ncm-freeipa: support freeipa 4.7

.github/workflows/continuous-integration.yaml

@@ -23,7 +23,7 @@ jobs:
  # work, but this is a quick way of pulling in a lot of required dependencies.
  # Surprisingly `which` is not installed by default and panc depends on it.
  # libselinux-utils is required for /usr/sbin/selinuxenabled
- dnf install -y maven which panc ncm-lib-blockdevices \
+ dnf install -y maven which rpm-build panc ncm-lib-blockdevices \
  ncm-ncd git libselinux-utils sudo perl-Crypt-OpenSSL-X509 \
  perl-Data-Compare perl-Date-Manip perl-File-Touch perl-JSON-Any \
  perl-Net-DNS perl-Net-FreeIPA perl-Net-OpenNebula \

ncm-freeipa/src/main/pan/components/freeipa/config.pan

@@ -1 +1,17 @@
 ${componentconfig}
+
+variable FREEIPA_CLI_REQUIRES_PAM_KRB5 ?= true;
+
+'cli_packages' ?= {
+ t = list(
+ 'ncm-freeipa-${no-snapshot-version}-${rpm.release}',
+ 'nss-pam-ldapd',
+ 'ipa-client',
+ 'nss-tools',
+ 'openssl',
+ );
+ if (FREEIPA_CLI_REQUIRES_PAM_KRB5) {
+ append(t, 'pam_krb5');
+ };
+ t;
+};

ncm-freeipa/src/main/pan/components/freeipa/schema.pan

@@ -155,9 +155,11 @@ type ${project.artifactId}_component = {
  'principals' ? component_${project.artifactId}_principal{} with {
  foreach (k; v; SELF) {
  if (!match(k, '^(client|server|aii)$')) {
- error(format("Unsupported principal %s (must be one of client, server or aii)", k));
+ error("Unsupported principal %s (must be one of client, server or aii)", k);
  };
  };
  true;
  }
+ @{Packages required for CLI installation (e.g. in kickstart)}
+ 'cli_packages' : string[]
 };

ncm-freeipa/src/main/perl/FreeIPA/CLI.pm

@@ -3,6 +3,7 @@
 use parent qw(CAF::Application NCM::Component::freeipa CAF::Reporter CAF::Object Exporter);
 
 use NCM::Component::freeipa;
+use version;
 
 our @EXPORT = qw(install);
 
@@ -15,8 +16,10 @@ use Readonly;
 Readonly::Array my @TIME_SERVICES => qw(ntpd chronyd ptpd ptpd2);
 Readonly::Array my @NTPDATE_SYNC => qw(/usr/sbin/ntpdate -U ntp -b -v);
 
-Readonly::Array my @IPA_INSTALL => qw(ipa-client-install --unattended --debug --noac);
-Readonly::Array my @IPA_INSTALL_NOS => qw(sssd sudo sshd ssh ntp dns-sshfp nisdomain);
+Readonly::Array my @IPA_INSTALL => qw(ipa-client-install --unattended --debug);
+Readonly::Array my @IPA_INSTALL_PRE47 => qw(--noac);
+Readonly::Array my @IPA_INSTALL_NOS => qw(sudo sshd ssh ntp dns-sshfp nisdomain);
+Readonly::Array my @IPA_INSTALL_NOS_PRE47 => qw(sssd);
 
 # Location based discovery
 # http://www.freeipa.org/page/V4/DNS_Location_Mechanism
@@ -215,6 +218,28 @@ sub location_based_discovery
  return;
 }
 
+# Return version instance C<v$major.$minor.$remainder> version information (from C<ipa-client-install --version>)
+# Return undef in case of problem.
+sub get_ipa_install_version
+{
+ my ($self) = @_;
+
+ my $proc = CAF::Process->new(
+ [$IPA_INSTALL[0], "--version"],
+ log => $self,
+ keeps_state => 1,
+ );
+ my $output = $proc->output();
+
+ # e.g. '4.6.5'
+ if ($output && $output =~ m/\D((?:\d+)(?:\.\d+)+)\s*$/) {
+ return version->new("v$1");
+ } else {
+ $self->error("Failed to parse output from $proc: $output");
+ return;
+ }
+}
+
 
 # TODO: ipa-join is enough?
 sub ipa_install
@@ -224,17 +249,24 @@ sub ipa_install
  my $ec = SUCCESS;
  $self->debug(1, "begin ipa_install with primary $primary realm $realm");
 
+ my @ipa_install = @IPA_INSTALL;
+ my @ipa_install_nos = @IPA_INSTALL_NOS;
+ my $version = $self->get_ipa_install_version();
+ if ($version < version->new('4.7.0')) {
+ push(@ipa_install, @IPA_INSTALL_PRE47);
+ push(@ipa_install_nos, @IPA_INSTALL_NOS_PRE47);
+ }
 
  #$self->pre_time($opts{ntpserver});
 
  # It is ok to log this, the password is an OTP
  # TODO: set expiration window on password or cron job to reset password
  my $cmd = [
- @IPA_INSTALL,
+ @ipa_install,
  '--realm', $realm,
  '--domain', $domain,
  '--password', $otp,
- map {"--no-$_"} @IPA_INSTALL_NOS, # Nothing after this, will all be map'ped
+ map {"--no-$_"} @ipa_install_nos, # Nothing after this, will all be map'ped
  ];
 
  if ($self->location_based_discovery($domain, $primary)) {

ncm-freeipa/src/main/perl/freeipa.pm

@@ -123,16 +123,6 @@ $NCM::Component::${project.artifactId}::NoActionSupported = 1;
 Readonly my $DEBUGAPI_LEVEL => 3;
 Readonly::Array my @GET_KEYTAB => qw(/usr/sbin/ipa-getkeytab);
 
-# packages to install with yum for dependencies
-Readonly::Array our @CLI_YUM_PACKAGES => qw(
- ncm-freeipa
- nss-pam-ldapd
- ipa-client
- nss-tools
- openssl
- pam_krb5
-);
-
 Readonly my $IPA_BASEDIR => '/etc/ipa';
 Readonly our $IPA_QUATTOR_BASEDIR => "$IPA_BASEDIR/quattor";
 
@@ -587,16 +577,18 @@ sub _manual_initialisation
  my $tree = $config->getTree($self->prefix());
  my $network = $config->getTree('/system/network');
 
- my $yum_packages = join(" ", );
-
  my $domain = $tree->{domain} || $network->{domainname};
 
  # Is optional, but we use the template value; not the CLI default
  my $hostcert = $tree->{hostcert} ? 1 : 0;
 
- my @yum = qw(yum -y install);
- push(@yum, @CLI_YUM_PACKAGES);
- push(@yum, qw(-c /tmp/aii/yum/yum.conf)) if $opts{aii};
+ my @cli_packages = @{$tree->{cli_packages}};
+ my @yum;
+ if (@cli_packages) {
+ push(@yum, qw(yum -y install), @cli_packages);
+ push(@yum, qw(-c /tmp/aii/yum/yum.conf)) if $opts{aii};
+
+ }
 
  my @cli = qw(PERL5LIB=/usr/lib/perl perl -MNCM::Component::FreeIPA::CLI -w -e install --);
 
@@ -614,7 +606,8 @@ sub _manual_initialisation
  );
 
  my @cmds;
- push(@cmds, join(" ", @yum), join(" ", @cli));
+ push(@cmds, join(" ", @yum)) if @yum;
+ push(@cmds, join(" ", @cli));
 
  return join("\n", @cmds);
 }

ncm-freeipa/src/test/perl/aii-basic.t

@@ -58,7 +58,7 @@ ok(POST_history_ok([
  ]), "host_add / host_mod called");
 
 
-like($fh, qr(^yum -y install ncm-freeipa nss-pam-ldapd ipa-client nss-tools openssl pam_krb5 -c /tmp/aii/yum/yum.conf$)m,
+like($fh, qr(^yum -y install ncm-freeipa-\d+\.\d+\.\d+-\w+ nss-pam-ldapd ipa-client nss-tools openssl pam_krb5 -c /tmp/aii/yum/yum.conf$)m,
  "install freeipa component and CLI dependencies in post_reboot");
 like($fh, qr(^PERL5LIB=/usr/lib/perl perl -MNCM::Component::FreeIPA::CLI -w -e install -- --realm MY.REALM --primary myhost.example.com --domain com --fqdn myhost.example.com --hostcert 1 --otp 'superse\\\$cret\\\$OTP'$)m,
  "CLI called as expected");