mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
dcb6181525
The LDAP schema cache makes the lite-server behave more like mod_wsgi. See https://fedorahosted.org/freeipa/ticket/6679 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
283 lines
8.8 KiB
Python
Executable File
283 lines
8.8 KiB
Python
Executable File
#!/usr/bin/env python
|
|
#
|
|
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
|
|
#
|
|
"""In-tree development server
|
|
|
|
The dev server requires a Kerberos TGT and a file based credential cache:
|
|
|
|
$ mkdir -p ~/.ipa
|
|
$ export KRB5CCNAME=~/.ipa/ccache
|
|
$ kinit admin
|
|
$ make lite-server
|
|
|
|
Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
|
|
instead of /etc/krb5.conf.
|
|
|
|
To run the lite-server with another Python interpreter:
|
|
|
|
$ make lite-server PYTHON=/path/to/bin/python
|
|
|
|
To enable profiling:
|
|
|
|
$ make lite-server LITESERVER_ARGS='--enable-profiler=-'
|
|
|
|
By default the dev server supports HTTP only. To switch to HTTPS, you can put
|
|
a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
|
|
its unencrypted private key and intermediate chain certs (if applicable).
|
|
|
|
Prerequisite
|
|
------------
|
|
|
|
Additionally to build and runtime requirements of FreeIPA, the dev server
|
|
depends on the werkzeug framework and optionally watchdog for auto-reloading.
|
|
You may also have to enable a development COPR.
|
|
|
|
$ sudo dnf install -y dnf-plugins-core
|
|
$ sudo dnf builddep --spec freeipa.spec.in
|
|
$ sudo dnf install -y python-werkzeug python2-watchdog \
|
|
python3-werkzeug python3-watchdog
|
|
$ ./autogen.sh
|
|
|
|
For more information see
|
|
|
|
* http://www.freeipa.org/page/Build
|
|
* http://www.freeipa.org/page/Testing
|
|
|
|
"""
|
|
from __future__ import print_function
|
|
|
|
import os
|
|
import optparse # pylint: disable=deprecated-module
|
|
import ssl
|
|
import sys
|
|
import time
|
|
import warnings
|
|
|
|
import ipalib
|
|
from ipalib import api
|
|
from ipalib.errors import NetworkError
|
|
from ipalib.krb_utils import krb5_parse_ccache
|
|
from ipalib.krb_utils import krb5_unparse_ccache
|
|
|
|
# pylint: disable=import-error
|
|
from werkzeug.contrib.profiler import ProfilerMiddleware
|
|
from werkzeug.exceptions import NotFound
|
|
from werkzeug.serving import run_simple
|
|
from werkzeug.utils import redirect, append_slash_redirect
|
|
from werkzeug.wsgi import DispatcherMiddleware, SharedDataMiddleware
|
|
# pylint: enable=import-error
|
|
|
|
|
|
BASEDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
|
|
IMPORTDIR = os.path.dirname(os.path.dirname(os.path.abspath(ipalib.__file__)))
|
|
|
|
if BASEDIR != IMPORTDIR:
|
|
warnings.warn(
|
|
"ipalib was imported from '{}' instead of '{}'!".format(
|
|
IMPORTDIR, BASEDIR),
|
|
RuntimeWarning
|
|
)
|
|
|
|
STATIC_FILES = {
|
|
'/ipa/ui': os.path.join(BASEDIR, 'install/ui'),
|
|
'/ipa/ui/js': os.path.join(BASEDIR, 'install/ui/src'),
|
|
'/ipa/ui/js/dojo': os.path.join(BASEDIR, 'install/ui/build/dojo'),
|
|
'/ipa/ui/fonts': '/usr/share/fonts',
|
|
}
|
|
|
|
|
|
def get_ccname():
|
|
"""Retrieve and validate Kerberos credential cache
|
|
|
|
Only FILE schema is supported.
|
|
"""
|
|
ccname = os.environ.get('KRB5CCNAME')
|
|
if ccname is None:
|
|
raise ValueError("KRB5CCNAME env var is not set.")
|
|
scheme, location = krb5_parse_ccache(ccname)
|
|
if scheme != 'FILE': # MEMORY makes no sense
|
|
raise ValueError("Unsupported KRB5CCNAME scheme {}".format(scheme))
|
|
if not os.path.isfile(location):
|
|
raise ValueError("KRB5CCNAME file '{}' does not exit".format(location))
|
|
return krb5_unparse_ccache(scheme, location)
|
|
|
|
|
|
class KRBCheater(object):
|
|
"""Add KRB5CCNAME to WSGI environ
|
|
"""
|
|
def __init__(self, app, ccname):
|
|
self.app = app
|
|
self.ccname = ccname
|
|
|
|
def __call__(self, environ, start_response):
|
|
environ['KRB5CCNAME'] = self.ccname
|
|
return self.app(environ, start_response)
|
|
|
|
|
|
class StaticFilesMiddleware(SharedDataMiddleware):
|
|
def get_directory_loader(self, directory):
|
|
# override directory loader to support index.html
|
|
def loader(path):
|
|
if path is not None:
|
|
path = os.path.join(directory, path)
|
|
else:
|
|
path = directory
|
|
# use index.html for directory views
|
|
if os.path.isdir(path):
|
|
path = os.path.join(path, 'index.html')
|
|
if os.path.isfile(path):
|
|
return os.path.basename(path), self._opener(path)
|
|
return None, None
|
|
return loader
|
|
|
|
|
|
def init_api(ccname):
|
|
"""Initialize FreeIPA API from command line
|
|
"""
|
|
parser = optparse.OptionParser()
|
|
|
|
parser.add_option(
|
|
'--dev',
|
|
help='Run WebUI in development mode',
|
|
default=True,
|
|
action='store_false',
|
|
dest='prod',
|
|
)
|
|
parser.add_option(
|
|
'--host',
|
|
help='Listen on address HOST (default 127.0.0.1)',
|
|
default='127.0.0.1',
|
|
)
|
|
parser.add_option(
|
|
'--port',
|
|
help='Listen on PORT (default 8888)',
|
|
default=8888,
|
|
type='int',
|
|
)
|
|
parser.add_option(
|
|
'--enable-profiler',
|
|
help="Path to WSGI profiler directory or '-' for stderr",
|
|
default=None,
|
|
type='str',
|
|
)
|
|
|
|
api.env.in_server = True
|
|
api.env.startup_traceback = True
|
|
# workaround for RefererError in rpcserver
|
|
api.env.in_tree = True
|
|
# workaround: AttributeError: locked: cannot set ldap2.time_limit to None
|
|
api.env.mode = 'production'
|
|
|
|
start_time = time.time()
|
|
# pylint: disable=unused-variable
|
|
options, args = api.bootstrap_with_global_options(parser, context='lite')
|
|
api.env._merge(
|
|
lite_port=options.port,
|
|
lite_host=options.host,
|
|
webui_prod=options.prod,
|
|
lite_profiler=options.enable_profiler,
|
|
lite_pem=api.env._join('dot_ipa', 'lite.pem'),
|
|
)
|
|
api.finalize()
|
|
api_time = time.time()
|
|
api.log.info("API initialized in {:03f} sec".format(api_time - start_time))
|
|
|
|
# Validate LDAP connection and pre-fetch schema
|
|
# Pre-fetching makes the lite-server behave similar to mod_wsgi. werkzeug's
|
|
# multi-process WSGI server forks a new process for each request while
|
|
# mod_wsgi handles multiple request in a daemon process. Without schema
|
|
# cache, every lite server request would download the LDAP schema and
|
|
# distort performance profiles.
|
|
ldap2 = api.Backend.ldap2
|
|
try:
|
|
if not ldap2.isconnected():
|
|
ldap2.connect(ccache=ccname)
|
|
except NetworkError as e:
|
|
api.log.error("Unable to connect to LDAP: %s", e)
|
|
api.log.error("lite-server needs a working LDAP connect. Did you "
|
|
"configure ldap_uri in '%s'?", api.env.conf_default)
|
|
sys.exit(2)
|
|
else:
|
|
# prefetch schema
|
|
assert ldap2.schema
|
|
# Disconnect main process, each WSGI request handler subprocess will
|
|
# must have its own connection.
|
|
ldap2.disconnect()
|
|
ldap_time = time.time()
|
|
api.log.info("LDAP schema retrieved {:03f} sec".format(
|
|
ldap_time - api_time))
|
|
|
|
|
|
def redirect_ui(app):
|
|
"""Redirects for UI
|
|
"""
|
|
def wsgi(environ, start_response):
|
|
path_info = environ['PATH_INFO']
|
|
if path_info in {'/', '/ipa', '/ipa/'}:
|
|
response = redirect('/ipa/ui/')
|
|
return response(environ, start_response)
|
|
# Redirect to append slash to some routes
|
|
if path_info in {'/ipa/ui', '/ipa/ui/test'}:
|
|
response = append_slash_redirect(environ)
|
|
return response(environ, start_response)
|
|
if path_info == '/favicon.ico':
|
|
response = redirect('/ipa/ui/favicon.ico')
|
|
return response(environ, start_response)
|
|
return app(environ, start_response)
|
|
return wsgi
|
|
|
|
|
|
def main():
|
|
try:
|
|
ccname = get_ccname()
|
|
except ValueError as e:
|
|
print("ERROR:", e, file=sys.stderr)
|
|
print("\nliteserver requires a KRB5CCNAME env var and "
|
|
"a valid Kerberos TGT:\n", file=sys.stderr)
|
|
print(" export KRB5CCNAME=~/.ipa/ccache", file=sys.stderr)
|
|
print(" kinit\n", file=sys.stderr)
|
|
sys.exit(1)
|
|
|
|
init_api(ccname)
|
|
|
|
if os.path.isfile(api.env.lite_pem):
|
|
ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
|
|
ctx.load_cert_chain(api.env.lite_pem)
|
|
else:
|
|
ctx = None
|
|
|
|
app = NotFound()
|
|
app = DispatcherMiddleware(app, {
|
|
'/ipa': KRBCheater(api.Backend.wsgi_dispatch, ccname),
|
|
})
|
|
|
|
# only profile api calls
|
|
if api.env.lite_profiler == '-':
|
|
print('Profiler enable, stats are written to stderr.')
|
|
app = ProfilerMiddleware(app, stream=sys.stderr, restrictions=(30,))
|
|
elif api.env.lite_profiler:
|
|
profile_dir = os.path.abspath(api.env.lite_profiler)
|
|
print("Profiler enable, profiles are stored in '{}'.".format(
|
|
profile_dir
|
|
))
|
|
app = ProfilerMiddleware(app, profile_dir=profile_dir)
|
|
|
|
app = StaticFilesMiddleware(app, STATIC_FILES)
|
|
app = redirect_ui(app)
|
|
|
|
run_simple(
|
|
hostname=api.env.lite_host,
|
|
port=api.env.lite_port,
|
|
application=app,
|
|
processes=5,
|
|
ssl_context=ctx,
|
|
use_reloader=True,
|
|
# debugger doesn't work because framework catches all exceptions
|
|
# use_debugger=not api.env.webui_prod,
|
|
# use_evalex=not api.env.webui_prod,
|
|
)
|
|
|
|
if __name__ == '__main__':
|
|
main()
|