Imported Upstream version 4.8.10

This commit is contained in:
Mario Fetka
2021-10-03 11:06:28 +02:00
parent 10dfc9587b
commit 03a8170b15
2361 changed files with 1883897 additions and 338759 deletions


@@ -0,0 +1,7 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
This module contains Debian specific platform files.
"""


@@ -0,0 +1,30 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
'''
This Debian family platform module exports platform dependant constants.
'''
# Fallback to default path definitions
from __future__ import absolute_import
from ipaplatform.base.constants import BaseConstantsNamespace
class DebianConstantsNamespace(BaseConstantsNamespace):
HTTPD_USER = "www-data"
HTTPD_GROUP = "www-data"
NAMED_USER = "bind"
NAMED_GROUP = "bind"
NAMED_DATA_DIR = ""
NAMED_ZONE_COMMENT = "//"
# ntpd init variable used for daemon options
NTPD_OPTS_VAR = "NTPD_OPTS"
# quote used for daemon options
NTPD_OPTS_QUOTE = "\'"
ODS_USER = "opendnssec"
ODS_GROUP = "opendnssec"
SECURE_NFS_VAR = "NEED_GSSD"
constants = DebianConstantsNamespace()
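Review bot: `NTPD_OPTS_QUOTE = "\'"` escapes a single quote inside a double-quoted literal, which is unnecessary and reads as if a different character had been intended; `NTPD_OPTS_QUOTE = "'"` is the same value and is unambiguous. The module docstring also misspells "dependent" as "dependant".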

122
ipaplatform/debian/paths.py Normal file

@@ -0,0 +1,122 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
This Debian base platform module exports default filesystem paths as common
in Debian-based systems.
"""
# Fallback to default path definitions
from __future__ import absolute_import
from ipaplatform.base.paths import BasePathNamespace
import sysconfig
MULTIARCH = sysconfig.get_config_var('MULTIARCH')
class DebianPathNamespace(BasePathNamespace):
BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_HTTPD_DIR = "/etc/apache2"
HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
HTTPD_SSL_CONF = "/etc/apache2/mods-available/ssl.conf"
HTTPD_SSL_SITE_CONF = "/etc/apache2/sites-available/default-ssl.conf"
OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
NAMED_CONF = "/etc/bind/named.conf"
NAMED_CONF_BAK = "/etc/bind/named.conf.ipa-backup"
NAMED_CUSTOM_CONF = "/etc/bind/ipa-ext.conf"
NAMED_CUSTOM_OPTIONS_CONF = "/etc/bind/ipa-options-ext.conf"
NAMED_VAR_DIR = "/var/cache/bind"
NAMED_KEYTAB = "/etc/bind/named.keytab"
NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
NAMED_ROOT_KEY = "/etc/bind/bind.keys"
NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
CHRONY_CONF = "/etc/chrony/chrony.conf"
OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
ETC_DEBIAN_VERSION = "/etc/debian_version"
# Old versions of freeipa wrote all trusted certificates to a single
# file, which is not supported by ca-certificates.
CA_CERTIFICATES_BUNDLE_PEM = "/usr/local/share/ca-certificates/ipa-ca.crt"
CA_CERTIFICATES_DIR = "/usr/local/share/ca-certificates/ipa-ca"
# Debian's p11-kit does not use ipa.p11-kit, so the file is provided
# for information only.
IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa.p11-kit"
ETC_SYSCONFIG_DIR = "/etc/default"
SYSCONFIG_AUTOFS = "/etc/default/autofs"
SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
SYSCONFIG_NAMED = "/etc/default/bind9"
SYSCONFIG_NFS = "/etc/default/nfs-common"
SYSCONFIG_NTPD = "/etc/default/ntp"
SYSCONFIG_ODS = "/etc/default/opendnssec"
SYSCONFIG_PKI = "/etc/dogtag/"
SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
BIN_TOMCAT = "/usr/share/tomcat9/bin/version.sh"
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
GSSAPI_SESSION_KEY = "/etc/apache2/ipasession.key"
OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
ODS_KSMUTIL = None
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
LIBARCH = "/{0}".format(MULTIARCH)
LIBSOFTHSM2_SO = "/usr/lib/softhsm/libsofthsm2.so"
PAM_KRB5_SO = "/usr/lib/{0}/security/pam_krb5.so".format(MULTIARCH)
LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
LIBEXEC_CERTMONGER_DIR = "/usr/lib/certmonger"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit"
DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-renew-agent-submit"
CERTMONGER_DOGTAG_SUBMIT = "/usr/lib/certmonger/dogtag-submit"
IPA_SERVER_GUARD = "/usr/lib/certmonger/ipa-server-guard"
GENERATE_RNDC_KEY = "/bin/true"
LIBEXEC_IPA_DIR = "/usr/lib/ipa"
IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
IPA_PKI_RETRIEVE_KEY = "/usr/lib/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/lib/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/lib/ipa/ipa-pki-wait-running"
HTTPD = "/usr/sbin/apache2ctl"
FONTS_DIR = "/usr/share/fonts/truetype"
FONTS_OPENSANS_DIR = "/usr/share/fonts/truetype/open-sans"
FONTS_FONTAWESOME_DIR = "/usr/share/fonts/truetype/font-awesome"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
CACERT_PEM = "/var/lib/ipa/certs/cacert.pem"
KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
KDC_CERT = "/var/lib/ipa/certs/kdc.crt"
KDC_KEY = "/var/lib/ipa/certs/kdc.key"
VAR_LOG_HTTPD_DIR = "/var/log/apache2"
VAR_LOG_HTTPD_ERROR = "/var/log/apache2/error.log"
NAMED_RUN = "/var/cache/bind/named.run"
VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_CUSTODIA_HANDLER = "/usr/lib/ipa/custodia"
WSGI_PREFIX_DIR = "/run/apache2/wsgi"
paths = DebianPathNamespace()
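Review bot: `MULTIARCH = sysconfig.get_config_var('MULTIARCH')` can return None when the interpreter build does not define that variable, and nothing guards it, so `LIBARCH` and `PAM_KRB5_SO` would silently become `/None` and `/usr/lib/None/security/pam_krb5.so`. Failing at import is preferable to a bogus path being written into configuration later: `if not MULTIARCH:` / `    raise RuntimeError("sysconfig defines no MULTIARCH; cannot derive Debian library paths")` directly after the assignment. `GENERATE_RNDC_KEY = "/bin/true"` deserves a one-line comment explaining why the key-generation step is a no-op on Debian, otherwise it reads like a leftover.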


@@ -0,0 +1,184 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
Contains Debian-specific service class implementations.
"""
from __future__ import absolute_import
from ipaplatform.base import services as base_services
from ipaplatform.redhat import services as redhat_services
from ipapython import ipautil
from ipaplatform.paths import paths
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
debian_system_units = redhat_services.redhat_system_units.copy()
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
debian_system_units['named-regular'] = 'bind9.service'
debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
debian_system_units['named'] = debian_system_units['named-pkcs11']
debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
debian_system_units['ods-enforcerd'] = 'opendnssec-enforcer.service'
debian_system_units['ods_enforcerd'] = debian_system_units['ods-enforcerd']
debian_system_units['ods-signerd'] = 'opendnssec-signer.service'
debian_system_units['ods_signerd'] = debian_system_units['ods-signerd']
debian_system_units['rpcgssd'] = 'rpc-gssd.service'
debian_system_units['rpcidmapd'] = 'nfs-idmapd.service'
debian_system_units['smb'] = 'smbd.service'
# Service classes that implement Debian family-specific behaviour
class DebianService(redhat_services.RedHatService):
system_units = debian_system_units
class DebianSysvService(base_services.PlatformService):
def __wait_for_open_ports(self, instance_name=""):
"""
If this is a service we need to wait for do so.
"""
ports = None
if instance_name in base_services.wellknownports:
ports = base_services.wellknownports[instance_name]
else:
if self.service_name in base_services.wellknownports:
ports = base_services.wellknownports[self.service_name]
if ports:
ipautil.wait_for_open_ports('localhost', ports, self.api.env.startup_timeout)
def stop(self, instance_name='', capture_output=True):
ipautil.run([paths.SBIN_SERVICE, self.service_name, "stop",
instance_name], capture_output=capture_output)
super(DebianSysvService, self).stop(instance_name)
def start(self, instance_name='', capture_output=True, wait=True):
ipautil.run([paths.SBIN_SERVICE, self.service_name, "start",
instance_name], capture_output=capture_output)
if wait and self.is_running(instance_name):
self.__wait_for_open_ports(instance_name)
super(DebianSysvService, self).start(instance_name)
def restart(self, instance_name='', capture_output=True, wait=True):
ipautil.run([paths.SBIN_SERVICE, self.service_name, "restart",
instance_name], capture_output=capture_output)
if wait and self.is_running(instance_name):
self.__wait_for_open_ports(instance_name)
def is_running(self, instance_name="", wait=True):
ret = True
try:
result = ipautil.run([paths.SBIN_SERVICE,
self.service_name, "status",
instance_name],
capture_output=True)
sout = result.output
if sout.find("NOT running") >= 0:
ret = False
if sout.find("stop") >= 0:
ret = False
if sout.find("inactive") >= 0:
ret = False
except ipautil.CalledProcessError:
ret = False
return ret
def is_installed(self):
installed = True
try:
ipautil.run([paths.SBIN_SERVICE, self.service_name, "status"])
except ipautil.CalledProcessError as e:
if e.returncode == 1:
# service is not installed or there is other serious issue
installed = False
return installed
@staticmethod
def is_enabled(instance_name=""):
# Services are always assumed to be enabled when installed
return True
@staticmethod
def enable():
return True
@staticmethod
def disable():
return True
@staticmethod
def install():
return True
@staticmethod
def remove():
return True
# For services which have no Debian counterpart
class DebianNoService(base_services.PlatformService):
@staticmethod
def start():
return True
@staticmethod
def stop():
return True
@staticmethod
def restart():
return True
@staticmethod
def disable():
return True
# Function that constructs proper Debian-specific server classes for services
# of specified name
def debian_service_class_factory(name, api=None):
if name == 'dirsrv':
return redhat_services.RedHatDirectoryService(name, api)
if name == 'domainname':
return DebianNoService(name, api)
if name == 'ipa':
return redhat_services.RedHatIPAService(name, api)
if name in ('pki-tomcatd', 'pki_tomcatd'):
return redhat_services.RedHatCAService(name, api)
if name == 'ntpd':
return DebianSysvService("ntp", api)
return DebianService(name, api)
# Magicdict containing DebianService instances.
class DebianServices(base_services.KnownServices):
def __init__(self):
# pylint: disable=ipa-forbidden-import
import ipalib # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
services = dict()
for s in base_services.wellknownservices:
services[s] = self.service_class_factory(s, ipalib.api)
# Call base class constructor. This will lock services to read-only
super(DebianServices, self).__init__(services)
@staticmethod
def service_class_factory(name, api=None):
return debian_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = base_services.timedate_services
service = debian_service_class_factory
knownservices = DebianServices()
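Review bot: `DebianSysvService.is_running` decides liveness by substring search over the `service status` output, and `sout.find("stop") >= 0` in particular matches any output containing that fragment, including a service or instance name, so a running service can be reported as stopped. The `except ipautil.CalledProcessError` branch shows the helper already raises on a non-zero exit, which is the more reliable signal; at minimum the text checks should match whole words or line-anchored phrases, e.g. `re.search(r"\b(NOT running|stopped|inactive)\b", sout)`. Separately, `stop`, `start`, `restart` and `is_running` always append `instance_name` to the argv, so with the default `''` an empty argument is passed to `service`; build the list first and append `instance_name` only when it is non-empty. `DebianNoService.start/stop/restart` take no arguments while the `DebianSysvService` equivalents accept `instance_name`, so a caller passing it would raise TypeError on the no-op class; worth checking against the `PlatformService` contract, which is not visible here.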

213
ipaplatform/debian/tasks.py Normal file

@@ -0,0 +1,213 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
This module contains default Debian-specific implementations of system tasks.
"""
from __future__ import absolute_import
import logging
import os
import shutil
from pathlib import Path
from ipaplatform.base.tasks import BaseTaskNamespace
from ipaplatform.redhat.tasks import RedHatTaskNamespace
from ipaplatform.paths import paths
from ipapython import directivesetter
from ipapython import ipautil
from ipapython.dn import DN
logger = logging.getLogger(__name__)
class DebianTaskNamespace(RedHatTaskNamespace):
@staticmethod
def restore_pre_ipa_client_configuration(fstore, statestore,
was_sssd_installed,
was_sssd_configured):
try:
ipautil.run(["pam-auth-update",
"--package", "--remove", "mkhomedir"])
except ipautil.CalledProcessError:
return False
return True
@staticmethod
def set_nisdomain(nisdomain):
# Debian doesn't use authconfig, nothing to set
return True
@staticmethod
def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True):
if mkhomedir:
try:
ipautil.run(["pam-auth-update",
"--package", "--enable", "mkhomedir"])
except ipautil.CalledProcessError:
return False
return True
else:
return True
@staticmethod
def modify_pam_to_use_krb5(statestore):
# Debian doesn't use authconfig, this is handled by pam-auth-update
return True
@staticmethod
def backup_auth_configuration(path):
# Debian doesn't use authconfig, nothing to backup
return True
@staticmethod
def restore_auth_configuration(path):
# Debian doesn't use authconfig, nothing to restore
return True
def migrate_auth_configuration(self, statestore):
# Debian doesn't have authselect
return True
def configure_httpd_wsgi_conf(self):
# Debian doesn't require special mod_wsgi configuration
pass
def configure_httpd_protocol(self):
# TLS 1.3 is not yet supported
directivesetter.set_directive(paths.HTTPD_SSL_CONF,
'SSLProtocol',
'TLSv1.2', False)
def setup_httpd_logging(self):
# Debian handles httpd logging differently
pass
def configure_pkcs11_modules(self, fstore):
# Debian doesn't use p11-kit
pass
def restore_pkcs11_modules(self, fstore):
pass
def platform_insert_ca_certs(self, ca_certs):
# ca-certificates does not use this file, so it doesn't matter if we
# fail to create it.
try:
self.write_p11kit_certs(paths.IPA_P11_KIT, ca_certs),
except Exception:
logger.exception("""\
Could not create p11-kit anchor trust file. On Debian this file is not
used by ca-certificates and is provided for information only.\
""")
return any([
self.write_ca_certificates_dir(
paths.CA_CERTIFICATES_DIR, ca_certs
),
self.remove_ca_certificates_bundle(
paths.CA_CERTIFICATES_BUNDLE_PEM
),
])
def write_ca_certificates_dir(self, directory, ca_certs):
# pylint: disable=ipa-forbidden-import
from ipalib import x509 # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
path = Path(directory)
try:
path.mkdir(mode=0o755, exist_ok=True)
except Exception:
logger.error("Could not create %s", path)
raise
for cert, nickname, trusted, _ext_key_usage in ca_certs:
if not trusted:
continue
# I'm not handling errors here because they have already
# been checked by the time we get here
subject = DN(cert.subject)
issuer = DN(cert.issuer)
# Construct the certificate filename using the Subject DN so that
# the user can see which CA a particular file is for, and include
# the serial number to disambiguate clashes where a subordinate CA
# had a new certificate issued.
#
# Strictly speaking, certificates are uniquely idenified by (Issuer
# DN, Serial Number). Do we care about the possibility of a clash
# where a subordinate CA had two certificates issued by different
# CAs who used the same serial number?)
filename = f'{subject.ldap_text()} {cert.serial_number}.crt'
# pylint: disable=old-division
cert_path = path / filename
# pylint: enable=old-division
try:
f = open(cert_path, 'w')
except Exception:
logger.error("Could not create %s", cert_path)
raise
with f:
try:
os.fchmod(f.fileno(), 0o644)
except Exception:
logger.error("Could not set mode of %s", cert_path)
raise
try:
f.write(f"""\
This file was created by IPA. Do not edit.
Description: {nickname}
Subject: {subject.ldap_text()}
Issuer: {issuer.ldap_text()}
Serial Number (dec): {cert.serial_number}
Serial Number (hex): {cert.serial_number:#x}
""")
pem = cert.public_bytes(x509.Encoding.PEM).decode('ascii')
f.write(pem)
except Exception:
logger.error("Could not write to %s", cert_path)
raise
return True
def platform_remove_ca_certs(self):
return any([
self.remove_ca_certificates_dir(paths.CA_CERTIFICATES_DIR),
self.remove_ca_certificates_bundle(paths.IPA_P11_KIT),
self.remove_ca_certificates_bundle(
paths.CA_CERTIFICATES_BUNDLE_PEM
),
])
def remove_ca_certificates_dir(self, directory):
path = Path(paths.CA_CERTIFICATES_DIR)
if not path.exists():
return False
try:
shutil.rmtree(path)
except Exception:
logger.error("Could not remove %s", path)
raise
return True
# Debian doesn't use authselect, so call enable/disable_ldap_automount
# from BaseTaskNamespace.
def enable_ldap_automount(self, statestore):
return BaseTaskNamespace.enable_ldap_automount(self, statestore)
def disable_ldap_automount(self, statestore):
return BaseTaskNamespace.disable_ldap_automount(self, statestore)
tasks = DebianTaskNamespace()
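Review bot: `remove_ca_certificates_dir(self, directory)` ignores its `directory` parameter and always removes `paths.CA_CERTIFICATES_DIR` (`path = Path(paths.CA_CERTIFICATES_DIR)`), so a caller passing any other directory would delete the wrong tree; it should read `path = Path(directory)`. In `write_ca_certificates_dir` the file name is built verbatim from `subject.ldap_text()`, and a DN component containing `/` would make `path / filename` point outside the intended directory (or fail to open); the DN comes from a certificate in the IPA trust store, so exposure is limited, but a check such as `if cert_path.parent != path: raise ValueError(f"unsafe certificate filename {filename!r}")` before the `open` keeps every write inside `directory`. The trailing comma on `self.write_p11kit_certs(paths.IPA_P11_KIT, ca_certs),` builds a throwaway tuple and should be dropped.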