authorPetr Vobornik <pvoborni@redhat.com>2012-10-04 17:08:17 +0200
committerRob Crittenden <rcritten@redhat.com>2012-10-04 18:08:04 -0400
commit247a3a43b7fb9eac9af9497e61cdc9c964bee4ff (patch)
tree1f107c410a48a62c1c4a21cf18a73818ac2c13fd
parent206b6ca04b0e06b3bebf34d985f5310489fd7aac (diff)
Build and installation of Kerberos authentication extension
This patch adds a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in the install phase of FreeIPA server. This allows the extension to be signed by the signing certificate. The signing might not be necessary because the only outcome is that during extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.template file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
-rw-r--r--freeipa.spec.in4
-rw-r--r--install/share/Makefile.am3
-rw-r--r--install/share/krb.js.template2
-rwxr-xr-xinstall/tools/ipa-replica-install2
-rwxr-xr-xinstall/tools/ipa-replica-prepare2
-rw-r--r--ipaserver/install/httpinstance.py21
6 files changed, 32 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index e8e51644f..136eea0d2 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -415,7 +415,9 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
@@ -664,7 +666,9 @@ fi
%{_usr}/share/ipa/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 68c98e05a..03fef9a66 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -31,8 +31,9 @@ app_DATA = \
krb5.conf.template \
krb5.ini.template \
krb.con.template \
+ krb.js.template \
krbrealm.con.template \
- preferences.html.template \
+ preferences.html.template \
smb.conf.template \
smb.conf.empty \
referint-conf.ldif \
diff --git a/install/share/krb.js.template b/install/share/krb.js.template
new file mode 100644
index 000000000..e7ea05595
--- /dev/null
+++ b/install/share/krb.js.template
@@ -0,0 +1,2 @@
+var IPA_REALM = "$REALM";
+var IPA_DOMAIN = "$DOMAIN"; \ No newline at end of file
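Review bot: `$REALM` and `$DOMAIN` are substituted straight into double-quoted JavaScript string literals, and no escaping step is visible on this page, so a value containing a quote or backslash would alter the script that the config pages import. If the installer already restricts realm and domain names to DNS-style characters this is harmless, but that validation is outside the diff. A comment at the top of the template would record the assumption, e.g. `// REALM/DOMAIN are substituted verbatim; the installer must validate them`. The file also ends without a trailing newline.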
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 55417b72f..c1679c723 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -207,6 +207,8 @@ def install_http(config, auto_redirect):
try:
shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
+ shutil.copy(config.dir + "/krb.js", "/usr/share/ipa/html/krb.js")
+ shutil.copy(config.dir + "/kerberosauth.xpi", "/usr/share/ipa/html/kerberosauth.xpi")
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
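Review bot: The two added `shutil.copy` calls share the `try` with the existing copies, so a replica file that lacks `krb.js` or `kerberosauth.xpi` (for example one prepared by a server that predates these files) now ends the install at `sys.exit(1)` with only "error copying files". Both files are browser-configuration helpers rather than something the replica needs to come up, so each copy could be guarded, e.g. `if os.path.isfile(config.dir + "/kerberosauth.xpi"):`. Whether `os` is already imported in this script is not visible in the hunk. The body of `install_http` starts outside the hunk.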
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index dea52ea1e..d67ed818e 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -225,6 +225,8 @@ def copy_files(realm_name, dir):
try:
shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt")
if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):
+ shutil.copy("/usr/share/ipa/html/krb.js", dir + "/krb.js")
+ shutil.copy("/usr/share/ipa/html/kerberosauth.xpi", dir + "/kerberosauth.xpi")
shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html")
shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar")
if ipautil.file_exists("/var/kerberos/krb5kdc/cacert.pem"):
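Review bot: The new copies of `krb.js` and `kerberosauth.xpi` follow the `if ipautil.file_exists("/usr/share/ipa/html/preferences.html"):` line and, although indentation is lost on this page, presumably run under that guard, which tests a different file. On a master where `preferences.html` exists but the two new files were never generated, `shutil.copy` raises and the prepare step fails. Each new file should get its own check, e.g. `if ipautil.file_exists("/usr/share/ipa/html/kerberosauth.xpi"):`. The handler for this `try` is outside the hunk.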
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e1d8b6db8..afadde40b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -292,13 +292,20 @@ class HTTPInstance(service.Service):
prefs_fd.close()
os.chmod(target_fname, 0644)
+ target_fname = '/usr/share/ipa/html/krb.js'
+ prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "krb.js.template", self.sub_dict)
+ prefs_fd = open(target_fname, "w")
+ prefs_fd.write(prefs_txt)
+ prefs_fd.close()
+ os.chmod(target_fname, 0644)
+
# The signing cert is generated in __setup_ssl
db = certs.CertDB(self.realm, subject_base=self.subject_base)
-
pwdfile = open(db.passwd_fname)
pwd = pwdfile.read()
pwdfile.close()
+ # Setup configure.jar
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
target_fname = '/usr/share/ipa/html/configure.jar'
shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
@@ -309,6 +316,18 @@ class HTTPInstance(service.Service):
shutil.rmtree(tmpdir)
os.chmod(target_fname, 0644)
+ # Setup extension
+ tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ extdir = tmpdir + "/ext"
+ target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
+ shutil.copytree("/usr/share/ipa/ffextension", extdir)
+ db.run_signtool(["-k", "Signing-Cert",
+ "-p", pwd,
+ "-X", "-Z", target_fname,
+ extdir])
+ shutil.rmtree(tmpdir)
+ os.chmod(target_fname, 0644)
+
def __publish_ca_cert(self):
ca_db = certs.CertDB(self.realm)
ca_db.publish_ca_cert("/usr/share/ipa/html/ca.crt")
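Review bot: The new "Setup extension" block passes the NSS database password as `"-p", pwd` in the argument list given to `db.run_signtool`, so it is readable in the process table by any local user while signtool runs. The configure.jar step appears to use the same pattern, but this adds a second exposure. signtool can take its options from a command file (`-f`), so the password could be written to a 0600 file inside `tmpdir` instead; whether `run_signtool` supports that is not visible here. Separately, if `copytree` or signtool raises, `shutil.rmtree(tmpdir)` is skipped; wrapping the block as `try: ... finally: shutil.rmtree(tmpdir)` would avoid leaving the copy behind. The enclosing method starts outside the hunk.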