authorRob Crittenden <rcritten@redhat.com>2007-10-15 15:42:12 -0400
committerRob Crittenden <rcritten@redhat.com>2007-10-15 15:42:12 -0400
commited8f506b0f96d6133899078530d3ff6a63b0c5b6 (patch)
tree884235d24f780eff0941a29b76ae905ba3fd48ee /ipa-server
parenta4143789da67693e73d9ba78641f159fed30b4cc (diff)
First step in enabling SSL in the IPA web server
Diffstat (limited to 'ipa-server')
-rwxr-xr-xipa-server/freeipa-server.spec2
-rw-r--r--ipa-server/freeipa-server.spec.in2
-rw-r--r--ipa-server/ipa-install/ipa-server-install7
-rw-r--r--ipa-server/ipaserver/httpinstance.py76
4 files changed, 84 insertions, 3 deletions
diff --git a/ipa-server/freeipa-server.spec b/ipa-server/freeipa-server.spec
index 0519c8191..eaca6ac17 100755
--- a/ipa-server/freeipa-server.spec
+++ b/ipa-server/freeipa-server.spec
@@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears mod_nss
%define httpd_conf /etc/httpd/conf.d
%define plugin_dir %{_libdir}/dirsrv/plugins
diff --git a/ipa-server/freeipa-server.spec.in b/ipa-server/freeipa-server.spec.in
index 914a7c051..1b7e219fc 100644
--- a/ipa-server/freeipa-server.spec.in
+++ b/ipa-server/freeipa-server.spec.in
@@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: fedora-ds-base-devel openldap-devel krb5-devel nss-devel mozldap-devel openssl-devel
-Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears
+Requires: python fedora-ds-base krb5-server krb5-server-ldap nss-tools openldap-clients httpd mod_python mod_auth_kerb python-ldap freeipa-python ntp cyrus-sasl-gssapi nss TurboGears mod_nss
%define httpd_conf /etc/httpd/conf.d
%define plugin_dir %{_libdir}/dirsrv/plugins
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index f970d5ef8..eb295e76c 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -43,6 +43,7 @@ from optparse import OptionParser
import ipaserver.dsinstance
import ipaserver.krbinstance
import ipaserver.bindinstance
+import ipaserver.httpinstance
from ipa.ipautil import run
def parse_options():
@@ -387,8 +388,8 @@ def main():
print "To accept the default shown in brackets, press the Enter key."
print ""
- check_ports()
check_existing_installation()
+ check_ports()
options = parse_options()
logging_setup(options)
@@ -508,6 +509,10 @@ def main():
krb = ipaserver.krbinstance.KrbInstance()
krb.create_instance(ds_user, realm_name, host_name, dm_password, master_password)
+ # Create a HTTP instance
+ http = ipaserver.httpinstance.HTTPInstance()
+ http.create_instance()
+
bind.setup(host_name, ip_address, realm_name)
if options.setup_bind:
skipbind = False
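Review bot: `http.create_instance()` on the added lines runs with no error handling, and create_instance itself (new file ipa-server/ipaserver/httpinstance.py in this commit) wraps the httpd restart in a bare `except:` that only prints "Failed to restart httpd", so main() proceeds to the bind setup and finishes as a successful install even when httpd did not come back up with mod_nss. A bare `except:` also swallows KeyboardInterrupt and SystemExit, so an operator cannot even abort at that point. Either let create_instance propagate the failure (`except Exception, e:` / `logging.error("Failed to restart httpd: %s", e)` / `raise`) and handle it here, or have it return a status that this call site checks before continuing. The enclosing main() starts and ends outside this hunk, so how other instance failures are treated there is not visible here.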
diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
new file mode 100644
index 000000000..818682785
--- /dev/null
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -0,0 +1,76 @@
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import subprocess
+import string
+import tempfile
+import shutil
+import logging
+import pwd
+from ipa.ipautil import *
+import fileinput
+import sys
+
+HTTPD_DIR = "/etc/httpd"
+SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
+NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
+
+def update_file(filename, orig, subst):
+ if os.path.exists(filename):
+ pattern = "%s" % re.escape(orig)
+ p = re.compile(pattern)
+ for line in fileinput.input(filename, inplace=1):
+ if not p.search(line):
+ sys.stdout.write(line)
+ else:
+ sys.stdout.write(p.sub(subst, line))
+ fileinput.close()
+
+class HTTPInstance:
+ def __init__(self):
+ pass
+
+ def create_instance(self):
+ self.__disable_mod_ssl()
+ self.__set_mod_nss_port()
+ try:
+ self.restart()
+ except:
+ # TODO: roll back here?
+ print "Failed to restart httpd"
+
+ def stop(self):
+ run(["/sbin/service", "httpd", "stop"])
+
+ def start(self):
+ run(["/sbin/service", "httpd", "start"])
+
+ def restart(self):
+ run(["/sbin/service", "httpd", "restart"])
+
+ def __disable_mod_ssl(self):
+ logging.debug("disabling mod_ssl in httpd")
+ if os.path.exists(SSL_CONF):
+ os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF)
+ logging.debug("done disabling mod_ssl")
+
+ def __set_mod_nss_port(self):
+ logging.debug("Setting mod_nss port to 443")
+ update_file(NSS_CONF, '8443', '443')
+ logging.debug("done setting mod_nss port")
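Review bot: update_file is a silent no-op when the file is missing (the `if os.path.exists(filename):` guard has no else branch), so `__set_mod_nss_port` logs "done setting mod_nss port" and create_instance restarts httpd even if /etc/httpd/conf.d/nss.conf is absent; by that point `__disable_mod_ssl` has already renamed ssl.conf away, leaving httpd with no TLS configuration and nothing in the log to say so. Treat the missing file as an error before the update_file call, e.g. `if not os.path.exists(NSS_CONF):` / `raise IOError("%s not found; is mod_nss installed?" % NSS_CONF)`. Separately, `os` and `re` are used in update_file and `__disable_mod_ssl` but never imported explicitly; they only reach the module through `from ipa.ipautil import *`, so add `import os` and `import re` alongside the other imports rather than depending on what ipautil happens to re-export. Note also that `p.sub(subst, line)` rewrites every occurrence of `8443` on a matching line, not only the directive's port value, which is presumably fine for the shipped nss.conf but worth a comment on update_file.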