From 5f31f2d35f714880230c1a92a322c620e8708eb3 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Tue, 27 May 2014 09:13:59 +0200
Subject: ipaplatform: Do not require custom Authconfig implementations from platform modules
https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin
---
ipaplatform/base/authconfig.py | 102 +++++++++++++++++++++++++++++++++++++++
ipaplatform/base/tasks.py | 18 +++++++
ipaplatform/fedora/authconfig.py | 56 +++++++++++++++++++++
ipaplatform/fedora/tasks.py | 65 +++++++++++++++++++++++++
4 files changed, 241 insertions(+)
create mode 100644 ipaplatform/base/authconfig.py
create mode 100644 ipaplatform/fedora/authconfig.py
(limited to 'ipaplatform')
diff --git a/ipaplatform/base/authconfig.py b/ipaplatform/base/authconfig.py
new file mode 100644
index 000000000..f3f207be7
--- /dev/null
+++ b/ipaplatform/base/authconfig.py
@@ -0,0 +1,102 @@
+# Authors:
+# Alexander Bokovoy
+# Tomas Babej
+#
+# Copyright (C) 2011-2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+class AuthConfig(object):
+ """
+ AuthConfig class implements system-independent interface to configure
+ system authentication resources. In Red Hat systems this is done with
+ authconfig(8) utility.
+
+ AuthConfig class is nothing more than a tool to gather configuration
+ options and execute their processing. These options then converted by
+ an actual implementation to series of a system calls to appropriate
+ utilities performing real configuration.
+
+ IPA *expects* names of AuthConfig's options to follow authconfig(8)
+ naming scheme!
+
+ Actual implementation should be done in ipapython/platform/.py
+ by inheriting from platform.AuthConfig and redefining build_args()
+ and execute() methods.
+
+ from ipapython.platform import platform
+ class PlatformAuthConfig(platform.AuthConfig):
+ def build_args():
+ ...
+
+ def execute():
+ ...
+
+ authconfig = PlatformAuthConfig
+ ....
+
+ See ipapython/platform/redhat.py for a sample implementation that uses
+ authconfig(8) as its backend.
+
+ From IPA code perspective, the authentication configuration should be
+ done with use of ipapython.services.authconfig:
+
+ from ipapython import services as ipaservices
+ auth_config = ipaservices.authconfig()
+ auth_config.disable("ldap")
+ auth_config.disable("krb5")
+ auth_config.disable("sssd")
+ auth_config.disable("sssdauth")
+ auth_config.disable("mkhomedir")
+ auth_config.add_option("update")
+ auth_config.enable("nis")
+ auth_config.add_parameter("nisdomain","foobar")
+ auth_config.execute()
+
+ If you need to re-use existing AuthConfig instance for multiple runs,
+ make sure to call 'AuthConfig.reset()' between the runs.
+ """
+
+ def __init__(self):
+ self.parameters = {}
+
+ def enable(self, option):
+ self.parameters[option] = True
+ return self
+
+ def disable(self, option):
+ self.parameters[option] = False
+ return self
+
+ def add_option(self, option):
+ self.parameters[option] = None
+ return self
+
+ def add_parameter(self, option, value):
+ self.parameters[option] = [value]
+ return self
+
+ def build_args(self):
+ # do nothing
+ return None
+
+ def execute(self):
+ # do nothing
+ return None
+
+ def reset(self):
+ self.parameters = {}
+ return self
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 8719ad1db..7d776deb5 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -60,3 +60,21 @@ def restore_network_configuration(fstore, statestore): def backup_and_replace_hostname(fstore, statestore, hostname): return
+
+
+def restore_pre_ipa_client_configuration(fstore, statestore,
+ was_sssd_installed,
+ was_sssd_configured):
+ return
+
+
+def set_nisdomain(nisdomain):
+ return
+
+
+def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
+ return
+
+
+def modify_pam_to_use_krb5(statestore):
+ return
diff --git a/ipaplatform/fedora/authconfig.py b/ipaplatform/fedora/authconfig.py
new file mode 100644
index 000000000..166a826f7
--- /dev/null
+++ b/ipaplatform/fedora/authconfig.py
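Review bot: The AuthConfig docstring still describes the old layout: it tells implementers to subclass `platform.AuthConfig` under `ipapython/platform/`, points to `ipapython/platform/redhat.py` as the sample, and shows callers using `ipaservices.authconfig()`, while this commit places the class in `ipaplatform/base/authconfig.py` and its Fedora subclass in `ipaplatform/fedora/authconfig.py`. The sample methods are also written as `def build_args():` and `def execute():` without `self`. I would update the paths to the `ipaplatform` ones and add a comment above the two no-op methods such as `# Base build_args()/execute() do nothing and return None; callers cannot tell a skipped configuration from an applied one.`, since a subclass that forgets to override `execute()` would leave the PAM and nsswitch setup untouched without any error.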
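Review bot: The four new task stubs in `ipaplatform/base/tasks.py` have no docstrings, so the contract a platform port must honour can only be learned by reading the Fedora implementation. Nothing here says that `modify_nsswitch_pam_stack` and `modify_pam_to_use_krb5` are expected to record what they enabled in `statestore` under `'authconfig'`, or that `restore_pre_ipa_client_configuration` reads those keys back on uninstall. A short docstring on each, for example `"""Revert the PAM/nsswitch changes recorded under the 'authconfig' statestore module. The base implementation does nothing."""`, would make that explicit. Because the stubs return silently, a platform without overrides will appear to complete client setup with the authentication stack unchanged; that is presumably intended by this commit but worth stating in the docstrings.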
@@ -0,0 +1,56 @@
+# Authors: Simo Sorce
+# Alexander Bokovoy
+# Tomas Babej
+#
+# Copyright (C) 2007-2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from ipapython import ipautil
+from ipaplatform.base.authconfig import AuthConfig
+
+
+class FedoraAuthConfig(AuthConfig):
+ """
+ AuthConfig class implements system-independent interface to configure
+ system authentication resources. In Red Hat-produced systems this is done
+ with authconfig(8) utility.
+ """
+
+ def build_args(self):
+ args = []
+
+ for (option, value) in self.parameters.items():
+ if type(value) is bool:
+ if value:
+ args.append("--enable%s" % (option))
+ else:
+ args.append("--disable%s" % (option))
+ elif type(value) in (tuple, list):
+ args.append("--%s" % (option))
+ args.append("%s" % (value[0]))
+ elif value is None:
+ args.append("--%s" % (option))
+ else:
+ args.append("--%s%s" % (option, value))
+
+ return args
+
+ def execute(self, update=True):
+ if update:
+ self.add_option("update")
+
+ args = self.build_args()
+ ipautil.run(["/usr/sbin/authconfig"] + args)
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py
index 841b3d4e0..46fc08d70 100644
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
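Review bot: The final `else` branch of `build_args()` emits `"--%s%s" % (option, value)`, which joins the option name and value with no separator; the four setters only ever store `True`, `False`, `None` or a one-element list, so this branch is reached only when `parameters` is filled in directly, and it then produces a malformed authconfig flag. I would replace it with `raise ValueError("unsupported value for authconfig option %r: %r" % (option, value))` so a bad entry fails before `/usr/sbin/authconfig` is run. Two smaller points: `execute(self, update=True)` has a different signature from the base `execute(self)`, and it adds `update` to `self.parameters` as a side effect, so a reused instance keeps that option until `reset()` is called; a comment on `execute()` should say so. The value appended in the list branch becomes its own argv element with no check for a leading `-`, which matters only if callers ever pass values they do not control.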
@@ -25,6 +25,7 @@ This module contains default Fedora-specific implementations of system tasks. import os import ipautil +from ipaplatform.fedora.authconfig import FedoraAuthConfig from ipaplatform.base.tasks import * 
@@ -76,3 +77,67 @@ def check_selinux_status(restorecon='/sbin/restorecon'): raise RuntimeError('SELinux is enabled but %s does not exist.\n' 'Install the policycoreutils package and start the ' 'installation again.' % restorecon)
+
+
+def restore_pre_ipa_client_configuration(fstore, statestore,
+ was_sssd_installed,
+ was_sssd_configured):
+
+ auth_config = FedoraAuthConfig()
+ if statestore.has_state('authconfig'):
+ # disable only those configurations that we enabled during install
+ for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
+ cnf = statestore.restore_state('authconfig', conf)
+ # Do not disable sssd, as this can cause issues with its later
+ # uses. Remove it from statestore however, so that it becomes
+ # empty at the end of uninstall process.
+ if cnf and conf != 'sssd':
+ auth_config.disable(conf)
+ else:
+ # There was no authconfig status store
+ # It means the code was upgraded after original install
+ # Fall back to old logic
+ auth_config.disable("ldap")
+ auth_config.disable("krb5")
+ if not(was_sssd_installed and was_sssd_configured):
+ # Only disable sssdauth. Disabling sssd would cause issues
+ # with its later uses.
+ auth_config.disable("sssdauth")
+ auth_config.disable("mkhomedir")
+
+ auth_config.execute()
+
+
+def set_nisdomain(nisdomain):
+ # Let authconfig setup the permanent configuration
+ auth_config = FedoraAuthConfig()
+ auth_config.add_parameter("nisdomain", nisdomain)
+ auth_config.execute()
+
+
+def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
+ auth_config = FedoraAuthConfig()
+
+ if sssd:
+ statestore.backup_state('authconfig', 'sssd', True)
+ statestore.backup_state('authconfig', 'sssdauth', True)
+ auth_config.enable("sssd")
+ auth_config.enable("sssdauth")
+ else:
+ statestore.backup_state('authconfig', 'ldap', True)
+ auth_config.enable("ldap")
+ auth_config.enable("forcelegacy")
+
+ if mkhomedir:
+ statestore.backup_state('authconfig', 'mkhomedir', True)
+ auth_config.enable("mkhomedir")
+
+ auth_config.execute()
+
+
+def modify_pam_to_use_krb5(statestore):
+ auth_config = FedoraAuthConfig()
+ statestore.backup_state('authconfig', 'krb5', True)
+ auth_config.enable("krb5")
+ auth_config.add_option("nostart")
+ auth_config.execute()
-- cgit
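Review bot: In `modify_nsswitch_pam_stack` the non-SSSD branch enables `forcelegacy` but never records it in `statestore`, and `restore_pre_ipa_client_configuration` only iterates over `('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir')`, so that setting stays enabled after uninstall. If that is not intentional, add `statestore.backup_state('authconfig', 'forcelegacy', True)` next to the `enable("forcelegacy")` call and include `'forcelegacy'` in the restore tuple. Separately, `backup_state(..., True)` is written before `auth_config.execute()` and always stores `True` rather than the prior setting, so the comment `# disable only those configurations that we enabled during install` holds only if none of these options was already on before the client was installed; otherwise uninstall would switch off an option the administrator had enabled. `fstore` is unused in `restore_pre_ipa_client_configuration`, and none of the four functions has a docstring.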