def __init__(self, name, path, *pargs):
ConfigHelper.__init__(self)
PluginObject.__init__(self, *pargs)
self.name = name
self._root = None
self.path = path
self.tree = None
def configure(self, opts, changes):
if opts['form'] != 'yes':
return
confopts = {
'instanceurl': opts['instanceurl'],
'service': opts['form_service']
}
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'form'
po.wipe_data()
po.wipe_config_values()
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# for selinux enabled platforms, ignore if it fails just report
try:
subprocess.call(
['/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on'])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts["gssapi"] != "yes":
return
confopts = {"instance": opts["instance"]}
if os.path.exists(opts["gssapi_httpd_keytab"]):
confopts["keytab"] = "GssapiCredStore keytab:%s" % (opts["gssapi_httpd_keytab"])
else:
raise Exception("Keytab not found")
if opts["secure"] == "no":
confopts["gssapisslonly"] = "Off"
else:
confopts["gssapisslonly"] = "On"
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts)
with open(opts["httpd_conf"], "a") as httpd_conf:
httpd_conf.write(hunk)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = "gssapi"
po.wipe_data()
# Update global config, put 'gssapi' always first
ph = self.pargs[0]
ph.refresh_enabled()
if "gssapi" not in ph.enabled:
enabled = []
enabled.extend(ph.enabled)
enabled.insert(0, "gssapi")
ph.save_enabled(enabled)
def __init__(self, *args):
ConfigHelper.__init__(self)
PluginObject.__init__(self, *args)
self._root = None
self._site = None
self.path = '/'
self.info = None
def configure(self, opts, changes):
if opts['gssapi'] != 'yes':
return
confopts = {'instanceurl': opts['instanceurl']}
if os.path.exists(opts['gssapi_httpd_keytab']):
confopts['keytab'] = opts['gssapi_httpd_keytab']
else:
raise Exception('Keytab not found')
if opts['secure'] == 'no':
confopts['gssapisslonly'] = 'Off'
else:
confopts['gssapisslonly'] = 'On'
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'gssapi'
po.wipe_data()
# Update global config, put 'gssapi' always first
ph = self.pargs[0]
ph.refresh_enabled()
if 'gssapi' not in ph.enabled:
enabled = []
enabled.extend(ph.enabled)
enabled.insert(0, 'gssapi')
ph.save_enabled(enabled)
def __init__(self, name, displayname, path, *pargs):
ConfigHelper.__init__(self)
PluginObject.__init__(self, *pargs)
self.name = name
self.displayname = displayname
self._root = None
self.path = path
self.tree = None
def configure(self, opts, changes):
if opts['form'] != 'yes':
return
confopts = {'instance': opts['instance'],
'service': opts['form_service']}
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'form'
po.wipe_data()
po.wipe_config_values()
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# for selinux enabled platforms, ignore if it fails just report
try:
subprocess.call(['/usr/sbin/setsebool', '-P',
'httpd_mod_auth_pam=on'])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts['info_nss'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'nss'
po.wipe_data()
po.wipe_config_values()
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['fas'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'fas'
po.wipe_data()
po.wipe_config_values()
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['testauth'] != 'yes':
return
logging.debug(self.pargs)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'testauth'
po.wipe_data()
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['openidc'] != 'yes':
return
path = os.path.join(opts['data_dir'], 'openidc')
if not os.path.exists(path):
os.makedirs(path, 0o700)
keyfile = os.path.join(path, 'openidc.key')
keyid = int(time.time())
keyset = JWKSet()
# We generate one RSA2048 signing key
rsasig = JWK(generate='RSA',
size=2048,
use='sig',
kid='%s-sig' % keyid)
keyset.add(rsasig)
# We generate one RSA2048 encryption key
rsasig = JWK(generate='RSA',
size=2048,
use='enc',
kid='%s-enc' % keyid)
keyset.add(rsasig)
with open(keyfile, 'w') as m:
m.write(keyset.export())
proto = 'https'
url = '%s://%s%s/openidc/' % (proto, opts['hostname'],
opts['instanceurl'])
subject_salt = uuid.uuid4().hex
if opts['openidc_subject_salt']:
subject_salt = opts['openidc_subject_salt']
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'openidc'
po.wipe_data()
po.wipe_config_values()
config = {
'endpoint url': url,
'database url': opts['openidc_dburi'] or opts['database_url'] % {
'datadir': opts['data_dir'],
'dbname': 'openidc'
},
'static database url': opts['openidc_static_dburi']
or opts['database_url'] % {
'datadir': opts['data_dir'],
'dbname': 'openidc.static'
},
'enabled extensions': opts['openidc_extensions'],
'idp key file': keyfile,
'idp sig key id': '%s-sig' % keyid,
'idp subject salt': subject_salt
}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['authz_spgroup'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'spgroup'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'authz_spgroup_prefix' in opts:
config['prefix'] = opts['authz_spgroup_prefix']
if 'authz_spgroup_suffix' in opts:
config['suffix'] = opts['authz_spgroup_suffix']
po.save_plugin_config(config)
# Update global config to add spgroup plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['saml2'] != 'yes':
return
# Check storage path is present or create it
path = os.path.join(opts['data_dir'], 'saml2')
if not os.path.exists(path):
os.makedirs(path, 0o700)
# Use the same cert for signing and ecnryption for now
cert = Certificate(path)
cert.generate('idp', opts['hostname'])
# Generate Idp Metadata
proto = 'https'
if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s%s' % (proto, opts['hostname'], opts['instanceurl'])
validity = int(opts['saml2_metadata_validity'])
meta = IdpMetadataGenerator(url, cert, timedelta(validity))
if 'gssapi' in opts and opts['gssapi'] == 'yes':
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
meta.output(os.path.join(path, 'metadata.xml'))
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'saml2'
po.wipe_data()
po.wipe_config_values()
config = {
'idp storage path': path,
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
'idp key file': cert.key,
'idp nameid salt': uuid.uuid4().hex,
'idp metadata validity': opts['saml2_metadata_validity'],
'session database url': opts['saml2_session_dburl']
or opts['database_url'] % {
'datadir': opts['data_dir'],
'dbname': 'saml2.sessions.db'
}
}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# Fixup permissions so only the ipsilon user can read these files
files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes):
if opts["ldap"] != "yes":
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = "ldap"
po.wipe_data()
po.wipe_config_values()
config = dict()
if "ldap_server_url" in opts:
config["server url"] = opts["ldap_server_url"]
else:
logging.error("LDAP Server URL is required")
return False
if "ldap_bind_dn_template" in opts:
try:
opts["ldap_bind_dn_template"] % {"username": "******"}
except KeyError:
logging.error("Bind DN template does not contain %(username)s")
return False
except ValueError as e:
logging.error("Invalid syntax in Bind DN template: %s ", e)
return False
config["bind dn template"] = opts["ldap_bind_dn_template"]
if "ldap_tls_level" in opts and opts["ldap_tls_level"] is not None:
config["tls"] = opts["ldap_tls_level"]
else:
config["tls"] = "Demand"
if "ldap_base_dn" in opts and opts["ldap_base_dn"] is not None:
config["base dn"] = opts["ldap_base_dn"]
test_dn = config["base dn"]
else:
# default set in the config object
test_dn = "dc=example,dc=com"
# Test the LDAP connection anonymously
try:
lh = ldap_connect(config["server url"], config["tls"])
lh.simple_bind_s("", "")
lh.search_s(test_dn, ldap.SCOPE_BASE, attrlist=["objectclasses"])
except ldap.INSUFFICIENT_ACCESS:
logging.warn("Anonymous access not allowed, continuing")
except ldap.UNWILLING_TO_PERFORM: # probably minSSF issue
logging.warn("LDAP server unwilling to perform, expect issues")
except ldap.SERVER_DOWN:
logging.warn("LDAP server is down")
except ldap.NO_SUCH_OBJECT:
logging.error("Base DN not found")
return False
except ldap.LDAPError as e:
logging.error(e)
return False
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# For selinux enabled platforms permit httpd to connect to ldap,
# ignore if it fails
try:
subprocess.call(["/usr/sbin/setsebool", "-P", "httpd_can_connect_ldap=on"])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts['info_ldap'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'ldap'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'info_ldap_server_url' in opts:
config['server url'] = opts['info_ldap_server_url']
elif 'ldap_server_url' in opts:
config['server url'] = opts['ldap_server_url']
if 'info_ldap_bind_dn' in opts:
config['bind dn'] = opts['info_ldap_bind_dn']
if 'info_ldap_bind_pwd' in opts:
config['bind password'] = opts['info_ldap_bind_pwd']
if 'info_ldap_user_dn_template' in opts:
config['user dn template'] = opts['info_ldap_user_dn_template']
elif 'ldap_bind_dn_template' in opts:
config['user dn template'] = opts['ldap_bind_dn_template']
if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']:
config['tls'] = opts['info_ldap_tls_level']
elif 'ldap_tls_level' in opts and opts['ldap_tls_level']:
config['tls'] = opts['ldap_tls_level']
else:
config['tls'] = 'Demand'
if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']:
config['base dn'] = opts['info_ldap_base_dn']
elif 'ldap_base_dn' in opts and opts['ldap_base_dn']:
config['base dn'] = opts['ldap_base_dn']
po.save_plugin_config(config)
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
# For selinux enabled platforms permit httpd to connect to ldap,
# ignore if it fails
try:
subprocess.call(
['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on'])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts['pam'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'pam'
po.wipe_data()
po.wipe_config_values()
config = {'service name': opts['pam_service']}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# for selinux enabled platforms, ignore if it fails just report
try:
subprocess.call(['/usr/sbin/setsebool', '-P',
'httpd_mod_auth_pam=on',
'httpd_tmp_exec=on'])
except Exception: # pylint: disable=broad-except
pass
def __init__(self, *pargs):
ConfigHelper.__init__(self)
PluginObject.__init__(self, *pargs)
def configure(self, opts, changes):
if opts['persona'] != 'yes':
return
# Check storage path is present or create it
path = os.path.join(opts['data_dir'], 'persona')
if not os.path.exists(path):
os.makedirs(path, 0700)
keyfile = os.path.join(path, 'persona.key')
exponent = 0x10001
key = M2Crypto.RSA.gen_key(2048, exponent)
key.save_key(keyfile, cipher=None)
key_n = 0
for c in key.n[4:]:
key_n = (key_n*256) + ord(c)
wellknown = dict()
wellknown['authentication'] = '/%s/persona/SignIn/' % opts['instance']
wellknown['provisioning'] = '/%s/persona/' % opts['instance']
wellknown['public-key'] = {'algorithm': 'RS',
'e': str(exponent),
'n': str(key_n)}
with open(os.path.join(opts['wellknown_dir'], 'browserid'), 'w') as f:
f.write(json.dumps(wellknown))
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'persona'
po.wipe_data()
po.wipe_config_values()
config = {'issuer domain': opts['hostname'],
'idp key file': keyfile,
'allowed domains': opts['hostname']}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# Fixup permissions so only the ipsilon user can read these files
files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes):
if opts['pam'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'pam'
po.wipe_data()
po.wipe_config_values()
config = {'service name': opts['pam_service']}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# for selinux enabled platforms, ignore if it fails just report
try:
subprocess.call([
'/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on',
'httpd_tmp_exec=on'
])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts['saml2'] != 'yes':
return
# Check storage path is present or create it
path = os.path.join(opts['data_dir'], 'saml2')
if not os.path.exists(path):
os.makedirs(path, 0700)
# Use the same cert for signing and ecnryption for now
cert = Certificate(path)
cert.generate('idp', opts['hostname'])
# Generate Idp Metadata
proto = 'https'
if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
validity = int(opts['saml2_metadata_validity'])
meta = IdpMetadataGenerator(url, cert,
timedelta(validity))
if 'gssapi' in opts and opts['gssapi'] == 'yes':
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
meta.output(os.path.join(path, 'metadata.xml'))
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'saml2'
po.wipe_data()
po.wipe_config_values()
config = {'idp storage path': path,
'idp metadata file': 'metadata.xml',
'idp certificate file': cert.cert,
'idp key file': cert.key,
'idp nameid salt': uuid.uuid4().hex,
'idp metadata validity': opts['saml2_metadata_validity'],
'session database url': opts['saml2_session_dburl'] or
opts['database_url'] % {
'datadir': opts['data_dir'],
'dbname': 'saml2.sessions.db'}}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# Fixup permissions so only the ipsilon user can read these files
files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes):
if opts['openid'] != 'yes':
return
proto = 'https'
if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s%s/openid/' % (proto, opts['hostname'],
opts['instanceurl'])
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'openid'
po.wipe_data()
po.wipe_config_values()
config = {
'endpoint url': url,
'identity url template': '%sid/%%(username)s' % url,
'database url': opts['openid_dburi'] or opts['database_url'] % {
'datadir': opts['data_dir'],
'dbname': 'openid'
},
'enabled extensions': opts['openid_extensions']
}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['info_ldap'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'ldap'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'info_ldap_server_url' in opts:
config['server url'] = opts['info_ldap_server_url']
elif 'ldap_server_url' in opts:
config['server url'] = opts['ldap_server_url']
if 'info_ldap_bind_dn' in opts:
config['bind dn'] = opts['info_ldap_bind_dn']
if 'info_ldap_bind_pwd' in opts:
config['bind password'] = opts['info_ldap_bind_pwd']
if 'info_ldap_user_dn_template' in opts:
config['user dn template'] = opts['info_ldap_user_dn_template']
elif 'ldap_bind_dn_template' in opts:
config['user dn template'] = opts['ldap_bind_dn_template']
if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']:
config['tls'] = opts['info_ldap_tls_level']
elif 'ldap_tls_level' in opts and opts['ldap_tls_level']:
config['tls'] = opts['ldap_tls_level']
else:
config['tls'] = 'Demand'
if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']:
config['base dn'] = opts['info_ldap_base_dn']
elif 'ldap_base_dn' in opts and opts['ldap_base_dn']:
config['base dn'] = opts['ldap_base_dn']
po.save_plugin_config(config)
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
# For selinux enabled platforms permit httpd to connect to ldap,
# ignore if it fails
try:
subprocess.call(['/usr/sbin/setsebool', '-P',
'httpd_can_connect_ldap=on'])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts['info_fas'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'fas'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'info_fas_bind_username' in opts:
config['Bind Username'] = opts['info_fas_bind_username']
if 'info_fas_bind_password' in opts:
config['Bind Password'] = opts['info_fas_bind_password']
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['openid'] != 'yes':
return
proto = 'https'
if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s/%s/openid/' % (
proto, opts['hostname'], opts['instance'])
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'openid'
po.wipe_data()
po.wipe_config_values()
config = {'endpoint url': url,
'identity url template': '%sid/%%(username)s' % url,
'database url': opts['openid_dburi'] or
opts['database_url'] % {
'datadir': opts['data_dir'], 'dbname': 'openid'},
'enabled extensions': opts['openid_extensions']}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['info_sssd'] != 'yes':
return
configured = 0
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
except Exception as e: # pylint: disable=broad-except
# Unable to read existing SSSD config so it is probably not
# configured.
logging.info('Loading SSSD config failed: %s', e)
return False
if not opts['info_sssd_domain']:
domains = sssdconfig.list_domains()
else:
domains = opts['info_sssd_domain']
changes['domains'] = {}
for domain in domains:
changes['domains'][domain] = {}
try:
sssd_domain = sssdconfig.get_domain(domain)
except SSSDConfig.NoDomainError:
logging.info('No SSSD domain %s', domain)
continue
else:
try:
changes['domains'][domain] = {
'ldap_user_extra_attrs':
# noqa (pep8 E126)
sssd_domain.get_option('ldap_user_extra_attrs')
}
except SSSDConfig.NoOptionError:
pass
sssd_domain.set_option('ldap_user_extra_attrs',
', '.join(SSSD_ATTRS))
sssdconfig.save_domain(sssd_domain)
configured += 1
logging.info("Configured SSSD domain %s", domain)
if configured == 0:
logging.info('No SSSD domains configured')
return False
changes['ifp'] = {}
try:
sssdconfig.new_service('ifp')
changes['ifp']['new'] = True
except SSSDConfig.ServiceAlreadyExists:
changes['ifp']['new'] = False
sssdconfig.activate_service('ifp')
ifp = sssdconfig.get_service('ifp')
if not changes['ifp']['new']:
try:
changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
except SSSDConfig.NoOptionError:
pass
try:
changes['ifp']['user_attributes'] = ifp.get_option(
'user_attributes')
except SSSDConfig.NoOptionError:
pass
ifp.set_option('allowed_uids', 'ipsilon, root')
ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))
sssdconfig.save_service(ifp)
sssdconfig.write(SSSD_CONF)
# for selinux enabled platforms, ignore if it fails just report
try:
subprocess.call(
['/usr/sbin/setsebool', '-P', 'httpd_dbus_sssd=on'])
except Exception: # pylint: disable=broad-except
pass
try:
subprocess.call(['/sbin/service', 'sssd', 'restart'])
except Exception: # pylint: disable=broad-except
pass
# Give SSSD a chance to restart
time.sleep(5)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'sssd'
po.wipe_data()
po.wipe_config_values()
config = {'preconfigured': 'True'}
po.save_plugin_config(config)
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['testauth'] != 'yes':
return
logging.debug(self.pargs)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'testauth'
po.wipe_data()
po.wipe_config_values()
config = dict()
if opts['testauth_groups'] is not None:
cherrypy.log(
'testauth_groups is %s (%s)' %
(opts['testauth_groups'], type(opts['testauth_groups'])))
config['groups'] = opts['testauth_groups']
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def __init__(self, *pargs):
ConfigHelper.__init__(self)
PluginObject.__init__(self, *pargs)
def configure(self, opts, changes):
if opts['info_fas'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'fas'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'info_fas_bind_username' in opts:
config['Bind Username'] = opts['info_fas_bind_username']
if 'info_fas_bind_password' in opts:
config['Bind Password'] = opts['info_fas_bind_password']
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['persona'] != 'yes':
return
# Check storage path is present or create it
path = os.path.join(opts['data_dir'], 'persona')
if not os.path.exists(path):
os.makedirs(path, 0o700)
keyfile = os.path.join(path, 'persona.key')
exponent = 0x10001
key = M2Crypto.RSA.gen_key(2048, exponent)
key.save_key(keyfile, cipher=None)
key_n = 0
for c in key.n[4:]:
key_n = (key_n*256) + ord(c)
wellknown = dict()
wellknown['authentication'] = ('%s/persona/SignIn/'
% opts['instanceurl'])
wellknown['provisioning'] = '%s/persona/' % opts['instanceurl']
wellknown['public-key'] = {'algorithm': 'RS',
'e': str(exponent),
'n': str(key_n)}
with open(os.path.join(opts['wellknown_dir'], 'browserid'), 'w') as f:
f.write(json.dumps(wellknown))
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'persona'
po.wipe_data()
po.wipe_config_values()
config = {'issuer domain': opts['hostname'],
'idp key file': keyfile,
'allowed domains': opts['hostname']}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# Fixup permissions so only the ipsilon user can read these files
files.fix_user_dirs(path, opts['system_user'])
def configure(self, opts, changes):
if opts["openidc"] != "yes":
return
path = os.path.join(opts["data_dir"], "openidc")
if not os.path.exists(path):
os.makedirs(path, 0700)
keyfile = os.path.join(path, "openidc.key")
keyid = int(time.time())
keyset = JWKSet()
# We generate one RSA2048 signing key
rsasig = JWK(generate="RSA", size=2048, use="sig", kid="%s-sig" % keyid)
keyset.add(rsasig)
# We generate one RSA2048 encryption key
rsasig = JWK(generate="RSA", size=2048, use="enc", kid="%s-enc" % keyid)
keyset.add(rsasig)
with open(keyfile, "w") as m:
m.write(keyset.export())
proto = "https"
url = "%s://%s/%s/openidc/" % (proto, opts["hostname"], opts["instance"])
subject_salt = uuid.uuid4().hex
if opts["openidc_subject_salt"]:
subject_salt = opts["openidc_subject_salt"]
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = "openidc"
po.wipe_data()
po.wipe_config_values()
config = {
"endpoint url": url,
"database url": opts["openidc_dburi"]
or opts["database_url"] % {"datadir": opts["data_dir"], "dbname": "openidc"},
"enabled extensions": opts["openidc_extensions"],
"idp key file": keyfile,
"idp sig key id": "%s-sig" % keyid,
"idp subject salt": subject_salt,
}
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
def configure(self, opts, changes):
if opts['ldap'] != 'yes':
return
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'ldap'
po.wipe_data()
po.wipe_config_values()
config = dict()
if 'ldap_server_url' in opts:
config['server url'] = opts['ldap_server_url']
else:
logging.error('LDAP Server URL is required')
return False
if 'ldap_bind_dn_template' in opts:
try:
opts['ldap_bind_dn_template'] % {'username': '******'}
except KeyError:
logging.error('Bind DN template does not contain %(username)s')
return False
except ValueError as e:
logging.error('Invalid syntax in Bind DN template: %s ', e)
return False
config['bind dn template'] = opts['ldap_bind_dn_template']
if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None:
config['tls'] = opts['ldap_tls_level']
else:
config['tls'] = 'Demand'
if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None:
config['base dn'] = opts['ldap_base_dn']
test_dn = config['base dn']
else:
# default set in the config object
test_dn = 'dc=example,dc=com'
# Test the LDAP connection anonymously
try:
lh = ldap_connect(config['server url'], config['tls'])
lh.simple_bind_s('', '')
lh.search_s(test_dn, ldap.SCOPE_BASE, attrlist=['objectclasses'])
except ldap.INSUFFICIENT_ACCESS:
logging.warn('Anonymous access not allowed, continuing')
except ldap.UNWILLING_TO_PERFORM: # probably minSSF issue
logging.warn('LDAP server unwilling to perform, expect issues')
except ldap.SERVER_DOWN:
logging.warn('LDAP server is down')
except ldap.NO_SUCH_OBJECT:
logging.error('Base DN not found')
return False
except ldap.LDAPError as e:
logging.error(e)
return False
po.save_plugin_config(config)
# Update global config to add login plugin
po.is_enabled = True
po.save_enabled_state()
# For selinux enabled platforms permit httpd to connect to ldap,
# ignore if it fails
try:
subprocess.call(
['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on'])
except Exception: # pylint: disable=broad-except
pass
def configure(self, opts, changes):
if opts['info_sssd'] != 'yes':
return
configured = 0
confopts = {'instance': opts['instance']}
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts)
with open(opts['httpd_conf'], 'a') as httpd_conf:
httpd_conf.write(hunk)
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
except Exception as e: # pylint: disable=broad-except
# Unable to read existing SSSD config so it is probably not
# configured.
logging.info('Loading SSSD config failed: %s', e)
return False
if not opts['info_sssd_domain']:
domains = sssdconfig.list_domains()
else:
domains = opts['info_sssd_domain']
changes['domains'] = {}
for domain in domains:
changes['domains'][domain] = {}
try:
sssd_domain = sssdconfig.get_domain(domain)
except SSSDConfig.NoDomainError:
logging.info('No SSSD domain %s', domain)
continue
else:
try:
changes['domains'][domain] = {
'ldap_user_extra_attrs':
sssd_domain.get_option('ldap_user_extra_attrs')}
except SSSDConfig.NoOptionError:
pass
sssd_domain.set_option(
'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)
)
sssdconfig.save_domain(sssd_domain)
configured += 1
logging.info("Configured SSSD domain %s", domain)
if configured == 0:
logging.info('No SSSD domains configured')
return False
changes['ifp'] = {}
try:
sssdconfig.new_service('ifp')
changes['ifp']['new'] = True
except SSSDConfig.ServiceAlreadyExists:
changes['ifp']['new'] = False
sssdconfig.activate_service('ifp')
ifp = sssdconfig.get_service('ifp')
if not changes['ifp']['new']:
try:
changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
except SSSDConfig.NoOptionError:
pass
try:
changes['ifp']['user_attributes'] = ifp.get_option(
'user_attributes')
except SSSDConfig.NoOptionError:
pass
ifp.set_option('allowed_uids', 'apache, root')
ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))
sssdconfig.save_service(ifp)
sssdconfig.write(SSSD_CONF)
# for selinux enabled platforms, ignore if it fails just report
try:
subprocess.call(['/usr/sbin/setsebool', '-P',
'httpd_dbus_sssd=on'])
except Exception: # pylint: disable=broad-except
pass
try:
subprocess.call(['/sbin/service', 'sssd', 'restart'])
except Exception: # pylint: disable=broad-except
pass
# Give SSSD a chance to restart
time.sleep(5)
# Add configuration data to database
po = PluginObject(*self.pargs)
po.name = 'sssd'
po.wipe_data()
po.wipe_config_values()
config = {'preconfigured': 'True'}
po.save_plugin_config(config)
# Update global config to add info plugin
po.is_enabled = True
po.save_enabled_state()
