websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.6.2

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ipaplatform/Makefile.am Normal file
View File

@@ -0,0 +1,12 @@
include $(top_srcdir)/Makefile.python.am
EXTRA_DIST = override.py.in
all-local: override.py
dist-hook: override.py
install-exec-local: override.py
override.py: override.py.in $(top_builddir)/$(CONFIG_STATUS)
$(AM_V_GEN)sed \
-e 's|@IPAPLATFORM[@]|$(IPAPLATFORM)|g' \
$< > $@

628
ipaplatform/Makefile.in Normal file
View File

@@ -0,0 +1,628 @@
# Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = ipaplatform
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/Makefile.python.am
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = $(pythondir)/$(pkgname)
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
pkgname = $(shell basename "$(abs_srcdir)")
@VERBOSE_MAKE_FALSE@VERBOSITY = "--quiet"
@VERBOSE_MAKE_TRUE@VERBOSITY = "--verbose"
WHEELDISTDIR = $(top_builddir)/dist/wheels
EXTRA_DIST = override.py.in
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/Makefile.python.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign ipaplatform/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign ipaplatform/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_srcdir)/Makefile.python.am $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$(top_distdir)" distdir="$(distdir)" \
dist-hook
check-am: all-am
check: check-am
all-am: Makefile all-local
installdirs:
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-exec-local
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-local
.MAKE: install-am install-strip
.PHONY: all all-am all-local check check-am clean clean-generic \
clean-libtool clean-local cscopelist-am ctags-am dist-hook \
distclean distclean-generic distclean-libtool distdir dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-dvi install-dvi-am \
install-exec install-exec-am install-exec-local install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags-am uninstall uninstall-am uninstall-local
.PRECIOUS: Makefile
# hack to handle back-in-the-hierarchy depedency on ipasetup.py
.PHONY: $(top_builddir)/ipasetup.py
$(top_builddir)/ipasetup.py:
(cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py)
all-local: $(top_builddir)/ipasetup.py
cd $(srcdir); $(PYTHON) setup.py \
$(VERBOSITY) \
build \
--build-base "$(abs_builddir)/build"
install-exec-local: $(top_builddir)/ipasetup.py
if [ "x$(pkginstall)" != "xfalse" ]; then \
$(PYTHON) $(srcdir)/setup.py \
$(VERBOSITY) \
build \
--build-base "$(abs_builddir)/build" \
install \
--prefix "$(DESTDIR)$(prefix)" \
--single-version-externally-managed \
--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
--optimize 1 \
$(PYTHON_INSTALL_EXTRA_OPTIONS); \
fi
uninstall-local:
if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
fi
rm -rf "$(DESTDIR)$(pkgpythondir)"
clean-local: $(top_builddir)/ipasetup.py
$(PYTHON) "$(srcdir)/setup.py" \
clean \
--all
--build-base "$(abs_builddir)/build"
rm -rf "$(srcdir)/build" "$(srcdir)/dist" "$(srcdir)/MANIFEST"
find "$(srcdir)" \
-name "*.py[co]" -delete -o \
-name "__pycache__" -delete -o \
-name "*.egg-info" -exec rm -rf {} +
# take list of all Python source files and copy them into distdir
# SOURCES.txt does not contain directories so we need to create those
dist-hook: $(top_builddir)/ipasetup.py
$(PYTHON) "$(srcdir)/setup.py" egg_info
PYTHON_SOURCES=$$(cat "$(srcdir)/$(pkgname).egg-info/SOURCES.txt") || exit $$?; \
for FILEN in $${PYTHON_SOURCES}; \
do \
if test -x "$(srcdir)/$${FILEN}"; then MODE=755; else MODE=644; fi; \
$(INSTALL) -D -m $${MODE} "$(srcdir)/$${FILEN}" "$(distdir)/$${FILEN}" || exit $$?; \
done
.PHONY: bdist_wheel
bdist_wheel: $(top_builddir)/ipasetup.py
rm -rf $(WHEELDISTDIR)/$(pkgname)-*.whl
$(PYTHON) "$(srcdir)/setup.py" \
build \
--build-base "$(abs_builddir)/build" \
bdist_wheel \
--dist-dir=$(WHEELDISTDIR)
all-local: override.py
dist-hook: override.py
install-exec-local: override.py
override.py: override.py.in $(top_builddir)/$(CONFIG_STATUS)
$(AM_V_GEN)sed \
-e 's|@IPAPLATFORM[@]|$(IPAPLATFORM)|g' \
$< > $@
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

11
ipaplatform/__init__.py Normal file
View File

@@ -0,0 +1,11 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""ipaplatform namespace package
In the presence of a namespace package, any code in this module will be
ignore.
"""
__import__('pkg_resources').declare_namespace(__name__)
NAME = None # initialized by IpaMetaImporter

150
ipaplatform/_importhook.py Normal file
View File

@@ -0,0 +1,150 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""Meta import hook for ipaplatform.
Known Linux distros with /etc/os-release
----------------------------------------
- alpine
- centos (like rhel, fedora)
- debian
- fedora
- rhel
- ubuntu (like debian)
"""
import importlib
import io
import re
import sys
import warnings
import ipaplatform
try:
from ipaplatform.override import OVERRIDE
except ImportError:
OVERRIDE = None
_osrelease_line = re.compile(
u"^(?!#)(?P<name>[a-zA-Z0-9_]+)="
u"(?P<quote>[\"\']?)(?P<value>.+)(?P=quote)$"
)
class IpaMetaImporter(object):
"""Meta import hook and platform detector.
The meta import hook uses /etc/os-release to auto-detects the best
matching ipaplatform provider. It is compatible with external namespace
packages, too.
"""
modules = {
'ipaplatform.constants',
'ipaplatform.paths',
'ipaplatform.services',
'ipaplatform.tasks'
}
bsd_family = (
'freebsd',
'openbsd',
'netbsd',
'dragonfly',
'gnukfreebsd'
)
def __init__(self, override=OVERRIDE):
self.override = override
self.platform_ids = self._get_platform_ids(self.override)
self.platform = self._get_platform(self.platform_ids)
def _get_platform_ids(self, override):
platforms = []
# allow RPM and Debian packages to override platform
if override is not None:
platforms.append(override)
if sys.platform.startswith('linux'):
# Linux, get distribution from /etc/os-release
try:
platforms.extend(self._parse_osrelease())
except Exception as e:
warnings.warn("Failed to read /etc/os-release: {}".format(e))
elif sys.platform == 'win32':
# Windows 32 or 64bit platform
platforms.append('win32')
elif sys.platform == 'darwin':
# macOS
platforms.append('macos')
elif sys.platform.startswith(self.bsd_family):
# BSD family, look for e.g. ['freebsd10', 'freebsd']
platforms.append(sys.platform)
simple = sys.platform.rstrip('0123456789')
if simple != sys.platform:
platforms.append(simple)
if not platforms:
raise ValueError("Unsupported platform: {}".format(sys.platform))
return platforms
def _parse_osrelease(self, filename='/etc/os-release'):
release = {}
with io.open(filename, encoding='utf-8') as f:
for line in f:
mo = _osrelease_line.match(line)
if mo is not None:
release[mo.group('name')] = mo.group('value')
platforms = [
release['ID'],
]
if "ID_LIKE" in release:
platforms.extend(
v.strip() for v in release['ID_LIKE'].split(' ') if v.strip()
)
return platforms
def _get_platform(self, platform_ids):
for platform in platform_ids:
try:
importlib.import_module('ipaplatform.{}'.format(platform))
except ImportError:
pass
else:
return platform
raise ImportError('No ipaplatform available for "{}"'.format(
', '.join(platform_ids)))
def find_module(self, fullname, path=None):
"""Meta importer hook"""
if fullname in self.modules:
return self
return None
def load_module(self, fullname):
"""Meta importer hook"""
suffix = fullname.split('.', 1)[1]
alias = 'ipaplatform.{}.{}'.format(self.platform, suffix)
platform_mod = importlib.import_module(alias)
base_mod = sys.modules.get(fullname)
if base_mod is not None:
# module has been imported before, update its __dict__
base_mod.__dict__.update(platform_mod.__dict__)
for key in list(base_mod.__dict__):
if not hasattr(platform_mod, key):
delattr(base_mod, key)
else:
sys.modules[fullname] = platform_mod
return platform_mod
metaimporter = IpaMetaImporter()
sys.meta_path.insert(0, metaimporter)
fixup_module = metaimporter.load_module
ipaplatform.NAME = metaimporter.platform

23
ipaplatform/base/__init__.py Normal file
View File

@@ -0,0 +1,23 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module should contain generic default implementations and definitions
of all the objects that a platform module is expected to export.
'''

42
ipaplatform/base/constants.py Normal file
View File

@@ -0,0 +1,42 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This base platform module exports platform dependant constants.
'''
class BaseConstantsNamespace(object):
DS_USER = 'dirsrv'
DS_GROUP = 'dirsrv'
HTTPD_USER = "apache"
HTTPD_GROUP = "apache"
GSSPROXY_USER = "root"
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
KDCPROXY_USER = "kdcproxy"
NAMED_USER = "named"
NAMED_GROUP = "named"
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
# ntpd init variable used for daemon options
NTPD_OPTS_VAR = "OPTIONS"
# quote used for daemon options
NTPD_OPTS_QUOTE = "\""
ODS_USER = "ods"
ODS_GROUP = "ods"
# nfsd init variable used to enable kerberized NFS
SECURE_NFS_VAR = "SECURE_NFS"
SELINUX_BOOLEAN_ADTRUST = {
'samba_portmapper': 'on',
}
SELINUX_BOOLEAN_HTTPD = {
'httpd_can_network_connect': 'on',
'httpd_manage_ipa': 'on',
'httpd_run_ipa': 'on',
'httpd_dbus_sssd': 'on',
}
SSSD_USER = "sssd"
constants = BaseConstantsNamespace()

362
ipaplatform/base/paths.py Normal file
View File

@@ -0,0 +1,362 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This base platform module exports default filesystem paths.
'''
class BasePathNamespace(object):
BASH = "/bin/bash"
BIN_HOSTNAMECTL = "/bin/hostnamectl"
LS = "/bin/ls"
SH = "/bin/sh"
SYSTEMCTL = "/bin/systemctl"
TAR = "/bin/tar"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_DIRSRV = "/etc/dirsrv"
DS_KEYTAB = "/etc/dirsrv/ds.keytab"
ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
ETC_FEDORA_RELEASE = "/etc/fedora-release"
GROUP = "/etc/group"
ETC_HOSTNAME = "/etc/hostname"
HOSTS = "/etc/hosts"
ETC_HTTPD_DIR = "/etc/httpd"
HTTPD_ALIAS_DIR = "/etc/httpd/alias"
OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"
HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf"
HTTPD_IPA_REWRITE_CONF = "/etc/httpd/conf.d/ipa-rewrite.conf"
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
IDMAPD_CONF = "/etc/idmapd.conf"
ETC_IPA = "/etc/ipa"
CONNCHECK_CCACHE = "/etc/ipa/.conncheck_ccache"
IPA_DNS_CCACHE = "/etc/ipa/.dns_ccache"
IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
IPA_CA_CRT = "/etc/ipa/ca.crt"
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt"
COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/"
KRB5_CONF = "/etc/krb5.conf"
KRB5_KEYTAB = "/etc/krb5.keytab"
LDAP_CONF = "/etc/ldap.conf"
LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
NAMED_CONF = "/etc/named.conf"
NAMED_VAR_DIR = "/var/named"
NAMED_KEYTAB = "/etc/named.keytab"
NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"
NAMED_ROOT_KEY = "/etc/named.root.key"
NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
NSLCD_CONF = "/etc/nslcd.conf"
NSS_LDAP_CONF = "/etc/nss_ldap.conf"
NSSWITCH_CONF = "/etc/nsswitch.conf"
NTP_CONF = "/etc/ntp.conf"
NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
ETC_OPENDNSSEC_DIR = "/etc/opendnssec"
OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml"
OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml"
OPENDNSSEC_ZONELIST_FILE = "/etc/opendnssec/zonelist.xml"
OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
PAM_LDAP_CONF = "/etc/pam_ldap.conf"
PASSWD = "/etc/passwd"
SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
NSS_DB_DIR = "/etc/pki/nssdb"
PKI_TOMCAT = "/etc/pki/pki-tomcat"
PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
ETC_REDHAT_RELEASE = "/etc/redhat-release"
RESOLV_CONF = "/etc/resolv.conf"
SAMBA_KEYTAB = "/etc/samba/samba.keytab"
SMB_CONF = "/etc/samba/smb.conf"
LIMITS_CONF = "/etc/security/limits.conf"
SSH_CONFIG_DIR = "/etc/ssh"
SSH_CONFIG = "/etc/ssh/ssh_config"
SSHD_CONFIG = "/etc/ssh/sshd_config"
SSSD_CONF = "/etc/sssd/sssd.conf"
SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
ETC_SYSCONFIG_DIR = "/etc/sysconfig"
ETC_SYSCONFIG_AUTHCONFIG = "/etc/sysconfig/authconfig"
SYSCONFIG_AUTOFS = "/etc/sysconfig/autofs"
SYSCONFIG_DIRSRV = "/etc/sysconfig/dirsrv"
SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/sysconfig/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/sysconfig/ipa-ods-exporter"
SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
SYSCONFIG_KRB5KDC_DIR = "/etc/sysconfig/krb5kdc"
SYSCONFIG_NAMED = "/etc/sysconfig/named"
SYSCONFIG_NFS = "/etc/sysconfig/nfs"
SYSCONFIG_NTPD = "/etc/sysconfig/ntpd"
SYSCONFIG_ODS = "/etc/sysconfig/ods"
SYSCONFIG_PKI = "/etc/sysconfig/pki"
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.service.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.service.d/ipa.conf"
SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
ETC_TMPFILESD_DIRSRV = "/etc/tmpfiles.d/dirsrv-%s.conf"
DNSSEC_TRUSTED_KEY = "/etc/trusted-key.key"
HOME_DIR = "/home"
PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"
ROOT_IPA_CACHE = "/root/.ipa_cache"
ROOT_PKI = "/root/.pki"
DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
RA_AGENT_PEM = "/var/lib/ipa/ra-agent.pem"
RA_AGENT_KEY = "/var/lib/ipa/ra-agent.key"
CACERT_P12 = "/root/cacert.p12"
ROOT_IPA_CSR = "/root/ipa.csr"
NAMED_PID = "/run/named/named.pid"
NOLOGIN = "/sbin/nologin"
SBIN_REBOOT = "/sbin/reboot"
SBIN_RESTORECON = "/sbin/restorecon"
SBIN_SERVICE = "/sbin/service"
TMP = "/tmp"
TMP_CA_P12 = "/tmp/ca.p12"
TMP_KRB5CC = "/tmp/krb5cc_%d"
USR_DIR = "/usr"
CERTMONGER_COMMAND_TEMPLATE = "/usr/libexec/ipa/certmonger/%s"
PKCS12EXPORT = "/usr/bin/PKCS12Export"
CERTUTIL = "/usr/bin/certutil"
CHROMIUM_BROWSER = "/usr/bin/chromium-browser"
FIREFOX = "/usr/bin/firefox"
GETCERT = "/usr/bin/getcert"
GPG = "/usr/bin/gpg"
GPG_AGENT = "/usr/bin/gpg-agent"
IPA_GETCERT = "/usr/bin/ipa-getcert"
KDESTROY = "/usr/bin/kdestroy"
KINIT = "/usr/bin/kinit"
BIN_KVNO = "/usr/bin/kvno"
LDAPMODIFY = "/usr/bin/ldapmodify"
LDAPPASSWD = "/usr/bin/ldappasswd"
MODUTIL = "/usr/bin/modutil"
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PK12UTIL = "/usr/bin/pk12util"
SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
SSLGET = "/usr/bin/sslget"
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
BIN_TIMEOUT = "/usr/bin/timeout"
UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
BIN_CURL = "/usr/bin/curl"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
LIB_FIREFOX = "/usr/lib/firefox"
LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
PAM_KRB5_SO = "/usr/lib/security/pam_krb5.so"
LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
LIB64_FIREFOX = "/usr/lib64/firefox"
LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
CERTMONGER_DOGTAG_SUBMIT = "/usr/libexec/certmonger/dogtag-submit"
IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard"
GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
IPA_HTTPD_KDCPROXY = "/usr/libexec/ipa/ipa-httpd-kdcproxy"
IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
HTTPD = "/usr/sbin/httpd"
IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"
SBIN_IPA_JOIN = "/usr/sbin/ipa-join"
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
NAMED = "/usr/sbin/named"
NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
NTPD = "/usr/sbin/ntpd"
PKIDESTROY = "/usr/sbin/pkidestroy"
PKISPAWN = "/usr/sbin/pkispawn"
PKI = "/usr/bin/pki"
REMOVE_DS_PL = "/usr/sbin/remove-ds.pl"
RESTORECON = "/usr/sbin/restorecon"
SELINUXENABLED = "/usr/sbin/selinuxenabled"
SETSEBOOL = "/usr/sbin/setsebool"
SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
SMBD = "/usr/sbin/smbd"
USERADD = "/usr/sbin/useradd"
USR_SHARE_IPA_DIR = "/usr/share/ipa/"
CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
IPA_HTML_DIR = "/usr/share/ipa/html"
CA_CRT = "/usr/share/ipa/html/ca.crt"
KRB_CON = "/usr/share/ipa/html/krb.con"
HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
NIS_ULDIF = "/usr/share/ipa/nis.uldif"
NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
UPDATES_DIR = "/usr/share/ipa/updates/"
DICT_WORDS = "/usr/share/dict/words"
CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/kerberos/krb5kdc/.k5."
CACERT_PEM = "/var/kerberos/krb5kdc/cacert.pem"
KRB5KDC_KADM5_ACL = "/var/kerberos/krb5kdc/kadm5.acl"
KRB5KDC_KADM5_KEYTAB = "/var/kerberos/krb5kdc/kadm5.keytab"
KRB5KDC_KDC_CONF = "/var/kerberos/krb5kdc/kdc.conf"
KDC_CERT = "/var/kerberos/krb5kdc/kdc.crt"
KDC_KEY = "/var/kerberos/krb5kdc/kdc.key"
VAR_LIB = "/var/lib"
AUTHCONFIG_LAST = "/var/lib/authconfig/last"
VAR_LIB_CERTMONGER_DIR = "/var/lib/certmonger"
CERTMONGER_CAS_DIR = "/var/lib/certmonger/cas/"
CERTMONGER_CAS_CA_RENEWAL = "/var/lib/certmonger/cas/ca_renewal"
CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
VAR_LIB_DIRSRV = "/var/lib/dirsrv"
DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE = "/var/lib/dirsrv/scripts-%s"
VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s"
SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s"
SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
VAR_LIB_IPA = "/var/lib/ipa"
IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
IPA_BACKUP_DIR = "/var/lib/ipa/backup"
IPA_DNSSEC_DIR = "/var/lib/ipa/dnssec"
IPA_KASP_DB_BACKUP = "/var/lib/ipa/ipa-kasp.db.backup"
DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
IPA_CA_CSR = "/var/lib/ipa/ca.csr"
PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"
SYSRESTORE = "/var/lib/ipa/sysrestore"
STATEFILE_DIR = "/var/lib/ipa/sysupgrade"
VAR_LIB_KDCPROXY = "/var/lib/kdcproxy"
VAR_LIB_PKI_DIR = "/var/lib/pki"
VAR_LIB_PKI_CA_ALIAS_DIR = "/var/lib/pki-ca/alias"
VAR_LIB_PKI_TOMCAT_DIR = "/var/lib/pki/pki-tomcat"
CA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12"
KRA_BACKUP_KEYS_P12 = "/var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12"
CA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
CASIGNEDLOGCERT_CFG = (
"/var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg")
KRA_CS_CFG_PATH = "/var/lib/pki/pki-tomcat/conf/kra/CS.cfg"
KRACERT_P12 = "/root/kracert.p12"
SAMBA_DIR = "/var/lib/samba/"
SSSD_DB = "/var/lib/sss/db"
SSSD_MC_GROUP = "/var/lib/sss/mc/group"
SSSD_MC_PASSWD = "/var/lib/sss/mc/passwd"
SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
VAR_LOG_AUDIT = "/var/log/audit/audit.log"
DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
VAR_LOG_HTTPD_DIR = "/var/log/httpd"
VAR_LOG_HTTPD_ERROR = "/var/log/httpd/error_log"
IPABACKUP_LOG = "/var/log/ipabackup.log"
IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log"
IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
IPARESTORE_LOG = "/var/log/iparestore.log"
IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
KADMIND_LOG = "/var/log/kadmind.log"
KRB5KDC_LOG = "/var/log/krb5kdc.log"
MESSAGES = "/var/log/messages"
VAR_LOG_PKI_DIR = "/var/log/pki/"
TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
TOMCAT_CA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/ca/archive"
TOMCAT_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/ca/signedAudit"
TOMCAT_KRA_DIR = "/var/log/pki/pki-tomcat/kra"
TOMCAT_KRA_ARCHIVE_DIR = "/var/log/pki/pki-tomcat/kra/archive"
TOMCAT_KRA_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/kra/signedAudit"
LOG_SECURE = "/var/log/secure"
VAR_LOG_SSSD_DIR = "/var/log/sssd"
NAMED_RUN = "/var/named/data/named.run"
VAR_OPENDNSSEC_DIR = "/var/opendnssec"
OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
IPA_CCACHES = "/var/run/ipa/ccaches"
HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache"
CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/ca-bundle.pem"
KDC_CA_BUNDLE_PEM = "/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
SVC_LIST_FILE = "/var/run/ipa/services.list"
KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
LDIF2DB = '/usr/sbin/ldif2db'
DB2LDIF = '/usr/sbin/db2ldif'
BAK2DB = '/usr/sbin/bak2db'
DB2BAK = '/usr/sbin/db2bak'
KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
CERTMONGER = '/usr/sbin/certmonger'
NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
IPA_CUSTODIA_KEYS = '/etc/ipa/custodia/server.keys'
IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
IF_INET6 = '/proc/net/if_inet6'
AUTHCONFIG = None
IPA_SERVER_UPGRADE = '/usr/sbin/ipa-server-upgrade'
paths = BasePathNamespace()

517
ipaplatform/base/services.py Normal file
View File

@@ -0,0 +1,517 @@
# Author: Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
'''
This base module contains default implementations of IPA interface for
interacting with system services.
'''
import os
import json
import time
import collections
import warnings
import six
from ipapython import ipautil
from ipaplatform.paths import paths
# Canonical names of services as IPA wants to see them. As we need to have
# *some* naming, set them as in Red Hat distributions. Actual implementation
# should make them available through knownservices.<name> and take care of
# re-mapping internally, if needed
wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname',
'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy']
# The common ports for these services. This is used to wait for the
# service to become available.
wellknownports = {
'dirsrv': [389], # only used if the incoming instance name is blank
'pki-tomcatd@pki-tomcat.service': [8080, 8443],
'pki-tomcat': [8080, 8443],
'pki-tomcatd': [8080, 8443], # used if the incoming instance name is blank
}
SERVICE_POLL_INTERVAL = 0.1 # seconds
class KnownServices(collections.Mapping):
"""
KnownServices is an abstract class factory that should give out instances
of well-known platform services. Actual implementation must create these
instances as its own attributes on first access (or instance creation)
and cache them.
"""
def __init__(self, d):
self.__d = d
def __getitem__(self, key):
return self.__d[key]
def __iter__(self):
return iter(self.__d)
def __len__(self):
return len(self.__d)
def __call__(self):
return six.itervalues(self.__d)
def __getattr__(self, name):
try:
return self.__d[name]
except KeyError:
raise AttributeError(name)
class PlatformService(object):
"""
PlatformService abstracts out external process running on the system
which is possible to administer (start, stop, check status, etc).
"""
def __init__(self, service_name, api=None):
# pylint: disable=ipa-forbidden-import
import ipalib # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
self.service_name = service_name
if api is not None:
self.api = api
else:
self.api = ipalib.api
warnings.warn(
"{s.__class__.__name__}('{s.service_name}', api=None) "
"is deprecated.".format(s=self),
RuntimeWarning, stacklevel=2)
def start(self, instance_name="", capture_output=True, wait=True,
update_service_list=True):
"""
When a service is started record the fact in a special file.
This allows ipactl stop to always stop all services that have
been started via ipa tools
"""
if not update_service_list:
return
svc_list = []
try:
with open(paths.SVC_LIST_FILE, 'r') as f:
svc_list = json.load(f)
except Exception:
# not fatal, may be the first service
pass
if self.service_name not in svc_list:
svc_list.append(self.service_name)
with open(paths.SVC_LIST_FILE, 'w') as f:
json.dump(svc_list, f)
return
def stop(self, instance_name="", capture_output=True,
update_service_list=True):
"""
When a service is stopped remove it from the service list file.
"""
if not update_service_list:
return
svc_list = []
try:
with open(paths.SVC_LIST_FILE, 'r') as f:
svc_list = json.load(f)
except Exception:
# not fatal, may be the first service
pass
while self.service_name in svc_list:
svc_list.remove(self.service_name)
with open(paths.SVC_LIST_FILE, 'w') as f:
json.dump(svc_list, f)
return
def reload_or_restart(self, instance_name="", capture_output=True,
wait=True):
return
def restart(self, instance_name="", capture_output=True, wait=True):
return
def is_running(self, instance_name="", wait=True):
return False
def is_installed(self):
return False
def is_enabled(self, instance_name=""):
return False
def is_masked(self, instance_name=""):
return False
def enable(self, instance_name=""):
return
def disable(self, instance_name=""):
return
def mask(self, instance_name=""):
return
def unmask(self, instance_name=""):
return
def install(self, instance_name=""):
return
def remove(self, instance_name=""):
return
class SystemdService(PlatformService):
SYSTEMD_SRV_TARGET = "%s.target.wants"
def __init__(self, service_name, systemd_name, api=None):
super(SystemdService, self).__init__(service_name, api=api)
self.systemd_name = systemd_name
self.lib_path = os.path.join(paths.LIB_SYSTEMD_SYSTEMD_DIR,
self.systemd_name)
self.lib_path_exists = None
def service_instance(self, instance_name, operation=None):
if self.lib_path_exists is None:
self.lib_path_exists = os.path.exists(self.lib_path)
elements = self.systemd_name.split("@")
# Make sure the correct DS instance is returned
if elements[0] == 'dirsrv' and not instance_name:
return ('dirsrv@%s.service'
% str(self.api.env.realm.replace('.', '-')))
# Short-cut: if there is already exact service name, return it
if self.lib_path_exists and instance_name:
if len(elements) == 1:
# service name is like pki-tomcatd.target or krb5kdc.service
return self.systemd_name
if len(elements) > 1 and elements[1][0] != '.':
# Service name is like pki-tomcatd@pki-tomcat.service
# and that file exists
return self.systemd_name
if len(elements) > 1:
# We have dynamic service
if instance_name:
# Instanciate dynamic service
return "%s@%s.service" % (elements[0], instance_name)
else:
# No instance name, try with target
tgt_name = "%s.target" % (elements[0])
srv_lib = os.path.join(paths.LIB_SYSTEMD_SYSTEMD_DIR, tgt_name)
if os.path.exists(srv_lib):
return tgt_name
return self.systemd_name
def parse_variables(self, text, separator=None):
"""
Parses 'systemctl show' output and returns a dict[variable]=value
Arguments: text -- 'systemctl show' output as string
separator -- optional (defaults to None), what separates
the key/value pairs in the text
"""
def splitter(x, separator=None):
if len(x) > 1:
y = x.split(separator)
return (y[0], y[-1])
return (None, None)
return dict(splitter(x, separator=separator) for x in text.split("\n"))
def wait_for_open_ports(self, instance_name=""):
"""
If this is a service we need to wait for do so.
"""
ports = None
if instance_name in wellknownports:
ports = wellknownports[instance_name]
else:
elements = self.systemd_name.split("@")
if elements[0] in wellknownports:
ports = wellknownports[elements[0]]
if ports:
ipautil.wait_for_open_ports('localhost', ports,
self.api.env.startup_timeout)
def stop(self, instance_name="", capture_output=True):
instance = self.service_instance(instance_name)
args = [paths.SYSTEMCTL, "stop", instance]
# The --ignore-dependencies switch is used to avoid possible
# deadlock during the shutdown transaction. For more details, see
# https://fedorahosted.org/freeipa/ticket/3729#comment:1 and
# https://bugzilla.redhat.com/show_bug.cgi?id=973331#c11
if instance == "ipa-otpd.socket":
args.append("--ignore-dependencies")
ipautil.run(args, skip_output=not capture_output)
update_service_list = getattr(self.api.env, 'context',
None) in ['ipactl', 'installer']
super(SystemdService, self).stop(
instance_name,
update_service_list=update_service_list)
def start(self, instance_name="", capture_output=True, wait=True):
ipautil.run([paths.SYSTEMCTL, "start",
self.service_instance(instance_name)],
skip_output=not capture_output)
update_service_list = getattr(self.api.env, 'context',
None) in ['ipactl', 'installer']
if wait and self.is_running(instance_name):
self.wait_for_open_ports(self.service_instance(instance_name))
super(SystemdService, self).start(
instance_name,
update_service_list=update_service_list)
def _restart_base(self, instance_name, operation, capture_output=True,
wait=False):
ipautil.run([paths.SYSTEMCTL, operation,
self.service_instance(instance_name)],
skip_output=not capture_output)
if wait and self.is_running(instance_name):
self.wait_for_open_ports(self.service_instance(instance_name))
def reload_or_restart(self, instance_name="", capture_output=True,
wait=True):
self._restart_base(instance_name, "reload-or-restart",
capture_output, wait)
def restart(self, instance_name="", capture_output=True, wait=True):
self._restart_base(instance_name, "restart",
capture_output, wait)
def is_running(self, instance_name="", wait=True):
instance = self.service_instance(instance_name, 'is-active')
while True:
try:
result = ipautil.run(
[paths.SYSTEMCTL, "is-active", instance],
capture_output=True
)
except ipautil.CalledProcessError as e:
if e.returncode == 3 and 'activating' in str(e.output):
time.sleep(SERVICE_POLL_INTERVAL)
continue
return False
else:
# activating
if result.returncode == 3 and 'activating' in result.output:
time.sleep(SERVICE_POLL_INTERVAL)
continue
# active
if result.returncode == 0:
return True
# not active
return False
def is_installed(self):
try:
result = ipautil.run(
[paths.SYSTEMCTL, "list-unit-files", "--full"],
capture_output=True)
if result.returncode != 0:
return False
else:
svar = self.parse_variables(result.output)
if not self.service_instance("") in svar:
# systemd doesn't show the service
return False
except ipautil.CalledProcessError:
return False
return True
def is_enabled(self, instance_name=""):
enabled = True
try:
result = ipautil.run(
[paths.SYSTEMCTL, "is-enabled",
self.service_instance(instance_name)])
if result.returncode != 0:
enabled = False
except ipautil.CalledProcessError:
enabled = False
return enabled
def is_masked(self, instance_name=""):
masked = False
try:
result = ipautil.run(
[paths.SYSTEMCTL, "is-enabled",
self.service_instance(instance_name)],
capture_output=True)
if result.returncode == 1 and result.output == 'masked':
masked = True
except ipautil.CalledProcessError:
pass
return masked
def enable(self, instance_name=""):
if self.lib_path_exists is None:
self.lib_path_exists = os.path.exists(self.lib_path)
elements = self.systemd_name.split("@")
l = len(elements)
if self.lib_path_exists and (l > 1 and elements[1][0] != '.'):
# There is explicit service unit supporting this instance,
# follow normal systemd enabler
self.__enable(instance_name)
return
if self.lib_path_exists and (l == 1):
# There is explicit service unit which does not support
# the instances, ignore instance
self.__enable()
return
if len(instance_name) > 0 and l > 1:
# New instance, we need to do following:
# 1. Make /etc/systemd/system/<service>.target.wants/
# if it is not there
# 2. Link /etc/systemd/system/<service>.target.wants/
# <service>@<instance_name>.service to
# /lib/systemd/system/<service>@.service
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
self.SYSTEMD_SRV_TARGET % (elements[0]))
srv_lnk = os.path.join(srv_tgt,
self.service_instance(instance_name))
try:
if not os.path.isdir(srv_tgt):
os.mkdir(srv_tgt)
os.chmod(srv_tgt, 0o755)
if os.path.exists(srv_lnk):
# Remove old link
os.unlink(srv_lnk)
if not os.path.exists(srv_lnk):
# object does not exist _or_ is a broken link
if not os.path.islink(srv_lnk):
# if it truly does not exist, make a link
os.symlink(self.lib_path, srv_lnk)
else:
# Link exists and it is broken, make new one
os.unlink(srv_lnk)
os.symlink(self.lib_path, srv_lnk)
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
except Exception:
pass
else:
self.__enable(instance_name)
def disable(self, instance_name=""):
elements = self.systemd_name.split("@")
if instance_name != "" and len(elements) > 1:
# Remove instance, we need to do following:
# Remove link from /etc/systemd/system/<service>.target.wants/
# <service>@<instance_name>.service
# to /lib/systemd/system/<service>@.service
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
self.SYSTEMD_SRV_TARGET % (elements[0]))
srv_lnk = os.path.join(srv_tgt,
self.service_instance(instance_name))
try:
if os.path.isdir(srv_tgt):
if os.path.islink(srv_lnk):
os.unlink(srv_lnk)
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"])
except Exception:
pass
else:
try:
ipautil.run([paths.SYSTEMCTL, "disable",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def mask(self, instance_name=""):
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR, self.service_instance(instance_name))
if os.path.exists(srv_tgt):
os.unlink(srv_tgt)
try:
ipautil.run([paths.SYSTEMCTL, "mask",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def unmask(self, instance_name=""):
try:
ipautil.run([paths.SYSTEMCTL, "unmask",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def __enable(self, instance_name=""):
try:
ipautil.run([paths.SYSTEMCTL, "enable",
self.service_instance(instance_name)])
except ipautil.CalledProcessError:
pass
def install(self):
self.enable()
def remove(self):
self.disable()
# Objects below are expected to be exported by platform module
def base_service_class_factory(name, api=None):
raise NotImplementedError
service = base_service_class_factory
knownservices = KnownServices({})
# System may support more time&date services. FreeIPA supports ntpd only, other
# services will be disabled during IPA installation
timedate_services = ['ntpd', 'chronyd']

227
ipaplatform/base/tasks.py Normal file
View File

@@ -0,0 +1,227 @@
# Authors:
# Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2011-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains default platform-specific implementations of system tasks.
'''
import logging
from pkg_resources import parse_version
from ipaplatform.paths import paths
from ipapython import ipautil
logger = logging.getLogger(__name__)
class BaseTaskNamespace(object):
def restore_context(self, filepath):
"""
Restore SELinux security context on the given filepath.
No return value expected.
"""
raise NotImplementedError()
def backup_hostname(self, fstore, statestore):
"""
Backs up the current hostname in the statestore (so that it can be
restored by the restore_hostname platform task).
No return value expected.
"""
raise NotImplementedError()
def reload_systemwide_ca_store(self):
"""
Reloads the systemwide CA store.
Returns True if the operation succeeded, False otherwise.
"""
raise NotImplementedError()
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
"""
Adds CA certificates from 'ca_certs' to the systemwide CA store
(if available on the platform).
Returns True if the operation succeeded, False otherwise.
"""
raise NotImplementedError()
def remove_ca_certs_from_systemwide_ca_store(self):
"""
Removes IPA CA certificates from the systemwide CA store
(if available on the platform).
Returns True if the operation succeeded, False otherwise.
"""
raise NotImplementedError()
def get_svc_list_file(self):
"""
Returns the path to the IPA service list file.
"""
return paths.SVC_LIST_FILE
def check_selinux_status(self):
"""
Checks if SELinux is available on the platform. If it is, this task
also makes sure that restorecon tool is available.
If SELinux is available, but restorcon tool is not installed, raises
an RuntimeError, which suggest installing the package containing
restorecon and rerunning the installation.
"""
raise NotImplementedError()
def check_ipv6_stack_enabled(self):
"""Check whether IPv6 kernel module is loaded"""
raise NotImplementedError()
def restore_hostname(self, fstore, statestore):
"""
Restores the original hostname as backed up in the
backup_hostname platform task.
"""
raise NotImplementedError()
def restore_pre_ipa_client_configuration(self, fstore, statestore,
was_sssd_installed,
was_sssd_configured):
"""
Restores the pre-ipa-client configuration that was modified by the
following platform tasks:
modify_nsswitch_pam_stack
modify_pam_to_use_krb5
"""
raise NotImplementedError()
def set_nisdomain(self, nisdomain):
"""
Sets the NIS domain name to 'nisdomain'.
"""
raise NotImplementedError()
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
"""
If sssd flag is true, configure pam and nsswtich so that SSSD is used
for retrieving user information and authentication.
Otherwise, configure pam and nsswitch to leverage pure LDAP.
"""
raise NotImplementedError()
def modify_pam_to_use_krb5(self, statestore):
"""
Configure pam stack to allow kerberos authentication.
"""
raise NotImplementedError()
def backup_auth_configuration(self, path):
"""
Create backup of access control configuration.
:param path: store the backup here. This will be passed to
restore_auth_configuration as well.
"""
raise NotImplementedError()
def restore_auth_configuration(self, path):
"""
Restore backup of access control configuration.
:param path: restore the backup from here.
"""
raise NotImplementedError()
def set_selinux_booleans(self, required_settings, backup_func=None):
"""Set the specified SELinux booleans
:param required_settings: A dictionary mapping the boolean names
to desired_values.
The desired value can be 'on' or 'off',
or None to leave the setting unchanged.
:param backup_func: A function called for each boolean with two
arguments: the name and the previous value
If SELinux is disabled, return False; on success returns True.
If setting the booleans fails,
an ipapython.errors.SetseboolError is raised.
"""
raise NotImplementedError()
@staticmethod
def parse_ipa_version(version):
"""
:param version: textual version
:return: object implementing proper __cmp__ method for version compare
"""
return parse_version(version)
def set_hostname(self, hostname):
"""
Set hostname for the system
No return value expected, raise CalledProcessError when error occurred
"""
raise NotImplementedError()
def configure_httpd_service_ipa_conf(self):
"""Configure httpd service to work with IPA"""
raise NotImplementedError()
def configure_http_gssproxy_conf(self, ipauser):
raise NotImplementedError()
def remove_httpd_service_ipa_conf(self):
"""Remove configuration of httpd service of IPA"""
raise NotImplementedError()
def is_fips_enabled(self):
return False
def add_user_to_group(self, user, group):
logger.debug('Adding user %s to group %s', user, group)
args = [paths.USERMOD, '-a', '-G', group, user]
try:
ipautil.run(args)
logger.debug('Done adding user to group')
except ipautil.CalledProcessError as e:
logger.debug('Failed to add user to group: %s', e)
tasks = BaseTaskNamespace()

8
ipaplatform/constants.py Normal file
View File

@@ -0,0 +1,8 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""IpaMetaImporter replaces this module with ipaplatform.$NAME.constants.
"""
import ipaplatform._importhook
ipaplatform._importhook.fixup_module('ipaplatform.constants')

7
ipaplatform/debian/__init__.py Normal file
View File

@@ -0,0 +1,7 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
This module contains Debian specific platform files.
"""

25
ipaplatform/debian/constants.py Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
'''
This Debian family platform module exports platform dependant constants.
'''
# Fallback to default path definitions
from ipaplatform.base.constants import BaseConstantsNamespace
class DebianConstantsNamespace(BaseConstantsNamespace):
HTTPD_USER = "www-data"
NAMED_USER = "bind"
NAMED_GROUP = "bind"
# ntpd init variable used for daemon options
NTPD_OPTS_VAR = "NTPD_OPTS"
# quote used for daemon options
NTPD_OPTS_QUOTE = "\'"
ODS_USER = "opendnssec"
ODS_GROUP = "opendnssec"
SECURE_NFS_VAR = "NEED_GSSD"
constants = DebianConstantsNamespace()

97
ipaplatform/debian/paths.py Normal file
View File

@@ -0,0 +1,97 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
This Debian base platform module exports default filesystem paths as common
in Debian-based systems.
"""
# Fallback to default path definitions
from ipaplatform.base.paths import BasePathNamespace
import sysconfig
MULTIARCH = sysconfig.get_config_var('MULTIARCH')
class DebianPathNamespace(BasePathNamespace):
BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_HTTPD_DIR = "/etc/apache2"
HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf"
HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
NAMED_CONF = "/etc/bind/named.conf"
NAMED_VAR_DIR = "/var/cache/bind"
NAMED_KEYTAB = "/etc/bind/named.keytab"
NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones"
NAMED_ROOT_KEY = "/etc/bind/bind.keys"
NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys"
NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
ETC_DEBIAN_VERSION = "/etc/debian_version"
IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt"
ETC_SYSCONFIG_DIR = "/etc/default"
SYSCONFIG_AUTOFS = "/etc/default/autofs"
SYSCONFIG_DIRSRV = "/etc/default/dirsrv"
SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd"
SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd"
SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter"
SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc"
SYSCONFIG_NAMED = "/etc/default/bind9"
SYSCONFIG_NFS = "/etc/default/nfs-common"
SYSCONFIG_NTPD = "/etc/default/ntp"
SYSCONFIG_ODS = "/etc/default/opendnssec"
SYSCONFIG_PKI = "/etc/dogtag/"
SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
SBIN_SERVICE = "/usr/sbin/service"
CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"
LIBSOFTHSM2_SO = "/usr/lib/softhsm/libsofthsm2.so"
PAM_KRB5_SO = "/usr/lib/{0}/security/pam_krb5.so".format(MULTIARCH)
LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit"
DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-renew-agent-submit"
CERTMONGER_DOGTAG_SUBMIT = "/usr/lib/certmonger/dogtag-submit"
IPA_SERVER_GUARD = "/usr/lib/certmonger/ipa-server-guard"
GENERATE_RNDC_KEY = "/bin/true"
IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
HTTPD = "/usr/sbin/apache2ctl"
REMOVE_DS_PL = "/usr/sbin/remove-ds"
SETUP_DS_PL = "/usr/sbin/setup-ds"
VAR_KERBEROS_KRB5KDC_DIR = "/var/lib/krb5kdc/"
VAR_KRB5KDC_K5_REALM = "/var/lib/krb5kdc/.k5."
CACERT_PEM = "/var/lib/krb5kdc/cacert.pem"
KRB5KDC_KADM5_ACL = "/etc/krb5kdc/kadm5.acl"
KRB5KDC_KADM5_KEYTAB = "/etc/krb5kdc/kadm5.keytab"
KRB5KDC_KDC_CONF = "/etc/krb5kdc/kdc.conf"
KDC_CERT = "/var/lib/krb5kdc/kdc.crt"
KDC_KEY = "/var/lib/krb5kdc/kdc.key"
VAR_LOG_HTTPD_DIR = "/var/log/apache2"
VAR_LOG_HTTPD_ERROR = "/var/log/apache2/error.log"
NAMED_RUN = "/var/cache/bind/named.run"
VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
paths = DebianPathNamespace()

182
ipaplatform/debian/services.py Normal file
View File

@@ -0,0 +1,182 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
Contains Debian-specific service class implementations.
"""
from ipaplatform.base import services as base_services
from ipaplatform.redhat import services as redhat_services
from ipapython import ipautil
from ipaplatform.paths import paths
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
debian_system_units = redhat_services.redhat_system_units.copy()
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
debian_system_units['httpd'] = 'apache2.service'
debian_system_units['kadmin'] = 'krb5-admin-server.service'
debian_system_units['krb5kdc'] = 'krb5-kdc.service'
debian_system_units['named-regular'] = 'bind9.service'
debian_system_units['named-pkcs11'] = 'bind9-pkcs11.service'
debian_system_units['named'] = debian_system_units['named-pkcs11']
debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
debian_system_units['ods-enforcerd'] = 'opendnssec-enforcer.service'
debian_system_units['ods_enforcerd'] = debian_system_units['ods-enforcerd']
debian_system_units['ods-signerd'] = 'opendnssec-signer.service'
debian_system_units['ods_signerd'] = debian_system_units['ods-signerd']
debian_system_units['rpcgssd'] = 'rpc-gssd.service'
debian_system_units['rpcidmapd'] = 'nfs-idmapd.service'
debian_system_units['smb'] = 'smbd.service'
# Service classes that implement Debian family-specific behaviour
class DebianService(redhat_services.RedHatService):
system_units = debian_system_units
class DebianSysvService(base_services.PlatformService):
def __wait_for_open_ports(self, instance_name=""):
"""
If this is a service we need to wait for do so.
"""
ports = None
if instance_name in base_services.wellknownports:
ports = base_services.wellknownports[instance_name]
else:
if self.service_name in base_services.wellknownports:
ports = base_services.wellknownports[self.service_name]
if ports:
ipautil.wait_for_open_ports('localhost', ports, self.api.env.startup_timeout)
def stop(self, instance_name='', capture_output=True):
ipautil.run([paths.SBIN_SERVICE, self.service_name, "stop",
instance_name], capture_output=capture_output)
super(DebianSysvService, self).stop(instance_name)
def start(self, instance_name='', capture_output=True, wait=True):
ipautil.run([paths.SBIN_SERVICE, self.service_name, "start",
instance_name], capture_output=capture_output)
if wait and self.is_running(instance_name):
self.__wait_for_open_ports(instance_name)
super(DebianSysvService, self).start(instance_name)
def restart(self, instance_name='', capture_output=True, wait=True):
ipautil.run([paths.SBIN_SERVICE, self.service_name, "restart",
instance_name], capture_output=capture_output)
if wait and self.is_running(instance_name):
self.__wait_for_open_ports(instance_name)
def is_running(self, instance_name="", wait=True):
ret = True
try:
result = ipautil.run([paths.SBIN_SERVICE,
self.service_name, "status",
instance_name],
capture_output=True)
sout = result.output
if sout.find("NOT running") >= 0:
ret = False
if sout.find("stop") >= 0:
ret = False
if sout.find("inactive") >= 0:
ret = False
except ipautil.CalledProcessError:
ret = False
return ret
def is_installed(self):
installed = True
try:
ipautil.run([paths.SBIN_SERVICE, self.service_name, "status"])
except ipautil.CalledProcessError as e:
if e.returncode == 1:
# service is not installed or there is other serious issue
installed = False
return installed
@staticmethod
def is_enabled(instance_name=""):
# Services are always assumed to be enabled when installed
return True
@staticmethod
def enable():
return True
@staticmethod
def disable():
return True
@staticmethod
def install():
return True
@staticmethod
def remove():
return True
# For services which have no Debian counterpart
class DebianNoService(base_services.PlatformService):
@staticmethod
def start():
return True
@staticmethod
def stop():
return True
@staticmethod
def restart():
return True
@staticmethod
def disable():
return True
# Function that constructs proper Debian-specific server classes for services
# of specified name
def debian_service_class_factory(name, api=None):
if name == 'dirsrv':
return redhat_services.RedHatDirectoryService(name, api)
if name == 'domainname':
return DebianNoService(name, api)
if name == 'ipa':
return redhat_services.RedHatIPAService(name, api)
if name == 'messagebus':
return DebianNoService(name, api)
if name == 'ntpd':
return DebianSysvService("ntp", api)
return DebianService(name, api)
# Magicdict containing DebianService instances.
class DebianServices(base_services.KnownServices):
def __init__(self):
# pylint: disable=ipa-forbidden-import
import ipalib # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
services = dict()
for s in base_services.wellknownservices:
services[s] = self.service_class_factory(s, ipalib.api)
# Call base class constructor. This will lock services to read-only
super(DebianServices, self).__init__(services)
@staticmethod
def service_class_factory(name, api=None):
return debian_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = base_services.timedate_services
service = debian_service_class_factory
knownservices = DebianServices()

50
ipaplatform/debian/tasks.py Normal file
View File

@@ -0,0 +1,50 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""
This module contains default Debian-specific implementations of system tasks.
"""
from ipaplatform.base.tasks import BaseTaskNamespace
from ipaplatform.redhat.tasks import RedHatTaskNamespace
class DebianTaskNamespace(RedHatTaskNamespace):
@staticmethod
def restore_pre_ipa_client_configuration(fstore, statestore,
was_sssd_installed,
was_sssd_configured):
# Debian doesn't use authconfig, nothing to restore
return True
@staticmethod
def set_nisdomain(nisdomain):
# Debian doesn't use authconfig, nothing to set
return True
@staticmethod
def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
# Debian doesn't use authconfig, this is handled by pam-auth-update
return True
@staticmethod
def modify_pam_to_use_krb5(statestore):
# Debian doesn't use authconfig, this is handled by pam-auth-update
return True
@staticmethod
def backup_auth_configuration(path):
# Debian doesn't use authconfig, nothing to backup
return True
@staticmethod
def restore_auth_configuration(path):
# Debian doesn't use authconfig, nothing to restore
return True
@staticmethod
def parse_ipa_version(version):
return BaseTaskNamespace.parse_ipa_version(version)
tasks = DebianTaskNamespace()

23
ipaplatform/fedora/__init__.py Normal file
View File

@@ -0,0 +1,23 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains Fedora specific platform files.
'''
NAME = 'fedora'

16
ipaplatform/fedora/constants.py Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This Fedora base platform module exports platform related constants.
'''
# Fallback to default constant definitions
from ipaplatform.redhat.constants import RedHatConstantsNamespace
class FedoraConstantsNamespace(RedHatConstantsNamespace):
pass
constants = FedoraConstantsNamespace()

33
ipaplatform/fedora/paths.py Normal file
View File

@@ -0,0 +1,33 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This Fedora base platform module exports default filesystem paths as common
in Fedora-based systems.
'''
# Fallback to default path definitions
from ipaplatform.redhat.paths import RedHatPathNamespace
class FedoraPathNamespace(RedHatPathNamespace):
pass
paths = FedoraPathNamespace()

61
ipaplatform/fedora/services.py Normal file
View File

@@ -0,0 +1,61 @@
# Author: Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2011-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""
Contains Fedora-specific service class implementations.
"""
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
# Service that sets domainname on Fedora is called fedora-domainname.service
fedora_system_units['domainname'] = 'fedora-domainname.service'
# Service classes that implement Fedora-specific behaviour
class FedoraService(redhat_services.RedHatService):
system_units = fedora_system_units
# Function that constructs proper Fedora-specific server classes for services
# of specified name
def fedora_service_class_factory(name, api=None):
if name == 'domainname':
return FedoraService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
# Magicdict containing FedoraService instances.
class FedoraServices(redhat_services.RedHatServices):
def service_class_factory(self, name, api=None):
return fedora_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = redhat_services.timedate_services
service = fedora_service_class_factory
knownservices = FedoraServices()

33
ipaplatform/fedora/tasks.py Normal file
View File

@@ -0,0 +1,33 @@
# Authors: Simo Sorce <ssorce@redhat.com>
# Alexander Bokovoy <abokovoy@redhat.com>
# Martin Kosek <mkosek@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2007-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains default Fedora-specific implementations of system tasks.
'''
from ipaplatform.redhat.tasks import RedHatTaskNamespace
class FedoraTaskNamespace(RedHatTaskNamespace):
pass
tasks = FedoraTaskNamespace()

31
ipaplatform/ipaplatform.egg-info/PKG-INFO Normal file
View File

@@ -0,0 +1,31 @@
Metadata-Version: 1.2
Name: ipaplatform
Version: 4.6.2
Summary: FreeIPA platform
Home-page: http://www.freeipa.org/
Author: FreeIPA Developers
Author-email: freeipa-devel@redhat.com
License: GPLv3
Download-URL: http://www.freeipa.org/page/Downloads
Description: FreeIPA platform
Platform: Linux
Platform: Solaris
Platform: Unix
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Classifier: Programming Language :: C
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Operating System :: POSIX
Classifier: Operating System :: POSIX :: Linux
Classifier: Operating System :: Unix
Classifier: Topic :: Internet :: Name Service (DNS)
Classifier: Topic :: Security
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP
Requires-Python: >=2.7.5,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*

41
ipaplatform/ipaplatform.egg-info/SOURCES.txt Normal file
View File

@@ -0,0 +1,41 @@
__init__.py
_importhook.py
constants.py
override.py
paths.py
services.py
setup.cfg
setup.py
tasks.py
base/__init__.py
base/constants.py
base/paths.py
base/services.py
base/tasks.py
debian/__init__.py
debian/constants.py
debian/paths.py
debian/services.py
debian/tasks.py
fedora/__init__.py
fedora/constants.py
fedora/paths.py
fedora/services.py
fedora/tasks.py
ipaplatform.egg-info/PKG-INFO
ipaplatform.egg-info/SOURCES.txt
ipaplatform.egg-info/dependency_links.txt
ipaplatform.egg-info/namespace_packages.txt
ipaplatform.egg-info/requires.txt
ipaplatform.egg-info/top_level.txt
redhat/__init__.py
redhat/authconfig.py
redhat/constants.py
redhat/paths.py
redhat/services.py
redhat/tasks.py
rhel/__init__.py
rhel/constants.py
rhel/paths.py
rhel/services.py
rhel/tasks.py

1
ipaplatform/ipaplatform.egg-info/dependency_links.txt Normal file
View File

@@ -0,0 +1 @@

1
ipaplatform/ipaplatform.egg-info/namespace_packages.txt Normal file
View File

@@ -0,0 +1 @@
ipaplatform

4
ipaplatform/ipaplatform.egg-info/requires.txt Normal file
View File

@@ -0,0 +1,4 @@
cffi
ipapython==4.6.2
pyasn1
six

1
ipaplatform/ipaplatform.egg-info/top_level.txt Normal file
View File

@@ -0,0 +1 @@
ipaplatform

1
ipaplatform/override.py Normal file
View File

@@ -0,0 +1 @@
OVERRIDE = 'fedora'

1
ipaplatform/override.py.in Normal file
View File

@@ -0,0 +1 @@
OVERRIDE = '@IPAPLATFORM@'

8
ipaplatform/paths.py Normal file
View File

@@ -0,0 +1,8 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""IpaMetaImporter replaces this module with ipaplatform.$NAME.paths.
"""
import ipaplatform._importhook
ipaplatform._importhook.fixup_module('ipaplatform.paths')

22
ipaplatform/redhat/__init__.py Normal file
View File

@@ -0,0 +1,22 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains Red Hat OS family specific platform files.
'''

116
ipaplatform/redhat/authconfig.py Normal file
View File

@@ -0,0 +1,116 @@
# Authors: Simo Sorce <ssorce@redhat.com>
# Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2007-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipaplatform.paths import paths
from ipapython import ipautil
from ipapython.admintool import ScriptError
import os
FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
class RedHatAuthConfig(object):
"""
AuthConfig class implements system-independent interface to configure
system authentication resources. In Red Hat systems this is done with
authconfig(8) utility.
AuthConfig class is nothing more than a tool to gather configuration
options and execute their processing. These options then converted by
an actual implementation to series of a system calls to appropriate
utilities performing real configuration.
If you need to re-use existing AuthConfig instance for multiple runs,
make sure to call 'AuthConfig.reset()' between the runs.
"""
def __init__(self):
self.parameters = {}
def enable(self, option):
self.parameters[option] = True
return self
def disable(self, option):
self.parameters[option] = False
return self
def add_option(self, option):
self.parameters[option] = None
return self
def add_parameter(self, option, value):
self.parameters[option] = [value]
return self
def reset(self):
self.parameters = {}
return self
def build_args(self):
args = []
for (option, value) in self.parameters.items():
if type(value) is bool:
if value:
args.append("--enable%s" % (option))
else:
args.append("--disable%s" % (option))
elif type(value) in (tuple, list):
args.append("--%s" % (option))
args.append("%s" % (value[0]))
elif value is None:
args.append("--%s" % (option))
else:
args.append("--%s%s" % (option, value))
return args
def execute(self, update=True):
if update:
self.add_option("update")
args = self.build_args()
try:
ipautil.run([paths.AUTHCONFIG] + args)
except ipautil.CalledProcessError:
raise ScriptError("Failed to execute authconfig command")
def backup(self, path):
try:
ipautil.run([paths.AUTHCONFIG, "--savebackup", path])
except ipautil.CalledProcessError:
raise ScriptError("Failed to execute authconfig command")
# do not backup these files since we don't want to mess with
# users/groups during restore. Authconfig doesn't seem to mind about
# having them deleted from backup dir
files_to_remove = [os.path.join(path, f) for f in FILES_TO_NOT_BACKUP]
for filename in files_to_remove:
try:
os.remove(filename)
except OSError:
pass
def restore(self, path):
try:
ipautil.run([paths.AUTHCONFIG, "--restorebackup", path])
except ipautil.CalledProcessError:
raise ScriptError("Failed to execute authconfig command")

17
ipaplatform/redhat/constants.py Normal file
View File

@@ -0,0 +1,17 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This Red Hat OS family base platform module exports default platform
related constants for the Red Hat OS family-based systems.
'''
# Fallback to default path definitions
from ipaplatform.base.constants import BaseConstantsNamespace
class RedHatConstantsNamespace(BaseConstantsNamespace):
pass
constants = RedHatConstantsNamespace()

40
ipaplatform/redhat/paths.py Normal file
View File

@@ -0,0 +1,40 @@
# Authors:
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This Red Hat OS family base platform module exports default filesystem paths as
common in Red Hat OS family-based systems.
'''
import sys
# Fallback to default path definitions
from ipaplatform.base.paths import BasePathNamespace
class RedHatPathNamespace(BasePathNamespace):
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64
AUTHCONFIG = '/usr/sbin/authconfig'
paths = RedHatPathNamespace()

249
ipaplatform/redhat/services.py Normal file
View File

@@ -0,0 +1,249 @@
# Author: Alexander Bokovoy <abokovoy@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2011-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""
Contains Red Hat OS family-specific service class implementations.
"""
import logging
import os
import time
import contextlib
from ipaplatform.base import services as base_services
from ipapython import ipautil, dogtag
from ipaplatform.paths import paths
logger = logging.getLogger(__name__)
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
# For beginning just remap names to add .service
# As more services will migrate to systemd, unit names will deviate and
# mapping will be kept in this dictionary
redhat_system_units = dict((x, "%s.service" % x)
for x in base_services.wellknownservices)
redhat_system_units['rpcgssd'] = 'nfs-secure.service'
redhat_system_units['rpcidmapd'] = 'nfs-idmap.service'
# Rewrite dirsrv and pki-tomcatd services as they support instances via separate
# service generator. To make this working, one needs to have both foo@.servic
# and foo.target -- the latter is used when request should be coming for
# all instances (like stop). systemd, unfortunately, does not allow one
# to request action for all service instances at once if only foo@.service
# unit is available. To add more, if any of those services need to be
# started/stopped automagically, one needs to manually create symlinks in
# /etc/systemd/system/foo.target.wants/ (look into systemd.py's enable()
# code).
redhat_system_units['dirsrv'] = 'dirsrv@.service'
# Our PKI instance is pki-tomcatd@pki-tomcat.service
redhat_system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
redhat_system_units['pki_tomcatd'] = redhat_system_units['pki-tomcatd']
redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
redhat_system_units['gssproxy'] = 'gssproxy.service'
# Service classes that implement Red Hat OS family-specific behaviour
class RedHatService(base_services.SystemdService):
system_units = redhat_system_units
def __init__(self, service_name, api=None):
systemd_name = service_name
if service_name in self.system_units:
systemd_name = self.system_units[service_name]
else:
if '.' not in service_name:
# if service_name does not have a dot, it is not foo.service
# and not a foo.target. Thus, not correct service name for
# systemd, default to foo.service style then
systemd_name = "%s.service" % (service_name)
super(RedHatService, self).__init__(service_name, systemd_name, api)
class RedHatDirectoryService(RedHatService):
def is_installed(self, instance_name):
file_path = "{}/{}-{}".format(paths.ETC_DIRSRV, "slapd", instance_name)
return os.path.exists(file_path)
def restart(self, instance_name="", capture_output=True, wait=True,
ldapi=False):
# We need to explicitly enable instances to install proper symlinks as
# dirsrv.target.wants/ dependencies. Standard systemd service class does it
# on enable() method call. Unfortunately, ipa-server-install does not do
# explicit dirsrv.enable() because the service startup is handled by ipactl.
#
# If we wouldn't do this, our instances will not be started as systemd would
# not have any clue about instances (PKI-IPA and the domain we serve)
# at all. Thus, hook into dirsrv.restart().
if instance_name:
elements = self.systemd_name.split("@")
srv_etc = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
self.systemd_name)
srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR,
self.SYSTEMD_SRV_TARGET % (elements[0]))
srv_lnk = os.path.join(srv_tgt,
self.service_instance(instance_name))
if not os.path.exists(srv_etc):
self.enable(instance_name)
elif not os.path.samefile(srv_etc, srv_lnk):
os.unlink(srv_lnk)
os.symlink(srv_etc, srv_lnk)
with self.__wait(instance_name, wait, ldapi) as wait:
super(RedHatDirectoryService, self).restart(
instance_name, capture_output=capture_output, wait=wait)
def start(self, instance_name="", capture_output=True, wait=True,
ldapi=False):
with self.__wait(instance_name, wait, ldapi) as wait:
super(RedHatDirectoryService, self).start(
instance_name, capture_output=capture_output, wait=wait)
@contextlib.contextmanager
def __wait(self, instance_name, wait, ldapi):
if ldapi:
instance_name = self.service_instance(instance_name)
if instance_name.endswith('.service'):
instance_name = instance_name[:-8]
if instance_name.startswith('dirsrv'):
# this is intentional, return the empty string if the instance
# name is 'dirsrv'
instance_name = instance_name[7:]
if not instance_name:
ldapi = False
if ldapi:
yield False
socket_name = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % instance_name
ipautil.wait_for_open_socket(socket_name,
self.api.env.startup_timeout)
else:
yield wait
class RedHatIPAService(RedHatService):
# Enforce restart of IPA services when we do enable it
# This gets around the fact that after ipa-server-install systemd thinks
# ipa.service is not yet started but all services were actually started
# already.
def enable(self, instance_name=""):
super(RedHatIPAService, self).enable(instance_name)
self.restart(instance_name)
class RedHatCAService(RedHatService):
def wait_until_running(self):
logger.debug('Waiting until the CA is running')
timeout = float(self.api.env.startup_timeout)
op_timeout = time.time() + timeout
while time.time() < op_timeout:
try:
# check status of CA instance on this host, not remote ca_host
status = dogtag.ca_status(self.api.env.host)
except Exception as e:
status = 'check interrupted due to error: %s' % e
logger.debug('The CA status is: %s', status)
if status == 'running':
break
logger.debug('Waiting for CA to start...')
time.sleep(1)
else:
raise RuntimeError('CA did not start in %ss' % timeout)
def start(self, instance_name="", capture_output=True, wait=True):
super(RedHatCAService, self).start(
instance_name, capture_output=capture_output, wait=wait)
if wait:
self.wait_until_running()
def restart(self, instance_name="", capture_output=True, wait=True):
super(RedHatCAService, self).restart(
instance_name, capture_output=capture_output, wait=wait)
if wait:
self.wait_until_running()
def is_running(self, instance_name="", wait=True):
if instance_name:
return super(RedHatCAService, self).is_running(instance_name)
try:
status = dogtag.ca_status()
if status == 'running':
return True
elif status == 'starting' and wait:
# Exception is raised if status is 'starting' even after wait
self.wait_until_running()
return True
except Exception as e:
logger.debug(
'Failed to check CA status: %s', e
)
return False
# Function that constructs proper Red Hat OS family-specific server classes for
# services of specified name
def redhat_service_class_factory(name, api=None):
if name == 'dirsrv':
return RedHatDirectoryService(name, api)
if name == 'ipa':
return RedHatIPAService(name, api)
if name in ('pki-tomcatd', 'pki_tomcatd'):
return RedHatCAService(name, api)
return RedHatService(name, api)
# Magicdict containing RedHatService instances.
class RedHatServices(base_services.KnownServices):
def __init__(self):
# pylint: disable=ipa-forbidden-import
import ipalib # FixMe: break import cycle
# pylint: enable=ipa-forbidden-import
services = dict()
for s in base_services.wellknownservices:
services[s] = self.service_class_factory(s, ipalib.api)
# Call base class constructor. This will lock services to read-only
super(RedHatServices, self).__init__(services)
def service_class_factory(self, name, api=None):
return redhat_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = base_services.timedate_services
service = redhat_service_class_factory
knownservices = RedHatServices()

524
ipaplatform/redhat/tasks.py Normal file
View File

@@ -0,0 +1,524 @@
# Authors: Simo Sorce <ssorce@redhat.com>
# Alexander Bokovoy <abokovoy@redhat.com>
# Martin Kosek <mkosek@redhat.com>
# Tomas Babej <tbabej@redhat.com>
#
# Copyright (C) 2007-2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains default Red Hat OS family-specific implementations of
system tasks.
'''
from __future__ import print_function
import logging
import os
import socket
import traceback
import errno
from ctypes.util import find_library
from functools import total_ordering
from subprocess import CalledProcessError
from cffi import FFI
from pyasn1.error import PyAsn1Error
from six.moves import urllib
from ipapython import ipautil
import ipapython.errors
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform.redhat.authconfig import RedHatAuthConfig
from ipaplatform.base.tasks import BaseTaskNamespace
logger = logging.getLogger(__name__)
_ffi = FFI()
_ffi.cdef("""
int rpmvercmp (const char *a, const char *b);
""")
# use ctypes loader to get correct librpm.so library version according to
# https://cffi.readthedocs.org/en/latest/overview.html#id8
_librpm = _ffi.dlopen(find_library("rpm"))
def selinux_enabled():
"""
Check if SELinux is enabled.
"""
if os.path.exists(paths.SELINUXENABLED):
try:
ipautil.run([paths.SELINUXENABLED])
return True
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
return False
else:
# No selinuxenabled, no SELinux
return False
@total_ordering
class IPAVersion(object):
def __init__(self, version):
self._version = version
self._bytes = version.encode('utf-8')
@property
def version(self):
return self._version
def __eq__(self, other):
if not isinstance(other, IPAVersion):
return NotImplemented
return _librpm.rpmvercmp(self._bytes, other._bytes) == 0
def __lt__(self, other):
if not isinstance(other, IPAVersion):
return NotImplemented
return _librpm.rpmvercmp(self._bytes, other._bytes) < 0
def __hash__(self):
return hash(self._version)
class RedHatTaskNamespace(BaseTaskNamespace):
def restore_context(self, filepath, restorecon=paths.SBIN_RESTORECON):
"""
restore security context on the file path
SELinux equivalent is /path/to/restorecon <filepath>
restorecon's return values are not reliable so we have to
ignore them (BZ #739604).
ipautil.run() will do the logging.
"""
if not selinux_enabled():
return
if (os.path.exists(restorecon)):
ipautil.run([restorecon, filepath], raiseonerr=False)
def check_selinux_status(self, restorecon=paths.RESTORECON):
"""
We don't have a specific package requirement for policycoreutils
which provides restorecon. This is because we don't require
SELinux on client installs. However if SELinux is enabled then
this package is required.
This function returns nothing but may raise a Runtime exception
if SELinux is enabled but restorecon is not available.
"""
if not selinux_enabled():
return
if not os.path.exists(restorecon):
raise RuntimeError('SELinux is enabled but %s does not exist.\n'
'Install the policycoreutils package and start '
'the installation again.' % restorecon)
def check_ipv6_stack_enabled(self):
"""Checks whether IPv6 kernel module is loaded.
Function checks if /proc/net/if_inet6 is present. If IPv6 stack is
enabled, it exists and contains the interfaces configuration.
:raises: RuntimeError when IPv6 stack is disabled
"""
if not os.path.exists(paths.IF_INET6):
raise RuntimeError(
"IPv6 stack has to be enabled in the kernel and some "
"interface has to have ::1 address assigned. Typically "
"this is 'lo' interface. If you do not wish to use IPv6 "
"globally, disable it on the specific interfaces in "
"sysctl.conf except 'lo' interface.")
try:
localhost6 = ipautil.CheckedIPAddress('::1', allow_loopback=True)
if localhost6.get_matching_interface() is None:
raise ValueError("no interface for ::1 address found")
except ValueError:
raise RuntimeError(
"IPv6 stack is enabled in the kernel but there is no "
"interface that has ::1 address assigned. Add ::1 address "
"resolution to 'lo' interface. You might need to enable IPv6 "
"on the interface 'lo' in sysctl.conf.")
def restore_pre_ipa_client_configuration(self, fstore, statestore,
was_sssd_installed,
was_sssd_configured):
auth_config = RedHatAuthConfig()
if statestore.has_state('authconfig'):
# disable only those configurations that we enabled during install
for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
cnf = statestore.restore_state('authconfig', conf)
# Do not disable sssd, as this can cause issues with its later
# uses. Remove it from statestore however, so that it becomes
# empty at the end of uninstall process.
if cnf and conf != 'sssd':
auth_config.disable(conf)
else:
# There was no authconfig status store
# It means the code was upgraded after original install
# Fall back to old logic
auth_config.disable("ldap")
auth_config.disable("krb5")
if not(was_sssd_installed and was_sssd_configured):
# Only disable sssdauth. Disabling sssd would cause issues
# with its later uses.
auth_config.disable("sssdauth")
auth_config.disable("mkhomedir")
auth_config.execute()
def set_nisdomain(self, nisdomain):
# Let authconfig setup the permanent configuration
auth_config = RedHatAuthConfig()
auth_config.add_parameter("nisdomain", nisdomain)
auth_config.execute()
def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
auth_config = RedHatAuthConfig()
if sssd:
statestore.backup_state('authconfig', 'sssd', True)
statestore.backup_state('authconfig', 'sssdauth', True)
auth_config.enable("sssd")
auth_config.enable("sssdauth")
else:
statestore.backup_state('authconfig', 'ldap', True)
auth_config.enable("ldap")
auth_config.enable("forcelegacy")
if mkhomedir:
statestore.backup_state('authconfig', 'mkhomedir', True)
auth_config.enable("mkhomedir")
auth_config.execute()
def modify_pam_to_use_krb5(self, statestore):
auth_config = RedHatAuthConfig()
statestore.backup_state('authconfig', 'krb5', True)
auth_config.enable("krb5")
auth_config.add_option("nostart")
auth_config.execute()
def backup_auth_configuration(self, path):
auth_config = RedHatAuthConfig()
auth_config.backup(path)
def restore_auth_configuration(self, path):
auth_config = RedHatAuthConfig()
auth_config.restore(path)
def reload_systemwide_ca_store(self):
try:
ipautil.run([paths.UPDATE_CA_TRUST])
except CalledProcessError as e:
logger.error(
"Could not update systemwide CA trust database: %s", e)
return False
else:
logger.info("Systemwide CA database updated.")
return True
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
# pylint: disable=ipa-forbidden-import
from ipalib import x509 # FixMe: break import cycle
from ipalib.errors import CertificateError
# pylint: enable=ipa-forbidden-import
new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
if os.path.exists(new_cacert_path):
try:
os.remove(new_cacert_path)
except OSError as e:
logger.error(
"Could not remove %s: %s", new_cacert_path, e)
return False
new_cacert_path = paths.IPA_P11_KIT
try:
f = open(new_cacert_path, 'w')
except IOError as e:
logger.info("Failed to open %s: %s", new_cacert_path, e)
return False
f.write("# This file was created by IPA. Do not edit.\n"
"\n")
has_eku = set()
for cert, nickname, trusted, _ext_key_usage in ca_certs:
try:
subject = cert.subject_bytes
issuer = cert.issuer_bytes
serial_number = cert.serial_number_bytes
public_key_info = cert.public_key_info_bytes
except (PyAsn1Error, ValueError, CertificateError) as e:
logger.warning(
"Failed to decode certificate \"%s\": %s", nickname, e)
continue
label = urllib.parse.quote(nickname)
subject = urllib.parse.quote(subject)
issuer = urllib.parse.quote(issuer)
serial_number = urllib.parse.quote(serial_number)
public_key_info = urllib.parse.quote(public_key_info)
obj = ("[p11-kit-object-v1]\n"
"class: certificate\n"
"certificate-type: x-509\n"
"certificate-category: authority\n"
"label: \"%(label)s\"\n"
"subject: \"%(subject)s\"\n"
"issuer: \"%(issuer)s\"\n"
"serial-number: \"%(serial_number)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n" %
dict(label=label,
subject=subject,
issuer=issuer,
serial_number=serial_number,
public_key_info=public_key_info))
if trusted is True:
obj += "trusted: true\n"
elif trusted is False:
obj += "x-distrusted: true\n"
obj += "{pem}\n\n".format(
pem=cert.public_bytes(x509.Encoding.PEM).decode('ascii'))
f.write(obj)
if (cert.extended_key_usage is not None and
public_key_info not in has_eku):
try:
ext_key_usage = cert.extended_key_usage_bytes
except PyAsn1Error as e:
logger.warning(
"Failed to encode extended key usage for \"%s\": %s",
nickname, e)
continue
value = urllib.parse.quote(ext_key_usage)
obj = ("[p11-kit-object-v1]\n"
"class: x-certificate-extension\n"
"label: \"ExtendedKeyUsage for %(label)s\"\n"
"x-public-key-info: \"%(public_key_info)s\"\n"
"object-id: 2.5.29.37\n"
"value: \"%(value)s\"\n\n" %
dict(label=label,
public_key_info=public_key_info,
value=value))
f.write(obj)
has_eku.add(public_key_info)
f.close()
# Add the CA to the systemwide CA trust database
if not self.reload_systemwide_ca_store():
return False
return True
def remove_ca_certs_from_systemwide_ca_store(self):
result = True
update = False
# Remove CA cert from systemwide store
for new_cacert_path in (paths.IPA_P11_KIT,
paths.SYSTEMWIDE_IPA_CA_CRT):
if not os.path.exists(new_cacert_path):
continue
try:
os.remove(new_cacert_path)
except OSError as e:
logger.error(
"Could not remove %s: %s", new_cacert_path, e)
result = False
else:
update = True
if update:
if not self.reload_systemwide_ca_store():
return False
return result
def backup_hostname(self, fstore, statestore):
filepath = paths.ETC_HOSTNAME
if os.path.exists(filepath):
fstore.backup_file(filepath)
# store old hostname
old_hostname = socket.gethostname()
statestore.backup_state('network', 'hostname', old_hostname)
def restore_hostname(self, fstore, statestore):
old_hostname = statestore.get_state('network', 'hostname')
if old_hostname is not None:
try:
self.set_hostname(old_hostname)
except ipautil.CalledProcessError as e:
logger.debug("%s", traceback.format_exc())
logger.error(
"Failed to restore this machine hostname to %s (%s).",
old_hostname, e
)
filepath = paths.ETC_HOSTNAME
if fstore.has_file(filepath):
fstore.restore_file(filepath)
def set_selinux_booleans(self, required_settings, backup_func=None):
def get_setsebool_args(changes):
args = [paths.SETSEBOOL, "-P"]
args.extend(["%s=%s" % update for update in changes.items()])
return args
if not selinux_enabled():
return False
updated_vars = {}
failed_vars = {}
for setting, state in required_settings.items():
if state is None:
continue
try:
result = ipautil.run(
[paths.GETSEBOOL, setting],
capture_output=True
)
original_state = result.output.split()[2]
if backup_func is not None:
backup_func(setting, original_state)
if original_state != state:
updated_vars[setting] = state
except ipautil.CalledProcessError as e:
logger.error("Cannot get SELinux boolean '%s': %s", setting, e)
failed_vars[setting] = state
if updated_vars:
args = get_setsebool_args(updated_vars)
try:
ipautil.run(args)
except ipautil.CalledProcessError:
failed_vars.update(updated_vars)
if failed_vars:
raise ipapython.errors.SetseboolError(
failed=failed_vars,
command=' '.join(get_setsebool_args(failed_vars)))
return True
def parse_ipa_version(self, version):
"""
:param version: textual version
:return: object implementing proper __cmp__ method for version compare
"""
return IPAVersion(version)
def configure_httpd_service_ipa_conf(self):
"""Create systemd config for httpd service to work with IPA
"""
if not os.path.exists(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR):
os.mkdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR, 0o755)
ipautil.copy_template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, 'ipa-httpd.conf.template'),
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
dict(
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
)
)
os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
raiseonerr=False)
def configure_http_gssproxy_conf(self, ipaapi_user):
ipautil.copy_template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
paths.GSSPROXY_CONF,
dict(
HTTP_KEYTAB=paths.HTTP_KEYTAB,
HTTP_CCACHE=paths.HTTP_CCACHE,
HTTPD_USER=constants.HTTPD_USER,
IPAAPI_USER=ipaapi_user,
)
)
os.chmod(paths.GSSPROXY_CONF, 0o600)
self.restore_context(paths.GSSPROXY_CONF)
def remove_httpd_service_ipa_conf(self):
"""Remove systemd config for httpd service of IPA"""
try:
os.unlink(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
except OSError as e:
if e.errno == errno.ENOENT:
logger.debug(
'Trying to remove %s but file does not exist',
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF
)
else:
logger.error(
'Error removing %s: %s',
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
)
return
ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
raiseonerr=False)
def set_hostname(self, hostname):
ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
def is_fips_enabled(self):
"""
Checks whether this host is FIPS-enabled.
Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
or if the file /proc/sys/crypto/fips_enabled does not exist,
the function returns False.
"""
try:
with open(paths.PROC_FIPS_ENABLED, 'r') as f:
if f.read().strip() != '0':
return True
except IOError:
# Consider that the host is not fips-enabled if the file does not
# exist
pass
return False
tasks = RedHatTaskNamespace()

23
ipaplatform/rhel/__init__.py Normal file
View File

@@ -0,0 +1,23 @@
# Authors:
# Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains RHEL-specific platform files.
'''
NAME = 'rhel'

16
ipaplatform/rhel/constants.py Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This RHEL base platform module exports platform related constants.
'''
# Fallback to default constant definitions
from ipaplatform.redhat.constants import RedHatConstantsNamespace
class RHELConstantsNamespace(RedHatConstantsNamespace):
IPA_DNS_PACKAGE_NAME = "ipa-server-dns"
constants = RHELConstantsNamespace()

33
ipaplatform/rhel/paths.py Normal file
View File

@@ -0,0 +1,33 @@
# Authors:
# Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This RHEL base platform module exports default filesystem paths as common
in RHEL-based systems.
'''
# Fallback to default path definitions
from ipaplatform.redhat.paths import RedHatPathNamespace
class RHELPathNamespace(RedHatPathNamespace):
pass
paths = RHELPathNamespace()

61
ipaplatform/rhel/services.py Normal file
View File

@@ -0,0 +1,61 @@
# Authors:
# Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""
Contains RHEL-specific service class implementations.
"""
from ipaplatform.redhat import services as redhat_services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
rhel_system_units = redhat_services.redhat_system_units
# Service that sets domainname on RHEL is called rhel-domainname.service
rhel_system_units['domainname'] = 'rhel-domainname.service'
# Service classes that implement RHEL-specific behaviour
class RHELService(redhat_services.RedHatService):
system_units = rhel_system_units
# Function that constructs proper RHEL-specific server classes for services
# of specified name
def rhel_service_class_factory(name, api=None):
if name == 'domainname':
return RHELService(name, api)
return redhat_services.redhat_service_class_factory(name, api)
# Magicdict containing RHELService instances.
class RHELServices(redhat_services.RedHatServices):
def service_class_factory(self, name, api=None):
return rhel_service_class_factory(name, api)
# Objects below are expected to be exported by platform module
timedate_services = redhat_services.timedate_services
service = rhel_service_class_factory
knownservices = RHELServices()

31
ipaplatform/rhel/tasks.py Normal file
View File

@@ -0,0 +1,31 @@
# Authors:
# Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
This module contains default RHEL-specific implementations of system tasks.
'''
from ipaplatform.redhat.tasks import RedHatTaskNamespace
class RHELTaskNamespace(RedHatTaskNamespace):
pass
tasks = RHELTaskNamespace()

8
ipaplatform/services.py Normal file
View File

@@ -0,0 +1,8 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""IpaMetaImporter replaces this module with ipaplatform.$NAME.services.
"""
import ipaplatform._importhook
ipaplatform._importhook.fixup_module('ipaplatform.services')

5
ipaplatform/setup.cfg Normal file
View File

@@ -0,0 +1,5 @@
[bdist_wheel]
universal = 1
[metadata]
license_file = ../COPYING

51
ipaplatform/setup.py Normal file
View File

@@ -0,0 +1,51 @@
#!/usr/bin/python2
# Copyright (C) 2014 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""FreeIPA platform
FreeIPA is a server for identity, policy, and audit.
"""
from os.path import abspath, dirname
import sys
if __name__ == '__main__':
# include ../ for ipasetup.py
sys.path.append(dirname(dirname(abspath(__file__))))
from ipasetup import ipasetup # noqa: E402
ipasetup(
name="ipaplatform",
doc=__doc__,
package_dir={'ipaplatform': ''},
namespace_packages=['ipaplatform'],
packages=[
"ipaplatform",
"ipaplatform.base",
"ipaplatform.debian",
"ipaplatform.fedora",
"ipaplatform.redhat",
"ipaplatform.rhel"
],
install_requires=[
"cffi",
# "ipalib", # circular dependency
"ipapython",
"pyasn1",
"six",
],
)

8
ipaplatform/tasks.py Normal file
View File

@@ -0,0 +1,8 @@
#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
"""IpaMetaImporter replaces this module with ipaplatform.$NAME.tasks.
"""
import ipaplatform._importhook
ipaplatform._importhook.fixup_module('ipaplatform.tasks')