "REMOTE_USER_DOMAIN"
}.freeze

Instance Method Summary

Instance Method Details

#config_file_write(config, path, timestamp) ⇒ Object

Config File I/O Methods



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 180

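# Writes +config+ to +path+, first preserving any existing file as
# "<path>.<timestamp>".
#
# The backup is taken with +:preserve+ so it keeps the original's mode,
# owner and mtime; for a restricted file (SSSD_CONFIG, for instance) this
# keeps the copy from being any more readable than the original.
#
# @param config [String] full file contents to write
# @param path [String] destination file
# @param timestamp [String] suffix appended to the backup file name
# @return [Integer] number of bytes written to +path+
def config_file_write(config, path, timestamp)
  FileUtils.copy(path, "#{path}.#{timestamp}", :preserve => true) if File.exist?(path)
  File.write(path, config)
end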

#configure_httpd_application ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 80

# Installs the two httpd drop-ins for external authentication from
# template_directory: HTTP_EXTERNAL_AUTH_TEMPLATE (rendered, so the ".erb"
# is dropped) and HTTP_REMOTE_USER (copied as-is), both under cp_template's
# default destination "/".
#
# @return [Object] the result of the second cp_template call
def configure_httpd_application
  templates = template_directory
  cp_template(HTTP_EXTERNAL_AUTH_TEMPLATE, templates)
  cp_template(HTTP_REMOTE_USER, templates)
end

#configure_sssd_domain(config, domain) ⇒ Object

SSSD File Methods



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 104

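# Adds the ManageIQ LDAP attribute list and an entry cache timeout to the
# "[domain/<domain>]" section of the sssd.conf text held in +config+.
#
# The section header is matched with its brackets escaped: an unescaped
# "[domain/...]" inside a Regexp is a character class matching one
# character, which would let the settings land in whichever section
# happened to match first rather than in the named domain.
#
# @param config [String] sssd.conf contents, modified in place
# @param domain [String] name of the sssd domain section to edit
# @return [String] the text inserted last (the entry_cache_timeout line)
# @raise [IndexError] if +config+ has no "[domain/<domain>]" section
def configure_sssd_domain(config, domain)
  ldap_user_extra_attrs = LDAP_ATTRS.keys.join(", ")
  # Regexp source for the section header; the brackets are literal here.
  section = "\\[domain/#{Regexp.escape(domain)}\\]"

  if config.include?("ldap_user_extra_attrs = ")
    # Replace the existing value found below the header.
    config[/#{section}(\n.*)+ldap_user_extra_attrs = (.*)/, 2] = ldap_user_extra_attrs
  else
    # Insert the setting on the line right after the header.
    config[/#{section}.*(\n)/, 1] = "\nldap_user_extra_attrs = #{ldap_user_extra_attrs}\n"
  end

  config[/#{section}.*(\n)/, 1] = "\nentry_cache_timeout = 600\n"
end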

#configure_sssd_ifp(config) ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 124

# Ensures the "[ifp]" section of the sssd.conf text in +config+ lists
# APACHE_USER, root and manageiq as allowed_uids and exposes the LDAP_ATTRS
# keys (each prefixed with "+") as user_attributes.
#
# Three cases, decided by what +config+ already holds:
# - no "[ifp]" section: one is appended;
# - "[ifp]" without a user_attributes line: both settings are inserted
#   right after the header;
# - "[ifp]" with user_attributes: only that value is replaced.
#
# @param config [String] sssd.conf contents, modified in place
# @return [String] +config+ itself when a section was appended, otherwise
#   the substituted text
def configure_sssd_ifp(config)
  user_attributes = LDAP_ATTRS.keys.map { |attr| "+#{attr}" }.join(", ")
  ifp_config = "\n  allowed_uids = #{APACHE_USER}, root, manageiq\n  user_attributes = #{user_attributes}\n"
  current_attrs = /\[ifp\](\n.*)+user_attributes = (.*)/

  return config << "\n[ifp]#{ifp_config}\n" unless config.include?("[ifp]")

  if config[current_attrs]
    config[current_attrs, 2] = user_attributes
  else
    config[/\[ifp\](\n)/, 1] = ifp_config
  end
end

#configure_sssd_service(config) ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 118

# Makes sure "ifp" appears in the services= line below "[sssd]" in the
# sssd.conf text held in +config+, appending it when absent.
#
# @param config [String] sssd.conf contents, modified in place
# @return [String] the services value written back
# @raise [NoMethodError] if no services= line follows "[sssd]" (the
#   unmatched MatchData is nil)
def configure_sssd_service(config)
  services_line = /\[sssd\](\n.*)+services = (.*)/
  current = config.match(services_line)[2]
  wanted = current.include?("ifp") ? current : "#{current}, ifp"
  config[services_line, 2] = wanted
end

#cp_template(file, src_dir, dest_dir = "/") ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 200

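# Installs +file+ from +src_dir+ into +dest_dir+. A source whose name ends
# in ".erb" is rendered with ERB (trim mode "-") and written without the
# extension; anything else is copied unchanged.
#
# The ".erb" test and strip are anchored to the end of the name, so a
# directory or base name that merely contains ".erb" is not mistaken for a
# template.
#
# NOTE(review): ERB.new's positional (safe_level, trim_mode) arguments have
# been deprecated in favour of trim_mode: since Ruby 2.6; they are kept here
# because this file shows no other Ruby 2.6 requirement.
#
# @param file [String] file name, usually an absolute path mirrored below src_dir
# @param src_dir [String, Pathname] directory holding the template or file
# @param dest_dir [String, Pathname] root to install under, "/" by default
# @return [Integer, nil] bytes written for a rendered template, otherwise
#   the return value of FileUtils.cp
def cp_template(file, src_dir, dest_dir = "/")
  src_path  = path_join(src_dir, file)
  dest_path = path_join(dest_dir, file.sub(/\.erb\z/, ""))
  if src_path.to_s.end_with?(".erb")
    # The template is evaluated with this method's binding, so it can reach
    # any helper on self; only trusted template files belong in src_dir.
    File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
  else
    FileUtils.cp(src_path, dest_path)
  end
end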

#deactivate ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 62

# Tears external authentication down: unenrolls the IPA client first, then
# removes the httpd drop-ins and restarts httpd via unconfigure_httpd.
#
# @return [Object] the result of unconfigure_httpd
def deactivate
  ipa_client_unconfigure
  unconfigure_httpd
end

#enable_kerberos_dns_lookups ⇒ Object

Kerberos KRB5 File Methods



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 93

# Sets dns_lookup_kdc and dns_lookup_realm to true in KERBEROS_CONFIG_FILE,
# after copying the original to "<file>.miqbkp".
#
# Unlike config_file_write the backup name is fixed, so a second run
# overwrites the first backup. Each setting must already be present: the
# regexp assignment raises when it is not. The pattern is unanchored and
# the first occurrence wins, so a commented-out copy of a setting placed
# above the real one ("#dns_lookup_kdc = false") is the line that gets
# edited.
#
# @return [Integer] bytes written to KERBEROS_CONFIG_FILE
# @raise [IndexError] when a dns_lookup_* line is missing
def enable_kerberos_dns_lookups
  backup = "#{KERBEROS_CONFIG_FILE}.miqbkp"
  FileUtils.copy(KERBEROS_CONFIG_FILE, backup)

  krb5config = File.read(KERBEROS_CONFIG_FILE)
  %w[dns_lookup_kdc dns_lookup_realm].each do |setting|
    krb5config[/(\s*)#{setting}(\s*)=(\s*)(.*)/, 4] = 'true'
  end
  File.write(KERBEROS_CONFIG_FILE, krb5config)
end

#host_reachable?(host, what = "Server") ⇒ Boolean

Network validation

Returns:

  • (Boolean)


# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 188

# Pings +host+ and reports the outcome through say.
#
# net/ping is loaded lazily, only when a connectivity check is actually run.
# NOTE(review): +host+ arrives from the interactive prompt and is handed to
# Net::Ping::External, which drives the system ping binary; presumably the
# gem passes it as a separate argument rather than through a shell — confirm
# against the installed net-ping version.
#
# @param host [String] host name to check
# @param what [String] how to refer to the host in the failure message
# @return [Boolean] true when the ping succeeded
def host_reachable?(host, what = "Server")
  require 'net/ping'
  say("Checking connectivity to #{host} ... ")
  if Net::Ping::External.new(host).ping
    say("Succeeded.")
    true
  else
    say("Failed.\nCould not connect to #{host},")
    say("the #{what} must be reachable by name.")
    false
  end
end

#installation_valid? ⇒ Boolean

Validation Methods

Returns:

  • (Boolean)


# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 144

# Checks that every RPM external authentication depends on is installed,
# reporting each missing package through say before the overall verdict.
#
# @return [Boolean] true when all required packages are present
def installation_valid?
  installed = LinuxAdmin::Rpm.list_installed.keys
  required  = %w[ipa-client sssd-dbus mod_intercept_form_submit mod_authnz_pam mod_lookup_identity]

  missing = required.reject { |package| installed.include?(package) }
  missing.each { |package| say("#{package} RPM is not installed") }

  return true if missing.empty?

  say("\nAppliance Installation is not valid for enabling External Authentication\n")
  false
end

#ipa_client_configure(realm, domain, server, principal, password) ⇒ Object

IPA Configuration Methods



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 48

# Enrolls this host as an IPA client by running IPA_INSTALL_COMMAND
# unattended with "-N", --force-join and --fixed-primary, passing the
# realm, domain, server, principal and password as long options.
#
# NOTE(review): +password+ becomes a --password= argument, so it is visible
# in the process list for the lifetime of ipa-client-install, and a failed
# run! raises AwesomeSpawn::CommandResultError whose message carries the
# command line — do not log that exception verbatim.
#
# @param realm [String] Kerberos realm
# @param domain [String] IPA domain
# @param server [String] IPA server host name
# @param principal [String] enrollment principal
# @param password [String] password for +principal+
# @return [AwesomeSpawn::CommandResult]
# @raise [AwesomeSpawn::CommandResultError] when the install command fails
def ipa_client_configure(realm, domain, server, principal, password)
  say("Configuring the IPA Client ...")
  options = {
    :realm=     => realm,
    :domain=    => domain,
    :server=    => server,
    :principal= => principal,
    :password=  => password
  }
  params = ["-N", :force_join, :fixed_primary, :unattended, options]
  AwesomeSpawn.run!(IPA_INSTALL_COMMAND, :params => params)
end

#ipa_client_unconfigure ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 67

# Unenrolls the IPA client by running IPA_INSTALL_COMMAND with --uninstall
# --unattended.
#
# AwesomeSpawn.run (not run!) is used, so a failing uninstall does not raise;
# the result is returned for the caller to inspect (deactivate ignores it),
# which reads as a deliberate best-effort cleanup.
#
# @return [AwesomeSpawn::CommandResult]
def ipa_client_unconfigure
  say("Un-Configuring the IPA Client ...")
  uninstall_params = [:uninstall, :unattended]
  AwesomeSpawn.run(IPA_INSTALL_COMMAND, :params => uninstall_params)
end

#path_join(*args) ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 215

# Joins path segments beneath the first one. Every later segment is
# prefixed with "./", so an absolute name such as "/etc/x.conf" lands below
# the base directory instead of replacing it (Pathname#join would otherwise
# restart at an absolute segment).
#
# NOTE(review): Pathname#+ resolves ".." lexically, so the "./" prefix does
# not keep a segment containing ".." inside the base; the callers on this
# page only pass fixed constants.
#
# @param args [Array<String, Pathname>] base directory followed by segments
# @return [Pathname]
def path_join(*args)
  base, *segments = args
  segments.reduce(Pathname.new(base)) { |path, segment| path.join("./#{segment}") }
end

#rm_file(file, dir = "/") ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 210

# Deletes +file+ below +dir+ when it exists; see path_join for how an
# absolute +file+ is placed under +dir+.
#
# @param file [String] file name, usually an absolute path such as HTTP_REMOTE_USER
# @param dir [String] root directory, "/" by default
# @return [Integer, nil] 1 when a file was deleted, nil when nothing was there
def rm_file(file, dir = "/")
  target = path_join(dir, file)
  return unless File.exist?(target)

  File.delete(target)
end

#template_directory ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 41

# Directory holding the httpd templates, read from the
# APPLIANCE_TEMPLATE_DIRECTORY environment variable.
#
# @return [Pathname]
# @raise [KeyError] when APPLIANCE_TEMPLATE_DIRECTORY is not set
def template_directory
  dir = ENV.fetch("APPLIANCE_TEMPLATE_DIRECTORY")
  Pathname(dir)
end

#unconfigure_httpd ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 72

# Removes the external-authentication httpd drop-ins and restarts httpd so
# the change takes effect, narrating each step through say.
#
# @return [Object] the result of the httpd service restart
def unconfigure_httpd
  say("Unconfiguring httpd ...")
  unconfigure_httpd_application

  say("Restarting httpd ...")
  httpd = LinuxAdmin::Service.new("httpd")
  httpd.restart
end

#unconfigure_httpd_application ⇒ Object



# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 85

# Deletes the two httpd drop-ins that configure_httpd_application installs
# (HTTP_EXTERNAL_AUTH, the rendered template, and HTTP_REMOTE_USER), each
# under rm_file's default root "/". Missing files are skipped.
#
# @return [Integer, nil] the result of the second rm_file call
def unconfigure_httpd_application
  rm_file(HTTP_EXTERNAL_AUTH)
  rm_file(HTTP_REMOTE_USER)
end

#valid_environment? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 162

# Decides whether external authentication may be configured on this
# appliance: the required RPMs must be installed, and if an IPA client is
# already configured the operator must agree to deactivate it and then to
# continue.
#
# @return [Boolean] true when configuration may proceed
def valid_environment?
  return false unless installation_valid?
  return true unless ipa_client_configured?

  show_current_configuration
  return false unless agree("\nIPA Client already configured on this Appliance, Un-Configure first? (Y/N): ")

  deactivate
  return false unless agree("\nProceed with External Authentication Configuration? (Y/N): ")

  true
end

#valid_parameters?(ipaserver) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb', line 173

# Validates the only parameter checked before configuration: the IPA server
# must answer a ping (see host_reachable?).
#
# @param ipaserver [String] IPA server host name
# @return [Boolean] true when the server is reachable
def valid_parameters?(ipaserver)
  host_reachable?(ipaserver, "IPA Server")
end