freeipa/contrib/lite-setup.py

193 lines
5.0 KiB
Python
Raw Normal View History

#!/usr/bin/python3
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
"""Configure lite-server environment.
See README.md for more details.
"""
import argparse
import os
import socket
from urllib.request import urlopen
DEFAULT_CONF = """\
[global]
host = {args.hostname}
server = {args.servername}
basedn = {args.basedn}
realm = {args.realm}
domain = {args.domain}
xmlrpc_uri = {args.xmlrpc_uri}
ldap_uri = ldap://{args.servername}
debug = {args.debug}
enable_ra = False
ra_plugin = dogtag
dogtag_version = 10
"""
KRB5_CONF = """\
[libdefaults]
default_realm = {args.realm}
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = FILE:{args.ccache}
[realms]
{args.realm} = {{
kdc = {args.kdc}
master_kdc = {args.kdc}
admin_server = {args.kadmin}
default_domain = ipa.example
pkinit_anchors = FILE:{args.ca_crt}
pkinit_pool = FILE:{args.ca_crt}
http_anchors = FILE:{args.ca_crt}
}}
[domain_realm]
.ipa.example = {args.realm}
ipa.example = {args.realm}
{args.servername} = {args.realm}
"""
LDAP_CONF = """\
URI ldaps://{args.servername}
BASE {args.basedn}
TLS_CACERT {args.ca_crt}
SASL_MECH GSSAPI
SASL_NOCANON on
"""
IPA_BIN = """\
#!/bin/sh
exec python3 -m ipaclient $*
"""
ACTIVATE = """\
deactivate_ipaenv () {{
export PS1="${{_OLD_IPAENV_PS1}}"
export PATH="${{_OLD_IPAENV_PATH}}"
unset _OLD_IPAENV_PS1
unset _OLD_IPAENV_PATH
unset KRB5_CONFIG
unset KRB5CCNAME
unset LDAPCONF
unset IPA_CONFDIR
unset PYTHONPATH
unset -f deactivate_ipaenv
}}
export _OLD_IPAENV_PS1="${{PS1:-}}"
export _OLD_IPAENV_PATH="${{PATH:-}}"
export PS1="(ipaenv) ${{PS1:-}}"
export PATH="{args.dot_ipa}:${{PATH:-}}"
export KRB5_CONFIG="{args.krb5_conf}"
export KRB5CCNAME="{args.ccache}"
{args.tracecomment}export KRB5_TRACE=/dev/stderr
export LDAPCONF="{args.ldap_conf}"
export IPA_CONFDIR="{args.dot_ipa}"
export PYTHONPATH="{args.basedir}"
"""
MSG = """\
Configured for server '{args.servername}' and realm '{args.realm}'.
To activate the IPA test env:
source {args.activate}
kinit
make lite-server
To deactivate the IPA test env and to unset the env vars:
deactivate_ipaenv
The source file configures the env vars:
export KRB5_CONFIG="{args.krb5_conf}"
export KRB5CCNAME="{args.ccache}"
export LDAPCONF="{args.ldap_conf}"
export IPA_CONFDIR="{args.dot_ipa}"
export PYTHONPATH="{args.basedir}"
"""
parser = argparse.ArgumentParser()
parser.add_argument("servername", help="IPA server name")
parser.add_argument("domain", default=None, nargs="?")
parser.add_argument(
"--kdcproxy", action="store_true", help="Use KRB5 over HTTPS (KDC-Proxy)"
)
parser.add_argument(
"--debug",
action="store_true",
help="Enable debug mode for lite-server and KRB5",
)
parser.add_argument(
"--remote-server",
action="store_true",
help="Configure client to use a remote server instead of lite-server",
)
def main():
args = parser.parse_args()
if args.domain is None:
args.domain = args.servername.lower().split(".", 1)[1]
else:
args.domain = args.domain.lower().rstrip(".")
args.realm = args.domain.upper()
args.hostname = socket.gethostname()
args.basedn = ",".join(f"dc={part}" for part in args.domain.split("."))
args.tracecomment = "" if args.debug else "#"
if args.kdcproxy:
args.kdc = f"https://{args.servername}/KdcProxy"
args.kadmin = f"https://{args.servername}/KdcProxy"
else:
args.kdc = f"{args.servername}:88"
args.kadmin = f"{args.servername}:749"
if args.remote_server:
args.xmlrpc_uri = f"https://{args.servername}/ipa/xml"
else:
args.xmlrpc_uri = f"http://localhost:8888/ipa/xml"
args.basedir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
args.dot_ipa = os.path.expanduser("~/.ipa")
args.default_conf = os.path.join(args.dot_ipa, "default.conf")
args.ca_crt = os.path.join(args.dot_ipa, "ca.crt")
args.krb5_conf = os.path.join(args.dot_ipa, "krb5.conf")
args.ldap_conf = os.path.join(args.dot_ipa, "ldap.conf")
args.ccache = os.path.join(args.dot_ipa, "ccache")
args.ipa_bin = os.path.join(args.dot_ipa, "ipa")
args.activate = os.path.join(args.dot_ipa, "activate.sh")
if not os.path.isdir(args.dot_ipa):
os.makedirs(args.dot_ipa, mode=0o750)
with urlopen(f"http://{args.servername}/ipa/config/ca.crt") as req:
ca_data = req.read()
with open(args.ca_crt, "wb") as f:
f.write(ca_data)
with open(args.default_conf, "w") as f:
f.write(DEFAULT_CONF.format(args=args))
with open(args.krb5_conf, "w") as f:
f.write(KRB5_CONF.format(args=args))
with open(args.ldap_conf, "w") as f:
f.write(LDAP_CONF.format(args=args))
with open(args.ipa_bin, "w") as f:
f.write(IPA_BIN.format(args=args))
os.fchmod(f.fileno(), 0o755)
with open(args.activate, "w") as f:
f.write(ACTIVATE.format(args=args))
print(MSG.format(args=args))
if __name__ == "__main__":
main()