This patch adds python config file ipaconfig.py, which can contain
various configuration directives for ipalib and other python code. These
directives can be detected at build time.

The first config directive in use is enable_pkinit, which can be set by
running (in 'install' subdirectory)
./configure --enable-pkinit or ./configure --disable-pkinit

When pkinit is disabled, classes in the pkinit plugin are not registered with
the API and the whole functionality is hidden in the installation scripts.

https://fedorahosted.org/freeipa/ticket/616

I'm primarily interested in the concept. This is the best one I came up
with. If you have any suggestion how to make this differently, let me know.

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic
From fb8a3ffc2fe9cf1c2e6da3861001ac8e959465a4 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Mon, 31 Jan 2011 03:02:28 -0500
Subject: [PATCH] Allow pkinit functionality to be hidden in production version

This patch adds python config file ipaconfig.py, which can contain
various configuration directives for ipalib and other python code. These
directives can be detected at build time.

The first config directive in use is enable_pkinit, which can be set by
running (in 'install' subdirectory)
./configure --enable-pkinit or ./configure --disable-pkinit

When pkinit is disabled, classes in the pkinit plugin are not registered with
the API and the whole functionality is hidden in the installation scripts.

https://fedorahosted.org/freeipa/ticket/616
---
 freeipa.spec.in                   |    3 ++-
 install/conf/Makefile.am          |    2 ++
 install/conf/ipaconfig.py.in      |    3 +++
 install/configure.ac              |   13 +++++++++++++
 install/tools/ipa-replica-install |   11 +++++++++--
 install/tools/ipa-replica-prepare |   21 +++++++++++++++------
 install/tools/ipa-server-install  |   21 +++++++++++++++------
 ipalib/plugins/pkinit.py          |   12 ++++++++++--
 ipaserver/install/krbinstance.py  |   10 ++++++++--
 9 files changed, 77 insertions(+), 19 deletions(-)
 create mode 100644 install/conf/ipaconfig.py.in

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e35f3370bca7936a96d87eab9049b10e01904e1e..949c67ca1b08555ced400d521d41621ec1d69673 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -202,7 +202,7 @@ make version-update
 cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
 cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
-cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --disable-pkinit; cd ..
 %endif
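Review bot: The `--disable-pkinit` flag is hard-coded into the autogen.sh invocation on the `cd install;` line, so the only way to produce a package with pkinit enabled is to edit the spec. An rpm build conditional keeps both builds reachable from the same spec: `%bcond_with pkinit` near the top and `%{?with_pkinit:--enable-pkinit}%{!?with_pkinit:--disable-pkinit}` in place of the literal flag. This is a packaging preference rather than a defect.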
 
 %if ! %{ONLY_CLIENT}
@@ -463,6 +463,7 @@ fi
 %{python_sitelib}/ipapython/*.py*
 %dir %{python_sitelib}/ipalib
 %{python_sitelib}/ipalib/*
+%{python_sitelib}/ipaconfig.py*
 %{python_sitearch}/default_encoding_utf8.so
 %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
 %{python_sitelib}/ipapython-*.egg-info
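Review bot: The new `%{python_sitelib}/ipaconfig.py*` entry installs the build-time flag as a bare top-level module in site-packages, and the scripts that import it fall back to enabling pkinit on ImportError. A generic, unnamespaced name like `ipaconfig` is easy to shadow by any other `ipaconfig.py` earlier on sys.path (the running script's own directory comes first), in which case the install tools read their flag from whichever file wins. Placing the generated module inside the ipapython package would avoid the new top-level name and is already covered by the existing `%{python_sitelib}/ipapython/*.py*` entry.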
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..33e1fd94aab7e35c52efcd90710a090662793a3a 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -1,5 +1,7 @@
 NULL =
 
+python_PYTHON = ipaconfig.py
+
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
 	ipa.conf			\
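Review bot: `python_PYTHON = ipaconfig.py` lists a file that configure generates from ipaconfig.py.in (the AC_CONFIG_FILES addition in install/configure.ac), so `make dist` will try to ship the configured output rather than only the template. Automake's `nodist_python_PYTHON = ipaconfig.py` installs the module without distributing it; the `.in` template is distributed automatically as a configure input.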
diff --git a/install/conf/ipaconfig.py.in b/install/conf/ipaconfig.py.in
new file mode 100644
index 0000000000000000000000000000000000000000..3a20c4734d942a4658af41a67c5866c153bfcc1b
--- /dev/null
+++ b/install/conf/ipaconfig.py.in
@@ -0,0 +1,3 @@
+#!/usr/bin/python
+
+enable_pkinit=@IPA_ENABLE_PKINIT@
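Review bot: The new ipaconfig.py.in carries a `#!/usr/bin/python` shebang on a module that is only ever imported, never executed, and nothing in the file says that it is generated. Replace the shebang with a module docstring explaining that this file is produced by configure from install/conf/ipaconfig.py.in and must not be edited by hand, and that `enable_pkinit` is the build-time switch read by the install tools and the pkinit plugin. While there, `enable_pkinit = @IPA_ENABLE_PKINIT@` follows PEP 8 spacing; configure substitutes the Python literals `True`/`False` here.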
diff --git a/install/configure.ac b/install/configure.ac
index 88bf9f805f71e62d0f98bef97a7ea4fc2ddec114..6f653df0169e492f4ffe5efee2a3401d94d8ac9e 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -6,8 +6,10 @@ AC_INIT([ipa-server],
 
 #AC_CONFIG_SRCDIR([ipaserver/ipaldap.py])
 AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_FILES([conf/ipaconfig.py])
 
 AM_INIT_AUTOMAKE([foreign])
+AM_PATH_PYTHON([2.7])
 
 AM_MAINTAINER_MODE
 #AC_PROG_CC
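Review bot: `AM_PATH_PYTHON([2.7])` makes configure fail on any build host whose python is older than 2.7, and the spec's `0%{?rhel} >= 6` branch suggests RHEL 6 is a build target, where the system Python is presumably 2.6. If nothing in this patch needs 2.7 (the generated file is a single assignment), `AM_PATH_PYTHON([2.6])` or a bare `AM_PATH_PYTHON` keeps those hosts building; the macro is only needed here to define `pythondir` for the new `python_PYTHON` install rule.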
@@ -48,6 +50,16 @@ if test "x$MSGCMP" = "xno"; then
     AC_MSG_ERROR([msgcmp not found, install gettext])
 fi
 
+AC_ARG_ENABLE([pkinit],
+  [AS_HELP_STRING([--enable-pkinit],
+    [enable pkinit features])],
+  [if test "x$enableval" = "xyes" ; then
+     enable_pkinit=True
+   else
+     enable_pkinit=False
+   fi],
+  [enable_pkinit=True])
+
 AC_ARG_WITH([gettext_domain],
   [AS_HELP_STRING([--with-gettext-domain=name],
     [set the name of the i18n message catalog])],
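Review bot: The AS_HELP_STRING in the new AC_ARG_ENABLE block documents `--enable-pkinit` although the action-if-not-given makes pkinit enabled by default, so `./configure --help` never mentions the flag a user actually needs. The autoconf convention is to document the non-default form: `[AS_HELP_STRING([--disable-pkinit], [disable pkinit features (default: enabled)])]`. Note also that `enable_pkinit` is the shell variable AC_ARG_ENABLE itself fills with the raw yes/no value before the action runs, and the action then overwrites it with the Python literals; using a distinct name (IPA_ENABLE_PKINIT is already the substituted name) for the Python-literal form would keep the two meanings apart.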
@@ -63,6 +75,7 @@ IPA_DATA_DIR="$datadir/ipa"
 IPA_SYSCONF_DIR="$sysconfdir/ipa"
 AC_SUBST(IPA_DATA_DIR)
 AC_SUBST(IPA_SYSCONF_DIR)
+AC_SUBST(IPA_ENABLE_PKINIT, $enable_pkinit)
 
 # Files
 
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 3eb41daae3572e6cfdec943bd776f525f30bf87b..c793f8e9dc7040d14a37d3e3ffb086aab358b709 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -34,6 +34,12 @@ from ipapython import version
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 
+try:
+    from ipaconfig import enable_pkinit
+except ImportError:
+    # This will happen during build process - we want this to be True
+    enable_pkinit = True
+
 CACERT="/etc/ipa/ca.crt"
 
 class HostnameLocalhost(Exception):
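Review bot: The `except ImportError` fallback sets `enable_pkinit = True` on any system where ipaconfig cannot be imported, so an installed package built with `--disable-pkinit` (which is what the spec now does) silently re-exposes the functionality this patch means to hide whenever the module is missing or shadowed, and the same clause also swallows an ImportError raised from inside ipaconfig.py itself. The comment should at least say why the fallback is safe: `# ipaconfig is generated by configure; only the unconfigured source tree lacks it`. The same five-line block is repeated verbatim in ipa-replica-prepare, ipa-server-install, ipalib/plugins/pkinit.py and ipaserver/install/krbinstance.py; a single helper in ipapython (already imported by all of these) would give one place to make that decision and to log when the fallback is taken.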
@@ -70,8 +76,9 @@ def parse_options():
     parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
                       default=False,
                       help="Do not use DNS for hostname lookup during installation")
-    parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                      default=True, help="disables pkinit setup steps")
+    if enable_pkinit:
+        parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+                          default=True, help="disables pkinit setup steps")
     parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                       default=False, help="unattended installation never prompts the user")
 
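Review bot: When `enable_pkinit` is False the `--no-pkinit` option is never registered, so optparse never creates the `setup_pkinit` attribute and any later read of `options.setup_pkinit` (presumably what feeds KrbInstance's `setup_pkinit` parameter, outside this hunk) raises AttributeError. Adding `else: parser.set_defaults(setup_pkinit=False)` after the guarded add_option keeps the attribute present with the disabled value; alternatively register the option unconditionally with `help=SUPPRESS_HELP` from optparse when disabled. The same gap exists for `setup_pkinit`, `pkinit_pkcs12` and `pkinit_pin` in ipa-replica-prepare and ipa-server-install, where `parser.set_defaults(pkinit_pkcs12=None, pkinit_pin=None)` covers the two certificate options.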
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare
index 908c50a13362c2f34263a2e3a5a9f5cd00a0177c..0dc52683ea28d1b2b574980ede1c090319e53fcb 100755
--- a/install/tools/ipa-replica-prepare
+++ b/install/tools/ipa-replica-prepare
@@ -34,6 +34,12 @@ from ipaserver.plugins.ldap2 import ldap2
 from ipapython import version
 from ipalib import api, errors, util
 
+try:
+    from ipaconfig import enable_pkinit
+except ImportError:
+    # This will happen during build process - we want this to be True
+    enable_pkinit = True
+
 def parse_options():
     usage = "%prog [options] FQDN (e.g. replica.example.com)"
     parser = OptionParser(usage=usage, version=version.VERSION)
@@ -42,22 +48,25 @@ def parse_options():
                       help="install certificate for the directory server")
     parser.add_option("--http_pkcs12", dest="http_pkcs12",
                       help="install certificate for the http server")
-    parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
-                      help="install certificate for the KDC")
+    if enable_pkinit:
+        parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+                          help="install certificate for the KDC")
     parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
                       help="PIN for the Directory Server PKCS#12 file")
     parser.add_option("--http_pin", dest="http_pin",
                       help="PIN for the Apache Server PKCS#12 file")
-    parser.add_option("--pkinit_pin", dest="pkinit_pin",
-                      help="PIN for the KDC pkinit PKCS#12 file")
+    if enable_pkinit:
+        parser.add_option("--pkinit_pin", dest="pkinit_pin",
+                          help="PIN for the KDC pkinit PKCS#12 file")
     parser.add_option("-p", "--password", dest="password", 
                       help="Directory Manager (existing master) password")
     parser.add_option("--ip-address", dest="ip_address",
                       help="Add A and PTR records of the future replica")
     parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
                       help="Location of CA PKCS#12 file, default /root/cacert.p12")
-    parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                      default=True, help="disables pkinit setup steps")
+    if enable_pkinit:
+        parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+                          default=True, help="disables pkinit setup steps")
 
     options, args = parser.parse_args()
 
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index c07f6fc3e8544b290b7a6dbee987487c9bfd7db9..a455c6e3b39db7bde76d92f78b2284511b4546d8 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,6 +58,12 @@ from ipapython.ipautil import *
 from ipalib import api, errors, util
 from ipapython.config import IPAOptionParser
 
+try:
+    from ipaconfig import enable_pkinit
+except ImportError:
+    # This will happen during build process - we want this to be True
+    enable_pkinit = True
+
 DEF_DS_USER = 'dirsrv'
 
 pw_name = None
@@ -110,20 +116,23 @@ def parse_options():
                       default=False, help="uninstall an existing installation")
     parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false",
                       help="do not configure ntp", default=True)
-    parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                      default=True, help="disables pkinit setup steps")
+    if enable_pkinit:
+        parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+                          default=True, help="disables pkinit setup steps")
     parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
                       help="PKCS#12 file containing the Directory Server SSL certificate")
     parser.add_option("--http_pkcs12", dest="http_pkcs12",
                       help="PKCS#12 file containing the Apache Server SSL certificate")
-    parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
-                      help="PKCS#12 file containing the Kerberos KDC SSL certificate")
+    if enable_pkinit:
+        parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+                          help="PKCS#12 file containing the Kerberos KDC SSL certificate")
     parser.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
                       help="The password of the Directory Server PKCS#12 file")
     parser.add_option("--http_pin", dest="http_pin", sensitive=True,
                       help="The password of the Apache Server PKCS#12 file")
-    parser.add_option("--pkinit_pin", dest="pkinit_pin",
-                      help="The password of the Kerberos KDC PKCS#12 file")
+    if enable_pkinit:
+        parser.add_option("--pkinit_pin", dest="pkinit_pin",
+                          help="The password of the Kerberos KDC PKCS#12 file")
     parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
                       default=False,
                       help="Do not use DNS for hostname lookup during installation")
diff --git a/ipalib/plugins/pkinit.py b/ipalib/plugins/pkinit.py
index 76934f9ebdbb2a7154991e605c1082590838be8d..2809bb3e35a0cacf9d37323107b97864d45ea18c 100644
--- a/ipalib/plugins/pkinit.py
+++ b/ipalib/plugins/pkinit.py
@@ -36,6 +36,12 @@ from ipalib import Int, Str
 from ipalib import Object, Command
 from ipalib import _
 
+try:
+    from ipaconfig import enable_pkinit
+except ImportError:
+    # This will happen during build process - we want this to be True
+    enable_pkinit = True
+
 
 class pkinit(Object):
     """
@@ -45,7 +51,8 @@ class pkinit(Object):
 
     label=_('PKINIT')
 
-api.register(pkinit)
+if enable_pkinit:
+    api.register(pkinit)
 
 def valid_arg(ugettext, action):
     """
@@ -95,4 +102,5 @@ class pkinit_anonymous(Command):
 
         return dict(result=True)
 
-api.register(pkinit_anonymous)
+if enable_pkinit:
+    api.register(pkinit_anonymous)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 9f706797fcbeb79bf0c58c60294c0fc7f6e5f4b9..c983195d5be918711512a876c8d526b0e729666e 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -49,6 +49,12 @@ import struct
 import certs
 from distutils import version
 
+try:
+    from ipaconfig import enable_pkinit
+except ImportError:
+    # This will happen during build process - we want this to be True
+    enable_pkinit = True
+
 KRBMKEY_DENY_ACI = '(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (read,write,search,compare) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)'
 
 def update_key_val_in_file(filename, key, val):
@@ -172,7 +178,7 @@ class KrbInstance(service.Service):
         self.step("exporting the kadmin keytab", self.__export_kadmin_changepw_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
         self.step("adding the kerberos master key to the directory", self.__add_master_key)
-        if setup_pkinit:
+        if setup_pkinit and enable_pkinit:
             self.step("creating X509 Certificate for PKINIT", self.__setup_pkinit)
             self.step("creating principal for anonymous PKINIT", self.__add_anonymous_pkinit_principal)
 
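Review bot: The combined `setup_pkinit and enable_pkinit` test is repeated in both KrbInstance methods touched here (the enclosing methods start and end outside the hunks), which gives the `setup_pkinit` parameter two meanings: what the caller asked for, and what the build allows. Normalising once at the top of each method, `setup_pkinit = setup_pkinit and enable_pkinit`, or applying the build-time switch in the callers, keeps the per-step conditions as they were. Whichever place is chosen deserves a comment such as `# build-time switch (ipaconfig.enable_pkinit) overrides the caller's request`.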
@@ -204,7 +210,7 @@ class KrbInstance(service.Service):
         self.step("creating a keytab for the directory", self.__create_ds_keytab)
         self.step("creating a keytab for the machine", self.__create_host_keytab)
         self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
-        if setup_pkinit:
+        if setup_pkinit and enable_pkinit:
             self.step("installing X509 Certificate for PKINIT", self.__setup_pkinit)
         self.step("Enable GSSAPI for replication", self.__convert_to_gssapi_replication)
 
-- 
1.7.3.4
