IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 00:41:25 -06:00
Code Issues Packages Projects Releases Wiki Activity
1c31b5bc08
freeipa/ipaserver/install/installutils.py
Rob Crittenden dfe9db5548 Add signing profile to CA installation so we can sign the firefox jar file. 
Use the requestId we get back from the CA when requesting the RA agent cert
and use that to issue the certificate rather than hardcoding 7.

This also adds some clean-up of file permissions and leaking fds
2009-05-04 16:54:42 -04:00

274 lines
8.4 KiB
Python
Raw Blame History

# Authors: Simo Sorce <ssorce@redhat.com>
#
# Copyright (C) 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
import logging
import socket
import errno
import getpass
import os
import re
import fileinput
import sys
import time
import struct
import fcntl
from ipapython import ipautil
from ipapython import dnsclient
def get_fqdn():
fqdn = ""
try:
fqdn = socket.getfqdn()
except:
try:
fqdn = socket.gethostname()
except:
fqdn = ""
return fqdn
def verify_fqdn(host_name,no_host_dns=False):
if len(host_name.split(".")) < 2 or host_name == "localhost.localdomain":
raise RuntimeError("Invalid hostname: " + host_name)
try:
hostaddr = socket.getaddrinfo(host_name, None)
except:
raise RuntimeError("Unable to resolve host name, check /etc/hosts or DNS name resolution")
if len(hostaddr) == 0:
raise RuntimeError("Unable to resolve host name, check /etc/hosts or DNS name resolution")
for a in hostaddr:
if a[4][0] == '127.0.0.1' or a[4][0] == '::1':
raise RuntimeError("The IPA Server hostname cannot resolve to localhost (%s). A routable IP address must be used. Check /etc/hosts to see if %s is an alias for %s" % (a[4][0], host_name, a[4][0]))
try:
revname = socket.gethostbyaddr(a[4][0])[0]
except:
raise RuntimeError("Unable to resolve the reverse ip address, check /etc/hosts or DNS name resolution")
if revname != host_name:
raise RuntimeError("The host name %s does not match the reverse lookup %s" % (host_name, revname))
if no_host_dns:
print "Warning: skipping DNS resolution of host", host_name
return
# Verify this is NOT a CNAME
rs = dnsclient.query(host_name+".", dnsclient.DNS_C_IN, dnsclient.DNS_T_CNAME)
if len(rs) != 0:
for rsn in rs:
if rsn.dns_type == dnsclient.DNS_T_CNAME:
raise RuntimeError("The IPA Server Hostname cannot be a CNAME, only A names are allowed.")
# Verify that it is a DNS A record
rs = dnsclient.query(host_name+".", dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
if len(rs) == 0:
print "Warning: Hostname (%s) not found in DNS" % host_name
return
rec = None
for rsn in rs:
if rsn.dns_type == dnsclient.DNS_T_A:
rec = rsn
break
if rec == None:
print "Warning: Hostname (%s) not found in DNS" % host_name
return
# Compare the forward and reverse
forward = rec.dns_name
addr = socket.inet_ntoa(struct.pack('<L',rec.rdata.address))
ipaddr = socket.inet_ntoa(struct.pack('!L',rec.rdata.address))
addr = addr + ".in-addr.arpa."
rs = dnsclient.query(addr, dnsclient.DNS_C_IN, dnsclient.DNS_T_PTR)
if len(rs) == 0:
raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, addr))
rev = None
for rsn in rs:
if rsn.dns_type == dnsclient.DNS_T_PTR:
rev = rsn
break
if rev == None:
raise RuntimeError("Cannot find Reverse Address for %s (%s)" % (host_name, addr))
reverse = rev.rdata.ptrdname
if forward != reverse:
raise RuntimeError("The DNS forward record %s does not match the reverse address %s" % (forward, reverse))
def port_available(port):
"""Try to bind to a port on the wildcard host
Return 1 if the port is available
Return 0 if the port is in use
"""
rv = 1
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
fcntl.fcntl(s, fcntl.F_SETFD, fcntl.FD_CLOEXEC)
s.bind(('', port))
s.close()
except socket.error, e:
if e[0] == errno.EADDRINUSE:
rv = 0
if rv:
try:
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
fcntl.fcntl(s, fcntl.F_SETFD, fcntl.FD_CLOEXEC)
s.bind(('', port))
s.close()
except socket.error, e:
if e[0] == errno.EADDRINUSE:
rv = 0
return rv
def standard_logging_setup(log_filename, debug=False):
old_umask = os.umask(077)
# Always log everything (i.e., DEBUG) to the log
# file.
logging.basicConfig(level=logging.DEBUG,
format='%(asctime)s %(levelname)s %(message)s',
filename=log_filename,
filemode='w')
os.umask(old_umask)
console = logging.StreamHandler()
# If the debug option is set, also log debug messages to the console
if debug:
console.setLevel(logging.DEBUG)
else:
# Otherwise, log critical and error messages
console.setLevel(logging.ERROR)
formatter = logging.Formatter('%(name)-12s: %(levelname)-8s %(message)s')
console.setFormatter(formatter)
logging.getLogger('').addHandler(console)
def get_password(prompt):
if os.isatty(sys.stdin.fileno()):
return getpass.getpass(prompt)
else:
return sys.stdin.readline().rstrip()
def read_password(user, confirm=True, validate=True):
correct = False
pwd = ""
while not correct:
pwd = get_password(user + " password: ")
if not pwd:
continue
if validate and len(pwd) < 8:
print "Password must be at least 8 characters long"
continue
if not confirm:
correct = True
continue
pwd_confirm = get_password("Password (confirm): ")
if pwd != pwd_confirm:
print "Password mismatch!"
print ""
else:
correct = True
print ""
return pwd
def update_file(filename, orig, subst):
if os.path.exists(filename):
pattern = "%s" % re.escape(orig)
p = re.compile(pattern)
for line in fileinput.input(filename, inplace=1):
if not p.search(line):
sys.stdout.write(line)
else:
sys.stdout.write(p.sub(subst, line))
fileinput.close()
return 0
else:
print "File %s doesn't exist." % filename
return 1
def set_directive(filename, directive, value, quotes=True, separator=' '):
"""Set a name/value pair directive in a configuration file.
This has only been tested with nss.conf
"""
valueset = False
fd = open(filename)
file = []
for line in fd:
if directive in line:
valueset = True
if quotes:
file.append('%s%s"%s"\n' % (directive, separator, value))
else:
file.append('%s%s%s\n' % (directive, separator, value))
else:
file.append(line)
fd.close()
if not valueset:
if quotes:
file.append('%s%s"%s"\n' % (directive, separator, value))
else:
file.append('%s%s%s\n' % (directive, separator, value))
fd = open(filename, "w")
fd.write("".join(file))
fd.close()
def get_directive(filename, directive, strip_quotes=True, separator=' '):
"""
A rather inefficient way to get a configuration directive.
"""
fd = open(filename, "r")
for line in fd:
if directive in line:
line = line.strip()
result = line.split(separator, 1)[1]
result = result.strip('"')
fd.close()
return result
fd.close()
return None
def kadmin(command):
ipautil.run(["/usr/kerberos/sbin/kadmin.local", "-q", command])
def kadmin_addprinc(principal):
kadmin("addprinc -randkey " + principal)
def kadmin_modprinc(principal, options):
kadmin("modprinc " + options + " " + principal)
def create_keytab(path, principal):
try:
if ipautil.file_exists(path):
os.remove(path)
except os.error:
logging.critical("Failed to remove %s." % path)
kadmin("ktadd -k " + path + " " + principal)
Reference in New Issue View Git Blame Copy Permalink