Refine our web space some more so that everything we reference is in /ipa

UI: /ipa/ui
XML-RPC: /ipa/xml
errors: /ipa/errors
config: /ipa/config

I had to hardcode that URI into the CSS pages but TurboGears handles the
rest of the translations with tg.url().

Added a version to ipa.conf and ipa-rewrite.conf so we can update them
in the future if needed with ipa-upgradeconfig

440443

ipa-python/rpcclient.py

@@ -38,7 +38,7 @@ class RPCClient:
     
     def server_url(self, server):
         """Build the XML-RPC server URL from our configuration"""
-        url = "https://" + server + "/ipaxml"
+        url = "https://" + server + "/ipa/xml"
         if self.verbose:
             print "Connecting to IPA server: %s" % url
         return url

ipa-server/Makefile.am

@@ -14,6 +14,10 @@ SUBDIRS =			\
 	man			\
 	$(NULL)
 
+sbin_SCRIPTS =			\
+	ipa-upgradeconfig	\
+	$(NULL)
+
 install-exec-local:
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
@@ -35,6 +39,7 @@ EXTRA_DIST =			\
 	HACKING			\
 	NEWS			\
 	ChangeLog		\
+	$(sbin_SCRIPTS)		\
 	$(NULL)
 
 DISTCLEANFILES =		\

ipa-server/ipa-gui/ipa_webgui.cfg

@@ -29,11 +29,11 @@ server.thread_pool = 10
 
 # if this is part of a larger site, you can set the path
 # to the TurboGears instance here
-server.webpath="/ipa"
+server.webpath="/ipa/ui"
 
 # Set to True if you are deploying your App behind a proxy
 # e.g. Apache using mod_proxy
-# base_url_filter.on = False
+base_url_filter.on = True
 
 # Set to True if your proxy adds the x_forwarded_host header
 # base_url_filter.use_x_forwarded_host = True

ipa-server/ipa-gui/ipagui/static/css/style_freeipa.css

@@ -40,10 +40,10 @@
   text-decoration: underline;
 }
 .sortasc {
-  background-image: url(/static/images/up.gif) !important;
+  background-image: url(/ipa/ui/static/images/up.gif) !important;
 }
 .sortdesc {
-  background-image: url(/static/images/down.gif) !important;
+  background-image: url(/ipa/ui/static/images/down.gif) !important;
 }
 
 .warning_message {

ipa-server/ipa-gui/ipagui/static/css/style_platform-objects.css

@@ -1,19 +1,19 @@
 /* object h1 styles */
 
-#details h1.overview { background-image: url('/static/images/objects/object-overview.png'); }
+#details h1.overview { background-image: url('/ipa/ui/static/images/objects/object-overview.png'); }
 
-#details h1.accesscontrol { background-image: url('/static/images/objects/object-accesscontrol.png'); }
+#details h1.accesscontrol { background-image: url('/ipa/ui/static/images/objects/object-accesscontrol.png'); }
 
-#details h1.user { background-image: url('/static/images/objects/object-user.png'); }
-#details h1.usergroup { background-image: url('/static/images/objects/object-usergroup.png'); }
+#details h1.user { background-image: url('/ipa/ui/static/images/objects/object-user.png'); }
+#details h1.usergroup { background-image: url('/ipa/ui/static/images/objects/object-usergroup.png'); }
 
-#details h1.content-overview { background-image: url('/static/images/objects/object-content.png'); }
-#details h1.channel { background-image: url('/static/images/objects/object-channel.png'); }
-#details h1.channel-new { background-image: url('/static/images/objects/object-channel.png'); }
-#details h1.channels { background-image: url('/static/images/objects/object-channels.png'); }
-#details h1.media { background-image: url('/static/images/objects/object-media.png'); }
+#details h1.content-overview { background-image: url('/ipa/ui/static/images/objects/object-content.png'); }
+#details h1.channel { background-image: url('/ipa/ui/static/images/objects/object-channel.png'); }
+#details h1.channel-new { background-image: url('/ipa/ui/static/images/objects/object-channel.png'); }
+#details h1.channels { background-image: url('/ipa/ui/static/images/objects/object-channels.png'); }
+#details h1.media { background-image: url('/ipa/ui/static/images/objects/object-media.png'); }
 
-#details h1.system { background-image: url('/static/images/objects/object-system.png'); }
-#details h1.virtualsystem { background-image: url('/static/images/objects/object-virtualsystem.png'); }
+#details h1.system { background-image: url('/ipa/ui/static/images/objects/object-system.png'); }
+#details h1.virtualsystem { background-image: url('/ipa/ui/static/images/objects/object-virtualsystem.png'); }
 
-#details h1.policy { background-image: url('/static/images/objects/object-policy.png'); }
+#details h1.policy { background-image: url('/ipa/ui/static/images/objects/object-policy.png'); }

ipa-server/ipa-gui/ipagui/static/css/style_platform.css

@@ -12,7 +12,7 @@ html, body {
 }
 
 body {
-  background-image:		url('/static/images/template/background.png');
+  background-image:		url('/ipa/ui/static/images/template/background.png');
   background-repeat:		repeat-x;
   background-color:		#f9f9f9;
   margin:			0px;
@@ -45,7 +45,7 @@ td, th {
   float:			left;
   margin-top:			-10px;
 
-  background:			url('/static/images/branding/logo.png') no-repeat;
+  background:			url('/ipa/ui/static/images/branding/logo.png') no-repeat;
 }
 
 #content {
@@ -53,7 +53,7 @@ td, th {
   min-height:			100%;
 
   background-color:		#f9f9f9;
-  background-image:		url('/static/images/template/background-content.png');
+  background-image:		url('/ipa/ui/static/images/template/background-content.png');
   background-repeat:		repeat-x;
 }
 
@@ -95,7 +95,7 @@ div#search {
   margin: 			0px;
   clear:			both;
 
-  background-image:		url('/static/images/template/background-navbar.png');
+  background-image:		url('/ipa/ui/static/images/template/background-navbar.png');
   background-repeat:		repeat-x;
 
 }
@@ -121,7 +121,7 @@ div#search {
 }
 
 #navbar .active {
-  background-image:		url('/static/images/template/background-navbar-active.png');
+  background-image:		url('/ipa/ui/static/images/template/background-navbar-active.png');
   height:			70px;
   width:			116px;
 
@@ -156,7 +156,7 @@ div#search {
 
   border:			1px solid #aaa;
   background-color:		#ccc;
-  background-image:		url('/static/images/template/background-sidebar.png');
+  background-image:		url('/ipa/ui/static/images/template/background-sidebar.png');
   background-repeat:		repeat-y;
 }
 
@@ -477,7 +477,7 @@ div.instructions {
   padding-top: 2ex;
   width: 40%;
   float: right;
-  background-image:     url('/static/images/template/background-search.png');
+  background-image:     url('/ipa/ui/static/images/template/background-search.png');
   background-repeat:        repeat-y;
   background-color: white;
 } 

ipa-server/ipa-gui/ipagui/templates/master.kid

@@ -24,13 +24,13 @@
     <title py:replace="''">Your title goes here</title>
     <meta py:replace="item[:]"/>
     <style type="text/css" media="all">
-    @import "/static/css/style_platform.css";
-    @import "/static/css/style_platform-objects.css";
-    @import "/static/css/style_freeipa.css";
+    @import "${tg.url('/static/css/style_platform.css')}";
+    @import "${tg.url('/static/css/style_platform-objects.css')}";
+    @import "${tg.url('/static/css/style_freeipa.css')}";
     </style>
-    <script type="text/javascript" charset="utf-8" src="/static/javascript/prototype.js"></script>
-    <script type="text/javascript" charset="utf-8" src="/static/javascript/scriptaculous.js?load=effects"></script>
-    <script type="text/javascript" charset="utf-8" src="/static/javascript/ipautil.js"></script>
+    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/prototype.js')}"></script>
+    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/scriptaculous.js?load=effects')}"></script>
+    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/ipautil.js')}"></script>
 </head>
 
 <body py:match="item.tag=='{http://www.w3.org/1999/xhtml}body'" py:attrs="item.items()">

ipa-server/ipa-server.spec.in

@@ -1,6 +1,6 @@
 Name:           ipa-server
 Version:        VERSION
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        IPA authentication server
 
 Group:          System Environment/Base
@@ -93,6 +93,7 @@ fi
 /bin/chown apache /var/log/ipa_error.log
 /bin/chmod 600 /var/log/ipa_error.log
 restorecon /var/log/ipa_error.log
+/usr/sbin/ipa-upgradeconfig
 
 %preun
 if [ $1 = 0 ]; then
@@ -118,6 +119,7 @@ fi
 %{_sbindir}/ipactl
 %{_sbindir}/ipa_kpasswd
 %{_sbindir}/ipa_webgui
+%{_sbindir}/ipa-upgradeconfig
 %attr(755,root,root) %{_initrddir}/ipa_kpasswd
 %attr(755,root,root) %{_initrddir}/ipa_webgui
 
@@ -166,6 +168,9 @@ fi
 %{_mandir}/man1/ipa-server-install.1.gz
 
 %changelog
+* Tue May  5 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
+- Add ipa-upgradeconfig command and run it at post
+
 * Thu Apr  3 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
 - Version bump for release
 

ipa-server/ipa-upgradeconfig

@@ -0,0 +1,112 @@
+#!/usr/bin/python
+#
+# Upgrade configuration files to a newer template.
+
+import sys
+try:
+    from ipa import ipautil
+    import krbV
+    import re
+    import os
+    import shutil
+    import fileinput
+except ImportError:
+    print >> sys.stderr, """\
+There was a problem importing one of the required Python modules. The
+error was:
+
+    %s
+""" % sys.exc_value
+    sys.exit(1)
+
+def backup_file(filename, ext):
+    """Make a backup of filename using ext as the extension. Do not overwrite
+       previous backups."""
+    if not os.path.isabs(filename):
+        raise ValueError("Absolute path required")
+
+    backupfile = filename + ".bak"
+    (reldir, file) = os.path.split(filename)
+
+    while os.path.exists(backupfile):
+        backupfile = backupfile + "." + str(ext)
+
+    shutil.copy2(filename, backupfile)
+
+def update_conf(sub_dict, filename, template_filename):
+    template = ipautil.template_file(template_filename, sub_dict)
+    fd = open(filename, "w")
+    fd.write(template)
+    fd.close()
+
+def find_hostname():
+    """Find the hostname currently configured in ipa-rewrite.conf"""
+    filename="/etc/httpd/conf.d/ipa-rewrite.conf"
+    if os.path.exists(filename):
+        pattern = "^[\s#]*.*https:\/\/([A-Za-z0-9\.\-]*)\/.*"
+        p = re.compile(pattern)
+        for line in fileinput.input(filename):
+            if p.search(line):
+                fileinput.close()
+                return p.search(line).group(1)
+        fileinput.close()
+
+    return None
+
+def find_version(filename):
+    """Find the version of a configuration file"""
+    if os.path.exists(filename):
+        pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*"
+        p = re.compile(pattern)
+        for line in fileinput.input(filename):
+            if p.search(line):
+                fileinput.close()
+                return p.search(line).group(1)
+        fileinput.close()
+
+        # no VERSION found
+        return 0
+    else:
+        return -1
+
+def upgrade(sub_dict, filename, template):
+    old = int(find_version(filename))
+    new = int(find_version(template))
+
+    if old < 0:
+        print "%s not found." % filename
+        sys.exit(1)
+
+    if new < 0:
+        print "%s not found." % template
+
+    if old < new:
+        backup_file(filename, new)
+        update_conf(sub_dict, filename, template)
+        print "Upgraded %s to version %d" % (filename, new)
+
+def main():
+    try:
+        krbctx = krbV.default_context()
+    except krbV.Krb5Error, e:
+        print "Unable to get default kerberos realm: %s" % e[1]
+        sys.exit(1)
+
+    fqdn = find_hostname()
+
+    if fqdn is None:
+        print "Unable to determine hostname from ipa-rewrite.conf"
+        sys.exit(1)
+
+    sub_dict = { "REALM" : krbctx.default_realm, "FQDN": fqdn }
+
+    upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
+    upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
+
+try:
+    if __name__ == "__main__":
+        sys.exit(main())
+except SystemExit, e:
+    sys.exit(e)
+except KeyboardInterrupt, e:
+    sys.exit(1)

ipa-server/xmlrpc-server/ipa-rewrite.conf

@@ -1,9 +1,11 @@
+# VERSION 1 - DO NOT REMOVE THIS LINE
+
 RewriteEngine on
 
 # By default forward all requests to /ipa. If you don't want IPA
 # to be the default on your web server comment this line out. You will
 # need to modify ipa_webgui.cfg as well.
-RewriteRule ^/$$ https://$FQDN/ipa [L,NC,R=301]
+RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 
 # Redirect to the fully-qualified hostname. Not redirecting to secure
 # port so configuration files can be retrieved without requiring SSL.

ipa-server/xmlrpc-server/ipa.conf

@@ -1,3 +1,6 @@
+#
+# VERSION 1 - DO NOT REMOVE THIS LINE
+#
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
@@ -17,7 +20,7 @@ AddType application/java-archive        jar
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
   Require valid-user
-  ErrorDocument 401 /errors/unauthorized.html
+  ErrorDocument 401 /ipa/errors/unauthorized.html
   RewriteEngine on
   Order deny,allow
   Allow from all
@@ -28,20 +31,17 @@ AddType application/java-archive        jar
 </Proxy>
 
 # The URI's with a trailing ! are those that aren't handled by the proxy
-ProxyPass /ipa http://localhost:8080/ipa
-ProxyPassReverse /ipa http://localhost:8080/ipa
+ProxyPass /ipa/ui http://localhost:8080/ipa/ui
+ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui
 
 # Configure the XML-RPC service
-Alias /ipaxml "/usr/share/ipa/ipaserver/XMLRPC"
+Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"
 
 # This is where we redirect on failed auth
-Alias /errors "/usr/share/ipa/html"
+Alias /ipa/errors "/usr/share/ipa/html"
 
 # For the MIT Windows config files
-Alias /config "/usr/share/ipa/html"
-
-# So we don't have to hardcode a path into the CSS
-Alias /static "/usr/share/ipa/ipagui/static"
+Alias /ipa/config "/usr/share/ipa/html"
 
 <Directory "/usr/share/ipa/ipaserver">
   AuthType Kerberos
@@ -53,7 +53,7 @@ Alias /static "/usr/share/ipa/ipagui/static"
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
   Require valid-user
-  ErrorDocument 401 /errors/unauthorized.html
+  ErrorDocument 401 /ipa/errors/unauthorized.html
 
   SetHandler mod_python
   PythonHandler ipaxmlrpc
@@ -84,7 +84,7 @@ Alias /static "/usr/share/ipa/ipagui/static"
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
   Require valid-user
-  ErrorDocument 401 /errors/unauthorized.html
+  ErrorDocument 401 /ipa/errors/unauthorized.html
 </Directory>
 
 #Alias /ipatest "/usr/share/ipa/ipatest"
@@ -99,7 +99,7 @@ Alias /static "/usr/share/ipa/ipagui/static"
 #  Krb5KeyTab /etc/httpd/conf/ipa.keytab
 #  KrbSaveCredentials on
 #  Require valid-user
-#  ErrorDocument 401 /errors/unauthorized.html
+#  ErrorDocument 401 /ipa/errors/unauthorized.html
 #
 #  SetHandler mod_python
 #  PythonHandler test_mod_python

ipa-server/xmlrpc-server/unauthorized.html

@@ -5,12 +5,12 @@
 <p>
 Unable to verify your Kerberos credentials. Please make sure
 that you have valid Kerberos tickets (obtainable via kinit), and that you
-have <a href="/errors/ssbrowser.html">configured your
+have <a href="/ipa/errors/ssbrowser.html">configured your
 browser correctly</a>. If you are still unable to access
 the IPA Web interface, please contact the helpdesk on for additional assistance.
 </p>
 <p>
-Import the <a href="/errors/ca.crt">IPA Certificate Authority</a>.
+Import the <a href="/ipa/errors/ca.crt">IPA Certificate Authority</a>.
 </p>
 <p>
 <script type="text/javascript">
@@ -19,7 +19,7 @@ Import the <a href="/errors/ca.crt">IPA Certificate Authority</a>.
   {
     document.write("<p>You can automatically configure your browser to work with Kerberos by importing the Certificate Authority above and clicking on the Configure Browser button.</p>");
     document.write("<p>You <strong>must</strong> reload this page after importing the Certificate Authority for the automatic settings to work</p>");
-    document.write("<object data=\"jar:/errors/configure.jar!/preferences.html\" type=\"text/html\"><\/object");
+    document.write("<object data=\"jar:/ipa/errors/configure.jar!/preferences.html\" type=\"text/html\"><\/object");
   }
 </script>
 </p>