manageiq-appliance_console 1.0.0

data/lib/manageiq/appliance_console/errors.rb

@@ -0,0 +1,5 @@
+module ManageIQ
+  module ApplianceConsole
+    class MiqSignalError < RuntimeError; end
+  end
+end

data/lib/manageiq/appliance_console/external_auth_options.rb

@@ -0,0 +1,153 @@
+require 'pathname'
+require 'fileutils'
+
+module ManageIQ
+module ApplianceConsole
+  class ExternalAuthOptions
+    AUTH_PATH = "/authentication".freeze
+
+    EXT_AUTH_OPTIONS = {
+      "#{AUTH_PATH}/sso_enabled"          => {:label => "Single Sign-On", :logic => true},
+      "#{AUTH_PATH}/saml_enabled"         => {:label => "SAML",           :logic => true},
+      "#{AUTH_PATH}/local_login_disabled" => {:label => "Local Login",    :logic => false}
+    }.freeze
+
+    include ManageIQ::ApplianceConsole::Logging
+
+    def initialize
+      @updates = {}
+      @current_config = {}
+    end
+
+    def ask_questions
+      @current_config = load_current
+      apply = EXT_AUTH_OPTIONS.keys.count + 1
+      skip = apply + 1
+      selection = 0
+      while selection < apply
+        say("\nExternal Authentication Options:")
+        cnt = 1
+        EXT_AUTH_OPTIONS.keys.each do |key|
+          current_state = selected_value(key)
+          say("#{cnt}) #{selected_verb(key, !current_state)} #{EXT_AUTH_OPTIONS[key][:label]}")
+          cnt += 1
+        end
+        say("#{apply}) Apply updates")
+        say("#{skip}) Skip updates")
+        show_updates
+        selection = ask_for_integer("option number to apply", 1..skip)
+        if selection < apply
+          key = EXT_AUTH_OPTIONS.keys[selection - 1]
+          @updates[key] = !selected_value(key)
+        end
+      end
+      @updates = {} if selection == skip
+      true
+    end
+
+    def show_updates
+      updates_todo = ""
+      EXT_AUTH_OPTIONS.keys.each do |key|
+        next unless @updates.key?(key)
+        updates_todo << ", " if updates_todo.present?
+        updates_todo << " #{selected_verb(key, @updates[key])} #{EXT_AUTH_OPTIONS[key][:label]}"
+      end
+      updates_to_apply = updates_todo.present? ? "Updates to apply: #{updates_todo}" : ""
+      say("\n#{updates_to_apply}")
+    end
+
+    def selected_value(key)
+      return @updates[key] if @updates.key?(key)
+      return @current_config[key] if @current_config.key?(key)
+      false
+    end
+
+    def selected_verb(key, flag)
+      if EXT_AUTH_OPTIONS[key][:logic]
+        flag ? "Enable" : "Disable"
+      else
+        flag ? "Disable" : "Enable"
+      end
+    end
+
+    def any_updates?
+      @updates.present?
+    end
+
+    def update_configuration(update_hash = nil)
+      update_hash ||= @updates
+      if update_hash.present?
+        say("\nUpdating external authentication options on appliance ...")
+        params = update_hash.collect { |key, value| "#{key}=#{value}" }
+        result = ManageIQ::ApplianceConsole::Utilities.rake_run("evm:settings:set", params)
+        raise parse_errors(result).join(', ') if result.failure?
+      end
+    end
+
+    # extauth_opts option parser: syntax is key=value,key=value
+    #   key is one of the EXT_AUTH_OPTIONS keys.
+    #   value is one of 1, true, 0 or false.
+    #
+    def parse(options)
+      parsed_updates = {}
+      options.split(",").each do |keyval|
+        key, val = keyval.split('=')
+        key, val = normalize_key(key.to_s.strip), val.to_s.strip
+        unless EXT_AUTH_OPTIONS.key?(key)
+          message = "Unknown external authentication option #{key} specified"
+          message << ", supported options are #{EXT_AUTH_OPTIONS.keys.join(', ')}"
+          raise message
+        end
+
+        value = option_value(val)
+        raise("Invalid #{key} option value #{val} specified, must be true or false") if value.nil?
+        parsed_updates[key] = value
+      end
+      parsed_updates
+    end
+
+    def self.configured?
+      # DB Up and running
+      true
+    end
+
+    private
+
+    def load_current
+      say("\nFetching external authentication options from appliance ...")
+      result = ManageIQ::ApplianceConsole::Utilities.rake_run("evm:settings:get", EXT_AUTH_OPTIONS.keys)
+
+      if result.success?
+        return parse_response(result)
+      else
+        raise parse_errors(result).join(', ')
+      end
+    end
+
+    def parse_errors(result)
+      result.error.split("\n").collect { |line| line if line =~ /^error: /i }.compact
+    end
+
+    def normalize_key(key)
+      key.include?('/') ? key : "#{AUTH_PATH}/#{key}"
+    end
+
+    def parse_response(result)
+      result.output.split("\n").each_with_object({}) do |line, hash|
+        key, val = line.split("=")
+        hash[key] = parse_value(val)
+      end
+    end
+
+    def option_value(value)
+      return true  if value == '1' || value =~ /true/i
+      return false if value == '0' || value =~ /false/i
+      nil
+    end
+
+    def parse_value(value)
+      value.present? ? option_value(value) : false
+    end
+  end
+end
+end

data/lib/manageiq/appliance_console/external_database_configuration.rb

@@ -0,0 +1,34 @@
+module ManageIQ
+module ApplianceConsole
+  class ExternalDatabaseConfiguration < DatabaseConfiguration
+    attr_accessor :action
+
+    def initialize(hash = {})
+      set_defaults
+      super
+    end
+
+    def set_defaults
+      self.username = "root"
+      self.port     = DEFAULT_PORT
+      self.database = "vmdb_production"
+    end
+
+    def activate
+      ask_questions if host.nil?
+      super
+    end
+
+    def ask_questions
+      create_new_region_questions if action == :create
+      clear_screen
+      say("Database Configuration\n")
+      ask_for_database_credentials(false)
+    end
+
+    def post_activation
+      start_evm
+    end
+  end
+end
+end

data/lib/manageiq/appliance_console/external_httpd_authentication.rb

@@ -0,0 +1,157 @@
+require "manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration"
+
+module ManageIQ
+module ApplianceConsole
+  class ExternalHttpdAuthentication
+    include ExternalHttpdConfiguration
+
+    def initialize(host = nil, options = {})
+      @ipaserver, @domain, @password = nil
+      @host      = host
+      @domain    = options[:domain] || domain_from_host(host)
+      @realm     = options[:realm]
+      @ipaserver = options[:ipaserver]
+      @principal = options[:principal] || "admin"
+      @password  = options[:password]
+      @timestamp = Time.now.strftime(TIMESTAMP_FORMAT)
+
+      @ipaserver = fqdn(@ipaserver, @domain)
+    end
+
+    def ask_for_parameters
+      say("\nIPA Server Parameters:\n\n")
+      @ipaserver = ask_for_hostname("IPA Server Hostname", @ipaserver)
+      @domain    = ask_for_domain("IPA Server Domain", @domain)
+      @realm     = ask_for_string("IPA Server Realm", realm)
+      @principal = ask_for_string("IPA Server Principal", @principal)
+      @password  = ask_for_password("IPA Server Principal Password", @password)
+
+      @ipaserver = fqdn(@ipaserver, @domain)
+    end
+
+    def show_parameters
+      say("\nExternal Authentication (httpd) Configuration:\n")
+      say("IPA Server Details:\n")
+      say("  Hostname:       #{@ipaserver}\n")
+      say("  Domain:         #{@domain}\n")
+      say("  Realm:          #{realm}\n")
+      say("  Naming Context: #{domain_naming_context}\n")
+      say("  Principal:      #{@principal}\n")
+    end
+
+    def show_current_configuration
+      return unless ipa_client_configured?
+      config = config_file_read(SSSD_CONFIG)
+      say("\nCurrent External Authentication (httpd) Configuration:\n")
+      say("IPA Server Details:\n")
+      say("  Hostname:       #{fetch_ipa_configuration("ipa_server", config)}\n")
+      say("  Domain:         #{fetch_ipa_configuration("ipa_domain", config)}\n")
+    end
+
+    def ask_questions
+      return false unless valid_environment?
+      ask_for_parameters
+      show_parameters
+      return false unless agree("\nProceed? (Y/N): ")
+      return false unless valid_parameters?(@ipaserver)
+      true
+    end
+
+    def activate
+      begin
+        configure_ipa
+        configure_pam
+        configure_sssd
+        configure_ipa_http_service
+        configure_httpd
+        configure_selinux
+      rescue AwesomeSpawn::CommandResultError => e
+        say e.result.output
+        say e.result.error
+        say ""
+        say("Failed to Configure External Authentication - #{e}")
+        return false
+      rescue => e
+        say("Failed to Configure External Authentication - #{e}")
+        return false
+      end
+      true
+    end
+
+    def post_activation
+      say("\nRestarting httpd, if running ...")
+      httpd_service = LinuxAdmin::Service.new("httpd")
+      httpd_service.restart if httpd_service.running?
+
+      say("Restarting sssd and configure it to start on reboots ...")
+      LinuxAdmin::Service.new("sssd").restart.enable
+    end
+
+    private
+
+    def domain_naming_context
+      @domain.split(".").collect { |s| "dc=#{s}" }.join(",")
+    end
+
+    def domain_from_host(host)
+      host.gsub(/^([^.]+\.)/, '') if host && host.include?('.')
+    end
+
+    def fqdn(host, domain)
+      (host && domain && !host.include?(".")) ? "#{host}.#{domain}" : host
+    end
+
+    def realm
+      (@realm || @domain).upcase
+    end
+
+    def configure_ipa
+      say("\nConfiguring IPA (may take a minute) ...")
+      ipa_client_unconfigure if ipa_client_configured?
+      ipa_client_configure(realm, @domain, @ipaserver, @principal, @password)
+      enable_kerberos_dns_lookups
+    end
+
+    def configure_pam
+      say("Configuring pam ...")
+      cp_template(PAM_CONFIG, template_directory)
+    end
+
+    def configure_sssd
+      say("Configuring sssd ...")
+      config = config_file_read(SSSD_CONFIG)
+      configure_sssd_domain(config, @domain)
+      configure_sssd_service(config)
+      configure_sssd_ifp(config)
+      config_file_write(config, SSSD_CONFIG, @timestamp)
+    end
+
+    def configure_ipa_http_service
+      say("Configuring IPA HTTP Service and Keytab ...")
+      AwesomeSpawn.run!("/usr/bin/kinit", :params => [@principal], :stdin_data => @password)
+      service = Principal.new(:hostname => @host, :realm => realm, :service => "HTTP", :ca_name => "ipa")
+      service.register
+      AwesomeSpawn.run!(IPA_GETKEYTAB, :params => {"-s" => @ipaserver, "-k" => HTTP_KEYTAB, "-p" => service.name})
+      FileUtils.chown(APACHE_USER, nil, HTTP_KEYTAB)
+      FileUtils.chmod(0600, HTTP_KEYTAB)
+    end
+
+    def configure_httpd
+      say("Configuring httpd ...")
+      configure_httpd_application
+    end
+
+    def configure_selinux
+      say("Configuring SELinux ...")
+      get_enforce = AwesomeSpawn.run!(GETENFORCE_COMMAND)
+      if get_enforce.output.downcase.include?("disabled")
+        say("SELinux is Disabled")
+      else
+        AwesomeSpawn.run!("#{SETSEBOOL_COMMAND} -P allow_httpd_mod_auth_pam on")
+        result = AwesomeSpawn.run("#{GETSEBOOL_COMMAND} httpd_dbus_sssd")
+        AwesomeSpawn.run!("#{SETSEBOOL_COMMAND} -P httpd_dbus_sssd on") if result.exit_status == 0
+      end
+    end
+  end
+end
+end

data/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb

@@ -0,0 +1,249 @@
+require 'active_support/core_ext/module/delegation'
+require 'pathname'
+
+module ManageIQ
+module ApplianceConsole
+  class ExternalHttpdAuthentication
+    module ExternalHttpdConfiguration
+      #
+      # External Authentication Definitions
+      #
+      IPA_COMMAND          = "/usr/bin/ipa".freeze
+      IPA_INSTALL_COMMAND  = "/usr/sbin/ipa-client-install".freeze
+      IPA_GETKEYTAB        = "/usr/sbin/ipa-getkeytab".freeze
+
+      KERBEROS_CONFIG_FILE = "/etc/krb5.conf".freeze
+
+      SSSD_CONFIG          = "/etc/sssd/sssd.conf".freeze
+      PAM_CONFIG           = "/etc/pam.d/httpd-auth".freeze
+      HTTP_KEYTAB          = "/etc/http.keytab".freeze
+      HTTP_REMOTE_USER     = "/etc/httpd/conf.d/manageiq-remote-user.conf".freeze
+      HTTP_EXTERNAL_AUTH   = "/etc/httpd/conf.d/manageiq-external-auth.conf".freeze
+      HTTP_EXTERNAL_AUTH_TEMPLATE = "#{HTTP_EXTERNAL_AUTH}.erb".freeze
+
+      GETSEBOOL_COMMAND    = "/usr/sbin/getsebool".freeze
+      SETSEBOOL_COMMAND    = "/usr/sbin/setsebool".freeze
+      GETENFORCE_COMMAND   = "/usr/sbin/getenforce".freeze
+
+      APACHE_USER          = "apache".freeze
+
+      TIMESTAMP_FORMAT     = "%Y%m%d_%H%M%S".freeze
+
+      LDAP_ATTRS           = {
+        "mail"        => "REMOTE_USER_EMAIL",
+        "givenname"   => "REMOTE_USER_FIRSTNAME",
+        "sn"          => "REMOTE_USER_LASTNAME",
+        "displayname" => "REMOTE_USER_FULLNAME",
+        "domainname"  => "REMOTE_USER_DOMAIN"
+      }.freeze
+
+      def template_directory
+        Pathname.new(ENV.fetch("APPLIANCE_TEMPLATE_DIRECTORY"))
+      end
+
+      #
+      # IPA Configuration Methods
+      #
+      def ipa_client_configure(realm, domain, server, principal, password)
+        say("Configuring the IPA Client ...")
+        AwesomeSpawn.run!(IPA_INSTALL_COMMAND,
+                          :params => [
+                            "-N", :force_join, :fixed_primary, :unattended, {
+                              :realm=     => realm,
+                              :domain=    => domain,
+                              :server=    => server,
+                              :principal= => principal,
+                              :password=  => password
+                            }
+                          ])
+      end
+
+      def deactivate
+        ipa_client_unconfigure
+        unconfigure_httpd
+      end
+
+      def ipa_client_unconfigure
+        say("Un-Configuring the IPA Client ...")
+        AwesomeSpawn.run(IPA_INSTALL_COMMAND, :params => [:uninstall, :unattended])
+      end
+
+      def unconfigure_httpd
+        say("Unconfiguring httpd ...")
+        unconfigure_httpd_application
+
+        say("Restarting httpd ...")
+        LinuxAdmin::Service.new("httpd").restart
+      end
+
+      def configure_httpd_application
+        cp_template(HTTP_EXTERNAL_AUTH_TEMPLATE, template_directory)
+        cp_template(HTTP_REMOTE_USER, template_directory)
+      end
+
+      def unconfigure_httpd_application
+        rm_file(HTTP_EXTERNAL_AUTH)
+        rm_file(HTTP_REMOTE_USER)
+      end
+
+      #
+      # Kerberos KRB5 File Methods
+      #
+      def enable_kerberos_dns_lookups
+        FileUtils.copy(KERBEROS_CONFIG_FILE, "#{KERBEROS_CONFIG_FILE}.miqbkp")
+        krb5config = File.read(KERBEROS_CONFIG_FILE)
+        krb5config[/(\s*)dns_lookup_kdc(\s*)=(\s*)(.*)/, 4] = 'true'
+        krb5config[/(\s*)dns_lookup_realm(\s*)=(\s*)(.*)/, 4] = 'true'
+        File.write(KERBEROS_CONFIG_FILE, krb5config)
+      end
+
+      #
+      # SSSD File Methods
+      #
+      def configure_sssd_domain(config, domain)
+        ldap_user_extra_attrs = LDAP_ATTRS.keys.join(", ")
+        if config.include?("ldap_user_extra_attrs = ")
+          pattern = "[domain/#{Regexp.escape(domain)}](\n.*)+ldap_user_extra_attrs = (.*)"
+          config[/#{pattern}/, 2] = ldap_user_extra_attrs
+        else
+          pattern = "[domain/#{Regexp.escape(domain)}].*(\n)"
+          config[/#{pattern}/, 1] = "\nldap_user_extra_attrs = #{ldap_user_extra_attrs}\n"
+        end
+
+        pattern = "[domain/#{Regexp.escape(domain)}].*(\n)"
+        config[/#{pattern}/, 1] = "\nentry_cache_timeout = 600\n"
+      end
+
+      def configure_sssd_service(config)
+        services = config.match(/\[sssd\](\n.*)+services = (.*)/)[2]
+        services = "#{services}, ifp" unless services.include?("ifp")
+        config[/\[sssd\](\n.*)+services = (.*)/, 2] = services
+      end
+
+      def configure_sssd_ifp(config)
+        user_attributes = LDAP_ATTRS.keys.collect { |k| "+#{k}" }.join(", ")
+        ifp_config      = "
+  allowed_uids = #{APACHE_USER}, root
+  user_attributes = #{user_attributes}
+"
+        if config.include?("[ifp]")
+          if config[/\[ifp\](\n.*)+user_attributes = (.*)/]
+            config[/\[ifp\](\n.*)+user_attributes = (.*)/, 2] = user_attributes
+          else
+            config[/\[ifp\](\n)/, 1] = ifp_config
+          end
+        else
+          config << "\n[ifp]#{ifp_config}\n"
+        end
+      end
+
+      #
+      # Validation Methods
+      #
+      def installation_valid?
+        installed_rpm_packages = LinuxAdmin::Rpm.list_installed.keys
+        rpm_packages = %w(ipa-client sssd-dbus mod_intercept_form_submit mod_authnz_pam mod_lookup_identity)
+
+        missing = rpm_packages.count do |package|
+          installed = installed_rpm_packages.include?(package)
+          say("#{package} RPM is not installed") unless installed
+          !installed
+        end
+
+        if missing > 0
+          say("\nAppliance Installation is not valid for enabling External Authentication\n")
+          return false
+        end
+
+        true
+      end
+
+      def valid_environment?
+        return false unless installation_valid?
+        if ipa_client_configured?
+          show_current_configuration
+          return false unless agree("\nIPA Client already configured on this Appliance, Un-Configure first? (Y/N): ")
+          deactivate
+          return false unless agree("\nProceed with External Authentication Configuration? (Y/N): ")
+        end
+        true
+      end
+
+      def valid_parameters?(ipaserver)
+        host_reachable?(ipaserver, "IPA Server")
+      end
+
+      #
+      # Config File I/O Methods
+      #
+      def config_file_write(config, path, timestamp)
+        FileUtils.copy(path, "#{path}.#{timestamp}") if File.exist?(path)
+        File.open(path, "w") { |f| f.write(config) }
+      end
+
+      #
+      # Network validation
+      #
+      def host_reachable?(host, what = "Server")
+        require 'net/ping'
+        say("Checking connectivity to #{host} ... ")
+        unless Net::Ping::External.new(host).ping
+          say("Failed.\nCould not connect to #{host},")
+          say("the #{what} must be reachable by name.")
+          return false
+        end
+        say("Succeeded.")
+        true
+      end
+
+      def cp_template(file, src_dir, dest_dir = "/")
+        src_path  = path_join(src_dir, file)
+        dest_path = path_join(dest_dir, file.gsub(".erb", ""))
+        if src_path.to_s.include?(".erb")
+          File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
+        else
+          FileUtils.cp src_path, dest_path
+        end
+      end
+
+      def rm_file(file, dir = "/")
+        path = path_join(dir, file)
+        File.delete(path) if File.exist?(path)
+      end
+
+      def path_join(*args)
+        path = Pathname.new(args.shift)
+        args.each { |path_seg| path = path.join("./#{path_seg}") }
+        path
+      end
+    end
+
+    def self.config_status
+      fetch_ipa_configuration("ipa_server") || fetch_sssd_domain || "not configured"
+    end
+
+    def self.ipa_client_configured?
+      File.exist?(SSSD_CONFIG)
+    end
+
+    def self.config_file_read(path)
+      File.read(path)
+    end
+
+    def self.fetch_ipa_configuration(what, config = nil)
+      unless config
+        return nil unless ipa_client_configured?
+        config = config_file_read(SSSD_CONFIG)
+      end
+      pattern = "[domain/.*].*(\n.*)+#{Regexp.escape(what)} = (.*)"
+      config[/#{pattern}/, 2]
+    end
+
+    def self.fetch_sssd_domain
+      config_file_read(SSSD_CONFIG)[/\[domain\/(.*)\]/, 1] if File.exist?(SSSD_CONFIG)
+    end
+
+    delegate :ipa_client_configured?, :config_file_read, :fetch_ipa_configuration, :config_status, :to => self
+  end
+end
+end