Exemplo n.º 1
0
    def configure(self, opts, changes):
        if opts['form'] != 'yes':
            return

        confopts = {
            'instanceurl': opts['instanceurl'],
            'service': opts['form_service']
        }

        tmpl = Template(CONF_TEMPLATE)
        hunk = tmpl.substitute(**confopts)
        with open(opts['httpd_conf'], 'a') as httpd_conf:
            httpd_conf.write(hunk)

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'form'
        po.wipe_data()
        po.wipe_config_values()

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # for selinux enabled platforms, ignore if it fails just report
        try:
            subprocess.call(
                ['/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on'])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 2
0
    def configure(self, opts, changes):
        if opts['openid'] != 'yes':
            return

        proto = 'https'
        if opts['secure'].lower() == 'no':
            proto = 'http'
        url = '%s://%s%s/openid/' % (proto, opts['hostname'],
                                     opts['instanceurl'])

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'openid'
        po.wipe_data()
        po.wipe_config_values()
        config = {
            'endpoint url': url,
            'identity url template': '%sid/%%(username)s' % url,
            'database url': opts['openid_dburi'] or opts['database_url'] % {
                'datadir': opts['data_dir'],
                'dbname': 'openid'
            },
            'enabled extensions': opts['openid_extensions']
        }
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 3
0
    def configure(self, opts, changes):
        if opts['form'] != 'yes':
            return

        confopts = {'instance': opts['instance'],
                    'service': opts['form_service']}

        tmpl = Template(CONF_TEMPLATE)
        hunk = tmpl.substitute(**confopts)
        with open(opts['httpd_conf'], 'a') as httpd_conf:
            httpd_conf.write(hunk)

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'form'
        po.wipe_data()
        po.wipe_config_values()

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # for selinux enabled platforms, ignore if it fails just report
        try:
            subprocess.call(['/usr/sbin/setsebool', '-P',
                             'httpd_mod_auth_pam=on'])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 4
0
    def configure(self, opts, changes):
        if opts['openid'] != 'yes':
            return

        proto = 'https'
        if opts['secure'].lower() == 'no':
            proto = 'http'
        url = '%s://%s/%s/openid/' % (
            proto, opts['hostname'], opts['instance'])

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'openid'
        po.wipe_data()
        po.wipe_config_values()
        config = {'endpoint url': url,
                  'identity url template': '%sid/%%(username)s' % url,
                  'database url': opts['openid_dburi'] or
                  opts['database_url'] % {
                      'datadir': opts['data_dir'], 'dbname': 'openid'},
                  'enabled extensions': opts['openid_extensions']}
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 5
0
    def configure(self, opts, changes):
        if opts['saml2'] != 'yes':
            return

        # Check storage path is present or create it
        path = os.path.join(opts['data_dir'], 'saml2')
        if not os.path.exists(path):
            os.makedirs(path, 0o700)

        # Use the same cert for signing and ecnryption for now
        cert = Certificate(path)
        cert.generate('idp', opts['hostname'])

        # Generate Idp Metadata
        proto = 'https'
        if opts['secure'].lower() == 'no':
            proto = 'http'
        url = '%s://%s%s' % (proto, opts['hostname'], opts['instanceurl'])
        validity = int(opts['saml2_metadata_validity'])
        meta = IdpMetadataGenerator(url, cert, timedelta(validity))
        if 'gssapi' in opts and opts['gssapi'] == 'yes':
            meta.meta.add_allowed_name_format(
                lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)

        meta.output(os.path.join(path, 'metadata.xml'))

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'saml2'
        po.wipe_data()
        po.wipe_config_values()
        config = {
            'idp storage path': path,
            'idp metadata file': 'metadata.xml',
            'idp certificate file': cert.cert,
            'idp key file': cert.key,
            'idp nameid salt': uuid.uuid4().hex,
            'idp metadata validity': opts['saml2_metadata_validity'],
            'session database url': opts['saml2_session_dburl']
            or opts['database_url'] % {
                'datadir': opts['data_dir'],
                'dbname': 'saml2.sessions.db'
            }
        }
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # Fixup permissions so only the ipsilon user can read these files
        files.fix_user_dirs(path, opts['system_user'])
Exemplo n.º 6
0
    def configure(self, opts, changes):
        if opts['fas'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'fas'
        po.wipe_data()
        po.wipe_config_values()

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 7
0
    def configure(self, opts, changes):
        if opts['testauth'] != 'yes':
            return

        logging.debug(self.pargs)
        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'testauth'
        po.wipe_data()

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 8
0
    def configure(self, opts, changes):
        if opts['info_nss'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'nss'
        po.wipe_data()
        po.wipe_config_values()

        # Update global config to add info plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 9
0
    def configure(self, opts, changes):
        if opts['saml2'] != 'yes':
            return

        # Check storage path is present or create it
        path = os.path.join(opts['data_dir'], 'saml2')
        if not os.path.exists(path):
            os.makedirs(path, 0700)

        # Use the same cert for signing and ecnryption for now
        cert = Certificate(path)
        cert.generate('idp', opts['hostname'])

        # Generate Idp Metadata
        proto = 'https'
        if opts['secure'].lower() == 'no':
            proto = 'http'
        url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
        validity = int(opts['saml2_metadata_validity'])
        meta = IdpMetadataGenerator(url, cert,
                                    timedelta(validity))
        if 'gssapi' in opts and opts['gssapi'] == 'yes':
            meta.meta.add_allowed_name_format(
                lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)

        meta.output(os.path.join(path, 'metadata.xml'))

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'saml2'
        po.wipe_data()
        po.wipe_config_values()
        config = {'idp storage path': path,
                  'idp metadata file': 'metadata.xml',
                  'idp certificate file': cert.cert,
                  'idp key file': cert.key,
                  'idp nameid salt': uuid.uuid4().hex,
                  'idp metadata validity': opts['saml2_metadata_validity'],
                  'session database url': opts['saml2_session_dburl'] or
                  opts['database_url'] % {
                      'datadir': opts['data_dir'],
                      'dbname': 'saml2.sessions.db'}}
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # Fixup permissions so only the ipsilon user can read these files
        files.fix_user_dirs(path, opts['system_user'])
Exemplo n.º 10
0
    def configure(self, opts, changes):
        if opts["openidc"] != "yes":
            return

        path = os.path.join(opts["data_dir"], "openidc")
        if not os.path.exists(path):
            os.makedirs(path, 0700)

        keyfile = os.path.join(path, "openidc.key")
        keyid = int(time.time())
        keyset = JWKSet()
        # We generate one RSA2048 signing key
        rsasig = JWK(generate="RSA", size=2048, use="sig", kid="%s-sig" % keyid)
        keyset.add(rsasig)
        # We generate one RSA2048 encryption key
        rsasig = JWK(generate="RSA", size=2048, use="enc", kid="%s-enc" % keyid)
        keyset.add(rsasig)

        with open(keyfile, "w") as m:
            m.write(keyset.export())

        proto = "https"
        url = "%s://%s/%s/openidc/" % (proto, opts["hostname"], opts["instance"])

        subject_salt = uuid.uuid4().hex
        if opts["openidc_subject_salt"]:
            subject_salt = opts["openidc_subject_salt"]

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = "openidc"
        po.wipe_data()
        po.wipe_config_values()
        config = {
            "endpoint url": url,
            "database url": opts["openidc_dburi"]
            or opts["database_url"] % {"datadir": opts["data_dir"], "dbname": "openidc"},
            "enabled extensions": opts["openidc_extensions"],
            "idp key file": keyfile,
            "idp sig key id": "%s-sig" % keyid,
            "idp subject salt": subject_salt,
        }
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 11
0
    def configure(self, opts, changes):
        if opts['info_ldap'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'ldap'
        po.wipe_data()
        po.wipe_config_values()
        config = dict()
        if 'info_ldap_server_url' in opts:
            config['server url'] = opts['info_ldap_server_url']
        elif 'ldap_server_url' in opts:
            config['server url'] = opts['ldap_server_url']
        if 'info_ldap_bind_dn' in opts:
            config['bind dn'] = opts['info_ldap_bind_dn']
        if 'info_ldap_bind_pwd' in opts:
            config['bind password'] = opts['info_ldap_bind_pwd']
        if 'info_ldap_user_dn_template' in opts:
            config['user dn template'] = opts['info_ldap_user_dn_template']
        elif 'ldap_bind_dn_template' in opts:
            config['user dn template'] = opts['ldap_bind_dn_template']
        if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']:
            config['tls'] = opts['info_ldap_tls_level']
        elif 'ldap_tls_level' in opts and opts['ldap_tls_level']:
            config['tls'] = opts['ldap_tls_level']
        else:
            config['tls'] = 'Demand'
        if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']:
            config['base dn'] = opts['info_ldap_base_dn']
        elif 'ldap_base_dn' in opts and opts['ldap_base_dn']:
            config['base dn'] = opts['ldap_base_dn']
        po.save_plugin_config(config)

        # Update global config to add info plugin
        po.is_enabled = True
        po.save_enabled_state()

        # For selinux enabled platforms permit httpd to connect to ldap,
        # ignore if it fails
        try:
            subprocess.call(['/usr/sbin/setsebool', '-P',
                             'httpd_can_connect_ldap=on'])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 12
0
    def configure(self, opts, changes):
        if opts['info_ldap'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'ldap'
        po.wipe_data()
        po.wipe_config_values()
        config = dict()
        if 'info_ldap_server_url' in opts:
            config['server url'] = opts['info_ldap_server_url']
        elif 'ldap_server_url' in opts:
            config['server url'] = opts['ldap_server_url']
        if 'info_ldap_bind_dn' in opts:
            config['bind dn'] = opts['info_ldap_bind_dn']
        if 'info_ldap_bind_pwd' in opts:
            config['bind password'] = opts['info_ldap_bind_pwd']
        if 'info_ldap_user_dn_template' in opts:
            config['user dn template'] = opts['info_ldap_user_dn_template']
        elif 'ldap_bind_dn_template' in opts:
            config['user dn template'] = opts['ldap_bind_dn_template']
        if 'info_ldap_tls_level' in opts and opts['info_ldap_tls_level']:
            config['tls'] = opts['info_ldap_tls_level']
        elif 'ldap_tls_level' in opts and opts['ldap_tls_level']:
            config['tls'] = opts['ldap_tls_level']
        else:
            config['tls'] = 'Demand'
        if 'info_ldap_base_dn' in opts and opts['info_ldap_base_dn']:
            config['base dn'] = opts['info_ldap_base_dn']
        elif 'ldap_base_dn' in opts and opts['ldap_base_dn']:
            config['base dn'] = opts['ldap_base_dn']
        po.save_plugin_config(config)

        # Update global config to add info plugin
        po.is_enabled = True
        po.save_enabled_state()

        # For selinux enabled platforms permit httpd to connect to ldap,
        # ignore if it fails
        try:
            subprocess.call(
                ['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on'])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 13
0
    def configure(self, opts, changes):
        if opts['authz_spgroup'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'spgroup'
        po.wipe_data()
        po.wipe_config_values()
        config = dict()
        if 'authz_spgroup_prefix' in opts:
            config['prefix'] = opts['authz_spgroup_prefix']
        if 'authz_spgroup_suffix' in opts:
            config['suffix'] = opts['authz_spgroup_suffix']
        po.save_plugin_config(config)

        # Update global config to add spgroup plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 14
0
    def configure(self, opts, changes):
        if opts['persona'] != 'yes':
            return

        # Check storage path is present or create it
        path = os.path.join(opts['data_dir'], 'persona')
        if not os.path.exists(path):
            os.makedirs(path, 0o700)

        keyfile = os.path.join(path, 'persona.key')
        exponent = 0x10001
        key = M2Crypto.RSA.gen_key(2048, exponent)
        key.save_key(keyfile, cipher=None)
        key_n = 0
        for c in key.n[4:]:
            key_n = (key_n*256) + ord(c)
        wellknown = dict()
        wellknown['authentication'] = ('%s/persona/SignIn/'
                                       % opts['instanceurl'])
        wellknown['provisioning'] = '%s/persona/' % opts['instanceurl']
        wellknown['public-key'] = {'algorithm': 'RS',
                                   'e': str(exponent),
                                   'n': str(key_n)}
        with open(os.path.join(opts['wellknown_dir'], 'browserid'), 'w') as f:
            f.write(json.dumps(wellknown))

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'persona'
        po.wipe_data()
        po.wipe_config_values()
        config = {'issuer domain': opts['hostname'],
                  'idp key file': keyfile,
                  'allowed domains': opts['hostname']}
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # Fixup permissions so only the ipsilon user can read these files
        files.fix_user_dirs(path, opts['system_user'])
Exemplo n.º 15
0
    def configure(self, opts, changes):
        if opts['info_fas'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'fas'
        po.wipe_data()
        po.wipe_config_values()

        config = dict()
        if 'info_fas_bind_username' in opts:
            config['Bind Username'] = opts['info_fas_bind_username']
        if 'info_fas_bind_password' in opts:
            config['Bind Password'] = opts['info_fas_bind_password']
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 16
0
    def configure(self, opts, changes):
        if opts['info_fas'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'fas'
        po.wipe_data()
        po.wipe_config_values()

        config = dict()
        if 'info_fas_bind_username' in opts:
            config['Bind Username'] = opts['info_fas_bind_username']
        if 'info_fas_bind_password' in opts:
            config['Bind Password'] = opts['info_fas_bind_password']
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 17
0
    def configure(self, opts, changes):
        if opts['persona'] != 'yes':
            return

        # Check storage path is present or create it
        path = os.path.join(opts['data_dir'], 'persona')
        if not os.path.exists(path):
            os.makedirs(path, 0700)

        keyfile = os.path.join(path, 'persona.key')
        exponent = 0x10001
        key = M2Crypto.RSA.gen_key(2048, exponent)
        key.save_key(keyfile, cipher=None)
        key_n = 0
        for c in key.n[4:]:
            key_n = (key_n*256) + ord(c)
        wellknown = dict()
        wellknown['authentication'] = '/%s/persona/SignIn/' % opts['instance']
        wellknown['provisioning'] = '/%s/persona/' % opts['instance']
        wellknown['public-key'] = {'algorithm': 'RS',
                                   'e': str(exponent),
                                   'n': str(key_n)}
        with open(os.path.join(opts['wellknown_dir'], 'browserid'), 'w') as f:
            f.write(json.dumps(wellknown))

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'persona'
        po.wipe_data()
        po.wipe_config_values()
        config = {'issuer domain': opts['hostname'],
                  'idp key file': keyfile,
                  'allowed domains': opts['hostname']}
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # Fixup permissions so only the ipsilon user can read these files
        files.fix_user_dirs(path, opts['system_user'])
Exemplo n.º 18
0
    def configure(self, opts, changes):
        if opts['testauth'] != 'yes':
            return

        logging.debug(self.pargs)
        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'testauth'
        po.wipe_data()
        po.wipe_config_values()

        config = dict()
        if opts['testauth_groups'] is not None:
            cherrypy.log(
                'testauth_groups is %s (%s)' %
                (opts['testauth_groups'], type(opts['testauth_groups'])))
            config['groups'] = opts['testauth_groups']
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 19
0
    def configure(self, opts, changes):
        if opts['pam'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'pam'
        po.wipe_data()
        po.wipe_config_values()
        config = {'service name': opts['pam_service']}
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # for selinux enabled platforms, ignore if it fails just report
        try:
            subprocess.call(['/usr/sbin/setsebool', '-P',
                             'httpd_mod_auth_pam=on',
                             'httpd_tmp_exec=on'])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 20
0
    def configure(self, opts, changes):
        if opts['pam'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'pam'
        po.wipe_data()
        po.wipe_config_values()
        config = {'service name': opts['pam_service']}
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # for selinux enabled platforms, ignore if it fails just report
        try:
            subprocess.call([
                '/usr/sbin/setsebool', '-P', 'httpd_mod_auth_pam=on',
                'httpd_tmp_exec=on'
            ])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 21
0
    def configure(self, opts, changes):
        if opts['info_sssd'] != 'yes':
            return

        configured = 0

        try:
            sssdconfig = SSSDConfig.SSSDConfig()
            sssdconfig.import_config()
        except Exception as e:  # pylint: disable=broad-except
            # Unable to read existing SSSD config so it is probably not
            # configured.
            logging.info('Loading SSSD config failed: %s', e)
            return False

        if not opts['info_sssd_domain']:
            domains = sssdconfig.list_domains()
        else:
            domains = opts['info_sssd_domain']

        changes['domains'] = {}
        for domain in domains:
            changes['domains'][domain] = {}
            try:
                sssd_domain = sssdconfig.get_domain(domain)
            except SSSDConfig.NoDomainError:
                logging.info('No SSSD domain %s', domain)
                continue
            else:
                try:
                    changes['domains'][domain] = {
                        'ldap_user_extra_attrs':
                        # noqa (pep8 E126)
                        sssd_domain.get_option('ldap_user_extra_attrs')
                    }
                except SSSDConfig.NoOptionError:
                    pass
                sssd_domain.set_option('ldap_user_extra_attrs',
                                       ', '.join(SSSD_ATTRS))
                sssdconfig.save_domain(sssd_domain)
                configured += 1
                logging.info("Configured SSSD domain %s", domain)

        if configured == 0:
            logging.info('No SSSD domains configured')
            return False

        changes['ifp'] = {}
        try:
            sssdconfig.new_service('ifp')
            changes['ifp']['new'] = True
        except SSSDConfig.ServiceAlreadyExists:
            changes['ifp']['new'] = False

        sssdconfig.activate_service('ifp')

        ifp = sssdconfig.get_service('ifp')
        if not changes['ifp']['new']:
            try:
                changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
            except SSSDConfig.NoOptionError:
                pass
            try:
                changes['ifp']['user_attributes'] = ifp.get_option(
                    'user_attributes')
            except SSSDConfig.NoOptionError:
                pass
        ifp.set_option('allowed_uids', 'ipsilon, root')
        ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))

        sssdconfig.save_service(ifp)
        sssdconfig.write(SSSD_CONF)

        # for selinux enabled platforms, ignore if it fails just report
        try:
            subprocess.call(
                ['/usr/sbin/setsebool', '-P', 'httpd_dbus_sssd=on'])
        except Exception:  # pylint: disable=broad-except
            pass

        try:
            subprocess.call(['/sbin/service', 'sssd', 'restart'])
        except Exception:  # pylint: disable=broad-except
            pass

        # Give SSSD a chance to restart
        time.sleep(5)

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'sssd'
        po.wipe_data()
        po.wipe_config_values()
        config = {'preconfigured': 'True'}
        po.save_plugin_config(config)

        # Update global config to add info plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 22
0
    def configure(self, opts, changes):
        if opts['openidc'] != 'yes':
            return

        path = os.path.join(opts['data_dir'], 'openidc')
        if not os.path.exists(path):
            os.makedirs(path, 0o700)

        keyfile = os.path.join(path, 'openidc.key')
        keyid = int(time.time())
        keyset = JWKSet()
        # We generate one RSA2048 signing key
        rsasig = JWK(generate='RSA',
                     size=2048,
                     use='sig',
                     kid='%s-sig' % keyid)
        keyset.add(rsasig)
        # We generate one RSA2048 encryption key
        rsasig = JWK(generate='RSA',
                     size=2048,
                     use='enc',
                     kid='%s-enc' % keyid)
        keyset.add(rsasig)

        with open(keyfile, 'w') as m:
            m.write(keyset.export())

        proto = 'https'
        url = '%s://%s%s/openidc/' % (proto, opts['hostname'],
                                      opts['instanceurl'])

        subject_salt = uuid.uuid4().hex
        if opts['openidc_subject_salt']:
            subject_salt = opts['openidc_subject_salt']

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'openidc'
        po.wipe_data()
        po.wipe_config_values()
        config = {
            'endpoint url': url,
            'database url': opts['openidc_dburi'] or opts['database_url'] % {
                'datadir': opts['data_dir'],
                'dbname': 'openidc'
            },
            'static database url': opts['openidc_static_dburi']
            or opts['database_url'] % {
                'datadir': opts['data_dir'],
                'dbname': 'openidc.static'
            },
            'enabled extensions': opts['openidc_extensions'],
            'idp key file': keyfile,
            'idp sig key id': '%s-sig' % keyid,
            'idp subject salt': subject_salt
        }
        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()
Exemplo n.º 23
0
    def configure(self, opts, changes):
        if opts["ldap"] != "yes":
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = "ldap"
        po.wipe_data()
        po.wipe_config_values()

        config = dict()
        if "ldap_server_url" in opts:
            config["server url"] = opts["ldap_server_url"]
        else:
            logging.error("LDAP Server URL is required")
            return False
        if "ldap_bind_dn_template" in opts:
            try:
                opts["ldap_bind_dn_template"] % {"username": "******"}
            except KeyError:
                logging.error("Bind DN template does not contain %(username)s")
                return False
            except ValueError as e:
                logging.error("Invalid syntax in Bind DN template: %s ", e)
                return False
            config["bind dn template"] = opts["ldap_bind_dn_template"]
        if "ldap_tls_level" in opts and opts["ldap_tls_level"] is not None:
            config["tls"] = opts["ldap_tls_level"]
        else:
            config["tls"] = "Demand"
        if "ldap_base_dn" in opts and opts["ldap_base_dn"] is not None:
            config["base dn"] = opts["ldap_base_dn"]
            test_dn = config["base dn"]
        else:
            # default set in the config object
            test_dn = "dc=example,dc=com"

        # Test the LDAP connection anonymously
        try:
            lh = ldap_connect(config["server url"], config["tls"])
            lh.simple_bind_s("", "")
            lh.search_s(test_dn, ldap.SCOPE_BASE, attrlist=["objectclasses"])
        except ldap.INSUFFICIENT_ACCESS:
            logging.warn("Anonymous access not allowed, continuing")
        except ldap.UNWILLING_TO_PERFORM:  # probably minSSF issue
            logging.warn("LDAP server unwilling to perform, expect issues")
        except ldap.SERVER_DOWN:
            logging.warn("LDAP server is down")
        except ldap.NO_SUCH_OBJECT:
            logging.error("Base DN not found")
            return False
        except ldap.LDAPError as e:
            logging.error(e)
            return False

        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # For selinux enabled platforms permit httpd to connect to ldap,
        # ignore if it fails
        try:
            subprocess.call(["/usr/sbin/setsebool", "-P", "httpd_can_connect_ldap=on"])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 24
0
    def configure(self, opts, changes):
        if opts['ldap'] != 'yes':
            return

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'ldap'
        po.wipe_data()
        po.wipe_config_values()

        config = dict()
        if 'ldap_server_url' in opts:
            config['server url'] = opts['ldap_server_url']
        else:
            logging.error('LDAP Server URL is required')
            return False
        if 'ldap_bind_dn_template' in opts:
            try:
                opts['ldap_bind_dn_template'] % {'username': '******'}
            except KeyError:
                logging.error('Bind DN template does not contain %(username)s')
                return False
            except ValueError as e:
                logging.error('Invalid syntax in Bind DN template: %s ', e)
                return False
            config['bind dn template'] = opts['ldap_bind_dn_template']
        if 'ldap_tls_level' in opts and opts['ldap_tls_level'] is not None:
            config['tls'] = opts['ldap_tls_level']
        else:
            config['tls'] = 'Demand'
        if 'ldap_base_dn' in opts and opts['ldap_base_dn'] is not None:
            config['base dn'] = opts['ldap_base_dn']
            test_dn = config['base dn']
        else:
            # default set in the config object
            test_dn = 'dc=example,dc=com'

        # Test the LDAP connection anonymously
        try:
            lh = ldap_connect(config['server url'], config['tls'])
            lh.simple_bind_s('', '')
            lh.search_s(test_dn, ldap.SCOPE_BASE, attrlist=['objectclasses'])
        except ldap.INSUFFICIENT_ACCESS:
            logging.warn('Anonymous access not allowed, continuing')
        except ldap.UNWILLING_TO_PERFORM:  # probably minSSF issue
            logging.warn('LDAP server unwilling to perform, expect issues')
        except ldap.SERVER_DOWN:
            logging.warn('LDAP server is down')
        except ldap.NO_SUCH_OBJECT:
            logging.error('Base DN not found')
            return False
        except ldap.LDAPError as e:
            logging.error(e)
            return False

        po.save_plugin_config(config)

        # Update global config to add login plugin
        po.is_enabled = True
        po.save_enabled_state()

        # For selinux enabled platforms permit httpd to connect to ldap,
        # ignore if it fails
        try:
            subprocess.call(
                ['/usr/sbin/setsebool', '-P', 'httpd_can_connect_ldap=on'])
        except Exception:  # pylint: disable=broad-except
            pass
Exemplo n.º 25
0
    def configure(self, opts, changes):
        if opts['info_sssd'] != 'yes':
            return

        configured = 0

        confopts = {'instance': opts['instance']}

        tmpl = Template(CONF_TEMPLATE)
        hunk = tmpl.substitute(**confopts)
        with open(opts['httpd_conf'], 'a') as httpd_conf:
            httpd_conf.write(hunk)

        try:
            sssdconfig = SSSDConfig.SSSDConfig()
            sssdconfig.import_config()
        except Exception as e:  # pylint: disable=broad-except
            # Unable to read existing SSSD config so it is probably not
            # configured.
            logging.info('Loading SSSD config failed: %s', e)
            return False

        if not opts['info_sssd_domain']:
            domains = sssdconfig.list_domains()
        else:
            domains = opts['info_sssd_domain']

        changes['domains'] = {}
        for domain in domains:
            changes['domains'][domain] = {}
            try:
                sssd_domain = sssdconfig.get_domain(domain)
            except SSSDConfig.NoDomainError:
                logging.info('No SSSD domain %s', domain)
                continue
            else:
                try:
                    changes['domains'][domain] = {
                        'ldap_user_extra_attrs':
                            sssd_domain.get_option('ldap_user_extra_attrs')}
                except SSSDConfig.NoOptionError:
                    pass
                sssd_domain.set_option(
                    'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)
                )
                sssdconfig.save_domain(sssd_domain)
                configured += 1
                logging.info("Configured SSSD domain %s", domain)

        if configured == 0:
            logging.info('No SSSD domains configured')
            return False

        changes['ifp'] = {}
        try:
            sssdconfig.new_service('ifp')
            changes['ifp']['new'] = True
        except SSSDConfig.ServiceAlreadyExists:
            changes['ifp']['new'] = False

        sssdconfig.activate_service('ifp')

        ifp = sssdconfig.get_service('ifp')
        if not changes['ifp']['new']:
            try:
                changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
            except SSSDConfig.NoOptionError:
                pass
            try:
                changes['ifp']['user_attributes'] = ifp.get_option(
                    'user_attributes')
            except SSSDConfig.NoOptionError:
                pass
        ifp.set_option('allowed_uids', 'apache, root')
        ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))

        sssdconfig.save_service(ifp)
        sssdconfig.write(SSSD_CONF)

        # for selinux enabled platforms, ignore if it fails just report
        try:
            subprocess.call(['/usr/sbin/setsebool', '-P',
                             'httpd_dbus_sssd=on'])
        except Exception:  # pylint: disable=broad-except
            pass

        try:
            subprocess.call(['/sbin/service', 'sssd', 'restart'])
        except Exception:  # pylint: disable=broad-except
            pass

        # Give SSSD a chance to restart
        time.sleep(5)

        # Add configuration data to database
        po = PluginObject(*self.pargs)
        po.name = 'sssd'
        po.wipe_data()
        po.wipe_config_values()
        config = {'preconfigured': 'True'}
        po.save_plugin_config(config)

        # Update global config to add info plugin
        po.is_enabled = True
        po.save_enabled_state()