From d7d17ece57ae1322c8368b7853f24d56b1d6a150 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Dec 14 2018 08:53:01 +0000
Subject: Smart card auth advise: Allow Apache user


Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 97e2330..9a7a315 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -105,6 +105,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
     ssl_conf = paths.HTTPD_SSL_CONF
     ssl_ocsp_directive = OCSP_DIRECTIVE
     kdc_service_name = services.knownservices.krb5kdc.systemd_name
+    httpd_service_name = services.knownservices.httpd.systemd_name
 
     def get_info(self):
         self.log.exit_on_nonroot_euid()
@@ -117,6 +118,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
         self.record_httpd_ocsp_status()
         self.check_and_enable_pkinit()
         self.enable_ok_to_auth_as_delegate_on_http_principal()
+        self.allow_httpd_ifp()
         self.upload_smartcard_ca_certificates_to_systemwide_db()
         self.install_smart_card_signing_ca_certs()
         self.update_ipa_ca_certificate_store()
@@ -183,7 +185,9 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
 
     def restart_httpd(self):
         self.log.comment('finally restart apache')
-        self.log.command('systemctl restart httpd')
+        self.log.command(
+            'systemctl restart {}'.format(self.httpd_service_name)
+        )
 
     def record_httpd_ocsp_status(self):
         self.log.comment('store the OCSP upgrade state')
@@ -214,6 +218,21 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
             ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
         )
 
+    def allow_httpd_ifp(self):
+        self.log.comment('Allow Apache to access SSSD IFP')
+        self.log.exit_on_failed_command(
+            '{} -c "import SSSDConfig; '
+            'from ipaclient.install.client import sssd_enable_ifp; '
+            'from ipaplatform.paths import paths; '
+            'c = SSSDConfig.SSSDConfig(); '
+            'c.import_config(); '
+            'sssd_enable_ifp(c, allow_httpd=True); '
+            'c.write(paths.SSSD_CONF)"'.format(sys.executable),
+            ['Failed to modify SSSD config']
+        )
+        self.log.comment('Restart sssd')
+        self.log.command('systemctl restart sssd')
+
     def restart_kdc(self):
         self.log.exit_on_failed_command(
             'systemctl restart {}'.format(self.kdc_service_name),