Split the FreeIPA server into its own VM

Fixes: #52 Signed-off-by: Aurélien Bompard <[email protected]>
fedora-infra · Jul 19, 2023 · ac7e57c · ac7e57c
1 parent 9fba5c6
commit ac7e57c
Show file tree

Hide file tree

Showing 21 changed files with 287 additions and 291 deletions.
diff --git a/README.md b/README.md
@@ -6,9 +6,9 @@ Testing and developing Fedora Infra applications can be  tedious without having
 As a minimum, tiny-stage creates the following machines, and configures them to talk to each other:
 
 * The `auth` VM, including:
-  * FreeIPA, with the FreeIPA FAS extensions installed: https://auth.tinystage.test/
-  * FASJSON (the Fedora Accounts API): http://auth.tinystage.test/fasjson/
-  * Ipsilon: https://auth.tinystage.test/idp
+  * FreeIPA, with the FreeIPA FAS extensions installed: https://ipa.tinystage.test/
+  * FASJSON (the Fedora Accounts API): http://fasjson.tinystage.test/fasjson/
+  * Ipsilon: https://ipsilon.tinystage.test/idp
   * Noggin: https://auth.tinystage.test/noggin
   * Test-Auth: https://auth.tinystage.test/test-auth
 * The `tinystage` VM, including:
@@ -34,7 +34,7 @@ $ sudo systemctl enable libvirtd
 $ sudo systemctl start libvirtd
 ```
 
-Then run vagrant to create the 4 default machines (freeipa, fasjson, ipsilon, fedora-messages):
+Then run vagrant to create the 3 default machines (ipa, auth, tinystage):
 
 ```
 $ vagrant up
@@ -59,6 +59,7 @@ To check what machines are currently running, use the command:
 $ vagrant status
 Current machine states:
 
+ipa                       running (libvirt)
 auth                      running (libvirt)
 elections                 running (libvirt)
 mirrormanager2            not created (libvirt)

diff --git a/Vagrantfile b/Vagrantfile
@@ -6,11 +6,16 @@ ENV['VAGRANT_NO_PARALLEL'] = 'yes'
 domain = "tinystage.test"
 
 machines = {
-  "auth": {
-    "hostmanager.aliases": ["ipa", "kerberos", "noggin", "fasjson", "ipsilon", "test-auth"],
+  "ipa": {
+    "hostmanager.aliases": ["kerberos"],
     "autostart": true,
     "libvirt.memory": 2048,
   },
+  "auth": {
+    "hostmanager.aliases": ["fasjson", "ipsilon"],
+    "autostart": true,
+    "libvirt.memory": 1536,
+  },
   "elections": {},
   "mirrormanager2": {},
   "ipaclient": {},

diff --git a/ansible/auth.yml b/ansible/auth.yml
@@ -4,18 +4,17 @@
   become_method: sudo
   roles:
     - common
-    - role: freeipa
-      tags: ipa
+    - ipa-client
+    - apache
     - role: ipsilon
       tags: ipsilon
-    - role: noggin
-      tags: noggin
     - role: fasjson
       tags: fasjson
+    - role: noggin
+      tags: noggin
     - role: oidc-register
       tags: oidc-register
       vars:
-        ipsilon_hostname: "{{ ansible_fqdn }}"
         redirect_path: test-auth/oidc/oidc_callback
         dest: "/home/vagrant/test-auth.client_secrets.json"
     - role: test-auth
@@ -27,9 +26,3 @@
         name: httpd
         state: restarted
         daemon_reload: yes
-
-    - name: restart gssproxy
-      systemd:
-        name: gssproxy
-        state: restarted
-        daemon_reload: yes
diff --git a/ansible/freeipa.yml → ansible/ipa.yml b/ansible/freeipa.yml → ansible/ipa.yml
@@ -1,7 +1,8 @@
 ---
-- hosts: freeipa
+- hosts: ipa
   become: true
   become_method: sudo
   roles:
     - common
-    - freeipa
+    - role: freeipa
+      tags: ipa
diff --git a/ansible/roles/apache/tasks/main.yml b/ansible/roles/apache/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Install RPM packages
+  dnf:
+    name:
+      - httpd
+      - krb5-workstation
+      - sqlite
+      - openssl
+      - mod_ssl
+    state: present
+
+- name: kinit for Apache
+  shell: echo "{{ ipa_admin_password }}" | kinit {{ ipa_admin_user }}@{{ krb_realm }}
+
+- name: Get the certificates
+  import_role:
+    name: cert
+  vars:
+    cert_hostname: "{{ ansible_fqdn }}"
+    cert_basename: server
+
+- name: configure SSLCertificateFile in ssl.conf
+  lineinfile:
+    path: /etc/httpd/conf.d/ssl.conf
+    regexp: "SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt"
+    line: SSLCertificateFile /etc/pki/tls/certs/server.pem
+
+- name: configure SSLCertificateKeyFile in ssl.conf
+  lineinfile:
+    path: /etc/httpd/conf.d/ssl.conf
+    regexp: "SSLCertificateKeyFile \/etc\/pki\/tls\/private\/localhost.key"
+    line: SSLCertificateKeyFile /etc/pki/tls/private/server.key
+
+- name: set default client keytab in krb5.conf
+  lineinfile:
+    path: /etc/krb5.conf
+    insertafter: 'default_ccache_name.*'
+    line: '  default_client_keytab_name = FILE:/etc/httpd/conf/http.keytab'
diff --git a/ansible/roles/cert/defaults/main.yml b/ansible/roles/cert/defaults/main.yml
@@ -1 +1,3 @@
-service: HTTP
+krb_service: HTTP
+cert_hostname: "{{ ansible_fqdn }}"
+cert_basename: server
diff --git a/ansible/roles/cert/tasks/main.yml b/ansible/roles/cert/tasks/main.yml
@@ -1,16 +1,16 @@
 
 
 - name: Generate and get SSL cert
-  shell: ipa-getcert request -f /etc/pki/tls/certs/server.pem -k /etc/pki/tls/private/server.key -K {{ service }}/{{ ansible_fqdn }}
+  shell: ipa-getcert request -f /etc/pki/tls/certs/{{ cert_basename }}.pem -k /etc/pki/tls/private/{{ cert_basename }}.key -K {{ krb_service }}/{{ cert_hostname }} -N {{ cert_hostname }}
   args:
-    creates: /etc/pki/tls/certs/server.pem
+    creates: /etc/pki/tls/certs/{{ cert_basename }}.pem
 
 - name: Check the cert is there
   wait_for:
-    path: /etc/pki/tls/certs/server.pem
+    path: /etc/pki/tls/certs/{{ cert_basename }}.pem
     state: present
 
 - name: Check the key is there
   wait_for:
-    path: /etc/pki/tls/private/server.key
+    path: /etc/pki/tls/private/{{ cert_basename }}.key
     state: present
diff --git a/ansible/roles/fasjson/defaults/main.yml b/ansible/roles/fasjson/defaults/main.yml
@@ -0,0 +1 @@
+vhost: fasjson.{{ ansible_domain }}
diff --git a/ansible/roles/fasjson/files/fasjson.wsgi b/ansible/roles/fasjson/files/fasjson.wsgi
@@ -2,5 +2,4 @@ import os
 from fasjson.web.app import create_app
 
 os.environ["KRB5CCNAME"] = "/tmp/krb5cc-httpd"
-os.environ["GSS_USE_PROXY"] = "yes"
 application = create_app()
diff --git a/ansible/roles/fasjson/files/gssproxy.conf b/ansible/roles/fasjson/files/gssproxy.conf
diff --git a/ansible/roles/fasjson/tasks/main.yml b/ansible/roles/fasjson/tasks/main.yml
@@ -50,51 +50,50 @@
   notify:
     - restart httpd
 
-
-- name: Copy the service setup script
-  template:
-    src: setup-fasjson-service.sh
-    dest: /srv/setup-fasjson-service.sh
-    mode: 0755
-
 - name: kinit for FASJSON
   shell: echo {{ ipa_admin_password }} | kinit {{ ipa_admin_user }}@{{ krb_realm }}
 
-- name: Create the service in IPA
-  command: bash /srv/setup-fasjson-service.sh FASJSON/{{ ansible_fqdn }}
-
-- name: Get service keytab for HTTPd
-  shell: ipa-getkeytab -p FASJSON/{{ ansible_fqdn }} -k /var/lib/gssproxy/fasjson.keytab
-  args:
-    creates: /var/lib/gssproxy/fasjson.keytab
-  notify:
-    - restart gssproxy
-
-- name: Set the correct permissions on keytab
-  file:
-    path: /var/lib/gssproxy/fasjson.keytab
-    owner: root
-    group: root
-    mode: 0640
-  notify:
-    - restart gssproxy
-
-- name: Copy gssproxy conf
-  copy:
-    src: gssproxy.conf
-    dest: /etc/gssproxy/80-fasjson.conf
-    mode: 0644
-    owner: root
-    group: root
-  notify:
-    - restart gssproxy
-
-- name: Enable and restart GSSProxy
-  systemd:
-    state: started
-    name: gssproxy
-    enabled: yes
-    daemon_reload: yes
+- name: Create the vhost in IPA
+  import_role:
+    name: ipa-vhost
+  vars:
+    app_name: fasjson
+
+- name: Create the fasjson service delegation rule
+  shell: ipa servicedelegationrule-add fasjson-delegation
+  register: result
+  changed_when: '"Added servicedelegationrule" in result.stdout'
+  failed_when: '" already exists" not in result.stderr and result.rc != 0'
+
+- name: Add fasjson to the service delegation rule
+  shell: ipa servicedelegationrule-add-member --principals HTTP/{{ vhost }} fasjson-delegation
+  register: result
+  changed_when: '"Member added to servicedelegationrule" in result.stdout'
+  failed_when: '"HTTP/"+vhost+": This entry is already a member" not in result.stdout and result.rc != 0'
+
+- name: Add the LDAP delegation target to the service delegation rule
+  shell: ipa servicedelegationrule-add-target --servicedelegationtargets=ipa-ldap-delegation-targets fasjson-delegation
+  register: result
+  changed_when: '"Number of targets added 1" in result.stdout'
+  failed_when: '"ipa-ldap-delegation-targets: This entry is already a member" not in result.stdout and result.rc != 0'
+
+- name: Create the HTTP delegation target
+  shell: ipa servicedelegationtarget-add ipa-http-delegation-targets
+  register: result
+  changed_when: '"Added servicedelegationtarget" in result.stdout'
+  failed_when: '" already exists" not in result.stderr and result.rc != 0'
+
+- name: Add IPA to the HTTP delegation target
+  shell: ipa servicedelegationtarget-add-member ipa-http-delegation-targets --principals=HTTP/ipa.tinystage.test@{{ krb_realm }}
+  register: result
+  changed_when: '"Member added to servicedelegationtarget" in result.stdout'
+  failed_when: '"HTTP/ipa.tinystage.test@"+krb_realm+": This entry is already a member" not in result.stdout and result.rc != 0'
+
+- name: Add the HTTP delegation target to the delegation rule
+  shell: ipa servicedelegationrule-add-target --servicedelegationtargets=ipa-http-delegation-targets fasjson-delegation
+  register: result
+  changed_when: '"Number of targets added 1" in result.stdout'
+  failed_when: '"ipa-http-delegation-targets: This entry is already a member" not in result.stdout and result.rc != 0'
 
 - name: Configure temporary files
   copy:
@@ -118,19 +117,25 @@
   notify:
     - restart httpd
 
-- name: Create Apache service
+- name: Create Apache service config directory
   file:
     path: /etc/systemd/system/httpd.service.d
     state: directory
     mode: 0755
 
-- name: Copy configs for Apache
-  copy:
+- name: Copy the Apache config
+  template:
     src: httpd.conf
     dest: /etc/httpd/conf.d/fasjson.conf
   notify:
     - restart httpd
 
+- name: Allow apache to modify files in /run/fasjson
+  community.general.sefcontext:
+    target: '/var/run/fasjson(/.*)?'
+    setype: httpd_var_run_t
+    state: present
+
 - name: Enable and restart Apache
   systemd:
     state: started

diff --git a/ansible/roles/fasjson/files/httpd.conf → ansible/roles/fasjson/templates/httpd.conf b/ansible/roles/fasjson/files/httpd.conf → ansible/roles/fasjson/templates/httpd.conf
@@ -11,6 +11,19 @@ WSGIImportScript /srv/fasjson.wsgi \
 WSGIScriptAlias /fasjson /srv/fasjson.wsgi
 WSGIScriptReloading Off
 
+<Virtualhost _default_:443>
+
+ServerName {{ vhost }}
+ErrorLog logs/error_log
+TransferLog logs/access_log
+LogLevel info
+
+SSLEngine on
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+SSLCertificateFile /etc/pki/tls/certs/fasjson.pem
+SSLCertificateKeyFile /etc/pki/tls/private/fasjson.key
+
 <Location "/fasjson">
   WSGIProcessGroup fasjson
   WSGIApplicationGroup fasjson
@@ -25,10 +38,12 @@ WSGIScriptReloading Off
   AuthName "Kerberos Login"
   GssapiUseSessions On
   Session On
-  SessionCookieName ipa_session path=/fasjson;httponly;secure;
-  SessionHeader IPASESSION
+  SessionCookieName fasjson_session path=/fasjson;httponly;secure;
+  SessionHeader FASJSONSESSION
   GssapiSessionKey file:/run/fasjson/session.key
-
+  GssapiCredStore keytab:/etc/httpd/conf/fasjson.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/fasjson.keytab
+  GssapiCredStore ccache:FILE:/run/fasjson/krb5ccache
   GssapiImpersonate On
   GssapiDelegCcacheDir /run/fasjson/ccaches
   GssapiDelegCcachePerms mode:0660
@@ -43,3 +58,4 @@ WSGIScriptReloading Off
   Header unset ETag
   FileETag None
 </LocationMatch>
+</VirtualHost>
diff --git a/ansible/roles/fasjson/templates/setup-fasjson-service.sh b/ansible/roles/fasjson/templates/setup-fasjson-service.sh