Blob Blame History Raw
From f16d9533c7917a8a57a9148dee61df3b12a5e767 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 2 Jun 2017 18:36:29 +0200
Subject: [PATCH] Prepare advise plugin for smart card auth configuration

The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.

https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/advise/plugins/smart_card_auth.py | 266 ++++++++++++++++++++++++++++
 1 file changed, 266 insertions(+)
 create mode 100644 ipaserver/advise/plugins/smart_card_auth.py

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..5859e350939fdba0a8b258de5285dd10c7b3bc23
--- /dev/null
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib.plugable import Registry
+from ipaplatform.paths import paths
+from ipaserver.advise.base import Advice
+from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
+
+register = Registry()
+
+
+@register()
+class config_server_for_smart_card_auth(Advice):
+    """
+    Configures smart card authentication via Kerberos (PKINIT) and for WebUI
+    """
+
+    description = ("Instructions for enabling Smart Card authentication on "
+                   " a single FreeIPA server. Includes Apache configuration, "
+                   "enabling PKINIT on KDC and configuring WebUI to accept "
+                   "Smart Card auth requests. To enable the feature in the "
+                   "whole topology you have to run the script on each master")
+
+    nss_conf = paths.HTTPD_NSS_CONF
+    nss_ocsp_directive = 'NSSOCSP'
+    nss_nickname_directive = 'NSSNickname'
+
+    def get_info(self):
+        self.log.exit_on_nonroot_euid()
+        self.check_ccache_not_empty()
+        self.check_hostname_is_in_masters()
+        self.resolve_ipaca_records()
+        self.enable_nss_ocsp()
+        self.mark_httpd_cert_as_trusted()
+        self.restart_httpd()
+        self.record_httpd_ocsp_status()
+        self.check_and_enable_pkinit()
+        self.enable_ok_to_auth_as_delegate_on_http_principal()
+
+    def check_ccache_not_empty(self):
+        self.log.comment('Check whether the credential cache is not empty')
+        self.log.exit_on_failed_command(
+            'klist',
+            [
+                "Credential cache is empty",
+                'Use kinit as privileged user to obtain Kerberos credentials'
+            ])
+
+    def check_hostname_is_in_masters(self):
+        self.log.comment('Check whether the host is IPA master')
+        self.log.exit_on_failed_command(
+            'ipa server-find $(hostname -f)',
+            ["This script can be run on IPA master only"])
+
+    def resolve_ipaca_records(self):
+        ipa_domain_name = self.api.env.domain
+
+        self.log.comment('make sure bind-utils are installed so that we can '
+                         'dig for ipa-ca records')
+        self.log.exit_on_failed_command(
+            'yum install -y bind-utils',
+            ['Failed to install bind-utils'])
+
+        self.log.comment('make sure ipa-ca records are resolvable, '
+                         'otherwise error out and instruct')
+        self.log.comment('the user to update the DNS infrastructure')
+        self.log.command('ipaca_records=$(dig +short '
+                         'ipa-ca.{})'.format(ipa_domain_name))
+
+        self.log.exit_on_predicate(
+            '[ -z "$ipaca_records" ]',
+            [
+                'Can not resolve ipa-ca records for ${domain_name}',
+                'Please make sure to update your DNS infrastructure with ',
+                'ipa-ca record pointing to IP addresses of IPA CA masters'
+            ])
+
+    def enable_nss_ocsp(self):
+        self.log.comment('look for the OCSP directive in nss.conf')
+        self.log.comment(' if it is present, switch it on')
+        self.log.comment(
+            'if it is absent, append it to the end of VirtualHost section')
+        predicate = self._interpolate_ocsp_directive_file_into_command(
+            "grep -q '{directive} ' {filename}")
+
+        self.log.commands_on_predicate(
+            predicate,
+            [
+                self._interpolate_ocsp_directive_file_into_command(
+                    "  sed -i.ipabkp -r "
+                    "'s/^#*[[:space:]]*{directive}[[:space:]]+(on|off)$"
+                    "/{directive} on/' {filename}")
+            ],
+            commands_to_run_when_false=[
+                self._interpolate_ocsp_directive_file_into_command(
+                    "  sed -i.ipabkp '/<\/VirtualHost>/i {directive} on' "
+                    "{filename}")
+            ]
+        )
+
+    def _interpolate_ocsp_directive_file_into_command(self, fmt_line):
+        return self._format_command(
+            fmt_line, self.nss_ocsp_directive, self.nss_conf)
+
+    def _format_command(self, fmt_line, directive, filename):
+        return fmt_line.format(directive=directive, filename=filename)
+
+    def mark_httpd_cert_as_trusted(self):
+        self.log.comment(
+            'mark the HTTP certificate as trusted peer to avoid '
+            'chicken-egg startup issue')
+        self.log.command(
+            self._interpolate_nssnickname_directive_file_into_command(
+                "http_cert_nick=$(grep '{directive}' {filename} |"
+                " cut -f 2 -d ' ')"))
+
+        self.log.exit_on_failed_command(
+            'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format(
+                paths.HTTPD_ALIAS_DIR),
+            ['Can not set trust flags on HTTP certificate'])
+
+    def _interpolate_nssnickname_directive_file_into_command(self, fmt_line):
+        return self._format_command(
+            fmt_line, self.nss_nickname_directive, self.nss_conf)
+
+    def restart_httpd(self):
+        self.log.comment('finally restart apache')
+        self.log.command('systemctl restart httpd')
+
+    def record_httpd_ocsp_status(self):
+        self.log.comment('store the OCSP upgrade state')
+        self.log.command(
+            "python -c 'from ipaserver.install import sysupgrade; "
+            "sysupgrade.set_upgrade_state(\"httpd\", "
+            "\"{}\", True)'".format(NSS_OCSP_ENABLED))
+
+    def check_and_enable_pkinit(self):
+        self.log.comment('check whether PKINIT is configured on the master')
+        self.log.command(
+            "if ipa-pkinit-manage status | grep -q 'enabled'")
+        self.log.command('then')
+        self.log.command('  echo "PKINIT already enabled"')
+        self.log.command('else')
+        self.log.exit_on_failed_command(
+            'ipa-pkinit-manage enable',
+            ['Failed to issue PKINIT certificates to local KDC'],
+            indent_spaces=2)
+        self.log.command('fi')
+
+    def enable_ok_to_auth_as_delegate_on_http_principal(self):
+        self.log.comment('Enable OK-AS-DELEGATE flag on the HTTP principal')
+        self.log.comment('This enables smart card login to WebUI')
+        self.log.command(
+            'output=$(ipa service-mod HTTP/$(hostname -f) '
+            '--ok-to-auth-as-delegate=True 2>&1)')
+        self.log.exit_on_predicate(
+            '[ "$?" -ne "0" -a '
+            '-z "$(echo $output | grep \'no modifications\')" ]',
+            ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
+        )
+
+
+@register()
+class config_client_for_smart_card_auth(Advice):
+    """
+    Configures smart card authentication on FreeIPA client
+    """
+    smart_card_ca_cert_variable_name = "SC_CA_CERT"
+
+    description = ("Instructions for enabling Smart Card authentication on "
+                   " a single FreeIPA client. Configures Smart Card daemon, "
+                   "set the system-wide trust store and configures SSSD to "
+                   "allow smart card logins to desktop")
+
+    opensc_module_name = "OpenSC"
+    pkcs11_shared_lib = '/usr/lib64/opensc-pkcs11.so'
+    smart_card_service_file = 'pcscd.service'
+    smart_card_socket = 'pcscd.socket'
+    systemwide_nssdb = paths.NSS_DB_DIR
+
+    def get_info(self):
+        self.log.exit_on_nonroot_euid()
+        self.check_and_set_ca_cert_path()
+        self.check_and_remove_pam_pkcs11()
+        self.install_opensc_and_dconf_packages()
+        self.start_enable_smartcard_daemon()
+        self.add_pkcs11_module_to_systemwide_db()
+        self.upload_smartcard_ca_certificate_to_systemwide_db()
+        self.run_authconfig_to_configure_smart_card_auth()
+        self.restart_sssd()
+
+    def check_and_set_ca_cert_path(self):
+        ca_path_variable = self.smart_card_ca_cert_variable_name
+        self.log.command("{}=$1".format(ca_path_variable))
+        self.log.exit_on_predicate(
+            '[ -z "${}" ]'.format(ca_path_variable),
+            ['You need to provide the path to the PEM file containing CA '
+             'signing the Smart Cards']
+        )
+        self.log.exit_on_predicate(
+            '[ ! -f "${}" ]'.format(ca_path_variable),
+            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
+             'Please check that the path exists and is a valid file']
+        )
+
+    def check_and_remove_pam_pkcs11(self):
+        self.log.command('rpm -qi pam_pkcs11 > /dev/null')
+        self.log.commands_on_predicate(
+            '[ "$?" -eq "0" ]',
+            [
+                'yum remove -y pam_pkcs11'
+            ]
+        )
+
+    def install_opensc_and_dconf_packages(self):
+        self.log.comment(
+            'authconfig often complains about missing dconf, '
+            'install it explicitly')
+        self.log.exit_on_failed_command(
+            'yum install -y {} dconf'.format(self.opensc_module_name.lower()),
+            ['Could not install OpenSC package']
+        )
+
+    def start_enable_smartcard_daemon(self):
+        self.log.command(
+            'systemctl start {service} {socket} '
+            '&& systemctl enable {service} {socket}'.format(
+                service=self.smart_card_service_file,
+                socket=self.smart_card_socket))
+
+    def add_pkcs11_module_to_systemwide_db(self):
+        module_name = self.opensc_module_name
+        nssdb = self.systemwide_nssdb
+        shared_lib = self.pkcs11_shared_lib
+
+        self.log.commands_on_predicate(
+            'modutil -dbdir {} -list | grep -q {}'.format(
+                nssdb, module_name),
+            [
+                'echo "{} PKCS#11 module already configured"'.format(
+                    module_name)
+            ],
+            commands_to_run_when_false=[
+                'echo "" | modutil -dbdir {} -add "{}" -libfile {}'.format(
+                    nssdb, module_name, shared_lib),
+            ]
+        )
+
+    def upload_smartcard_ca_certificate_to_systemwide_db(self):
+        self.log.command(
+            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
+                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
+            )
+        )
+
+    def run_authconfig_to_configure_smart_card_auth(self):
+        self.log.exit_on_failed_command(
+            'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
+            [
+                'Failed to configure Smart Card authentication in SSSD'
+            ]
+        )
+
+    def restart_sssd(self):
+        self.log.command('systemctl restart sssd.service')
-- 
2.9.4