From c68d14b6be858523c06939c2e7f4f4e3de3221de Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Jul 30 2020 11:06:01 +0000
Subject: Convert ipa-httpd-pwdreader into Python script and use paths from ipaplatform.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
Reviewed-By: Francois Cami
---
diff --git a/.gitignore b/.gitignore
index 4cedb1f..cdb73b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -129,6 +129,7 @@ makeaci
 makeapi
 client/ipa-certupdate
 client/ipa-client-automount
+client/certbot-dns-ipa
 client/ipa-client-install
 client/ipa-client-samba
 client/ipa-epn
@@ -152,6 +153,7 @@ install/restart_scripts/renew_ra_cert_pre
 install/restart_scripts/restart_dirsrv
 install/restart_scripts/restart_httpd
 install/restart_scripts/stop_pkicad
+install/tools/ipa-acme-manage
 install/tools/ipa-adtrust-install
 install/tools/ipa-advise
 install/tools/ipa-backup
@@ -166,6 +168,7 @@ install/tools/ipa-custodia
 install/tools/ipa-custodia-check
 install/tools/ipa-dns-install
 install/tools/ipa-httpd-kdcproxy
+install/tools/ipa-httpd-pwdreader
 install/tools/ipa-kra-install
 install/tools/ipa-ldap-updater
 install/tools/ipa-managed-entries
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 12562e4..12bc44d 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -33,6 +33,7 @@ dist_noinst_DATA = \
  ipa-custodia.in \
  ipa-custodia-check.in \
  ipa-httpd-kdcproxy.in \
+ ipa-httpd-pwdreader.in \
  ipa-pki-retrieve-key.in \
  ipa-pki-wait-running.in \
  $(NULL)
@@ -70,14 +71,11 @@ nodist_app_SCRIPTS = \
  ipa-custodia \
  ipa-custodia-check \
  ipa-httpd-kdcproxy \
+ ipa-httpd-pwdreader \
  ipa-pki-retrieve-key \
  ipa-pki-wait-running \
  $(NULL)
 
-dist_app_SCRIPTS = \
- ipa-httpd-pwdreader \
- $(NULL)
-
 PYTHON_SHEBANG = \
  $(nodist_sbin_SCRIPTS) \
  $(nodist_app_SCRIPTS) \
diff --git a/install/tools/ipa-httpd-pwdreader b/install/tools/ipa-httpd-pwdreader
deleted file mode 100755
index db73293..0000000
--- a/install/tools/ipa-httpd-pwdreader
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
-#
-# If you'd like to write your custom binary providing passwords to mod_ssl,
-# see the documentation of the aforementioned directive of the mod_ssl module.
-
-USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
-
-if [ "$#" -ne 2 ]; then
-echo "Wrong number of arguments!" 1>&2
-echo "$USAGE" 1>&2
-exit 1
-fi
-
-fname=${1/:/-}-$2
-pwdpath=/var/lib/ipa/passwds/$fname
-
-# Make sure the values passed in do not contain path information
-checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
-
-if [ $pwdpath == "${checkpath}" ]; then
-cat $pwdpath
-else
-echo "Invalid path ${pwdpath}" 1>&2
-fi
diff --git a/install/tools/ipa-httpd-pwdreader.in b/install/tools/ipa-httpd-pwdreader.in
new file mode 100755
index 0000000..d488f07
--- /dev/null
+++ b/install/tools/ipa-httpd-pwdreader.in
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+"""mod_ssl password reader
+This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
+
+If you'd like to write your custom binary providing passwords to mod_ssl,
+see the documentation of the aforementioned directive of the mod_ssl module.
+"""
+import argparse
+import os
+
+from ipaplatform.paths import paths
+
+HTTPD_PASSWD_DIR = os.path.realpath(
+os.path.dirname(paths.HTTPD_PASSWD_FILE_FMT)
+)
+
+parser = argparse.ArgumentParser(description="mod_ssl password reader")
+parser.add_argument(
+"host_port", help="host:port",
+)
+parser.add_argument(
+"keytype", help="RSA|DSA|ECC|number",
+)
+
+
+def main():
+args = parser.parse_args()
+host_port = args.host_port.replace(":", "-")
+keytype = args.keytype
+pwdpath = os.path.realpath(
+os.path.join(HTTPD_PASSWD_DIR, f"{host_port}-{keytype}")
+)
+if not pwdpath.startswith(HTTPD_PASSWD_DIR):
+parser.error(f"Invalid path {pwdpath}\n")
+try:
+with open(pwdpath) as f:
+print(f.read(), end="")
+except OSError as e:
+parser.error(str(e))
+
+
+if __name__ == "__main__":
+main()
diff --git a/ipaplatform/fedora_container/paths.py b/ipaplatform/fedora_container/paths.py
index 47e7b59..b6eb87b 100644
--- a/ipaplatform/fedora_container/paths.py
+++ b/ipaplatform/fedora_container/paths.py
@@ -24,6 +24,7 @@ class FedoraContainerPathNamespace(FedoraPathNamespace):
 PKI_CONFIGURATION = data(FedoraPathNamespace.PKI_CONFIGURATION)
 SAMBA_DIR = data(FedoraPathNamespace.SAMBA_DIR)
 HTTPD_IPA_WSGI_MODULES_CONF = None
+ HTTPD_PASSWD_FILE_FMT = data(FedoraPathNamespace.HTTPD_PASSWD_FILE_FMT)
 
 
 paths = FedoraContainerPathNamespace()
diff --git a/ipaplatform/rhel_container/paths.py b/ipaplatform/rhel_container/paths.py
index 5598dae..55cbc2c 100644
--- a/ipaplatform/rhel_container/paths.py
+++ b/ipaplatform/rhel_container/paths.py
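Review bot: The containment check `if not pwdpath.startswith(HTTPD_PASSWD_DIR):` in main() is a plain string-prefix test, so a resolved path inside a sibling directory whose name merely begins with the password directory's name would also pass it; the bash script being deleted compared the `realpath -e` result with the constructed path exactly and so did not have this gap. Whether such a sibling exists depends on the deployment's HTTPD_PASSWD_FILE_FMT, which the hunk does not show, but since host_port and keytype are spliced straight into the file name, restricting the resolved path to a direct child of the directory keeps the old defence in depth: `if os.path.dirname(pwdpath) != HTTPD_PASSWD_DIR:`. Like the old exact-match check this also rejects a symlink inside the directory that resolves elsewhere, which is the intended behaviour for a credential store. Separately, argparse's `error()` already terminates its message with a newline, so the trailing `\n` in `parser.error(f"Invalid path {pwdpath}\n")` only adds a blank line to the Apache error log and can be dropped.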
@@ -24,6 +24,7 @@ class RHELContainerPathNamespace(RHELPathNamespace):
 PKI_CONFIGURATION = data(RHELPathNamespace.PKI_CONFIGURATION)
 SAMBA_DIR = data(RHELPathNamespace.SAMBA_DIR)
 HTTPD_IPA_WSGI_MODULES_CONF = None
+ HTTPD_PASSWD_FILE_FMT = data(RHELPathNamespace.HTTPD_PASSWD_FILE_FMT)
 
 
 paths = RHELContainerPathNamespace()