From 1c3849eb576dc9d4cd3d4a39aff9da78be0ddcba Mon Sep 17 00:00:00 2001
From: Karl MacMillan <kmacmill@redhat.com>
Date: Wed, 12 Dec 2007 11:19:42 -0500
Subject: User provided certs.

---
 ipa-server/ipaserver/httpinstance.py | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

(limited to 'ipa-server/ipaserver/httpinstance.py')

diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index 1799cca0..de0b3af8 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -29,6 +29,7 @@ import time
 import service
 import certs
 import dsinstance
+import installutils
 from ipa.ipautil import *
 
 HTTPD_DIR = "/etc/httpd"
@@ -43,21 +44,6 @@ successfully change with the command:
 Try updating the policycoreutils and selinux-policy packages.
 """
 
-def update_file(filename, orig, subst):
-    if os.path.exists(filename):
-        pattern = "%s" % re.escape(orig)
-        p = re.compile(pattern)
-        for line in fileinput.input(filename, inplace=1):
-            if not p.search(line):
-                sys.stdout.write(line)
-            else:
-                sys.stdout.write(p.sub(subst, line))
-        fileinput.close()
-        return 0
-    else:
-        print "File %s doesn't exist." % filename
-        return 1
-
 class HTTPInstance(service.Service):
     def __init__(self):
         service.Service.__init__(self, "httpd")
@@ -145,7 +131,7 @@ class HTTPInstance(service.Service):
 
     def __set_mod_nss_port(self):
         self.step("Setting mod_nss port to 443")
-        if update_file(NSS_CONF, '8443', '443') != 0:
+        if installutils.update_file(NSS_CONF, '8443', '443') != 0:
             print "Updating %s failed." % NSS_CONF
 
     def __setup_ssl(self):
-- 
cgit 


From 6390db3502eaee385cb990eef723bc4f27a633c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 12 Dec 2007 09:36:32 -0500
Subject: Add automatic browser configuration for kerberos SSO using
 javascript. This uses the UniversalPreferencesWrite function to set the
 browser preferences to allow negotiation and ticket forwarding in the IPA
 domain. A self-signed certificate is generated to sign the javascript.

---
 ipa-server/ipaserver/httpinstance.py | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

(limited to 'ipa-server/ipaserver/httpinstance.py')

diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index de0b3af8..a131faed 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -25,6 +25,7 @@ import pwd
 import fileinput
 import sys
 import time
+import shutil
 
 import service
 import certs
@@ -49,9 +50,10 @@ class HTTPInstance(service.Service):
         service.Service.__init__(self, "httpd")
 
     def create_instance(self, realm, fqdn):
-        self.sub_dict = { "REALM" : realm, "FQDN":  fqdn }
         self.fqdn = fqdn
         self.realm = realm
+        self.domain = fqdn[fqdn.find(".")+1:]
+        self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
         
         self.start_creation(7, "Configuring the web interface")
         
@@ -60,6 +62,7 @@ class HTTPInstance(service.Service):
         self.__configure_http()
         self.__create_http_keytab()
         self.__setup_ssl()
+        self.__setup_autoconfig()
 
         self.step("restarting httpd")
         self.restart()
@@ -141,4 +144,31 @@ class HTTPInstance(service.Service):
         ds_ca.cur_serial = 2000
         ca.create_from_cacert(ds_ca.cacert_fname)
         ca.create_server_cert("Server-Cert", "cn=%s,ou=Apache Web Server" % self.fqdn, ds_ca)
-        
+        ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
+
+    def __setup_autoconfig(self):
+        prefs_txt = template_file(SHARE_DIR + "preferences.html.template", self.sub_dict)
+        prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
+        prefs_fd.write(prefs_txt)
+        prefs_fd.close()                
+
+        # The signing cert is generated in __setup_ssl
+        ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm))
+        ca = certs.CertDB(NSS_DIR)
+
+        # Publish the CA certificate
+        shutil.copy(ds_ca.cacert_fname, "/usr/share/ipa/html/ca.crt")
+        os.chmod("/usr/share/ipa/html/ca.crt", 0444)
+
+        try:
+            shutil.rmtree("/tmp/ipa")
+        except:
+            pass
+        os.mkdir("/tmp/ipa")
+        shutil.copy("/usr/share/ipa/html/preferences.html", "/tmp/ipa")
+
+        ca.run_signtool(["-k", "Signing-Cert",
+                         "-Z", "/usr/share/ipa/html/configure.jar",
+                         "-e", ".html",
+                         "/tmp/ipa"])
+        shutil.rmtree("/tmp/ipa")
-- 
cgit 


From 2a036abe7a601bbc8e65bbe4ab7c489b81db0eb5 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin <markmc@redhat.com>
Date: Thu, 13 Dec 2007 09:31:28 +0000
Subject: More ipautil fixing

Recently, dsinstance and krbinstance was fixed to
not import * from ipautil; do the same for the
rest of ipaserver.

Signed-off-by: Mark McLoughlin <markmc@redhat.com>
---
 ipa-server/ipaserver/httpinstance.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'ipa-server/ipaserver/httpinstance.py')

diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index a131faed..8a7c527a 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -17,6 +17,8 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 
+import os
+import os.path
 import subprocess
 import string
 import tempfile
@@ -31,7 +33,7 @@ import service
 import certs
 import dsinstance
 import installutils
-from ipa.ipautil import *
+from ipa import ipautil
 
 HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
@@ -77,7 +79,7 @@ class HTTPInstance(service.Service):
         selinux=0
         try:
             if (os.path.exists('/usr/sbin/selinuxenabled')):
-                run(["/usr/sbin/selinuxenabled"])
+                ipautil.run(["/usr/sbin/selinuxenabled"])
                 selinux=1
         except ipautil.CalledProcessError:
             # selinuxenabled returns 1 if not enabled
@@ -87,14 +89,14 @@ class HTTPInstance(service.Service):
             # Allow apache to connect to the turbogears web gui
             # This can still fail even if selinux is enabled
             try:
-                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
             except:
                 self.print_msg(selinux_warning)
                 
     def __create_http_keytab(self):
         self.step("creating a keytab for httpd")
         try:
-            if file_exists("/etc/httpd/conf/ipa.keytab"):
+            if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
                 os.remove("/etc/httpd/conf/ipa.keytab")
         except os.error:
             print "Failed to remove /etc/httpd/conf/ipa.keytab."
@@ -109,7 +111,7 @@ class HTTPInstance(service.Service):
 
         # give kadmin time to actually write the file before we go on
 	retry = 0
-        while not file_exists("/etc/httpd/conf/ipa.keytab"):
+        while not ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
             time.sleep(1)
             retry += 1
             if retry > 15:
@@ -121,7 +123,7 @@ class HTTPInstance(service.Service):
 
     def __configure_http(self):
         self.step("configuring httpd")
-        http_txt = template_file(SHARE_DIR + "ipa.conf", self.sub_dict)
+        http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
         http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
         http_fd.write(http_txt)
         http_fd.close()                
@@ -147,7 +149,7 @@ class HTTPInstance(service.Service):
         ca.create_signing_cert("Signing-Cert", "cn=%s,ou=Signing Certificate,o=Identity Policy Audit" % self.fqdn, ds_ca)
 
     def __setup_autoconfig(self):
-        prefs_txt = template_file(SHARE_DIR + "preferences.html.template", self.sub_dict)
+        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
         prefs_fd = open("/usr/share/ipa/html/preferences.html", "w")
         prefs_fd.write(prefs_txt)
         prefs_fd.close()                
-- 
cgit 


From 6976f92862c1dba3f7a25baa1893c41a67590b23 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin <markmc@redhat.com>
Date: Thu, 13 Dec 2007 09:31:28 +0000
Subject: Refactor krbinstance and dsinstance creation steps

Creation steps are currently done with:

  self.start_creation(2, "Create foo")
  self.step("do foo")
  self.foo()
  self.step("do bar")
  self.bar()
  self.done_creation()

This patch refactors that into the much more
straightforward:

  self.step("do foo", self.foo)
  self.step("do bar", self.bar)
  self.start_creation("Create foo")

Signed-off-by: Mark McLoughlin <markmc@redhat.com>
---
 ipa-server/ipaserver/httpinstance.py | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)

(limited to 'ipa-server/ipaserver/httpinstance.py')

diff --git a/ipa-server/ipaserver/httpinstance.py b/ipa-server/ipaserver/httpinstance.py
index 8a7c527a..d0329cca 100644
--- a/ipa-server/ipaserver/httpinstance.py
+++ b/ipa-server/ipaserver/httpinstance.py
@@ -57,25 +57,19 @@ class HTTPInstance(service.Service):
         self.domain = fqdn[fqdn.find(".")+1:]
         self.sub_dict = { "REALM" : realm, "FQDN": fqdn, "DOMAIN" : self.domain }
         
-        self.start_creation(7, "Configuring the web interface")
-        
-        self.__disable_mod_ssl()
-        self.__set_mod_nss_port()
-        self.__configure_http()
-        self.__create_http_keytab()
-        self.__setup_ssl()
-        self.__setup_autoconfig()
-
-        self.step("restarting httpd")
-        self.restart()
-
-        self.step("configuring httpd to start on boot")
-        self.chkconfig_on()
-
-        self.done_creation()
+        self.step("disabling mod_ssl in httpd", self.__disable_mod_ssl)
+        self.step("Setting mod_nss port to 443", self.__set_mod_nss_port)
+        self.step("configuring httpd", self.__configure_http)
+        self.step("creating a keytab for httpd", self.__create_http_keytab)
+        self.step("Setting up ssl", self.__setup_ssl)
+        self.step("Setting up browser autoconfig", self.__setup_autoconfig)
+        self.step("configuring SELinux for httpd", self.__selinux_config)
+        self.step("restarting httpd", self.restart)
+        self.step("configuring httpd to start on boot", self.chkconfig_on)
+
+        self.start_creation("Configuring the web interface")
 
     def __selinux_config(self):
-        self.step("configuring SELinux for httpd")
         selinux=0
         try:
             if (os.path.exists('/usr/sbin/selinuxenabled')):
@@ -94,7 +88,6 @@ class HTTPInstance(service.Service):
                 self.print_msg(selinux_warning)
                 
     def __create_http_keytab(self):
-        self.step("creating a keytab for httpd")
         try:
             if ipautil.file_exists("/etc/httpd/conf/ipa.keytab"):
                 os.remove("/etc/httpd/conf/ipa.keytab")
@@ -122,7 +115,6 @@ class HTTPInstance(service.Service):
         os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 
     def __configure_http(self):
-        self.step("configuring httpd")
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
         http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
         http_fd.write(http_txt)
@@ -130,17 +122,14 @@ class HTTPInstance(service.Service):
 
 
     def __disable_mod_ssl(self):
-        self.step("disabling mod_ssl in httpd")
         if os.path.exists(SSL_CONF):
             os.rename(SSL_CONF, "%s.moved_by_ipa" % SSL_CONF)
 
     def __set_mod_nss_port(self):
-        self.step("Setting mod_nss port to 443")
         if installutils.update_file(NSS_CONF, '8443', '443') != 0:
             print "Updating %s failed." % NSS_CONF
 
     def __setup_ssl(self):
-        self.step("Setting up ssl")
         ds_ca = certs.CertDB(dsinstance.config_dirname(self.realm))
         ca = certs.CertDB(NSS_DIR)
         ds_ca.cur_serial = 2000
-- 
cgit