From 1e5e2748a717ecf2bb2b895e48037ae8e180a668 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Aug 13 2017 16:53:27 +0000 Subject: [PATCH 1/3] Add Debian example apache conf Signed-off-by: Patrick Uiterwijk --- diff --git a/examples/apache.conf b/examples/apache.conf deleted file mode 100644 index cacbf70..0000000 --- a/examples/apache.conf +++ /dev/null @@ -1,23 +0,0 @@ -Alias /idp/ui /usr/share/ipsilon/ui -WSGIScriptAlias /idp /usr/libexec/ipsilon.py -WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon -WSGIProcessGroup idp - - - AuthType GSSAPI - AuthName "GSSAPI Single Sign On Login" - GssapiCredStore /etc/httpd/conf/http.keytab - GssapiSSLonly On - GssapiLocalName on - Require valid-user - - ErrorDocument 401 /idp/login/gssapi/unauthorized - ErrorDocument 500 /idp/login/gssapi/failed - - - - Order allow,deny - Allow from all - Require all granted - - diff --git a/examples/apache.debian.conf b/examples/apache.debian.conf new file mode 100644 index 0000000..f5c98ff --- /dev/null +++ b/examples/apache.debian.conf @@ -0,0 +1,23 @@ +Alias /idp/ui /usr/share/ipsilon/ui +WSGIScriptAlias /idp /usr/share/ipsilon/wsgi/ipsilon +WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon +WSGIProcessGroup idp + + + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore /etc/apache2/conf/http.keytab + GssapiSSLonly On + GssapiLocalName on + Require valid-user + + ErrorDocument 401 /idp/login/gssapi/unauthorized + ErrorDocument 500 /idp/login/gssapi/failed + + + + Order allow,deny + Allow from all + Require all granted + + diff --git a/examples/apache.fedora.conf b/examples/apache.fedora.conf new file mode 100644 index 0000000..cacbf70 --- /dev/null +++ b/examples/apache.fedora.conf 
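Review bot: In examples/apache.debian.conf the `GssapiCredStore /etc/apache2/conf/http.keytab` line disagrees with the Debian profile added in PATCH 3, where `HTTPD_HTTP_KEYTAB = '/etc/apache2/http.keytab'` is the default the GSSAPI installer writes into the generated configuration. An administrator who copies the example therefore points mod_auth_gssapi at a keytab that does not exist, which likely surfaces as the configured 500 error document on the GSSAPI login location rather than as a clear configuration error. Debian's apache2 layout does not ship a `conf/` subdirectory by default, so `GssapiCredStore /etc/apache2/http.keytab` looks like the intended value; whichever path is chosen, keep the example and the profile constant in sync.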
@@ -0,0 +1,23 @@ +Alias /idp/ui /usr/share/ipsilon/ui +WSGIScriptAlias /idp /usr/libexec/ipsilon.py +WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon +WSGIProcessGroup idp + + + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore /etc/httpd/conf/http.keytab + GssapiSSLonly On + GssapiLocalName on + Require valid-user + + ErrorDocument 401 /idp/login/gssapi/unauthorized + ErrorDocument 500 /idp/login/gssapi/failed + + + + Order allow,deny + Allow from all + Require all granted + + From 50f38ba052ffab5ea080181678603e26b6003086 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Aug 13 2017 17:00:00 +0000 Subject: [PATCH 2/3] Abstract distro-specific paths away Signed-off-by: Patrick Uiterwijk --- diff --git a/ipsilon/distro_profile/__init__.py b/ipsilon/distro_profile/__init__.py new file mode 100644 index 0000000..8c52ec4 --- /dev/null +++ b/ipsilon/distro_profile/__init__.py @@ -0,0 +1,12 @@ +# Copyright (C) 2017 Ipsilon project Contributors, for license see COPYING +# pragma pylint: disable=wildcard-import + +import platform + +distro = platform.linux_distribution()[0].lower() + +if distro.startswith(('fedora', 'centos', 'red hat')): + from ipsilon.distro_profile.fedora import * +else: + # We need to do something... Let's just default to Fedora? + from ipsilon.distro_profile.fedora import * diff --git a/ipsilon/distro_profile/fedora.py b/ipsilon/distro_profile/fedora.py new file mode 100644 index 0000000..6e23c55 --- /dev/null +++ b/ipsilon/distro_profile/fedora.py 
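Review bot: The `else:` branch in ipsilon/distro_profile/__init__.py silently selects the Fedora profile for any unrecognised distribution, so on an unsupported host every installer runs with `apache` as the HTTPD user and `/etc/httpd/...` keytab paths without any indication that a guess was made; the inline comment already flags this as unresolved, and PATCH 3 keeps the branch unchanged. A warning at that point makes the mismatch visible, e.g. `import warnings` at the top and `warnings.warn('Unknown distribution %r, falling back to Fedora paths' % distro)` before the fallback import. Note also that `platform.linux_distribution()` is deprecated from Python 3.5 and removed in 3.8; this tree is Python 2 (`import ConfigParser` in the installers), but the detection will need another source such as /etc/os-release when it moves. The module-level `distro` string is additionally exported next to the profile constants, which the callers that `import ipsilon.distro_profile as distro` then shadow with the package itself — harmless, but confusing to read.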
@@ -0,0 +1,13 @@ +# Copyright (C) 2017 Ipsilon project Contributors, for license see COPYING + +BINDIR = '/usr/libexec' +HTTPD_BIN = '/usr/sbin/httpd' +HTTPD_IPA_KEYTAB = '/etc/httpd/conf/ipa.keytab' +HTTPD_HTTP_KEYTAB = '/etc/httpd/conf/http.keytab' +HTTPD_USER = 'apache' +HTTPD_CONFD = '/etc/httpd/conf.d' +HTTPD_CLIENT_CONFFILE = '/etc/httpd/conf.d/ipsilon-%s.conf' +HTTPD_CLIENT_CONFDIR = '/etc/httpd/%s' +HTTPD_MODULESDIR = '/etc/httpd/modules' +LDAP_SCHEMADIR = '/etc/openldap/schema' +POSTGRES_PGCTL = '/usr/bin/pg_ctl' diff --git a/ipsilon/helpers/ipa.py b/ipsilon/helpers/ipa.py index 8111eb8..40d14ff 100644 --- a/ipsilon/helpers/ipa.py +++ b/ipsilon/helpers/ipa.py @@ -7,13 +7,14 @@ import socket import subprocess from ipsilon.helpers.common import EnvHelpersInstaller +import ipsilon.distro_profile as distro IPA_CONFIG_FILE = '/etc/ipa/default.conf' -HTTPD_IPA_KEYTAB = '/etc/httpd/conf/ipa.keytab' +HTTPD_IPA_KEYTAB = distro.HTTPD_IPA_KEYTAB IPA_COMMAND = '/usr/bin/ipa' IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab' -HTTPD_USER = 'apache' +HTTPD_USER = distro.HTTPD_USER NO_CREDS_FOR_KEYTAB = """ Valid IPA admin credentials are required to get a keytab. diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install index 101c3cb..96c3508 100755 --- a/ipsilon/install/ipsilon-client-install +++ b/ipsilon/install/ipsilon-client-install @@ -7,6 +7,7 @@ from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP from ipsilon.tools.saml2metadata import SAML2_SERVICE_MAP from ipsilon.tools.certs import Certificate from ipsilon.tools import files +import ipsilon.distro_profile as distro from urllib import urlencode import argparse import ConfigParser 
@@ -22,11 +23,11 @@ import sys import base64 -HTTPDCONFD = '/etc/httpd/conf.d' +HTTPDCONFD = distro.HTTPD_CONFD SAML2_TEMPLATE = '/usr/share/ipsilon/templates/install/saml2/sp.conf' OPENIDC_TEMPLATE = '/usr/share/ipsilon/templates/install/openidc/rp.conf' -CONFFILE = '/etc/httpd/conf.d/ipsilon-%s.conf' -HTTPDIR = '/etc/httpd/%s' +CONFFILE = distro.HTTPD_CLIENT_CONFFILE +HTTPDIR = distro.HTTPD_CLIENT_CONFDIR PROTECTED = '/protected' #Installation arguments @@ -523,7 +524,7 @@ def parse_args(): parser.add_argument('--admin-password', default=None, help="File containing the password for the account " + "used to create a SP (- to read from stdin)") - parser.add_argument('--httpd-user', default='apache', + parser.add_argument('--httpd-user', default=distro.HTTPD_USER, help="Web server account used to read certs") parser.add_argument('--auth-location', default=PROTECTED, help="Where authentication is enforced") diff --git a/ipsilon/install/ipsilon-server-install b/ipsilon/install/ipsilon-server-install index 1a4efcb..9d16b53 100755 --- a/ipsilon/install/ipsilon-server-install +++ b/ipsilon/install/ipsilon-server-install @@ -11,6 +11,7 @@ from ipsilon.helpers.common import EnvHelpersInstall from ipsilon.authz.common import AuthzProviderInstall from ipsilon.util.data import UserStore from ipsilon.tools import files, dbupgrade +import ipsilon.distro_profile as distro import ConfigParser import argparse import cherrypy @@ -28,8 +29,8 @@ import time TEMPLATES = '/usr/share/ipsilon/templates/install' CONFDIR = '/etc/ipsilon' DATADIR = '/var/lib/ipsilon' -HTTPDCONFD = '/etc/httpd/conf.d' -BINDIR = '/usr/libexec' +HTTPDCONFD = distro.HTTPD_CONFD +BINDIR = distro.BINDIR STATICDIR = '/usr/share/ipsilon' CACHEDIR = '/var/cache/ipsilon' WSGI_SOCKET_PREFIX = None diff --git a/ipsilon/login/authgssapi.py b/ipsilon/login/authgssapi.py index 3eebb7f..075d845 100644 --- a/ipsilon/login/authgssapi.py +++ b/ipsilon/login/authgssapi.py 
@@ -4,6 +4,7 @@ from ipsilon.login.common import LoginPageBase, LoginManagerBase, \ LoginManagerInstaller from ipsilon.util.plugin import PluginObject from ipsilon.util.user import UserSession +import ipsilon.distro_profile as distro from string import Template import cherrypy import os @@ -119,7 +120,7 @@ class Installer(LoginManagerInstaller): group.add_argument('--gssapi', choices=['yes', 'no'], default='no', help='Configure GSSAPI authentication') group.add_argument('--gssapi-httpd-keytab', - default='/etc/httpd/conf/http.keytab', + default=distro.HTTPD_HTTP_KEYTAB, help='Kerberos keytab location for HTTPD') def configure(self, opts, changes): diff --git a/setup.py b/setup.py index 3508e65..bfce20e 100755 --- a/setup.py +++ b/setup.py @@ -30,8 +30,10 @@ setup( ('share/man/man1', ['man/ipsilon-client-install.1', 'man/ipsilon-server-install.1']), ('share/doc/ipsilon', ['COPYING', 'README.md']), - ('share/doc/ipsilon/examples', ['examples/ipsilon.conf', - 'examples/apache.conf']), + ('share/doc/ipsilon/examples', + ['examples/ipsilon.conf', + 'examples/apache.fedora.conf', + 'examples/apache.debian.conf']), (DATA+'ui/css', glob('ui/css/*.css')), (DATA+'ui/img', glob('ui/img/*')), (DATA+'ui/js', glob('ui/js/*.js')), diff --git a/tests/helpers/common.py b/tests/helpers/common.py index e366db2..1d3ee0b 100755 --- a/tests/helpers/common.py +++ b/tests/helpers/common.py @@ -13,6 +13,7 @@ from string import Template import subprocess from control import TC # pylint: disable=relative-import +import ipsilon.distro_profile as distro WRAP_HOSTNAME = 'idp.ipsilon.dev' 
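Review bot: The setup.py hunk only adds the new example files to `data_files`; if the `packages=` argument of this `setup()` call enumerates packages explicitly (it is not visible in the hunk), the new `ipsilon.distro_profile` package must be listed there too, otherwise installed copies of ipsilon-server-install, ipsilon-client-install and the GSSAPI login plugin fail at import time on `import ipsilon.distro_profile as distro`. Please confirm against the rest of the `setup()` call, which starts before this hunk.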
@@ -188,7 +189,7 @@ basicConstraints = CA:false""" % {'certdir': os.path.join(self.testdir, os.mkdir(os.path.join(httpdir, 'conf.d')) os.mkdir(os.path.join(httpdir, 'html')) os.mkdir(os.path.join(httpdir, 'logs')) - os.symlink('/etc/httpd/modules', os.path.join(httpdir, 'modules')) + os.symlink(distro.HTTPD_MODULESDIR, os.path.join(httpdir, 'modules')) with open(os.path.join(self.rootdir, 'tests/httpd.conf')) as f: t = Template(f.read()) @@ -264,7 +265,8 @@ basicConstraints = CA:false""" % {'certdir': os.path.join(self.testdir, return http_conf_file def setup_pgdb(self, datadir, env): - cmd = ['/usr/bin/pg_ctl', 'initdb', '-D', datadir, '-o', '-E UNICODE'] + cmd = [distro.POSTGRES_PGCTL, 'initdb', '-D', datadir, '-o', + '-E UNICODE'] subprocess.check_call(cmd, env=env, stdout=self.stdout, stderr=self.stderr) auth = 'host all all 127.0.0.1/24 trust\n' @@ -293,15 +295,15 @@ basicConstraints = CA:false""" % {'certdir': os.path.join(self.testdir, env['MALLOC_PERTURB_'] = str(random.randint(0, 32767) % 255 + 1) env['REQUESTS_CA_BUNDLE'] = os.path.join(self.testdir, 'certs', 'root.cert.pem') - p = subprocess.Popen(['/usr/sbin/httpd', '-DFOREGROUND', '-f', conf], + p = subprocess.Popen([distro.HTTPD_BIN, '-DFOREGROUND', '-f', conf], env=env, preexec_fn=os.setsid, stdout=self.stdout, stderr=self.stderr) self.processes.append(p) return p def start_pgdb_server(self, datadir, rundir, log, addr, port, env): - p = subprocess.Popen(['/usr/bin/pg_ctl', 'start', '-D', datadir, '-o', - '-k %s -c port=%s -c \ + p = subprocess.Popen([distro.POSTGRES_PGCTL, 'start', '-D', datadir, + '-o', '-k %s -c port=%s -c \ listen_addresses=%s' % (rundir, port, addr), '-l', log, '-w'], env=env, preexec_fn=os.setsid, 
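Review bot: `setup_pgdb` and `start_pgdb_server` place `distro.POSTGRES_PGCTL` directly into the argv list, but the Debian profile added in PATCH 3 sets it to `None` when no pg_ctl is found, so `subprocess.check_call`/`Popen` will fail with a TypeError about argument types instead of a message naming the missing binary. A guard at the top of `setup_pgdb`, `if distro.POSTGRES_PGCTL is None: raise RuntimeError('pg_ctl not found; install a PostgreSQL server package')`, gives the test runner an actionable failure; `start_pgdb_server` presumably runs only after initdb and can rely on the same check. Both methods continue outside the hunk.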
@@ -319,7 +321,8 @@ basicConstraints = CA:false""" % {'certdir': os.path.join(self.testdir, os.mkdir(ldapdir) with open(os.path.join(self.rootdir, 'tests/slapd.conf')) as f: t = Template(f.read()) - text = t.substitute({'ldapdir': ldapdir}) + text = t.substitute({'ldapdir': ldapdir, + 'schemadir': distro.LDAP_SCHEMADIR}) filename = os.path.join(ldapdir, 'slapd.conf') with open(filename, 'w+') as f: f.write(text) diff --git a/tests/slapd.conf b/tests/slapd.conf index 83416ba..07d84fe 100644 --- a/tests/slapd.conf +++ b/tests/slapd.conf @@ -1,7 +1,9 @@ -include /etc/openldap/schema/core.schema -include /etc/openldap/schema/cosine.schema -include /etc/openldap/schema/inetorgperson.schema -include /etc/openldap/schema/nis.schema +moduleload back_mdb + +include ${schemadir}/core.schema +include ${schemadir}/cosine.schema +include ${schemadir}/inetorgperson.schema +include ${schemadir}/nis.schema pidfile ${ldapdir}/slapd.pid attributeoptions x-hidden lang- From 340fc244dd3f6bd05fff9cf3bdafcc61638b0453 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Aug 13 2017 17:09:54 +0000 Subject: [PATCH 3/3] Add Debian distro profile Signed-off-by: Patrick Uiterwijk --- diff --git a/examples/apache.debian.conf b/examples/apache.debian.conf index f5c98ff..867e5de 100644 --- a/examples/apache.debian.conf +++ b/examples/apache.debian.conf @@ -15,7 +15,7 @@ WSGIProcessGroup idp ErrorDocument 500 /idp/login/gssapi/failed - + Order allow,deny Allow from all Require all granted diff --git a/ipsilon/distro_profile/__init__.py b/ipsilon/distro_profile/__init__.py index 8c52ec4..8392775 100644 --- a/ipsilon/distro_profile/__init__.py +++ b/ipsilon/distro_profile/__init__.py 
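Review bot: The added `moduleload back_mdb` line in tests/slapd.conf is a functional change unrelated to the path abstraction described in the commit message and is not mentioned there; a sentence such as "also load back_mdb explicitly, which Debian ships as a loadable module" would record why it is needed. Without a matching `modulepath` the directive depends on slapd's compiled-in module directory, and on a build where back_mdb is linked statically the load may be rejected — worth confirming on the Fedora test hosts that previously ran this file.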
@@ -7,6 +7,8 @@ distro = platform.linux_distribution()[0].lower() if distro.startswith(('fedora', 'centos', 'red hat')): from ipsilon.distro_profile.fedora import * +elif distro.startswith(('debian', 'ubuntu')): + from ipsilon.distro_profile.debian import * else: # We need to do something... Let's just default to Fedora? from ipsilon.distro_profile.fedora import * diff --git a/ipsilon/distro_profile/debian.py b/ipsilon/distro_profile/debian.py new file mode 100644 index 0000000..44cd442 --- /dev/null +++ b/ipsilon/distro_profile/debian.py @@ -0,0 +1,23 @@ +# Copyright (C) 2017 Ipsilon project Contributors, for license see COPYING +import glob + +BINDIR = '/usr/share/ipsilon/wsgi' +HTTPD_BIN = '/usr/sbin/apache2' +HTTPD_IPA_KEYTAB = '/etc/apache2/ipa.keytab' +HTTPD_HTTP_KEYTAB = '/etc/apache2/http.keytab' +HTTPD_USER = 'www-data' +HTTPD_CONFD = '/etc/apache2/conf-enabled' +HTTPD_CLIENT_CONFFILE = '/etc/apache2/conf-enabled/ipsilon-%s.conf' +HTTPD_CLIENT_CONFDIR = '/etc/apache2/%s' +HTTPD_MODULESDIR = '/usr/lib/apache2/modules' +LDAP_SCHEMADIR = '/etc/ldap/schema' + +# Debian has a version numbered pg_ctl +pgctls = glob.glob('/usr/lib/postgresql/*/bin/pg_ctl') +if len(pgctls) == 0: + POSTGRES_PGCTL = None +else: + # We either have exactly one, or more than one version of postges available + # Given that Ipsilon is not really sensitive to Postgres version, let's + # just grab the first one we find + POSTGRES_PGCTL = pgctls[0]
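Review bot: `pgctls[0]` in ipsilon/distro_profile/debian.py depends on `glob.glob` order, which follows directory listing order and is not sorted, so a host with several PostgreSQL versions installed can pick a different `pg_ctl` from one run to the next; `pgctls = sorted(glob.glob('/usr/lib/postgresql/*/bin/pg_ctl'))` makes the choice stable (a numeric sort on the version component would also keep '10' from ordering before '9.6'). The comment already says the version does not matter, so stability is all that is needed. Falling back to `POSTGRES_PGCTL = None` means the profile exports a constant that is not a path; a note on it, `# None when no PostgreSQL server is installed; callers must check before exec`, tells users of the wildcard re-export what to expect. Because `__init__.py` pulls this module in with `import *`, `glob` and `pgctls` also become attributes of the package; an `__all__` listing the constants, or `del glob, pgctls` at the end of the module, keeps the re-exported surface to the path values.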