httpd_configmap_generator 0.1.1 → 0.3.0

data/lib/httpd_configmap_generator/base/kerberos.rb

@@ -1,13 +1,15 @@
 module HttpdConfigmapGenerator
   class Base
-    def enable_kerberos_dns_lookups
-      info_msg("Configuring Kerberos DNS Lookups")
-      config_file_backup(KERBEROS_CONFIG_FILE)
-      krb5config = File.read(KERBEROS_CONFIG_FILE)
-      krb5config[/(\s*)dns_lookup_kdc(\s*)=(\s*)(.*)/, 4] = 'true'   if krb5config[/(\s*)dns_lookup_kdc(\s*)=/]
-      krb5config[/(\s*)dns_lookup_realm(\s*)=(\s*)(.*)/, 4] = 'true' if krb5config[/(\s*)dns_lookup_realm(\s*)=/]
-      debug_msg("- Updating #{KERBEROS_CONFIG_FILE}")
-      File.write(KERBEROS_CONFIG_FILE, krb5config)
+    module Kerberos
+      def enable_kerberos_dns_lookups
+        info_msg("Configuring Kerberos DNS Lookups")
+        config_file_backup(KERBEROS_CONFIG_FILE)
+        krb5config = File.read(KERBEROS_CONFIG_FILE)
+        krb5config[/(\s*)dns_lookup_kdc(\s*)=(\s*)(.*)/, 4] = 'true'   if krb5config[/(\s*)dns_lookup_kdc(\s*)=/]
+        krb5config[/(\s*)dns_lookup_realm(\s*)=(\s*)(.*)/, 4] = 'true' if krb5config[/(\s*)dns_lookup_realm(\s*)=/]
+        debug_msg("- Updating #{KERBEROS_CONFIG_FILE}")
+        File.write(KERBEROS_CONFIG_FILE, krb5config)
+      end
     end
   end
 end

data/lib/httpd_configmap_generator/base/network.rb

@@ -1,37 +1,39 @@
 module HttpdConfigmapGenerator
   class Base
-    HOSTNAME_COMMAND = "/usr/bin/hostname".freeze
+    module Network
+      HOSTNAME_COMMAND = "/usr/bin/hostname".freeze
 
-    def realm
-      domain.upcase
-    end
+      def realm
+        domain.upcase
+      end
 
-    def domain
-      domain_from_host(opts[:host])
-    end
+      def domain
+        domain_from_host(opts[:host])
+      end
 
-    def domain_from_host(host)
-      host.gsub(/^([^.]+\.)/, '') if host.present? && host.include?('.')
-    end
+      def domain_from_host(host)
+        host.gsub(/^([^.]+\.)/, '') if host.present? && host.include?('.')
+      end
 
-    def host_reachable?(host)
-      require "net/ping"
-      Net::Ping::External.new(host).ping
-    end
+      def host_reachable?(host)
+        require "net/ping"
+        Net::Ping::External.new(host).ping
+      end
 
-    def update_hostname(host)
-      command_run!(HOSTNAME_COMMAND, :params => [host]) if command_run(HOSTNAME_COMMAND).output.strip != host
-    end
+      def update_hostname(host)
+        command_run!(HOSTNAME_COMMAND, :params => [host]) if command_run(HOSTNAME_COMMAND).output.strip != host
+      end
 
-    def fetch_network_file(source_file, target_file)
-      require "net/http"
+      def fetch_network_file(source_file, target_file)
+        require "net/http"
 
-      delete_target_file(target_file)
-      create_target_directory(target_file)
-      info_msg("Downloading #{source_file} ...")
-      result = Net::HTTP.get_response(URI(source_file))
-      raise "Failed to fetch URL file source #{source_file}" unless result.kind_of?(Net::HTTPSuccess)
-      File.write(target_file, result.body)
+        delete_target_file(target_file)
+        create_target_directory(target_file)
+        info_msg("Downloading #{source_file} ...")
+        result = Net::HTTP.get_response(URI(source_file))
+        raise "Failed to fetch URL file source #{source_file}" unless result.kind_of?(Net::HTTPSuccess)
+        File.write(target_file, result.body)
+      end
     end
   end
 end

data/lib/httpd_configmap_generator/base/pam.rb

@@ -1,9 +1,11 @@
 module HttpdConfigmapGenerator
   class Base
-    def configure_pam
-      info_msg("Configuring PAM")
-      debug_msg("- Creating #{PAM_CONFIG}")
-      cp_template(PAM_CONFIG, template_directory)
+    module Pam
+      def configure_pam
+        info_msg("Configuring PAM")
+        debug_msg("- Creating #{PAM_CONFIG}")
+        cp_template(PAM_CONFIG, template_directory)
+      end
     end
   end
 end

data/lib/httpd_configmap_generator/base/sssd.rb

@@ -43,7 +43,7 @@ module HttpdConfigmapGenerator
 
     def section(key)
       if key =~ /^domain\/.*$/
-        key = sssd.entries.collect(&:key).select { |k| k.downcase == key.downcase }.first
+        key = sssd.entries.collect(&:key).select { |k| k.downcase == key.downcase }.first || key
       end
       sssd.section(key)
     end

data/lib/httpd_configmap_generator/ipa.rb

@@ -1,3 +1,5 @@
+require "socket"               
+
 module HttpdConfigmapGenerator
   class Ipa < Base
     IPA_INSTALL_COMMAND  = "/usr/sbin/ipa-client-install".freeze
@@ -9,7 +11,9 @@ module HttpdConfigmapGenerator
 
     def required_options
       super.merge(
-        :ipa_server   => { :description => "IPA Server Fqdn"     },
+        :host         => { :description => "Application Domain",
+                           :short       => "-h" },
+        :ipa_server   => { :description => "IPA Server FQDN"     },
         :ipa_password => { :description => "IPA Server Password" }
       )
     end
@@ -49,6 +53,7 @@ module HttpdConfigmapGenerator
     end
 
     def configure(opts)
+      opts[:host] = get_canonical_hostname(opts[:host])
       update_hostname(opts[:host])
       command_run!(IPA_INSTALL_COMMAND,
                    :params => [
@@ -118,5 +123,11 @@ module HttpdConfigmapGenerator
       FileUtils.chown(APACHE_USER, nil, HTTP_KEYTAB)
       FileUtils.chmod(0o600, HTTP_KEYTAB)
     end
+
+    def get_canonical_hostname(hostname)
+      Socket.gethostbyname(hostname)[0]
+    rescue SocketError
+      hostname
+    end
   end
 end

data/lib/httpd_configmap_generator/ldap.rb

@@ -0,0 +1,186 @@
+module HttpdConfigmapGenerator
+  class Ldap < Base
+    AUTHCONFIG_COMMAND = "/usr/sbin/authconfig".freeze
+    LDAP_MODES = %w(ldap ldaps).freeze
+
+    AUTH = {
+      :type    => "external",
+      :subtype => "ldap"
+    }.freeze
+
+    def required_options
+      super.merge(
+        :host        => { :description => "Application Domain",
+                          :short       => "-h" },
+        :cert_file   => { :description => "Cert File" },
+        :ldap_host   => { :description => "LDAP Directory Host FQDN" },
+        :ldap_mode   => { :description => "ldap | ldaps" },
+        :ldap_basedn => { :description => "LDAP Directory Base DN" },
+      )
+    end
+
+    def optional_options
+      super.merge(
+        :ldap_group_name         => { :description => "LDAP Directory Group Name",
+                                      :default     => "cn" },
+        :ldap_group_member       => { :description => "Attribute containing the names of the group's members",
+                                      :default     => "member" },
+        :ldap_group_object_class => { :description => "The object class of a group entry in LDAP",
+                                      :default     => "groupOfNames" },
+        :ldap_id_use_start_tls   => { :description => "Connection use tls?",
+                                      :default     => true },
+        :ldap_port               => { :description => "LDAP Directory Port" },
+        :ldap_tls_reqcert        => { :description => "The checks to perform on server certificates.",
+                                      :default     => "allow" },
+        :ldap_user_gid_number    => { :description => "LDAP attribute corresponding to the user's gid",
+                                      :default     => "gidNumber" },
+        :ldap_user_name          => { :description => "LDAP Directory User Name",
+                                      :default     => "cn"},
+        :ldap_user_object_class  => { :description => "Object class of a user entry in LDAP",
+                                      :default     => "posixAccount" },
+        :ldap_user_uid_number    => { :description => "LDAP attribute corresponding to the user's id",
+                                      :default     => "uidNumber" },
+        :ldap_user_search_base   => { :description => "The user DN search scope" },
+        :ldap_group_search_base  => { :description => "The group DN search scope" },
+        :support_non_posix       => { :description => "Suppoert non-posix user records",
+                                      :default     => false },
+      )
+    end
+
+    def persistent_files
+      %w(/etc/nsswitch.conf
+         /etc/openldap/ldap.conf
+         /etc/pam.d/fingerprint-auth-ac
+         /etc/pam.d/httpd-auth
+         /etc/pam.d/password-auth-ac
+         /etc/pam.d/postlogin-ac
+         /etc/pam.d/smartcard-auth-ac
+         /etc/pam.d/system-auth-ac
+         /etc/sssd/sssd.conf
+         /etc/sysconfig/authconfig) + [opts[:cert_file]]
+    end
+
+    def configure(opts)
+      update_hostname(opts[:host])
+
+      init_search_base
+      run_auth_config
+      configure_pam
+      configure_sssd
+      chmod_chown_cert_file
+      config_map = ConfigMap.new(opts)
+      config_map.generate(AUTH[:type], realm, persistent_files)
+      config_map.save(opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    def unconfigure
+      return unless configured?
+      raise "Unable to unconfigure authentication against LDAP"
+    end
+
+    def configured?
+      File.exist?(SSSD_CONFIG)
+    end
+
+    def domain
+      opts[:ldap_basedn].split(",").collect do |p|
+        p.split('dc=')[1]
+      end.compact.join('.')
+    end
+
+    private
+
+    def ldapserver_url
+      opts[:ldap_port] ||= opts[:ldap_mode].downcase == "ldaps" ? 636 : 389
+      "#{opts[:ldap_mode]}://#{opts[:ldap_host]}:#{opts[:ldap_port]}"
+    end
+
+    def init_search_base
+      opts[:ldap_user_search_base] = opts[:ldap_basedn] if opts[:ldap_user_search_base]  == ""
+      opts[:ldap_group_search_base] = opts[:ldap_basedn] if opts[:ldap_group_search_base] == ""
+    end
+
+    def configure_sssd
+      info_msg("Configuring SSSD Service")
+      sssd = Sssd.new(opts)
+      sssd.load(SSSD_CONFIG)
+
+      sssd.configure_domain("default")
+      domain_section = sssd.section("domain/default")
+      domain_section["ldap_group_member"] = opts[:ldap_group_member]
+      domain_section["ldap_group_name"] = opts[:ldap_group_name]
+      domain_section["ldap_group_object_class"] = opts[:ldap_group_object_class]
+      domain_section["ldap_group_search_base"] = opts[:ldap_group_search_base]
+      domain_section["ldap_id_use_start_tls"] = opts[:ldap_id_use_start_tls]
+      domain_section["ldap_network_timeout"] = "3"
+      domain_section["ldap_pwd_policy"] = "none"
+      domain_section["ldap_tls_cacert"] = opts[:cert_file]
+      domain_section["ldap_tls_reqcert"] = opts[:ldap_tls_reqcert]
+      domain_section["ldap_user_gid_number"] = opts[:ldap_user_gid_number]
+      domain_section["ldap_user_name"] = opts[:ldap_user_name]
+      domain_section["ldap_user_object_class"] = opts[:ldap_user_object_class]
+      domain_section["ldap_user_search_base"] = opts[:ldap_user_search_base]
+      domain_section["ldap_user_uid_number"] = opts[:ldap_user_uid_number]
+      domain_section.delete("ldap_tls_cacertdir")
+
+      sssd_section = sssd.section("sssd")
+      sssd_section["config_file_version"] = "2"
+      sssd_section["domains"] = domain
+      sssd_section["default_domain_suffix"] = domain
+      sssd_section["sbus_timeout"] = "30"
+      sssd_section["services"] = "nss, pam, ifp"
+
+      sssd.add_service("pam")
+
+      sssd.configure_ifp
+
+      if opts[:support_non_posix]
+        sssd.section("pam")["pam_app_services"] = "httpd-auth"
+
+        debug_msg("- Setting application section to [application/#{domain}]")
+        domain_section.key = "application/#{domain}"
+
+        debug_msg("- Adding domain section to [domain/#{domain}]")
+        sssd.section("domain/#{domain}")
+      else
+        debug_msg("- Setting domain section to [domain/#{domain}]")
+        domain_section.key = "domain/#{domain}"
+      end
+
+      debug_msg("- Creating #{SSSD_CONFIG}")
+      sssd.save(SSSD_CONFIG)
+    end
+
+    def chmod_chown_cert_file
+      FileUtils.chown('root', 'root', opts[:cert_file])
+      FileUtils.chmod(0o600, opts[:cert_file])
+    end
+
+    def run_auth_config
+      params = {
+        :ldapserver=        => ldapserver_url,
+        :ldapbasedn=        => opts[:ldap_basedn],
+        :enablesssd         => nil,
+        :enablesssdauth     => nil,
+        :enablelocauthorize => nil,
+        :enableldap         => nil,
+        :enableldapauth     => nil,
+        :disableldaptls     => nil,
+        :enablerfc2307bis   => nil,
+        :enablecachecreds   => nil,
+        :update             => nil
+      }
+
+      command_run!(AUTHCONFIG_COMMAND, :params => params)
+    end
+
+    def validate_options(opts)
+      super(opts)
+      raise "ldap-mode must be one of #{LDAP_MODES.join(", ")}" unless LDAP_MODES.include?(opts[:ldap_mode].downcase)
+      raise "TLS certificate File #{opts[:cert_file]} not found" unless File.exist?(opts[:cert_file])
+    end
+  end
+end

data/lib/httpd_configmap_generator/oidc.rb

@@ -0,0 +1,48 @@
+module HttpdConfigmapGenerator
+  class Oidc < Base
+
+    AUTH = {
+      :type    => "openid-connect",
+      :subtype => "oidc"
+    }.freeze
+
+    def required_options
+      super.merge(
+        :oidc_url           => { :description => "OpenID-Connect Provider URL", 
+                                 :short       => "-u" },
+        :oidc_client_id     => { :description => "OpenID-Connect Provider Client ID",
+                                 :short       => "-i" },
+        :oidc_client_secret => { :description => "OpenID-Connect Provider Client Secret",
+                                 :short       => "-s" },
+      )
+    end
+
+    def configure(opts)
+      auth_oidc_data = {}
+      auth_oidc_data["auth-oidc-provider-metadata-url"] = opts[:oidc_url]
+      auth_oidc_data["auth-oidc-client-id"] = opts[:oidc_client_id]
+      auth_oidc_data["auth-oidc-client-secret"] = opts[:oidc_client_secret]
+
+      config_map = ConfigMap.new(opts)
+      config_map.generate(AUTH[:type], nil, nil, auth_oidc_data )
+      config_map.save(opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    def validate_options(opts)
+      super(opts)
+    end
+
+    def configured?
+      false
+    end
+
+    def unconfigure
+      return unless configured?
+    end
+
+  end
+end
+

data/lib/httpd_configmap_generator/saml.rb

@@ -2,7 +2,7 @@ module HttpdConfigmapGenerator
   class Saml < Base
     MELLON_CREATE_METADATA_COMMAND = "/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh".freeze
     SAML2_CONFIG_DIRECTORY = "/etc/httpd/saml2".freeze
-    MIQSP_METADATA_FILE    = "#{SAML2_CONFIG_DIRECTORY}/miqsp-metadata.xml".freeze
+    SP_METADATA_FILE       = "#{SAML2_CONFIG_DIRECTORY}/sp-metadata.xml".freeze
     IDP_METADATA_FILE      = "#{SAML2_CONFIG_DIRECTORY}/idp-metadata.xml".freeze
     AUTH = {
       :type    => "saml",
@@ -10,23 +10,25 @@ module HttpdConfigmapGenerator
     }.freeze
 
     def required_options
-      super
+      super.merge(
+        :host => { :description => "Application Domain", :short => "-h" },
+      )
     end
 
     def optional_options
       super.merge(
         :keycloak_add_metadata => { :description => "Download and add the Keycloak metadata file",
                                     :default     => false },
-        :keycloak_server       => { :description => "Keycloak Server Fqdn or IP" },
+        :keycloak_server       => { :description => "Keycloak Server FQDN or IP" },
         :keycloak_realm        => { :description => "Keycloak Realm for this client"}
       )
     end
 
     def persistent_files
       file_list = %w(
-        /etc/httpd/saml2/miqsp-key.key
-        /etc/httpd/saml2/miqsp-cert.cert
-        /etc/httpd/saml2/miqsp-metadata.xml
+        /etc/httpd/saml2/sp-key.key
+        /etc/httpd/saml2/sp-cert.cert
+        /etc/httpd/saml2/sp-metadata.xml
       )
       file_list += [IDP_METADATA_FILE] if opts[:keycloak_add_metadata]
       file_list
@@ -53,7 +55,7 @@ module HttpdConfigmapGenerator
     end
 
     def configured?
-      File.exist?(MIQSP_METADATA_FILE)
+      File.exist?(SP_METADATA_FILE)
     end
 
     def unconfigure
@@ -76,18 +78,18 @@ module HttpdConfigmapGenerator
       info_msg("Renaming mellon config files")
       Dir.chdir(SAML2_CONFIG_DIRECTORY) do
         Dir.glob("https_*.*") do |mellon_file|
-          miq_saml2_file = nil
+          saml2_file = nil
           case mellon_file
           when /^https_.*\.key$/
-            miq_saml2_file = "miqsp-key.key"
+            saml2_file = "sp-key.key"
           when /^https_.*\.cert$/
-            miq_saml2_file = "miqsp-cert.cert"
+            saml2_file = "sp-cert.cert"
           when /^https_.*\.xml$/
-            miq_saml2_file = "miqsp-metadata.xml"
+            saml2_file = "sp-metadata.xml"
           end
-          if miq_saml2_file
-            debug_msg("- renaming #{mellon_file} to #{miq_saml2_file}")
-            File.rename(mellon_file, miq_saml2_file)
+          if saml2_file
+            debug_msg("- renaming #{mellon_file} to #{saml2_file}")
+            File.rename(mellon_file, saml2_file)
           end
         end
       end