smart_proxy_realm_ad_plugin 0.1

data/README.md

@@ -0,0 +1,111 @@
+# Status
+
+Hi!!! Please try this out and test it. I need feedback.
+
+# Description
+This plugin adds a new realm provider for managing hosts in Active Directory.
+
+Useful if you directly integrate with Active Directory and dont use FreeIPA. 
+
+If you use this plugin you let foreman-proxy provision/deprovision computer accounts and password and also distribute the password to a kickstart file.
+
+It does the following:
+
+  * When hosts are created in foreman it will create a new computer account in active directory
+    and return the password to foreman so it can be used in the kickstart file.
+    
+  * When hosts are rebuilt it will reset the computers account and return a new password to the kickstart file.
+
+  * When hosts are deleted in foreman it will delete the associated computer account in active directory.
+  
+## Installation 
+See How_to_Install_a_Smart-Proxy_Plugin for how to install Smart Proxy plugins.
+
+Install this gem:
+
+First clone this repo:
+```
+git clone https://github.com/martencassel/smart_proxy_realm_ad_plugin 
+```
+
+Then run bundle and gem install.
+
+```
+cd smart_proxy_realm_ad_plugin
+bundle install && gem build smart_proxy_realm_ad_plugin.gemspec \
+    && sudo gem install smart_proxy_realm_ad_plugin-0.1.gem
+
+```
+
+Then add the depedencies to to smart-proxy bundler.d directory like below:
+
+Edit 'bundler.d/Gemfile.local.rb' and set:
+
+    gem 'smart_proxy_realm_ad_plugin'
+    gem 'radcli'
+    gem 'rkerberos', '>= 0.1.1'
+    gem 'passgen'
+
+## Configuration
+
+Then enable this as a realm provider in foreman-proxy
+
+To enable this realm provider, edit `/etc/foreman-proxy/settings.d/realm.yml` and set:
+
+    :enabled: true
+    
+    :use_provider: realm_ad
+    
+## Testing
+
+     bundle exec rake test
+
+## Install dependencies
+
+Install the gem dependencies first:
+
+  1. rkerberos
+  2. radcli
+
+### rkerberos
+```
+sudo gem install rkerberos
+```
+
+### radcli
+
+#### radcli prereqs (ubuntu)
+```
+sudo apt-get install ruby gem ruby-dev
+sudo gem install rake bundler rakecompiler rspec
+sudo apt-get install automake autoconf xmlto xsltproc libkrb5-dev libldap2-dev libsasl2-dev
+```
+
+```
+git clone https://github.com/martencassel/radcli
+cd radcli
+rake build
+gem install pkg/radcli-0.1.0.gem
+```
+
+## Contributing
+
+Fork and send a Pull Request. Thanks!
+
+## Copyright
+
+Copyright (c) 2016,2017 Mårten Cassel
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+

data/bundler.d/realm_ad_plugin.rb

@@ -0,0 +1,2 @@
+gem 'smart_proxy_realm_ad_plugin'
+gem 'radcli'

data/config/realm_ad.yml.example

@@ -0,0 +1,24 @@
+---
+# Authentication for Kerberos-based Realms
+:realm: EXAMPLE.COM
+
+# Kerberos pricipal used to authenticate against Active Directory
+:principal: realm-proxy@EXAMPLE.COM
+
+# Path to the keytab used to authenticate against Active Directory
+:keytab_path:  /etc/foreman-proxy/realm_ad.keytab
+
+# FQDN of the Domain Controller
+:domain_controller: dc.example.com
+
+# Optional: OU where the machine account shall be placed
+#:ou: OU=Linux,OU=Servers,DC=example,DC=com
+
+# Optional: Prefix for the computername
+#:computername_prefix: ''
+
+# Optional: Generate the computername by calculating the SHA256 hexdigest of the hostname
+#:computername_hash: false
+
+# Optional:  use the fqdn of the host to generate the computername
+#:computername_use_fqdn: false

data/lib/smart_proxy_realm_ad/configuration_loader.rb

@@ -0,0 +1,23 @@
+module Proxy::AdRealm
+  class ConfigurationLoader
+    def load_classes
+      require 'smart_proxy_realm_ad/provider'
+    end
+
+    def load_dependency_injection_wirings(container_instance, settings)
+      container_instance.dependency :realm_provider_impl,
+                                    lambda {
+                                      ::Proxy::AdRealm::Provider.new(
+                                        realm: settings[:realm],
+                                        keytab_path: settings[:keytab_path],
+                                        principal: settings[:principal],
+                                        domain_controller: settings[:domain_controller],
+                                        ou: settings[:ou],
+                                        computername_prefix: settings[:computername_prefix],
+                                        computername_hash: settings[:computername_hash],
+                                        computername_use_fqdn: settings[:computername_use_fqdn]
+                                      )
+                                    }
+    end
+  end
+end

data/lib/smart_proxy_realm_ad/plugin.rb

@@ -0,0 +1,12 @@
+require 'smart_proxy_realm_ad/version'
+
+module Proxy::AdRealm
+  class Plugin < Proxy::Provider
+    load_classes ::Proxy::AdRealm::ConfigurationLoader
+    load_dependency_injection_wirings ::Proxy::AdRealm::ConfigurationLoader
+
+    validate_presence :realm, :keytab_path, :principal, :domain_controller
+
+    plugin :realm_ad, ::Proxy::AdRealm::VERSION
+  end
+end

data/lib/smart_proxy_realm_ad/provider.rb

@@ -0,0 +1,131 @@
+require 'proxy/kerberos'
+require 'radcli'
+require 'digest'
+
+module Proxy::AdRealm
+  class Provider
+    include Proxy::Log
+    include Proxy::Util
+    include Proxy::Kerberos
+
+    attr_reader :realm, :keytab_path, :principal, :domain_controller, :domain, :ou, :computername_prefix, :computername_hash, :computername_use_fqdn
+
+    def initialize(options = {})
+      @realm = options[:realm]
+      @keytab_path = options[:keytab_path]
+      @principal = options[:principal]
+      @domain_controller = options[:domain_controller]
+      @domain = options[:realm].downcase
+      @ou = options[:ou]
+      @computername_prefix = options[:computername_prefix]
+      @computername_hash = options.fetch(:computername_hash, false)
+      @computername_use_fqdn = options.fetch(:computername_use_fqdn, false)
+      logger.info 'Proxy::AdRealm: initialize...'
+    end
+
+    def check_realm(realm)
+      raise Exception, "Unknown realm #{realm}" unless realm.casecmp(@realm).zero?
+    end
+
+    def find(_hostfqdn)
+      true
+    end
+
+    def create(realm, hostfqdn, params)
+      logger.info "Proxy::AdRealm: create... #{realm}, #{hostfqdn}, #{params}"
+      check_realm(realm)
+      kinit_radcli_connect
+
+      password = generate_password
+      result = { randompassword: password }
+
+      computername = hostfqdn_to_computername(hostfqdn)
+
+      if params[:rebuild] == 'true'
+        radcli_password(computername, password)
+      else
+        radcli_join(hostfqdn, computername, password)
+      end
+
+      JSON.pretty_generate(result)
+    end
+
+    def delete(realm, hostfqdn)
+      logger.info "Proxy::AdRealm: delete... #{realm}, #{hostfqdn}"
+      kinit_radcli_connect
+      check_realm(realm)
+      computername = hostfqdn_to_computername(hostfqdn)
+      radcli_delete(computername)
+    end
+
+    private
+
+    def hostfqdn_to_computername(hostfqdn)
+      computername = hostfqdn
+
+      # strip the domain from the host
+      computername = computername.split('.').first unless computername_use_fqdn
+
+      # generate the SHA256 hexdigest from the computername
+      computername = Digest::SHA256.hexdigest(computername) if computername_hash
+
+      # apply prefix if it has not already been applied
+      computername = computername_prefix + computername if apply_computername_prefix?(computername)
+
+      # limit length to 15 characters and upcase the computername
+      # see https://support.microsoft.com/en-us/kb/909264
+      computername[0, 15].upcase
+    end
+
+    def apply_computername_prefix?(computername)
+      !computername_prefix.nil? && !computername_prefix.empty? && (computername_hash || !computername[0, computername_prefix.size].casecmp(computername_prefix).zero?)
+    end
+
+    def kinit_radcli_connect
+      init_krb5_ccache(@keytab_path, @principal)
+      @adconn = radcli_connect
+    end
+
+    def radcli_connect
+      # Connect to active directory
+      conn = Adcli::AdConn.new(@domain)
+      conn.set_domain_realm(@realm)
+      conn.set_domain_controller(@domain_controller)
+      conn.set_login_ccache_name('')
+      conn.connect
+      conn
+    end
+
+    def radcli_join(hostfqdn, computername, password)
+      # Join computer
+      enroll = Adcli::AdEnroll.new(@adconn)
+      enroll.set_computer_name(computername)
+      enroll.set_host_fqdn(hostfqdn)
+      enroll.set_domain_ou(@ou) if @ou
+      enroll.set_computer_password(password)
+      enroll.join
+    end
+
+    def generate_password
+      characters = ('A'..'Z').to_a + ('a'..'z').to_a + (0..9).to_a
+      Array.new(20) { characters.sample }.join
+    end
+
+    def radcli_password(computername, password)
+      # Reset a computer's password
+      enroll = Adcli::AdEnroll.new(@adconn)
+      enroll.set_computer_name(computername)
+      enroll.set_domain_ou(@ou) if @ou
+      enroll.set_computer_password(password)
+      enroll.password
+    end
+
+    def radcli_delete(computername)
+      # Delete a computer's account
+      enroll = Adcli::AdEnroll.new(@adconn)
+      enroll.set_computer_name(computername)
+      enroll.set_domain_ou(@ou) if @ou
+      enroll.delete
+    end
+  end
+end

data/lib/smart_proxy_realm_ad/version.rb

@@ -0,0 +1,5 @@
+module Proxy
+  module AdRealm
+    VERSION = '0.1'.freeze
+  end
+end

data/lib/smart_proxy_realm_ad_plugin.rb

@@ -0,0 +1,4 @@
+require 'smart_proxy_realm_ad/configuration_loader'
+require 'smart_proxy_realm_ad/plugin'
+
+module Proxy::AdRealm; end

data/test/ad_provider_test.rb

@@ -0,0 +1,125 @@
+require 'rubygems'
+require 'test_helper'
+require 'smart_proxy_realm_ad/provider'
+require 'radcli'
+
+class RealmAdTest < Test::Unit::TestCase
+  def setup
+    @realm = 'test_realm'
+    @provider = Proxy::AdRealm::Provider.new(
+      realm: 'example.com',
+      keytab_path: 'keytab_path',
+      principal: 'principal',
+      domain_controller: 'domain-controller',
+      ou: nil,
+      computername_prefix: nil,
+      computername_hash: false,
+      computername_use_fqdn: false
+    )
+  end
+
+  def test_create_host
+    hostname = 'host.example.com'
+    computername = 'HOST'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_host_generates_password
+    hostname = 'host.example.com'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:radcli_join)
+    response = JSON.parse(@provider.create(@realm, hostname, params))
+    assert_kind_of String, response['randompassword']
+    assert_equal 20, response['randompassword'].size
+  end
+
+  def test_create_host_prefixes_computername
+    hostname = 'host.example.com'
+    computername = 'ORG-HOST'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.stubs(:computername_prefix).returns('ORG-')
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_host_limits_computername_to_15_characters
+    hostname = 'superlonghostname.example.com'
+    computername = 'SUPERLONGHOSTNA'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_host_applies_sha256_to_computername
+    hostname = 'host.example.com'
+    computername = '4740AE6347B0172'
+    params = {
+      rebuild: 'false'
+    }
+    @provider.stubs(:computername_hash).returns(true)
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:generate_password).returns('password')
+    @provider.expects(:radcli_join).with(hostname, computername, 'password')
+    @provider.create(@realm, hostname, params)
+  end
+
+  def test_create_with_unrecognized_realm_raises_exception
+    assert_raises(Exception) { @provider.create('unknown_realm', 'a_host', {}) }
+  end
+
+  def test_create_rebuild
+    hostname = 'host.example.com'
+    params = {}
+    params[:rebuild] = 'true'
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:radcli_password)
+    response = JSON.parse(@provider.create(@realm, hostname, params))
+    assert_kind_of String, response['randompassword']
+    assert_equal 20, response['randompassword'].size
+  end
+
+  def test_rebuild_with_unrecognized_realm_raises_exception
+    params = {}
+    params[:rebuild] = 'true'
+    assert_raises(Exception) { @provider.create('unknown_realm', 'a_host', params) }
+  end
+
+  def test_find
+    assert_true @provider.find('a_host_fqdn')
+  end
+
+  def test_delete
+    @provider.expects(:check_realm).with(@realm)
+    @provider.expects(:kinit_radcli_connect)
+    @provider.expects(:radcli_delete)
+    @provider.delete(@realm, 'a_host')
+  end
+
+  def test_delete_unrecognized_realm_raises_exception
+    @provider.expects(:kinit_radcli_connect)
+    assert_raises(Exception) { @provider.delete('unkown_realm', 'a_host') }
+  end
+end