class ManageIQ::ApplianceConsole::ExternalHttpdAuthentication

Public Class Methods

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 234
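# Return the full contents of the configuration file at +path+.
#
# Opens the path explicitly instead of going through File.read: File.read is
# IO.read, and on older Rubies IO.read treats a leading "|" in the name as a
# command to spawn (later releases deprecate that for File). File.open never
# interprets the name, so the result is always the bytes of a file. The
# block form closes the handle even if the read raises.
#
# @param path [String] file to read (callers pass SSSD_CONFIG)
# @return [String] the file contents
# @raise [Errno::ENOENT] when the file does not exist
def self.config_file_read(path)
  File.open(path, "r") { |file| file.read }
end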
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 222
# Describe which external authentication mode, if any, is currently set up.
#
# The probes are tried in order and the first truthy answer wins: the IPA
# server from sssd.conf, then the sssd domain, then the OIDC and SAML
# httpd marker files.
#
# @return [String] the IPA server name, the sssd domain name, one of the
#   "External Auth ..." labels, or "not configured"
def self.config_status
  ipa_server = fetch_ipa_configuration("ipa_server")
  return ipa_server if ipa_server

  sssd_domain = fetch_sssd_domain
  return sssd_domain if sssd_domain

  oidc_status || saml_status || "not configured"
end
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 238
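# Look up the value of a single "<what> = <value>" setting in sssd.conf.
#
# @param what [String] key to look up (e.g. "ipa_server"); it is passed
#   through Regexp.escape, so metacharacters in it are matched literally
# @param config [String, nil] sssd.conf contents; when nil the file at
#   SSSD_CONFIG is read, and nil is returned if the IPA client is not configured
# @return [String, nil] the text after "<what> = " on the matching line, or
#   nil when the key is not found
def self.fetch_ipa_configuration(what, config = nil)
  unless config
    return nil unless ipa_client_configured?
    config = config_file_read(SSSD_CONFIG)
  end
  # The key must appear on a line after a "[domain/...]" section header.
  # The brackets are escaped here: the earlier string form "[domain/.*]" was
  # parsed as a character class (any one of d o m a i n / . *), so the header
  # was never actually required. "(\n.*)+" is greedy and backtracks, so if the
  # key occurs more than once the last occurrence is the one returned; the
  # input is the small local sssd.conf, so the backtracking cost is negligible.
  pattern = %r{\[domain/.*\].*(\n.*)+#{Regexp.escape(what)} = (.*)}
  config[pattern, 2]
end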
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 247
# Extract the domain name from the first "[domain/<name>]" section header
# in sssd.conf.
#
# @return [String, nil] the domain name, or nil when sssd.conf does not
#   exist or contains no domain section
def self.fetch_sssd_domain
  return unless File.exist?(SSSD_CONFIG)

  header = config_file_read(SSSD_CONFIG).match(%r{\[domain/(.*)\]})
  header && header[1]
end
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 230
# Whether the IPA client has been set up on this appliance, judged solely
# by the presence of sssd.conf.
#
# @return [Boolean] true when SSSD_CONFIG exists
def self.ipa_client_configured?
  FileTest.exist?(SSSD_CONFIG)
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 8
# Set up the IPA parameters for this appliance.
#
# @param host [String, nil] this appliance's hostname; when it contains a dot
#   its domain part is the default for +options[:domain]+
# @param options [Hash] :domain, :realm, :ipaserver, :principal (defaults to
#   "admin") and :password
#
# The IPA server name is qualified with the domain when it has no dot of its
# own. @password is held in memory as a plain String for the lifetime of the
# object. @timestamp is fixed at construction and later used when sssd.conf
# is written back.
def initialize(host = nil, options = {})
  @host      = host
  @domain    = options[:domain] || domain_from_host(host)
  @realm     = options[:realm]
  @principal = options[:principal] || "admin"
  @password  = options[:password]
  @timestamp = Time.now.strftime(TIMESTAMP_FORMAT)
  @ipaserver = fqdn(options[:ipaserver], @domain)
end
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 255
# Status label for OpenID Connect, keyed on the httpd OIDC config file.
#
# @return [String, nil] "External Auth OpenID Connect" when
#   HTTP_REMOTE_USER_OIDC exists, otherwise nil
def self.oidc_status
  return unless File.exist?(HTTP_REMOTE_USER_OIDC)

  "External Auth OpenID Connect"
end
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 251
# Status label for SAML, keyed on the httpd remote-user config file.
#
# @return [String, nil] "External Auth SAML" when HTTP_REMOTE_USER exists,
#   otherwise nil
def self.saml_status
  return unless File.exist?(HTTP_REMOTE_USER)

  "External Auth SAML"
end

Public Instance Methods

# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 60
# Run every configuration step in order: IPA client, PAM, sssd, the HTTP
# service principal and keytab, httpd, and SELinux booleans.
#
# The first failing step aborts the sequence. AwesomeSpawn.run! raises
# CommandResultError on a non-zero exit, and for that case the command's
# stdout and stderr are echoed to the console before the summary line.
#
# @return [Boolean] true when all steps completed, false after a failure
#   has been reported
def activate
  configure_ipa
  configure_pam
  configure_sssd
  configure_ipa_http_service
  configure_httpd
  configure_selinux
  true
rescue AwesomeSpawn::CommandResultError => e
  say e.result.output
  say e.result.error
  say ""
  say("Failed to Configure External Authentication - #{e}")
  false
rescue => e
  say("Failed to Configure External Authentication - #{e}")
  false
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 21
# Interactively collect the IPA settings, offering the current values as
# defaults. The prompt order is the user-visible sequence and is deliberate.
#
# @return [String, nil] the (possibly re-qualified) IPA server name, the
#   value of the last assignment
def ask_for_parameters
  say("\nIPA Server Parameters:\n\n")
  @ipaserver = ask_for_hostname("IPA Server Hostname", @ipaserver)
  @domain    = ask_for_domain("IPA Server Domain", @domain)
  # `realm` derives its default from the domain that was just entered.
  @realm     = ask_for_string("IPA Server Realm", realm)
  @principal = ask_for_string("IPA Server Principal", @principal)
  @password  = ask_for_password("IPA Server Principal Password", @password)

  # A server entered as a bare short name is qualified with the domain.
  @ipaserver = fqdn(@ipaserver, @domain)
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 51
# Drive the interactive flow: check the environment, prompt for the
# parameters, show them back, and ask for confirmation before validating
# the chosen IPA server.
#
# @return [Boolean] true only when the environment is valid, the user
#   confirmed, and the parameters validated
def ask_questions
  return false unless valid_environment?

  ask_for_parameters
  show_parameters
  # Validation only runs after an explicit confirmation; the result is
  # forced to a strict true/false.
  !!(agree("\nProceed? (Y/N): ") && valid_parameters?(@ipaserver))
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 81
# Bounce the services that picked up new configuration: httpd is restarted
# only if it is already running, sssd is restarted and enabled at boot.
#
# @return [Object] whatever LinuxAdmin::Service#enable returns (ignored by
#   callers)
def post_activation
  say("\nRestarting httpd, if running ...")
  httpd = LinuxAdmin::Service.new("httpd")
  httpd.restart if httpd.running?

  say("Restarting sssd and configure it to start on reboots ...")
  sssd = LinuxAdmin::Service.new("sssd")
  sssd.restart.enable
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 42
# Print the IPA server and domain recorded in sssd.conf, or nothing at all
# when the IPA client is not configured.
#
# @return [nil]
def show_current_configuration
  return unless ipa_client_configured?

  sssd_conf = config_file_read(SSSD_CONFIG)
  hostname  = fetch_ipa_configuration("ipa_server", sssd_conf)
  domain    = fetch_ipa_configuration("ipa_domain", sssd_conf)

  say("\nCurrent External Authentication (httpd) Configuration:\n")
  say("IPA Server Details:\n")
  say("  Hostname:       #{hostname}\n")
  say("  Domain:         #{domain}\n")
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 32
# Echo the parameters about to be applied. The password is intentionally
# not shown.
#
# @return [nil]
def show_parameters
  say("\nExternal Authentication (httpd) Configuration:\n")
  say("IPA Server Details:\n")
  # Labels are padded to a 16-column field so the values line up.
  row = lambda { |label, value| say("  #{label.ljust(16)}#{value}\n") }
  row.call("Hostname:", @ipaserver)
  row.call("Domain:", @domain)
  row.call("Realm:", realm)
  row.call("Naming Context:", domain_naming_context)
  row.call("Principal:", @principal)
end

Private Instance Methods

# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 139
# Announce and delegate the httpd step.
#
# @return [Object] the result of configure_httpd_application
def configure_httpd
  say "Configuring httpd ..."
  configure_httpd_application
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 108
# Enrol this host as an IPA client. An existing enrolment is torn down first
# so the new parameters take effect cleanly.
#
# @return [Object] the result of enable_kerberos_dns_lookups
def configure_ipa
  say "\nConfiguring IPA (may take a minute) ..."
  ipa_client_unconfigure if ipa_client_configured?
  ipa_client_configure(realm, @domain, @ipaserver, @principal, @password)
  enable_kerberos_dns_lookups
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 129
# Create the HTTP/<host> service principal in IPA and fetch its keytab for
# httpd.
#
# The admin password is handed to kinit on stdin rather than as an argument,
# so it is not visible in the process list. The keytab is chowned to the
# httpd user and restricted to mode 0600 once ipa-getkeytab has written it.
# NOTE(review): the admin ticket obtained here is not destroyed afterwards —
# confirm whether a later step runs kdestroy.
#
# @return [Object] the result of the final FileUtils.chmod
def configure_ipa_http_service
  say "Configuring IPA HTTP Service and Keytab ..."
  AwesomeSpawn.run!("/usr/bin/kinit", :params => [@principal], :stdin_data => @password)

  http_principal = Principal.new(:hostname => @host, :realm => realm, :service => "HTTP", :ca_name => "ipa")
  http_principal.register

  keytab_params = {"-s" => @ipaserver, "-k" => HTTP_KEYTAB, "-p" => http_principal.name}
  AwesomeSpawn.run!(IPA_GETKEYTAB, :params => keytab_params)

  FileUtils.chown(APACHE_USER, nil, HTTP_KEYTAB)
  FileUtils.chmod(0o600, HTTP_KEYTAB)
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 115
# Install the PAM configuration from the template directory.
#
# @return [Object] the result of cp_template
def configure_pam
  say "Configuring pam ..."
  cp_template(PAM_CONFIG, template_directory)
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 144
# Turn on the SELinux booleans httpd needs for PAM and sssd, persistently
# (-P). Nothing is changed when getenforce reports SELinux as disabled.
#
# httpd_dbus_sssd is only set when a getsebool probe of it exits 0 —
# presumably because the boolean is absent from some policies.
#
# @return [Object] the value of the last statement in the taken branch
def configure_selinux
  say "Configuring SELinux ..."
  enforce_state = AwesomeSpawn.run!(GETENFORCE_COMMAND).output.downcase
  if enforce_state.include?("disabled")
    say "SELinux is Disabled"
  else
    AwesomeSpawn.run!("#{SETSEBOOL_COMMAND} -P allow_httpd_mod_auth_pam on")
    probe = AwesomeSpawn.run("#{GETSEBOOL_COMMAND} httpd_dbus_sssd")
    AwesomeSpawn.run!("#{SETSEBOOL_COMMAND} -P httpd_dbus_sssd on") if probe.exit_status.zero?
  end
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 120
# Rewrite sssd.conf: the domain section, the service list and the ifp
# section are each applied to the in-memory contents, which are then written
# back (config_file_write receives @timestamp, presumably to name a backup).
#
# @return [Object] the result of config_file_write
def configure_sssd
  say "Configuring sssd ..."
  sssd_conf = config_file_read(SSSD_CONFIG)
  configure_sssd_domain(sssd_conf, @domain)
  configure_sssd_service(sssd_conf)
  configure_sssd_ifp(sssd_conf)
  config_file_write(sssd_conf, SSSD_CONFIG, @timestamp)
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 96
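# Derive a domain from a fully-qualified hostname by dropping its first
# label: "ipa.example.com" -> "example.com".
#
# The pattern is anchored with \A and applied with sub: the previous
# `^` / gsub form matched at the start of every line, so a multi-line value
# would have had a label stripped from each line. For a single-line hostname
# the result is unchanged.
#
# @param host [String, nil] hostname
# @return [String, nil] the domain, or nil when +host+ is nil or has no dot
def domain_from_host(host)
  return unless host && host.include?(".")

  host.sub(/\A[^.]+\./, "")
end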
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 92
# Render @domain as an LDAP naming context: "example.com" -> "dc=example,dc=com".
#
# @return [String] comma-separated "dc=" components; "" for an empty domain
# @raise [NoMethodError] when @domain is nil
def domain_naming_context
  labels = @domain.split(".")
  labels.map { |label| "dc=" + label }.join(",")
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 100
# Qualify a short hostname with +domain+. A host that already contains a
# dot is returned untouched, as is a nil host or a host with no domain.
#
# @param host [String, nil]
# @param domain [String, nil]
# @return [String, nil] "host.domain" or +host+ unchanged
def fqdn(host, domain)
  return host if !host || !domain || host.include?(".")

  "#{host}.#{domain}"
end
# File lib/manageiq/appliance_console/external_httpd_authentication.rb, line 104
# The Kerberos realm: the explicit @realm if one was given, otherwise the
# domain, upper-cased either way.
#
# @return [String]
# @raise [NoMethodError] when both @realm and @domain are nil
def realm
  name = @realm || @domain
  name.upcase
end