module ManageIQ::ApplianceConsole::ExternalHttpdAuthentication::ExternalHttpdConfiguration
Constants
- APACHE_USER
- GETENFORCE_COMMAND
- GETSEBOOL_COMMAND
- HTTP_EXTERNAL_AUTH
- HTTP_EXTERNAL_AUTH_TEMPLATE
- HTTP_KEYTAB
- HTTP_REMOTE_USER
- HTTP_REMOTE_USER_OIDC
- IPA_COMMAND
External Authentication Definitions
- IPA_GETKEYTAB
- IPA_INSTALL_COMMAND
- KERBEROS_CONFIG_FILE
- LDAP_ATTRS
- PAM_CONFIG
- SETSEBOOL_COMMAND
- SSSD_CONFIG
- TIMESTAMP_FORMAT
Public Instance Methods
config_file_write(config, path, timestamp)
Config File I/O Methods
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 180
# Replaces the file at +path+ with +config+, first keeping a copy of any
# existing file as "<path>.<timestamp>".
#
# config    - String written as the new file contents.
# path      - file to (over)write.
# timestamp - suffix for the backup copy; the caller chooses its format.
#
# Returns what File.open's block returns, i.e. the result of IO#write.
def config_file_write(config, path, timestamp)
  backup_path = "#{path}.#{timestamp}"
  # Only an existing file is backed up; a first-time write leaves no backup.
  FileUtils.copy(path, backup_path) if File.exist?(path)
  # Mode "w" truncates an existing file and creates a missing one with the
  # process's default (umask-derived) permissions.
  # NOTE(review): if this is used for files that may hold credentials, confirm
  # the resulting mode and the lifetime of the timestamped backups.
  File.open(path, "w") do |file|
    file.write(config)
  end
end
configure_httpd_application()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 80
# Installs the two httpd external-authentication files from the template
# directory by handing each one to cp_template (default destination root "/").
#
# Returns the result of the last cp_template call.
def configure_httpd_application
  templates = [HTTP_EXTERNAL_AUTH_TEMPLATE, HTTP_REMOTE_USER]
  # template_directory is looked up once per file, in list order.
  templates.map { |template| cp_template(template, template_directory) }.last
end
configure_sssd_domain(config, domain)
SSSD File Methods
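# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 104
# Sets ldap_user_extra_attrs and entry_cache_timeout inside the
# [domain/<domain>] section of an SSSD configuration string. +config+ is
# edited in place.
#
# config - String holding the sssd.conf contents (mutated).
# domain - domain name exactly as it appears in the section header.
#
# Returns the entry_cache_timeout text that was inserted.
# Raises IndexError (from String#[]=) when the section header, or an existing
# ldap_user_extra_attrs line after it, cannot be found.
def configure_sssd_domain(config, domain)
  # Escape the whole header, brackets included. Interpolated unescaped,
  # "[domain/...]" is read by the regex engine as a character class, so the
  # pattern anchors on the first character that happens to be in that set and
  # the settings can land in a different section (for example [sssd]).
  section = Regexp.escape("[domain/#{domain}]")
  ldap_user_extra_attrs = LDAP_ATTRS.keys.join(", ")

  if config.include?("ldap_user_extra_attrs = ")
    # Overwrite the value of the existing line that follows the header.
    config[/#{section}(\n.*)+ldap_user_extra_attrs = (.*)/, 2] = ldap_user_extra_attrs
  else
    # No such line anywhere: add one directly under the section header.
    config[/#{section}.*(\n)/, 1] = "\nldap_user_extra_attrs = #{ldap_user_extra_attrs}\n"
  end

  # Always insert the cache timeout as the first entry of the section.
  config[/#{section}.*(\n)/, 1] = "\nentry_cache_timeout = 600\n"
end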
configure_sssd_ifp(config)
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 124 def configure_sssd_ifp(config) user_attributes = LDAP_ATTRS.keys.collect { |k| "+#{k}" }.join(", ") ifp_config = " allowed_uids = #{APACHE_USER}, root user_attributes = #{user_attributes} " if config.include?("[ifp]") if config[/\[ifp\](\n.*)+user_attributes = (.*)/] config[/\[ifp\](\n.*)+user_attributes = (.*)/, 2] = user_attributes else config[/\[ifp\](\n)/, 1] = ifp_config end else config << "\n[ifp]#{ifp_config}\n" end end
configure_sssd_service(config)
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 118
# Adds "ifp" to the services list of the [sssd] section unless the list
# already contains that text. +config+ is edited in place.
#
# config - String holding the sssd.conf contents (mutated).
#
# Returns the resulting services value.
# Raises NoMethodError when no "services = " line follows the [sssd] header,
# because the match result is nil.
def configure_sssd_service(config)
  services_line = /\[sssd\](\n.*)+services = (.*)/
  enabled = config.match(services_line)[2]
  # Substring test: any occurrence of "ifp" in the value counts as present.
  enabled = "#{enabled}, ifp" unless enabled.include?("ifp")
  config[services_line, 2] = enabled
end
cp_template(file, src_dir, dest_dir = "/")
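# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 200
# Installs one template file from +src_dir+ under +dest_dir+.
#
# A file whose name ends in ".erb" is rendered with ERB and written without
# that suffix; any other file is copied unchanged.
#
# file     - file name (String); it may carry directory components, since
#            path_join places it beneath each directory.
# src_dir  - directory holding the templates.
# dest_dir - root the result is written under (default "/").
#
# Returns the result of File.write or FileUtils.cp.
def cp_template(file, src_dir, dest_dir = "/")
  # Decide by the file name's suffix only. A ".erb" substring elsewhere in the
  # path (for instance in the template directory's name) must not turn a plain
  # file into a template, because rendering executes the Ruby embedded in it.
  erb_template = file.to_s.end_with?(".erb")
  src_path  = path_join(src_dir, file)
  dest_path = path_join(dest_dir, erb_template ? file.to_s.sub(/\.erb\z/, "") : file)

  if erb_template
    # The template is evaluated with this object's binding, so it runs as code
    # with the privileges of the calling process; the template directory
    # should be writable by trusted administrators only.
    # NOTE(review): positional safe_level/trim_mode arguments to ERB.new are
    # deprecated since Ruby 2.6 in favour of the trim_mode: keyword.
    File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
  else
    FileUtils.cp src_path, dest_path
  end
end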
deactivate()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 62
# Reverses the external-authentication setup in two steps: the IPA client is
# un-configured first, then the httpd configuration is removed.
#
# Returns the result of unconfigure_httpd.
def deactivate
  # The result of the IPA step is not inspected here; the httpd step runs
  # whenever the first call returns.
  ipa_client_unconfigure
  unconfigure_httpd
end
enable_kerberos_dns_lookups()
Kerberos KRB5 File Methods
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 93
# Switches dns_lookup_kdc and dns_lookup_realm to 'true' in
# KERBEROS_CONFIG_FILE, after copying the file to "<file>.miqbkp".
#
# Returns the result of File.write.
# Raises IndexError (from String#[]=) when either setting is missing; the
# file itself is then left unmodified because the write happens last.
def enable_kerberos_dns_lookups
  # The backup name is fixed, so each run overwrites the previous backup.
  FileUtils.copy(KERBEROS_CONFIG_FILE, "#{KERBEROS_CONFIG_FILE}.miqbkp")
  contents = File.read(KERBEROS_CONFIG_FILE)
  # Only the first match of each setting is rewritten.
  # NOTE(review): with both enabled, KDC and realm discovery rely on DNS
  # answers -- confirm that matches the deployment's trust in its resolvers.
  %w[dns_lookup_kdc dns_lookup_realm].each do |setting|
    contents[/(\s*)#{setting}(\s*)=(\s*)(.*)/, 4] = 'true'
  end
  File.write(KERBEROS_CONFIG_FILE, contents)
end
host_reachable?(host, what = "Server")
Network validation
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 188
# Pings +host+ and reports the outcome to the operator.
#
# host - name or address to check.
# what - label used in the failure message (default "Server").
#
# Returns true when the ping succeeds, false otherwise. A successful ping
# only shows that something answers at that name; it says nothing about the
# identity of the server.
def host_reachable?(host, what = "Server")
  # Loaded on first use rather than at file load time.
  require 'net/ping'
  say("Checking connectivity to #{host} ... ")
  if Net::Ping::External.new(host).ping
    say("Succeeded.")
    return true
  end

  say("Failed.\nCould not connect to #{host},")
  say("the #{what} must be reachable by name.")
  false
end
installation_valid?()
Validation Methods
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 144
# Checks that every RPM needed for external authentication is installed,
# naming each missing package to the operator.
#
# Returns true when all packages are present, false otherwise.
def installation_valid?
  installed = LinuxAdmin::Rpm.list_installed.keys
  required = %w[ipa-client sssd-dbus mod_intercept_form_submit mod_authnz_pam mod_lookup_identity]

  absent = required.reject { |package| installed.include?(package) }
  absent.each { |package| say("#{package} RPM is not installed") }
  return true if absent.empty?

  say("\nAppliance Installation is not valid for enabling External Authentication\n")
  false
end
ipa_client_configure(realm, domain, server, principal, password)
IPA Configuration Methods
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 48
# Runs IPA_INSTALL_COMMAND unattended to join this host to the given realm.
#
# realm, domain, server - identify the IPA deployment to join.
# principal, password   - credentials used for the join.
#
# Returns the AwesomeSpawn.run! result; run! raises when the command fails.
def ipa_client_configure(realm, domain, server, principal, password)
  say("Configuring the IPA Client ...")
  # NOTE(review): the password travels as a command-line parameter, so it is
  # part of the child's argument list for as long as the command runs. Check
  # whether the installer offers a way to take the secret off the command line
  # and whether failure logs or exception text include the parameters.
  join_options = {
    :realm=     => realm,
    :domain=    => domain,
    :server=    => server,
    :principal= => principal,
    :password=  => password
  }
  install_params = ["-N", :force_join, :fixed_primary, :unattended, join_options]
  AwesomeSpawn.run!(IPA_INSTALL_COMMAND, :params => install_params)
end
ipa_client_unconfigure()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 67
# Runs IPA_INSTALL_COMMAND with the uninstall and unattended parameters.
#
# Returns the AwesomeSpawn.run result. Unlike run!, run does not raise on a
# failed command, so a caller that needs to know the outcome must inspect
# the returned value.
def ipa_client_unconfigure
  say("Un-Configuring the IPA Client ...")
  uninstall_params = [:uninstall, :unattended]
  AwesomeSpawn.run(IPA_INSTALL_COMMAND, :params => uninstall_params)
end
path_join(*args)
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 215
# Joins path segments onto the first argument, treating every later segment
# as relative to the path built so far.
#
# args - first element is the base; the rest are appended in order.
#
# Returns a Pathname.
def path_join(*args)
  base, *segments = args
  # The "./" prefix keeps a segment that starts with "/" from replacing the
  # accumulated path: "/" joined with "/etc/x.conf" gives "/etc/x.conf", and
  # "/srv" joined with "/etc/x.conf" gives "/srv/etc/x.conf".
  # ".." components in a segment are still resolved by Pathname#join, so this
  # is not a containment check; segments should come from trusted values.
  segments.reduce(Pathname.new(base)) { |joined, segment| joined.join("./#{segment}") }
end
rm_file(file, dir = "/")
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 210
# Deletes +file+ beneath +dir+ when it exists.
#
# file - file name, resolved under +dir+ by path_join.
# dir  - root directory (default "/").
#
# Returns the File.delete result, or nil when there was nothing to delete.
def rm_file(file, dir = "/")
  target = path_join(dir, file)
  return unless File.exist?(target)

  File.delete(target)
end
template_directory()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 41
# Directory the configuration templates are read from, taken from the
# APPLIANCE_TEMPLATE_DIRECTORY environment variable.
#
# Returns a Pathname. Raises KeyError when the variable is not set.
#
# In this module the value is handed to cp_template, which renders ".erb"
# files as Ruby, so the variable should only ever point at a trusted,
# administrator-controlled directory.
def template_directory
  configured_dir = ENV.fetch("APPLIANCE_TEMPLATE_DIRECTORY")
  Pathname.new(configured_dir)
end
unconfigure_httpd()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 72
# Removes the external-authentication httpd files and restarts httpd so the
# running server stops using them.
#
# Returns the result of the service restart.
def unconfigure_httpd
  say("Unconfiguring httpd ...")
  unconfigure_httpd_application

  say("Restarting httpd ...")
  httpd_service = LinuxAdmin::Service.new("httpd")
  httpd_service.restart
end
unconfigure_httpd_application()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 85
# Deletes the two httpd external-authentication files through rm_file, using
# its default root directory.
#
# Returns the result of the last rm_file call.
def unconfigure_httpd_application
  installed_files = [HTTP_EXTERNAL_AUTH, HTTP_REMOTE_USER]
  installed_files.map { |installed| rm_file(installed) }.last
end
valid_environment?()
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 162
# Decides whether external authentication can be configured on this
# appliance, asking the operator before undoing an existing IPA client setup.
#
# Returns false when the installation check fails or the operator declines
# either prompt; true otherwise.
def valid_environment?
  return false unless installation_valid?
  return true unless ipa_client_configured?

  # An IPA client is already configured: show it and ask before removing it.
  show_current_configuration
  return false unless agree("\nIPA Client already configured on this Appliance, Un-Configure first? (Y/N): ")

  deactivate
  agree("\nProceed with External Authentication Configuration? (Y/N): ") ? true : false
end
valid_parameters?(ipaserver)
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 173
# Validates the supplied IPA server by checking that it can be reached.
#
# ipaserver - host name of the IPA server.
#
# Returns the result of host_reachable?.
def valid_parameters?(ipaserver)
  server_label = "IPA Server"
  host_reachable?(ipaserver, server_label)
end