2007-10-15 14:42:12 -05:00
|
|
|
# Authors: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2007 Red Hat
|
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
|
# modify it under the terms of the GNU General Public License as
|
|
|
|
|
# published by the Free Software Foundation; version 2 or later
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
|
#
|
|
|
|
|
|
2007-12-13 03:31:28 -06:00
|
|
|
import os
|
|
|
|
|
import os.path
|
2007-10-15 14:42:12 -05:00
|
|
|
import subprocess
|
|
|
|
|
import string
|
|
|
|
|
import tempfile
|
|
|
|
|
import logging
|
|
|
|
|
import pwd
|
|
|
|
|
import fileinput
|
|
|
|
|
import sys
|
0000-12-31 18:09:24 -05:50
|
|
|
import time
|
2007-12-12 08:36:32 -06:00
|
|
|
import shutil
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
|
import service
|
0000-12-31 18:09:24 -05:50
|
|
|
import certs
|
|
|
|
|
import dsinstance
|
0000-12-31 18:09:24 -05:50
|
|
|
import installutils
|
2007-12-13 03:31:28 -06:00
|
|
|
from ipa import ipautil
|
2007-10-15 14:42:12 -05:00
|
|
|
|
|
|
|
|
HTTPD_DIR = "/etc/httpd"
|
|
|
|
|
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
|
|
|
|
|
NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
|
0000-12-31 18:09:24 -05:50
|
|
|
NSS_DIR = HTTPD_DIR + "/alias"
|
2007-10-15 14:42:12 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
|
|
|
|
|
The web interface may not function correctly until this boolean is
|
|
|
|
|
successfully change with the command:
|
|
|
|
|
/usr/sbin/setsebool -P httpd_can_network_connect true
|
|
|
|
|
Try updating the policycoreutils and selinux-policy packages.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
class HTTPInstance(service.Service):
|
2007-10-15 14:42:12 -05:00
|
|
|
def __init__(self):
|
0000-12-31 18:09:24 -05:50
|
|
|
service.Service.__init__(self, "httpd")
|
2007-10-15 14:42:12 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def create_instance(self, realm, fqdn):
|
|
|
|
|
self.fqdn = fqdn
|
|
|
|
|
self.realm = realm
|
2007-12-12 08:36:32 -06:00
|
|
|
self.domain = fqdn[fqdn.find(".")+1:]
|
|
|
|
|
self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
|
0000-12-31 18:09:24 -05:50
|
|
|
|
2007-12-13 03:31:28 -06:00
|
|
|
self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
|
|
|
|
|
self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
|
|
|
|
|
self.step("configuring httpd", self.__configure_http)
|
|
|
|
|
self.step("creating a keytab for httpd", self.__create_http_keytab)
|
|
|
|
|
self.step("Setting up ssl", self.__setup_ssl)
|
|
|
|
|
self.step("Setting up browser autoconfig", self.__setup_autoconfig)
|
|
|
|
|
self.step("configuring SELinux for httpd", self.__selinux_config)
|
|
|
|
|
self.step("restarting httpd", self.restart)
|
|
|
|
|
self.step("configuring httpd to start on boot", self.chkconfig_on)
|
|
|
|
|
|
|
|
|
|
self.start_creation("Configuring the web interface")
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
|
def __selinux_config(self):
|
|
|
|
|
selinux=0
|
2007-10-15 14:42:12 -05:00
|
|
|
try:
|
0000-12-31 18:09:24 -05:50
|
|
|
if (os.path.exists('/usr/sbin/selinuxenabled')):
|
2007-12-13 03:31:28 -06:00
|
|
|
ipautil.run(["/usr/sbin/selinuxenabled"])
|
0000-12-31 18:09:24 -05:50
|
|
|
selinux=1
|
2007-11-30 14:53:02 -06:00
|
|
|
except ipautil.CalledProcessError:
|
0000-12-31 18:09:24 -05:50
|
|
|
# selinuxenabled returns 1 if not enabled
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
if selinux:
|
|
|
|
|
# Allow apache to connect to the turbogears web gui
|
|
|
|
|
# This can still fail even if selinux is enabled
|
|
|
|
|
try:
|
2007-12-13 03:31:28 -06:00
|
|
|
ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
|
0000-12-31 18:09:24 -05:50
|
|
|
except:
|
|
|
|
|
self.print_msg(selinux_warning)
|
|
|
|
|
|
|
|
|
|
def __create_http_keytab(self):
|
|
|
|
|
try:
|
2007-12-13 03:31:28 -06:00
|
|
|
if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
|
0000-12-31 18:09:24 -05:50
|
|
|
os.remove("/etc/httpd/conf/ipa.keytab")
|
|
|
|
|
except os.error:
|
|
|
|
|
print "Failed to remove /etc/httpd/conf/ipa.keytab."
|
|
|
|
|
(kwrite, kread, kerr) = os.popen3("/usr/kerberos/sbin/kadmin.local")
|
|
|
|
|
kwrite.write("addprinc -randkey HTTP/"+self.fqdn+"@"+self.realm+"\n")
|
|
|
|
|
kwrite.flush()
|
|
|
|
|
kwrite.write("ktadd -k /etc/httpd/conf/ipa.keytab HTTP/"+self.fqdn+"@"+self.realm+"\n")
|
|
|
|
|
kwrite.flush()
|
|
|
|
|
kwrite.close()
|
|
|
|
|
kread.close()
|
|
|
|
|
kerr.close()
|
|
|
|
|
|
|
|
|
|
# give kadmin time to actually write the file before we go on
|
|
|
|
|
retry = 0
|
2007-12-13 03:31:28 -06:00
|
|
|
while not ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
|
0000-12-31 18:09:24 -05:50
|
|
|
time.sleep(1)
|
|
|
|
|
retry += 1
|
|
|
|
|
if retry > 15:
|
|
|
|
|
print "Error timed out waiting for kadmin to finish operations\n"
|
|
|
|
|
sys.exit(1)
|
2007-10-15 14:42:12 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
pent = pwd.getpwnam("apache")
|
|
|
|
|
os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
|
2007-10-15 14:42:12 -05:00
|
|
|
|
0000-12-31 18:09:24 -05:50
|
|
|
def __configure_http(self):
|
2007-12-13 03:31:28 -06:00
|
|
|
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
|
0000-12-31 18:09:24 -05:50
|
|
|
http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
|
|
|
|
|
http_fd.write(http_txt)
|
|
|
|
|
http_fd.close()
|
2007-10-15 14:42:12 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def __disable_mod_ssl(self):
|
|
|
|
|
if os.path.exists(SSL_CONF):
|
|
|
|
|
os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF)
|
|
|
|
|
|
|
|
|
|
def __set_mod_nss_port(self):
|
0000-12-31 18:09:24 -05:50
|
|
|
if installutils.update_file(NSS_CONF, '8443', '443') != 0:
|
2007-11-15 10:09:17 -06:00
|
|
|
print "Updating %s failed." % NSS_CONF
|
0000-12-31 18:09:24 -05:50
|
|
|
|
|
|
|
|
def __setup_ssl(self):
|
|
|
|
|
ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm))
|
0000-12-31 18:09:24 -05:50
|
|
|
ca = certs.CertDB(NSS_DIR)
|
|
|
|
|
ds_ca.cur_serial = 2000
|
0000-12-31 18:09:24 -05:50
|
|
|
ca.create_from_cacert(ds_ca.cacert_fname)
|
0000-12-31 18:09:24 -05:50
|
|
|
ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
|
2007-12-12 08:36:32 -06:00
|
|
|
ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
|
|
|
|
|
|
|
|
|
|
def __setup_autoconfig(self):
|
2007-12-13 03:31:28 -06:00
|
|
|
prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
|
2007-12-12 08:36:32 -06:00
|
|
|
prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
|
|
|
|
|
prefs_fd.write(prefs_txt)
|
|
|
|
|
prefs_fd.close()
|
|
|
|
|
|
|
|
|
|
# The signing cert is generated in __setup_ssl
|
|
|
|
|
ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm))
|
|
|
|
|
ca = certs.CertDB(NSS_DIR)
|
|
|
|
|
|
|
|
|
|
# Publish the CA certificate
|
|
|
|
|
shutil.copy(ds_ca.cacert_fname, "/usr/share/ipa/html/ca.crt")
|
|
|
|
|
os.chmod("/usr/share/ipa/html/ca.crt", 0444)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
shutil.rmtree("/tmp/ipa")
|
|
|
|
|
except:
|
|
|
|
|
pass
|
|
|
|
|
os.mkdir("/tmp/ipa")
|
|
|
|
|
shutil.copy("/usr/share/ipa/html/preferences.html", "/tmp/ipa")
|
|
|
|
|
|
|
|
|
|
ca.run_signtool(["-k", "Signing-Cert",
|
|
|
|
|
"-Z", "/usr/share/ipa/html/configure.jar",
|
|
|
|
|
"-e", ".html",
|
|
|
|
|
"/tmp/ipa"])
|
|
|
|
|
shutil.rmtree("/tmp/ipa")
|
