module ManageIQ::ApplianceConsole::ExternalHttpdAuthentication::ExternalHttpdConfiguration

Constants

APACHE_USER
GETENFORCE_COMMAND
GETSEBOOL_COMMAND
HTTP_EXTERNAL_AUTH
HTTP_EXTERNAL_AUTH_TEMPLATE
HTTP_KEYTAB
HTTP_REMOTE_USER
HTTP_REMOTE_USER_OIDC
IPA_COMMAND

External Authentication Definitions

IPA_GETKEYTAB
IPA_INSTALL_COMMAND
KERBEROS_CONFIG_FILE
LDAP_ATTRS
PAM_CONFIG
SETSEBOOL_COMMAND
SSSD_CONFIG
TIMESTAMP_FORMAT

Public Instance Methods

config_file_write(config, path, timestamp) click to toggle source

Config File I/O Methods

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 180
# Writes +config+ to +path+, keeping a copy of any file already there.
#
# @param config [String] complete file contents to write
# @param path [String] file to create or overwrite
# @param timestamp [String] suffix of the backup copy, "<path>.<timestamp>"
# @return [Integer] number of bytes written
#
# NOTE(review): the file is rewritten in place, and a file that did not exist
# before is created with umask-default permissions; confirm that callers
# writing sensitive configuration restrict the mode themselves.
def config_file_write(config, path, timestamp)
  backup_path = "#{path}.#{timestamp}"
  FileUtils.copy(path, backup_path) if File.exist?(path)
  File.write(path, config)
end
configure_httpd_application() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 80
# Installs the two httpd external-authentication files from the template
# directory: HTTP_EXTERNAL_AUTH_TEMPLATE and HTTP_REMOTE_USER.
# cp_template is called with its default destination root ("/").
def configure_httpd_application
  templates = template_directory
  cp_template(HTTP_EXTERNAL_AUTH_TEMPLATE, templates)
  cp_template(HTTP_REMOTE_USER, templates)
end
configure_sssd_domain(config, domain) click to toggle source

SSSD File Methods

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 104
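# Sets ldap_user_extra_attrs and entry_cache_timeout in the [domain/<domain>]
# section of the sssd.conf text held in +config+ (edited in place).
#
# The section header is matched literally. Interpolating "[domain/...]"
# unescaped into a Regexp turns it into a character class, which matches one
# character on the first suitable line of the file rather than the header, so
# the settings could be written into a different section.
#
# @param config [String] sssd.conf contents; mutated
# @param domain [String] SSSD domain name
# @return [String] the entry_cache_timeout text that was inserted
# @raise [IndexError] when +config+ has no [domain/<domain>] header line
def configure_sssd_domain(config, domain)
  ldap_user_extra_attrs = LDAP_ATTRS.keys.join(", ")
  header      = Regexp.escape("[domain/#{domain}]")
  header_line = /^#{header}.*(\n)/
  # Only lines before the next "[section]" header belong to this domain, and
  # the key must start its line so a commented-out setting is not edited.
  attrs_line  = /^#{header}.*(?:\n(?!\[).*)*\n[ \t]*ldap_user_extra_attrs = (.*)/

  if config[attrs_line]
    config[attrs_line, 1] = ldap_user_extra_attrs
  else
    config[header_line, 1] = "\nldap_user_extra_attrs = #{ldap_user_extra_attrs}\n"
  end

  # Inserted directly under the section header on every call.
  config[header_line, 1] = "\nentry_cache_timeout = 600\n"
end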
configure_sssd_ifp(config) click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 124
      # Makes sure the sssd.conf text in +config+ (edited in place) has an
      # [ifp] section exposing the LDAP_ATTRS keys as "+name" user_attributes.
      #
      # * no [ifp] section: one is appended with allowed_uids and user_attributes
      # * [ifp] followed by a "user_attributes = " line: only that value is replaced
      # * [ifp] without such a line: both settings are inserted under the header
      #
      # NOTE(review): in the second case allowed_uids is left as found; confirm
      # the existing value is the intended access list.
      #
      # @param config [String] sssd.conf contents; mutated
      def configure_sssd_ifp(config)
        attr_list   = LDAP_ATTRS.keys.map { |name| "+#{name}" }.join(", ")
        ifp_body    = "\n  allowed_uids = #{APACHE_USER}, root\n  user_attributes = #{attr_list}\n"
        existing_re = /\[ifp\](\n.*)+user_attributes = (.*)/

        return config << "\n[ifp]#{ifp_body}\n" unless config.include?("[ifp]")

        if config[existing_re]
          config[existing_re, 2] = attr_list
        else
          config[/\[ifp\](\n)/, 1] = ifp_body
        end
      end
configure_sssd_service(config) click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 118
# Adds "ifp" to the services list found after the [sssd] header in +config+
# (edited in place) unless the list already contains the text "ifp".
#
# @param config [String] sssd.conf contents; mutated
# @return [String] the resulting services value
# @raise [NoMethodError] when no "services = " line follows an [sssd] header
def configure_sssd_service(config)
  services_re = /\[sssd\](\n.*)+services = (.*)/
  current     = config.match(services_re)[2]
  updated     = current.include?("ifp") ? current : "#{current}, ifp"
  config[services_re, 2] = updated
end
cp_template(file, src_dir, dest_dir = "/") click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 200
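# Installs +file+ from +src_dir+ under +dest_dir+, keeping its relative path.
# A file whose name ends in ".erb" is rendered through ERB and written
# without that suffix; any other file is copied unchanged.
#
# Whether a file is a template is decided from the suffix of +file+ alone.
# Testing the whole source path for the substring ".erb" would also render a
# plain file that merely sits under a directory with ".erb" in its name.
#
# ERB templates run as Ruby code with this object's binding, so the template
# directory must be writable only by trusted administrators.
#
# NOTE(review): passing trim_mode as the third positional argument of ERB.new
# is deprecated since Ruby 2.6; switch to the trim_mode: keyword once the
# minimum supported Ruby allows it.
#
# @param file [String] path of the file relative to +src_dir+
# @param src_dir [String, Pathname] directory holding the templates
# @param dest_dir [String, Pathname] root the file is installed under
def cp_template(file, src_dir, dest_dir = "/")
  template  = file.end_with?(".erb")
  src_path  = path_join(src_dir, file)
  dest_path = path_join(dest_dir, template ? file.sub(/\.erb\z/, "") : file)
  if template
    File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
  else
    FileUtils.cp src_path, dest_path
  end
end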
deactivate() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 62
# Undoes the external-authentication setup: un-configures the IPA client,
# then removes the httpd configuration through unconfigure_httpd.
def deactivate
  ipa_client_unconfigure
  unconfigure_httpd
end
enable_kerberos_dns_lookups() click to toggle source

Kerberos KRB5 File Methods

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 93
# Sets dns_lookup_kdc and dns_lookup_realm to "true" in KERBEROS_CONFIG_FILE.
# The file is first copied to "<file>.miqbkp", replacing any earlier copy.
#
# NOTE(review): with both lookups enabled, KDC and realm discovery depend on
# DNS answers; confirm that is acceptable for the deployment.
#
# @return [Integer] number of bytes written
# @raise [IndexError] when either setting has no line in the file
def enable_kerberos_dns_lookups
  FileUtils.copy(KERBEROS_CONFIG_FILE, "#{KERBEROS_CONFIG_FILE}.miqbkp")
  contents = File.read(KERBEROS_CONFIG_FILE)
  %w(dns_lookup_kdc dns_lookup_realm).each do |setting|
    contents[/(\s*)#{setting}(\s*)=(\s*)(.*)/, 4] = 'true'
  end
  File.write(KERBEROS_CONFIG_FILE, contents)
end
host_reachable?(host, what = "Server") click to toggle source

Network validation

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 188
# Pings +host+ and reports the outcome to the operator.
#
# NOTE(review): +host+ is handed to an external ping through
# Net::Ping::External; confirm callers pass a validated host name (for
# example, one that cannot be read as a command-line option).
#
# @param host [String] host name to check
# @param what [String] label used in the failure message
# @return [Boolean] true when the ping succeeded
def host_reachable?(host, what = "Server")
  require 'net/ping'
  say("Checking connectivity to #{host} ... ")
  if Net::Ping::External.new(host).ping
    say("Succeeded.")
    true
  else
    say("Failed.\nCould not connect to #{host},")
    say("the #{what} must be reachable by name.")
    false
  end
end
installation_valid?() click to toggle source

Validation Methods

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 144
# Checks that every RPM needed for external authentication is installed,
# telling the operator about each missing package.
#
# @return [Boolean] true when no required package is missing
def installation_valid?
  installed = LinuxAdmin::Rpm.list_installed.keys
  required  = %w(ipa-client sssd-dbus mod_intercept_form_submit mod_authnz_pam mod_lookup_identity)

  absent = required.reject { |package| installed.include?(package) }
  absent.each { |package| say("#{package} RPM is not installed") }
  return true if absent.empty?

  say("\nAppliance Installation is not valid for enabling External Authentication\n")
  false
end
ipa_client_configure(realm, domain, server, principal, password) click to toggle source

IPA Configuration Methods

# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 48
# Runs IPA_INSTALL_COMMAND unattended to join this host to the IPA realm.
# AwesomeSpawn.run! is used, so a failing command raises.
#
# NOTE(review): the password is passed as a command parameter, so it is
# presumably visible in the process list while the installer runs and in any
# error text that echoes the command line; confirm whether the installer can
# be given the password another way (for example on stdin).
#
# @param realm [String]
# @param domain [String]
# @param server [String]
# @param principal [String]
# @param password [String]
def ipa_client_configure(realm, domain, server, principal, password)
  say("Configuring the IPA Client ...")
  join_options = {
    :realm=     => realm,
    :domain=    => domain,
    :server=    => server,
    :principal= => principal,
    :password=  => password
  }
  install_params = ["-N", :force_join, :fixed_primary, :unattended, join_options]
  AwesomeSpawn.run!(IPA_INSTALL_COMMAND, :params => install_params)
end
ipa_client_unconfigure() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 67
# Runs IPA_INSTALL_COMMAND in unattended uninstall mode.
# AwesomeSpawn.run (not run!) is used, so a failing uninstall does not raise
# here; the command result is returned for the caller to inspect.
def ipa_client_unconfigure
  say("Un-Configuring the IPA Client ...")
  uninstall_flags = [:uninstall, :unattended]
  AwesomeSpawn.run(IPA_INSTALL_COMMAND, :params => uninstall_flags)
end
path_join(*args) click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 215
# Joins path segments under the first one. Each later segment is prefixed
# with "./" so that an absolute segment is appended to the base, not
# substituted for it.
#
# This is not a containment check: ".." segments are not rejected.
#
# @param args [Array<String, Pathname>] base path followed by segments
# @return [Pathname]
def path_join(*args)
  base, *segments = args
  segments.inject(Pathname.new(base)) { |joined, segment| joined.join("./#{segment}") }
end
rm_file(file, dir = "/") click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 210
# Deletes +file+ below +dir+ when it exists; a missing file is not an error.
#
# @param file [String] path of the file relative to +dir+
# @param dir [String, Pathname] root the path is resolved under
# @return [Integer, nil] File.delete's result, or nil when nothing was there
def rm_file(file, dir = "/")
  target = path_join(dir, file)
  return unless File.exist?(target)

  File.delete(target)
end
template_directory() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 41
# Directory the configuration templates are read from, taken from the
# APPLIANCE_TEMPLATE_DIRECTORY environment variable.
#
# NOTE(review): ERB templates under this directory are executed by
# cp_template, so the variable should only be settable by a trusted
# administrator.
#
# @return [Pathname]
# @raise [KeyError] when the variable is not set
def template_directory
  configured_dir = ENV.fetch("APPLIANCE_TEMPLATE_DIRECTORY")
  Pathname(configured_dir)
end
unconfigure_httpd() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 72
# Removes the httpd external-authentication files and restarts httpd so the
# change takes effect.
def unconfigure_httpd
  say("Unconfiguring httpd ...")
  unconfigure_httpd_application

  say("Restarting httpd ...")
  httpd_service = LinuxAdmin::Service.new("httpd")
  httpd_service.restart
end
unconfigure_httpd_application() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 85
# Deletes the HTTP_EXTERNAL_AUTH and HTTP_REMOTE_USER files through rm_file,
# using its default directory ("/").
def unconfigure_httpd_application
  rm_file(HTTP_EXTERNAL_AUTH)
  rm_file(HTTP_REMOTE_USER)
end
valid_environment?() click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 162
# Decides whether external authentication can be configured now.
#
# Requires a valid installation. When the IPA client is already configured,
# the current configuration is shown and the operator must agree to
# un-configure it and then agree again to proceed.
#
# @return [Boolean]
def valid_environment?
  return false unless installation_valid?
  return true unless ipa_client_configured?

  show_current_configuration
  return false unless agree("\nIPA Client already configured on this Appliance, Un-Configure first? (Y/N): ")

  deactivate
  return false unless agree("\nProceed with External Authentication Configuration? (Y/N): ")

  true
end
valid_parameters?(ipaserver) click to toggle source
# File lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb, line 173
# Validates the supplied parameters; the only check made here is that
# +ipaserver+ answers a ping (see host_reachable?).
#
# @param ipaserver [String] IPA server host name
# @return [Boolean]
def valid_parameters?(ipaserver)
  host_reachable?(ipaserver, "IPA Server")
end