Build and installation of Kerberos authentication extension

This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
2025-02-25 18:55:28 -06:00 · 2012-10-04 17:08:17 +02:00
parent 206b6ca04b
commit 247a3a43b7
6 changed files with 32 additions and 2 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -415,7 +415,9 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
@@ -664,7 +666,9 @@ fi
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -31,8 +31,9 @@ app_DATA =				\
 	krb5.conf.template		\
 	krb5.ini.template		\
 	krb.con.template		\
+	krb.js.template			\
 	krbrealm.con.template		\
-	preferences.html.template 	\
+	preferences.html.template	\
 	smb.conf.template		\
 	smb.conf.empty			\
 	referint-conf.ldif		\
--- a/install/share/krb.js.template
+++ b/install/share/krb.js.template
@@ -0,0 +1,2 @@
+var IPA_REALM = "$REALM";
+var IPA_DOMAIN = "$DOMAIN";
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -207,6 +207,8 @@ def install_http(config, auto_redirect):
        try:
            shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
            shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
+            shutil.copy(config.dir + "/krb.js", "/usr/share/ipa/html/krb.js")
+            shutil.copy(config.dir + "/kerberosauth.xpi", "/usr/share/ipa/html/kerberosauth.xpi")
        except Exception, e:
            print "error copying files: " + str(e)
            sys.exit(1)
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -225,6 +225,8 @@ def copy_files(realm_name, dir):
    try:
        shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
        if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
+            shutil.copy("/usr/share/ipa/html/krb.js", dir + "/krb.js")
+            shutil.copy("/usr/share/ipa/html/kerberosauth.xpi", dir + "/kerberosauth.xpi")
            shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
            shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
        if ipautil.file_exists("/var/kerberos/krb5kdc/cacert.pem"):
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -292,13 +292,20 @@ class HTTPInstance(service.Service):
        prefs_fd.close()
        os.chmod(target_fname, 0644)

+        target_fname = '/usr/share/ipa/html/krb.js'
+        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "krb.js.template", self.sub_dict)
+        prefs_fd = open(target_fname, "w")
+        prefs_fd.write(prefs_txt)
+        prefs_fd.close()
+        os.chmod(target_fname, 0644)
+
        # The signing cert is generated in __setup_ssl
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
-
        pwdfile = open(db.passwd_fname)
        pwd = pwdfile.read()
        pwdfile.close()

+        # Setup configure.jar
        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
        target_fname = '/usr/share/ipa/html/configure.jar'
        shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
@@ -309,6 +316,18 @@ class HTTPInstance(service.Service):
        shutil.rmtree(tmpdir)
        os.chmod(target_fname, 0644)

+        # Setup extension
+        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        extdir = tmpdir + "/ext"
+        target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
+        shutil.copytree("/usr/share/ipa/ffextension", extdir)
+        db.run_signtool(["-k", "Signing-Cert",
+                            "-p", pwd,
+                            "-X", "-Z", target_fname,
+                            extdir])
+        shutil.rmtree(tmpdir)
+        os.chmod(target_fname, 0644)
+
    def __publish_ca_cert(self):
        ca_db = certs.CertDB(self.realm)
        ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt")