# Authors:
# Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2011-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains default platform-specific implementations of system tasks.
'''
from __future__ import absolute_import
import os
import logging
from pkg_resources import parse_version
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipapython import ipautil
logger = logging.getLogger(__name__)
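class BaseTaskNamespace:
    """Default, platform-agnostic implementations of system tasks.

    Platform modules derive from this namespace and override the tasks that
    need a platform-specific implementation.  The defaults here either raise
    NotImplementedError or give the conservative answer (for example, SELinux
    and FIPS are reported as disabled).
    """

    def restore_context(self, filepath, force=False):
        """Restore SELinux security context on the given filepath.

        :param filepath: path whose security context is restored
        :param force: passed through to the platform implementation; its
            exact meaning is platform-defined
        No return value expected.
        """
        raise NotImplementedError()

    def backup_hostname(self, fstore, statestore):
        """
        Backs up the current hostname in the statestore (so that it can be
        restored by the restore_hostname platform task).

        :param fstore: file store used for backups
        :param statestore: state store that receives the saved hostname
        No return value expected.
        """
        raise NotImplementedError()

    def reload_systemwide_ca_store(self):
        """
        Reloads the systemwide CA store.

        Returns True if the operation succeeded, False otherwise.
        """
        raise NotImplementedError()

    def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
        """
        Adds CA certificates from 'ca_certs' to the systemwide CA store
        (if available on the platform).

        :param ca_certs: CA certificates to add
        Returns True if the operation succeeded, False otherwise.
        """
        raise NotImplementedError()

    def remove_ca_certs_from_systemwide_ca_store(self):
        """
        Removes IPA CA certificates from the systemwide CA store
        (if available on the platform).

        Returns True if the operation succeeded, False otherwise.
        """
        raise NotImplementedError()

    def get_svc_list_file(self):
        """
        Returns the path to the IPA service list file.
        """
        return paths.SVC_LIST_FILE

    def is_selinux_enabled(self):
        """Check if SELinux is available and enabled

        The base implementation always reports SELinux as disabled.

        :return: True if SELinux is available and enabled
        """
        return False

    def check_selinux_status(self):
        """Checks if SELinux is available on the platform.

        If it is, this task also makes sure that the restorecon tool is
        available.

        If SELinux is available, but the restorecon tool is not installed,
        raises a RuntimeError, which suggests installing the package
        containing restorecon and rerunning the installation.

        :return: True if SELinux is available and enabled
        """
        raise NotImplementedError()

    def check_ipv6_stack_enabled(self):
        """Check whether IPv6 kernel module is loaded"""
        raise NotImplementedError()

    def detect_container(self):
        """Check if running inside a container

        :returns: container runtime or None
        :rtype: str, None
        """
        raise NotImplementedError()

    def restore_hostname(self, fstore, statestore):
        """
        Restores the original hostname as backed up in the
        backup_hostname platform task.

        :param fstore: file store used for backups
        :param statestore: state store holding the saved hostname
        """
        raise NotImplementedError()

    def restore_pre_ipa_client_configuration(self, fstore, statestore,
                                             was_sssd_installed,
                                             was_sssd_configured):
        """
        Restores the pre-ipa-client configuration that was modified by the
        following platform tasks:
            modify_nsswitch_pam_stack
            modify_pam_to_use_krb5

        :param fstore: file store used for backups
        :param statestore: state store recorded during client install
        :param was_sssd_installed: whether SSSD was installed before install
        :param was_sssd_configured: whether SSSD was configured before install
        """
        raise NotImplementedError()

    def set_nisdomain(self, nisdomain):
        """
        Sets the NIS domain name to 'nisdomain'.

        :param nisdomain: NIS domain name to set
        """
        raise NotImplementedError()

    def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
                                  sudo=True):
        """
        If sssd flag is true, configure pam and nsswitch so that SSSD is used
        for retrieving user information and authentication.

        Otherwise, configure pam and nsswitch to leverage pure LDAP.

        :param sssd: use SSSD when true, pure LDAP otherwise
        :param mkhomedir: whether home directories should be created on login
        :param statestore: state store used to record the original state
        :param sudo: whether sudo integration is configured as well
        """
        raise NotImplementedError()

    def modify_pam_to_use_krb5(self, statestore):
        """
        Configure pam stack to allow kerberos authentication.

        :param statestore: state store used to record the original state
        """
        raise NotImplementedError()

    def is_nosssd_supported(self):
        """
        Check if the flag --no-sssd is supported for client install.

        The base implementation reports the flag as supported.
        """
        return True

    def backup_auth_configuration(self, path):
        """
        Create backup of access control configuration.

        :param path: store the backup here. This will be passed to
            restore_auth_configuration as well.
        """
        raise NotImplementedError()

    def restore_auth_configuration(self, path):
        """
        Restore backup of access control configuration.

        :param path: restore the backup from here.
        """
        raise NotImplementedError()

    def migrate_auth_configuration(self, statestore):
        """
        Migrate pam stack configuration to authselect.

        The base implementation has nothing to migrate and is a no-op;
        platforms that use authselect override it.

        :param statestore: state store used to record the original state
        """
        # Deliberately a no-op on the base platform.
        return None

    def set_selinux_booleans(self, required_settings, backup_func=None):
        """Set the specified SELinux booleans

        :param required_settings: A dictionary mapping the boolean names
                                  to desired_values.
                                  The desired value can be 'on' or 'off',
                                  or None to leave the setting unchanged.

        :param backup_func: A function called for each boolean with two
                            arguments: the name and the previous value

        If SELinux is disabled, return False; on success returns True.

        If setting the booleans fails,
        an ipapython.errors.SetseboolError is raised.
        """
        raise NotImplementedError()

    @staticmethod
    def parse_ipa_version(version):
        """
        :param version: textual version
        :return: object implementing proper __cmp__ method for version compare
        """
        return parse_version(version)

    def set_hostname(self, hostname):
        """
        Set hostname for the system

        :param hostname: new host name
        No return value expected, raise CalledProcessError when error occurred
        """
        raise NotImplementedError()

    def configure_httpd_service_ipa_conf(self):
        """Configure httpd service to work with IPA"""
        raise NotImplementedError()

    def configure_http_gssproxy_conf(self, ipauser):
        """Configure GSSProxy for the httpd service.

        :param ipauser: user the IPA web code runs as (presumably; confirm
            against the platform implementations)
        """
        raise NotImplementedError()

    def remove_httpd_service_ipa_conf(self):
        """Remove configuration of httpd service of IPA"""
        raise NotImplementedError()

    def configure_httpd_wsgi_conf(self):
        """Configure WSGI for correct Python version"""
        raise NotImplementedError()

    def is_fips_enabled(self):
        """Check if the system runs in FIPS mode.

        The base implementation always reports FIPS as disabled.

        :return: True if FIPS mode is enabled
        """
        return False

    def add_user_to_group(self, user, group):
        """Add 'user' to the supplementary group 'group' via usermod.

        :param user: name of the user to modify
        :param group: name of the group to add the user to
        A failing usermod is not fatal: it is logged at debug level only
        and the method returns normally.
        """
        logger.debug('Adding user %s to group %s', user, group)
        # Argument list (no shell): user and group are passed as separate
        # argv entries, so they are never interpreted by a shell.
        usermod_args = [paths.USERMOD, '-a', '-G', group, user]
        try:
            ipautil.run(usermod_args)
        except ipautil.CalledProcessError as e:
            # Best-effort by design: callers do not depend on the result.
            logger.debug('Failed to add user to group: %s', e)
        else:
            logger.debug('Done adding user to group')

    def setup_httpd_logging(self):
        """Configure logging for the httpd service."""
        raise NotImplementedError()

    def systemd_daemon_reload(self):
        """Tell systemd to reload config files"""
        raise NotImplementedError()

    def configure_dns_resolver(self, nameservers, searchdomains, fstore=None):
        """Configure global DNS resolver (e.g. /etc/resolv.conf)

        :param nameservers: list of IP addresses
        :param searchdomains: list of search domains
        :param fstore: optional file store for backup
        """
        raise NotImplementedError()

    def unconfigure_dns_resolver(self, fstore=None):
        """Unconfigure global DNS resolver (e.g. /etc/resolv.conf)

        Restores the resolver file from 'fstore' when a backup of it exists;
        without a file store (or without a backup) nothing is done.

        :param fstore: optional file store for restore
        """
        if fstore is None:
            return
        if fstore.has_file(paths.RESOLV_CONF):
            fstore.restore_file(paths.RESOLV_CONF)

    def run_ods_setup(self):
        """Initialize a new kasp.db

        Runs the OpenDNSSEC setup command as the ODS user.  The command is
        fed 'y' on stdin (presumably to confirm the interactive prompt of
        the tool).  ods-ksmutil is used when the platform provides it
        (OpenDNSSEC 1.4), the enforcer database setup tool otherwise.

        :return: result from ipautil.run()
        """
        if paths.ODS_KSMUTIL is not None:
            setup_cmd = [paths.ODS_KSMUTIL, 'setup']
        else:
            setup_cmd = [paths.ODS_ENFORCER_DB_SETUP]
        return ipautil.run(setup_cmd, stdin="y", runas=constants.ODS_USER)

    def run_ods_manager(self, params, **kwargs):
        """Run OpenDNSSEC manager command (ksmutil, enforcer)

        The 'setup' subcommand is refused here because it (re)initializes
        kasp.db; use run_ods_setup() for that.  The check is a real
        exception rather than an assert so it is not stripped under
        ``python -O``.

        :param params: parameter for ODS command
        :param kwargs: additional arguments for ipautil.run()
        :return: result from ipautil.run()
        :raises ValueError: when params is empty or starts with 'setup'
        """
        if not params or params[0] == 'setup':
            raise ValueError(
                "run_ods_manager() requires a non-'setup' ODS subcommand")

        if paths.ODS_KSMUTIL is not None:
            # OpenDNSSEC 1.4
            cmd = [paths.ODS_KSMUTIL]
        else:
            # OpenDNSSEC 2.x
            cmd = [paths.ODS_ENFORCER]
        cmd.extend(params)

        # Drop privileges: when running as root, execute the command as the
        # ODS user (overrides any 'runas' the caller passed).  When not root
        # the command runs as the current user.
        if os.geteuid() == 0:
            kwargs['runas'] = constants.ODS_USER

        return ipautil.run(cmd, **kwargs)

    def configure_pkcs11_modules(self, fstore):
        """Disable p11-kit modules

        The p11-kit configuration injects p11-kit-proxy into all NSS
        databases. Amongst others, p11-kit loads the SoftHSM2 PKCS#11
        provider. This interferes with 389-DS, certmonger, Dogtag and other
        services. For example certmonger tries to open OpenDNSSEC's SoftHSM2
        token, although it doesn't use it at all. It also breaks Dogtag HSM
        support testing with SoftHSM2.

        IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

        :param fstore: file store used to back up the modified configuration
        """
        raise NotImplementedError()

    def restore_pkcs11_modules(self, fstore):
        """Restore global p11-kit modules for NSS

        :param fstore: file store holding the backed-up configuration
        """
        raise NotImplementedError()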
# Module-level instance of the default task namespace; platform modules
# provide their own `tasks` object built from a subclass.
tasks = BaseTaskNamespace()