manageiq-appliance_console 5.0.3 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4baaae9e551222520424d741df95ce3dc1649b18303ef9fd873c9964177da440
-  data.tar.gz: b40882a8c0ac7f02cde200cbde365c3cc51f46a1a83608d9bde769ce77355138
+  metadata.gz: 842d9e3f4effbab338ffca56f0d10023b54089078d8a35f51e1af7c34a17f7cd
+  data.tar.gz: fa3019d794de206d44b82fb70f5afbfd6eb28a165c45344957b6bcf4cc6b3b36
 SHA512:
-  metadata.gz: 79ed5ef8f7b163a48925057baf5f7938167a35e381b5fbdb114c07630ed412aa93a846bd99980e3728016ae5029b6c0d0dc9c87653a7184b00a05ca5f5ae8768
-  data.tar.gz: 4e541333c7e5eb1a1d77aba86e2a865317ac95a2822b31d2520b893c3a04434a6745f2f5fc249fd462a62c5c94534a13aaa80b2c8f3f9e19df8d724b434dcfae
+  metadata.gz: 32782c59824479eea39097a7adf542b0654ac77a02342e6b398113abbd76426ff5fb0908b5c4eccfeffca22b829b16862322357f286288a41fbf4f1c06fb3335
+  data.tar.gz: 2e9fcbc67a7ad8baff5cbcdba421bfc6c6ba99706a97b53d4a1c4137f606178cb0d74ac5d295c99c9de00478c65b208ef6cf23fa416c2e99dba12d73c79859e9

data/.travis.yml

@@ -1,7 +1,8 @@
+---
 language: ruby
 rvm:
-- 2.4.6
-- 2.5.3
+- 2.5.7
+- 2.6.5
 sudo: false
 cache: bundler
 env:

data/lib/manageiq-appliance_console.rb

@@ -44,6 +44,7 @@ require 'manageiq/appliance_console/key_configuration'
 require 'manageiq/appliance_console/logfile_configuration'
 require 'manageiq/appliance_console/logical_volume_management'
 require 'manageiq/appliance_console/principal'
+require 'manageiq/appliance_console/saml_authentication'
 require 'manageiq/appliance_console/scap'
 require 'manageiq/appliance_console/temp_storage_configuration'
 require 'manageiq/appliance_console/timezone_configuration'

data/lib/manageiq/appliance_console/cli.rb

@@ -77,6 +77,14 @@ module ApplianceConsole
       options[:extauth_opts]
     end
 
+    def saml_config?
+      options[:saml_config]
+    end
+
+    def saml_unconfig?
+      options[:saml_unconfig]
+    end
+
     def set_server_state?
       options[:server]
     end
@@ -145,6 +153,11 @@ module ApplianceConsole
         opt :datetime,             "Date and time, in YYYY-MM-DDTHH:MM:SS (ISO8601) format", :type => :string
         opt :http_cert,            "install certs for http server",     :type => :boolean
         opt :extauth_opts,         "External Authentication Options",   :type => :string
+        opt :saml_config,          "Configure Appliance for SAML Authentication",        :type => :boolean, :default => false
+        opt :saml_client_host,     "Optional Appliance host used for SAML registration", :type => :string
+        opt :saml_idp_metadata,    "The file path or URL of the SAML IDP Metadata",      :type => :string
+        opt :saml_enable_sso,      "Optionally enable SSO with SAML Authentication",     :type => :boolean, :default => false
+        opt :saml_unconfig,        "Unconfigure Appliance SAML Authentication",          :type => :boolean, :default => false
         opt :server,               "{start|stop|restart} actions on evmserverd Server",   :type => :string
       end
       Optimist.die :region, "needed when setting up a local database" if region_number_required? && options[:region].nil?
@@ -157,8 +170,9 @@ module ApplianceConsole
 
     def run
       Optimist.educate unless set_host? || key? || database? || tmp_disk? || log_disk? ||
-                             uninstall_ipa? || install_ipa? || certs? || extauth_opts? ||
-                             time_zone? || date_time? || set_server_state? || set_replication?
+                              uninstall_ipa? || install_ipa? || certs? || extauth_opts? ||
+                              time_zone? || date_time? || set_server_state? || set_replication? ||
+                              saml_config? || saml_unconfig?
       if set_host?
         system_hosts = LinuxAdmin::Hosts.new
         system_hosts.hostname = options[:host]
@@ -177,6 +191,8 @@ module ApplianceConsole
       install_ipa if install_ipa?
       install_certs if certs?
       extauth_opts if extauth_opts?
+      saml_config if saml_config?
+      saml_unconfig if saml_unconfig?
       set_server_state if set_server_state?
     rescue CliError => e
       say(e.message)
@@ -388,6 +404,14 @@ module ApplianceConsole
       extauthopts.update_configuration(extauthopts_hash)
     end
 
+    def saml_config
+      SamlAuthentication.new(options).configure(options[:saml_client_host] || host)
+    end
+
+    def saml_unconfig
+      SamlAuthentication.new(options).unconfigure
+    end
+
     def set_server_state
       service = LinuxAdmin::Service.new("evmserverd")
       service_running = service.running?

data/lib/manageiq/appliance_console/saml_authentication.rb

@@ -0,0 +1,208 @@
+require "uri"
+
+module ManageIQ
+  module ApplianceConsole
+    class SamlAuthentication
+      MELLON_CREATE_METADATA_COMMAND = Pathname.new("/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh")
+
+      HTTPD_CONFIG_DIRECTORY = Pathname.new("/etc/httpd/conf.d")
+      SAML2_CONFIG_DIRECTORY = Pathname.new("/etc/httpd/saml2")
+      IDP_METADATA_FILE      = SAML2_CONFIG_DIRECTORY.join("idp-metadata.xml")
+
+      attr_accessor :host, :options
+
+      def initialize(options)
+        @options = options
+      end
+
+      def configure(host)
+        @host = host
+        validate_saml_idp_metadata_option
+
+        say("Configuring SAML Authentication for https://#{host} ...")
+        copy_apache_saml_configfiles
+        FileUtils.mkdir_p(SAML2_CONFIG_DIRECTORY)
+        AwesomeSpawn.run!(MELLON_CREATE_METADATA_COMMAND,
+                          :chdir  => SAML2_CONFIG_DIRECTORY,
+                          :params => ["https://#{host}", "https://#{host}/saml2"])
+        rename_mellon_configfiles
+        fetch_idp_metadata
+        configure_auth_settings_saml
+        restart_httpd
+        true
+      rescue AwesomeSpawn::CommandResultError => e
+        log_command_error(e)
+        say("Failed to Configure SAML Authentication - #{e}")
+        false
+      rescue => e
+        say("Failed to Configure SAML Authentication - #{e}")
+        false
+      end
+
+      def unconfigure
+        raise "Appliance is not currently configured for SAML" unless configured?
+
+        say("Unconfiguring SAML Authentication ...")
+        remove_apache_saml_configfiles
+        configure_auth_settings_database
+        restart_httpd
+        true
+      rescue AwesomeSpawn::CommandResultError => e
+        log_command_error(e)
+        say("Failed to Unconfigure SAML Authentication - #{e}")
+        false
+      rescue => e
+        say("Failed to Unconfigure SAML Authentication - #{e}")
+        false
+      end
+
+      private
+
+      # Apache SAML Configuration
+
+      def rename_mellon_configfiles
+        debug_msg("Renaming mellon config files ...")
+        Dir.chdir(SAML2_CONFIG_DIRECTORY) do
+          Dir.glob("https_*.*") do |mellon_file|
+            saml2_file =
+              case mellon_file
+              when /^https_.*\.key$/  then "miqsp-key.key"
+              when /^https_.*\.cert$/ then "miqsp-cert.cert"
+              when /^https_.*\.xml$/  then "miqsp-metadata.xml"
+              end
+            if saml2_file
+              debug_msg("Renaming #{mellon_file} to #{saml2_file}")
+              File.rename(mellon_file, saml2_file)
+            end
+          end
+        end
+      end
+
+      def fetch_idp_metadata
+        idp_metadata = options[:saml_idp_metadata]
+        if path_is_file?(idp_metadata) && idp_metadata != IDP_METADATA_FILE
+          debug_msg("Copying IDP metadata file #{idp_metadata} to #{IDP_METADATA_FILE} ...")
+          FileUtils.cp(idp_metadata, IDP_METADATA_FILE)
+        elsif path_is_url?(idp_metadata)
+          debug_msg("Downloading IDP metadata file from #{idp_metadata}")
+          download_network_file(idp_metadata, IDP_METADATA_FILE)
+        end
+      end
+
+      def copy_apache_saml_configfiles
+        debug_msg("Copying Apache SAML Config files ...")
+        copy_template(HTTPD_CONFIG_DIRECTORY, "manageiq-remote-user.conf")
+        copy_template(HTTPD_CONFIG_DIRECTORY, "manageiq-external-auth-saml.conf")
+      end
+
+      def remove_apache_saml_configfiles
+        debug_msg("Removing Apache SAML Config files ...")
+        remove_file(HTTPD_CONFIG_DIRECTORY.join("manageiq-remote-user.conf"))
+        remove_file(HTTPD_CONFIG_DIRECTORY.join("manageiq-external-auth-saml.conf"))
+      end
+
+      def configured?
+        HTTPD_CONFIG_DIRECTORY.join("manageiq-external-auth-saml.conf").exist?
+      end
+
+      def restart_httpd
+        httpd_service = LinuxAdmin::Service.new("httpd")
+        if httpd_service.running?
+          say("Restarting httpd ...")
+          httpd_service.restart
+        end
+      end
+
+      # SAML IDP Metadata
+
+      def validate_saml_idp_metadata_option
+        idp_metadata = options[:saml_idp_metadata]
+        raise "Must specify the SAML IDP metadata file or URL via --saml-idp-metadata" if idp_metadata.blank?
+
+        raise "Missing SAML IDP metadata file #{idp_metadata}" if path_is_file?(idp_metadata) && !File.exist?(idp_metadata)
+      end
+
+      def path_is_file?(path)
+        path.present? && !path_is_url?(path)
+      end
+
+      def path_is_url?(path)
+        path =~ /\A#{URI.regexp(["http", "https"])}\z/x
+      end
+
+      # File Management
+
+      def remove_file(path)
+        if path.exist?
+          debug_msg("Removing #{path} ...")
+          File.delete(path)
+        end
+      end
+
+      def copy_template(dir, file)
+        src_path = template_directory.join(relative_from_root(dir), file)
+        dest_path = dir.join(file)
+        debug_msg("Copying template #{src_path} to #{dest_path} ...")
+        FileUtils.cp(src_path, dest_path)
+      end
+
+      def download_network_file(source_file_url, target_file)
+        require "net/http"
+
+        say("Downloading #{source_file_url} ...")
+        result = Net::HTTP.get_response(URI(source_file_url))
+        raise "Failed to download file from #{source_file_url}" unless result.kind_of?(Net::HTTPSuccess)
+
+        File.write(target_file, result.body)
+      end
+
+      def template_directory
+        @template_directory ||= Pathname.new(ENV.fetch("APPLIANCE_TEMPLATE_DIRECTORY"))
+      end
+
+      def relative_from_root(path)
+        path.absolute? ? path.relative_path_from(Pathname.new("/")) : path
+      end
+
+      # Appliance Settings
+
+      def configure_auth_settings_saml
+        say("Setting Appliance Authentication Settings to SAML ...")
+        params = [
+          "/authentication/mode=httpd",
+          "/authentication/httpd_role=true",
+          "/authentication/saml_enabled=true",
+          "/authentication/oidc_enabled=false",
+          "/authentication/sso_enabled=#{options[:saml_enable_sso] ? 'true' : 'false'}",
+          "/authentication/provider_type=saml"
+        ]
+        Utilities.rake_run("evm:settings:set", params)
+      end
+
+      def configure_auth_settings_database
+        say("Setting Appliance Authentication Settings to Database ...")
+        params = [
+          "/authentication/mode=database",
+          "/authentication/httpd_role=false",
+          "/authentication/saml_enabled=false",
+          "/authentication/oidc_enabled=false",
+          "/authentication/sso_enabled=false",
+          "/authentication/provider_type=none"
+        ]
+        Utilities.rake_run("evm:settings:set", params)
+      end
+
+      # Logging
+
+      def debug_msg(msg)
+        say(msg) if options[:verbose]
+      end
+
+      def log_command_error(err)
+        say(err.result.output)
+        say(err.result.error)
+        say("")
+      end
+    end
+  end
+end

data/lib/manageiq/appliance_console/version.rb

@@ -1,5 +1,5 @@
 module ManageIQ
   module ApplianceConsole
-    VERSION = '5.0.3'.freeze
+    VERSION = '5.1.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: manageiq-appliance_console
 version: !ruby/object:Gem::Version
-  version: 5.0.3
+  version: 5.1.0
 platform: ruby
 authors:
 - ManageIQ Developers
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-19 00:00:00.000000000 Z
+date: 2019-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -287,6 +287,7 @@ files:
 - lib/manageiq/appliance_console/logical_volume_management.rb
 - lib/manageiq/appliance_console/principal.rb
 - lib/manageiq/appliance_console/prompts.rb
+- lib/manageiq/appliance_console/saml_authentication.rb
 - lib/manageiq/appliance_console/scap.rb
 - lib/manageiq/appliance_console/temp_storage_configuration.rb
 - lib/manageiq/appliance_console/timezone_configuration.rb