Convert ipa-httpd-pwdreader into Python script

and use paths from ipaplatform. Fixes: https://pagure.io/freeipa/issue/8401 Signed-off-by: Christian Heimes <[email protected]> Reviewed-By: Alexander Bokovoy <[email protected]> Reviewed-By: Francois Cami <[email protected]>
progier389 · Jul 30, 2020 · 8f6502d · 8f6502d
1 parent 664007e
commit 8f6502d
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 29 deletions.
diff --git a/.gitignore b/.gitignore
@@ -133,6 +133,7 @@ makeaci
 makeapi
 client/ipa-certupdate
 client/ipa-client-automount
+client/certbot-dns-ipa
 client/ipa-client-install
 client/ipa-client-samba
 client/ipa-epn
@@ -156,6 +157,7 @@ install/restart_scripts/renew_ra_cert_pre
 install/restart_scripts/restart_dirsrv
 install/restart_scripts/restart_httpd
 install/restart_scripts/stop_pkicad
+install/tools/ipa-acme-manage
 install/tools/ipa-adtrust-install
 install/tools/ipa-advise
 install/tools/ipa-backup
@@ -170,6 +172,7 @@ install/tools/ipa-custodia
 install/tools/ipa-custodia-check
 install/tools/ipa-dns-install
 install/tools/ipa-httpd-kdcproxy
+install/tools/ipa-httpd-pwdreader
 install/tools/ipa-kra-install
 install/tools/ipa-ldap-updater
 install/tools/ipa-managed-entries

diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
@@ -33,6 +33,7 @@ dist_noinst_DATA =		\
 	ipa-custodia.in		\
 	ipa-custodia-check.in	\
 	ipa-httpd-kdcproxy.in	\
+	ipa-httpd-pwdreader.in	\
 	ipa-pki-retrieve-key.in	\
 	ipa-pki-wait-running.in	\
 	ipa-acme-manage.in	\
@@ -72,14 +73,11 @@ nodist_app_SCRIPTS =		\
 	ipa-custodia		\
 	ipa-custodia-check	\
 	ipa-httpd-kdcproxy	\
+	ipa-httpd-pwdreader	\
 	ipa-pki-retrieve-key	\
 	ipa-pki-wait-running	\
 	$(NULL)
 
-dist_app_SCRIPTS =		\
-	ipa-httpd-pwdreader	\
-	$(NULL)
-
 PYTHON_SHEBANG = 					\
 	$(nodist_sbin_SCRIPTS)	\
 	$(nodist_app_SCRIPTS)	\

diff --git a/install/tools/ipa-httpd-pwdreader b/install/tools/ipa-httpd-pwdreader
diff --git a/install/tools/ipa-httpd-pwdreader.in b/install/tools/ipa-httpd-pwdreader.in
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+"""mod_ssl password reader
+This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
+
+If you'd like to write your custom binary providing passwords to mod_ssl,
+see the documentation of the aforementioned directive of the mod_ssl module.
+"""
+import argparse
+import os
+
+from ipaplatform.paths import paths
+
+HTTPD_PASSWD_DIR = os.path.realpath(
+    os.path.dirname(paths.HTTPD_PASSWD_FILE_FMT)
+)
+
+parser = argparse.ArgumentParser(description="mod_ssl password reader")
+parser.add_argument(
+    "host_port", help="host:port",
+)
+parser.add_argument(
+    "keytype", help="RSA|DSA|ECC|number",
+)
+
+
+def main():
+    args = parser.parse_args()
+    host_port = args.host_port.replace(":", "-")
+    keytype = args.keytype
+    pwdpath = os.path.realpath(
+        os.path.join(HTTPD_PASSWD_DIR, f"{host_port}-{keytype}")
+    )
+    if not pwdpath.startswith(HTTPD_PASSWD_DIR):
+        parser.error(f"Invalid path {pwdpath}\n")
+    try:
+        with open(pwdpath) as f:
+            print(f.read(), end="")
+    except OSError as e:
+        parser.error(str(e))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ipaplatform/fedora_container/paths.py b/ipaplatform/fedora_container/paths.py
@@ -24,6 +24,7 @@ class FedoraContainerPathNamespace(FedoraPathNamespace):
     PKI_CONFIGURATION = data(FedoraPathNamespace.PKI_CONFIGURATION)
     SAMBA_DIR = data(FedoraPathNamespace.SAMBA_DIR)
     HTTPD_IPA_WSGI_MODULES_CONF = None
+    HTTPD_PASSWD_FILE_FMT = data(FedoraPathNamespace.HTTPD_PASSWD_FILE_FMT)
 
 
 paths = FedoraContainerPathNamespace()
diff --git a/ipaplatform/rhel_container/paths.py b/ipaplatform/rhel_container/paths.py
@@ -24,6 +24,7 @@ class RHELContainerPathNamespace(RHELPathNamespace):
     PKI_CONFIGURATION = data(RHELPathNamespace.PKI_CONFIGURATION)
     SAMBA_DIR = data(RHELPathNamespace.SAMBA_DIR)
     HTTPD_IPA_WSGI_MODULES_CONF = None
+    HTTPD_PASSWD_FILE_FMT = data(RHELPathNamespace.HTTPD_PASSWD_FILE_FMT)
 
 
 paths = RHELContainerPathNamespace()