stbenjam · May 29, 2023 15:30
diff --git a/10_freeipa_integration.sh b/10_freeipa_integration.sh
 #!/bin/bash
 # Hook for Foreman/FreeIPA Integration
 # Stephen Benjamin <[email protected]>
 # 11.11.2013

 . /etc/sysconfig/foreman-ipa

 action=$1 # create or destroy
 target=$2 # hostname

 function check_success {
  if [ $? -ne 0 ]; then
      echo Failed while $@.
      exit 1
  fi
 }

 case $action in
  create)
    echo "Generating random one-time password..."
    random_password=$(openssl rand -hex 32)
    check_success generating random password || exit 1

    echo "Getting kerberos ticket..."
    echo $IPA_PASS | /usr/bin/kinit $IPA_USER
    check_success getting kerberos ticket || exit 1

    echo "Pre-adding host to IPA..."
    ipa host-add --password=${random_password} $target --force
    check_success adding host to IPA || exit 1

    if $CREATE_SERVICE_PRINCIPAL;
    then
      echo "Creating puppet/$target service principal..."
      ipa service-add puppet/$target --force
      check_success creating service principal || exit 1
    fi

    # Save for later
    echo "random_password=$random_password" > /usr/share/foreman/tmp/${target}.dat

    echo "Done!"
    exit 0
    ;;
  after_commit)
    if [ -e /usr/share/foreman/tmp/${target}.dat ];
    then 
      . /usr/share/foreman/tmp/${target}.dat
      echo "Setting ipa_onetime parameter in Foreman..."
      curl -u $FOREMAN_USER:$FOREMAN_PASS -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json; version=2' -d "{\"host\": {\"host_parameters_attributes\": {\"1\": {\"name\": \"ipa_onetime\", \"value\": \"$random_password\", \"nested\": \"true\"}, \"2\": {\"name\": \"ipa_puppetca\", \"value\": \"$CREATE_SERVICE_PRINCIPAL\", \"nested\": \"true\"}}}}" http://localhost/api/hosts/$target 2>&1 > /tmp/curl.txt
    check_success setting Foreman parameter || exit
    rm -f /usr/share/foreman/tmp/${target}.dat
  fi

    ;;
  destroy)
    touch /tmp/destroy
    if $PREVENT_DELETING_HOSTS;
    then
      echo "Nothing to do; we're not allowed to remove hosts from IPA."
      exit 0
    else
      echo "Getting kerberos ticket..."
      echo $IPA_PASS | /usr/bin/kinit $IPA_USER
      check_success getting kerberos ticket || exit 1

      echo "Deleting host in IPA..."
      ipa host-del $target
      check_success deleting host from IPA || exit 1
    fi

    ;;

 esac
diff --git a/certmonger selinux policy b/certmonger selinux policy
 cat <<EOF>certmonger_2.te
 module certmonger_2 6.0;

 require {
        type certmonger_t;
        type puppet_etc_t;
        type puppet_var_lib_t;
        class dir { read getattr search open write add_name };
        class file { ioctl read write create getattr setattr lock append unlink link rename open };
 }
  
 #============= certmonger_t ==============
 allow certmonger_t puppet_var_lib_t:dir { read getattr search open write add_name };
 allow certmonger_t puppet_var_lib_t:file { ioctl read write create getattr setattr lock append unlink link rename open };
 EOF

 make -f /usr/share/selinux/devel/Makefile

 semodule -i certmonger_2.pp
diff --git a/etc_sysconfig_foreman-ipa b/etc_sysconfig_foreman-ipa
 # Are we using IPA as the CA?
 CREATE_SERVICE_PRINCIPAL=true
 
 # Allow Foreman to delete hosts from IPA
 PREVENT_DELETING_HOSTS=false
 
 # Hostname of an IPA server
 IPA_SERVER="astriaporta.bitbin.de"
 
 # User with appropriate permissions
 IPA_USER="registration"
 IPA_PASS="password"
 
 # Foreman API User/Password
 FOREMAN_USER="apiuser"
 FOREMAN_PASS="apipass"
diff --git a/foreman.ldif b/foreman.ldif
 dn: uid=foreman,cn=sysaccounts,cn=etc,dc=bitbin,dc=de
 changetype: add
 objectclass: account
 objectclass: simplesecurityobject
 uid: foreman
 userPassword: 8j926SEpcOvM0WLI
 passwordExpirationTime: 20380119031407Z
 nsIdleTimeout: 0
diff --git a/LICENSE b/LICENSE
 Copyright (c) 2013 Stephen Benjamin

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:

 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.

 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
diff --git a/post-ipa-snippet b/post-ipa-snippet
 # Register to IPA, two times
 # in case of https://fedorahosted.org/freeipa/ticket/3377
 ipa-client-install --mkhomedir -w <%= @host.params['ipa_onetime'] %> -f -U
 ipa-client-install --mkhomedir -w <%= @host.params['ipa_onetime'] %> -f -U
 
 # Make Puppet Certificate Directories
 mkdir -p /var/lib/puppet/ssl/{private_keys,certs}
 
 # Generate IPA Certificate
 ipa-getcert request -K puppet/<%= @host.name %>  -D <%= @host.name %> \
 -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem \
 -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem
 
 # Workaround for "stack too deep" problem
 # http://projects.puppetlabs.com/issues/21869
 cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem
 
 cat <<EOF > /etc/puppet/puppet.conf
 [main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet
 
    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet
    ssldir = /var/lib/puppet/ssl
    server = <%= @host.puppetmaster %>
    
 [agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt
 
    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig
    
    certificate_revocation = false
    certname = <%= @host.name %>
 EOF
 
 puppet agent --test
 chkconfig puppet on
	#!/bin/bash
	# Hook for Foreman/FreeIPA Integration
	# Stephen Benjamin <[email protected]>
	# 11.11.2013

	. /etc/sysconfig/foreman-ipa

	action=$1 # create or destroy
	target=$2 # hostname

	function check_success {
	if [ $? -ne 0 ]; then
	echo Failed while $@.
	exit 1
	fi
	}

	case $action in
	create)
	echo "Generating random one-time password..."
	random_password=$(openssl rand -hex 32)
	check_success generating random password \|\| exit 1

	echo "Getting kerberos ticket..."
	echo $IPA_PASS \| /usr/bin/kinit $IPA_USER
	check_success getting kerberos ticket \|\| exit 1

	echo "Pre-adding host to IPA..."
	ipa host-add --password=${random_password} $target --force
	check_success adding host to IPA \|\| exit 1

	if $CREATE_SERVICE_PRINCIPAL;
	then
	echo "Creating puppet/$target service principal..."
	ipa service-add puppet/$target --force
	check_success creating service principal \|\| exit 1
	fi

	# Save for later
	echo "random_password=$random_password" > /usr/share/foreman/tmp/${target}.dat

	echo "Done!"
	exit 0
	;;
	after_commit)
	if [ -e /usr/share/foreman/tmp/${target}.dat ];
	then
	. /usr/share/foreman/tmp/${target}.dat
	echo "Setting ipa_onetime parameter in Foreman..."
	curl -u $FOREMAN_USER:$FOREMAN_PASS -X PUT -H 'Content-Type: application/json' -H 'Accept: application/json; version=2' -d "{\"host\": {\"host_parameters_attributes\": {\"1\": {\"name\": \"ipa_onetime\", \"value\": \"$random_password\", \"nested\": \"true\"}, \"2\": {\"name\": \"ipa_puppetca\", \"value\": \"$CREATE_SERVICE_PRINCIPAL\", \"nested\": \"true\"}}}}" http://localhost/api/hosts/$target 2>&1 > /tmp/curl.txt
	check_success setting Foreman parameter \|\| exit
	rm -f /usr/share/foreman/tmp/${target}.dat
	fi

	;;
	destroy)
	touch /tmp/destroy
	if $PREVENT_DELETING_HOSTS;
	then
	echo "Nothing to do; we're not allowed to remove hosts from IPA."
	exit 0
	else
	echo "Getting kerberos ticket..."
	echo $IPA_PASS \| /usr/bin/kinit $IPA_USER
	check_success getting kerberos ticket \|\| exit 1

	echo "Deleting host in IPA..."
	ipa host-del $target
	check_success deleting host from IPA \|\| exit 1
	fi

	;;

	esac
	cat <<EOF>certmonger_2.te
	module certmonger_2 6.0;

	require {
	type certmonger_t;
	type puppet_etc_t;
	type puppet_var_lib_t;
	class dir { read getattr search open write add_name };
	class file { ioctl read write create getattr setattr lock append unlink link rename open };
	}

	#============= certmonger_t ==============
	allow certmonger_t puppet_var_lib_t:dir { read getattr search open write add_name };
	allow certmonger_t puppet_var_lib_t:file { ioctl read write create getattr setattr lock append unlink link rename open };
	EOF

	make -f /usr/share/selinux/devel/Makefile

	semodule -i certmonger_2.pp
	# Are we using IPA as the CA?
	CREATE_SERVICE_PRINCIPAL=true

	# Allow Foreman to delete hosts from IPA
	PREVENT_DELETING_HOSTS=false

	# Hostname of an IPA server
	IPA_SERVER="astriaporta.bitbin.de"

	# User with appropriate permissions
	IPA_USER="registration"
	IPA_PASS="password"

	# Foreman API User/Password
	FOREMAN_USER="apiuser"
	FOREMAN_PASS="apipass"
	dn: uid=foreman,cn=sysaccounts,cn=etc,dc=bitbin,dc=de
	changetype: add
	objectclass: account
	objectclass: simplesecurityobject
	uid: foreman
	userPassword: 8j926SEpcOvM0WLI
	passwordExpirationTime: 20380119031407Z
	nsIdleTimeout: 0
	Copyright (c) 2013 Stephen Benjamin

	Permission is hereby granted, free of charge, to any person obtaining a copy
	of this software and associated documentation files (the "Software"), to deal
	in the Software without restriction, including without limitation the rights
	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	copies of the Software, and to permit persons to whom the Software is
	furnished to do so, subject to the following conditions:

	The above copyright notice and this permission notice shall be included in
	all copies or substantial portions of the Software.

	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	THE SOFTWARE.
	# Register to IPA, two times
	# in case of https://fedorahosted.org/freeipa/ticket/3377
	ipa-client-install --mkhomedir -w <%= @host.params['ipa_onetime'] %> -f -U
	ipa-client-install --mkhomedir -w <%= @host.params['ipa_onetime'] %> -f -U

	# Make Puppet Certificate Directories
	mkdir -p /var/lib/puppet/ssl/{private_keys,certs}

	# Generate IPA Certificate
	ipa-getcert request -K puppet/<%= @host.name %> -D <%= @host.name %> \
	-k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem \
	-f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem

	# Workaround for "stack too deep" problem
	# http://projects.puppetlabs.com/issues/21869
	cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem

	cat <<EOF > /etc/puppet/puppet.conf
	[main]
	# The Puppet log directory.
	# The default value is '$vardir/log'.
	logdir = /var/log/puppet

	# Where Puppet PID files are kept.
	# The default value is '$vardir/run'.
	rundir = /var/run/puppet
	ssldir = /var/lib/puppet/ssl
	server = <%= @host.puppetmaster %>

	[agent]
	# The file in which puppetd stores a list of the classes
	# associated with the retrieved configuratiion. Can be loaded in
	# the separate ``puppet`` executable using the ``--loadclasses``
	# option.
	# The default value is '$confdir/classes.txt'.
	classfile = $vardir/classes.txt

	# Where puppetd caches the local configuration. An
	# extension indicating the cache format is added automatically.
	# The default value is '$confdir/localconfig'.
	localconfig = $vardir/localconfig

	certificate_revocation = false
	certname = <%= @host.name %>
	EOF

	puppet agent --test
	chkconfig puppet on