websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
ipaplatform/redhat/__init__.pyc
View File

Binary file not shown.

18
ipaplatform/redhat/authconfig.py
View File

@@ -19,9 +19,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipapython import ipautil
import os
FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
class RedHatAuthConfig(object):
"""
@@ -86,19 +84,3 @@ class RedHatAuthConfig(object):
args = self.build_args()
ipautil.run(["/usr/sbin/authconfig"] + args)
def backup(self, path):
ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])
# do not backup these files since we don't want to mess with
# users/groups during restore. Authconfig doesn't seem to mind about
# having them deleted from backup dir
files_to_remove = [os.path.join(path, f) for f in FILES_TO_NOT_BACKUP]
for filename in files_to_remove:
try:
os.remove(filename)
except OSError:
pass
def restore(self, path):
ipautil.run(["/usr/sbin/authconfig", "--restorebackup", path])

BIN
ipaplatform/redhat/authconfig.pyc Normal file
View File

Binary file not shown.

17
ipaplatform/redhat/constants.py
View File

@@ -1,17 +0,0 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This Red Hat OS family base platform module exports default platform
related constants for the Red Hat OS family-based systems.
'''
# Fallback to default path definitions
from ipaplatform.base.constants import BaseConstantsNamespace
class RedHatConstantsNamespace(BaseConstantsNamespace):
pass
constants = RedHatConstantsNamespace()

6
ipaplatform/redhat/paths.py
View File

@@ -22,16 +22,12 @@ This Red Hat OS family base platform module exports default filesystem paths as
common in Red Hat OS family-based systems.
'''
import sys
# Fallback to default path definitions
from ipaplatform.base.paths import BasePathNamespace
class RedHatPathNamespace(BasePathNamespace):
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
pass
paths = RedHatPathNamespace()

BIN
ipaplatform/redhat/paths.pyc
View File

Binary file not shown.

90
ipaplatform/redhat/services.py
View File

@@ -24,8 +24,6 @@ Contains Red Hat OS family-specific service class implementations.
import os
import time
import xml.dom.minidom
import contextlib
from ipaplatform.tasks import tasks
from ipaplatform.base import services as base_services
@@ -58,18 +56,15 @@ redhat_system_units['rpcidmapd'] = 'nfs-idmap.service'
# code).
redhat_system_units['dirsrv'] = 'dirsrv@.service'
# Our directory server instance for PKI is dirsrv@PKI-IPA.service
redhat_system_units['pkids'] = 'dirsrv@PKI-IPA.service'
# Old style PKI instance
redhat_system_units['pki-cad'] = 'pki-cad@pki-ca.service'
redhat_system_units['pki_cad'] = redhat_system_units['pki-cad']
# Our PKI instance is pki-tomcatd@pki-tomcat.service
redhat_system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
redhat_system_units['pki_tomcatd'] = redhat_system_units['pki-tomcatd']
redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
# Service classes that implement Red Hat OS family-specific behaviour
@@ -120,8 +115,7 @@ class RedHatDirectoryService(RedHatService):
return True
def restart(self, instance_name="", capture_output=True, wait=True,
ldapi=False):
def restart(self, instance_name="", capture_output=True, wait=True):
# We need to explicitly enable instances to install proper symlinks as
# dirsrv.target.wants/ dependencies. Standard systemd service class does it
# on enable() method call. Unfortunately, ipa-server-install does not do
@@ -147,35 +141,8 @@ class RedHatDirectoryService(RedHatService):
os.unlink(srv_lnk)
os.symlink(srv_etc, srv_lnk)
with self.__wait(instance_name, wait, ldapi) as wait:
super(RedHatDirectoryService, self).restart(
instance_name, capture_output=capture_output, wait=wait)
def start(self, instance_name="", capture_output=True, wait=True,
ldapi=False):
with self.__wait(instance_name, wait, ldapi) as wait:
super(RedHatDirectoryService, self).start(
instance_name, capture_output=capture_output, wait=wait)
@contextlib.contextmanager
def __wait(self, instance_name, wait, ldapi):
if ldapi:
instance_name = self.service_instance(instance_name)
if instance_name.endswith('.service'):
instance_name = instance_name[:-8]
if instance_name.startswith('dirsrv'):
# this is intentional, return the empty string if the instance
# name is 'dirsrv'
instance_name = instance_name[7:]
if not instance_name:
ldapi = False
if ldapi:
yield False
socket_name = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % instance_name
ipautil.wait_for_open_socket(socket_name,
self.api.env.startup_timeout)
else:
yield wait
super(RedHatDirectoryService, self).restart(instance_name,
capture_output=capture_output, wait=wait)
class RedHatIPAService(RedHatService):
@@ -195,37 +162,24 @@ class RedHatSSHService(RedHatService):
class RedHatCAService(RedHatService):
def wait_until_running(self):
# We must not wait for the httpd proxy if httpd is not set up yet.
# Unfortunately, knownservices.httpd.is_installed() can return
# false positives, so check for existence of our configuration file.
# TODO: Use a cleaner solution
use_proxy = True
if not (os.path.exists('/etc/httpd/conf.d/ipa.conf') and
os.path.exists(paths.HTTPD_IPA_PKI_PROXY_CONF)):
root_logger.debug(
'The httpd proxy is not installed, wait on local port')
use_proxy = False
root_logger.debug('Waiting until the CA is running')
timeout = float(api.env.startup_timeout)
op_timeout = time.time() + timeout
while time.time() < op_timeout:
try:
# FIXME https://fedorahosted.org/freeipa/ticket/4716
# workaround
#
# status = dogtag.ca_status(use_proxy=use_proxy)
#
port = 8443
url = "https://%(host_port)s%(path)s" % {
"host_port": ipautil.format_netloc(api.env.ca_host, port),
"path": "/ca/admin/ca/getStatus"
}
args = [
paths.BIN_CURL,
'-o', '-',
'--connect-timeout', '30',
'-k',
url
]
result = ipautil.run(args, capture_output=True)
status = dogtag._parse_ca_status(result.output)
# end of workaround
except Exception as e:
status = 'check interrupted due to error: %s' % e
status = dogtag.ca_status(use_proxy=use_proxy)
except Exception:
status = 'check interrupted'
root_logger.debug('The CA status is: %s' % status)
if status == 'running':
break
@@ -257,7 +211,7 @@ def redhat_service_class_factory(name):
return RedHatIPAService(name)
if name == 'sshd':
return RedHatSSHService(name)
if name in ('pki-tomcatd', 'pki_tomcatd'):
if name in ('pki-cad', 'pki_cad', 'pki-tomcatd', 'pki_tomcatd'):
return RedHatCAService(name)
return RedHatService(name)

BIN
ipaplatform/redhat/services.pyc Normal file
View File

Binary file not shown.

317
ipaplatform/redhat/tasks.py
View File

@@ -23,75 +23,22 @@
This module contains default Red Hat OS family-specific implementations of
system tasks.
'''
from __future__ import print_function
import os
import shutil
import stat
import socket
import sys
import base64
from cffi import FFI
from ctypes.util import find_library
from functools import total_ordering
from subprocess import CalledProcessError
from nss.error import NSPRError
from pyasn1.error import PyAsn1Error
from six.moves import urllib
from ipapython.ipa_log_manager import root_logger, log_mgr
from ipapython.ipa_log_manager import root_logger
from ipapython import ipautil
import ipapython.errors
from ipalib import x509 # FIXME: do not import from ipalib
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform.redhat.authconfig import RedHatAuthConfig
from ipaplatform.base.tasks import BaseTaskNamespace
_ffi = FFI()
_ffi.cdef("""
int rpmvercmp (const char *a, const char *b);
""")
# use ctypes loader to get correct librpm.so library version according to
# https://cffi.readthedocs.org/en/latest/overview.html#id8
_librpm = _ffi.dlopen(find_library("rpm"))
log = log_mgr.get_logger(__name__)
def selinux_enabled():
"""
Check if SELinux is enabled.
"""
if os.path.exists(paths.SELINUXENABLED):
try:
ipautil.run([paths.SELINUXENABLED])
return True
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
return False
else:
# No selinuxenabled, no SELinux
return False
@total_ordering
class IPAVersion(object):
def __init__(self, version):
self.version = version
def __eq__(self, other):
assert isinstance(other, IPAVersion)
return _librpm.rpmvercmp(self.version, other.version) == 0
def __lt__(self, other):
assert isinstance(other, IPAVersion)
return _librpm.rpmvercmp(self.version, other.version) < 0
class RedHatTaskNamespace(BaseTaskNamespace):
@@ -104,8 +51,14 @@ class RedHatTaskNamespace(BaseTaskNamespace):
ipautil.run() will do the logging.
"""
if not selinux_enabled():
try:
if os.path.exists(paths.SELINUXENABLED):
ipautil.run([paths.SELINUXENABLED])
else:
# No selinuxenabled, no SELinux
return
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
return
if (os.path.exists(restorecon)):
@@ -121,7 +74,14 @@ class RedHatTaskNamespace(BaseTaskNamespace):
This function returns nothing but may raise a Runtime exception
if SELinux is enabled but restorecon is not available.
"""
if not selinux_enabled():
try:
if os.path.exists(paths.SELINUXENABLED):
ipautil.run([paths.SELINUXENABLED])
else:
# No selinuxenabled, no SELinux
return
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
return
if not os.path.exists(restorecon):
@@ -189,151 +149,60 @@ class RedHatTaskNamespace(BaseTaskNamespace):
auth_config.add_option("nostart")
auth_config.execute()
def backup_auth_configuration(self, path):
auth_config = RedHatAuthConfig()
auth_config.backup(path)
def insert_ca_cert_into_systemwide_ca_store(self, cacert_path):
# Add the 'ipa-' prefix to cert name to avoid name collisions
cacert_name = os.path.basename(cacert_path)
new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
'ipa-%s' % cacert_name)
def restore_auth_configuration(self, path):
auth_config = RedHatAuthConfig()
auth_config.restore(path)
def reload_systemwide_ca_store(self):
# Add the CA to the systemwide CA trust database
try:
shutil.copy(cacert_path, new_cacert_path)
ipautil.run([paths.UPDATE_CA_TRUST])
except CalledProcessError as e:
root_logger.error(
"Could not update systemwide CA trust database: %s", e)
return False
except OSError, e:
root_logger.info("Failed to copy %s to %s" % (cacert_path,
new_cacert_path))
except CalledProcessError, e:
root_logger.info("Failed to add CA to the systemwide "
"CA trust database: %s" % str(e))
else:
root_logger.info("Systemwide CA database updated.")
root_logger.info('Added the CA to the systemwide CA trust '
'database.')
return True
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
return False
def remove_ca_cert_from_systemwide_ca_store(self, cacert_path):
# Derive the certificate name in the store
cacert_name = os.path.basename(cacert_path)
new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE,
'ipa-%s' % cacert_name)
# Remove CA cert from systemwide store
if os.path.exists(new_cacert_path):
try:
os.remove(new_cacert_path)
except OSError as e:
root_logger.error(
"Could not remove %s: %s", new_cacert_path, e)
ipautil.run([paths.UPDATE_CA_TRUST])
except OSError, e:
root_logger.error('Could not remove: %s, %s'
% (new_cacert_path, str(e)))
return False
new_cacert_path = paths.IPA_P11_KIT
try:
f = open(new_cacert_path, 'w')
except IOError as e:
root_logger.info("Failed to open %s: %s" % (new_cacert_path, e))
return False
f.write("# This file was created by IPA. Do not edit.\n"
"\n")
has_eku = set()
for cert, nickname, trusted, ext_key_usage in ca_certs:
try:
subject = x509.get_der_subject(cert, x509.DER)
issuer = x509.get_der_issuer(cert, x509.DER)
serial_number = x509.get_der_serial_number(cert, x509.DER)
public_key_info = x509.get_der_public_key_info(cert, x509.DER)
except (NSPRError, PyAsn1Error, ValueError) as e:
root_logger.warning(
"Failed to decode certificate \"%s\": %s", nickname, e)
continue
label = urllib.parse.quote(nickname)
subject = urllib.parse.quote(subject)
issuer = urllib.parse.quote(issuer)
serial_number = urllib.parse.quote(serial_number)
public_key_info = urllib.parse.quote(public_key_info)
cert = base64.b64encode(cert)
cert = x509.make_pem(cert)
obj = ("[p11-kit-object-v1]\n"
"class: certificate\n"
"certificate-type: x-509\n"
"certificate-category: authority\n"
"label: \"%(label)s\"\n"
"subject: \"%(subject)s\"\n"
"issuer: \"%(issuer)s\"\n"
"serial-number: \"%(serial_number)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n" %
dict(label=label,
subject=subject,
issuer=issuer,
serial_number=serial_number,
public_key_info=public_key_info))
if trusted is True:
obj += "trusted: true\n"
elif trusted is False:
obj += "x-distrusted: true\n"
obj += "%s\n\n" % cert
f.write(obj)
if ext_key_usage is not None and public_key_info not in has_eku:
if not ext_key_usage:
ext_key_usage = {x509.EKU_PLACEHOLDER}
try:
ext_key_usage = x509.encode_ext_key_usage(ext_key_usage)
except PyAsn1Error as e:
root_logger.warning(
"Failed to encode extended key usage for \"%s\": %s",
nickname, e)
continue
value = urllib.parse.quote(ext_key_usage)
obj = ("[p11-kit-object-v1]\n"
"class: x-certificate-extension\n"
"label: \"ExtendedKeyUsage for %(label)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n"
"object-id: 2.5.29.37\n"
"value: \"%(value)s\"\n\n" %
dict(label=label,
public_key_info=public_key_info,
value=value))
f.write(obj)
has_eku.add(public_key_info)
f.close()
# Add the CA to the systemwide CA trust database
if not self.reload_systemwide_ca_store():
return False
except CalledProcessError, e:
root_logger.error('Could not update systemwide CA trust '
'database: %s' % str(e))
return False
else:
root_logger.info('Systemwide CA database updated.')
return True
def remove_ca_certs_from_systemwide_ca_store(self):
result = True
update = False
# Remove CA cert from systemwide store
for new_cacert_path in (paths.IPA_P11_KIT,
paths.SYSTEMWIDE_IPA_CA_CRT):
if not os.path.exists(new_cacert_path):
continue
try:
os.remove(new_cacert_path)
except OSError as e:
root_logger.error(
"Could not remove %s: %s", new_cacert_path, e)
result = False
else:
update = True
if update:
if not self.reload_systemwide_ca_store():
return False
return result
def backup_and_replace_hostname(self, fstore, statestore, hostname):
old_hostname = socket.gethostname()
try:
ipautil.run([paths.BIN_HOSTNAME, hostname])
except ipautil.CalledProcessError as e:
print(("Failed to set this machine hostname to "
"%s (%s)." % (hostname, str(e))), file=sys.stderr)
except ipautil.CalledProcessError, e:
print >>sys.stderr, ("Failed to set this machine hostname to "
"%s (%s)." % (hostname, str(e)))
filepath = paths.ETC_HOSTNAME
if os.path.exists(filepath):
@@ -369,8 +238,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
# in /etc/sysconfig/network
old_filepath_restore = paths.SYSCONFIG_NETWORK_IPABKP
fstore.restore_file(old_filepath, old_filepath_restore)
print("Deprecated configuration file '%s' was restored to '%s'" \
% (old_filepath, old_filepath_restore))
print "Deprecated configuration file '%s' was restored to '%s'" \
% (old_filepath, old_filepath_restore)
hostname_was_configured = True
filepath = paths.ETC_HOSTNAME
@@ -386,79 +255,5 @@ class RedHatTaskNamespace(BaseTaskNamespace):
except OSError:
pass
def set_selinux_booleans(self, required_settings, backup_func=None):
def get_setsebool_args(changes):
args = [paths.SETSEBOOL, "-P"]
args.extend(["%s=%s" % update for update in changes.items()])
return args
if not selinux_enabled():
return False
updated_vars = {}
failed_vars = {}
for setting, state in required_settings.items():
if state is None:
continue
try:
result = ipautil.run(
[paths.GETSEBOOL, setting],
capture_output=True
)
original_state = result.output.split()[2]
if backup_func is not None:
backup_func(setting, original_state)
if original_state != state:
updated_vars[setting] = state
except ipautil.CalledProcessError as e:
log.error("Cannot get SELinux boolean '%s': %s", setting, e)
failed_vars[setting] = state
if updated_vars:
args = get_setsebool_args(updated_vars)
try:
ipautil.run(args)
except ipautil.CalledProcessError:
failed_vars.update(updated_vars)
if failed_vars:
raise ipapython.errors.SetseboolError(
failed=failed_vars,
command=' '.join(get_setsebool_args(failed_vars)))
return True
def create_system_user(self, name, group, homedir, shell, uid=None, gid=None, comment=None, create_homedir=False):
"""
Create a system user with a corresponding group
According to https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
some system users should have fixed UID, GID and other parameters set.
This values should be constant and may be hardcoded.
Add other values for other users when needed.
"""
if name == constants.PKI_USER:
if uid is None:
uid = 17
if gid is None:
gid = 17
if comment is None:
comment = 'CA System User'
if name == constants.DS_USER:
if comment is None:
comment = 'DS System User'
super(RedHatTaskNamespace, self).create_system_user(name, group,
homedir, shell, uid, gid, comment, create_homedir)
def parse_ipa_version(self, version):
"""
:param version: textual version
:return: object implementing proper __cmp__ method for version compare
"""
return IPAVersion(version)
tasks = RedHatTaskNamespace()

BIN
ipaplatform/redhat/tasks.pyc Normal file
View File

Binary file not shown.