websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.8.10-2

Browse Source
This commit is contained in:
Timo Aaltonen
2020-11-23 20:48:56 +02:00
committed by Mario Fetka
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
ipaserver/advise/base.py
View File

@@ -81,7 +81,7 @@ As a result, you can redirect the advice's output directly to a script file.
DEFAULT_INDENTATION_INCREMENT = 2
class _IndentationTracker(object):
class _IndentationTracker:
"""
A simple wrapper that tracks the indentation level of the generated bash
commands
@@ -130,7 +130,7 @@ class _IndentationTracker(object):
self._recompute_indentation_level()
class CompoundStatement(object):
class CompoundStatement:
"""
Wrapper around indented blocks of Bash statements.
@@ -221,12 +221,13 @@ class ForLoop(CompoundStatement):
self.advice_output.command('done')
class _AdviceOutput(object):
class _AdviceOutput:
def __init__(self):
self.content = []
self.prefix = '# '
self.options = None
self.pkgmgr_detected = False
self._indentation_tracker = _IndentationTracker(
spaces_per_indent=DEFAULT_INDENTATION_INCREMENT)
@@ -312,6 +313,41 @@ class _AdviceOutput(object):
self.command('exit 1')
def detect_pkgmgr(self):
self.commands_on_predicate(
'which yum >/dev/null',
commands_to_run_when_true=['PKGMGR=yum'],
commands_to_run_when_false=['PKGMGR=dnf']
)
self.pkgmgr_detected = True
def install_packages(self, names, error_message_lines):
assert isinstance(names, list)
self.detect_pkgmgr()
self.command('rpm -qi {} > /dev/null'.format(' '.join(names)))
self.commands_on_predicate(
'[ "$?" -ne "0" ]',
['$PKGMGR install -y {}'.format(' '.join(names))]
)
self.exit_on_predicate(
'[ "$?" -ne "0" ]',
error_message_lines
)
def remove_package(self, name, error_message_lines):
# remove only supports one package name
assert ' ' not in name
self.detect_pkgmgr()
self.command('rpm -qi {} > /dev/null'.format(name))
self.commands_on_predicate(
'[ "$?" -eq "0" ]',
['$PKGMGR remove -y {} || exit 1'.format(name)]
)
self.exit_on_predicate(
'[ "$?" -ne "0" ]',
error_message_lines
)
@contextmanager
def unbranched_if(self, predicate):
with self._compound_statement(UnbranchedIfStatement, predicate):

80
ipaserver/advise/plugins/smart_card_auth.py
View File

@@ -105,6 +105,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
ssl_conf = paths.HTTPD_SSL_CONF
ssl_ocsp_directive = OCSP_DIRECTIVE
kdc_service_name = services.knownservices.krb5kdc.systemd_name
httpd_service_name = services.knownservices.httpd.systemd_name
def get_info(self):
self.log.exit_on_nonroot_euid()
@@ -117,6 +118,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
self.record_httpd_ocsp_status()
self.check_and_enable_pkinit()
self.enable_ok_to_auth_as_delegate_on_http_principal()
self.allow_httpd_ifp()
self.upload_smartcard_ca_certificates_to_systemwide_db()
self.install_smart_card_signing_ca_certs()
self.update_ipa_ca_certificate_store()
@@ -133,9 +135,10 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
self.log.comment('make sure bind-utils are installed so that we can '
'dig for ipa-ca records')
self.log.exit_on_failed_command(
'yum install -y bind-utils',
['Failed to install bind-utils'])
self.log.install_packages(
['bind-utils'],
['Failed to install bind-utils']
)
self.log.comment('make sure ipa-ca records are resolvable, '
'otherwise error out and instruct')
@@ -183,7 +186,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
def restart_httpd(self):
self.log.comment('finally restart apache')
self.log.command('systemctl restart httpd')
self.log.command(
'systemctl restart {}'.format(self.httpd_service_name)
)
def record_httpd_ocsp_status(self):
self.log.comment('store the OCSP upgrade state')
@@ -214,6 +219,21 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
)
def allow_httpd_ifp(self):
self.log.comment('Allow Apache to access SSSD IFP')
self.log.exit_on_failed_command(
'{} -c "import SSSDConfig; '
'from ipaclient.install.client import sssd_enable_ifp; '
'from ipaplatform.paths import paths; '
'c = SSSDConfig.SSSDConfig(); '
'c.import_config(); '
'sssd_enable_ifp(c, allow_httpd=True); '
'c.write(paths.SSSD_CONF)"'.format(sys.executable),
['Failed to modify SSSD config']
)
self.log.comment('Restart sssd')
self.log.command('systemctl restart sssd')
def restart_kdc(self):
self.log.exit_on_failed_command(
'systemctl restart {}'.format(self.kdc_service_name),
@@ -253,26 +273,23 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
self.restart_sssd()
def check_and_remove_pam_pkcs11(self):
self.log.command('rpm -qi pam_pkcs11 > /dev/null')
self.log.commands_on_predicate(
'[ "$?" -eq "0" ]',
[
'yum remove -y pam_pkcs11'
]
self.log.remove_package(
'pam_pkcs11',
['Could not remove pam_pkcs11 package']
)
def install_opensc_and_dconf_packages(self):
self.log.comment(
'authconfig often complains about missing dconf, '
'install it explicitly')
self.log.exit_on_failed_command(
'yum install -y {} dconf'.format(self.opensc_module_name.lower()),
self.log.install_packages(
[self.opensc_module_name.lower(), 'dconf'],
['Could not install OpenSC package']
)
def install_krb5_client_dependencies(self):
self.log.exit_on_failed_command(
'yum install -y krb5-pkinit-openssl',
self.log.install_packages(
['krb5-pkinit-openssl'],
['Failed to install Kerberos client PKINIT extensions.']
)
@@ -302,8 +319,20 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
)
def run_authselect_to_configure_smart_card_auth(self):
# In order to be compatible with all clients, we check first
# if the client supports authselect.
# Otherwise authconfig will be used.
self.log.comment('Use either authselect or authconfig to enable '
'Smart Card authentication')
self.log.commands_on_predicate(
'[ -f {} ]'.format(paths.AUTHSELECT),
['AUTHCMD="authselect enable-feature with-smartcard"'],
['AUTHCMD="authconfig --enablesssd --enablesssdauth '
'--enablesmartcard --smartcardmodule=sssd --smartcardaction=1 '
'--updateall"']
)
self.log.exit_on_failed_command(
'authselect enable-feature with-smartcard',
'$AUTHCMD',
[
'Failed to configure Smart Card authentication in SSSD'
]
@@ -311,11 +340,22 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
def configure_pam_cert_auth(self):
self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
self.log.command(
"{} -c 'from SSSDConfig import SSSDConfig; "
"c = SSSDConfig(); c.import_config(); "
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
"c.write()'".format(sys.executable))
self.log.comment('This step is required only when authselect is used')
# If the advise command is run on RHEL7 or fedora but the client
# is rhel8, python3 executable may be in a different location
# Find the right python path first
self.log.command("python3 --version >/dev/null 2>&1")
self.log.commands_on_predicate(
'[ "$?" -eq 0 ]',
['PYTHON3CMD=python3'],
['PYTHON3CMD=/usr/libexec/platform-python']
)
self.log.commands_on_predicate(
'[ -f {} ]'.format(paths.AUTHSELECT),
["${PYTHON3CMD} -c 'from SSSDConfig import SSSDConfig; "
"c = SSSDConfig(); c.import_config(); "
"c.set(\"pam\", \"pam_cert_auth\", \"True\"); "
"c.write()'"])
def restart_sssd(self):
self.log.command('systemctl restart sssd.service')