Adding support for configuring External Authentication

- New menu entry "Configure External Authentication (httpd)"
- Checks for pre-requisites
- Validates the IPA Server is reachable
- Uninstalls/Re-Installs and configures the IPA Client
- Configures ipa/pam/sssd/httpd/SELinux
- Restarts sssd and httpd

Author: abellotti

lib/appliance_console.rb

@@ -153,6 +153,7 @@ def agree_with_timeout(*args, &block)
 require 'appliance_console/database_configuration'
 require 'appliance_console/internal_database_configuration'
 require 'appliance_console/external_database_configuration'
+require 'appliance_console/external_httpd_authentication'
 require 'appliance_console/temp_storage_configuration'
 require 'appliance_console/env'
 require 'appliance_console/key_configuration'
@@ -359,6 +360,21 @@ module ApplianceConsole
             ca.remote(cahost, causer).run
           end
           press_any_key
+
+        when I18n.t("advanced_settings.httpdauth")
+          say("#{selection}\n\n")
+
+          httpdauth = ExternalHttpdAuthentication.new(host)
+          if httpdauth.activate
+            httpdauth.post_activation
+            say("\nExternal Authentication configured successfully.\n")
+            press_any_key
+          else
+            say("\nExternal Authentication configuration failed!\n")
+            press_any_key
+            raise MiqSignalError
+          end
+
         when I18n.t("advanced_settings.evmstop")
           say("#{selection}\n\n")
           if agree("\nNote: It may take up to a few minutes for all EVM Server processes to exit gracefully.  Perform an EVM stop? (Y/N): ")

lib/appliance_console/external_httpd_authentication.rb

@@ -0,0 +1,113 @@
+require_relative "external_httpd_configuration"
+
+module ApplianceConsole
+  class ExternalHttpdAuthentication
+    include ApplianceConsole::ExternalHttpdConfiguration
+
+    def initialize(host = nil)
+      @ipaserver, @domain, @password = nil
+      @domain    = host.gsub(/^([^.]+\.)/, '') if host && host.include?('.')
+      @principal = "admin"
+      @timestamp = Time.now.strftime("%Y%m%d_%H%M%S")
+    end
+
+    def ask_for_parameters
+      say("\nIPA Server Parameters:\n\n")
+      @ipaserver = ask_for_hostname("IPA Server Hostname")
+      @domain    = ask_for_domain("IPA Server Domain", @domain)
+      @principal = just_ask("IPA Server Principal", @principal)
+      @password  = ask_for_password("IPA Server Principal Password")
+
+      @ipaserver = "#{@ipaserver}.#{@domain}" unless @ipaserver.include?(".")
+    end
+
+    def show_parameters
+      say("\nExternal Authentication (httpd) Configuration:\n")
+      say("IPA Server Details:\n")
+      say("  Hostname:       #{@ipaserver}\n")
+      say("  Domain:         #{@domain}\n")
+      say("  Realm:          #{realm}\n")
+      say("  Naming Context: #{domain_naming_context}\n")
+      say("  Principal:      #{@principal}\n")
+    end
+
+    def activate
+      return false unless valid_environment?
+      ask_for_parameters
+      show_parameters
+      return false unless agree("\nProceed? (Y/N): ")
+      return false unless valid_parameters?(@ipaserver)
+
+      begin
+        configure_ipa
+        configure_pam
+        configure_sssd
+        configure_httpd_external_auth
+        configure_httpd
+        configure_selinux
+      rescue => e
+        say("Failed to Configure External Authentication - #{e}")
+        return false
+      end
+      true
+    end
+
+    def post_activation
+      say("\nRestarting sssd and httpd ...")
+      AwesomeSpawn.run!("#{SERVICE_COMMAND} sssd restart")
+      AwesomeSpawn.run!("#{SERVICE_COMMAND} httpd restart")
+
+      say("Configuring sssd to start upon reboots ...")
+      AwesomeSpawn.run!("#{CHKCONFIG_COMMAND} sssd on")
+    end
+
+    private
+
+    def domain_naming_context
+      @domain.split(".").collect { |s| "dc=#{s}" }.join(",")
+    end
+
+    def realm
+      @domain.upcase
+    end
+
+    def configure_ipa
+      say("\nConfiguring IPA (may take a minute) ...")
+      ipa_client_unconfigure if ipa_client_configured?
+      ipa_client_configure(realm, @domain, @ipaserver, @principal, @password)
+    end
+
+    def configure_pam
+      say("Configuring pam ...")
+      config_file_write(PAM_CONFIGURATION, PAM_CONFIG, @timestamp)
+    end
+
+    def configure_sssd
+      say("Configuring sssd ...")
+      config = config_file_read(SSSD_CONFIG)
+      configure_sssd_domain(config, @domain)
+      configure_sssd_service(config)
+      configure_sssd_ifp(config)
+      config_file_write(config, SSSD_CONFIG, @timestamp)
+    end
+
+    def configure_httpd_external_auth
+      say("Configuring httpd External Authentication ...")
+      config_file_write(httpd_mod_intercept_config, HTTPD_EXTERNAL_AUTH, @timestamp)
+    end
+
+    def configure_httpd
+      say("Configuring httpd ...")
+      config = config_file_read(HTTPD_CONFIG)
+      configure_httpd_application(config)
+      config_file_write(config, HTTPD_CONFIG, @timestamp)
+    end
+
+    def configure_selinux
+      say("Configuring SELinux ...")
+      AwesomeSpawn.run!("#{SETSEBOOL_COMMAND} -P allow_httpd_mod_auth_pam on")
+      result = AwesomeSpawn.run("#{GETSEBOOL_COMMAND} httpd_dbus_sssd")
+      AwesomeSpawn.run!("#{SETSEBOOL_COMMAND} -P httpd_dbus_sssd on") if result.exit_status == 0
+    end
+  end
+end

lib/appliance_console/external_httpd_configuration.rb

@@ -0,0 +1,208 @@
+module ApplianceConsole
+  module ExternalHttpdConfiguration
+    #
+    # External Authentication Definitions
+    #
+    IPA_INSTALL_COMMAND = "/usr/sbin/ipa-client-install"
+
+    PAM_MODULE          = "httpd-auth"
+    PAM_CONFIG          = "/etc/pam.d/#{PAM_MODULE}"
+    PAM_CONFIGURATION   = <<EOS
+auth    required pam_sss.so
+account required pam_sss.so
+EOS
+    SSSD_CONFIG         = "/etc/sssd/sssd.conf"
+
+    EXTERNAL_AUTH_FILE  = "conf.d/cfme-external-auth"
+    HTTPD_EXTERNAL_AUTH = "/etc/httpd/#{EXTERNAL_AUTH_FILE}"
+    HTTPD_CONFIG        = "/etc/httpd/conf.d/cfme-https-application.conf"
+
+    RPM_COMMAND         = "/bin/rpm"
+    SERVICE_COMMAND     = "/sbin/service"
+    CHKCONFIG_COMMAND   = "/sbin/chkconfig"
+
+    GETSEBOOL_COMMAND   = "/usr/sbin/getsebool"
+    SETSEBOOL_COMMAND   = "/usr/sbin/setsebool"
+
+    INTERCEPT_FORM      = "/dashboard/authenticate"
+
+    LDAP_ATTRS          = {
+      "mail"        => "REMOTE_USER_EMAIL",
+      "givenname"   => "REMOTE_USER_FIRSTNAME",
+      "sn"          => "REMOTE_USER_LASTNAME",
+      "displayname" => "REMOTE_USER_FULLNAME"
+    }
+
+    #
+    # IPA Configuration Methods
+    #
+    def ipa_client_configured?
+      File.exist?(SSSD_CONFIG)
+    end
+
+    def ipa_client_configure(realm, domain, server, principal, password)
+      say("Configuring the IPA Client ...")
+      AwesomeSpawn.run!(IPA_INSTALL_COMMAND,
+                        :params => {"-N"              => nil,
+                                    "--force-join"    => nil,
+                                    "--realm="        => realm,
+                                    "--domain="       => domain,
+                                    "--server="       => server,
+                                    "--principal="    => principal,
+                                    "--password="     => password,
+                                    "--fixed-primary" => nil,
+                                    "--unattended"    => nil})
+    end
+
+    def ipa_client_unconfigure
+      say("Un-Configuring the IPA Client ...")
+      AwesomeSpawn.run(IPA_INSTALL_COMMAND,
+                       :params => {"--uninstall"  => nil,
+                                   "--unattended" => nil})
+    end
+
+    #
+    # HTTPD Configuration Methods
+    #
+    def httpd_mod_intercept_config
+      config = "
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
+LoadModule lookup_identity_module modules/mod_lookup_identity.so
+
+<Location #{INTERCEPT_FORM}>
+  InterceptFormPAMService #{PAM_MODULE}
+  InterceptFormLogin      user_name
+  InterceptFormPassword   user_password
+  InterceptFormLoginSkip  admin
+  InterceptFormClearRemoteUserForSkipped on
+</Location>
+
+<Location #{INTERCEPT_FORM}>
+"
+      LDAP_ATTRS.each { |ldap, http| config << "  LookupUserAttr #{ldap} #{http}\n" }
+      config << "
+  LookupUserGroups        REMOTE_USER_GROUPS \":\"
+  LookupDbusTimeout       5000
+</Location>
+"
+    end
+
+    def httpd_external_auth_config
+      config = "RequestHeader unset X_REMOTE_USER\n"
+      attrs = %w(REMOTE_USER EXTERNAL_AUTH_ERROR) + LDAP_ATTRS.values + %w(REMOTE_USER_GROUPS)
+      attrs.each { |attr| config << "RequestHeader set X_#{attr} %{#{attr}}e env=#{attr}\n" }
+      config.chomp!
+    end
+
+    def configure_httpd_application(config)
+      ext_auth_include = "Include #{EXTERNAL_AUTH_FILE}"
+      unless config.include?(ext_auth_include)
+        config[/(\n)<VirtualHost/, 1] = "\n#{ext_auth_include}\n\n"
+      end
+
+      if config.include?("set X_REMOTE_USER")
+        config[/RequestHeader unset X_REMOTE_USER(\n.*)+env=REMOTE_USER_GROUPS/] = httpd_external_auth_config
+      else
+        config[/set X_FORWARDED_PROTO 'https'(\n)/, 1] = "\n\n#{httpd_external_auth_config}\n"
+      end
+    end
+
+    #
+    # SSSD File Methods
+    #
+    def configure_sssd_domain(config, domain)
+      ldap_user_extra_attrs = LDAP_ATTRS.keys.join(", ")
+      if config.include?("ldap_user_extra_attrs = ")
+        pattern = "[domain/#{domain}](\n.*)+ldap_user_extra_attrs = (.*)"
+        config[/#{pattern}/, 2] = ldap_user_extra_attrs
+      else
+        pattern = "[domain/#{domain}].*(\n)"
+        config[/#{pattern}/, 1] = "\nldap_user_extra_attrs = #{ldap_user_extra_attrs}\n"
+      end
+    end
+
+    def configure_sssd_service(config)
+      services = config.match(/\[sssd\](\n.*)+services = (.*)/)[2]
+      services = "#{services}, ifp" unless services.include?("ifp")
+      config[/\[sssd\](\n.*)+services = (.*)/, 2] = services
+    end
+
+    def configure_sssd_ifp(config)
+      user_attributes = LDAP_ATTRS.keys.collect { |k| "+#{k}" }.join(", ")
+      if config.include?("[ifp]")
+        config[/\[ifp\](\n.*)+user_attributes = (.*)/, 2] = user_attributes
+      else
+        config << "\n[ifp]
+  allowed_uids = apache, root
+  user_attributes = #{user_attributes}\n"
+      end
+    end
+
+    #
+    # RPM Utilities
+    #
+    def rpm_installed?(rpm_package)
+      result = AwesomeSpawn.run!(RPM_COMMAND, :params => {"-qa" => rpm_package})
+      if result.output.blank?
+        say("#{rpm_package} RPM is not installed")
+        return false
+      end
+      true
+    end
+
+    #
+    # Validation Methods
+    #
+    def installation_valid?
+      rpm_packages = %w(ipa-client sssd-dbus mod_intercept_form_submit mod_authnz_pam mod_lookup_identity)
+      missing = rpm_packages.count { |package| !rpm_installed?(package) }
+      if missing > 0
+        say("\nAppliance Installation is not valid for enabling External Authentication\n")
+        return false
+      end
+      true
+    end
+
+    def valid_environment?
+      return false unless installation_valid?
+      if ipa_client_configured?
+        return false unless agree("\nIPA Client already configured on this Appliance, Un-Configure first? (Y/N): ")
+        ipa_client_unconfigure
+        return false unless agree("\nProceed with External Authentication Configuration? (Y/N): ")
+      end
+      true
+    end
+
+    def valid_parameters?(ipaserver)
+      host_reachable?(ipaserver, "IPA Server")
+    end
+
+    #
+    # Config File I/O Methods
+    #
+    def config_file_read(path)
+      File.open(path, "r") { |f| f.read }
+    end
+
+    def config_file_write(config, path, timestamp)
+      FileUtils.copy(path, "#{path}.#{timestamp}") if File.exist?(path)
+      File.open(path, "w") { |f| f.write(config) }
+    end
+
+    #
+    # Network validation
+    #
+    def host_reachable?(host, what = "Server")
+      require 'net/ping'
+      say("Checking connectivity to #{host} ... ")
+      unless Net::Ping::External.new(host).ping
+        say("Failed.\nCould not connect to #{host},")
+        say("the #{what} must be reachable by name.")
+        return false
+      end
+      say("Succeeded.")
+      true
+    end
+  end
+end

lib/appliance_console/locales/en.yml

@@ -8,6 +8,7 @@ en:
     - hostname
     - datetime
     - dbrestore
+    - httpdauth
     - evmstop
     - evmstart
     - restart
@@ -20,6 +21,7 @@ en:
     hostname: Set Hostname
     datetime: Set Timezone, Date, and Time
     dbrestore: Restore Database From Backup
+    httpdauth: Configure External Authentication (httpd)
     evmstop: Stop EVM Server Processes
     evmstart: Start EVM Server Processes
     restart: Restart Appliance

lib/appliance_console/prompts.rb

@@ -2,6 +2,7 @@ module ApplianceConsole
   module Prompts
     CLEAR_CODE    = `clear`
     IP_REGEXP     = /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/
+    DOMAIN_REGEXP = /^[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,13}$/
     DATE_REGEXP   = /^(2[0-9]{3})-(0?[1-9]|1[0-2])-(0?[1-9]|[12][0-9]|3[01])/
     TIME_REGEXP   = /^(0?[0-9]|1[0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9])/
     INT_REGEXP    = /^[0-9]+$/
@@ -49,6 +50,10 @@ def are_you_sure?(clarifier = nil)
       agree("Are you sure#{clarifier}? (Y/N): ")
     end
 
+    def ask_for_domain(prompt, default = nil, validate = DOMAIN_REGEXP, error_text = "a valid Domain.", &block)
+      just_ask(prompt, default, validate, error_text, &block)
+    end
+
     def ask_for_ip(prompt, default, validate = IP_REGEXP, error_text = "a valid IP Address.", &block)
       just_ask(prompt, default, validate, error_text, &block)
     end
@@ -58,6 +63,10 @@ def ask_for_ip_or_none(prompt, default = nil)
       ask_for_ip(prompt, default, validation).gsub(/^'?NONE'?$/i, "")
     end
 
+    def ask_for_hostname(prompt, default = nil, validate = HOSTNAME_REGEXP, error_text = "a valid Hostname.", &block)
+      just_ask(prompt, default, validate, error_text, &block)
+    end
+
     def ask_for_ip_or_hostname(prompt, default = nil)
       validation = ->(h) { (h =~ HOSTNAME_REGEXP || h =~ IP_REGEXP) && h.length > 0 }
       ask_for_ip(prompt, default, validation, "a valid Hostname or IP Address.")