From 6e05a3d6888b25734ea85365a38f6ca816227570 Mon Sep 17 00:00:00 2001 From: Joe VLcek Date: Tue, 27 Aug 2019 17:33:24 -0400 Subject: [PATCH 1/9] Add support to automate external auth config for ldap Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1745775 Add config spec test --- spec/tools/miqldap_to_sssd/cli_config_spec.rb | 93 ++++++++++++ .../{cli_spec.rb => cli_convert_spec.rb} | 20 +-- .../configure_appliance_settings_spec.rb | 18 ++- tools/miqldap_to_sssd/cli.rb | 62 +------- tools/miqldap_to_sssd/cli_config.rb | 143 ++++++++++++++++++ tools/miqldap_to_sssd/cli_convert.rb | 58 +++++++ .../configure_appliance_settings.rb | 10 +- tools/miqldap_to_sssd/converter.rb | 4 +- 8 files changed, 338 insertions(+), 70 deletions(-) create mode 100644 spec/tools/miqldap_to_sssd/cli_config_spec.rb rename spec/tools/miqldap_to_sssd/{cli_spec.rb => cli_convert_spec.rb} (58%) create mode 100644 tools/miqldap_to_sssd/cli_config.rb create mode 100644 tools/miqldap_to_sssd/cli_convert.rb diff --git a/spec/tools/miqldap_to_sssd/cli_config_spec.rb b/spec/tools/miqldap_to_sssd/cli_config_spec.rb new file mode 100644 index 00000000000..250b3561cae --- /dev/null +++ b/spec/tools/miqldap_to_sssd/cli_config_spec.rb 
@@ -0,0 +1,93 @@ +$LOAD_PATH << Rails.root.join("tools").to_s + +require "miqldap_to_sssd/cli_config" + +describe MiqLdapToSssd::CliConfig do + before do + @all_opts = :tls_cacert, :tls_cacertdir, :domain, :ldaphost, :ldapport, :user_type, :user_suffix, :mode, + :bind_dn, :bind_pwd, :only_change_userids, :skip_post_conversion_userid_change + @all_required_opts = %w[-H ldaphost -T dn-cn -S user_suffix -M ldap] + allow(TCPSocket).to receive(:new).and_return(double(:close => nil)) + + stub_const("LOGGER", double) + allow(LOGGER).to receive(:debug) + end + + describe "#parse" do + it "should assign defaults" do + opts = described_class.new.parse(@all_required_opts).opts.slice(*@all_opts) + expect(opts).to include(:ldapport => 389, :skip_post_conversion_userid_change => false) + end + + it "should assign all required options" do + opts = described_class.new.parse(@all_required_opts).opts.slice(*@all_opts) + expect(opts).to eq(:ldaphost => ["ldaphost"], + :ldapport => 389, + :mode => "ldap", + :only_change_userids => false, + :skip_post_conversion_userid_change => false, + :user_suffix => "user_suffix", + :user_type => "dn-cn") + end + + it "should assign default non-secure ldapport" do + opts = described_class.new.parse(@all_required_opts).opts.slice(:ldapport) + expect(opts).to eq(:ldapport => 389) + end + + it "should assign default secure ldapport" do + opts = described_class.new.parse(@all_required_opts - %w[-M ldap] + %w[-M ldaps]).opts.slice(:ldapport) + expect(opts).to eq(:ldapport => 636) + end + + it "should parse ldaphost" do + opts = described_class.new.parse(@all_required_opts).opts.slice(:ldaphost) + expect(opts).to eq(:ldaphost => ["ldaphost"]) + end + + it "should parse ldapport" do + opts = described_class.new.parse(@all_required_opts + %w[-P 8675309]).opts.slice(:ldapport) + expect(opts).to eq(:ldapport => "8675309") + end + + it "should parse user_type" do + opts = described_class.new.parse(@all_required_opts).opts.slice(:user_type) + expect(opts).to 
eq(:user_type => "dn-cn") + end + + it "should parse user_suffix" do + opts = described_class.new.parse(@all_required_opts).opts.slice(:user_suffix) + expect(opts).to eq(:user_suffix => "user_suffix") + end + + it "should parse mode" do + opts = described_class.new.parse(@all_required_opts).opts.slice(:mode) + expect(opts).to eq(:mode => "ldap") + end + + it "should parse base DN domain names" do + opts = described_class.new.parse(@all_required_opts + %w[-d example.com]).opts.slice(:domain) + expect(opts).to eq(:domain => "example.com") + end + + it "should parse bind DN" do + opts = described_class.new.parse(@all_required_opts + %w[-b cn=Manager,dc=example,dc=com]).opts.slice(:bind_dn) + expect(opts).to eq(:bind_dn => "cn=Manager,dc=example,dc=com") + end + + it "should parse bind pwd" do + opts = described_class.new.parse(@all_required_opts + %w[-p password]).opts.slice(:bind_pwd) + expect(opts).to eq(:bind_pwd => "password") + end + + it "should parse TLS cacert path and directory" do + opts = described_class.new.parse(@all_required_opts + %w[-c /a/path/to/a/cacert]).opts.slice(:tls_cacert, :tls_cacertdir) + expect(opts).to eq(:tls_cacert => "/a/path/to/a/cacert", :tls_cacertdir => "/a/path/to/a") + end + + it "can skip updating the userids after the conversion" do + opts = described_class.new.parse(@all_required_opts + %w[-s]).opts.slice(*@all_opts) + expect(opts).to include(:skip_post_conversion_userid_change => true) + end + end +end diff --git a/spec/tools/miqldap_to_sssd/cli_spec.rb b/spec/tools/miqldap_to_sssd/cli_convert_spec.rb similarity index 58% rename from spec/tools/miqldap_to_sssd/cli_spec.rb rename to spec/tools/miqldap_to_sssd/cli_convert_spec.rb index 7f30ad546f2..d4611d1ac7c 100644 --- a/spec/tools/miqldap_to_sssd/cli_spec.rb +++ b/spec/tools/miqldap_to_sssd/cli_convert_spec.rb 
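Review bot: The `should parse ldapport` example pins `:ldapport => "8675309"` as a String, while `should assign defaults` and the two default-port examples pin 389 and 636 as Integers, so the spec locks in a mixed type for the same option and every consumer of `opts[:ldapport]` has to cope with both. Pinning `:ldapport => 8675309` here (with the option typed as an integer in CliConfig) would make the contract uniform; if the string form is deliberate, a comment on the example saying why would help. The `before` block also stubs `TCPSocket.new`, which is what lets the host/port reachability check in CliConfig pass offline, but nothing says so; a one-line comment there, `# CliConfig probes ldaphost:ldapport with a TCP connect; stub it so parsing runs offline`, would explain the otherwise unrelated stub.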
@@ -1,47 +1,47 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd/cli" +require "miqldap_to_sssd/cli_convert" -describe MiqLdapToSssd::Cli do +describe MiqLdapToSssd::CliConvert do before do - @all_options = :tls_cacert, :tls_cacertdir, :domain, :only_change_userids, :skip_post_conversion_userid_change + @all_opts = :tls_cacert, :tls_cacertdir, :domain, :only_change_userids, :skip_post_conversion_userid_change stub_const("LOGGER", double) allow(LOGGER).to receive(:debug) end describe "#parse" do it "should assign defaults" do - opts = described_class.new.parse([]).options.slice(*@all_options) + opts = described_class.new.parse([]).opts.slice(*@all_opts) expect(opts).to eq(:only_change_userids => false, :skip_post_conversion_userid_change => false) end it "should parse base DN domain names" do - opts = described_class.new.parse(%w(-d example.com)).options.slice(:domain) + opts = described_class.new.parse(%w[-d example.com]).opts.slice(:domain) expect(opts).to eq(:domain => "example.com") end it "should parse bind DN" do - opts = described_class.new.parse(%w(-b cn=Manager,dc=example,dc=com)).options.slice(:bind_dn) + opts = described_class.new.parse(%w[-b cn=Manager,dc=example,dc=com]).opts.slice(:bind_dn) expect(opts).to eq(:bind_dn => "cn=Manager,dc=example,dc=com") end it "should parse bind pwd" do - opts = described_class.new.parse(%w(-p password)).options.slice(:bind_pwd) + opts = described_class.new.parse(%w[-p password]).opts.slice(:bind_pwd) expect(opts).to eq(:bind_pwd => "password") end it "should parse TLS cacert path and directory" do - opts = described_class.new.parse(%w(-c /a/path/to/a/cacert)).options.slice(:tls_cacert, :tls_cacertdir) + opts = described_class.new.parse(%w[-c /a/path/to/a/cacert]).opts.slice(:tls_cacert, :tls_cacertdir) expect(opts).to eq(:tls_cacert => "/a/path/to/a/cacert", :tls_cacertdir => "/a/path/to/a") end it "can only updating the userids" do - opts = 
described_class.new.parse(%w(-n)).options.slice(*@all_options) + opts = described_class.new.parse(%w[-n]).opts.slice(*@all_opts) expect(opts).to eq(:only_change_userids => true, :skip_post_conversion_userid_change => false) end it "can skip updating the userids after the conversion" do - opts = described_class.new.parse(%w(-s)).options.slice(*@all_options) + opts = described_class.new.parse(%w[-s]).opts.slice(*@all_opts) expect(opts).to eq(:only_change_userids => false, :skip_post_conversion_userid_change => true) end end diff --git a/spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb b/spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb index 829c5b62759..04469620602 100644 --- a/spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb +++ b/spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb @@ -28,12 +28,28 @@ Vmdb::Settings.save!(miq_server, @auth_config) Settings.reload! - described_class.new.configure + described_class.new(:ldap_role => nil).configure settings = miq_server.settings expect(settings.fetch_path(:authentication, :mode)).to eq("httpd") expect(settings.fetch_path(:authentication, :ldap_role)).to eq(false) expect(settings.fetch_path(:authentication, :httpd_role)).to eq(true) end + + it 'sets httpd_role to ldap_role if ldap_role is specified' do + # Needed to avoid pitfalls of not running on a live appliance with real settings + allow_any_instance_of(Vmdb::Settings).to receive(:activate) + allow_any_instance_of(ConfigurationManagementMixin).to receive(:reload_all_server_settings) + + Vmdb::Settings.save!(miq_server, @auth_config) + Settings.reload! + + described_class.new(:ldap_role => false).configure + + settings = miq_server.settings + expect(settings.fetch_path(:authentication, :mode)).to eq("httpd") + expect(settings.fetch_path(:authentication, :ldap_role)).to eq(false) + expect(settings.fetch_path(:authentication, :httpd_role)).to eq(false) + end end end 
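Review bot: The new example in configure_appliance_settings_spec.rb repeats the two `allow_any_instance_of` stubs, the `Vmdb::Settings.save!` call and `Settings.reload!` verbatim from the example above it; moving those four lines into a `before` block for this `describe` would leave each example with only its `described_class.new(:ldap_role => ...)` call and expectations. It is also worth a comment that `false` is the value chosen because it differs from the `true` the previous example obtains via `Settings.authentication.ldap_role`, e.g. `# false differs from the Settings fallback (true above), so it proves the explicit value wins`. The enclosing describe block starts before this hunk.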
diff --git a/tools/miqldap_to_sssd/cli.rb b/tools/miqldap_to_sssd/cli.rb index d0f168b49da..cde3e29e19b 100644 --- a/tools/miqldap_to_sssd/cli.rb +++ b/tools/miqldap_to_sssd/cli.rb @@ -1,67 +1,21 @@ require 'optimist' module MiqLdapToSssd - class Cli - attr_accessor :options - - def parse(args) - args.shift if args.first == "--" # Handle when called through script/runner - - LOGGER.debug("Invoked #{self.class}\##{__method__}") - - self.options = Optimist.options(args) do - banner "Usage: ruby #{$PROGRAM_NAME} [options]\n" - - opt :domain, - "The domain name for the Base DN, e.g. example.com", - :short => "d", - :default => nil, - :type => :string - - opt :bind_dn, - "The Bind DN, credential to use to authenticate against LDAP e.g. cn=Manager,dc=example,dc=com", - :short => "b", - :default => nil, - :type => :string - - opt :bind_pwd, - "The password for the Bind DN.", - :short => "p", - :default => nil, - :type => :string - - opt :tls_cacert, - "Path to certificate file", - :short => "c", - :default => nil, - :type => :string + class CliError < StandardError; end - opt :only_change_userids, - "normalize the userids then exit", - :short => "n", - :default => false, - :type => :flag - - opt :skip_post_conversion_userid_change, - "Do the MiqLdap to SSSD conversion but skip the normalizing of the userids", - :short => "s", - :default => false, - :type => :flag - end - - options[:tls_cacertdir] = File.dirname(options[:tls_cacert]) unless options[:tls_cacert].nil? - self.options = options.delete_if { |_n, v| v.nil? } - LOGGER.debug("User provided settings: #{options}") - - self - end + class Cli + attr_accessor :opts def run - Converter.new(options).run + Converter.new(opts).run end def self.run(args) new.parse(args).run end + + def parse(_args) + raise NotImplementedError, _("parse must be implemented in a subclass") + end end end diff --git a/tools/miqldap_to_sssd/cli_config.rb b/tools/miqldap_to_sssd/cli_config.rb new file mode 100644 index 00000000000..64c928bf02c 
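Review bot: `Cli#parse` raises `NotImplementedError` with a message wrapped in `_(...)`, but this file only requires `optimist`, so unless the tool is always loaded inside the Rails app where that gettext helper is defined, the abstract-method guard itself would fail with a NoMethodError on `_`. A plain string, `raise NotImplementedError, "parse must be implemented in a subclass"`, is safer for a standalone tool; note that NotImplementedError is a ScriptError rather than a StandardError, so a bare `rescue` in a caller will not swallow it, which is presumably the intent and deserves a short comment. `CliError` is introduced here but nothing in the hunk raises it; a comment saying what subclasses should raise it for, or dropping it until it is used, would avoid a dead definition.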
--- /dev/null
+++ b/tools/miqldap_to_sssd/cli_config.rb
@@ -0,0 +1,143 @@ +require 'optimist' +require 'miqldap_to_sssd/cli' + +module MiqLdapToSssd + VALID_USER_TYPES = %w[dn-cn dn-uid userprincipalname mail samaccountname].freeze + + class CliConfig < Cli + def parse(args) + args.shift if args.first == "--" # Handle when called through script/runner + + LOGGER.debug("Invoked #{self.class}\##{__method__}") + + self.opts = Optimist.options(args) do + banner "Usage: ruby #{$PROGRAM_NAME} [opts]\n" + + opt :ldaphost, + "LDAP Host Name", + :short => "H", + :type => :string, + :required => true + + opt :ldapport, + "LDAP Port", + :short => "P", + :type => :string, + :required => false + + opt :user_type, + "User Type for LDAP server use: dn-cn of dn-uid. For AD server use: userprincipalname, mail, samaccountname", + :short => "T", + :type => :string, + :required => true + + opt :user_suffix, + "User Suffix @", + :short => "S", + :type => :string, + :required => true + + opt :mode, + "The Mode for the connection ldap or secure ldaps", + :short => "M", + :type => :string, + :required => true + + opt :domain, + "The domain name for the Base DN, e.g. example.com", + :short => "d", + :default => nil, + :type => :string, + :required => false + + opt :bind_dn, + "The Bind DN, credential to use to authenticate against LDAP e.g. 
cn=Manager,dc=example,dc=com", + :short => "b", + :default => nil, + :type => :string, + :required => false + + opt :bind_pwd, + "The password for the Bind DN.", + :short => "p", + :default => nil, + :type => :string, + :required => false + + opt :tls_cacert, + "Path to certificate file", + :short => "c", + :default => nil, + :type => :string, + :required => false + + opt :only_change_userids, + "normalize the userids then exit", + :short => "n", + :default => false, + :type => :flag, + :required => false + + opt :skip_post_conversion_userid_change, + "Do the MiqLdap to SSSD conversion but skip the normalizing of the userids", + :short => "s", + :default => false, + :type => :flag, + :required => false + end + + Optimist.die "#{opts[:mode]} is not a valid mode. Must be ldap or ldaps" unless mode_valid? + Optimist.die "#{opts[:user_type]} is not a valid mode. Must be one of #{VALID_USER_TYPES}" unless user_type_valid? + default_port_from_mode + Optimist.die "#{opts[:ldaphost]}:#{opts[:ldapport]} is not open." unless ldaphost_and_ldapport_valid? + opts[:ldaphost] = [opts[:ldaphost]] # Currently only supporting a single host from the command line. + set_ldap_role + + opts[:tls_cacertdir] = File.dirname(opts[:tls_cacert]) unless opts[:tls_cacert].nil? + self.opts = opts.delete_if { |_n, v| v.nil? } + LOGGER.debug("User provided settings: #{opts}") + + self + end + + private + + def mode_valid? + opts[:mode] == "ldaps" || opts[:mode] == "ldap" + end + + def default_port_from_mode + return unless opts[:ldapport].nil? + + opts[:ldapport] = 389 if opts[:mode] == "ldap" + opts[:ldapport] = 636 if opts[:mode] == "ldaps" + end + + def ldaphost_and_ldapport_valid? + begin + Timeout.timeout(1) do + begin + TCPSocket.new(opts[:ldaphost], opts[:ldapport]).close + return true + rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH + return false + end + end + rescue Timeout::Error + return false + end + + false + end + + def set_ldap_role + opts[:ldap_role] = opts[:bind_pwd].nil? ? 
false : true + end + + def user_type_valid? + return true if VALID_USER_TYPES.include?(opts[:user_type]) + + false + end + end +end diff --git a/tools/miqldap_to_sssd/cli_convert.rb b/tools/miqldap_to_sssd/cli_convert.rb new file mode 100644 index 00000000000..34222a025fd --- /dev/null +++ b/tools/miqldap_to_sssd/cli_convert.rb @@ -0,0 +1,58 @@ +require 'optimist' +require 'miqldap_to_sssd/cli' + +module MiqLdapToSssd + class CliConvert < Cli + def parse(args) + args.shift if args.first == "--" # Handle when called through script/runner + + LOGGER.debug("Invoked #{self.class}\##{__method__}") + + self.opts = Optimist.options(args) do + banner "Usage: ruby #{$PROGRAM_NAME} [opts]\n" + + opt :domain, + "The domain name for the Base DN, e.g. example.com", + :short => "d", + :default => nil, + :type => :string + + opt :bind_dn, + "The Bind DN, credential to use to authenticate against LDAP e.g. cn=Manager,dc=example,dc=com", + :short => "b", + :default => nil, + :type => :string + + opt :bind_pwd, + "The password for the Bind DN.", + :short => "p", + :default => nil, + :type => :string + + opt :tls_cacert, + "Path to certificate file", + :short => "c", + :default => nil, + :type => :string + + opt :only_change_userids, + "normalize the userids then exit", + :short => "n", + :default => false, + :type => :flag + + opt :skip_post_conversion_userid_change, + "Do the MiqLdap to SSSD conversion but skip the normalizing of the userids", + :short => "s", + :default => false, + :type => :flag + end + + opts[:tls_cacertdir] = File.dirname(opts[:tls_cacert]) unless opts[:tls_cacert].nil? + self.opts = opts.delete_if { |_n, v| v.nil? } + LOGGER.debug("User provided settings: #{opts}") + + self + end + end +end diff --git a/tools/miqldap_to_sssd/configure_appliance_settings.rb b/tools/miqldap_to_sssd/configure_appliance_settings.rb index 77aeab2fdf1..325b905e234 100644 --- a/tools/miqldap_to_sssd/configure_appliance_settings.rb 
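Review bot: `LOGGER.debug("User provided settings: #{opts}")` at the end of `CliConfig#parse` writes the whole option hash, including `:bind_pwd`, to the debug log, so the LDAP bind password lands in plain text in whatever file LOGGER writes to; the same line is in `CliConvert#parse` in the next hunk. Logging with the secret masked, `LOGGER.debug("User provided settings: #{opts.reject { |k, _| k == :bind_pwd }}")`, keeps the diagnostic without the credential. Separately, `ldaphost_and_ldapport_valid?` rescues only `Errno::ECONNREFUSED` and `Errno::EHOSTUNREACH`, so an unresolvable hostname (`SocketError`) or `Errno::ENETUNREACH` escapes as an uncaught exception instead of the `Optimist.die "... is not open."` message; adding `SocketError, Errno::ENETUNREACH` to that rescue list closes the gap. The `user_type` validation message also says "is not a valid mode" where it should say "is not a valid user type".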
+++ b/tools/miqldap_to_sssd/configure_appliance_settings.rb @@ -6,12 +6,18 @@ class ConfigureApplianceSettingsError < StandardError; end class ConfigureApplianceSettings attr_reader :initial_settings + def initialize(initial_settings) + @initial_settings = initial_settings + end + def configure - LOGGER.debug("Invoked #{self.class}\##{__method__}") + LOGGER.debug("Invoked #{self.class}\##{__method__} initial_settings #{initial_settings} ") + + ldap_role = initial_settings[:ldap_role].nil? ? Settings.authentication.ldap_role : initial_settings[:ldap_role] new_settings = { :authentication => {:mode => "httpd", - :httpd_role => Settings.authentication.ldap_role, + :httpd_role => ldap_role, :ldap_role => false} } diff --git a/tools/miqldap_to_sssd/converter.rb b/tools/miqldap_to_sssd/converter.rb index 9871ceb306a..527116f9124 100644 --- a/tools/miqldap_to_sssd/converter.rb +++ b/tools/miqldap_to_sssd/converter.rb @@ -1,5 +1,3 @@ -#!/usr/bin/env ruby - module MiqLdapToSssd SSSD_CONF_FILE = "/etc/sssd/sssd.conf".freeze SSSD_ALREADY_CONFIGURED = "ERROR: #{SSSD_CONF_FILE} already exists. No changes will be made. Exiting".freeze @@ -36,7 +34,7 @@ def do_conversion disable_tls ConfigureApache.new(initial_settings).configure ConfigureSELinux.new(initial_settings).configure - ConfigureApplianceSettings.new.configure + ConfigureApplianceSettings.new(initial_settings).configure end def disable_tls From 7282da646503424b06f973609eb45f159ab92bfd Mon Sep 17 00:00:00 2001 
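Review bot: The new debug line `LOGGER.debug("Invoked #{self.class}\##{__method__} initial_settings #{initial_settings} ")` interpolates the full `initial_settings` hash; given that `Converter#do_conversion` in the last hunk passes its own `initial_settings` here and the CLI options include `:bind_pwd`, that hash most likely carries the bind password, which would then be written to the debug log. Logging only the key this class reads, `LOGGER.debug("Invoked #{self.class}\##{__method__} ldap_role #{initial_settings[:ldap_role].inspect}")`, avoids that and also drops the stray trailing space in the message. `initialize(initial_settings)` now takes a required argument; the one caller shown (converter.rb) is updated, but any other `ConfigureApplianceSettings.new` without arguments elsewhere would break, so `def initialize(initial_settings = {})` would be the safer signature if such callers exist. The class body continues beyond the hunk.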
From: Joe VLcek Date: Wed, 28 Aug 2019 17:44:21 -0400 Subject: [PATCH 2/9] Rename miqldap_to_sssd to miq_config_sssd_ldap Update the main entry point Fix one missed update from u to user Dry PROGRAM_NAME == __FILE__ Move action assignment --- .../auth_establish_spec.rb | 12 +++--- .../cli_config_spec.rb | 4 +- .../cli_convert_spec.rb | 4 +- .../configure_apache_spec.rb | 14 +++---- .../configure_appliance_settings_spec.rb | 4 +- .../configure_selinux_spec.rb | 14 +++---- .../miqldap_configuration_spec.rb | 20 +++++----- .../sssd_conf_spec.rb | 10 ++--- ...dap_to_sssd.rb => miq_config_sssd_ldap.rb} | 24 +++++++++--- .../auth_establish.rb | 2 +- .../auth_template_files.rb | 2 +- .../cli.rb | 2 +- .../cli_config.rb | 6 +-- .../cli_convert.rb | 4 +- .../configure_apache.rb | 3 +- .../configure_appliance_settings.rb | 2 +- .../configure_database.rb | 38 +++++++++---------- .../configure_selinux.rb | 4 +- .../configure_sssd_rules.rb | 2 +- .../converter.rb | 2 +- .../miqldap_configuration.rb | 2 +- .../services.rb | 2 +- .../sssd_conf.rb | 2 +- .../sssd_conf/common.rb | 4 +- .../sssd_conf/domain.rb | 6 +-- .../sssd_conf/ifp.rb | 4 +- .../sssd_conf/pam.rb | 4 +- .../sssd_conf/sssd.rb | 6 +-- 28 files changed, 107 insertions(+), 96 deletions(-) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/auth_establish_spec.rb (89%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/cli_config_spec.rb (97%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/cli_convert_spec.rb (95%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_apache_spec.rb (87%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_appliance_settings_spec.rb (93%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_selinux_spec.rb (85%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/miqldap_configuration_spec.rb (76%) rename spec/tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf_spec.rb (87%) rename 
tools/{miqldap_to_sssd.rb => miq_config_sssd_ldap.rb} (53%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/auth_establish.rb (98%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/auth_template_files.rb (96%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/cli.rb (92%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/cli_config.rb (96%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/cli_convert.rb (96%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_apache.rb (98%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_appliance_settings.rb (97%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_database.rb (68%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_selinux.rb (95%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/configure_sssd_rules.rb (96%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/converter.rb (98%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/miqldap_configuration.rb (99%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/services.rb (96%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf.rb (98%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf/common.rb (89%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf/domain.rb (96%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf/ifp.rb (73%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf/pam.rb (67%) rename tools/{miqldap_to_sssd => miq_config_sssd_ldap}/sssd_conf/sssd.rb (81%) diff --git a/spec/tools/miqldap_to_sssd/auth_establish_spec.rb b/spec/tools/miq_config_sssd_ldap/auth_establish_spec.rb similarity index 89% rename from spec/tools/miqldap_to_sssd/auth_establish_spec.rb rename to spec/tools/miq_config_sssd_ldap/auth_establish_spec.rb index 186807f6e44..e45e81d75ee 100644 --- a/spec/tools/miqldap_to_sssd/auth_establish_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/auth_establish_spec.rb 
@@ -1,8 +1,8 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd" +require "miq_config_sssd_ldap" -describe MiqLdapToSssd::AuthEstablish do +describe MiqConfigSssdLdap::AuthEstablish do describe '#run_auth_establish' do before do @initial_settings = {:mode => "bob", :ldaphost => ["hostname"], :ldapport => 22} @@ -22,10 +22,10 @@ end it 'handles authconfig failures' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal) expect(AwesomeSpawn).to receive(:run) .and_return(double(:command_line => "authselect", :failure? => true, :error => "malfunction")) - expect { @auth_establish.run_auth_establish }.to raise_error(MiqLdapToSssd::AuthEstablishError) + expect { @auth_establish.run_auth_establish }.to raise_error(MiqConfigSssdLdap::AuthEstablishError) end end @@ -53,10 +53,10 @@ end it 'handles authconfig failures' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal) expect(AwesomeSpawn).to receive(:run) .and_return(double(:command_line => "authconfig", :failure? => true, :error => "malfunction")) - expect { @auth_establish.run_auth_establish }.to raise_error(MiqLdapToSssd::AuthEstablishError) + expect { @auth_establish.run_auth_establish }.to raise_error(MiqConfigSssdLdap::AuthEstablishError) end end end diff --git a/spec/tools/miqldap_to_sssd/cli_config_spec.rb b/spec/tools/miq_config_sssd_ldap/cli_config_spec.rb similarity index 97% rename from spec/tools/miqldap_to_sssd/cli_config_spec.rb rename to spec/tools/miq_config_sssd_ldap/cli_config_spec.rb index 250b3561cae..ffe39ae9504 100644 --- a/spec/tools/miqldap_to_sssd/cli_config_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/cli_config_spec.rb 
@@ -1,8 +1,8 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd/cli_config" +require "miq_config_sssd_ldap/cli_config" -describe MiqLdapToSssd::CliConfig do +describe MiqConfigSssdLdap::CliConfig do before do @all_opts = :tls_cacert, :tls_cacertdir, :domain, :ldaphost, :ldapport, :user_type, :user_suffix, :mode, :bind_dn, :bind_pwd, :only_change_userids, :skip_post_conversion_userid_change diff --git a/spec/tools/miqldap_to_sssd/cli_convert_spec.rb b/spec/tools/miq_config_sssd_ldap/cli_convert_spec.rb similarity index 95% rename from spec/tools/miqldap_to_sssd/cli_convert_spec.rb rename to spec/tools/miq_config_sssd_ldap/cli_convert_spec.rb index d4611d1ac7c..3bea5aab73a 100644 --- a/spec/tools/miqldap_to_sssd/cli_convert_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/cli_convert_spec.rb @@ -1,8 +1,8 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd/cli_convert" +require "miq_config_sssd_ldap/cli_convert" -describe MiqLdapToSssd::CliConvert do +describe MiqConfigSssdLdap::CliConvert do before do @all_opts = :tls_cacert, :tls_cacertdir, :domain, :only_change_userids, :skip_post_conversion_userid_change stub_const("LOGGER", double) diff --git a/spec/tools/miqldap_to_sssd/configure_apache_spec.rb b/spec/tools/miq_config_sssd_ldap/configure_apache_spec.rb similarity index 87% rename from spec/tools/miqldap_to_sssd/configure_apache_spec.rb rename to spec/tools/miq_config_sssd_ldap/configure_apache_spec.rb index 9a06078e107..c0eaf393349 100644 --- a/spec/tools/miqldap_to_sssd/configure_apache_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/configure_apache_spec.rb @@ -1,11 +1,11 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd" +require "miq_config_sssd_ldap" require "tempfile" require "fileutils" require 'auth_template_files' -describe MiqLdapToSssd::ConfigureApache do +describe MiqConfigSssdLdap::ConfigureApache do before do @spec_name = File.basename(__FILE__).split(".rb").first.freeze end 
@@ -53,17 +53,17 @@ @test_dir = "#{Dir.tmpdir}/#{@spec_name}" @template_dir = "#{@test_dir}/TEMPLATE" - stub_const("MiqLdapToSssd::AuthTemplateFiles::TEMPLATE_DIR", @template_dir) + stub_const("MiqConfigSssdLdap::AuthTemplateFiles::TEMPLATE_DIR", @template_dir) @httpd_conf_dir = "#{@test_dir}/etc/httpd/conf.d" FileUtils.mkdir_p @httpd_conf_dir @httpd_template_dir = FileUtils.mkdir_p("#{@template_dir}/#{@httpd_conf_dir}")[0] - stub_const("MiqLdapToSssd::AuthTemplateFiles::HTTPD_CONF_DIR", @httpd_conf_dir) + stub_const("MiqConfigSssdLdap::AuthTemplateFiles::HTTPD_CONF_DIR", @httpd_conf_dir) @pam_conf_dir = "#{@test_dir}/etc/pam.d" FileUtils.mkdir_p @pam_conf_dir @pam_template_dir = FileUtils.mkdir_p("#{@template_dir}/#{@pam_conf_dir}")[0] - stub_const("MiqLdapToSssd::AuthTemplateFiles::PAM_CONF_DIR", @pam_conf_dir) + stub_const("MiqConfigSssdLdap::AuthTemplateFiles::PAM_CONF_DIR", @pam_conf_dir) File.open("#{@pam_template_dir}/httpd-auth", "w") { |f| f.write(manageiq_pam_conf) } File.open("#{@httpd_template_dir}/manageiq-remote-user.conf", "w") { |f| f.write(manageiq_remote_user_conf) } @@ -94,8 +94,8 @@ it 'raises an error when a TEMPLATE file is missing' do FileUtils.rm_f("#{@pam_template_dir}/httpd-auth") - expect(MiqLdapToSssd::LOGGER).to receive(:fatal) - expect { described_class.new(@initial_settings).configure }.to raise_error(MiqLdapToSssd::ConfigureApacheError) + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal) + expect { described_class.new(@initial_settings).configure }.to raise_error(MiqConfigSssdLdap::ConfigureApacheError) end end end diff --git a/spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb b/spec/tools/miq_config_sssd_ldap/configure_appliance_settings_spec.rb similarity index 93% rename from spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb rename to spec/tools/miq_config_sssd_ldap/configure_appliance_settings_spec.rb index 04469620602..8a9fc078e7b 100644 
--- a/spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/configure_appliance_settings_spec.rb @@ -1,8 +1,8 @@ -$LOAD_PATH << Rails.root.join("tools", "miqldap_to_sssd").to_s +$LOAD_PATH << Rails.root.join("tools", "miq_config_sssd_ldap").to_s require "configure_appliance_settings" -describe MiqLdapToSssd::ConfigureApplianceSettings do +describe MiqConfigSssdLdap::ConfigureApplianceSettings do before do stub_const("LOGGER", double) allow(LOGGER).to receive(:debug) diff --git a/spec/tools/miqldap_to_sssd/configure_selinux_spec.rb b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb similarity index 85% rename from spec/tools/miqldap_to_sssd/configure_selinux_spec.rb rename to spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb index 858b731edbb..610401ca4c8 100644 --- a/spec/tools/miqldap_to_sssd/configure_selinux_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb @@ -1,8 +1,8 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd" +require "miq_config_sssd_ldap" -describe MiqLdapToSssd::ConfigureSELinux do +describe MiqConfigSssdLdap::ConfigureSELinux do describe '#configure' do before do @initial_settings = {:ldapport => '22'} @@ -31,7 +31,7 @@ end it 'handles semanage already defined result' do - expect(MiqLdapToSssd::LOGGER).to_not receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to_not receive(:fatal) expect(AwesomeSpawn).to receive(:run).once .and_return(double(:command_line => "semanage", :failure? => true, :error => "malfunction already defined")) 
@@ -49,14 +49,14 @@ end it 'handles semanage failures' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal).with("semanage failed with: malfunction") + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal).with("semanage failed with: malfunction") expect(AwesomeSpawn).to receive(:run) .and_return(double(:command_line => "semanage", :failure? => true, :error => "malfunction")) - expect { described_class.new(@initial_settings).configure }.to raise_error(MiqLdapToSssd::ConfigureSELinuxError) + expect { described_class.new(@initial_settings).configure }.to raise_error(MiqConfigSssdLdap::ConfigureSELinuxError) end it 'handles setsebool failures' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal).with("setsebool failed with: malfunction") + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal).with("setsebool failed with: malfunction") expect(AwesomeSpawn).to receive(:run).once .with("semanage", :params => {nil => "port", @@ -67,7 +67,7 @@ expect(AwesomeSpawn).to receive(:run) .and_return(double(:command_line => "setsebool", :failure? => true, :error => "malfunction")) - expect { described_class.new(@initial_settings).configure }.to raise_error(MiqLdapToSssd::ConfigureSELinuxError) + expect { described_class.new(@initial_settings).configure }.to raise_error(MiqConfigSssdLdap::ConfigureSELinuxError) end end end diff --git a/spec/tools/miqldap_to_sssd/miqldap_configuration_spec.rb b/spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb similarity index 76% rename from spec/tools/miqldap_to_sssd/miqldap_configuration_spec.rb rename to spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb index b1a1a1a069d..bd2b0d53f5b 100644 --- a/spec/tools/miqldap_to_sssd/miqldap_configuration_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb 
@@ -1,37 +1,37 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd" +require "miq_config_sssd_ldap" -describe MiqLdapToSssd::MiqLdapConfiguration do +describe MiqConfigSssdLdap::MiqLdapConfiguration do describe '#retrieve_initial_settings' do let(:settings) { {:tls_cacert => 'cert', :domain => "example.com"} } it 'raises an error when the basedn domain can not be determined' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal) subject = described_class.new(settings.merge(:basedn => nil, :domain => nil)) - expect { subject.retrieve_initial_settings }.to raise_error(MiqLdapToSssd::MiqLdapConfigurationArgumentError) + expect { subject.retrieve_initial_settings }.to raise_error(MiqConfigSssdLdap::MiqLdapConfigurationArgumentError) end it 'when mode is ldap and bind dn is nil raises an error' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal) subject = described_class.new(settings.merge(:mode => 'ldap', :bind_pwd => nil)) - expect { subject.retrieve_initial_settings }.to raise_error(MiqLdapToSssd::MiqLdapConfigurationArgumentError) + expect { subject.retrieve_initial_settings }.to raise_error(MiqConfigSssdLdap::MiqLdapConfigurationArgumentError) end it 'when mode is ldaps and bind dn is nil does not raises an error' do - expect(MiqLdapToSssd::LOGGER).to_not receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to_not receive(:fatal) subject = described_class.new(settings.merge(:mode => 'ldaps', :bind_dn => nil)) expect { subject.retrieve_initial_settings }.to_not raise_error end it 'when mode is ldap and bind pwd is nil raises an error' do - expect(MiqLdapToSssd::LOGGER).to receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal) subject = described_class.new(settings.merge(:mode => 'ldap', :bind_pwd => nil)) - expect { subject.retrieve_initial_settings }.to raise_error(MiqLdapToSssd::MiqLdapConfigurationArgumentError) + 
expect { subject.retrieve_initial_settings }.to raise_error(MiqConfigSssdLdap::MiqLdapConfigurationArgumentError) end it 'when mode is ldaps and bind pwd is nil does not raises an error' do - expect(MiqLdapToSssd::LOGGER).to_not receive(:fatal) + expect(MiqConfigSssdLdap::LOGGER).to_not receive(:fatal) subject = described_class.new(settings.merge(:mode => 'ldaps', :bind_pwd => nil)) expect { subject.retrieve_initial_settings }.to_not raise_error end diff --git a/spec/tools/miqldap_to_sssd/sssd_conf_spec.rb b/spec/tools/miq_config_sssd_ldap/sssd_conf_spec.rb similarity index 87% rename from spec/tools/miqldap_to_sssd/sssd_conf_spec.rb rename to spec/tools/miq_config_sssd_ldap/sssd_conf_spec.rb index 3f7b37b5417..7b68a470310 100644 --- a/spec/tools/miqldap_to_sssd/sssd_conf_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/sssd_conf_spec.rb @@ -1,11 +1,11 @@ $LOAD_PATH << Rails.root.join("tools").to_s -require "miqldap_to_sssd" +require "miq_config_sssd_ldap" require "tempfile" require "fileutils" require "auth_template_files" -describe MiqLdapToSssd::SssdConf do +describe MiqConfigSssdLdap::SssdConf do before do @spec_name = File.basename(__FILE__).split(".rb").first.freeze end @@ -58,14 +58,14 @@ @test_dir = "#{Dir.tmpdir}/#{@spec_name}" @template_dir = "#{@test_dir}/TEMPLATE" - stub_const("MiqLdapToSssd::AuthTemplateFiles::TEMPLATE_DIR", @template_dir) + stub_const("MiqConfigSssdLdap::AuthTemplateFiles::TEMPLATE_DIR", @template_dir) @sssd_conf_dir = "#{@test_dir}/etc/sssd" @sssd_conf_file = "#{@sssd_conf_dir}/sssd.conf" FileUtils.mkdir_p @sssd_conf_dir @sssd_template_dir = FileUtils.mkdir_p("#{@template_dir}/#{@sssd_conf_dir}")[0] - stub_const("MiqLdapToSssd::AuthTemplateFiles::SSSD_CONF_DIR", @sssd_conf_dir) - stub_const("MiqLdapToSssd::SSSD_CONF_FILE", @sssd_conf_file) + stub_const("MiqConfigSssdLdap::AuthTemplateFiles::SSSD_CONF_DIR", @sssd_conf_dir) + stub_const("MiqConfigSssdLdap::SSSD_CONF_FILE", @sssd_conf_file) end after do 
diff --git a/tools/miqldap_to_sssd.rb b/tools/miq_config_sssd_ldap.rb similarity index 53% rename from tools/miqldap_to_sssd.rb rename to tools/miq_config_sssd_ldap.rb index 6cf5b425a56..0e53efb7a4c 100755 --- a/tools/miqldap_to_sssd.rb +++ b/tools/miq_config_sssd_ldap.rb @@ -1,17 +1,18 @@ #!/usr/bin/env ruby -# usage: ruby miqldap_to_sssd -h +# usage: ruby miq_config_sssd_ldap -h # # upgrades authentication mode from LDAP(s) to External Auth with SSSD # Alternatively, it will update all user records to have a userid in UPN format $LOAD_PATH.push(File.expand_path(__dir__)) -$LOAD_PATH.push(File.expand_path(File.join(__dir__, %w[miqldap_to_sssd]))) +$LOAD_PATH.push(File.expand_path(File.join(__dir__, %w[miq_config_sssd_ldap]))) require File.expand_path('../config/environment', __dir__) require 'auth_establish' -require 'cli' +require 'cli_config' +require 'cli_convert' require 'configure_apache' require 'configure_appliance_settings' require 'configure_database' @@ -22,12 +23,23 @@ require 'services' require 'sssd_conf' -module MiqLdapToSssd - LOGGER = Logger.new('log/miqldap_to_sssd.log') +module MiqConfigSssdLdap + LOGGER = Logger.new('log/miq_config_sssd_ldap.log') LOGGER.formatter = proc do |severity, time, _progname, msg| "[#{time}] #{severity}: #{msg}\n" end - MiqLdapToSssd::Cli.run(ARGV) if $PROGRAM_NAME == __FILE__ + if $PROGRAM_NAME == __FILE__ + action = ARGV.nil? ? "convert" : ARGV.shift + + case action + when "convert" + MiqConfigSssdLdap::CliConvert.run(ARGV) + when "config" + MiqConfigSssdLdap::CliConfig.run(ARGV) + else + raise ArgumentError, "The first argument must be \"convert\" or \"config\"" + end + end end diff --git a/tools/miqldap_to_sssd/auth_establish.rb b/tools/miq_config_sssd_ldap/auth_establish.rb similarity index 98% rename from tools/miqldap_to_sssd/auth_establish.rb rename to tools/miq_config_sssd_ldap/auth_establish.rb index 6a651e522f1..c08740c7503 100644 --- a/tools/miqldap_to_sssd/auth_establish.rb 
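Review bot: `ARGV.nil?` can never be true (ARGV is always an Array), so running the script with no arguments does not default to "convert" as the ternary intends; it falls through `ARGV.shift` returning nil to the `else` branch and dies with an `ArgumentError` backtrace, and the same bare `raise` is kept by the PATCH 6/9 hunk that drops the ternary. The header comment in the first hunk still advertises `# usage: ruby miq_config_sssd_ldap -h`, yet `-h` as the first argument now also lands in `else`, so the usage path no longer works as documented. Treating the missing/help case explicitly, e.g. `when nil, "-h", "--help" then abort("usage: ruby miq_config_sssd_ldap {convert|config} [options]")`, and replacing the `raise` with `abort("The first argument must be \"convert\" or \"config\"")` gives operators a usage line instead of a stack trace; the per-subcommand `-h` presumably still reaches the optimist parser via `CliConvert.run`/`CliConfig.run`, which is worth stating in the comment.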
+++ b/tools/miq_config_sssd_ldap/auth_establish.rb @@ -1,7 +1,7 @@ require 'awesome_spawn' require 'miqldap_configuration' -module MiqLdapToSssd +module MiqConfigSssdLdap class AuthEstablishError < StandardError; end class AuthEstablish diff --git a/tools/miqldap_to_sssd/auth_template_files.rb b/tools/miq_config_sssd_ldap/auth_template_files.rb similarity index 96% rename from tools/miqldap_to_sssd/auth_template_files.rb rename to tools/miq_config_sssd_ldap/auth_template_files.rb index 014fc24cd8e..9fa9ef6b059 100644 --- a/tools/miqldap_to_sssd/auth_template_files.rb +++ b/tools/miq_config_sssd_ldap/auth_template_files.rb @@ -1,6 +1,6 @@ require 'fileutils' -module MiqLdapToSssd +module MiqConfigSssdLdap class AuthTemplateFilesError < StandardError; end class AuthTemplateFiles diff --git a/tools/miqldap_to_sssd/cli.rb b/tools/miq_config_sssd_ldap/cli.rb similarity index 92% rename from tools/miqldap_to_sssd/cli.rb rename to tools/miq_config_sssd_ldap/cli.rb index cde3e29e19b..95d6bcc05f2 100644 --- a/tools/miqldap_to_sssd/cli.rb +++ b/tools/miq_config_sssd_ldap/cli.rb @@ -1,6 +1,6 @@ require 'optimist' -module MiqLdapToSssd +module MiqConfigSssdLdap class CliError < StandardError; end class Cli diff --git a/tools/miqldap_to_sssd/cli_config.rb b/tools/miq_config_sssd_ldap/cli_config.rb similarity index 96% rename from tools/miqldap_to_sssd/cli_config.rb rename to tools/miq_config_sssd_ldap/cli_config.rb index 64c928bf02c..6a7ce09c3f6 100644 --- a/tools/miqldap_to_sssd/cli_config.rb +++ b/tools/miq_config_sssd_ldap/cli_config.rb @@ -1,7 +1,7 @@ require 'optimist' -require 'miqldap_to_sssd/cli' +require 'miq_config_sssd_ldap/cli' -module MiqLdapToSssd +module MiqConfigSssdLdap VALID_USER_TYPES = %w[dn-cn dn-uid userprincipalname mail samaccountname].freeze class CliConfig < Cli 
@@ -79,7 +79,7 @@ def parse(args) :required => false opt :skip_post_conversion_userid_change, - "Do the MiqLdap to SSSD conversion but skip the normalizing of the userids", + "Do the SSSD configuration but skip the normalizing of the userids", :short => "s", :default => false, :type => :flag, diff --git a/tools/miqldap_to_sssd/cli_convert.rb b/tools/miq_config_sssd_ldap/cli_convert.rb similarity index 96% rename from tools/miqldap_to_sssd/cli_convert.rb rename to tools/miq_config_sssd_ldap/cli_convert.rb index 34222a025fd..3398dfaf0f2 100644 --- a/tools/miqldap_to_sssd/cli_convert.rb +++ b/tools/miq_config_sssd_ldap/cli_convert.rb @@ -1,7 +1,7 @@ require 'optimist' -require 'miqldap_to_sssd/cli' +require 'miq_config_sssd_ldap/cli' -module MiqLdapToSssd +module MiqConfigSssdLdap class CliConvert < Cli def parse(args) args.shift if args.first == "--" # Handle when called through script/runner diff --git a/tools/miqldap_to_sssd/configure_apache.rb b/tools/miq_config_sssd_ldap/configure_apache.rb similarity index 98% rename from tools/miqldap_to_sssd/configure_apache.rb rename to tools/miq_config_sssd_ldap/configure_apache.rb index cbdabab940b..b28c728d42e 100644 --- a/tools/miqldap_to_sssd/configure_apache.rb +++ b/tools/miq_config_sssd_ldap/configure_apache.rb @@ -1,11 +1,10 @@ require 'fileutils' require 'auth_template_files' -module MiqLdapToSssd +module MiqConfigSssdLdap class ConfigureApacheError < StandardError; end class ConfigureApache < AuthTemplateFiles - def configure LOGGER.debug("Invoked #{self.class}\##{__method__} template_dir #{template_dir}") create_files diff --git a/tools/miqldap_to_sssd/configure_appliance_settings.rb b/tools/miq_config_sssd_ldap/configure_appliance_settings.rb similarity index 97% rename from tools/miqldap_to_sssd/configure_appliance_settings.rb rename to tools/miq_config_sssd_ldap/configure_appliance_settings.rb index 325b905e234..422bb4ec32c 100644 --- a/tools/miqldap_to_sssd/configure_appliance_settings.rb 
+++ b/tools/miq_config_sssd_ldap/configure_appliance_settings.rb @@ -1,6 +1,6 @@ require 'fileutils' -module MiqLdapToSssd +module MiqConfigSssdLdap class ConfigureApplianceSettingsError < StandardError; end class ConfigureApplianceSettings diff --git a/tools/miqldap_to_sssd/configure_database.rb b/tools/miq_config_sssd_ldap/configure_database.rb similarity index 68% rename from tools/miqldap_to_sssd/configure_database.rb rename to tools/miq_config_sssd_ldap/configure_database.rb index a926ccccf82..8dc63c08903 100644 --- a/tools/miqldap_to_sssd/configure_database.rb +++ b/tools/miq_config_sssd_ldap/configure_database.rb @@ -1,8 +1,8 @@ require 'fileutils' require 'inifile' -module MiqLdapToSssd - CHANGE_MODES = %w(httpd ldaps ldap).freeze +module MiqConfigSssdLdap + CHANGE_MODES = %w[httpd ldaps ldap].freeze class ConfigureDatabaseError < StandardError; end @@ -22,7 +22,7 @@ def change_userids_to_upn return unless CHANGE_MODES.include?(Settings.authentication.to_hash[:mode]) User.all.map do |u| - next if %w(consumption_admin admin).include?(u.userid) + next if %w[consumption_admin admin].include?(u.userid) LOGGER.debug("Updating userid #{u.userid}") save_new_or_delete_duplicate_userid(update_the_userid(u)) 
@@ -31,30 +31,30 @@ def change_userids_to_upn private - def update_the_userid(u) - if u.userid.include?(",") + def update_the_userid(user) + if user.userid.include?(",") LOGGER.debug("userid was generated from an MiqLdap login using OpenLdap.") - u.userid = dn_to_upn(u.userid) - elsif u.userid.include?("@") + user.userid = dn_to_upn(user.userid) + elsif user.userid.include?("@") LOGGER.debug("userid was Generated from an MiqLdap login using Active Directory") - u.userid = u.userid.downcase + user.userid = user.userid.downcase else LOGGER.debug("userid was generated from an SSSD login") - u.userid = "#{u.userid}@#{sssd_domain}".downcase + user.userid = "#{user.userid}@#{sssd_domain}".downcase end - LOGGER.debug("The updated user name is #{u.userid}") - u + LOGGER.debug("The updated user name is #{user.userid}") + user end - def save_new_or_delete_duplicate_userid(u) - LOGGER.debug("Invoked #{self.class}\##{__method__} userid #{u.userid}") - check_duplicate_u = find_user(u.userid) - if check_duplicate_u.nil? || check_duplicate_u.id == u.id - LOGGER.debug("Saving userid #{u.userid}") - u.save + def save_new_or_delete_duplicate_userid(user) + LOGGER.debug("Invoked #{self.class}\##{__method__} userid #{user.userid}") + check_duplicate_u = find_user(user.userid) + if check_duplicate_u.nil? || check_duplicate_u.id == user.id + LOGGER.debug("Saving userid #{user.userid}") + user.save else - LOGGER.debug("Deleting this user, duplicate found #{u.id}") - u.delete + LOGGER.debug("Deleting this user, duplicate found #{user.id}") + user.delete end end diff --git a/tools/miqldap_to_sssd/configure_selinux.rb b/tools/miq_config_sssd_ldap/configure_selinux.rb similarity index 95% rename from tools/miqldap_to_sssd/configure_selinux.rb rename to tools/miq_config_sssd_ldap/configure_selinux.rb index 958e4091688..563bae5f40d 100644 --- a/tools/miqldap_to_sssd/configure_selinux.rb +++ b/tools/miq_config_sssd_ldap/configure_selinux.rb 
@@ -1,6 +1,6 @@ require 'awesome_spawn' -module MiqLdapToSssd +module MiqConfigSssdLdap class ConfigureSELinuxError < StandardError; end class ConfigureSELinux @@ -21,7 +21,7 @@ def configure def enable_non_standard_ldap_port(port_number) LOGGER.debug("Invoked #{self.class}\##{__method__}(#{port_number})") - return if %w(389 636).include?(port_number) + return if %w[389 636].include?(port_number) params = { nil => "port", diff --git a/tools/miqldap_to_sssd/configure_sssd_rules.rb b/tools/miq_config_sssd_ldap/configure_sssd_rules.rb similarity index 96% rename from tools/miqldap_to_sssd/configure_sssd_rules.rb rename to tools/miq_config_sssd_ldap/configure_sssd_rules.rb index c249a210ba9..9776fc5eb55 100644 --- a/tools/miqldap_to_sssd/configure_sssd_rules.rb +++ b/tools/miq_config_sssd_ldap/configure_sssd_rules.rb @@ -1,6 +1,6 @@ require 'fileutils' -module MiqLdapToSssd +module MiqConfigSssdLdap class ConfigureSssdRulesError < StandardError; end class ConfigureSssdRules diff --git a/tools/miqldap_to_sssd/converter.rb b/tools/miq_config_sssd_ldap/converter.rb similarity index 98% rename from tools/miqldap_to_sssd/converter.rb rename to tools/miq_config_sssd_ldap/converter.rb index 527116f9124..5a7e9e68e8a 100644 --- a/tools/miqldap_to_sssd/converter.rb +++ b/tools/miq_config_sssd_ldap/converter.rb @@ -1,4 +1,4 @@ -module MiqLdapToSssd +module MiqConfigSssdLdap SSSD_CONF_FILE = "/etc/sssd/sssd.conf".freeze SSSD_ALREADY_CONFIGURED = "ERROR: #{SSSD_CONF_FILE} already exists. No changes will be made. Exiting".freeze diff --git a/tools/miqldap_to_sssd/miqldap_configuration.rb b/tools/miq_config_sssd_ldap/miqldap_configuration.rb similarity index 99% rename from tools/miqldap_to_sssd/miqldap_configuration.rb rename to tools/miq_config_sssd_ldap/miqldap_configuration.rb index 0280bad7db7..058e9ce5607 100644 --- a/tools/miqldap_to_sssd/miqldap_configuration.rb +++ b/tools/miq_config_sssd_ldap/miqldap_configuration.rb 
@@ -1,4 +1,4 @@ -module MiqLdapToSssd +module MiqConfigSssdLdap class MiqLdapConfigurationArgumentError < StandardError; end class MiqLdapConfiguration diff --git a/tools/miqldap_to_sssd/services.rb b/tools/miq_config_sssd_ldap/services.rb similarity index 96% rename from tools/miqldap_to_sssd/services.rb rename to tools/miq_config_sssd_ldap/services.rb index 674156443ba..da64689dcda 100644 --- a/tools/miqldap_to_sssd/services.rb +++ b/tools/miq_config_sssd_ldap/services.rb @@ -1,6 +1,6 @@ require 'linux_admin' -module MiqLdapToSssd +module MiqConfigSssdLdap class Services def self.restart LOGGER.debug("Invoked #{self.class}\##{__method__}") diff --git a/tools/miqldap_to_sssd/sssd_conf.rb b/tools/miq_config_sssd_ldap/sssd_conf.rb similarity index 98% rename from tools/miqldap_to_sssd/sssd_conf.rb rename to tools/miq_config_sssd_ldap/sssd_conf.rb index e3ffc829192..67809652bd2 100644 --- a/tools/miqldap_to_sssd/sssd_conf.rb +++ b/tools/miq_config_sssd_ldap/sssd_conf.rb @@ -7,7 +7,7 @@ require 'sssd_conf/sssd' require 'auth_template_files' -module MiqLdapToSssd +module MiqConfigSssdLdap class SssdConfError < StandardError; end class SssdConf < AuthTemplateFiles diff --git a/tools/miqldap_to_sssd/sssd_conf/common.rb b/tools/miq_config_sssd_ldap/sssd_conf/common.rb similarity index 89% rename from tools/miqldap_to_sssd/sssd_conf/common.rb rename to tools/miq_config_sssd_ldap/sssd_conf/common.rb index 5703d7633ca..8447584c100 100644 --- a/tools/miqldap_to_sssd/sssd_conf/common.rb +++ b/tools/miq_config_sssd_ldap/sssd_conf/common.rb @@ -1,8 +1,8 @@ require 'miqldap_configuration' -module MiqLdapToSssd +module MiqConfigSssdLdap class Common - USER_ATTRS = %w(mail givenname sn displayname domainname).freeze + USER_ATTRS = %w[mail givenname sn displayname domainname].freeze attr_reader :initial_settings, :installation_specific_fields 
diff --git a/tools/miqldap_to_sssd/sssd_conf/domain.rb b/tools/miq_config_sssd_ldap/sssd_conf/domain.rb similarity index 96% rename from tools/miqldap_to_sssd/sssd_conf/domain.rb rename to tools/miq_config_sssd_ldap/sssd_conf/domain.rb index f18ade06a58..e10236ec7fc 100644 --- a/tools/miqldap_to_sssd/sssd_conf/domain.rb +++ b/tools/miq_config_sssd_ldap/sssd_conf/domain.rb @@ -1,6 +1,6 @@ require 'sssd_conf/common' -module MiqLdapToSssd +module MiqConfigSssdLdap class DomainError < StandardError; end class Domain < Common @@ -9,7 +9,7 @@ class Domain < Common def initialize(initial_settings) self.active_directory = determine_if_active_directory_configured(initial_settings) - super(%w(entry_cache_timeout + super(%w[entry_cache_timeout ldap_auth_disable_tls_never_use_in_production ldap_default_bind_dn ldap_default_authtok @@ -28,7 +28,7 @@ def initialize(initial_settings) ldap_user_name ldap_user_object_class ldap_user_search_base - ldap_user_uid_number), initial_settings) + ldap_user_uid_number], initial_settings) end def entry_cache_timeout diff --git a/tools/miqldap_to_sssd/sssd_conf/ifp.rb b/tools/miq_config_sssd_ldap/sssd_conf/ifp.rb similarity index 73% rename from tools/miqldap_to_sssd/sssd_conf/ifp.rb rename to tools/miq_config_sssd_ldap/sssd_conf/ifp.rb index d285517a14e..5b0dbdb58a2 100644 --- a/tools/miqldap_to_sssd/sssd_conf/ifp.rb +++ b/tools/miq_config_sssd_ldap/sssd_conf/ifp.rb @@ -1,9 +1,9 @@ require 'sssd_conf/common' -module MiqLdapToSssd +module MiqConfigSssdLdap class Ifp < Common def initialize(initial_settings) - super(%w(allowed_uids user_attributes), initial_settings) + super(%w[allowed_uids user_attributes], initial_settings) end def allowed_uids diff --git a/tools/miqldap_to_sssd/sssd_conf/pam.rb b/tools/miq_config_sssd_ldap/sssd_conf/pam.rb similarity index 67% rename from tools/miqldap_to_sssd/sssd_conf/pam.rb rename to tools/miq_config_sssd_ldap/sssd_conf/pam.rb index 736e166abd1..9a93a15285b 100644 
--- a/tools/miqldap_to_sssd/sssd_conf/pam.rb +++ b/tools/miq_config_sssd_ldap/sssd_conf/pam.rb @@ -1,9 +1,9 @@ require 'sssd_conf/common' -module MiqLdapToSssd +module MiqConfigSssdLdap class Pam < Common def initialize(initial_settings) - super(%w(pam_app_services), initial_settings) + super(%w[pam_app_services], initial_settings) end def pam_app_services diff --git a/tools/miqldap_to_sssd/sssd_conf/sssd.rb b/tools/miq_config_sssd_ldap/sssd_conf/sssd.rb similarity index 81% rename from tools/miqldap_to_sssd/sssd_conf/sssd.rb rename to tools/miq_config_sssd_ldap/sssd_conf/sssd.rb index 250e8c8271d..62d61ca5620 100644 --- a/tools/miqldap_to_sssd/sssd_conf/sssd.rb +++ b/tools/miq_config_sssd_ldap/sssd_conf/sssd.rb @@ -1,13 +1,13 @@ require 'sssd_conf/common' -module MiqLdapToSssd +module MiqConfigSssdLdap class Sssd < Common def initialize(initial_settings) - super(%w(config_file_version + super(%w[config_file_version default_domain_suffix domains sbus_timeout - services), initial_settings) + services], initial_settings) end def config_file_version From 6f5b0bd9657ecea9cd55587c11b40d129c6f07b4 Mon Sep 17 00:00:00 2001 From: Joe VLcek Date: Fri, 30 Aug 2019 09:12:37 -0400 Subject: [PATCH 3/9] Address rubocop warnings --- .../configure_selinux_spec.rb | 52 ++++++++++--------- .../miq_config_sssd_ldap/sssd_conf/domain.rb | 2 +- 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb index 610401ca4c8..b97075264a2 100644 --- a/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb 
@@ -10,22 +10,22 @@ it 'invokes semanage and setsebool with valid parameters' do expect(AwesomeSpawn).to receive(:run).once - .with("semanage", - :params => {nil => "port", - :a => nil, - :t => "ldap_port_t", - :p => %w(tcp 22)}) - .and_return(double(:command_line => "semanage", :failure? => false)) + .with("semanage", + :params => {nil => "port", + :a => nil, + :t => "ldap_port_t", + :p => %w[tcp 22]}) + .and_return(double(:command_line => "semanage", :failure? => false)) expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w(allow_httpd_mod_auth_pam on)}) - .and_return(double(:command_line => "semanage", :failure? => false)) + .with("setsebool", + :params => {:P=>%w[allow_httpd_mod_auth_pam on]}) + .and_return(double(:command_line => "semanage", :failure? => false)) expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w(httpd_dbus_sssd on)}) - .and_return(double(:command_line => "semanage", :failure? => false)) + .with("setsebool", + :params => {:P=>%w[httpd_dbus_sssd on]}) + .and_return(double(:command_line => "semanage", :failure? => false)) expect { described_class.new(@initial_settings).configure }.to_not raise_error end 
@@ -33,17 +33,19 @@ it 'handles semanage already defined result' do expect(MiqConfigSssdLdap::LOGGER).to_not receive(:fatal) expect(AwesomeSpawn).to receive(:run).once - .and_return(double(:command_line => "semanage", :failure? => true, :error => "malfunction already defined")) + .and_return(double(:command_line => "semanage", + :failure? => true, + :error => "malfunction already defined")) expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w(allow_httpd_mod_auth_pam on)}) - .and_return(double(:command_line => "semanage", :failure? => false)) + .with("setsebool", + :params => {:P=>%w[allow_httpd_mod_auth_pam on]}) + .and_return(double(:command_line => "semanage", :failure? => false)) expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w(httpd_dbus_sssd on)}) - .and_return(double(:command_line => "semanage", :failure? => false)) + .with("setsebool", + :params => {:P=>%w[httpd_dbus_sssd on]}) + .and_return(double(:command_line => "semanage", :failure? => false)) expect { described_class.new(@initial_settings).configure }.to_not raise_error end @@ -58,12 +60,12 @@ it 'handles setsebool failures' do expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal).with("setsebool failed with: malfunction") expect(AwesomeSpawn).to receive(:run).once - .with("semanage", - :params => {nil => "port", - :a => nil, - :t => "ldap_port_t", - :p => %w(tcp 22)}) - .and_return(double(:command_line => "semanage", :failure? => false)) + .with("semanage", + :params => {nil => "port", + :a => nil, + :t => "ldap_port_t", + :p => %w[tcp 22]}) + .and_return(double(:command_line => "semanage", :failure? => false)) expect(AwesomeSpawn).to receive(:run) .and_return(double(:command_line => "setsebool", :failure? => true, :error => "malfunction")) diff --git a/tools/miq_config_sssd_ldap/sssd_conf/domain.rb b/tools/miq_config_sssd_ldap/sssd_conf/domain.rb index e10236ec7fc..3af23928790 100644 
--- a/tools/miq_config_sssd_ldap/sssd_conf/domain.rb
+++ b/tools/miq_config_sssd_ldap/sssd_conf/domain.rb
@@ -36,7 +36,7 @@ def entry_cache_timeout
 end

 def ldap_auth_disable_tls_never_use_in_production
- initial_settings[:mode] == "ldaps" ? false : true
+ initial_settings[:mode] != "ldaps"
 end

 def ldap_default_bind_dn
From 678da75c3d129decf7d4a910cf08ae2e7c8b73ed Mon Sep 17 00:00:00 2001
From: Joe VLcek
Date: Fri, 30 Aug 2019 11:33:28 -0400
Subject: [PATCH 4/9] Streamline source to address rubocop warnings
---
 .../configure_selinux_spec.rb | 54 +++++-------------
 1 file changed, 12 insertions(+), 42 deletions(-)
diff --git a/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb
index b97075264a2..b4036f192c0 100644
--- a/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb
+++ b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb
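Review bot: `initial_settings[:mode] != "ldaps"` answers true — i.e. emits the SSSD option that disables TLS enforcement — for every value other than the exact string "ldaps", including a nil or misspelled mode, so an unexpected or missing setting fails open on a security-relevant knob. The behaviour is identical to the removed ternary, so this is pre-existing, but the cleanup is the natural moment to make the intent positive: `initial_settings[:mode] == "ldap"`, so that only an explicitly plaintext configuration disables TLS and anything else keeps SSSD's default. If modes other than ldap/ldaps can legitimately reach this class (CHANGE_MODES elsewhere in the tool also lists httpd), a one-line comment stating which modes are expected here would help the next reader.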
@@ -6,66 +6,36 @@ describe '#configure' do before do @initial_settings = {:ldapport => '22'} + @success = double(:command_line => "semanage", :failure? => false) + @semanage_params = {nil => "port", :a => nil, :t => "ldap_port_t", :p => %w[tcp 22]} + @failure_1 = double(:command_line => "semanage", :failure? => true, :error => "malfunction already defined") + @failure_2 = double(:command_line => "semanage", :failure? => true, :error => "malfunction") end it 'invokes semanage and setsebool with valid parameters' do - expect(AwesomeSpawn).to receive(:run).once - .with("semanage", - :params => {nil => "port", - :a => nil, - :t => "ldap_port_t", - :p => %w[tcp 22]}) - .and_return(double(:command_line => "semanage", :failure? => false)) - - expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w[allow_httpd_mod_auth_pam on]}) - .and_return(double(:command_line => "semanage", :failure? => false)) - - expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w[httpd_dbus_sssd on]}) - .and_return(double(:command_line => "semanage", :failure? => false)) - + expect(AwesomeSpawn).to receive(:run).once.with("semanage", :params => @semanage_params).and_return(@success) + expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[allow_httpd_mod_auth_pam on]}).and_return(@success) + expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[httpd_dbus_sssd on]}).and_return(@success) expect { described_class.new(@initial_settings).configure }.to_not raise_error end it 'handles semanage already defined result' do expect(MiqConfigSssdLdap::LOGGER).to_not receive(:fatal) - expect(AwesomeSpawn).to receive(:run).once - .and_return(double(:command_line => "semanage", - :failure? 
=> true, - :error => "malfunction already defined")) - - expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w[allow_httpd_mod_auth_pam on]}) - .and_return(double(:command_line => "semanage", :failure? => false)) - - expect(AwesomeSpawn).to receive(:run).once - .with("setsebool", - :params => {:P=>%w[httpd_dbus_sssd on]}) - .and_return(double(:command_line => "semanage", :failure? => false)) - + expect(AwesomeSpawn).to receive(:run).once.and_return(@failure_1) + expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[allow_httpd_mod_auth_pam on]}).and_return(@success) + expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[httpd_dbus_sssd on]}).and_return(@success) expect { described_class.new(@initial_settings).configure }.to_not raise_error end it 'handles semanage failures' do expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal).with("semanage failed with: malfunction") - expect(AwesomeSpawn).to receive(:run) - .and_return(double(:command_line => "semanage", :failure? => true, :error => "malfunction")) + expect(AwesomeSpawn).to receive(:run).and_return(@failure_2) expect { described_class.new(@initial_settings).configure }.to raise_error(MiqConfigSssdLdap::ConfigureSELinuxError) end it 'handles setsebool failures' do expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal).with("setsebool failed with: malfunction") - expect(AwesomeSpawn).to receive(:run).once - .with("semanage", - :params => {nil => "port", - :a => nil, - :t => "ldap_port_t", - :p => %w[tcp 22]}) - .and_return(double(:command_line => "semanage", :failure? => false)) + expect(AwesomeSpawn).to receive(:run).once.with("semanage", :params => @semanage_params).and_return(@success) expect(AwesomeSpawn).to receive(:run) .and_return(double(:command_line => "setsebool", :failure? => true, :error => "malfunction")) From 522dcabd0b7d9eb750428d5e99cdc648155b8603 Mon Sep 17 00:00:00 2001 
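Review bot: The consolidated one-liners such as `expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[allow_httpd_mod_auth_pam on]}).and_return(@success)` run well past the usual 120-column limit and keep `{:P=>...}` without spaces around `=>`, which sits oddly in a commit whose purpose is to clear rubocop warnings. Hoisting the two setsebool hashes into `before` next to `@semanage_params`, e.g. `@pam_params = {:P => %w[allow_httpd_mod_auth_pam on]}` and `@dbus_params = {:P => %w[httpd_dbus_sssd on]}`, keeps each expectation on one readable line. The "already defined" example also stubs the first `run` with `.and_return(@failure_1)` and no `.with(...)`, so it no longer pins which command received the failure; adding `.with("semanage", :params => @semanage_params)` there costs nothing now that the hash is shared.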
From: Joe VLcek Date: Fri, 30 Aug 2019 12:06:52 -0400 Subject: [PATCH 5/9] Avoid Kernel#open and add spec to support this change --- .../configure_selinux_spec.rb | 8 ++--- .../configure_sssd_rules.rb | 34 +++++++++++++++++++ .../configure_sssd_rules.rb | 2 +- 3 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 spec/tools/miq_config_sssd_ldap/configure_sssd_rules.rb diff --git a/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb index b4036f192c0..2cc6140ab13 100644 --- a/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/configure_selinux_spec.rb @@ -8,8 +8,8 @@ @initial_settings = {:ldapport => '22'} @success = double(:command_line => "semanage", :failure? => false) @semanage_params = {nil => "port", :a => nil, :t => "ldap_port_t", :p => %w[tcp 22]} - @failure_1 = double(:command_line => "semanage", :failure? => true, :error => "malfunction already defined") - @failure_2 = double(:command_line => "semanage", :failure? => true, :error => "malfunction") + @failure1 = double(:command_line => "semanage", :failure? => true, :error => "malfunction already defined") + @failure2 = double(:command_line => "semanage", :failure? => true, :error => "malfunction") end it 'invokes semanage and setsebool with valid parameters' do @@ -21,7 +21,7 @@ it 'handles semanage already defined result' do expect(MiqConfigSssdLdap::LOGGER).to_not receive(:fatal) - expect(AwesomeSpawn).to receive(:run).once.and_return(@failure_1) + expect(AwesomeSpawn).to receive(:run).once.and_return(@failure1) expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[allow_httpd_mod_auth_pam on]}).and_return(@success) expect(AwesomeSpawn).to receive(:run).once.with("setsebool", :params => {:P=>%w[httpd_dbus_sssd on]}).and_return(@success) expect { described_class.new(@initial_settings).configure }.to_not raise_error 
@@ -29,7 +29,7 @@ it 'handles semanage failures' do expect(MiqConfigSssdLdap::LOGGER).to receive(:fatal).with("semanage failed with: malfunction") - expect(AwesomeSpawn).to receive(:run).and_return(@failure_2) + expect(AwesomeSpawn).to receive(:run).and_return(@failure2) expect { described_class.new(@initial_settings).configure }.to raise_error(MiqConfigSssdLdap::ConfigureSELinuxError) end diff --git a/spec/tools/miq_config_sssd_ldap/configure_sssd_rules.rb b/spec/tools/miq_config_sssd_ldap/configure_sssd_rules.rb new file mode 100644 index 00000000000..90c27ecda71 --- /dev/null +++ b/spec/tools/miq_config_sssd_ldap/configure_sssd_rules.rb @@ -0,0 +1,34 @@ +$LOAD_PATH << Rails.root.join("tools").to_s + +require "miq_config_sssd_ldap" +require "tempfile" +require "fileutils" +require 'auth_template_files' + +describe MiqConfigSssdLdap::ConfigureSssdRules do + before do + @spec_name = File.basename(__FILE__).split(".rb").first.freeze + end + + describe '#disable_tls' do + let(:disable_tls_conf) do + <<-CFG_RULES_CONF.strip_heredoc + option = ldap_auth_disable_tls_never_use_in_production + CFG_RULES_CONF + end + + before do + @test_dir = "#{Dir.tmpdir}/#{@spec_name}" + stub_const("MiqConfigSssdLdap::ConfigureSssdRules::CFG_RULES_FILE", @test_dir) + end + + after do + FileUtils.rm_rf(@test_dir) + end + + it 'appends the disable tls option to the sssd config file' do + described_class.disable_tls + expect(File.read(@test_dir)).to eq(disable_tls_conf) + end + end +end diff --git a/tools/miq_config_sssd_ldap/configure_sssd_rules.rb b/tools/miq_config_sssd_ldap/configure_sssd_rules.rb index 9776fc5eb55..fbf66b7ca04 100644 --- a/tools/miq_config_sssd_ldap/configure_sssd_rules.rb +++ b/tools/miq_config_sssd_ldap/configure_sssd_rules.rb @@ -14,7 +14,7 @@ def self.disable_tls LOGGER.warn(message) begin - open(CFG_RULES_FILE, 'a') do |f| + File.open(CFG_RULES_FILE, 'a') do |f| f << "option = ldap_auth_disable_tls_never_use_in_production\n" end rescue Errno::ENOENT => err 
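Review bot: In the new configure_sssd_rules spec `@test_dir` is a fixed path under `Dir.tmpdir` derived only from the file name, so a leftover file from an aborted run (cleanup lives in `after`) or two concurrent runs would share one file and the `eq(disable_tls_conf)` assertion would see duplicate appended lines. `tempfile`, which the spec already requires, pulls in `tmpdir`, so a per-run directory is available: `@test_dir = Dir.mktmpdir(@spec_name)` and `stub_const("MiqConfigSssdLdap::ConfigureSssdRules::CFG_RULES_FILE", File.join(@test_dir, "cfg_rules"))`, with `FileUtils.rm_rf(@test_dir)` left as is.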
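Review bot: The `File.open(CFG_RULES_FILE, 'a')` block appends the `ldap_auth_disable_tls_never_use_in_production` line on every call, so if `disable_tls` can be invoked more than once (the method starts outside the hunk, so I cannot see a guard) the rules file accumulates duplicate options. A one-line guard before the `begin` keeps the file idempotent: `return if File.exist?(CFG_RULES_FILE) && File.readlines(CFG_RULES_FILE).include?("option = ldap_auth_disable_tls_never_use_in_production\n")`. The spec added in this patch only exercises a single call, so it would not catch the repeat.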
From 4b75c3c6539bbff132186cae457544d2c15a9f4a Mon Sep 17 00:00:00 2001 From: Joe VLcek Date: Wed, 9 Oct 2019 13:18:12 -0400 Subject: [PATCH 6/9] Require the subcommand config or convert --- tools/miq_config_sssd_ldap.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/miq_config_sssd_ldap.rb b/tools/miq_config_sssd_ldap.rb index 0e53efb7a4c..7323aea3e5a 100755 --- a/tools/miq_config_sssd_ldap.rb +++ b/tools/miq_config_sssd_ldap.rb @@ -31,7 +31,7 @@ module MiqConfigSssdLdap end if $PROGRAM_NAME == __FILE__ - action = ARGV.nil? ? "convert" : ARGV.shift + action = ARGV.shift case action when "convert" From c0bbfca6fce7e0d506d532327e1695f8017216de Mon Sep 17 00:00:00 2001 From: Joe VLcek Date: Wed, 9 Oct 2019 15:39:04 -0400 Subject: [PATCH 7/9] Spec-ing z-spec yavol --- .../{configure_sssd_rules.rb => configure_sssd_rules_spec.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename spec/tools/miq_config_sssd_ldap/{configure_sssd_rules.rb => configure_sssd_rules_spec.rb} (100%) diff --git a/spec/tools/miq_config_sssd_ldap/configure_sssd_rules.rb b/spec/tools/miq_config_sssd_ldap/configure_sssd_rules_spec.rb similarity index 100% rename from spec/tools/miq_config_sssd_ldap/configure_sssd_rules.rb rename to spec/tools/miq_config_sssd_ldap/configure_sssd_rules_spec.rb From deebc84bc7415b6c5c5f7a688cd035ddb2a38600 Mon Sep 17 00:00:00 2001 From: Joe VLcek Date: Wed, 16 Oct 2019 17:52:18 -0400 Subject: [PATCH 8/9] Don't merge settings when configuring --- .../miq_config_sssd_ldap/cli_config_spec.rb | 43 ++++++++++++++++--- .../miqldap_configuration_spec.rb | 19 ++++++++ tools/miq_config_sssd_ldap/cli_config.rb | 21 +++++++-- tools/miq_config_sssd_ldap/cli_convert.rb | 1 + .../miqldap_configuration.rb | 2 +- 5 files changed, 75 insertions(+), 11 deletions(-) diff --git a/spec/tools/miq_config_sssd_ldap/cli_config_spec.rb b/spec/tools/miq_config_sssd_ldap/cli_config_spec.rb index ffe39ae9504..8ac5445dbac 100644 
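Review bot: `action = ARGV.shift` yields `nil` when the tool is started without a subcommand, and the rest of the `case` is outside the hunk, so unless it has an `else` branch the commit's stated requirement ("Require the subcommand config or convert") is not actually enforced and the process exits silently doing nothing. A guard right after the assignment makes the requirement explicit: `abort("usage: #{$PROGRAM_NAME} config|convert [options]") if action.nil?`. The removed `ARGV.nil?` test could never be true since `ARGV` is always an Array, so the change itself is correct.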
--- a/spec/tools/miq_config_sssd_ldap/cli_config_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/cli_config_spec.rb @@ -6,7 +6,7 @@ before do @all_opts = :tls_cacert, :tls_cacertdir, :domain, :ldaphost, :ldapport, :user_type, :user_suffix, :mode, :bind_dn, :bind_pwd, :only_change_userids, :skip_post_conversion_userid_change - @all_required_opts = %w[-H ldaphost -T dn-cn -S user_suffix -M ldap] + @all_required_opts = %w[-H ldaphost -T dn-cn -S user_suffix -M ldap -d example.com -b cn=Manager,dc=example,dc=com -p password] allow(TCPSocket).to receive(:new).and_return(double(:close => nil)) stub_const("LOGGER", double) @@ -19,9 +19,12 @@ expect(opts).to include(:ldapport => 389, :skip_post_conversion_userid_change => false) end - it "should assign all required options" do + it "should assign all required options when mode is ldap" do opts = described_class.new.parse(@all_required_opts).opts.slice(*@all_opts) - expect(opts).to eq(:ldaphost => ["ldaphost"], + expect(opts).to eq(:bind_dn => "cn=Manager,dc=example,dc=com", + :bind_pwd => "password", + :domain => "example.com", + :ldaphost => ["ldaphost"], :ldapport => 389, :mode => "ldap", :only_change_userids => false, 
@@ -66,17 +69,17 @@ end it "should parse base DN domain names" do - opts = described_class.new.parse(@all_required_opts + %w[-d example.com]).opts.slice(:domain) + opts = described_class.new.parse(@all_required_opts).opts.slice(:domain) expect(opts).to eq(:domain => "example.com") end it "should parse bind DN" do - opts = described_class.new.parse(@all_required_opts + %w[-b cn=Manager,dc=example,dc=com]).opts.slice(:bind_dn) + opts = described_class.new.parse(@all_required_opts).opts.slice(:bind_dn) expect(opts).to eq(:bind_dn => "cn=Manager,dc=example,dc=com") end it "should parse bind pwd" do - opts = described_class.new.parse(@all_required_opts + %w[-p password]).opts.slice(:bind_pwd) + opts = described_class.new.parse(@all_required_opts).opts.slice(:bind_pwd) expect(opts).to eq(:bind_pwd => "password") end @@ -89,5 +92,33 @@ opts = described_class.new.parse(@all_required_opts + %w[-s]).opts.slice(*@all_opts) expect(opts).to include(:skip_post_conversion_userid_change => true) end + + context "When mode is ldap" do + it "requires bind_dn" do + expect(Optimist).to receive(:die) + described_class.new.parse(@all_required_opts - %w[-b cn=Manager,dc=example,dc=com]) + end + + it "requires bind_pwd" do + expect(Optimist).to receive(:die) + described_class.new.parse(@all_required_opts - %w[-p password]) + end + end + + context "When ldap_role is true" do + before do + @ldap_role_ldaps_opts = @all_required_opts - %w[-M ldap] + %w[-M ldaps -g] + end + + it "requires bind_dn" do + expect(Optimist).to receive(:die) + described_class.new.parse(@ldap_role_ldaps_opts - %w[-b cn=Manager,dc=example,dc=com]) + end + + it "requires bind_pwd" do + expect(Optimist).to receive(:die) + described_class.new.parse(@ldap_role_ldaps_opts - %w[-p password]) + end + end end end diff --git a/spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb b/spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb index bd2b0d53f5b..41b80abcb69 100644 
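Review bot: The four new `expect(Optimist).to receive(:die)` examples accept any `die` call, and `parse` has other `Optimist.die` sites (the ldaphost/ldapport check, for one), so an example passes even if the bind_dn/bind_pwd validation never fired. Constrain the expectation to the message this commit introduces, e.g. `expect(Optimist).to receive(:die).with(/bind_dn and bind_pwd are required/)`. Note also that because `die` is stubbed, `parse` keeps running past the failed check, so anything it does afterwards with the missing option happens during the example.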
--- a/spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb +++ b/spec/tools/miq_config_sssd_ldap/miqldap_configuration_spec.rb @@ -3,6 +3,25 @@ require "miq_config_sssd_ldap" describe MiqConfigSssdLdap::MiqLdapConfiguration do + describe '#initialize' do + let(:settings) { {:tls_cacert => 'cert', :domain => "example.com"} } + let(:options) do + {:action => "config", + :ldaphost => "my-ldap-server", + :user_type => "dn-cn", + :user_suffix => "ou=people,ou=prod,dc=example,dc=com", + :mode => "ldap", + :domain => "example.com", + :bind_dn => "cn=Manager,dc=example,dc=com", + :bind_pwd => "password"} + end + + it 'does not merge current authentication setting with options when doing a fresh configuration' do + expect(described_class).to_not receive(:current_authentication_settings) + described_class.new(options) + end + end + describe '#retrieve_initial_settings' do let(:settings) { {:tls_cacert => 'cert', :domain => "example.com"} } diff --git a/tools/miq_config_sssd_ldap/cli_config.rb b/tools/miq_config_sssd_ldap/cli_config.rb index 6a7ce09c3f6..66d4d3d2334 100644 --- a/tools/miq_config_sssd_ldap/cli_config.rb +++ b/tools/miq_config_sssd_ldap/cli_config.rb @@ -48,7 +48,7 @@ def parse(args) :short => "d", :default => nil, :type => :string, - :required => false + :required => true opt :bind_dn, "The Bind DN, credential to use to authenticate against LDAP e.g. cn=Manager,dc=example,dc=com", @@ -64,6 +64,13 @@ def parse(args) :type => :string, :required => false + opt :ldap_role, + "Get user groups from LDAP true or false", + :short => "g", + :default => false, + :type => :flag, + :required => false + opt :tls_cacert, "Path to certificate file", :short => "c", 
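Review bot: The new `describe '#initialize'` declares `let(:settings)` but never references it; it appears to be copied from the `#retrieve_initial_settings` block below and should be dropped. The example also only asserts that `current_authentication_settings` is not called; adding `expect(described_class.new(options).initial_settings).to eq(options)` pins the positive behaviour the commit is about (the settings come solely from the CLI options for a fresh configuration).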
@@ -91,9 +98,11 @@ def parse(args) default_port_from_mode Optimist.die "#{opts[:ldaphost]}:#{opts[:ldapport]} is not open." unless ldaphost_and_ldapport_valid? opts[:ldaphost] = [opts[:ldaphost]] # Currently only supporting a single host from the command line. - set_ldap_role + + Optimist.die "bind_dn and bind_pwd are required when when Get user groups from ldap is true or mode is ldap." unless bind_dn_and_bind_pwd_valid? opts[:tls_cacertdir] = File.dirname(opts[:tls_cacert]) unless opts[:tls_cacert].nil? + opts[:action] = "config" self.opts = opts.delete_if { |_n, v| v.nil? } LOGGER.debug("User provided settings: #{opts}") @@ -130,8 +139,12 @@ def ldaphost_and_ldapport_valid? false end - def set_ldap_role - opts[:ldap_role] = opts[:bind_pwd].nil? ? false : true + def bind_dn_and_bind_pwd_valid? + if opts[:mode] == "ldap" || opts[:ldap_role] == true + return false if opts[:bind_dn].nil? + return false if opts[:bind_pwd].nil? + end + true end def user_type_valid? diff --git a/tools/miq_config_sssd_ldap/cli_convert.rb b/tools/miq_config_sssd_ldap/cli_convert.rb index 3398dfaf0f2..c065da1b983 100644 --- a/tools/miq_config_sssd_ldap/cli_convert.rb +++ b/tools/miq_config_sssd_ldap/cli_convert.rb @@ -49,6 +49,7 @@ def parse(args) end opts[:tls_cacertdir] = File.dirname(opts[:tls_cacert]) unless opts[:tls_cacert].nil? + opts[:action] = "convert" self.opts = opts.delete_if { |_n, v| v.nil? } LOGGER.debug("User provided settings: #{opts}") diff --git a/tools/miq_config_sssd_ldap/miqldap_configuration.rb b/tools/miq_config_sssd_ldap/miqldap_configuration.rb index 058e9ce5607..f105489a222 100644 --- a/tools/miq_config_sssd_ldap/miqldap_configuration.rb +++ b/tools/miq_config_sssd_ldap/miqldap_configuration.rb 
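Review bot: With `bind_pwd` now mandatory for ldap mode, the context line `LOGGER.debug("User provided settings: #{opts}")` at the end of this hunk writes the LDAP bind password to the log on every run at debug level; the same line is visible in the cli_convert.rb hunk, where it presumably has the same effect when a bind password is supplied. Redact it before logging, e.g. `LOGGER.debug("User provided settings: #{opts.except(:bind_pwd)}")`. Separately, the new die message has a doubled word, `"when when"`: `Optimist.die "bind_dn and bind_pwd are required when Get user groups from ldap is true or mode is ldap." unless bind_dn_and_bind_pwd_valid?`.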
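Review bot: `opts[:ldap_role] == true` in the new `bind_dn_and_bind_pwd_valid?` compares explicitly against `true`; `ldap_role` is declared as a `:flag` with `:default => false` in the earlier hunk, so the value is already boolean and the idiomatic form is `if opts[:mode] == "ldap" || opts[:ldap_role]`. The `@@ -141,8 +141,7 @@` hunk of patch 9/9 rewrites this method and keeps the same comparison, so the change applies there too.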
@@ -15,7 +15,7 @@ class MiqLdapConfiguration attr_accessor :initial_settings def initialize(options = {}) - self.initial_settings = current_authentication_settings.merge(options) + self.initial_settings = options[:action] == "config" ? options : current_authentication_settings.merge(options) end def retrieve_initial_settings From 4efc07e2fe37dac892c20ccbf482204644dadb44 Mon Sep 17 00:00:00 2001 From: Joe VLcek Date: Wed, 30 Oct 2019 12:25:04 -0400 Subject: [PATCH 9/9] streamline multi condition check in #bind_dn_and_bind_pwd_valid? --- tools/miq_config_sssd_ldap/cli_config.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/miq_config_sssd_ldap/cli_config.rb b/tools/miq_config_sssd_ldap/cli_config.rb index 66d4d3d2334..d5018153253 100644 --- a/tools/miq_config_sssd_ldap/cli_config.rb +++ b/tools/miq_config_sssd_ldap/cli_config.rb @@ -141,8 +141,7 @@ def ldaphost_and_ldapport_valid? def bind_dn_and_bind_pwd_valid? if opts[:mode] == "ldap" || opts[:ldap_role] == true - return false if opts[:bind_dn].nil? - return false if opts[:bind_pwd].nil? + return false if opts[:bind_dn].nil? || opts[:bind_pwd].nil? end true end
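Review bot: The new `initialize` line silently changes the contract of `initial_settings` based on an `:action` key that only the two CLI parsers set (visible in the cli_config.rb and cli_convert.rb hunks), and a reader of this class has no hint of that. A short comment above the assignment would document it: `# A fresh "config" run uses the supplied options only; any other caller (e.g. "convert") starts from the current authentication settings.` The ternary is also long enough that splitting it into an `if`/`else` would read better.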