pam: use a pam object method instead of pam module function

[cascardo/ipsilon.git] / ipsilon / info / infosssd.py

diff --git a/ipsilon/info/infosssd.py b/ipsilon/info/infosssd.py
index ff468a9..6b75965 100644 (file)
--- a/ipsilon/info/infosssd.py
+++ b/ipsilon/info/infosssd.py
@@ -1,6 +1,4 @@
-# Copyright (C) 2014 Ipsilon Project Contributors
-#
-# See the file named COPYING for the project license
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
 
 # Info plugin for mod_lookup_identity Apache module via SSSD
 # http://www.adelton.com/apache/mod_lookup_identity/
@@ -9,11 +7,13 @@ from ipsilon.info.common import InfoProviderBase
 from ipsilon.info.common import InfoProviderInstaller
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.policy import Policy
+from ipsilon.util import config as pconfig
 from string import Template
 import cherrypy
 import time
 import subprocess
 import SSSDConfig
+import logging
 
 SSSD_CONF = '/etc/sssd/sssd.conf'
 
@@ -21,6 +21,7 @@ SSSD_CONF = '/etc/sssd/sssd.conf'
 SSSD_ATTRS = ['mail',
               'street',
               'locality',
+              'st',
               'postalCode',
               'telephoneNumber',
               'givenname',
@@ -35,6 +36,7 @@ sssd_mapping = [
     ['REMOTE_USER_LASTNAME', 'surname'],
     ['REMOTE_USER_STREET', 'street'],
     ['REMOTE_USER_STATE', 'state'],
+    ['REMOTE_USER_CITY', 'city'],
     ['REMOTE_USER_POSTALCODE', 'postcode'],
     ['REMOTE_USER_TELEPHONENUMBER', 'phone'],
 ]
@@ -46,7 +48,13 @@ class InfoProvider(InfoProviderBase):
         super(InfoProvider, self).__init__(*pargs)
         self.mapper = Policy(sssd_mapping)
         self.name = 'sssd'
-        self.new_config(self.name)
+        self.new_config(
+            self.name,
+            pconfig.Condition(
+                'preconfigured',
+                'SSSD can only be used when pre-configured',
+                False),
+        )
 
     def _get_user_data(self, user):
         reply = dict()
@@ -80,13 +88,26 @@ class InfoProvider(InfoProviderBase):
 
         return reply
 
+    def save_plugin_config(self, *args, **kwargs):
+        raise ValueError('Configuration cannot be modified live for SSSD')
+
+    def get_config_obj(self):
+        return None
+
+    def enable(self):
+        self.refresh_plugin_config()
+        if not self.get_config_value('preconfigured'):
+            raise Exception("SSSD Can be enabled only if pre-configured")
+        super(InfoProvider, self).enable()
+
 
 CONF_TEMPLATE = """
 LoadModule lookup_identity_module modules/mod_lookup_identity.so
 
 <Location /${instance}>
   LookupUserAttr sn REMOTE_USER_LASTNAME
-  LookupUserAttr locality REMOTE_USER_STATE
+  LookupUserAttr st REMOTE_USER_STATE
+  LookupUserAttr locality REMOTE_USER_CITY
   LookupUserAttr street REMOTE_USER_STREET
   LookupUserAttr telephoneNumber REMOTE_USER_TELEPHONENUMBER
   LookupUserAttr givenname REMOTE_USER_FIRSTNAME
@@ -109,22 +130,20 @@ class Installer(InfoProviderInstaller):
                            default='no',
                            help='Use mod_lookup_identity and SSSD to populate'
                                 ' user attrs')
-        group.add_argument('--info-sssd-domain', action='store',
+        group.add_argument('--info-sssd-domain', action='append',
                            help='SSSD domain to enable mod_lookup_identity'
                                 ' for')
 
-    def configure(self, opts):
+    def configure(self, opts, changes):
         if opts['info_sssd'] != 'yes':
             return
 
-        if not opts['info_sssd_domain']:
-            print 'info-identity-domain is required'
-            return False
+        configured = 0
 
         confopts = {'instance': opts['instance']}
 
         tmpl = Template(CONF_TEMPLATE)
-        hunk = tmpl.substitute(**confopts)  # pylint: disable=star-args
+        hunk = tmpl.substitute(**confopts)
         with open(opts['httpd_conf'], 'a') as httpd_conf:
             httpd_conf.write(hunk)
 
@@ -134,32 +153,73 @@ class Installer(InfoProviderInstaller):
         except Exception as e:  # pylint: disable=broad-except
             # Unable to read existing SSSD config so it is probably not
             # configured.
-            print 'Loading SSSD config failed: %s' % e
+            logging.info('Loading SSSD config failed: %s', e)
             return False
 
-        try:
-            domain = sssdconfig.get_domain(opts['info_sssd_domain'])
-        except SSSDConfig.NoDomainError:
-            print 'No domain %s' % opts['info_sssd_domain']
+        if not opts['info_sssd_domain']:
+            domains = sssdconfig.list_domains()
+        else:
+            domains = opts['info_sssd_domain']
+
+        changes['domains'] = {}
+        for domain in domains:
+            changes['domains'][domain] = {}
+            try:
+                sssd_domain = sssdconfig.get_domain(domain)
+            except SSSDConfig.NoDomainError:
+                logging.info('No SSSD domain %s', domain)
+                continue
+            else:
+                try:
+                    changes['domains'][domain] = {
+                        'ldap_user_extra_attrs':
+                            sssd_domain.get_option('ldap_user_extra_attrs')}
+                except SSSDConfig.NoOptionError:
+                    pass
+                sssd_domain.set_option(
+                    'ldap_user_extra_attrs', ', '.join(SSSD_ATTRS)
+                )
+                sssdconfig.save_domain(sssd_domain)
+                configured += 1
+                logging.info("Configured SSSD domain %s", domain)
+
+        if configured == 0:
+            logging.info('No SSSD domains configured')
             return False
 
-        domain.set_option('ldap_user_extra_attrs', ', '.join(SSSD_ATTRS))
-
+        changes['ifp'] = {}
         try:
             sssdconfig.new_service('ifp')
+            changes['ifp']['new'] = True
         except SSSDConfig.ServiceAlreadyExists:
-            pass
+            changes['ifp']['new'] = False
 
         sssdconfig.activate_service('ifp')
 
         ifp = sssdconfig.get_service('ifp')
+        if not changes['ifp']['new']:
+            try:
+                changes['ifp']['allowed_uids'] = ifp.get_option('allowed_uids')
+            except SSSDConfig.NoOptionError:
+                pass
+            try:
+                changes['ifp']['user_attributes'] = ifp.get_option(
+                    'user_attributes')
+            except SSSDConfig.NoOptionError:
+                pass
         ifp.set_option('allowed_uids', 'apache, root')
         ifp.set_option('user_attributes', '+' + ', +'.join(SSSD_ATTRS))
 
         sssdconfig.save_service(ifp)
-        sssdconfig.save_domain(domain)
         sssdconfig.write(SSSD_CONF)
 
+        # for selinux enabled platforms, ignore if it fails just report
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_dbus_sssd=on'])
+        except Exception:  # pylint: disable=broad-except
+            pass
+
         try:
             subprocess.call(['/sbin/service', 'sssd', 'restart'])
         except Exception:  # pylint: disable=broad-except
@@ -173,7 +233,59 @@ class Installer(InfoProviderInstaller):
         po.name = 'sssd'
         po.wipe_data()
         po.wipe_config_values()
+        config = {'preconfigured': 'True'}
+        po.save_plugin_config(config)
 
         # Update global config to add info plugin
         po.is_enabled = True
         po.save_enabled_state()
+
+    def unconfigure(self, opts, changes):
+        try:
+            sssdconfig = SSSDConfig.SSSDConfig()
+            sssdconfig.import_config()
+        except Exception as e:  # pylint: disable=broad-except
+            # Unable to read existing SSSD config so it is probably not
+            # configured.
+            logging.info('Loading SSSD config failed: %s', e)
+            return False
+
+        for domain in changes['domains']:
+            try:
+                sssd_domain = sssdconfig.get_domain(domain.encode('utf-8'))
+            except SSSDConfig.NoDomainError:
+                logging.info('No SSSD domain %s', domain)
+                continue
+            else:
+                if 'ldap_user_extra_attrs' in changes['domains'][domain]:
+                    sssd_domain.set_option('ldap_user_extra_attrs',
+                                           changes['domains'][domain][
+                                               'ldap_user_extra_attrs'].encode(
+                                                   'utf-8'))
+                else:
+                    sssd_domain.remove_option('ldap_user_extra_attrs')
+                sssdconfig.save_domain(sssd_domain)
+
+        if changes['ifp']['new']:
+            # We created the service newly, let's remove
+            sssdconfig.delete_service('ifp')
+        else:
+            ifp = sssdconfig.get_service('ifp')
+            if 'allowed_uids' in changes['ifp']:
+                ifp.set_option('allowed_uids',
+                               changes['ifp']['allowed_uids'].encode('utf-8'))
+            if 'user_attributes' in changes['ifp']:
+                ifp.set_option('user_attributes',
+                               changes['ifp']['user_attributes'].encode(
+                                   'utf-8'))
+            sssdconfig.save_service(ifp)
+
+        sssdconfig.write(SSSD_CONF)
+
+        try:
+            subprocess.call(['/sbin/service', 'sssd', 'restart'])
+        except Exception:  # pylint: disable=broad-except
+            pass
+
+        # Give SSSD a chance to restart
+        time.sleep(5)