httpd_configmap_generator 0.1.0

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :test    => :spec
+task :default => :spec
+

data/bin/httpd_configmap_generator

@@ -0,0 +1,101 @@
+#! /usr/bin/env ruby
+#
+# Script for configuring container with external authentication
+#
+# Stdout: standard processing messages ...
+# Stderr: any errors during configuration ...
+# -o filename: for the generated auth-config map.
+#
+
+require "bundler/setup"
+require "trollop"
+require "httpd_configmap_generator"
+
+CMD = File.basename($PROGRAM_NAME)
+
+def error_msg(msg)
+  $stderr.puts msg
+  exit 1
+end
+
+module HttpdConfigmapGenerator
+  class Cli
+    def parse_arguments(auth_config)
+      opts = Trollop.options do
+        version("#{CMD} #{HttpdConfigmapGenerator::VERSION} - External Authentication Configuration script")
+        banner <<-EOS
+#{version}
+
+Usage: #{CMD} auth_type | update | export [--help | options]
+
+#{CMD} options are:
+      EOS
+        opt :version, "Version of the #{CMD} command",
+            :default => false, :short => "-V"
+        auth_config.required_options.each do |key, key_options|
+          opt key, key_options[:description], HttpdConfigmapGenerator::Cli.options_for(key_options, true)
+        end
+        auth_config.optional_options.each do |key, key_options|
+          opt key, key_options[:description], HttpdConfigmapGenerator::Cli.options_for(key_options)
+        end
+      end
+      opts
+    end
+
+    def run_configure(auth_type)
+      begin
+        auth_config = HttpdConfigmapGenerator.new_config(auth_type)
+      rescue => err
+        error_msg(err.to_s)
+      end
+
+      auth_config.run_configure(parse_arguments(auth_config))
+    end
+
+    def run_update
+      begin
+        auth_config = HttpdConfigmapGenerator::Update.new
+      rescue => err
+        error_msg(err.to_s)
+      end
+
+      auth_config.update(parse_arguments(auth_config))
+    end
+
+    def run_export
+      begin
+        auth_config = HttpdConfigmapGenerator::Export.new
+      rescue => err
+        error_msg(err.to_s)
+      end
+
+      auth_config.export(parse_arguments(auth_config))
+    end
+
+    def self.options_for(key_options, required = false)
+      options = {}
+      options[:default] = key_options.key?(:default) ? key_options[:default] : ""
+      options[:required] = true if required
+      options[:short]    = key_options[:short] if key_options[:short]
+      options[:multi]    = key_options[:multi] if key_options[:multi]
+      options
+    end
+  end
+end
+
+if ARGV.empty?
+  error_msg("
+Usage: #{CMD} auth_type | update | export [--help | options]
+Supported auth_type: #{HttpdConfigmapGenerator.supported_auth_types.join(', ')}
+")
+else
+  auth_type = ARGV.shift
+  case auth_type
+  when "update"
+    HttpdConfigmapGenerator::Cli.new.run_update
+  when "export"
+    HttpdConfigmapGenerator::Cli.new.run_export
+  else
+    HttpdConfigmapGenerator::Cli.new.run_configure(auth_type)
+  end
+end

data/httpd_configmap_generator.gemspec

@@ -0,0 +1,34 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+# Declare Gem's Version
+require "httpd_configmap_generator/version"
+
+# Declare Dependencies
+Gem::Specification.new do |s|
+  s.name          = "httpd_configmap_generator"
+  s.version       = HttpdConfigmapGenerator::VERSION
+  s.authors       = ["Httpd Auth Config Developers"]
+  s.homepage      = "https://github.com/ManageIQ/httpd_configmap_generator"
+  s.summary       = "The Httpd Configmap Generator"
+  s.description   = "The Httpd Configmap Generator"
+  s.licenses      = ["Apache-2.0"]
+
+  s.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  s.bindir        = "bin"
+  s.executables   = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_development_dependency "codeclimate-test-reporter", "~> 1.0.0"
+  s.add_development_dependency "rspec",    "~> 3.0"
+  s.add_development_dependency "rake"
+  s.add_development_dependency "simplecov"
+
+  s.add_dependency "activesupport",        ">=5.0"
+  s.add_dependency "awesome_spawn",        "~> 1.4"
+  s.add_dependency "iniparse",             "~> 1.4"
+  s.add_dependency "more_core_extensions", "~> 3.4"
+  s.add_dependency "trollop",              "~> 2.1"
+end

data/lib/httpd_configmap_generator.rb

@@ -0,0 +1,29 @@
+require "httpd_configmap_generator/version"
+require "httpd_configmap_generator/base"
+require "httpd_configmap_generator/active_directory"
+require "httpd_configmap_generator/ipa"
+require "httpd_configmap_generator/saml"
+require "httpd_configmap_generator/update"
+require "httpd_configmap_generator/export"
+require "more_core_extensions/core_ext/hash"
+
+module HttpdConfigmapGenerator
+  def self.new_config(auth_type)
+    auth_class(auth_type).new
+  end
+
+  def self.supported_auth_types
+    constants.collect do |c|
+      k = const_get(c)
+      k::AUTH[:subtype] if k.kind_of?(Class) && k.constants.include?(:AUTH)
+    end.compact
+  end
+
+  def self.auth_class(auth_type)
+    require "active_support/core_ext/string" # for camelize
+
+    auth_type = auth_type.tr('-', '_').camelize
+    raise "Invalid Authentication Type #{auth_type} specified" unless const_defined?(auth_type, false)
+    const_get(auth_type, false)
+  end
+end

data/lib/httpd_configmap_generator/active_directory.rb

@@ -0,0 +1,114 @@
+module HttpdConfigmapGenerator
+  class ActiveDirectory < Base
+    REALM_COMMAND        = "/usr/sbin/realm".freeze
+    KERBEROS_KEYTAB_FILE = "/etc/krb5.keytab".freeze
+    AUTH = {
+      :type    => "active-directory",
+      :subtype => "active-directory"
+    }.freeze
+
+    def required_options
+      super.merge(
+        :ad_domain   => { :description => "Active Directory Domain"   },
+        :ad_user     => { :description => "Active Directory User"     },
+        :ad_password => { :description => "Active Directory Password" }
+      )
+    end
+
+    def optional_options
+      super.merge(
+        :ad_realm  => { :description => "Active Directory Realm"  },
+        :ad_server => { :description => "Active Directory Server" }
+      )
+    end
+
+    def persistent_files
+      %w(
+        /etc/krb5.keytab
+        /etc/krb5.conf
+        /etc/nsswitch.conf
+        /etc/openldap/ldap.conf
+        /etc/pam.d/fingerprint-auth-ac
+        /etc/pam.d/httpd-auth
+        /etc/pam.d/password-auth-ac
+        /etc/pam.d/postlogin-ac
+        /etc/pam.d/smartcard-auth-ac
+        /etc/pam.d/system-auth-ac
+        /etc/resolv.conf
+        /etc/sssd/sssd.conf
+        /etc/sysconfig/authconfig
+        /etc/sysconfig/network
+      )
+    end
+
+    def configure(opts)
+      update_hostname(opts[:host])
+      join_ad_realm
+      realm_permit_all
+      configure_pam
+      configure_sssd
+      update_kerberos_keytab_permissions
+      enable_kerberos_dns_lookups
+      config_map = ConfigMap.new(opts)
+      config_map.generate(AUTH[:type], realm, persistent_files)
+      config_map.save(opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    def configured?
+      File.exist?(SSSD_CONFIG)
+    end
+
+    def unconfigure
+      return unless configured?
+    end
+
+    def realm
+      @realm ||= opts[:ad_realm] if opts[:ad_realm].present?
+      @realm ||= domain
+      @realm ||= super
+      @realm = @realm.upcase
+    end
+
+    def domain
+      @domain ||= opts[:ad_domain] if opts[:ad_domain].present?
+      @domain ||= super
+      @domain
+    end
+
+    private
+
+    def configure_sssd
+      info_msg("Configuring SSSD Service")
+      sssd = Sssd.new(opts)
+      sssd.load(SSSD_CONFIG)
+      sssd.configure_domain(domain)
+      sssd.section("domain/#{domain}")["ad_server"] = opts[:ad_server] if opts[:ad_server].present?
+      sssd.section("sssd")["domains"] = domain
+      sssd.section("sssd")["default_domain_suffix"] = domain
+      sssd.add_service("pam")
+      sssd.configure_ifp
+      debug_msg("- Creating #{SSSD_CONFIG}")
+      sssd.save(SSSD_CONFIG)
+    end
+
+    def join_ad_realm
+      info_msg("Joining the AD Realm ...")
+      debug_msg(" - realm join #{realm} ...")
+      command_run!(REALM_COMMAND, :params => ["join", domain, "-U", opts[:ad_user]], :stdin_data => opts[:ad_password])
+    end
+
+    def realm_permit_all
+      info_msg("Allowing AD Users to Login ...")
+      command_run!(REALM_COMMAND, :params => ["permit", "--all"])
+    end
+
+    def update_kerberos_keytab_permissions
+      info_msg("Updating Kerberos keytab permissions ...")
+      FileUtils.chown("apache", "root", KERBEROS_KEYTAB_FILE)
+      FileUtils.chmod(0o640, KERBEROS_KEYTAB_FILE)
+    end
+  end
+end

data/lib/httpd_configmap_generator/base.rb

@@ -0,0 +1,83 @@
+require "pathname"
+require "httpd_configmap_generator/base/command"
+require "httpd_configmap_generator/base/config"
+require "httpd_configmap_generator/base/config_map"
+require "httpd_configmap_generator/base/file"
+require "httpd_configmap_generator/base/kerberos"
+require "httpd_configmap_generator/base/network"
+require "httpd_configmap_generator/base/pam"
+require "httpd_configmap_generator/base/principal"
+require "httpd_configmap_generator/base/sssd"
+
+module HttpdConfigmapGenerator
+  class Base
+    APACHE_USER          = "apache".freeze
+    HTTP_KEYTAB          = "/etc/http.keytab".freeze
+    IPA_COMMAND          = "/usr/bin/ipa".freeze
+    KERBEROS_CONFIG_FILE = "/etc/krb5.conf".freeze
+    LDAP_ATTRS           = {
+      "mail"        => "REMOTE_USER_EMAIL",
+      "givenname"   => "REMOTE_USER_FIRSTNAME",
+      "sn"          => "REMOTE_USER_LASTNAME",
+      "displayname" => "REMOTE_USER_FULLNAME",
+      "domainname"  => "REMOTE_USER_DOMAIN"
+    }.freeze
+    PAM_CONFIG           = "/etc/pam.d/httpd-auth".freeze
+    SSSD_CONFIG          = "/etc/sssd/sssd.conf".freeze
+    TIMESTAMP_FORMAT     = "%Y%m%d_%H%M%S".freeze
+
+    attr_accessor :opts
+
+    def initialize(opts = {})
+      @opts = opts
+      @realm = @domain = nil
+    end
+
+    def err_msg(msg)
+      STDERR.puts(msg)
+    end
+
+    def info_msg(msg)
+      STDOUT.puts(msg)
+    end
+
+    def debug_msg(msg)
+      STDOUT.puts(msg) if opts[:debug]
+    end
+
+    def required_options
+      {
+        :host   => { :description => "Application Domain",
+                     :short       => "-h" },
+        :output => { :description => "Configuration map file to create",
+                     :short       => "-o" }
+      }
+    end
+
+    def optional_options
+      {
+        :force => { :description => "Force configuration if configured already",
+                    :short       => "-f",
+                    :default     => false },
+        :debug => { :description => "Enable debugging",
+                    :short       => "-d",
+                    :default     => false }
+      }
+    end
+
+    def run_configure(opts)
+      validate_options(opts)
+      @opts = opts
+      unconfigure if configured? && opts[:force]
+      raise "#{self.class.name} Already Configured" if configured?
+      unless ENV["HTTPD_AUTH_TYPE"]
+        raise "Not running in httpd_configmap_generator container - Skipping #{self.class.name} configuration"
+      end
+      configure(opts)
+    end
+
+    def validate_options(_options)
+      nil
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/command.rb

@@ -0,0 +1,29 @@
+require "awesome_spawn"
+
+module HttpdConfigmapGenerator
+  class Base
+    def command_run(executable, options = {})
+      if opts && opts[:debug]
+        debug_msg("Running Command: #{AwesomeSpawn.build_command_line(executable, options)}")
+      end
+      AwesomeSpawn.run(executable, options)
+    end
+
+    def command_run!(executable, options = {})
+      if opts && opts[:debug]
+        debug_msg("Running Command: #{AwesomeSpawn.build_command_line(executable, options)}")
+      end
+      AwesomeSpawn.run!(executable, options)
+    end
+
+    def log_command_error(err)
+      err_msg("Command Error: #{err}")
+      if err.kind_of?(AwesomeSpawn::CommandResultError)
+        err_msg("stdout: #{err.result.output}")
+        err_msg("stderr: #{err.result.error}")
+      else
+        err_msg(err.backtrace)
+      end
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/config.rb

@@ -0,0 +1,13 @@
+require "active_support"
+require "active_support/core_ext" # for Time.current
+
+module HttpdConfigmapGenerator
+  class Base
+    def config_file_backup(path)
+      if File.exist?(path)
+        timestamp = Time.current.strftime(TIMESTAMP_FORMAT)
+        FileUtils.copy(path, "#{path}.#{timestamp}")
+      end
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/config_map.rb

@@ -0,0 +1,183 @@
+require "base64"
+require "yaml"
+require "uri"
+require "etc"
+
+module HttpdConfigmapGenerator
+  class ConfigMap < Base
+    DATA_SECTION = "data".freeze
+    AUTH_CONFIGURATION = "auth-configuration.conf".freeze
+
+    attr_accessor :config_map
+    attr_accessor :opts
+
+    def initialize(opts = {})
+      @opts = opts
+      @config_map = template
+    end
+
+    def generate(auth_type, realm, file_list)
+      info_msg("Generating Auth Config-Map for #{auth_type}")
+      @config_map = template(auth_type, realm)
+      file_specs = gen_filespecs(file_list)
+      define_configuration(file_specs)
+      include_files(file_specs)
+    end
+
+    def load(file_path)
+      @config_map = File.exist?(file_path) ? YAML.load_file(file_path) : {}
+    end
+
+    def save(file_path)
+      delete_target_file(file_path)
+      info_msg("Saving Auth Config-Map to #{file_path}")
+      File.open(file_path, "w") { |f| f.write(config_map.to_yaml) }
+    end
+
+    def add_files(file_list)
+      return unless file_list
+      file_specs = gen_filespecs_for_files_to_add(file_list)
+      update_configuration(file_specs)
+      include_files(file_specs)
+    end
+
+    def export_file(file_entry, output_file)
+      basename, _target_file, _mode = search_file_entry(file_entry)
+      raise "File #{file_entry} does not exist in the configuration map" unless basename
+      delete_target_file(output_file)
+      create_target_directory(output_file)
+      debug_msg("Exporting #{file_entry} to #{output_file} ...")
+      content = config_map.fetch_path(DATA_SECTION, basename)
+      content = Base64.decode64(content) if basename =~ /^.*\.base64$/
+      File.write(output_file, content)
+    end
+
+    private
+
+    def template(auth_type = "internal", kerberos_realms = "undefined")
+      {
+        DATA_SECTION => {
+          "auth-type"            => auth_type,
+          "auth-kerberos-realms" => kerberos_realms
+        },
+        "kind"       => "ConfigMap",
+        "metadata"   => {
+          "name" => "httpd-auth-configs"
+        }
+      }
+    end
+
+    def gen_filespecs(file_list)
+      file_specs = []
+      file_list.each do |file|
+        file_specs << file_entry_spec(file.strip)
+      end
+      file_specs.sort_by { |file_spec| file_spec[:basename] }
+    end
+
+    # Supporting the following signatures:
+    #   /path/of/real/file
+    #   /path/of/source/file,/path/of/real/file
+    #   /path/of/source/file,/path/of/real/file,mode
+    #   http://url_source,/path/of/real/file,mode
+    def gen_filespecs_for_files_to_add(file_list)
+      file_specs = []
+      file_list.each do |file_to_add|
+        file_spec = file_to_add.split(",").map(&:strip)
+        case file_spec.length
+        when 1
+          file = file_spec.first
+          file_entry = file_entry_spec(file)
+        when 2
+          source_file, target_file = file_spec
+          raise "Must specify a mode for URL file sources" if source_file =~ URI.regexp(%w(http https))
+          file_entry = file_entry_spec(source_file, target_file)
+        when 3
+          source_file, target_file, mode = file_spec
+          if source_file =~ URI.regexp(%w(http https))
+            fetch_network_file(source_file, target_file)
+            file_entry = file_entry_spec(target_file, target_file, mode)
+          else
+            file_entry = file_entry_spec(source_file, target_file, mode)
+          end
+        else
+          raise "Invalid file specification #{file_to_add}"
+        end
+        file_specs << file_entry
+      end
+      file_specs.sort_by { |file_spec| file_spec[:basename] }
+    end
+
+    def file_entry_spec(source_file, target_file = nil, mode = nil)
+      target_file = source_file.dup unless target_file
+      unless mode
+        stat = File.stat(source_file)
+        file_owner = Etc.getpwuid(stat.uid).name
+        file_group = Etc.getgrgid(stat.gid).name
+      end
+      {
+        :basename => File.basename(target_file).dup,
+        :binary   => file_binary?(source_file),
+        :target   => target_file,
+        :mode     => mode ? mode : "%4o:%s:%s" % [stat.mode & 0o7777, file_owner, file_group]
+      }
+    end
+
+    def update_configuration(file_specs)
+      auth_configuration = fetch_auth_configuration
+      return define_configuration(file_specs) unless auth_configuration
+      # first, remove any file_specs references in the file list, we don't want duplication here.
+      auth_configuration = auth_configuration.split("\n")
+      file_specs.each do |file_spec|
+        entry = auth_configuration.select { |line| line =~ file_entry_regex(file_spec[:target]) }
+        auth_configuration -= entry if entry
+      end
+      auth_configuration = auth_configuration.join("\n") + "\n"
+      # now, append any of the new file_specs at the end of the list.
+      append_configuration(auth_configuration, file_specs)
+    end
+
+    def search_file_entry(target_file)
+      auth_configuration = fetch_auth_configuration
+      return nil unless auth_configuration
+      auth_configuration = auth_configuration.split("\n")
+      entry = auth_configuration.select { |line| line =~ file_entry_regex(target_file) }
+      entry ? entry.first.split('=')[1].strip.split(' ') : nil
+    end
+
+    def define_configuration(file_specs)
+      auth_configuration = "# External Authentication Configuration File\n#\n"
+      append_configuration(auth_configuration, file_specs)
+    end
+
+    def include_files(file_specs)
+      file_specs.each do |file_spec|
+        content = File.read(file_spec[:target])
+        content = Base64.encode64(content) if file_spec[:binary]
+        # encode(:universal_newline => true) will convert \r\n to \n, necessary for to_yaml to render properly.
+        config_map[DATA_SECTION].merge!(file_basename(file_spec) => content.encode(:universal_newline => true))
+      end
+    end
+
+    def file_basename(file_spec)
+      file_spec[:binary] ? "#{file_spec[:basename]}.base64" : file_spec[:basename]
+    end
+
+    def append_configuration(auth_configuration, file_specs)
+      file_specs.each do |file_spec|
+        debug_msg("Adding file #{file_spec[:target]} ...")
+        auth_configuration += "file = #{file_basename(file_spec)} #{file_spec[:target]} #{file_spec[:mode]}\n"
+      end
+      config_map[DATA_SECTION] ||= {}
+      config_map[DATA_SECTION].merge!(AUTH_CONFIGURATION => auth_configuration)
+    end
+
+    def fetch_auth_configuration
+      config_map.fetch_path(DATA_SECTION, AUTH_CONFIGURATION)
+    end
+
+    def file_entry_regex(target_file)
+      /^file = .* #{target_file} .*$/
+    end
+  end
+end