From 415295a6f68f4c797529e19a3f0cf956619d4bed Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Dec 14 2018 08:53:01 +0000
Subject: Allow HTTPd user to access SSSD IFP

For smart card and certificate authentication, Apache's mod_lookup_identity module must be able to acess SSSD IFP. The module accesses IFP as Apache user, not as ipaapi user. Apache is not allowed to use IFP by default. The update code uses the service's ok-to-auth-as-delegate flag to detect smart card / cert auth.

See: https://pagure.io/freeipa/issue/7751

Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index f9b003e..6125588 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -47,6 +47,7 @@ from ipalib.util import (
     verify_host_resolvable,
 )
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipapython import certdb, kernel_keyring, ipaldap, ipautil
@@ -1038,8 +1039,13 @@ def sssd_enable_service(sssdconfig, name):
     return sssdconfig.get_service(name)
 
 
-def sssd_enable_ifp(sssdconfig):
+def sssd_enable_ifp(sssdconfig, allow_httpd=False):
     """Enable and configure libsss_simpleifp plugin
+
+    Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,
+    the Apache HTTPd user is also allowed to access IFP. For smart card
+    authentication, mod_lookup_identity must be allowed to access user
+    information.
     """
     service = sssd_enable_service(sssdconfig, 'ifp')
     if service is None:
@@ -1058,6 +1064,8 @@ def sssd_enable_ifp(sssdconfig):
     uids.add('root')
     # allow IPA API to access IFP
     uids.add(IPAAPI_USER)
+    if allow_httpd:
+        uids.add(constants.HTTPD_USER)
     service.set_option('allowed_uids', ', '.join(sorted(uids)))
     sssdconfig.save_service(service)
 
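Review bot: The grant in the third hunk of client.py is one-way: `uids.add(constants.HTTPD_USER)` runs only when `allow_httpd` is true, but nothing removes the entry on a later call with `allow_httpd=False`, and `uids` appears to be seeded from the existing `allowed_uids` value (that part of `sssd_enable_ifp` is above the hunk), so once Apache has been granted IFP access it keeps it after the ok-to-auth-as-delegate flag is cleared. If the grant is meant to track the flag, add `else:` / `uids.discard(constants.HTTPD_USER)` after the new branch so each run re-derives the set; if a hand-added entry is meant to survive instead, state that in the docstring added in the second hunk. The remainder of `sssd_enable_ifp` lies outside the hunk.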
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 71bdd36..4de7fd9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1407,8 +1407,17 @@ def sssd_update():
     domain.set_option('ipa_server_mode', 'True')
     domain.set_option('ipa_server', api.env.host)
     sssdconfig.save_domain(domain)
+    # check if service has ok_to_auth_as_delegate
+    service = 'HTTP/{}'.format(api.env.host)
+    result = api.Command.service_show(service, all=True)
+    flag = result['result'].get('ipakrboktoauthasdelegate', False)
+    if flag:
+        logger.debug(
+            "%s has ok_to_auth_as_delegate, allow Apache to access IFP",
+            services
+        )
     # enable and configure IFP plugin
-    sssd_enable_ifp(sssdconfig)
+    sssd_enable_ifp(sssdconfig, allow_httpd=flag)
     # write config and restart service
     sssdconfig.write(paths.SSSD_CONF)
     sssd = services.service('sssd', api)
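Review bot: The new `logger.debug` call passes `services` as its `%s` argument, which is the module-level name used on the last context line (`services.service('sssd', api)`), not the `service` principal string built a few lines earlier, so the log line will show a module repr instead of `HTTP/<host>`; change the argument to `service`. The `api.Command.service_show(service, all=True)` call has no error handling, so if the HTTP service entry cannot be read the exception propagates out of `sssd_update` and the IFP configuration and `sssdconfig.write` below it never run, whereas the safe outcome for this check is to fall back to `allow_httpd=False` and log why. The start of `sssd_update` is outside the hunk.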