smartcard: make the ipa-advise script compatible with authselect/authconfig

"ipa-advise config-client-for-smart-card-auth" is run on a server and creates a script that needs to be copied and executed on a client. The client may be of a different version and use authconfig instead of authselect. The generated script must be able to handle both cases (client using authselect or client using authconfig). The patch checks whether authselect is available and calls the proper configuration command (authselect or authconfig) depending on its availability on the client. Fixes: https://pagure.io/freeipa/issue/8113 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-11-06 11:08:10 +01:00
parent 6bac58ca5c
commit d9d9abbab2
1 changed files with 20 additions and 6 deletions
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -319,8 +319,20 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
        )

    def run_authselect_to_configure_smart_card_auth(self):
+        # In order to be compatible with all clients, we check first
+        # if the client supports authselect.
+        # Otherwise authconfig will be used.
+        self.log.comment('Use either authselect or authconfig to enable '
+                         'Smart Card authentication')
+        self.log.commands_on_predicate(
+            '[ -f {} ]'.format(paths.AUTHSELECT),
+            ['AUTHCMD="authselect enable-feature with-smartcard"'],
+            ['AUTHCMD="authconfig --enablesssd --enablesssdauth '
+             '--enablesmartcard --smartcardmodule=sssd --smartcardaction=1 '
+             '--updateall"']
+        )
        self.log.exit_on_failed_command(
-            'authselect enable-feature with-smartcard',
+            '$AUTHCMD',
            [
                'Failed to configure Smart Card authentication in SSSD'
            ]
@@ -328,11 +340,13 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):

    def configure_pam_cert_auth(self):
        self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
-        self.log.command(
-            "{} -c 'from SSSDConfig import SSSDConfig; "
-            "c = SSSDConfig(); c.import_config(); "
-            "c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
-            "c.write()'".format(sys.executable))
+        self.log.comment('This step is required only when authselect is used')
+        self.log.commands_on_predicate(
+            '[ -f {} ]'.format(paths.AUTHSELECT),
+            ["{} -c 'from SSSDConfig import SSSDConfig; "
+             "c = SSSDConfig(); c.import_config(); "
+             "c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
+             "c.write()'".format(sys.executable)])

    def restart_sssd(self):
        self.log.command('systemctl restart sssd.service')