Module: ManageIQ::ApplianceConsole::ExternalHttpdAuthentication::ExternalHttpdConfiguration
- Defined in:
- lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb
# External Authentication Definitions
#
# Locations of the tools and files this module drives. Every value is frozen
# so a caller cannot accidentally mutate a shared path.

# FreeIPA client binaries.
IPA_COMMAND         = "/usr/bin/ipa".freeze
IPA_INSTALL_COMMAND = "/usr/sbin/ipa-client-install".freeze
IPA_GETKEYTAB       = "/usr/sbin/ipa-getkeytab".freeze

# System configuration edited by enable_kerberos_dns_lookups and the
# configure_sssd_* methods (PAM_CONFIG is declared here but not used on this page).
KERBEROS_CONFIG_FILE = "/etc/krb5.conf".freeze
SSSD_CONFIG          = "/etc/sssd/sssd.conf".freeze
PAM_CONFIG           = "/etc/pam.d/httpd-auth".freeze

# Keytab holding the HTTP service key. NOTE(review): none of the methods shown
# in this module delete it on deactivate, so verify where its removal and its
# file mode are handled (it should be readable by the httpd user only).
HTTP_KEYTAB = "/etc/http.keytab".freeze

# httpd drop-in configs installed by configure_httpd_application and removed by
# unconfigure_httpd_application. The OIDC variant is declared here but is not
# referenced by any method on this page.
HTTP_REMOTE_USER      = "/etc/httpd/conf.d/manageiq-remote-user.conf".freeze
HTTP_REMOTE_USER_OIDC = "/etc/httpd/conf.d/manageiq-remote-user-openidc.conf".freeze
HTTP_EXTERNAL_AUTH    = "/etc/httpd/conf.d/manageiq-external-auth.conf".freeze
# Rendered through ERB by cp_template; the ".erb" suffix is dropped on install.
HTTP_EXTERNAL_AUTH_TEMPLATE = "#{HTTP_EXTERNAL_AUTH}.erb".freeze

# SELinux tooling.
GETSEBOOL_COMMAND  = "/usr/sbin/getsebool".freeze
SETSEBOOL_COMMAND  = "/usr/sbin/setsebool".freeze
GETENFORCE_COMMAND = "/usr/sbin/getenforce".freeze

# Account httpd runs as; granted access to the SSSD InfoPipe in configure_sssd_ifp.
APACHE_USER = "apache".freeze

# strftime format, presumably used to build the timestamp passed to
# config_file_write for backup file names (no caller is visible here).
TIMESTAMP_FORMAT = "%Y%m%d_%H%M%S".freeze

# LDAP attribute => REMOTE_USER_* variable name. The keys are the attributes
# requested from SSSD (configure_sssd_domain / configure_sssd_ifp); the values
# are presumably the variables the httpd identity modules export to the
# application — confirm against the httpd templates.
LDAP_ATTRS = {
  "mail"        => "REMOTE_USER_EMAIL",
  "givenname"   => "REMOTE_USER_FIRSTNAME",
  "sn"          => "REMOTE_USER_LASTNAME",
  "displayname" => "REMOTE_USER_FULLNAME",
  "domainname"  => "REMOTE_USER_DOMAIN"
}.freeze
Instance Method Details
#config_file_write(config, path, timestamp) ⇒ Object
Config File I/O Methods
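# Write +config+ to +path+, keeping a backup of the previous contents.
#
# If +path+ already exists it is first copied to "#{path}.#{timestamp}"; the
# suffix is supplied by the caller (TIMESTAMP_FORMAT is the likely source).
# The target is then truncated and rewritten in place, so an existing file
# keeps its inode, owner and mode.
#
# NOTE(review): the rewrite is not atomic — a crash between the truncate and
# the write leaves an empty config file. Backups are never pruned here, and
# for files such as sssd.conf they may retain credentials from earlier
# versions; confirm the backup copies end up with a restrictive mode on the
# appliance.
#
# @param config [String] full file contents to write
# @param path [String] destination path
# @param timestamp [String] suffix appended to the backup copy's name
# @return [Integer] number of bytes written
def config_file_write(config, path, timestamp)
  FileUtils.copy(path, "#{path}.#{timestamp}") if File.exist?(path)
  File.open(path, "w") { |f| f.write(config) }
end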
#configure_httpd_application ⇒ Object
# Install the httpd drop-in configs for external authentication.
#
# The external-auth config is rendered from its .erb template and the
# remote-user config is copied verbatim; both are taken from
# #template_directory and land under "/" (cp_template's default).
#
# @return the result of the second cp_template call
def configure_httpd_application
  templates = template_directory
  cp_template(HTTP_EXTERNAL_AUTH_TEMPLATE, templates)
  cp_template(HTTP_REMOTE_USER, templates)
end
#configure_sssd_domain(config, domain) ⇒ Object
SSSD File Methods
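# Add the LDAP user attributes ManageIQ needs to the "[domain/<domain>]"
# section of an sssd.conf string and set a 600 second entry cache timeout.
# +config+ is modified in place.
#
# The section header is matched as the literal text "[domain/<domain>]". The
# square brackets must be escaped: left unescaped, "[domain/...]" is a regexp
# character class matching any single character of the domain name, so the
# anchor could land in an unrelated section (for instance on the "d" of
# "[sssd]") and the attribute line would be inserted there.
#
# If an "ldap_user_extra_attrs =" line already exists inside the domain
# section (before the next "[...]" header) its value is replaced; otherwise
# the line is inserted directly under the section header. The
# "entry_cache_timeout = 600" line is always inserted under the header.
#
# @param config [String] contents of sssd.conf; mutated in place
# @param domain [String] the IPA domain whose section is edited
# @raise [IndexError] if the "[domain/<domain>]" header is not present
# @return [String] the last inserted fragment (String#[]= return value)
def configure_sssd_domain(config, domain)
  ldap_user_extra_attrs = LDAP_ATTRS.keys.join(", ")
  header = "\\[domain/#{Regexp.escape(domain)}\\]"
  # The section body is any run of lines that do not start another "[...]" section.
  existing_attrs = /#{header}.*(?:\n(?!\[).*)*\nldap_user_extra_attrs = (.*)/
  if config.match?(existing_attrs)
    config[existing_attrs, 1] = ldap_user_extra_attrs
  else
    config[/#{header}.*(\n)/, 1] = "\nldap_user_extra_attrs = #{ldap_user_extra_attrs}\n"
  end
  config[/#{header}.*(\n)/, 1] = "\nentry_cache_timeout = 600\n"
end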
#configure_sssd_ifp(config) ⇒ Object
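# Ensure sssd.conf has an "[ifp]" (InfoPipe) section that lets the apache,
# root and manageiq users query user attributes over D-Bus, and that the
# exported attributes are the LDAP_ATTRS keys. +config+ is modified in place.
#
# The two settings are written on separate lines: a single-line literal
# would put "allowed_uids" and "user_attributes" on one line, which sssd
# would not parse as two keys.
#
# Behaviour depends on what is already present:
# - no "[ifp]" section: one is appended at the end of the file
# - "[ifp]" followed by a "user_attributes =" line: its value is replaced
# - "[ifp]" without one: both settings are inserted under the header
#
# NOTE(review): allowed_uids widens who may read identity data from sssd;
# keep the list minimal. "manageiq" is presumed to be the application's
# service account — not visible from here.
#
# @param config [String] contents of sssd.conf; mutated in place
# @return [String] the inserted or replaced fragment
def configure_sssd_ifp(config)
  user_attributes = LDAP_ATTRS.keys.collect { |k| "+#{k}" }.join(", ")
  ifp_config = "\n  allowed_uids = #{APACHE_USER}, root, manageiq\n  user_attributes = #{user_attributes}\n"
  attrs_re = /\[ifp\](\n.*)+user_attributes = (.*)/
  if config.include?("[ifp]")
    if config[attrs_re]
      config[attrs_re, 2] = user_attributes
    else
      config[/\[ifp\](\n)/, 1] = ifp_config
    end
  else
    config << "\n[ifp]#{ifp_config}\n"
  end
end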
#configure_sssd_service(config) ⇒ Object
# Make sure "ifp" is listed in the "services =" line of the "[sssd]" section
# so the InfoPipe responder is started. +config+ is modified in place; the
# line is left untouched if it already mentions ifp.
#
# @param config [String] contents of sssd.conf; mutated in place
# @raise [NoMethodError] if no "services =" line follows "[sssd]" (match returns nil)
# @return [String] the resulting services value
def configure_sssd_service(config)
  services_re = /\[sssd\](\n.*)+services = (.*)/
  current = config.match(services_re)[2]
  config[services_re, 2] = current.include?("ifp") ? current : "#{current}, ifp"
end
#cp_template(file, src_dir, dest_dir = "/") ⇒ Object
# Copy +file+ from +src_dir+ into +dest_dir+ (default "/"), rendering it
# through ERB first when its path contains ".erb" (anywhere, not just as a
# suffix); ".erb" is stripped from the destination name. Absolute +file+
# values are joined underneath the directories (see #path_join), so the
# module's constants resolve to e.g. "<template dir>/etc/httpd/conf.d/...".
#
# The template is evaluated with this method's binding, i.e. it can call the
# module's methods and constants — it is Ruby code. NOTE(review): only
# templates from a root-owned, non-writable directory should reach this
# method; APPLIANCE_TEMPLATE_DIRECTORY is read from the environment.
# ERB.new is given the trim mode as a legacy positional argument; on Ruby
# >= 2.6 `trim_mode: '-'` is the non-deprecated spelling.
#
# @param file [String] path of the file, relative to both directories
# @param src_dir [String, Pathname] template source directory
# @param dest_dir [String, Pathname] installation root
# @return the File.write byte count for a rendered template, the FileUtils.cp
#   result otherwise
def cp_template(file, src_dir, dest_dir = "/")
  source = path_join(src_dir, file)
  target = path_join(dest_dir, file.gsub(".erb", ""))
  unless source.to_s.include?(".erb")
    FileUtils.cp(source, target)
    return
  end
  rendered = ERB.new(File.read(source), nil, '-').result(binding)
  File.write(target, rendered)
end
#deactivate ⇒ Object
# Tear down external authentication: run the IPA client uninstall, then
# remove the httpd drop-in configs and restart httpd.
#
# NOTE(review): neither step shown here touches HTTP_KEYTAB or the krb5.conf
# edits made by enable_kerberos_dns_lookups; confirm those are reverted
# elsewhere if a full rollback is expected.
#
# @return the result of unconfigure_httpd
def deactivate
  ipa_client_unconfigure
  unconfigure_httpd
end
#enable_kerberos_dns_lookups ⇒ Object
Kerberos KRB5 File Methods
# Turn on DNS-based discovery in /etc/krb5.conf by setting both
# "dns_lookup_kdc" and "dns_lookup_realm" to true. A copy of the original is
# saved as /etc/krb5.conf.miqbkp first.
#
# NOTE(review): per krb5.conf(5) these settings make the client locate KDCs
# and map hosts to realms via DNS; without DNSSEC that data is
# unauthenticated, which is why dns_lookup_realm is commonly left off.
# Presumably acceptable for an IPA-managed zone — confirm. The backup name
# is fixed, so a second run overwrites the backup with the already-modified
# file.
#
# @raise [IndexError] if either key is missing from the file (String#[]=
#   with an unmatched regexp)
# @return [Integer] bytes written back to the config file
def enable_kerberos_dns_lookups
  FileUtils.copy(KERBEROS_CONFIG_FILE, "#{KERBEROS_CONFIG_FILE}.miqbkp")
  contents = File.read(KERBEROS_CONFIG_FILE)
  %w(dns_lookup_kdc dns_lookup_realm).each do |key|
    # Group 4 is the value; replacing it keeps the key's indentation and spacing.
    contents[/(\s*)#{key}(\s*)=(\s*)(.*)/, 4] = 'true'
  end
  File.write(KERBEROS_CONFIG_FILE, contents)
end
#host_reachable?(host, what = "Server") ⇒ Boolean
Network validation
# Check that +host+ answers a ping, printing progress for the console user.
#
# Uses Net::Ping::External from the net-ping gem (loaded lazily here), which
# shells out to the system ping binary. NOTE(review): +host+ therefore ends
# up on a command line; it should be a hostname or IP address the caller has
# already validated, not arbitrary text. A successful ping proves only
# reachability — nothing about the identity of the host or whether the IPA
# services on it are up.
#
# @param host [String] hostname or address to ping
# @param what [String] label used in the failure message
# @return [Boolean] true if the host replied, false otherwise
def host_reachable?(host, what = "Server")
  require 'net/ping'
  say("Checking connectivity to #{host} ... ")
  pinger = Net::Ping::External.new(host)
  if pinger.ping
    say("Succeeded.")
    return true
  end
  say("Failed.\nCould not connect to #{host},")
  say("the #{what} must be reachable by name.")
  false
end
#installation_valid? ⇒ Boolean
Validation Methods
# Verify the RPMs external authentication depends on are installed: the IPA
# client, the sssd D-Bus responder and the three httpd identity modules.
# One line is printed per missing package, followed by a summary line when
# anything is missing.
#
# @return [Boolean] true when every required package is present
def installation_valid?
  installed = LinuxAdmin::Rpm.list_installed.keys
  required = %w(ipa-client sssd-dbus mod_intercept_form_submit mod_authnz_pam mod_lookup_identity)
  missing = required.reject { |package| installed.include?(package) }
  missing.each { |package| say("#{package} RPM is not installed") }
  return true if missing.empty?
  say("\nAppliance Installation is not valid for enabling External Authentication\n")
  false
end
#ipa_client_configure(realm, domain, server, principal, password) ⇒ Object
IPA Configuration Methods
# Enrol this appliance as a FreeIPA client by running ipa-client-install
# unattended. AwesomeSpawn.run! raises if the command exits non-zero. The
# symbol flags are rendered by AwesomeSpawn (presumably as --force-join,
# --fixed-primary, --unattended); "-N" is passed through as-is — per
# ipa-client-install(1) it skips NTP setup, worth confirming since Kerberos
# depends on clock sync.
#
# NOTE(review): the join password is passed as a --password= argument, so it
# is visible in the process list (/proc/<pid>/cmdline) while the install runs
# and may be recorded wherever AwesomeSpawn logs command lines. Confirm this
# is acceptable on the appliance, or whether a keytab-based join is an option
# for this deployment.
#
# @param realm [String] Kerberos realm, e.g. EXAMPLE.COM
# @param domain [String] IPA DNS domain
# @param server [String] IPA server hostname
# @param principal [String] principal authorised to join hosts
# @param password [String] that principal's password
# @return the AwesomeSpawn result of the install run
def ipa_client_configure(realm, domain, server, principal, password)
  say("Configuring the IPA Client ...")
  join_options = {
    :realm=     => realm,
    :domain=    => domain,
    :server=    => server,
    :principal= => principal,
    :password=  => password
  }
  AwesomeSpawn.run!(IPA_INSTALL_COMMAND, :params => ["-N", :force_join, :fixed_primary, :unattended, join_options])
end
#ipa_client_unconfigure ⇒ Object
# Run "ipa-client-install --uninstall" unattended to leave the IPA domain.
# Uses AwesomeSpawn.run (not run!), so a failing uninstall is presumably not
# raised here and only surfaces in the returned result object.
#
# @return the AwesomeSpawn result of the uninstall run
def ipa_client_unconfigure
  say("Un-Configuring the IPA Client ...")
  uninstall_args = [:uninstall, :unattended]
  AwesomeSpawn.run(IPA_INSTALL_COMMAND, :params => uninstall_args)
end
#path_join(*args) ⇒ Object
# Join path segments under a base directory, treating every segment as
# relative even when it starts with "/": each is prefixed with "./" before
# Pathname#join, so path_join("/tmpl", "/etc/x") is "/tmpl/etc/x". This is
# what lets the module's absolute config paths be resolved under the template
# directory. NOTE(review): a segment containing ".." is not neutralised; the
# callers on this page only pass module constants.
#
# @param args [Array<String, Pathname>] base directory followed by segments
# @raise [TypeError] when called with no arguments (Pathname.new(nil))
# @return [Pathname] the joined path
def path_join(*args)
  base, *segments = args
  segments.reduce(Pathname.new(base)) { |acc, seg| acc.join("./#{seg}") }
end
#rm_file(file, dir = "/") ⇒ Object
# Delete +file+ underneath +dir+ (default "/") if it exists; absent files are
# ignored. The path is built with #path_join, so an absolute +file+ is still
# placed under +dir+. If the path is a symlink, File.delete removes the link
# itself, not its target.
#
# @param file [String] path of the file relative to +dir+
# @param dir [String, Pathname] root directory
# @return [Integer, nil] 1 when a file was deleted, nil when nothing existed
def rm_file(file, dir = "/")
  target = path_join(dir, file)
  return unless File.exist?(target)
  File.delete(target)
end
#template_directory ⇒ Object
# Directory the httpd templates are read from, taken from the
# APPLIANCE_TEMPLATE_DIRECTORY environment variable. NOTE(review): since
# cp_template evaluates ERB from this directory, whoever controls the
# environment of the console process controls the rendered config.
#
# @raise [KeyError] if APPLIANCE_TEMPLATE_DIRECTORY is not set
# @return [Pathname] the template directory
def template_directory
  directory = ENV.fetch("APPLIANCE_TEMPLATE_DIRECTORY")
  Pathname(directory)
end
#unconfigure_httpd ⇒ Object
# Remove the external-authentication httpd drop-ins and restart httpd so the
# change takes effect, narrating each step for the console user.
#
# @return the result of the httpd service restart
def unconfigure_httpd
  say("Unconfiguring httpd ...")
  unconfigure_httpd_application
  say("Restarting httpd ...")
  httpd = LinuxAdmin::Service.new("httpd")
  httpd.restart
end
#unconfigure_httpd_application ⇒ Object
# Delete the two httpd drop-ins installed by configure_httpd_application.
# HTTP_REMOTE_USER_OIDC is not touched here; whether it is installed or
# removed elsewhere is not visible on this page.
#
# @return [Integer, nil] rm_file's result for HTTP_REMOTE_USER
def unconfigure_httpd_application
  rm_file(HTTP_EXTERNAL_AUTH)
  rm_file(HTTP_REMOTE_USER)
end
#valid_environment? ⇒ Boolean
# Decide whether external authentication can be configured on this appliance.
#
# Fails fast when required RPMs are missing. If the IPA client is already
# configured, the current configuration is shown and the operator is asked
# (via +agree+, presumably a HighLine yes/no prompt) to un-configure it; on
# consent #deactivate runs (ipa-client-install --uninstall plus httpd
# cleanup) and a second confirmation is required before proceeding.
#
# @return [Boolean] true when configuration may proceed
def valid_environment?
  return false unless installation_valid?
  return true unless ipa_client_configured?

  show_current_configuration
  return false unless agree("\nIPA Client already configured on this Appliance, Un-Configure first? (Y/N): ")

  deactivate
  return false unless agree("\nProceed with External Authentication Configuration? (Y/N): ")

  true
end
#valid_parameters?(ipaserver) ⇒ Boolean
# Validate the operator-supplied IPA server by checking it answers a ping
# (see #host_reachable? — connectivity only, no identity check).
#
# @param ipaserver [String] IPA server hostname or address
# @return [Boolean] true if the server is reachable
def valid_parameters?(ipaserver)
  label = "IPA Server"
  host_reachable?(ipaserver, label)
end