mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 18:01:23 -06:00
c3edfa2d8c
Services hasn't been restored correctly, which causes disabling already disabled services, or some service did not start. This patch fix these issues. Ticket: https://fedorahosted.org/freeipa/ticket/4869 Reviewed-By: David Kupka <dkupka@redhat.com>
438 lines
18 KiB
Python
438 lines
18 KiB
Python
# Authors: Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
import os
|
|
import os.path
|
|
import tempfile
|
|
import pwd
|
|
import shutil
|
|
import re
|
|
import dbus
|
|
import shlex
|
|
import pipes
|
|
|
|
import service
|
|
import certs
|
|
import installutils
|
|
from ipapython import sysrestore
|
|
from ipapython import ipautil
|
|
from ipapython import dogtag
|
|
from ipapython.ipa_log_manager import root_logger
|
|
import ipapython.errors
|
|
from ipaserver.install import sysupgrade
|
|
from ipalib import api
|
|
from ipaplatform.tasks import tasks
|
|
from ipaplatform.paths import paths
|
|
from ipaplatform import services
|
|
|
|
|
|
SELINUX_BOOLEAN_SETTINGS = dict(
|
|
httpd_can_network_connect='on',
|
|
httpd_manage_ipa='on',
|
|
)
|
|
|
|
|
|
def httpd_443_configured():
|
|
"""
|
|
We now allow mod_ssl to be installed so don't automatically disable it.
|
|
However it can't share the same listen port as mod_nss, so check for that.
|
|
|
|
Returns True if something other than mod_nss is listening on 443.
|
|
False otherwise.
|
|
"""
|
|
try:
|
|
(stdout, stderr, rc) = ipautil.run([paths.HTTPD, '-t', '-D', 'DUMP_VHOSTS'])
|
|
except ipautil.CalledProcessError, e:
|
|
service.print_msg("WARNING: cannot check if port 443 is already configured")
|
|
service.print_msg("httpd returned error when checking: %s" % e)
|
|
return False
|
|
|
|
port_line_re = re.compile(r'(?P<address>\S+):(?P<port>\d+)')
|
|
for line in stdout.splitlines():
|
|
m = port_line_re.match(line)
|
|
if m and int(m.group('port')) == 443:
|
|
service.print_msg("Apache is already configured with a listener on port 443:")
|
|
service.print_msg(line)
|
|
return True
|
|
|
|
return False
|
|
|
|
class WebGuiInstance(service.SimpleServiceInstance):
|
|
def __init__(self):
|
|
service.SimpleServiceInstance.__init__(self, "ipa_webgui")
|
|
|
|
class HTTPInstance(service.Service):
|
|
def __init__(self, fstore=None, cert_nickname='Server-Cert'):
|
|
service.Service.__init__(self, "httpd", service_desc="the web interface")
|
|
if fstore:
|
|
self.fstore = fstore
|
|
else:
|
|
self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
|
self.cert_nickname = cert_nickname
|
|
self.ca_is_configured = True
|
|
|
|
subject_base = ipautil.dn_attribute_property('_subject_base')
|
|
|
|
def create_instance(self, realm, fqdn, domain_name, dm_password=None,
|
|
autoconfig=True, pkcs12_info=None,
|
|
subject_base=None, auto_redirect=True, ca_file=None,
|
|
ca_is_configured=None):
|
|
self.fqdn = fqdn
|
|
self.realm = realm
|
|
self.domain = domain_name
|
|
self.dm_password = dm_password
|
|
self.suffix = ipautil.realm_to_suffix(self.realm)
|
|
self.pkcs12_info = pkcs12_info
|
|
self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
|
|
self.dercert = None
|
|
self.subject_base = subject_base
|
|
self.sub_dict = dict(
|
|
REALM=realm,
|
|
FQDN=fqdn,
|
|
DOMAIN=self.domain,
|
|
AUTOREDIR='' if auto_redirect else '#',
|
|
CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
|
|
)
|
|
self.ca_file = ca_file
|
|
if ca_is_configured is not None:
|
|
self.ca_is_configured = ca_is_configured
|
|
|
|
# get a connection to the DS
|
|
self.ldap_connect()
|
|
|
|
|
|
self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
|
|
self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
|
|
self.set_mod_nss_protocol)
|
|
self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
|
|
self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
|
|
self.step("adding URL rewriting rules", self.__add_include)
|
|
self.step("configuring httpd", self.__configure_http)
|
|
if self.ca_is_configured:
|
|
self.step("configure certmonger for renewals",
|
|
self.configure_certmonger_renewal_guard)
|
|
self.step("setting up ssl", self.__setup_ssl)
|
|
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
|
|
if autoconfig:
|
|
self.step("setting up browser autoconfig", self.__setup_autoconfig)
|
|
self.step("publish CA cert", self.__publish_ca_cert)
|
|
self.step("creating a keytab for httpd", self.__create_http_keytab)
|
|
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
|
|
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
|
|
self.step("restarting httpd", self.__start)
|
|
self.step("configuring httpd to start on boot", self.__enable)
|
|
|
|
self.start_creation(runtime=60)
|
|
|
|
def __start(self):
|
|
self.backup_state("running", self.is_running())
|
|
self.restart()
|
|
|
|
def __enable(self):
|
|
self.backup_state("enabled", self.is_enabled())
|
|
# We do not let the system start IPA components on its own,
|
|
# Instead we reply on the IPA init script to start only enabled
|
|
# components as found in our LDAP configuration tree
|
|
self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
|
|
|
|
def configure_selinux_for_httpd(self):
|
|
try:
|
|
tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS,
|
|
self.backup_state)
|
|
except ipapython.errors.SetseboolError as e:
|
|
self.print_msg(e.format_service_warning('web interface'))
|
|
|
|
def __create_http_keytab(self):
|
|
installutils.kadmin_addprinc(self.principal)
|
|
installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
|
|
self.move_service(self.principal)
|
|
self.add_cert_to_service()
|
|
|
|
pent = pwd.getpwnam("apache")
|
|
os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)
|
|
|
|
def remove_httpd_ccache(self):
|
|
# Clean up existing ccache
|
|
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
|
|
# current env
|
|
ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})
|
|
|
|
def __configure_http(self):
|
|
target_fname = paths.HTTPD_IPA_CONF
|
|
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
|
|
self.fstore.backup_file(paths.HTTPD_IPA_CONF)
|
|
http_fd = open(target_fname, "w")
|
|
http_fd.write(http_txt)
|
|
http_fd.close()
|
|
os.chmod(target_fname, 0644)
|
|
|
|
target_fname = paths.HTTPD_IPA_REWRITE_CONF
|
|
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa-rewrite.conf", self.sub_dict)
|
|
self.fstore.backup_file(paths.HTTPD_IPA_REWRITE_CONF)
|
|
http_fd = open(target_fname, "w")
|
|
http_fd.write(http_txt)
|
|
http_fd.close()
|
|
os.chmod(target_fname, 0644)
|
|
|
|
def change_mod_nss_port_from_http(self):
|
|
# mod_ssl enforces SSLEngine on for vhost on 443 even though
|
|
# the listener is mod_nss. This then crashes the httpd as mod_nss
|
|
# listened port obviously does not match mod_ssl requirements.
|
|
#
|
|
# The workaround for this was to change port to http. It is no longer
|
|
# necessary, as mod_nss now ships with default configuration which
|
|
# sets SSLEngine off when mod_ssl is installed.
|
|
#
|
|
# Remove the workaround.
|
|
if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
|
|
installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443', quotes=False)
|
|
sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
|
|
|
|
def __set_mod_nss_port(self):
|
|
self.fstore.backup_file(paths.HTTPD_NSS_CONF)
|
|
if installutils.update_file(paths.HTTPD_NSS_CONF, '8443', '443') != 0:
|
|
print "Updating port in %s failed." % paths.HTTPD_NSS_CONF
|
|
|
|
def __set_mod_nss_nickname(self, nickname):
|
|
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)
|
|
|
|
def set_mod_nss_protocol(self):
|
|
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False)
|
|
|
|
def enable_mod_nss_renegotiate(self):
|
|
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
|
|
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
|
|
|
|
def __set_mod_nss_passwordfile(self):
|
|
installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
|
|
|
|
def __add_include(self):
|
|
"""This should run after __set_mod_nss_port so is already backed up"""
|
|
if installutils.update_file(paths.HTTPD_NSS_CONF, '</VirtualHost>', 'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
|
|
print "Adding Include conf.d/ipa-rewrite to %s failed." % paths.HTTPD_NSS_CONF
|
|
|
|
def configure_certmonger_renewal_guard(self):
|
|
certmonger = services.knownservices.certmonger
|
|
certmonger_stopped = not certmonger.is_running()
|
|
|
|
if certmonger_stopped:
|
|
certmonger.start()
|
|
try:
|
|
bus = dbus.SystemBus()
|
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
|
'/org/fedorahosted/certmonger')
|
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
|
path = iface.find_ca_by_nickname('IPA')
|
|
if path:
|
|
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
|
|
ca_iface = dbus.Interface(ca_obj,
|
|
'org.freedesktop.DBus.Properties')
|
|
helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
|
|
'external-helper')
|
|
if helper:
|
|
args = shlex.split(helper)
|
|
if args[0] != paths.IPA_SERVER_GUARD:
|
|
self.backup_state('certmonger_ipa_helper', helper)
|
|
args = [paths.IPA_SERVER_GUARD] + args
|
|
helper = ' '.join(pipes.quote(a) for a in args)
|
|
ca_iface.Set('org.fedorahosted.certmonger.ca',
|
|
'external-helper', helper)
|
|
finally:
|
|
if certmonger_stopped:
|
|
certmonger.stop()
|
|
|
|
def __setup_ssl(self):
|
|
fqdn = self.fqdn
|
|
|
|
ca_db = certs.CertDB(self.realm, host_name=fqdn, subject_base=self.subject_base)
|
|
|
|
db = certs.CertDB(self.realm, subject_base=self.subject_base)
|
|
if self.pkcs12_info:
|
|
if self.ca_is_configured:
|
|
trust_flags = 'CT,C,C'
|
|
else:
|
|
trust_flags = None
|
|
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
|
|
passwd=None, ca_file=self.ca_file,
|
|
trust_flags=trust_flags)
|
|
server_certs = db.find_server_certs()
|
|
if len(server_certs) == 0:
|
|
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
|
|
|
|
db.create_password_conf()
|
|
|
|
# We only handle one server cert
|
|
nickname = server_certs[0][0]
|
|
self.dercert = db.get_cert_from_db(nickname, pem=False)
|
|
|
|
if self.ca_is_configured:
|
|
db.track_server_cert(nickname, self.principal, db.passwd_fname, 'restart_httpd')
|
|
|
|
self.__set_mod_nss_nickname(nickname)
|
|
else:
|
|
|
|
db.create_password_conf()
|
|
self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
|
|
ca_db)
|
|
db.track_server_cert(self.cert_nickname, self.principal,
|
|
db.passwd_fname, 'restart_httpd')
|
|
db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
|
|
|
|
# Fix the database permissions
|
|
os.chmod(certs.NSS_DIR + "/cert8.db", 0660)
|
|
os.chmod(certs.NSS_DIR + "/key3.db", 0660)
|
|
os.chmod(certs.NSS_DIR + "/secmod.db", 0660)
|
|
os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0660)
|
|
|
|
pent = pwd.getpwnam("apache")
|
|
os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
|
|
os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
|
|
os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
|
|
os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
|
|
|
|
# Fix SELinux permissions on the database
|
|
tasks.restore_context(certs.NSS_DIR + "/cert8.db")
|
|
tasks.restore_context(certs.NSS_DIR + "/key3.db")
|
|
|
|
def __import_ca_certs(self):
|
|
db = certs.CertDB(self.realm, subject_base=self.subject_base)
|
|
self.import_ca_certs(db, self.ca_is_configured)
|
|
|
|
def __setup_autoconfig(self):
|
|
target_fname = paths.PREFERENCES_HTML
|
|
ipautil.copy_template_file(
|
|
ipautil.SHARE_DIR + "preferences.html.template",
|
|
target_fname, self.sub_dict)
|
|
os.chmod(target_fname, 0644)
|
|
|
|
# The signing cert is generated in __setup_ssl
|
|
db = certs.CertDB(self.realm, subject_base=self.subject_base)
|
|
with open(db.passwd_fname) as pwdfile:
|
|
pwd = pwdfile.read()
|
|
|
|
# Setup configure.jar
|
|
if db.has_nickname('Signing-Cert'):
|
|
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
|
target_fname = paths.CONFIGURE_JAR
|
|
shutil.copy(paths.PREFERENCES_HTML, tmpdir)
|
|
db.run_signtool(["-k", "Signing-Cert",
|
|
"-Z", target_fname,
|
|
"-e", ".html", "-p", pwd,
|
|
tmpdir])
|
|
shutil.rmtree(tmpdir)
|
|
os.chmod(target_fname, 0644)
|
|
else:
|
|
root_logger.warning('Object-signing certificate was not found; '
|
|
'therefore, configure.jar was not created.')
|
|
|
|
self.setup_firefox_extension(self.realm, self.domain)
|
|
|
|
def setup_firefox_extension(self, realm, domain):
|
|
"""Set up the signed browser configuration extension
|
|
"""
|
|
|
|
target_fname = paths.KRB_JS
|
|
sub_dict = dict(REALM=realm, DOMAIN=domain)
|
|
db = certs.CertDB(realm)
|
|
with open(db.passwd_fname) as pwdfile:
|
|
pwd = pwdfile.read()
|
|
|
|
ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
|
|
target_fname, sub_dict)
|
|
os.chmod(target_fname, 0644)
|
|
|
|
# Setup extension
|
|
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
|
extdir = tmpdir + "/ext"
|
|
target_fname = paths.KERBEROSAUTH_XPI
|
|
shutil.copytree(paths.FFEXTENSION, extdir)
|
|
if db.has_nickname('Signing-Cert'):
|
|
db.run_signtool(["-k", "Signing-Cert",
|
|
"-p", pwd,
|
|
"-X", "-Z", target_fname,
|
|
extdir])
|
|
else:
|
|
root_logger.warning('Object-signing certificate was not found. '
|
|
'Creating unsigned Firefox configuration extension.')
|
|
filenames = os.listdir(extdir)
|
|
ipautil.run([paths.ZIP, '-r', target_fname] + filenames,
|
|
cwd=extdir)
|
|
shutil.rmtree(tmpdir)
|
|
os.chmod(target_fname, 0644)
|
|
|
|
def __publish_ca_cert(self):
|
|
ca_db = certs.CertDB(self.realm)
|
|
ca_db.publish_ca_cert(paths.CA_CRT)
|
|
|
|
def uninstall(self):
|
|
if self.is_configured():
|
|
self.print_msg("Unconfiguring web server")
|
|
|
|
running = self.restore_state("running")
|
|
enabled = self.restore_state("enabled")
|
|
|
|
|
|
self.stop_tracking_certificates()
|
|
|
|
helper = self.restore_state('certmonger_ipa_helper')
|
|
if helper:
|
|
bus = dbus.SystemBus()
|
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
|
'/org/fedorahosted/certmonger')
|
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
|
path = iface.find_ca_by_nickname('IPA')
|
|
if path:
|
|
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
|
|
ca_iface = dbus.Interface(ca_obj,
|
|
'org.freedesktop.DBus.Properties')
|
|
ca_iface.Set('org.fedorahosted.certmonger.ca',
|
|
'external-helper', helper)
|
|
|
|
for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
|
|
try:
|
|
self.fstore.restore_file(f)
|
|
except ValueError, error:
|
|
root_logger.debug(error)
|
|
pass
|
|
|
|
# Remove the configuration files we create
|
|
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
|
|
installutils.remove_file(paths.HTTPD_IPA_CONF)
|
|
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
|
|
|
|
# Restore SELinux boolean states
|
|
boolean_states = {name: self.restore_state(name)
|
|
for name in SELINUX_BOOLEAN_SETTINGS}
|
|
try:
|
|
tasks.set_selinux_booleans(boolean_states)
|
|
except ipapython.errors.SetseboolError as e:
|
|
self.print_msg('WARNING: ' + str(e))
|
|
|
|
if running:
|
|
self.restart()
|
|
|
|
# disabled by default, by ldap_enable()
|
|
if enabled:
|
|
self.enable()
|
|
|
|
def stop_tracking_certificates(self):
|
|
db = certs.CertDB(api.env.realm)
|
|
db.untrack_server_cert(self.cert_nickname)
|