authorSimo Sorce <simo@redhat.com>2016-11-29 11:10:22 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitd2f5fc304f1938d23171ae330fa20b213ceed54e (patch)
treeb77e05211632aef8e08cb3cd937d8498d9391ed5
parentb6741d81e187fc84177c12ef8ad900d3b5cda6a4 (diff)
Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--freeipa.spec.in3
-rw-r--r--init/systemd/ipa.service.in1
-rw-r--r--install/Makefile.am1
-rw-r--r--install/conf/ipa.conf2
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/gssproxy.conf.template8
-rw-r--r--install/share/ipa-httpd.conf.template2
-rw-r--r--ipaplatform/base/constants.py1
-rw-r--r--ipaplatform/base/paths.py6
-rw-r--r--ipaplatform/base/services.py2
-rw-r--r--ipaplatform/redhat/services.py1
-rw-r--r--ipaplatform/redhat/tasks.py15
-rw-r--r--ipaserver/install/httpinstance.py24
-rw-r--r--ipaserver/install/ipa_backup.py2
-rw-r--r--ipaserver/install/ipa_restore.py2
-rw-r--r--ipaserver/install/server/upgrade.py10
-rw-r--r--ipaserver/install/service.py3
-rw-r--r--ipatests/test_integration/tasks.py2
-rw-r--r--ipatests/test_integration/test_caless.py4
-rw-r--r--ipatests/test_integration/test_trust.py4
20 files changed, 70 insertions, 24 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8a050cc5f..a65b9bcf1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -259,6 +259,8 @@ Requires: systemd-python
Requires: %{etc_systemd_dir}
Requires: gzip
Requires: oddjob
+# Require 0.6.0 for the new delegation access control features
+Requires: gssproxy >= 0.6.0
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@@ -1271,6 +1273,7 @@ fi
%{_usr}/share/ipa/updates/*
%dir %{_localstatedir}/lib/ipa
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
diff --git a/init/systemd/ipa.service.in b/init/systemd/ipa.service.in
index 9acd587e5..4c924d5ed 100644
--- a/init/systemd/ipa.service.in
+++ b/init/systemd/ipa.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=Identity, Policy, Audit
Requires=network.target
+Requires=gssproxy.service
After=network.target
[Service]
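Review bot: `Requires=gssproxy.service` on its own declares a dependency but not an ordering, so systemd may start ipa.service (and the httpd it brings up with GSS_USE_PROXY=yes) before gssproxy has its socket ready. The unit already pairs `Requires=network.target` with `After=network.target`; the same pairing is needed here, `After=network.target gssproxy.service`. Whether httpd.service itself gets an ordering against gssproxy via the drop-in is not visible in this commit, so an explicit After= in this unit is the safe choice.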
diff --git a/install/Makefile.am b/install/Makefile.am
index 845e751d6..f895bccd2 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -21,6 +21,7 @@ SUBDIRS = \
install-exec-local:
$(INSTALL) -d -m 700 $(DESTDIR)$(IPA_SYSCONF_DIR)/custodia
$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/backup
+ $(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/gssproxy
$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index ce2ea74a1..c1b10d035 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -69,8 +69,6 @@ WSGIScriptReloading Off
SessionHeader IPASESSION
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
- GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
- GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/ipa/ccaches
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index bb09c9882..c58e1d2dd 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,7 @@ dist_app_DATA = \
ipa-httpd.conf.template \
gssapi.login \
ipa.conf.tmpfiles \
+ gssproxy.conf.template \
$(NULL)
kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
new file mode 100644
index 000000000..cb5775de6
--- /dev/null
+++ b/install/share/gssproxy.conf.template
@@ -0,0 +1,8 @@
+#Installed and maintained by ipa update tools, please do not modify
+[service/ipa-httpd]
+ mechs = krb5
+ cred_store = keytab:$HTTP_KEYTAB
+ cred_store = client_keytab:$HTTP_KEYTAB
+ allow_protocol_transition = true
+ cred_usage = both
+ euid = $HTTPD_USER
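Review bot: The template consumes `$HTTP_KEYTAB` and `$HTTPD_USER` but never `$HTTP_CCACHE`, while the substitution dict in ipaplatform/redhat/tasks.py (the configure_http_gssproxy_conf hunk) passes HTTP_CCACHE=paths.HTTP_CCACHE; either that key is dead and should be dropped, or the intent was a `cred_store = ccache:$HTTP_CCACHE` line here so that the ccache remove_httpd_ccaches deletes is the one gssproxy actually writes. The two security-relevant keys also deserve a line each of explanation in the file, since it is installed under /etc/gssproxy and read by administrators: above `allow_protocol_transition = true` something like `# needed for GssapiUseS4U2Proxy in ipa.conf (gssproxy >= 0.6.0)`, and above `euid` a note that only processes running as that uid may use this service entry. Finally, `#Installed` wants a space after the hash to match the other IPA-managed templates.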
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index a907d73cc..8822066ba 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
# Do not edit. Created by IPA installer.
[Service]
-Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=GSS_USE_PROXY=yes
Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
ExecStartPre=$IPA_HTTPD_KDCPROXY
ExecStopPost=$POST
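Review bot: Dropping `Environment=KRB5CCNAME=$KRB5CC_HTTPD` changes what `ExecStopPost=$POST` acts on: per the tasks.py hunk that removes KRB5CC_HTTPD, POST is still `-{kdestroy} -A`, and with no KRB5CCNAME in the unit environment `kdestroy -A` now targets the default credential cache of whatever user runs the unit (presumably root, if httpd.service sets no User=), not an httpd-specific one. Since this commit moves ccache cleanup into HTTPInstance.remove_httpd_ccaches and gssproxy now owns the HTTP credentials, the ExecStopPost line and the POST entry in tasks.py should be removed together, or KRB5CCNAME should be pointed explicitly at a cache that httpd still owns.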
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 3e1c4c6f7..3984147b6 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -11,6 +11,7 @@ class BaseConstantsNamespace(object):
DS_USER = 'dirsrv'
DS_GROUP = 'dirsrv'
HTTPD_USER = "apache"
+ GSSPROXY_USER = "root"
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
KDCPROXY_USER = "kdcproxy"
NAMED_USER = "named"
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 374a1987b..28db7f1fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -49,7 +49,8 @@ class BasePathNamespace(object):
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
- IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+ OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+ HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
IDMAPD_CONF = "/etc/idmapd.conf"
@@ -328,7 +329,7 @@ class BasePathNamespace(object):
IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
IPA_CCACHES = "/var/run/ipa/ccaches"
- KRB5CC_HTTPD = "/var/run/ipa/ccaches/http.ccache"
+ HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache"
IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
SVC_LIST_FILE = "/var/run/ipa/services.list"
KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
@@ -349,5 +350,6 @@ class BasePathNamespace(object):
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
+ GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
path_namespace = BasePathNamespace
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 9c9a5ae78..8149ff1ef 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -42,7 +42,7 @@ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname',
- 'named', 'ods_enforcerd', 'ods_signerd']
+ 'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy']
# The common ports for these services. This is used to wait for the
# service to become available.
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index cc5d67477..5d8e1ecaa 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -68,6 +68,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
+redhat_system_units['gssproxy'] = 'gssproxy.service'
# Service classes that implement Red Hat OS family-specific behaviour
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 1191acd07..c9b1c49aa 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -451,7 +451,6 @@ class RedHatTaskNamespace(BaseTaskNamespace):
os.path.join(paths.USR_SHARE_IPA_DIR, 'ipa-httpd.conf.template'),
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
dict(
- KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
@@ -461,6 +460,20 @@ class RedHatTaskNamespace(BaseTaskNamespace):
os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ def configure_http_gssproxy_conf(self):
+ ipautil.copy_template_file(
+ os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
+ paths.GSSPROXY_CONF,
+ dict(
+ HTTP_KEYTAB=paths.HTTP_KEYTAB,
+ HTTP_CCACHE=paths.HTTP_CCACHE,
+ HTTPD_USER=constants.HTTPD_USER
+ )
+ )
+
+ os.chmod(paths.GSSPROXY_CONF, 0o600)
+ self.restore_context(paths.GSSPROXY_CONF)
+
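Review bot: configure_http_gssproxy_conf lacks a docstring while its sibling remove_httpd_service_ipa_conf directly below has one; add `"""Write the gssproxy service entry for httpd from the template and restore its SELinux context"""`. The `HTTP_CCACHE=paths.HTTP_CCACHE` entry in the substitution dict is not referenced by gssproxy.conf.template in this commit, so either remove it or add the corresponding line to the template. A short comment on the `os.chmod(..., 0o600)` line saying why the file is root-only (it names the keytab location and the uid allowed to use it) would help the next reader.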
def remove_httpd_service_ipa_conf(self):
"""Remove systemd config for httpd service of IPA"""
try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index d07b32253..dddf097c0 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -129,10 +129,11 @@ class HTTPInstance(service.Service):
api=api,
service_prefix=u'HTTP',
service_user=HTTPD_USER,
- keytab=paths.IPA_KEYTAB)
+ keytab=paths.HTTP_KEYTAB)
self.cert_nickname = cert_nickname
self.ca_is_configured = True
+ self.keytab_user = constants.GSSPROXY_USER
subject_base = ipautil.dn_attribute_property('_subject_base')
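Review bot: `self.keytab_user = constants.GSSPROXY_USER` is the line that makes the HTTP keytab root-owned instead of apache-owned, which is the actual privilege boundary this change introduces, and it deserves a why-comment: `# the keytab is read by gssproxy (running as GSSPROXY_USER), not by httpd, so httpd must not be able to read it`. Without the comment a later maintainer could plausibly "fix" the ownership back to service_user.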
@@ -169,13 +170,15 @@ class HTTPInstance(service.Service):
self.step("configuring httpd", self.__configure_http)
self.step("setting up httpd keytab", self._request_service_keytab)
self.step("retrieving anonymous keytab", self.request_anon_keytab)
+ self.step("configuring Gssproxy", self.configure_gssproxy)
self.step("setting up ssl", self.__setup_ssl)
if self.ca_is_configured:
self.step("configure certmonger for renewals",
self.configure_certmonger_renewal_guard)
self.step("importing CA certificates from LDAP", self.__import_ca_certs)
self.step("publish CA cert", self.__publish_ca_cert)
- self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+ self.step("clean up any existing httpd ccaches",
+ self.remove_httpd_ccaches)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
if not self.is_kdcproxy_configured():
self.step("create KDC proxy user", create_kdcproxy_user)
@@ -205,13 +208,13 @@ class HTTPInstance(service.Service):
except ipapython.errors.SetseboolError as e:
self.print_msg(e.format_service_warning('web interface'))
- def remove_httpd_ccache(self):
- # Clean up existing ccache
+ def remove_httpd_ccaches(self):
+ # Clean up existing ccaches
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
- ipautil.run(
- [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
- env={})
+ installutils.remove_file(paths.HTTP_CCACHE)
+ for f in os.listdir(paths.IPA_CCACHES):
+ os.remove(os.path.join(paths.IPA_CCACHES, f))
def __configure_http(self):
self.update_httpd_service_ipa_conf()
@@ -235,6 +238,10 @@ class HTTPInstance(service.Service):
http_fd.close()
os.chmod(target_fname, 0o644)
+ def configure_gssproxy(self):
+ tasks.configure_http_gssproxy_conf()
+ services.knownservices.gssproxy.restart()
+
def change_mod_nss_port_from_http(self):
# mod_ssl enforces SSLEngine on for vhost on 443 even though
# the listener is mod_nss. This then crashes the httpd as mod_nss
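Review bot: configure_gssproxy is a public step invoked both from the installer step list and from upgrade.py, yet has no docstring; `"""Install the IPA gssproxy service config and restart gssproxy so httpd picks it up"""` states the contract. It may also be worth noting in a comment that the restart is unconditional, so upgrade runs will bounce gssproxy even when the rendered file did not change; if that matters, comparing the rendered template against the existing file before restarting would avoid it.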
@@ -541,8 +548,7 @@ class HTTPInstance(service.Service):
root_logger.debug(error)
installutils.remove_keytab(self.keytab)
- installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
- run_as=self.service_user)
+ installutils.remove_file(paths.HTTP_CCACHE)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
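Review bot: The uninstall path here removes the keytab and ccache but, as far as this hunk shows, not `paths.GSSPROXY_CONF`, so after uninstall /etc/gssproxy would still carry a service entry pointing at a deleted keytab and granting protocol transition to the httpd uid; if it is not removed elsewhere in the method (the block continues outside the hunk), add `installutils.remove_file(paths.GSSPROXY_CONF)` next to the other config removals and restart gssproxy afterwards. Leaving stale gssproxy entries behind is a configuration residue an operator would not expect from a clean uninstall.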
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 4ba61e529..b2f2e2a9f 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -141,7 +141,7 @@ class Backup(admintool.AdminTool):
paths.OPENLDAP_LDAP_CONF,
paths.LIMITS_CONF,
paths.HTTPD_PASSWORD_CONF,
- paths.IPA_KEYTAB,
+ paths.HTTP_KEYTAB,
paths.HTTPD_IPA_KDCPROXY_CONF,
paths.HTTPD_IPA_PKI_PROXY_CONF,
paths.HTTPD_IPA_REWRITE_CONF,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 89cf9e609..d798654ea 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -413,7 +413,7 @@ class Restore(admintool.AdminTool):
self.log.info('Restarting SSSD')
sssd = services.service('sssd', api)
sssd.restart()
- http.remove_httpd_ccache()
+ http.remove_httpd_ccaches()
finally:
try:
os.chdir(cwd)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 80abeba53..6919f521e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1431,6 +1431,14 @@ def update_ipa_httpd_service_conf(http):
http.update_httpd_service_ipa_conf()
+def update_http_keytab(http):
+ root_logger.info('[Moving HTTPD service keytab to gssproxy]')
+ if os.path.exists(paths.OLD_IPA_KEYTAB):
+ shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
+ pent = pwd.getpwnam(http.keytab_user)
+ os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
+
+
def ds_enable_sidgen_extdom_plugins(ds):
"""For AD trust agents, make sure we enable sidgen and extdom plugins
"""
@@ -1629,6 +1637,8 @@ def upgrade_configuration():
update_mod_nss_cipher_suite(http)
fix_trust_flags()
export_kra_agent_pem()
+ update_http_keytab(http)
+ http.configure_gssproxy()
http.start()
uninstall_selfsign(ds, http)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fe6defc9c..b9d1ffc63 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -166,6 +166,7 @@ class Service(object):
self.dercert = None
self.api = api
self.service_user = service_user
+ self.keytab_user = service_user
self.dm_password = None # silence pylint
self.promote = False
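Review bot: `self.keytab_user = service_user` introduces a second identity attribute whose purpose is only clear once you have read httpinstance.py, where it is overridden with GSSPROXY_USER; a trailing comment such as `# owner of the keytab file; subclasses override this when another process (gssproxy) reads the keytab on the service's behalf` would keep service.py self-explanatory. The chown in the second hunk of this file is the only consumer, so the comment can point at it.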
@@ -584,7 +585,7 @@ class Service(object):
self._add_service_principal()
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
- pent = pwd.getpwnam(self.service_user)
+ pent = pwd.getpwnam(self.keytab_user)
os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index f6fa45140..95234506d 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -474,7 +474,7 @@ def establish_trust_with_ad(master, ad_domain, extra_args=()):
"""
# Force KDC to reload MS-PAC info by trying to get TGT for HTTP
- master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+ master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
'HTTP/%s' % master.hostname])
master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
master.run_command(['kdestroy', '-A'])
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index e47984cf7..c0f4080a9 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1169,7 +1169,7 @@ class TestIPACommands(CALessBase):
'--certificate', self.client_pem])
self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
'-p' "host/%s" % self.test_hostname,
- '-k', paths.IPA_KEYTAB])
+ '-k', paths.HTTP_KEYTAB])
try:
yield
finally:
@@ -1186,7 +1186,7 @@ class TestIPACommands(CALessBase):
self.master.run_command(['ipa-getkeytab', '-s',
self.master.hostname,
'-p', self.test_service,
- '-k', paths.IPA_KEYTAB])
+ '-k', paths.HTTP_KEYTAB])
yield
def test_service_mod_doesnt_revoke(self):
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 06bc4935b..b32e0ab97 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -334,7 +334,7 @@ class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase):
"""
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
- self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+ self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
'HTTP/%s' % self.master.hostname])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])
@@ -401,7 +401,7 @@ class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
"""
def test_establish_trust(self):
""" Tests establishing non-external trust with Active Directory """
- self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+ self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
'HTTP/%s' % self.master.hostname])
self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
self.master.run_command(['kdestroy', '-A'])