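def erase_ds_instance_data(serverid):
    """Remove every on-disk artefact of the 389-ds instance ``slapd-<serverid>``.

    Recursively deletes the instance's configuration, library, data, lock and
    script directories, then removes its LDAPI socket, the shared
    ``/etc/dirsrv/ds.keytab`` and its sysconfig file, in that order.

    :param serverid: the instance id, i.e. the part after ``slapd-``
    :raises ValueError: if *serverid* is empty, contains ``/`` or is
        ``.``/``..`` -- such an id would turn the ``rmtree`` targets below
        into paths outside the per-instance directories.
    """
    # serverid is spliced straight into absolute paths that are then removed
    # recursively, so refuse anything that could escape the slapd-<id> layout.
    if not serverid or "/" in serverid or serverid in (".", ".."):
        raise ValueError(
            "invalid directory server instance id: %r" % (serverid,))

    # Per-instance directory trees, all named slapd-<id>.
    instance_dir_templates = (
        "/etc/dirsrv/slapd-%s",
        "/usr/lib/dirsrv/slapd-%s",
        "/usr/lib64/dirsrv/slapd-%s",
        "/var/lib/dirsrv/slapd-%s",
        "/var/lock/dirsrv/slapd-%s",
    )
    for template in instance_dir_templates:
        installutils.rmtree(template % serverid)

    installutils.remove_file("/var/run/slapd-%s.socket" % serverid)
    installutils.rmtree("/var/lib/dirsrv/scripts-%s" % serverid)
    # The DS keytab path is not per-instance.
    installutils.remove_file("/etc/dirsrv/ds.keytab")
    installutils.remove_file("/etc/sysconfig/dirsrv-%s" % serverid)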
except ValueError, error: root_logger.debug(error) pass # disabled during IPA installation if enabled: self.enable() serverid = self.restore_state("serverid") if serverid is not None: self.stop_tracking_certificates(serverid) root_logger.debug("Removing DS instance %s" % serverid) try: remove_ds_instance(serverid) root_logger.debug("Removing DS keytab") installutils.remove_file(paths.DS_KEYTAB) except ipautil.CalledProcessError: root_logger.error("Failed to remove DS instance. You may " "need to remove instance data manually") # At one time we removed this user on uninstall. That can potentially # orphan files, or worse, if another useradd runs in the intermim, # cause files to have a new owner. user_exists = self.restore_state("user_exists") # Make sure some upgrade-related state is removed. This could cause # re-installation problems. self.restore_state('nsslapd-port') self.restore_state('nsslapd-security') self.restore_state('nsslapd-ldapiautobind')
def remove_httpd_ccache(self):
    """Delete the apache user's default FILE: Kerberos credential cache.

    The cache is expected at ``/tmp/krb5cc_<uid>``; the uid is looked up
    from the ``apache`` account rather than hard-coded.

    :raises KeyError: propagated from ``pwd.getpwnam`` if no ``apache`` user exists
    """
    apache_uid = pwd.getpwnam("apache").pw_uid
    ccache_path = '/tmp/krb5cc_%d' % apache_uid
    # NOTE(review): only this one path is removed; a cache of another type
    # or location (e.g. via KRB5CCNAME) would be left in place.
    installutils.remove_file(ccache_path)
self.stop() db = certs.CertDB(api.env.realm) db.untrack_server_cert("Server-Cert") if not enabled is None and not enabled: self.disable() for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: try: self.fstore.restore_file(f) except ValueError, error: root_logger.debug(error) pass # Remove the configuration files we create installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf") installutils.remove_file("/etc/httpd/conf.d/ipa.conf") installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: sebool_state = self.restore_state(var) if not sebool_state is None: try: ipautil.run( ["/usr/sbin/setsebool", "-P", var, sebool_state]) except ipautil.CalledProcessError, e: self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \ % (var, sebool_state, e)) if not running is None and running: self.start()
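class HTTPInstance(service.Service):
    """Install and remove the IPA web front end (httpd with mod_nss).

    ``create_instance`` registers the installation steps and runs them via
    ``start_creation``; ``uninstall`` undoes them using the state and file
    backups recorded along the way.
    """

    def __init__(self, fstore=None, cert_nickname='Server-Cert'):
        """Set up service bookkeeping.

        :param fstore: file-backup store to use; a new ``sysrestore.FileStore``
            on ``paths.SYSRESTORE`` is created when not given
        :param cert_nickname: NSS nickname of the server certificate
        """
        service.Service.__init__(self, "httpd", service_desc="the web interface")
        if fstore:
            self.fstore = fstore
        else:
            self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
        self.cert_nickname = cert_nickname
        self.ca_is_configured = True

    # DN-typed attribute backed by self._subject_base
    subject_base = ipautil.dn_attribute_property('_subject_base')

    def create_instance(self, realm, fqdn, domain_name, dm_password=None,
                        autoconfig=True, pkcs12_info=None, subject_base=None,
                        auto_redirect=True, ca_file=None, ca_is_configured=None):
        """Register and run the httpd installation steps.

        :param realm: Kerberos realm name
        :param fqdn: this host's fully qualified name
        :param domain_name: DNS domain name
        :param dm_password: Directory Manager password (used by ``ldap_enable``)
        :param autoconfig: also build the browser autoconfig artefacts
        :param pkcs12_info: ``(file, password)`` of an externally issued server
            certificate; when None a certificate is issued by the IPA CA
        :param subject_base: subject base for issued certificates
        :param auto_redirect: whether the generated httpd config redirects
            ``/`` to the web UI
        :param ca_file: CA bundle passed along with *pkcs12_info*
        :param ca_is_configured: override for ``self.ca_is_configured``
        """
        self.fqdn = fqdn
        self.realm = realm
        self.domain = domain_name
        self.dm_password = dm_password
        self.suffix = ipautil.realm_to_suffix(self.realm)
        self.pkcs12_info = pkcs12_info
        self.principal = "HTTP/%s@%s" % (self.fqdn, self.realm)
        self.dercert = None
        self.subject_base = subject_base
        self.sub_dict = dict(
            REALM=realm,
            FQDN=fqdn,
            DOMAIN=self.domain,
            # '#' comments the redirect rule out of the template
            AUTOREDIR='' if auto_redirect else '#',
            CRL_PUBLISH_PATH=dogtag.install_constants.CRL_PUBLISH_PATH,
        )
        self.ca_file = ca_file
        if ca_is_configured is not None:
            self.ca_is_configured = ca_is_configured

        # get a connection to the DS
        self.ldap_connect()

        self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
        self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
                  self.set_mod_nss_protocol)
        self.step("setting mod_nss password file",
                  self.__set_mod_nss_passwordfile)
        self.step("enabling mod_nss renegotiate",
                  self.enable_mod_nss_renegotiate)
        self.step("adding URL rewriting rules", self.__add_include)
        self.step("configuring httpd", self.__configure_http)
        if self.ca_is_configured:
            self.step("configure certmonger for renewals",
                      self.configure_certmonger_renewal_guard)
        self.step("setting up ssl", self.__setup_ssl)
        self.step("importing CA certificates from LDAP", self.__import_ca_certs)
        if autoconfig:
            self.step("setting up browser autoconfig", self.__setup_autoconfig)
        self.step("publish CA cert", self.__publish_ca_cert)
        self.step("creating a keytab for httpd", self.__create_http_keytab)
        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
        self.step("configuring SELinux for httpd",
                  self.configure_selinux_for_httpd)
        self.step("restarting httpd", self.__start)
        self.step("configuring httpd to start on boot", self.__enable)
        self.start_creation(runtime=60)

    def __start(self):
        """Record whether httpd was running, then restart it."""
        self.backup_state("running", self.is_running())
        self.restart()

    def __enable(self):
        """Record the boot-enable state and register HTTP in the LDAP config tree."""
        self.backup_state("enabled", self.is_enabled())
        # We do not let the system start IPA components on its own,
        # Instead we reply on the IPA init script to start only enabled
        # components as found in our LDAP configuration tree
        self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)

    def configure_selinux_for_httpd(self):
        """Apply SELINUX_BOOLEAN_SETTINGS, backing up the previous values.

        A failure to set the booleans is reported as a warning, not raised.
        """
        try:
            tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS, self.backup_state)
        except ipapython.errors.SetseboolError as e:
            self.print_msg(e.format_service_warning('web interface'))

    def __create_http_keytab(self):
        """Create the HTTP service principal and its keytab, owned by apache."""
        installutils.kadmin_addprinc(self.principal)
        installutils.create_keytab(paths.IPA_KEYTAB, self.principal)
        self.move_service(self.principal)
        self.add_cert_to_service()
        pent = pwd.getpwnam("apache")
        # NOTE(review): only ownership is changed here; the keytab's mode is
        # whatever create_keytab left -- confirm it is not group/world readable.
        os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid)

    def remove_httpd_ccache(self):
        """Destroy every credential cache in the apache user's collection."""
        # Clean up existing ccache
        # Make sure that empty env is passed to avoid passing KRB5CCNAME from
        # current env
        ipautil.run(['kdestroy', '-A'], runas='apache', raiseonerr=False, env={})

    def __configure_http(self):
        """Render ipa.conf and ipa-rewrite.conf from templates (mode 0644).

        Each target is backed up in ``self.fstore`` before being overwritten.
        """
        config_files = (
            ("ipa.conf", paths.HTTPD_IPA_CONF),
            ("ipa-rewrite.conf", paths.HTTPD_IPA_REWRITE_CONF),
        )
        for template_name, target_fname in config_files:
            http_txt = ipautil.template_file(ipautil.SHARE_DIR + template_name,
                                             self.sub_dict)
            self.fstore.backup_file(target_fname)
            with open(target_fname, "w") as http_fd:
                http_fd.write(http_txt)
            os.chmod(target_fname, 0o644)

    def change_mod_nss_port_from_http(self):
        """Undo the historical 'Listen on http port' workaround, if recorded."""
        # mod_ssl enforces SSLEngine on for vhost on 443 even though
        # the listener is mod_nss. This then crashes the httpd as mod_nss
        # listened port obviously does not match mod_ssl requirements.
        #
        # The workaround for this was to change port to http. It is no longer
        # necessary, as mod_nss now ships with default configuration which
        # sets SSLEngine off when mod_ssl is installed.
        #
        # Remove the workaround.
        if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
            installutils.set_directive(paths.HTTPD_NSS_CONF, 'Listen', '443',
                                       quotes=False)
            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)

    def __set_mod_nss_port(self):
        """Back up nss.conf and switch its port from 8443 to 443."""
        self.fstore.backup_file(paths.HTTPD_NSS_CONF)
        if installutils.update_file(paths.HTTPD_NSS_CONF, '8443', '443') != 0:
            print("Updating port in %s failed." % paths.HTTPD_NSS_CONF)

    def __set_mod_nss_nickname(self, nickname):
        """Point NSSNickname in nss.conf at *nickname*."""
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', nickname)

    def set_mod_nss_protocol(self):
        """Set the mod_nss protocol list to TLS 1.0 through 1.2."""
        # NOTE(review): TLS 1.0/1.1 are deprecated (RFC 8996); this keeps the
        # historical floor, so raising it is a separate policy decision.
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol',
                                   'TLSv1.0,TLSv1.1,TLSv1.2', False)

    def enable_mod_nss_renegotiate(self):
        """Allow renegotiation, but only the RFC 5746 'safe' variant."""
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation',
                                   'on', False)
        installutils.set_directive(paths.HTTPD_NSS_CONF,
                                   'NSSRequireSafeNegotiation', 'on', False)

    def __set_mod_nss_passwordfile(self):
        """Make mod_nss read the NSS DB password from password.conf."""
        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog',
                                   'file:/etc/httpd/conf/password.conf')

    def __add_include(self):
        """This should run after __set_mod_nss_port so is already backed up"""
        if installutils.update_file(
                paths.HTTPD_NSS_CONF, '</VirtualHost>',
                'Include conf.d/ipa-rewrite.conf\n</VirtualHost>') != 0:
            print("Adding Include conf.d/ipa-rewrite to %s failed."
                  % paths.HTTPD_NSS_CONF)

    def _certmonger_ipa_ca_properties(self):
        """Return the D-Bus Properties interface of certmonger's 'IPA' CA.

        :returns: a ``dbus.Interface`` for ``org.freedesktop.DBus.Properties``
            on the CA object, or None when certmonger knows no CA nicknamed 'IPA'
        """
        bus = dbus.SystemBus()
        obj = bus.get_object('org.fedorahosted.certmonger',
                             '/org/fedorahosted/certmonger')
        iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
        path = iface.find_ca_by_nickname('IPA')
        if not path:
            return None
        ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
        return dbus.Interface(ca_obj, 'org.freedesktop.DBus.Properties')

    def configure_certmonger_renewal_guard(self):
        """Wrap certmonger's IPA CA helper with IPA_SERVER_GUARD.

        certmonger is started temporarily if it is not running. The original
        helper command line is saved as state 'certmonger_ipa_helper' so
        ``uninstall`` can put it back; nothing is changed when the guard is
        already the first argument.
        """
        certmonger = services.knownservices.certmonger
        certmonger_stopped = not certmonger.is_running()
        if certmonger_stopped:
            certmonger.start()
        try:
            ca_iface = self._certmonger_ipa_ca_properties()
            if ca_iface is not None:
                helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
                                      'external-helper')
                if helper:
                    args = shlex.split(helper)
                    if args[0] != paths.IPA_SERVER_GUARD:
                        self.backup_state('certmonger_ipa_helper', helper)
                        args = [paths.IPA_SERVER_GUARD] + args
                        # re-quote so certmonger splits it back the same way
                        helper = ' '.join(pipes.quote(a) for a in args)
                        ca_iface.Set('org.fedorahosted.certmonger.ca',
                                     'external-helper', helper)
        finally:
            if certmonger_stopped:
                certmonger.stop()

    def __setup_ssl(self):
        """Provision the server certificate in the httpd NSS database.

        With *pkcs12_info* the certificate is imported (and trusted as a CA
        chain only when the IPA CA is configured); otherwise one is issued
        by the IPA CA together with the 'Signing-Cert' object-signing cert.
        Afterwards the DB files are made root:apache mode 0660.

        :raises RuntimeError: if the PKCS#12 file holds no usable server cert
        """
        fqdn = self.fqdn
        ca_db = certs.CertDB(self.realm, host_name=fqdn,
                             subject_base=self.subject_base)
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        if self.pkcs12_info:
            if self.ca_is_configured:
                trust_flags = 'CT,C,C'
            else:
                trust_flags = None
            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
                                  passwd=None, ca_file=self.ca_file,
                                  trust_flags=trust_flags)
            server_certs = db.find_server_certs()
            if len(server_certs) == 0:
                raise RuntimeError(
                    "Could not find a suitable server cert in import in %s"
                    % self.pkcs12_info[0])

            db.create_password_conf()

            # We only handle one server cert
            nickname = server_certs[0][0]
            self.dercert = db.get_cert_from_db(nickname, pem=False)
            if self.ca_is_configured:
                db.track_server_cert(nickname, self.principal,
                                     db.passwd_fname, 'restart_httpd')

            self.__set_mod_nss_nickname(nickname)
        else:
            db.create_password_conf()
            self.dercert = db.create_server_cert(self.cert_nickname,
                                                 self.fqdn, ca_db)
            db.track_server_cert(self.cert_nickname, self.principal,
                                 db.passwd_fname, 'restart_httpd')
            db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)

        # Fix the database permissions
        db_files = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
        for name in db_files:
            os.chmod(certs.NSS_DIR + "/" + name, 0o660)

        # root-owned, apache group: httpd can read (and rewrite) the DB
        # without owning it.
        pent = pwd.getpwnam("apache")
        for name in db_files:
            os.chown(certs.NSS_DIR + "/" + name, 0, pent.pw_gid)

        # Fix SELinux permissions on the database
        tasks.restore_context(certs.NSS_DIR + "/cert8.db")
        tasks.restore_context(certs.NSS_DIR + "/key3.db")

    def __import_ca_certs(self):
        """Import the CA certificates from LDAP into the httpd NSS database."""
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        self.import_ca_certs(db, self.ca_is_configured)

    def __setup_autoconfig(self):
        """Build the browser autoconfig page and signed configure.jar.

        configure.jar is only produced when 'Signing-Cert' exists in the
        NSS database; the Firefox extension is always set up afterwards.
        """
        target_fname = paths.PREFERENCES_HTML
        ipautil.copy_template_file(
            ipautil.SHARE_DIR + "preferences.html.template", target_fname,
            self.sub_dict)
        os.chmod(target_fname, 0o644)

        # The signing cert is generated in __setup_ssl
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        with open(db.passwd_fname) as pwdfile:
            nss_passwd = pwdfile.read()

        # Setup configure.jar
        if db.has_nickname('Signing-Cert'):
            tmpdir = tempfile.mkdtemp(prefix="tmp-")
            try:
                target_fname = paths.CONFIGURE_JAR
                shutil.copy(paths.PREFERENCES_HTML, tmpdir)
                # NOTE(review): the NSS DB password goes on signtool's command
                # line ("-p") and is therefore visible in the process list
                # while signtool runs.
                db.run_signtool(["-k", "Signing-Cert", "-Z", target_fname,
                                 "-e", ".html", "-p", nss_passwd, tmpdir])
            finally:
                shutil.rmtree(tmpdir)
            os.chmod(target_fname, 0o644)
        else:
            root_logger.warning('Object-signing certificate was not found; '
                                'therefore, configure.jar was not created.')

        self.setup_firefox_extension(self.realm, self.domain)

    def setup_firefox_extension(self, realm, domain):
        """Set up the signed browser configuration extension

        Renders krb.js and packs FFEXTENSION into KERBEROSAUTH_XPI, signed
        with 'Signing-Cert' when that nickname exists and as a plain zip
        otherwise. Both outputs are mode 0644.

        :param realm: Kerberos realm name
        :param domain: DNS domain name
        """
        target_fname = paths.KRB_JS
        sub_dict = dict(REALM=realm, DOMAIN=domain)
        db = certs.CertDB(realm)

        with open(db.passwd_fname) as pwdfile:
            nss_passwd = pwdfile.read()

        ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
                                   target_fname, sub_dict)
        os.chmod(target_fname, 0o644)

        # Setup extension
        tmpdir = tempfile.mkdtemp(prefix="tmp-")
        try:
            extdir = tmpdir + "/ext"
            target_fname = paths.KERBEROSAUTH_XPI
            shutil.copytree(paths.FFEXTENSION, extdir)
            if db.has_nickname('Signing-Cert'):
                # NOTE(review): the NSS DB password is passed on the command
                # line ("-p") and is visible in the process list meanwhile.
                db.run_signtool(["-k", "Signing-Cert", "-p", nss_passwd,
                                 "-X", "-Z", target_fname, extdir])
            else:
                root_logger.warning('Object-signing certificate was not found. '
                                    'Creating unsigned Firefox configuration extension.')
                filenames = os.listdir(extdir)
                ipautil.run([paths.ZIP, '-r', target_fname] + filenames,
                            cwd=extdir)
        finally:
            shutil.rmtree(tmpdir)
        os.chmod(target_fname, 0o644)

    def __publish_ca_cert(self):
        """Write the CA certificate to paths.CA_CRT."""
        ca_db = certs.CertDB(self.realm)
        ca_db.publish_ca_cert(paths.CA_CRT)

    def uninstall(self):
        """Revert everything create_instance did.

        Stops certificate tracking, restores the saved certmonger helper,
        restores backed-up httpd config files, removes the generated ones,
        restores the SELinux booleans, and finally restarts/enables httpd
        according to the recorded 'running'/'enabled' state.
        """
        if self.is_configured():
            self.print_msg("Unconfiguring web server")

        running = self.restore_state("running")
        enabled = self.restore_state("enabled")

        self.stop_tracking_certificates()

        helper = self.restore_state('certmonger_ipa_helper')
        if helper:
            # NOTE(review): unlike configure_certmonger_renewal_guard, this
            # does not start certmonger first; confirm the D-Bus call is safe
            # when certmonger is down.
            ca_iface = self._certmonger_ipa_ca_properties()
            if ca_iface is not None:
                ca_iface.Set('org.fedorahosted.certmonger.ca',
                             'external-helper', helper)

        for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
                  paths.HTTPD_NSS_CONF]:
            try:
                self.fstore.restore_file(f)
            except ValueError as error:
                # no backup recorded for this file; nothing to restore
                root_logger.debug(error)

        # Remove the configuration files we create
        installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
        installutils.remove_file(paths.HTTPD_IPA_CONF)
        installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)

        # Restore SELinux boolean states
        boolean_states = {name: self.restore_state(name)
                          for name in SELINUX_BOOLEAN_SETTINGS}
        try:
            tasks.set_selinux_booleans(boolean_states)
        except ipapython.errors.SetseboolError as e:
            self.print_msg('WARNING: ' + str(e))

        if running:
            self.restart()

        # disabled by default, by ldap_enable()
        if enabled:
            self.enable()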
if not running is None: self.stop() self.stop_tracking_certificates() if not enabled is None and not enabled: self.disable() for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: try: self.fstore.restore_file(f) except ValueError, error: root_logger.debug(error) pass # Remove the configuration files we create installutils.remove_file("/etc/httpd/conf.d/ipa-rewrite.conf") installutils.remove_file("/etc/httpd/conf.d/ipa.conf") installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: sebool_state = self.restore_state(var) if not sebool_state is None: try: ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state]) except ipautil.CalledProcessError, e: self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \ % (var, sebool_state, e)) if not running is None and running: self.start()