Merge pull request #1403 from stdweird/ipa47

ncm-freeipa: support freeipa 4.7
quattor · Jul 28, 2023 · 7a12116 · 7a12116
2 parents 395f803 + e65657a
commit 7a12116
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 23 deletions.
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
@@ -23,7 +23,7 @@ jobs:
         # work, but this is a quick way of pulling in a lot of required dependencies.
         # Surprisingly `which` is not installed by default and panc depends on it.
         # libselinux-utils is required for /usr/sbin/selinuxenabled
-        dnf install -y maven which panc ncm-lib-blockdevices \
+        dnf install -y maven which rpm-build panc ncm-lib-blockdevices \
           ncm-ncd git libselinux-utils sudo perl-Crypt-OpenSSL-X509 \
           perl-Data-Compare perl-Date-Manip perl-File-Touch perl-JSON-Any \
           perl-Net-DNS perl-Net-FreeIPA perl-Net-OpenNebula \

diff --git a/ncm-freeipa/src/main/pan/components/freeipa/config.pan b/ncm-freeipa/src/main/pan/components/freeipa/config.pan
@@ -1 +1,17 @@
 ${componentconfig}
+
+variable FREEIPA_CLI_REQUIRES_PAM_KRB5 ?= true;
+
+'cli_packages' ?= {
+    t = list(
+        'ncm-freeipa-${no-snapshot-version}-${rpm.release}',
+        'nss-pam-ldapd',
+        'ipa-client',
+        'nss-tools',
+        'openssl',
+    );
+    if (FREEIPA_CLI_REQUIRES_PAM_KRB5) {
+        append(t, 'pam_krb5');
+    };
+    t;
+};
diff --git a/ncm-freeipa/src/main/pan/components/freeipa/schema.pan b/ncm-freeipa/src/main/pan/components/freeipa/schema.pan
@@ -155,9 +155,11 @@ type ${project.artifactId}_component = {
     'principals' ? component_${project.artifactId}_principal{} with {
         foreach (k; v; SELF) {
             if (!match(k, '^(client|server|aii)$')) {
-                error(format("Unsupported principal %s (must be one of client, server or aii)", k));
+                error("Unsupported principal %s (must be one of client, server or aii)", k);
             };
         };
         true;
     }
+    @{Packages required for CLI installation (e.g. in kickstart)}
+    'cli_packages' : string[]
 };
diff --git a/ncm-freeipa/src/main/perl/FreeIPA/CLI.pm b/ncm-freeipa/src/main/perl/FreeIPA/CLI.pm
@@ -3,6 +3,7 @@
 use parent qw(CAF::Application NCM::Component::freeipa CAF::Reporter CAF::Object Exporter);
 
 use NCM::Component::freeipa;
+use version;
 
 our @EXPORT = qw(install);
 
@@ -15,8 +16,10 @@ use Readonly;
 Readonly::Array my @TIME_SERVICES => qw(ntpd chronyd ptpd ptpd2);
 Readonly::Array my @NTPDATE_SYNC => qw(/usr/sbin/ntpdate -U ntp -b -v);
 
-Readonly::Array my @IPA_INSTALL => qw(ipa-client-install --unattended --debug --noac);
-Readonly::Array my @IPA_INSTALL_NOS => qw(sssd sudo sshd ssh ntp dns-sshfp nisdomain);
+Readonly::Array my @IPA_INSTALL => qw(ipa-client-install --unattended --debug);
+Readonly::Array my @IPA_INSTALL_PRE47 => qw(--noac);
+Readonly::Array my @IPA_INSTALL_NOS => qw(sudo sshd ssh ntp dns-sshfp nisdomain);
+Readonly::Array my @IPA_INSTALL_NOS_PRE47 => qw(sssd);
 
 # Location based discovery
 # http://www.freeipa.org/page/V4/DNS_Location_Mechanism
@@ -215,6 +218,28 @@ sub location_based_discovery
     return;
 }
 
+# Return version instance C<v$major.$minor.$remainder> version information (from C<ipa-client-install --version>)
+# Return undef in case of problem.
+sub get_ipa_install_version
+{
+    my ($self) = @_;
+
+    my $proc = CAF::Process->new(
+        [$IPA_INSTALL[0], "--version"],
+        log => $self,
+        keeps_state => 1,
+        );
+    my $output = $proc->output();
+
+    # e.g. '4.6.5'
+    if ($output && $output =~ m/\D((?:\d+)(?:\.\d+)+)\s*$/) {
+        return version->new("v$1");
+    } else {
+        $self->error("Failed to parse output from $proc: $output");
+        return;
+    }
+}
+
 
 # TODO: ipa-join is enough?
 sub ipa_install
@@ -224,17 +249,24 @@ sub ipa_install
     my $ec = SUCCESS;
     $self->debug(1, "begin ipa_install with primary $primary realm $realm");
 
+    my @ipa_install = @IPA_INSTALL;
+    my @ipa_install_nos = @IPA_INSTALL_NOS;
+    my $version = $self->get_ipa_install_version();
+    if ($version < version->new('4.7.0')) {
+        push(@ipa_install, @IPA_INSTALL_PRE47);
+        push(@ipa_install_nos, @IPA_INSTALL_NOS_PRE47);
+    }
 
     #$self->pre_time($opts{ntpserver});
 
     # It is ok to log this, the password is an OTP
     # TODO: set expiration window on password or cron job to reset password
     my $cmd = [
-        @IPA_INSTALL,
+        @ipa_install,
         '--realm', $realm,
         '--domain', $domain,
         '--password', $otp,
-        map {"--no-$_"} @IPA_INSTALL_NOS, # Nothing after this, will all be map'ped
+        map {"--no-$_"} @ipa_install_nos, # Nothing after this, will all be map'ped
         ];
 
     if ($self->location_based_discovery($domain, $primary)) {

diff --git a/ncm-freeipa/src/main/perl/freeipa.pm b/ncm-freeipa/src/main/perl/freeipa.pm
@@ -123,16 +123,6 @@ $NCM::Component::${project.artifactId}::NoActionSupported = 1;
 Readonly my $DEBUGAPI_LEVEL => 3;
 Readonly::Array my @GET_KEYTAB => qw(/usr/sbin/ipa-getkeytab);
 
-# packages to install with yum for dependencies
-Readonly::Array our @CLI_YUM_PACKAGES => qw(
-    ncm-freeipa
-    nss-pam-ldapd
-    ipa-client
-    nss-tools
-    openssl
-    pam_krb5
-);
-
 Readonly my $IPA_BASEDIR => '/etc/ipa';
 Readonly our $IPA_QUATTOR_BASEDIR => "$IPA_BASEDIR/quattor";
 
@@ -587,16 +577,18 @@ sub _manual_initialisation
     my $tree = $config->getTree($self->prefix());
     my $network = $config->getTree('/system/network');
 
-    my $yum_packages = join(" ", );
-
     my $domain = $tree->{domain} || $network->{domainname};
 
     # Is optional, but we use the template value; not the CLI default
     my $hostcert = $tree->{hostcert} ? 1 : 0;
 
-    my @yum = qw(yum -y install);
-    push(@yum, @CLI_YUM_PACKAGES);
-    push(@yum, qw(-c /tmp/aii/yum/yum.conf)) if $opts{aii};
+    my @cli_packages = @{$tree->{cli_packages}};
+    my @yum;
+    if (@cli_packages) {
+        push(@yum, qw(yum -y install), @cli_packages);
+        push(@yum, qw(-c /tmp/aii/yum/yum.conf)) if $opts{aii};
+
+    }
 
     my @cli = qw(PERL5LIB=/usr/lib/perl perl -MNCM::Component::FreeIPA::CLI -w -e install --);
 
@@ -614,7 +606,8 @@ sub _manual_initialisation
         );
 
     my @cmds;
-    push(@cmds, join(" ", @yum), join(" ", @cli));
+    push(@cmds, join(" ", @yum)) if @yum;
+    push(@cmds, join(" ", @cli));
 
     return join("\n", @cmds);
 }

diff --git a/ncm-freeipa/src/test/perl/aii-basic.t b/ncm-freeipa/src/test/perl/aii-basic.t
@@ -58,7 +58,7 @@ ok(POST_history_ok([
    ]), "host_add / host_mod called");
 
 
-like($fh, qr(^yum -y install ncm-freeipa nss-pam-ldapd ipa-client nss-tools openssl pam_krb5 -c /tmp/aii/yum/yum.conf$)m,
+like($fh, qr(^yum -y install ncm-freeipa-\d+\.\d+\.\d+-\w+ nss-pam-ldapd ipa-client nss-tools openssl pam_krb5 -c /tmp/aii/yum/yum.conf$)m,
      "install freeipa component and CLI dependencies in post_reboot");
 like($fh, qr(^PERL5LIB=/usr/lib/perl perl -MNCM::Component::FreeIPA::CLI -w -e install -- --realm MY.REALM --primary myhost.example.com --domain com --fqdn myhost.example.com --hostcert 1 --otp 'superse\\\$cret\\\$OTP'$)m,
      "CLI called as expected");