httpd_configmap_generator 0.1.0

data/lib/httpd_configmap_generator/base/file.rb

@@ -0,0 +1,66 @@
+require "pathname"
+
+module HttpdConfigmapGenerator
+  class Base
+    def template_directory
+      @template_directory ||= begin
+        Pathname.new(Bundler.locked_gems.specs.select { |g| g.name == "httpd_configmap_generator" }.first.gem_dir).join("templates")
+      end
+    end
+
+    def cp_template(file, src_dir, dest_dir = "/")
+      src_path  = path_join(src_dir, file)
+      dest_path = path_join(dest_dir, file.gsub(".erb", ""))
+      if src_path.to_s.include?(".erb")
+        File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
+      else
+        FileUtils.cp(src_path, dest_path)
+      end
+    end
+
+    def delete_target_file(file_path)
+      if File.exist?(file_path)
+        if opts[:force]
+          info_msg("File #{file_path} exists, forcing a delete")
+          File.delete(file_path)
+        else
+          raise "File #{file_path} already exist"
+        end
+      end
+    end
+
+    def create_target_directory(file_path)
+      dirname = File.dirname(file_path)
+      return if File.exist?(dirname)
+      debug_msg("Creating directory #{dirname} ...")
+      FileUtils.mkdir_p(dirname)
+    end
+
+    def rm_file(file, dir = "/")
+      path = path_join(dir, file)
+      File.delete(path) if File.exist?(path)
+    end
+
+    def path_join(*args)
+      path = Pathname.new(args.shift)
+      args.each { |path_seg| path = path.join("./#{path_seg}") }
+      path
+    end
+
+    def file_binary?(file)
+      data = File.read(file)
+      ascii = control = binary = total = 0
+      data[0..512].each_byte do |c|
+        total += 1
+        if c < 32
+          control += 1
+        elsif c >= 32 && c <= 128
+          ascii += 1
+        else
+          binary += 1
+        end
+      end
+      control.to_f / ascii > 0.1 || binary.to_f / ascii > 0.05
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/kerberos.rb

@@ -0,0 +1,13 @@
+module HttpdConfigmapGenerator
+  class Base
+    def enable_kerberos_dns_lookups
+      info_msg("Configuring Kerberos DNS Lookups")
+      config_file_backup(KERBEROS_CONFIG_FILE)
+      krb5config = File.read(KERBEROS_CONFIG_FILE)
+      krb5config[/(\s*)dns_lookup_kdc(\s*)=(\s*)(.*)/, 4] = 'true'   if krb5config[/(\s*)dns_lookup_kdc(\s*)=/]
+      krb5config[/(\s*)dns_lookup_realm(\s*)=(\s*)(.*)/, 4] = 'true' if krb5config[/(\s*)dns_lookup_realm(\s*)=/]
+      debug_msg("- Updating #{KERBEROS_CONFIG_FILE}")
+      File.write(KERBEROS_CONFIG_FILE, krb5config)
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/network.rb

@@ -0,0 +1,37 @@
+module HttpdConfigmapGenerator
+  class Base
+    HOSTNAME_COMMAND = "/usr/bin/hostname".freeze
+
+    def realm
+      domain.upcase
+    end
+
+    def domain
+      domain_from_host(opts[:host])
+    end
+
+    def domain_from_host(host)
+      host.gsub(/^([^.]+\.)/, '') if host.present? && host.include?('.')
+    end
+
+    def host_reachable?(host)
+      require "net/ping"
+      Net::Ping::External.new(host).ping
+    end
+
+    def update_hostname(host)
+      command_run!(HOSTNAME_COMMAND, :params => [host]) if command_run(HOSTNAME_COMMAND).output.strip != host
+    end
+
+    def fetch_network_file(source_file, target_file)
+      require "net/http"
+
+      delete_target_file(target_file)
+      create_target_directory(target_file)
+      info_msg("Downloading #{source_file} ...")
+      result = Net::HTTP.get_response(URI(source_file))
+      raise "Failed to fetch URL file source #{source_file}" unless result.kind_of?(Net::HTTPSuccess)
+      File.write(target_file, result.body)
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/pam.rb

@@ -0,0 +1,9 @@
+module HttpdConfigmapGenerator
+  class Base
+    def configure_pam
+      info_msg("Configuring PAM")
+      debug_msg("- Creating #{PAM_CONFIG}")
+      cp_template(PAM_CONFIG, template_directory)
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/principal.rb

@@ -0,0 +1,33 @@
+require "awesome_spawn"
+
+module HttpdConfigmapGenerator
+  class Principal < Base
+    attr_accessor :hostname
+    attr_accessor :realm        # EXAMPLE.COM
+    attr_accessor :service      # HTTP
+
+    attr_accessor :name         # Kerberos principal name generated
+
+    def initialize(options = {})
+      options.each { |n, v| public_send("#{n}=", v) }
+      @realm = @realm.upcase if @realm
+      @name ||= "#{service}/#{hostname}@#{realm}"
+      @name
+    end
+
+    def register
+      request unless exist?
+    end
+
+    private
+
+    def exist?
+      command_run(IPA_COMMAND, :params => ["-e", "skip_version_check=1", "service-find", "--principal", name]).success?
+    end
+
+    def request
+      # Using --force because these services tend not to be in dns. This is like VERIFY_NONE.
+      command_run!(IPA_COMMAND, :params => ["-e", "skip_version_check=1", "service-add", "--force", name])
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/sssd.rb

@@ -0,0 +1,51 @@
+require 'iniparse'
+
+module HttpdConfigmapGenerator
+  class Sssd < Base
+    attr_accessor :sssd
+    attr_accessor :opts
+
+    def initialize(opts = {})
+      @opts = opts
+      @sssd = nil
+    end
+
+    def load(file_path)
+      @sssd = IniParse.open(file_path)
+    end
+
+    def save(file_path)
+      return unless sssd
+      config_file_backup(file_path)
+      info_msg("Saving SSSD to #{file_path}")
+      sssd.save(file_path)
+    end
+
+    def configure_domain(domain)
+      domain = section("domain/#{domain}")
+      domain["ldap_user_extra_attrs"] = LDAP_ATTRS.keys.join(", ")
+      domain["entry_cache_timeout"] = 600
+    end
+
+    def add_service(service)
+      services = section("sssd")["services"]
+      services = (services.split(",").map(&:strip) | [service]).join(", ")
+      sssd.section("sssd")["services"] = services
+      sssd.section(service)
+    end
+
+    def configure_ifp
+      add_service("ifp")
+      ifp = section("ifp")
+      ifp["allowed_uids"] = "#{APACHE_USER}, root"
+      ifp["user_attributes"] = LDAP_ATTRS.keys.collect { |k| "+#{k}" }.join(", ")
+    end
+
+    def section(key)
+      if key =~ /^domain\/.*$/
+        key = sssd.entries.collect(&:key).select { |k| k.downcase == key.downcase }.first
+      end
+      sssd.section(key)
+    end
+  end
+end

data/lib/httpd_configmap_generator/export.rb

@@ -0,0 +1,31 @@
+module HttpdConfigmapGenerator
+  class Export < Base
+    def required_options
+      {
+        :input  => { :description => "Input config map file",
+                     :short       => "-i" },
+        :file   => { :description => "Config map file to export",
+                     :short       => "-l" },
+        :output => { :description => "The output file being exported",
+                     :short       => "-o" }
+      }
+    end
+
+    def export(opts)
+      validate_options(opts)
+      @opts = opts
+      config_map = ConfigMap.new(opts)
+      config_map.load(opts[:input])
+      config_map.export_file(opts[:file], opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    private
+
+    def validate_options(options)
+      raise "Input configuration map #{options[:input]} does not exist" unless File.exist?(options[:input])
+    end
+  end
+end

data/lib/httpd_configmap_generator/ipa.rb

@@ -0,0 +1,122 @@
+module HttpdConfigmapGenerator
+  class Ipa < Base
+    IPA_INSTALL_COMMAND  = "/usr/sbin/ipa-client-install".freeze
+    IPA_GETKEYTAB        = "/usr/sbin/ipa-getkeytab".freeze
+    AUTH = {
+      :type    => "external",
+      :subtype => "ipa"
+    }.freeze
+
+    def required_options
+      super.merge(
+        :ipa_server   => { :description => "IPA Server Fqdn"     },
+        :ipa_password => { :description => "IPA Server Password" }
+      )
+    end
+
+    def optional_options
+      super.merge(
+        :ipa_principal => { :description => "IPA Server Principal", :default => "admin" },
+        :ipa_domain    => { :description => "Domain of IPA Server" },
+        :ipa_realm     => { :description => "Realm of IPA Server" }
+      )
+    end
+
+    def persistent_files
+      %w(
+        /etc/http.keytab
+        /etc/ipa/ca.crt
+        /etc/ipa/default.conf
+        /etc/ipa/nssdb/cert8.db
+        /etc/ipa/nssdb/key3.db
+        /etc/ipa/nssdb/pwdfile.txt
+        /etc/ipa/nssdb/secmod.db
+        /etc/krb5.conf
+        /etc/krb5.keytab
+        /etc/nsswitch.conf
+        /etc/openldap/ldap.conf
+        /etc/pam.d/fingerprint-auth-ac
+        /etc/pam.d/httpd-auth
+        /etc/pam.d/password-auth-ac
+        /etc/pam.d/postlogin-ac
+        /etc/pam.d/smartcard-auth-ac
+        /etc/pam.d/system-auth-ac
+        /etc/pki/ca-trust/source/ipa.p11-kit
+        /etc/sssd/sssd.conf
+        /etc/sysconfig/authconfig
+        /etc/sysconfig/network
+      )
+    end
+
+    def configure(opts)
+      update_hostname(opts[:host])
+      command_run!(IPA_INSTALL_COMMAND,
+                   :params => [
+                     "-N", :force_join, :fixed_primary, :unattended, {
+                       :realm=     => realm,
+                       :domain=    => domain,
+                       :server=    => opts[:ipa_server],
+                       :principal= => opts[:ipa_principal],
+                       :password=  => opts[:ipa_password]
+                     }
+                   ])
+      configure_ipa_http_service
+      configure_pam
+      configure_sssd
+      enable_kerberos_dns_lookups
+      config_map = ConfigMap.new(opts)
+      config_map.generate(AUTH[:type], realm, persistent_files)
+      config_map.save(opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    def configured?
+      File.exist?(SSSD_CONFIG)
+    end
+
+    def unconfigure
+      return unless configured?
+      command_run(IPA_INSTALL_COMMAND, :params => [:uninstall, :unattended])
+    end
+
+    def realm
+      @realm ||= opts[:ipa_realm] if opts[:ipa_realm].present?
+      @realm ||= domain
+      @realm ||= super
+      @realm = @realm.upcase
+    end
+
+    def domain
+      @domain ||= opts[:ipa_domain] if opts[:ipa_domain].present?
+      @domain ||= domain_from_host(opts[:ipa_server]) if opts[:ipa_server].present?
+      @domain ||= super
+      @domain
+    end
+
+    private
+
+    def configure_sssd
+      info_msg("Configuring SSSD Service")
+      sssd = Sssd.new(opts)
+      sssd.load(SSSD_CONFIG)
+      sssd.configure_domain(domain)
+      sssd.add_service("pam")
+      sssd.configure_ifp
+      debug_msg("- Creating #{SSSD_CONFIG}")
+      sssd.save(SSSD_CONFIG)
+    end
+
+    def configure_ipa_http_service
+      info_msg("Configuring IPA HTTP Service")
+      command_run!("/usr/bin/kinit", :params => [opts[:ipa_principal]], :stdin_data => opts[:ipa_password])
+      service = Principal.new(:hostname => opts[:host], :realm => realm, :service => "HTTP")
+      service.register
+      debug_msg("- Fetching #{HTTP_KEYTAB}")
+      command_run!(IPA_GETKEYTAB, :params => {"-s" => opts[:ipa_server], "-k" => HTTP_KEYTAB, "-p" => service.name})
+      FileUtils.chown(APACHE_USER, nil, HTTP_KEYTAB)
+      FileUtils.chmod(0o600, HTTP_KEYTAB)
+    end
+  end
+end

data/lib/httpd_configmap_generator/options.rb

@@ -0,0 +1,13 @@
+module HttpdConfigmapGenerator
+  def self.required_options
+    {
+      :host => { :description => "Application Domain" }
+    }
+  end
+
+  def self.optional_options
+    {
+      :force => { :description => "Force configuration if configured already", :default => false }
+    }
+  end
+end

data/lib/httpd_configmap_generator/saml.rb

@@ -0,0 +1,104 @@
+module HttpdConfigmapGenerator
+  class Saml < Base
+    MELLON_CREATE_METADATA_COMMAND = "/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh".freeze
+    SAML2_CONFIG_DIRECTORY = "/etc/httpd/saml2".freeze
+    MIQSP_METADATA_FILE    = "#{SAML2_CONFIG_DIRECTORY}/miqsp-metadata.xml".freeze
+    IDP_METADATA_FILE      = "#{SAML2_CONFIG_DIRECTORY}/idp-metadata.xml".freeze
+    AUTH = {
+      :type    => "saml",
+      :subtype => "saml"
+    }.freeze
+
+    def required_options
+      super
+    end
+
+    def optional_options
+      super.merge(
+        :keycloak_add_metadata => { :description => "Download and add the Keycloak metadata file",
+                                    :default     => false },
+        :keycloak_server       => { :description => "Keycloak Server Fqdn or IP" },
+        :keycloak_realm        => { :description => "Keycloak Realm for this client"}
+      )
+    end
+
+    def persistent_files
+      file_list = %w(
+        /etc/httpd/saml2/miqsp-key.key
+        /etc/httpd/saml2/miqsp-cert.cert
+        /etc/httpd/saml2/miqsp-metadata.xml
+      )
+      file_list += [IDP_METADATA_FILE] if opts[:keycloak_add_metadata]
+      file_list
+    end
+
+    def configure(opts)
+      update_hostname(opts[:host])
+      Dir.mkdir(SAML2_CONFIG_DIRECTORY)
+      Dir.chdir(SAML2_CONFIG_DIRECTORY) do
+        command_run!(MELLON_CREATE_METADATA_COMMAND,
+                     :params => [
+                       "https://#{opts[:host]}",
+                       "https://#{opts[:host]}/saml2"
+                     ])
+        rename_mellon_configfiles
+        fetch_idp_metadata
+      end
+      config_map = ConfigMap.new(opts)
+      config_map.generate(AUTH[:type], realm, persistent_files)
+      config_map.save(opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    def configured?
+      File.exist?(MIQSP_METADATA_FILE)
+    end
+
+    def unconfigure
+      return unless configured?
+      FileUtils.rm_rf(SAML2_CONFIG_DIRECTORY) if Dir.exist?(SAML2_CONFIG_DIRECTORY)
+    end
+
+    private
+
+    def validate_options(options)
+      super(options)
+      if options[:keycloak_add_metadata]
+        if options[:keycloak_server] == "" || options[:keycloak_realm] == ""
+          raise "Must specify both keycloak-server and keycloak-realm for fetching the IdP metadata file"
+        end
+      end
+    end
+
+    def rename_mellon_configfiles
+      info_msg("Renaming mellon config files")
+      Dir.chdir(SAML2_CONFIG_DIRECTORY) do
+        Dir.glob("https_*.*") do |mellon_file|
+          miq_saml2_file = nil
+          case mellon_file
+          when /^https_.*\.key$/
+            miq_saml2_file = "miqsp-key.key"
+          when /^https_.*\.cert$/
+            miq_saml2_file = "miqsp-cert.cert"
+          when /^https_.*\.xml$/
+            miq_saml2_file = "miqsp-metadata.xml"
+          end
+          if miq_saml2_file
+            debug_msg("- renaming #{mellon_file} to #{miq_saml2_file}")
+            File.rename(mellon_file, miq_saml2_file)
+          end
+        end
+      end
+    end
+
+    def fetch_idp_metadata
+      if opts[:keycloak_add_metadata]
+        source_file  = "http://#{opts[:keycloak_server]}:8080"
+        source_file += "/auth/realms/#{opts[:keycloak_realm]}/protocol/saml/descriptor"
+        fetch_network_file(source_file, IDP_METADATA_FILE)
+      end
+    end
+  end
+end