httpd_configmap_generator 0.1.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 269f3519101488e9580699f67f1fa479f1db78f6
-  data.tar.gz: 3224b233aedc0c5ae68cb0299d2438e165b2b7f5
+SHA256:
+  metadata.gz: aff6b3f7af181564f46a046634efe1965f4ed7936db37d143afa8d5ad0e59890
+  data.tar.gz: ebd0cfa723b123acd3cc8beac4b30e8349991c0563a93289cacd71440798a644
 SHA512:
-  metadata.gz: a0d1935e46028b58c93d019e38b1133d2653414ae77d4bc0e33182a7d1d1230c43bdf12dd5cccd233c381bf6aa8c9fe3a632c37bd220dd3a2ec8cc820b3d1301
-  data.tar.gz: 7d85650f7f2b59dc7db1345e48e0486687fea752482232d3d1cccbde9b20e273b455003cbc45eaadff9bbd62a58b11d243abed5f23debcd57374b35da60f987e
+  metadata.gz: 430913f53ac70692b10393aaaad7c94619a6a7b674871e84286a88020f86ee1bdd2fbfe8e87fa74a031402a07e7d5c6ca6dffe18de51c4465039ebc35ddde2ac
+  data.tar.gz: 149a5aa5978a38e573d112a0138f7574a09b1427b225aaf79d528b039e9ea7a11a5a0a6e392917e9d4c4baa01f5a5603e81d71ae08eba95950426e70d7d71ba7

data/.gitignore

@@ -1,3 +1,4 @@
+Dockerfile.devel
 .rubocop-*
 /bundle/
 /.bundle/

data/.travis.yml

@@ -1,7 +1,8 @@
+---
 language: ruby
 rvm:
-- '2.3.5'
-- '2.4.2'
+- 2.5.7
+- 2.6.5
 sudo: false
 cache: bundler
 after_script: bundle exec codeclimate-test-reporter

data/.yamllint

@@ -0,0 +1,11 @@
+---
+ignore: |
+  /vendor/**
+
+extends: relaxed
+
+rules:
+  indentation:
+    indent-sequences: false
+  line-length:
+    max: 120

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM manageiq/httpd:latest
+FROM manageiq/httpd-init:latest
 MAINTAINER ManageIQ https://github.com/ManageIQ
 
 LABEL name="httpd-configmap-generator" \
@@ -11,6 +11,7 @@ ENV HTTPD_AUTH_TYPE=internal \
     HTTPD_AUTH_KERBEROS_REALMS=undefined \
     TERM=xterm
 
-RUN yum -y install openldap-clients pamtester
+RUN dnf -y --disableplugin=subscription-manager install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
+    dnf -y --disableplugin=subscription-manager install openldap-clients pamtester
 
 RUN gem install --no-ri --no-rdoc --no-document httpd_configmap_generator

data/Gemfile

@@ -2,3 +2,7 @@ source "https://rubygems.org"
 
 # Leverage the httpd_configmap_generator.gemspec
 gemspec
+
+# Load other additional Gemfiles
+#   Developers can create a file ending in .rb under bundler.d/ to specify additional development dependencies
+Dir.glob(File.join(__dir__, 'bundler.d/*.rb')).each { |f| eval_gemfile(File.expand_path(f, __dir__)) }

data/README-active-directory.md

@@ -8,21 +8,17 @@ by joining an Active Directory domain.
 
 ```
 $ httpd_configmap_generator active-directory --help
-httpd_configmap_generator 0.1.0 - External Authentication Configuration script
-
-Usage: httpd_configmap_generator auth_type | update | export [--help | options]
-
-httpd_configmap_generator options are:
-  -V, --version              Version of the httpd_configmap_generator command
-  -h, --host=<s>             Application Domain (default: )
-  -o, --output=<s>           Configuration map file to create (default: )
-  -a, --ad-domain=<s>        Active Directory Domain (default: )
-  -u, --ad-server=<s>        Active Directory User (default: )
-  -p, --ad-password=<s>      Active Directory Password (default: )
-  -f, --force                Force configuration if configured already
-  -d, --debug                Enable debugging
-  -r, --ad-realm=<s>         Active Directory Realm (default: )
-  -e, --help                 Show this message
+Options:
+  -h, --host=<s>           Application Domain
+  -o, --output=<s>         Configuration map file to create
+  -a, --ad-domain=<s>      Active Directory Domain
+  -u, --ad-user=<s>        Active Directory User
+  -p, --ad-password=<s>    Active Directory Password
+  -f, --force              Force configuration if configured already
+  -d, --debug              Enable debugging
+  -r, --ad-realm=<s>       Active Directory Realm
+  -s, --ad-server=<s>      Active Directory Server
+  -e, --help               Show this message
 ```
 
 ### Example:

data/README-ipa.md

@@ -8,21 +8,16 @@ for an IPA server.
 
 ```
 $ httpd_configmap_generator ipa --help
-httpd_configmap_generator 0.1.0 - External Authentication Configuration script
-
-Usage: httpd_configmap_generator auth_type | update | export [--help | options]
-
-httpd_configmap_generator options are:
-  -V, --version              Version of the httpd_configmap_generator command
-  -h, --host=<s>             Application Domain (default: )
-  -o, --output=<s>           Configuration map file to create (default: )
-  -i, --ipa-server=<s>       IPA Server Fqdn (default: )
-  -p, --ipa-password=<s>     IPA Server Password (default: )
+Options:
+  -h, --host=<s>             Application Domain
+  -o, --output=<s>           Configuration map file to create
+  -i, --ipa-server=<s>       IPA Server FQDN
+  -p, --ipa-password=<s>     IPA Server Password
   -f, --force                Force configuration if configured already
   -d, --debug                Enable debugging
   -a, --ipa-principal=<s>    IPA Server Principal (default: admin)
-  -m, --ipa-domain=<s>       Domain of IPA Server (default: )
-  -r, --ipa-realm=<s>        Realm of IPA Server (default: )
+  -m, --ipa-domain=<s>       Domain of IPA Server
+  -r, --ipa-realm=<s>        Realm of IPA Server
   -e, --help                 Show this message
 ```
 

data/README-ldap.md

@@ -0,0 +1,62 @@
+# Httpd Configmap Generator - LDAP
+
+This documents how to run the httpd\_configmap\_generator tool to configure external authentication
+for an LDAP server.
+
+
+## Usage for the `ldap` auth-type:
+
+```
+$ httpd_configmap_generator ldap --help
+Options:
+  -h, --host=<s>                           Application Domain
+  -o, --output=<s>                         Configuration map file to create
+  -c, --cert-file=<s>                      Cert File
+  -l, --ldap-host=<s>                      LDAP Directory Host FQDN
+  -a, --ldap-mode=<s>                      ldap | ldaps
+  -p, --ldap-basedn=<s>                    LDAP Directory Base DN
+  -f, --force                              Force configuration if configured already
+  -d, --debug                              Enable debugging
+  -g, --ldap-group-name=<s>                LDAP Directory Group Name (default: cn)
+  -r, --ldap-group-member=<s>              Attribute containing the names of the
+                                           group's members (default: member)
+  -u, --ldap-group-object-class=<s>        The object class of a group entry in
+                                           LDAP (default: groupOfNames)
+  -i, --ldap-id-use-start-tls,
+      --no-ldap-id-use-start-tls           Connection use tls? (default: true)
+  -t, --ldap-port=<s>                      LDAP Directory Port
+  -s, --ldap-tls-reqcert=<s>               The checks to perform on server
+                                           certificates. (Default: allow)
+  -e, --ldap-user-gid-number=<s>           LDAP attribute corresponding to the
+                                           user's gid (default: gidNumber)
+  -n, --ldap-user-name=<s>                 LDAP Directory User Name (default: cn)
+  -b, --ldap-user-object-class=<s>         Object class of a user entry in LDAP
+                                           (default: posixAccount)
+  -m, --ldap-user-uid-number=<s>           LDAP attribute corresponding to the
+                                           user's id (default: uidNumber)
+  --ldap-user-search-base=<s>              The user DN search scope
+  --ldap-group-search-base=<s>             The group DN search scope
+  -x, --support-non-posix                  Supports non-posix user records
+  --help                                   Shows this message
+```
+
+### Example:
+
+```
+$ httpd_configmap_generator ldap \
+    --force                                                 \
+    --host=application.example.com                          \
+    --ldap-mode=ldap                                        \
+    --ldap-host=ldap-server.example.com                     \
+    --ldap-port=10389                                       \
+    --ldap-basedn=dc=example,dc=com                         \
+    --ldap-group-name=cn                                    \
+    --ldap-group-search-base=ou=groups,dc=example,dc=com    \
+    --ldap-group-object-class=groupOfNames                  \
+    --ldap-user-name=uid                                    \
+    --ldap-user-search-base=ou=users,dc=example,dc=com      \
+    --ldap-user-object-class=person                         \
+    --cert-file=/etc/openldap/cacerts/apacheds-cert.pem     \
+    --debug                                                 \
+    -o /tmp/external-ldap.yaml
+```

data/README-oidc.md

@@ -0,0 +1,39 @@
+# Httpd Configmap Generator - OpenID-Connect (OIDC)
+
+This documents how to run the httpd\_configmap\_generator tool to configure the container against an OpenID-Connect (OIDC) identity provider.
+
+## Usage for the `oidc` auth-type:
+
+```
+$ httpd_configmap_generator oidc --help
+Options:
+  -o, --output=<s>                Configuration map file to create
+  -u, --oidc-url=<s>              OpenID-Connect Provider URL
+  -i, --oidc-client-id=<s>        OpenID-Connect Provider Client ID
+  -s, --oidc-client-secret=<s>    OpenID-Connect Provider Client Secret
+  -f, --force                     Force configuration if configured already
+  -d, --debug                     Enable debugging
+  -h, --help                      Show this message
+
+```
+
+### Examples:
+
+Creates the extra data for the container:
+
+```
+$ httpd_configmap_generator oidc \
+    --force                                     \
+    --oidc-url=http://my-keycloak:8080/auth/realms/miq/.well-known/openid-configuration \
+    --oidc-client-id=my-keycloak-oidc-client \ 
+    --oidc-client-secret=99999999-9999-9999-a999-99999a999999 \
+    --debug                                     \
+    -o /tmp/external-oidc.yaml
+```
+
+The auth configmap file for oidc does not include any files. It only includes the following extra data:
+
+* auth-oidc-provider-metadata-url
+* auth-oidc-client-id
+* auth-oidc-client-secret
+

data/README-saml.md

@@ -6,19 +6,14 @@ This documents how to run the httpd\_configmap\_generator tool to configure the
 
 ```
 $ httpd_configmap_generator saml --help
-httpd_configmap_generator 0.1.0 - External Authentication Configuration script
-
-Usage: httpd_configmap_generator auth_type | update | export [--help | options]
-
-httpd_configmap_generator options are:
-  -V, --version                  Version of the httpd_configmap_generator command
-  -h, --host=<s>                 Application Domain (default: )
-  -o, --output=<s>               Configuration map file to create (default: )
+Options:
+  -h, --host=<s>                 Application Domain
+  -o, --output=<s>               Configuration map file to create
   -f, --force                    Force configuration if configured already
   -d, --debug                    Enable debugging
   -k, --keycloak-add-metadata    Download and add the Keycloak metadata file
-  -e, --keycloak-server=<s>      Keycloak Server Fqdn or IP (default: )
-  -y, --keycloak-realm=<s>       Keycloak Realm for this client (default: )
+  -e, --keycloak-server=<s>      Keycloak Server FQDN or IP
+  -y, --keycloak-realm=<s>       Keycloak Realm for this client
   -l, --help                     Show this message
 ```
 
@@ -61,10 +56,10 @@ $ httpd_configmap_generator saml     \
 In the above example, the auth configmap file would include the following files:
 
 * /etc/httpd/saml2/
-  - miqsp-metadata.xml
-  - miqsp-cert.cert
-  - miqsp-key.key
+  - sp-metadata.xml
+  - sp-cert.cert
+  - sp-key.key
   - idp-metadata.xml
 
-For Keycloak, the `miqsp-metadata.xml` file can be imported to create the Client ID for
+For Keycloak, the `sp-metadata.xml` file can be imported to create the Client ID for
 the `application.example.com` application domain.

data/README.md

@@ -1,7 +1,7 @@
 # Httpd Configmap Generator
 
 [![Gem Version](https://badge.fury.io/rb/httpd_configmap_generator.svg)](http://badge.fury.io/rb/httpd_configmap_generator)
-[![Build Status](https://travis-ci.org/ManageIQ/httpd_configmap_generator.svg)](https://travis-ci.org/ManageIQ/httpd_configmap_generator)
+[![Build Status](https://travis-ci.org/ManageIQ/httpd_configmap_generator.svg?branch=master)](https://travis-ci.org/ManageIQ/httpd_configmap_generator)
 [![Code Climate](https://codeclimate.com/github/ManageIQ/httpd_configmap_generator.svg)](https://codeclimate.com/github/ManageIQ/httpd_configmap_generator)
 [![Test Coverage](https://codeclimate.com/github/ManageIQ/httpd_configmap_generator/badges/coverage.svg)](https://codeclimate.com/github/ManageIQ/httpd_configmap_generator/coverage)
 [![Dependency Status](https://gemnasium.com/ManageIQ/httpd_configmap_generator.svg)](https://gemnasium.com/ManageIQ/httpd_configmap_generator)
@@ -23,10 +23,16 @@ gem install httpd_configmap_generator
 Generating an auth-config map can be done by running the httpd\_configmap\_generator tool
 
 ```
-$ httpd_configmap_generator
+$ httpd_configmap_generator --help
+httpd_configmap_generator 0.1.1 - External Authentication Configuration script
 
 Usage: httpd_configmap_generator auth_type | update | export [--help | options]
-Supported auth_type: active-directory, ipa, saml
+
+supported auth_type: active-directory, ipa, ldap, saml, oidc
+
+httpd_configmap_generator options are:
+  -V, --version    Version of the httpd_configmap_generator command
+  -h, --help       Show this message
 ```
 
 Showing the usage for each authentication type or sub-command as follows:
@@ -37,11 +43,13 @@ $ httpd_configmap_generator ipa --help
 
 ## Supported Authentication Types
 
-|auth-type         | Identity Provider/Environment                  | for usage: |
-|------------------|------------------------------------------------|------------|
-| active-directory | Active Directory domain realm join             | [README-active-directory](README-active-directory.md) |
-| ipa              | IPA, IPA 2-factor authentication, IPA/AD Trust | [README-ipa](README-ipa.md) |
-| saml             | Keycloak, etc.                                 | [README-saml](README-saml.md) |
+|auth-type                          | Identity Provider/Environment                    | for usage:                                            |
+|-----------------------------------|--------------------------------------------------|-------------------------------------------------------|
+| active-directory                  | Active Directory domain realm join               | [README-active-directory](README-active-directory.md) |
+| ipa                               | IPA, IPA 2-factor authentication, IPA/AD Trust   | [README-ipa](README-ipa.md)                           |
+| ldap                              | Ldap directories                                 | [README-ldap](README-ldap.md)                         |
+| saml                              | Keycloak, etc.                                   | [README-saml](README-saml.md)                         |
+| OpenID-Connect (oidc)             | Keycloak, etc.                                   | [README-oidc](README-oidc.md)                         |
 
 ___
 
@@ -53,17 +61,12 @@ map as per the following usage:
 
 ```
 $ httpd_configmap_generator update --help
-httpd_configmap_generator 0.1.0 - External Authentication Configuration script
-
-Usage: httpd_configmap_generator auth_type | update | export [--help | options]
-
-httpd_configmap_generator options are:
-  -V, --version         Version of the httpd_configmap_generator command
-  -i, --input=<s>       Input config map file (default: )
-  -o, --output=<s>      Output config map file (default: )
+Options:
+  -i, --input=<s>       Input config map file
+  -o, --output=<s>      Output config map file
   -f, --force           Force configuration if configured already
   -d, --debug           Enable debugging
-  -a, --add-file=<s>    Add file to config map (default: )
+  -a, --add-file=<s>    Add file to config map
   -h, --help            Show this message
 ```
 
@@ -127,7 +130,7 @@ $ httpd_configmap_generator update \
 ```
 $ httpd_configmap_generator update \
   --input=/tmp/original-auth-configmap.yaml \
-  --add-file=http://aab-keycloak:8080/auth/realms/miq/protocol/saml/description,/etc/httpd/saml2/idp-metadata.xml,644:root:root \
+  --add-file=http://aab-keycloak:8080/auth/realms/testrealm/protocol/saml/description,/etc/httpd/saml2/idp-metadata.xml,644:root:root \
   --output=/tmp/updated-auth-configmap.yaml
 ```
 
@@ -143,15 +146,10 @@ map as per the following usage:
 
 ```
 $ httpd_configmap_generator export --help
-httpd_configmap_generator 0.1.0 - External Authentication Configuration script
-
-Usage: httpd_configmap_generator auth_type | update | export [--help | options]
-
-httpd_configmap_generator options are:
-  -V, --version       Version of the httpd_configmap_generator command
-  -i, --input=<s>     Input config map file (default: )
-  -l, --file=<s>      Config map file to export (default: )
-  -o, --output=<s>    The output file being exported (default: )
+Options:
+  -i, --input=<s>     Input config map file
+  -l, --file=<s>      Config map file to export
+  -o, --output=<s>    The output file being exported
   -f, --force         Force configuration if configured already
   -d, --debug         Enable debugging
   -h, --help          Show this message
@@ -218,7 +216,7 @@ Example for generating a configuration map for IPA:
 
 ```
 $ docker exec $CONFIGMAP_GENERATOR_ID httpd_configmap_generator ipa \
-    --host=miq-appliance.example.com    \
+    --host=appliance.example.com        \
     --ipa-server=ipaserver.example.com  \
     --ipa-domain=example.com            \
     --ipa-realm=EXAMPLE.COM             \
@@ -263,39 +261,29 @@ ___
 
 ### Pre-deployment tasks
 
-#### If running without OCI systemd hooks (Minishift)
-
-The httpd-configmap-generator service account must be added to the miq-sysadmin SCC before the Httpd Auth Config pod can run.
+The httpd-configmap-generator service account must be added to the httpd-scc-sysadmin SCC before the Httpd Configmap Generator can run.
 
 ##### As Admin
 
-```
-$ oc adm policy add-scc-to-user miq-sysadmin system:serviceaccount:<your-namespace>:httpd-configmap-generator
-```
-
-Verify that the httpd-configmap-generator service account is now included in the miq-sysadmin SCC:
+Create the httpd-scc-sysadmin SCC:
 
 ```
-$ oc describe scc miq-sysadmin | grep Users
-Users:        system:serviceaccount:<your-namespace>:httpd-configmap-generator
+$ oc create -f templates/httpd-scc-sysadmin.yaml
 ```
 
-#### If running  with OCI systemd hooks
-
-##### As Admin
+Include the httpd-configmap-generator service account with the new SCC:
 
 ```
-$ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-namespace>:httpd-configmap-generator
+$ oc adm policy add-scc-to-user httpd-scc-sysadmin system:serviceaccount:<your-namespace>:httpd-configmap-generator
 ```
 
-Verify that the httpd-configmap-generator service account is now included in the miq-sysadmin SCC:
+Verify that the httpd-configmap-generator service account is now included in the httpd-scc-sysadmin SCC:
 
 ```
-$ oc describe scc anyuid | grep Users
+$ oc describe scc httpd-scc-sysadmin | grep Users
 Users:        system:serviceaccount:<your-namespace>:httpd-configmap-generator
 ```
 
-
 ### Deploy the Httpd Configmap Generator Application
 
 As basic user
@@ -336,20 +324,20 @@ $ CONFIGMAP_GENERATOR_POD=`oc get pods | grep "httpd-configmap-generator" | cut
 ### Generating a configmap for external authentication against IPA
 
 ```
-$ oc rsh $CONFIGMAP_GENERATOR_POD httpd_configmap_generator ipa ...
+$ oc exec $CONFIGMAP_GENERATOR_POD  -- bash -c 'httpd_configmap_generator ipa ...
 ```
 
 Example configuration:
 
 ```
-$ oc rsh $CONFIGMAP_GENERATOR_POD httpd_configmap_generator ipa \
-    --host=miq-appliance.example.com    \
+$ oc exec $CONFIGMAP_GENERATOR_POD -- bash -c 'httpd_configmap_generator ipa \
+    --host=appliance.example.com        \
     --ipa-server=ipaserver.example.com  \
     --ipa-domain=example.com            \
     --ipa-realm=EXAMPLE.COM             \
     --ipa-principal=admin               \
     --ipa-password=smartvm1             \
-    -o /tmp/external-ipa.yaml
+    -o /tmp/external-ipa.yaml'
 ```
 
 `--host` above must be the DNS of the application exposing the httpd auth pod,