diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e594810 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +*.rpm +*.log +*spec-20* +*.tar.xz diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..cc725e1 --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: smeserver-phpki-ng +# $Id: Makefile,v 1.1 2020/11/24 16:28:21 jcrisp Exp $ +NAME := smeserver-phpki-ng +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/README.md b/README.md index 4af39c2..1469103 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,15 @@ -# smeserver-phpki-ng +# smeserver-phpki-ng -SMEServer Koozali developed git repo for smeserver-phpki-ng smecontribs \ No newline at end of file +SMEServer Koozali developed git repo for smeserver-phpki-ng smecontribs + +## Wiki +
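Review bot: The writability test in `find-makefile-common` reads `-w $$/Makefile.common`, which the shell expands to `/Makefile.common` (the `d` is missing), so the `cvs -Q update` branch tests the wrong path and effectively never runs; it should be `-w $$d/Makefile.common`. This looks like the shared Koozali build boilerplate, so the fix presumably belongs in the upstream copy as well. `exit -1` in `checkout-makefile-common` is not a valid POSIX exit status (it surfaces as 255); `exit 1` says what is meant.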
https://wiki.koozali.org/ + +## Bugzilla +Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-phpki-ng&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED) + +## Description + +
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* +*Once it has been checked, then this comment will be deleted* +
diff --git a/contriborbase b/contriborbase
new file mode 100644
index 0000000..9b7fd51
--- /dev/null
+++ b/contriborbase
@@ -0,0 +1 @@
+contribs10
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..1499de9
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,60 @@ +#!/usr/bin/perl -w + +use esmith::Build::CreateLinks qw(:all); + +# Start and stop links + +#service_link_enhanced("httpd-pki", "S86", "7"); +#service_link_enhanced("httpd-pki", "K15", "6"); +#service_link_enhanced("httpd-pki", "K15", "0"); +#service_link_enhanced("httpd-pki", "K15", "1"); + +#safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/httpd-pki'); +#safe_symlink("/var/service/httpd-pki" , 'root/service/httpd-pki'); + +# Panel links + +panel_link("phpki", 'manager'); + +# Events links +event_link("phpki-fixtakey", qw(bootstrap-console-save post-upgrade), "50"); +event_link("phpki-fixownership", qw(bootstrap-console-save post-upgrade), "02"); +templates2events("/etc/httpd/pki-conf/httpd.conf", qw(bootstrap-console-save conf-userpanel domain-modify)); +safe_symlink("restart", "root/etc/e-smith/events/conf-userpanel/services2adjust/httpd-pki"); +safe_symlink("restart", "root/etc/e-smith/events/domain-modify/services2adjust/httpd-pki"); +safe_symlink("restart", "root/etc/e-smith/events/logrotate/services2adjust/httpd-pki"); + + +# our event specific for updating with yum without reboot +$event = "smeserver-phpki-ng-update"; +#add here the path to your templates needed to expand +#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event + +foreach my $file (qw( + /etc/systemd/system-preset/49-koozali.preset + /etc/httpd/conf/httpd.conf + /etc/httpd/pki-conf/httpd.conf + /etc/opt/remi/php73/php-fpm.d/www.conf + /opt/phpki/html/config.php +)) +{ + templates2events( $file, $event ); +} + +#action needed in case we have a systemd unit +event_link("systemd-default", $event, "10"); +event_link("systemd-reload", $event, "50"); + +#action specific to this package +event_link("phpki-fixownership", $event, "02"); +event_link("phpki-fixtakey", $event, "50"); +#event_link("conf-timezone", $event, "30"); +#services we need to restart +safe_symlink("restart", 
"root/etc/e-smith/events/$event/services2adjust/httpd-pki");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith");
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/php73-php-fpm");
+
+use esmith::Build::Backup qw(:all);
+backup_includes("smeserver-phpki-ng", qw(
+/opt/phpki/
+));
diff --git a/root/etc/e-smith/db/accounts/defaults/phpki/type b/root/etc/e-smith/db/accounts/defaults/phpki/type
new file mode 100644
index 0000000..bec3a35
--- /dev/null
+++ b/root/etc/e-smith/db/accounts/defaults/phpki/type
@@ -0,0 +1 @@
+system
diff --git a/root/etc/e-smith/db/configuration/defaults/httpd-pki/TCPPort b/root/etc/e-smith/db/configuration/defaults/httpd-pki/TCPPort
new file mode 100644
index 0000000..8421eae
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/httpd-pki/TCPPort
@@ -0,0 +1 @@
+940
diff --git a/root/etc/e-smith/db/configuration/defaults/httpd-pki/status b/root/etc/e-smith/db/configuration/defaults/httpd-pki/status
new file mode 100644
index 0000000..86981e6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/httpd-pki/status
@@ -0,0 +1 @@
+enabled
diff --git a/root/etc/e-smith/db/configuration/defaults/httpd-pki/type b/root/etc/e-smith/db/configuration/defaults/httpd-pki/type
new file mode 100644
index 0000000..24e1098
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/httpd-pki/type
@@ -0,0 +1 @@
+service
diff --git a/root/etc/e-smith/events/actions/phpki-fixownership b/root/etc/e-smith/events/actions/phpki-fixownership
new file mode 100644
index 0000000..061a5de
--- /dev/null
+++ b/root/etc/e-smith/events/actions/phpki-fixownership
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+chown root:phpki /opt/phpki/html/config.php
+chown root:phpki /opt/phpki/html/openssl.cnf
+chown phpki:phpki -R /opt/phpki/phpki-store*
+chown root:phpki /opt/phpki/html/ca
+
+chmod +x /opt/phpki/html/
+chmod +x /opt/phpki/html/ca
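Review bot: `$event = "smeserver-phpki-ng-update";` is assigned without `my` and the script runs under `-w` with no `use strict;`, so a typo in any later `$event` reference expands silently to an empty name and creates links under `root/etc/e-smith/events//services2adjust/`. Add `use strict;` after the shebang and declare `my $event = "smeserver-phpki-ng-update";`. The update event also hard-codes `/etc/opt/remi/php73/php-fpm.d/www.conf` and the `php73-php-fpm` service while the 20pki and 90phpki templates read `PHPVersion` from the db; a comment stating that the update event only covers the default 73 pool would save the next maintainer a hunt.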
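Review bot: `chmod +x` with no class prefix adds the execute bit for every class the umask permits, so `/opt/phpki/html/` and `/opt/phpki/html/ca` become traversable by all local users, which may be wider than the `root:phpki` ownership set two lines above intends; if only the phpki group needs access, `chmod ug+x` (or an explicit mode) states that — the intended audience is not clear from this script. The script has no `set -e` and checks no exit status, so a failing `chown` (for instance the `/opt/phpki/phpki-store*` glob matching nothing and being passed literally) is never reported to the event; `set -e` after the shebang is the minimal fix.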
diff --git a/root/etc/e-smith/events/actions/phpki-fixtakey b/root/etc/e-smith/events/actions/phpki-fixtakey new file mode 100644 index 0000000..358b0fb --- /dev/null +++ b/root/etc/e-smith/events/actions/phpki-fixtakey @@ -0,0 +1,8 @@ +#!/bin/bash + +if [[ -f /opt/phpki/phpki-store/CA/private/cakey.pem && ! -f /opt/phpki/phpki-store/CA/private/takey.pem ]] +then + echo "creating missing takey.pem" + runuser -u phpki -- openvpn --genkey --secret /opt/phpki/phpki-store/CA/private/takey.pem +fi + diff --git a/root/etc/e-smith/locale/fr/etc/e-smith/web/functions/phpki b/root/etc/e-smith/locale/fr/etc/e-smith/web/functions/phpki new file mode 100644 index 0000000..b291434 --- /dev/null +++ b/root/etc/e-smith/locale/fr/etc/e-smith/web/functions/phpki @@ -0,0 +1,8 @@ + + + + Certificate Management + Gestion des certificats + + diff --git a/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php b/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php new file mode 100644 index 0000000..008ae2d --- /dev/null +++ b/root/etc/e-smith/templates.metadata/opt/phpki/html/config.php @@ -0,0 +1,3 @@ +FILTER=sub { $_[0] =~ /^\s*$/ ? '' : $_[0] } +GID='phpki' +PERMS=0660 diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass new file mode 100644 index 0000000..7aaad6b --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28phpkiProxyPass 
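Review bot: Nothing checks that the `runuser -u phpki -- openvpn --genkey --secret ...` call succeeded, so a failed key generation leaves the CA without takey.pem while the action exits 0; append `|| exit 1` to that line, or add `set -e` after the shebang. OpenVPN 2.5 renamed the `--genkey --secret FILE` form to `--genkey secret FILE` (the old spelling is still accepted with a deprecation warning, as far as I know), which is worth a comment if the contrib is expected to run against newer builds. The resulting file's permissions are whatever openvpn chooses under the phpki user's umask — confirm they are restrictive, since this is the TLS-auth key.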
@@ -0,0 +1,69 @@ +{ + # vim: ft=perl: + + + $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no'; + + $OUT = ''; + if ((${'httpd-pki'}{'status'} || 'disabled') eq 'enabled'){ + + if (($port eq "80") && ($haveSSL eq 'yes')){ + $OUT .= " RewriteRule ^/phpki(/.*|\$) https://%{HTTP_HOST}/phpki\$1 [L,R]\n"; + } + else{ + $OUT .= " ProxyPass /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n"; + $OUT .= " ProxyPassReverse /phpki http://127.0.0.1:${'httpd-pki'}{TCPPort}/phpki\n"; + } + + $OUT .=<<"HERE"; + + #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so + #LoadModule proxy_connect_module modules/mod_proxy_connect.so + #LoadModule proxy_express_module modules/mod_proxy_express.so + #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so + #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so + #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so + #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so + + + SSLRequireSSL on + Require ip $localAccess $externalSSLAccess + + # we want Public access to ns_revoke_query.php + + Require all granted + + # we want Public access to policy + + Require all granted + + # we want Public access to help + + Require all granted + + + Require all granted + + # we want Public access to crl list + + Require all granted + + + Require all granted + + # and we redirect old config to our new safer script + RewriteEngine On + RewriteCond %{QUERY_STRING} stage=dl_crl(&|\$) + RewriteRule ^ /phpki/dl_crl.php [QSD,R=302,L] + RewriteCond %{QUERY_STRING} stage=dl_crl_pem(&|\$) + RewriteRule ^ /phpki/dl_crl_pem.php [QSD,R=302,L] + +HERE + # safely redirect crl request to php script striping all GET requests + # but would leave POST + #RewriteEngine On + #RewriteCond %{REQUEST_URI} ^/?phpki/dl_crl/?\$ + #RewriteRule ^ /phpki/index.php?stage=dl_crl [P,NC] + + } +} 
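Review bot: This fragment depends on `$port`, `$localAccess` and `$externalSSLAccess` being set by sibling fragments of the VirtualHosts template, and none of that is stated; a header comment such as `# expects $port (vhost loop), $localAccess and $externalSSLAccess from earlier fragments` would make the contract visible. Note that when `$haveSSL` is `no` the else branch proxies phpki over plain HTTP on port 80, which is presumably a deliberate degradation for hosts without mod_ssl — a comment saying so would stop someone "fixing" it. The `<Location>` containers that should bound each `Require all granted` block are not visible in this rendering, so I cannot confirm the public sections are limited to ns_revoke_query.php, policy, help, the CRL paths and the dl_crl scripts; please check each one closes before the `# and we redirect old config` comment.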
diff --git a/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/00functions b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/00functions new file mode 100644 index 0000000..6fdeb0f --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/00functions @@ -0,0 +1,28 @@ +{ + +use esmith::AccountsDB; + +sub getUsersList ($){ + my ($panelName) = @_; + my $a = esmith::AccountsDB->open_ro || die "Error opening accounts db"; + my @users = $a->users(); + my @groups = $a->groups(); + my @Users = (); + foreach my $user (@users){ + my $panels = $user->prop('AdminPanels') || ''; + push(@Users,$user->key) if ($panels =~ /^(.*,)?$panelName(,.*)?$/); + } + foreach my $group (@groups){ + $panels = $group->prop('AdminPanels') || ''; + if ($panels =~ /^(.*,)?$panelName(,.*)?$/){ + my @members = split(/,/,($group->prop('Members') || '')); + push(@Users,@members); + } + } + + my %seen = (); + my $u = join (' ', grep { ! $seen{ $_ }++ } @Users); + return $u; +} +} + diff --git a/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/01localAccessString b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/01localAccessString new file mode 100644 index 0000000..f6508c0 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/01localAccessString @@ -0,0 +1,23 @@ +{ + #--------------------------------------------------------------------- + # Grab ValidFrom access list property of httpd-admin + # SSL enabled virtual hosts should only allow access from IP's in + # this list, as well as local networks. + #--------------------------------------------------------------------- + use esmith::NetworksDB; + + my $ndb = esmith::NetworksDB->open_ro(); + + my @localAccess = $ndb->local_access_spec(); + my $validFrom = ${'httpd-admin'}{'ValidFrom'}; + if ($validFrom) + { + push @localAccess, split /,/, $validFrom; + } + $localAccess .= join ' ', + map { s:/255.255.255.255::; $_ } + @localAccess; + + ""; +} + 
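Review bot: In the group loop `$panels = $group->prop('AdminPanels') || '';` has no `my` (the `my $panels` from the user loop is out of scope), so it writes a package global; declare it: `my $panels = $group->prop('AdminPanels') || '';`. `$panelName` is interpolated into both regexes unescaped; write `\Q$panelName\E` so a panel name containing regex metacharacters cannot change what matches. The `($)` prototype on `getUsersList` alters parsing rather than validating the argument and is best dropped (`sub getUsersList {`), and the repeated pattern could be built once as `my $re = qr/^(?:.*,)?\Q$panelName\E(?:,.*)?$/;` and used in both loops.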
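Review bot: `map { s:/255.255.255.255::; $_ }` rewrites the elements of `@localAccess` in place (map aliases `$_`), and the unescaped dots match any character, so an entry such as `/255x255y255z255` would also be stripped; `map { s{/255\.255\.255\.255}{}r } @localAccess` does neither, provided the target Perl has `/r` (5.14+). `$localAccess .=` appends to a variable that no fragment visible here initialises; a `$localAccess //= '';` beforehand, or a comment naming the fragment that first assigns it, would make the dependency explicit. The `01localAccessString` block starts and ends within this hunk.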
diff --git a/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/19AuthTKT b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/19AuthTKT
new file mode 100644
index 0000000..543ad8f
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/19AuthTKT
@@ -0,0 +1,8 @@
+{
+ $OUT .= "LoadModule auth_tkt_module modules/mod_auth_tkt.so\n";
+
+ my $secret = ${'httpd-admin'}{TKTAuthSecret} || "34322500-7330-4400-423A-3A00434F5245";
+ $OUT .= "TKTAuthSecret \"$secret\"\n";
+ $OUT .= "TKTAuthDigestType SHA256\n";
+}
+
diff --git a/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/20Modules b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/20Modules
new file mode 100644
index 0000000..8a645ba
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/20Modules
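Review bot: The fallback `"34322500-7330-4400-423A-3A00434F5245"` is a fixed, published value: on any install where `httpd-admin` has no `TKTAuthSecret` property, mod_auth_tkt tickets for this vhost are signed with a secret that anyone reading this template knows. I believe e-smith-manager sets the property at install time, so the fallback should rarely fire, but silently falling back to a known secret is the wrong failure mode; `my $secret = ${'httpd-admin'}{TKTAuthSecret} or die "httpd-admin TKTAuthSecret is not set\n";` makes expansion fail loudly instead. A comment that this value must equal httpd-admin's is also warranted, since 90phpki sends logins to `/server-common/cgi-bin/login`, whose tickets are minted with that secret.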
@@ -0,0 +1,162 @@ +{ + my $port = ${'httpd-pki'}{TCPPort} || '940'; + $OUT .= "Listen 127.0.0.1:$port\n"; + + $OUT .= <s %b" common +LogFormat "%{User-agent}i" agent + +CustomLog /var/log/httpd/pki_access_log common + +KeepAlive On +MaxKeepAliveRequests 100 +KeepAliveTimeout 15 + +MaxClients 150 +MaxRequestsPerChild 100 + +ServerName www.$DomainName + +MinSpareServers 1 +MaxSpareServers 5 +StartServers 1 +Timeout 300 + +DefaultIcon /icons/unknown.gif +DirectoryIndex index.htm index.html index.php index.cgi +IndexOptions FancyIndexing VersionSort NameWidth=* +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t +AccessFileName .htaccess + +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* +TypesConfig /etc/mime.types + +AddEncoding x-compress Z +AddEncoding x-gzip gz + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. 
+AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +AddLanguage en .en +AddLanguage fr .fr +AddLanguage de .de +AddLanguage da .da +AddLanguage el .el +AddLanguage it .it + +LanguagePriority en fr de + +AddType text/html .shtml +AddType application/x-pkcs7-crl .crl + +AddType application/x-x509-ca-cert .crt + +BrowserMatch "Mozilla/2" nokeepalive +BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 +BrowserMatch "RealPlayer 4\.0" force-response-1.0 +BrowserMatch "Java/1\.0" force-response-1.0 +BrowserMatch "JDK/1\.0" force-response-1.0 + +AddHandler cgi-script .cgi +AddHandler server-parsed .shtml +AddHandler imap-file map + +DocumentRoot /opt/phpki/html + +HERE +} + diff --git a/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/85DefaultAccess b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/85DefaultAccess new file mode 100644 index 0000000..0c29bb7 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/85DefaultAccess @@ -0,0 +1,11 @@ + +# First, we configure the "default" to be a very restrictive set of +# permissions. + + + Options None + AllowOverride None + Require all denied + + + diff --git a/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki new file mode 100644 index 0000000..cc911aa --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/pki-conf/httpd.conf/90phpki 
@@ -0,0 +1,52 @@ + +Alias /phpki /opt/phpki/html/ + +# Main access allowed for valid user + + AddType application/x-httpd-php .php + Options FollowSymLinks +{ + my $key = "phpki"; + my $pool_name = lc $key; + my $version = ${httpd-pki}{'PHPVersion'} || '73'; + $OUT .=" + + SetHandler \"proxy:unix:/var/run/php-fpm/php${version}-${pool_name}.sock|fcgi://localhost\" +\n"; +} + SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1 + AddType application/x-x509-ca-cert .crt .pem + AddType application/pkix-crl .crl + AddType application/pkix-cert .cer .der + AllowOverride None + Require ip 127.0.0.1 + + +# /ca is only allowed for admin and explicitely authorized users + + AuthName "PHPKI Admin" + AuthType Basic + TKTAuthLoginURL /server-common/cgi-bin/login + + Require user admin {getUsersList("phpki");} + Require ip 127.0.0.1 + + SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + SetEnvIfNoCase Cookie ".*auth_tkt=(.*);?" HTTP_AUTH_TKT=$1 +{ + my $ManagerTimeout = ${'httpd-admin'}{ManagerTimeout} || "30m"; + $OUT = " TKTAuthTimeout $ManagerTimeout\n"; + my $Cookie = ${'httpd-admin'}{Cookie} || "disabled"; + $OUT .= " TKTAuthCookieExpires $ManagerTimeout\n" if "$Cookie" eq "enabled"; + my $ManagerTimeoutReset = ${'httpd-admin'}{ManagerTimeoutReset} || "0.66"; + $OUT .= " TKTAuthTimeoutRefresh $ManagerTimeoutReset\n"; +} + + +# Disable access to /admin, which is used to configure user/password +# via an htaccess file + + Require all denied + + diff --git a/root/etc/e-smith/templates/etc/php-fpm.d/www.conf/20pki b/root/etc/e-smith/templates/etc/php-fpm.d/www.conf/20pki new file mode 100644 index 0000000..fa4b950 --- /dev/null +++ b/root/etc/e-smith/templates/etc/php-fpm.d/www.conf/20pki 
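Review bot: `${httpd-pki}{'PHPVersion'}` is not the quoted-key form used in 28phpkiProxyPass (`${'httpd-pki'}{...}`): inside `${...}` the bare `httpd-pki` is evaluated as the expression `httpd - pki`, which in non-strict template code comes out as `0`, so as far as I can tell this always reads an undefined `$0{'PHPVersion'}` and the socket is hard-wired to php73 whatever the db says; change it to `my $version = ${'httpd-pki'}{'PHPVersion'} || '73';`. Separately, this rendering has dropped the container tags around `Require user admin {getUsersList("phpki");}` and `Require ip 127.0.0.1`: every request to this vhost arrives through the main httpd's ProxyPass from 127.0.0.1, so unless those two lines sit inside `<RequireAll>`, Apache's default RequireAny lets the ip rule satisfy access by itself and the user check never applies — please confirm the container is there. A comment above the block noting that the `Require ip` denotes the proxy source, not an end-user allow-list, would help the next maintainer.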
@@ -0,0 +1,69 @@ +{ + use esmith::ConfigDB; + my $c = esmith::ConfigDB->open_ro || die "Couldn't open the configuration database\n"; + my $httpdpki = $c->get( 'httpd-pki' ); + + my $version = $httpdpki->prop('PHPVersion') || '73'; + # we enable both the httpd server and php pool with same status + my $status = $httpdpki->prop('status') || 'disabled'; + return unless ($status eq 'enabled' && $version eq $PHP_VERSION); + my $key = 'phpki'; + my $pool_name = lc $key; + my $include_path = ".:/usr/share/pear-addons:/usr/share/pear:/usr/share/pear-data:/usr/share/php:/usr/sbin/:/usr/bin:/opt/phpki/html:/opt/phpki/html/include"; + my $open_basedir = "/opt/phpki:/var/lib/php/phpki:/usr/sbin/openvpn:/usr/bin/which:/usr/bin/cat:/usr/bin/egrep:$include_path"; + my $disabled_functions = 'show_source,dl,passthru' +; + # Format vars + $disabled_functions = join(', ', split /[,;:]/, $disabled_functions); + $open_basedir = join(':', split(/[,;:]/, $open_basedir . ",/usr/share/php")); + + $OUT .=<<"_EOF" if ($version eq $PHP_VERSION); + +[$pool_name] +user = phpki +group = phpki +listen.owner = root +listen.group = phpki +listen.mode = 0660 +listen = /var/run/php-fpm/php$version-$pool_name.sock +catch_workers_output = yes +pm = dynamic +pm.max_children = 15 +pm.start_servers = 3 +pm.min_spare_servers = 3 +pm.max_spare_servers = 4 +pm.max_requests = 1000 +slowlog = /var/log/$key/slow.log +php_admin_value[session.save_path] = /var/lib/php/$key/session +php_admin_value[opcache.file_cache] = /var/lib/php/$key/opcache +php_admin_value[upload_tmp_dir] = /var/lib/php/$key/tmp +php_admin_value[sys_temp_dir] = /var/lib/php/$key/tmp +php_admin_flag[display_errors] = off +php_admin_value[error_reporting] =E_ERROR | E_WARNING | E_PARSE +php_admin_value[error_log] = /var/log/$key/error.log +php_admin_flag[log_errors] = on +; php_admin_value[max_execution_time] = $max_execution_time +php_admin_value[disable_functions] = $disabled_functions +php_admin_flag[allow_url_fopen] = off 
+php_admin_flag[file_upload] = off +php_admin_flag[session.cookie_httponly] = on +php_admin_flag[allow_url_include] = off +php_admin_value[session.save_handler] = files +php_admin_value[open_basedir] = $open_basedir + +php_admin_value[auto_prepend_file] = /usr/share/php/auth_translation.php +php_value[include_path] = $include_path +php_flag[magic_quotes_gpc] = off +php_flag[track_vars] = on +php_flag[session.use_trans_sid] = off +php_flag[register_globals] = off +php_flag[register_long_arrays] = on + +; Needed so shell_exec does it right +env[PATH] = $include_path + +_EOF + + +} + diff --git a/root/etc/e-smith/templates/opt/phpki/html/config.php/01config b/root/etc/e-smith/templates/opt/phpki/html/config.php/01config new file mode 100644 index 0000000..abd156e --- /dev/null +++ b/root/etc/e-smith/templates/opt/phpki/html/config.php/01config 
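Review bot: `env[PATH] = $include_path` hands the PHP-FPM workers a PATH that begins with `.` and continues with PEAR/PHP include directories, so any command phpki runs through the shell is resolved relative to the working directory before `/usr/bin`; keep PATH separate from include_path, e.g. `my $path = '/usr/sbin:/usr/bin:/bin';` and `env[PATH] = $path`. `$OUT .=<<"_EOF" if ($version eq $PHP_VERSION);` repeats the guard already enforced by the `return unless` above and can lose the condition. `php_flag[register_globals]`, `register_long_arrays` and `magic_quotes_gpc` no longer exist in PHP 7 and only produce startup warnings, and the line break before the `;` that ends the `$disabled_functions` literal looks accidental.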
@@ -0,0 +1,38 @@ +{ +# use Data::Validate::IP; + use Net::IP qw(ip_is_ipv4 ip_is_ipv6); + our $KeySize = $modSSL{KeySize} ||'4096'; + our $FQDN = "$SystemName.$DomainName"; + our $Country = $modSSL{Country} || "--"; + our $State = $modSSL{State} || "----"; + our $commonName = $modSSL{CommonName} || $FQDN; + our $crt = "/home/e-smith/ssl.crt/$FQDN.crt"; + our $key = "/home/e-smith/ssl.key/$FQDN.key"; + our $defaultCity = $ldap{defaultCity} || '-'; + our $defaultCompany = $ldap{defaultCompany} || $commonName ; + our $defaultDepartment = $ldap{defaultDepartment} || '-'; + our $email = "admin\@$DomainName"; + our @subjectAlt = `/sbin/e-smith/generate-subjectaltnames`; + chomp @subjectAlt; + our $subjectAltName = ""; + my $i=0; + for my $elem (@subjectAlt) { + $subjectAltName .= ", " if $i>0; + $i++; + if (ip_is_ipv4($elem) || ip_is_ipv6($elem) ){ + $subjectAltName .= "IP:$elem"; + next; + } + $subjectAltName .= "DNS:$elem"; + } + $subjectAltName = ( $subjectAltName eq "DNS: ")? "": $subjectAltName; + + # crop fields that are too long for X509: + $Country = substr($Country, 0, 2); + $defaultCity = substr($defaultCity, 0, 128); + $defaultCompany = substr($defaultCompany, 0, 64); + $defaultDepartment = substr($defaultDepartment, 0, 64); + $email = substr($email, 0, 64); + $commonName = substr($commonName, 0, 64); + $OUT=""; +} diff --git a/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields b/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields new file mode 100644 index 0000000..cb42fbe --- /dev/null +++ b/root/etc/e-smith/templates/opt/phpki/html/config.php/50SetFields 
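Review bot: The guard `$subjectAltName eq "DNS: "` (with a space) never matches what the loop builds: an empty element from generate-subjectaltnames yields `DNS:` on its own or `, DNS:` among others, so a blank line from the helper produces an invalid SAN entry. Skip empty elements before appending — `next unless length $elem;` as the first statement of the loop — and drop the special-case line. The backtick call to `/sbin/e-smith/generate-subjectaltnames` has no error check, so if the helper fails `@subjectAlt` is silently empty; `die "generate-subjectaltnames failed: $?\n" if $?;` after the `chomp` would surface that at expansion time.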
@@ -0,0 +1,30 @@ +{ + my $phone = ${ldap}{defaultPhoneNumber} || "none"; + my $zip = ${ldap}{postalCode} || "H0H 0H0"; + my $street = ${ldap}{defaultStreet} || "Address Line #1"; + @lines = map { + m:\$config\['common_name'\]: && s/.*/\$config['common_name']='$commonName';/; + m:\$config\['unit'\]: && s/.*/\$config['unit']='$defaultDepartment';/; + m:\$config\['keysize'\]: && s/.*/\$config['keysize']='4096';/; + m:\$config\['country'\]: && s/.*/\$config['country']='$Country';/; + m:\$config\['province'\]: && s/.*/\$config['province']='$State';/; + m:\$config\['locality'\]: && s/.*/\$config['locality']='$defaultCity';/; + m:\$config\['organization'\]: && s/.*/\$config['organization']='$defaultCompany';/; + m:\$config\['contact'\]: && s/.*/\$config['contact']='$email';/; + m:\$config\['base_url'\]: && s/.*/\$config['base_url']='https:\/\/$commonName\/phpki\/';/; + s/(^|\n)[\n\s]*/$1/g;; + $_ + } @lines; + push @lines, "\$config['common_name']='$commonName';" unless grep( /\$config\['common_name'\]/ ,@lines); + push @lines, "\$config['unit']='$defaultDepartment';" unless grep( /\$config\['unit'\]/ ,@lines); + push @lines, "\$config['keysize']='4096';" unless grep( /\$config\['keysize'\]/ ,@lines); + push @lines, "\$config['country']='$Country';" unless grep( /\$config\['country'\]/ ,@lines); + push @lines, "\$config['province']='$State';" unless grep( /\$config\['province'\]/ ,@lines); + push @lines, "\$config['locality']='$defaultCity';" unless grep( /\$config\['locality'\]/ ,@lines); + push @lines, "\$config['organization']='$defaultCompany';" unless grep( /\$config\['organization'\]/ ,@lines); + push @lines, "\$config['contact']='$email';" unless grep( /\$config\['contact'\]/ ,@lines); + push @lines, "\$config['base_url']='https://$commonName/phpki/';" unless grep( /\$config\['base_url'\]/ ,@lines); + # we do not update the following as it will mess up the file. + push @lines, "\$config[\'getting_help\']=\'Contact:
\nFirst-Name Last-Name
\n$defaultCompany/$defaultDepartment
\n$street
\n$defaultCity, $State, $zip
\n
\nPhone: $phone
\nE-mail: $email   E-mail is preferred.
\';" unless grep( /\$config\['getting_help'\]/ ,@lines); + ""; +} diff --git a/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile b/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile new file mode 100644 index 0000000..609caac --- /dev/null +++ b/root/etc/e-smith/templates/opt/phpki/html/config.php/99writefile @@ -0,0 +1,12 @@ +{ + $OUT .= ""; + foreach my $line (@lines) + { + chomp $line; + next if grep { /^$/ } $line ; + push @lines, $_; + + $OUT .= "$line\n"; + } + $OUT .= "?>"; +} diff --git a/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin b/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin new file mode 100644 index 0000000..4e3ac37 --- /dev/null +++ b/root/etc/e-smith/templates/opt/phpki/html/config.php/template-begin @@ -0,0 +1,17 @@ +{ + # vim: ft=perl: + %lines = (); + @lines = (); + open (RD, ") + { + chomp; + next if grep { /^$/ } $_ ; + next if grep { /^\?/ } $_; + push @lines, $_; + $lines{$_} = 1; + } + close(RD); + ""; +} diff --git a/root/etc/e-smith/web/functions/phpki b/root/etc/e-smith/web/functions/phpki new file mode 100644 index 0000000..dd9e408 --- /dev/null +++ b/root/etc/e-smith/web/functions/phpki @@ -0,0 +1,32 @@ +#!/usr/bin/perl +#---------------------------------------------------------------------- +# heading : Security +# description : Certificate Management +# navigation : 4000 4200 +#---------------------------------------------------------------------- + +use strict; +use CGI':all'; +use CGI::Carp qw(fatalsToBrowser); + + +BEGIN +{ + $ENV {'PATH'} = '/bin:/usr/bin:/sbin'; + $ENV {'SHELL'} = '/bin/bash'; + delete $ENV {'ENV'}; +} + + +my $q = new CGI; +my $content="0; url=https://".$ENV {'HTTP_X_FORWARDED_HOST'}."/phpki/ca/"; +$q->default_dtd('-//W3C//DTD XHTML 1.0 Transitional//EN'); + +print $q->header ('text/html'); +print $q->start_html (-head=>meta({-http_equiv=>'refresh', -content=>$content})); + + + +print $q->end_html; + + 
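Review bot: Every value substituted here (`$commonName`, `$defaultDepartment`, `$State`, `$defaultCity`, `$defaultCompany`, `$email`, and `$street`/`$zip` in getting_help) is written into a PHP single-quoted string unescaped, so an apostrophe in an organisation or street name breaks config.php at parse time; escape once before the `map`: `s/([\\'])/\\$1/g for ($commonName, $defaultDepartment, $State, $defaultCity, $defaultCompany, $email, $street, $zip);`. `$config['keysize']='4096'` is a literal in both the `map` and the `push`, although 01config reads `$KeySize` from modSSL for exactly this purpose; use `$KeySize` or drop the variable. The `s/(^|\n)[\n\s]*/$1/g;;` line has a doubled semicolon, and the eight `push ... unless grep(...)` lines are one table of key/value pairs begging for a loop. This fragment's `{` opens on the previous lines of the hunk.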
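Review bot: `push @lines, $_;` inside `foreach my $line (@lines)` appends to the array being iterated, and `$_` is not the current line here (the loop variable is `$line`), so each non-empty line pushes an unrelated value onto `@lines`, the loop then visits it too, and if `$_` happens to hold a non-empty string the loop never terminates; it reads as a leftover from template-begin and should simply be deleted. `next if grep { /^$/ } $line;` is a roundabout `next if $line eq '';`. Whatever `$OUT .= "";` was meant to emit (presumably the `<?php` opener, which this rendering would have stripped) needs confirming, since the closing `?>` is appended unconditionally.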
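Review bot: The open call is mangled in this rendering (`open (RD, ")`), but it uses a bareword handle `RD` and, from `close(RD)` and the lack of an `or die`, very likely the two-argument form with no error check, so an unreadable config.php silently starts expansion from an empty `@lines`; prefer `open my $rd, '<', $path or die "open $path: $!";` with `$path` being whatever the original passes, and read from `<$rd>`. `@lines` and `%lines` are deliberately package-level so 50SetFields and 99writefile can see them — a one-line comment saying so would stop a maintainer from adding `my`. `next if grep { /^$/ } $_;` is `next if $_ eq '';`.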
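Review bot: The refresh target is built from `$ENV{'HTTP_X_FORWARDED_HOST'}` verbatim, i.e. from the Host header the client sent to the front httpd, so the panel redirects the browser to whatever host name was supplied; CGI.pm escapes the attribute, so this is a redirect concern rather than markup injection. Since the user is already on the intended origin, a relative target removes the dependency on the header: `my $content = "0; url=/phpki/ca/";` (assuming phpki is always published on the same host as the manager, which the ProxyPass template suggests). `my $q = new CGI;` is indirect-object syntax; write `my $q = CGI->new;`. The file has `use strict;` but no `use warnings;`.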
diff --git a/root/etc/httpd/pki-conf/httpd.conf b/root/etc/httpd/pki-conf/httpd.conf
new file mode 100644
index 0000000..fb96505
--- /dev/null
+++ b/root/etc/httpd/pki-conf/httpd.conf
@@ -0,0 +1,163 @@ +#------------------------------------------------------------ +# !!DO NOT MODIFY THIS FILE!! +# +# Manual changes will be lost when this file is regenerated. +# +# Please read the developer's guide, which is available +# at http://www.contribs.org/development/ +# +# Copyright (C) 1999-2006 Mitel Networks Corporation +#------------------------------------------------------------ + + +LoadModule auth_tkt_module modules/mod_auth_tkt.so +TKTAuthSecret "1234" + + +Listen 127.0.0.1:940 + +HostnameLookups off + +ServerAdmin admin +ServerRoot /etc/httpd +ServerTokens ProductOnly + +User phpki +Group phpki + +ErrorLog /var/log/httpd/pki_error_log +LogLevel warn +LoadModule env_module modules/mod_env.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule mime_module modules/mod_mime.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule status_module modules/mod_status.so +LoadModule info_module modules/mod_info.so +LoadModule include_module modules/mod_include.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule dir_module modules/mod_dir.so +LoadModule asis_module modules/mod_asis.so +#LoadModule imap_module modules/mod_imap.so +LoadModule actions_module modules/mod_actions.so +LoadModule userdir_module modules/mod_userdir.so +LoadModule proxy_module modules/mod_proxy.so +LoadModule proxy_http_module modules/mod_proxy_http.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so +#LoadModule access_module modules/mod_access.so +#LoadModule auth_module modules/mod_auth.so +#LoadModule auth_anon_module modules/mod_auth_anon.so +LoadModule auth_digest_module modules/mod_auth_digest.so +LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +LoadModule usertrack_module modules/mod_usertrack.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule ssl_module modules/mod_ssl.so +LoadModule cgi_module 
modules/mod_cgi.so + +LoadModule mpm_prefork_module modules/mod_mpm_prefork.so +LoadModule unixd_module modules/mod_unixd.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_core_module modules/mod_authz_core.so + +PidFile /var/run/httpd-bkpc.pid +ScoreBoardFile /var/run/httpd-bkpc.scoreboard +UseCanonicalName off +LogFormat "%h %l %u %t \"%r\" %>s %b" common +LogFormat "%{User-agent}i" agent + +CustomLog /var/log/httpd/pki_access_log common + +KeepAlive On +MaxKeepAliveRequests 100 +KeepAliveTimeout 15 + +MaxClients 150 +MaxRequestsPerChild 100 + +ServerName www.domain.tld + +MinSpareServers 1 +MaxSpareServers 5 +StartServers 1 +Timeout 300 + +DefaultIcon /icons/unknown.gif +DirectoryIndex index.htm index.html index.php index.cgi +IndexOptions FancyIndexing VersionSort NameWidth=* +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t +AccessFileName .htaccess + +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* +DefaultType text/plain +TypesConfig /etc/mime.types + +AddEncoding x-compress Z +AddEncoding x-gzip gz + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. 
+AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +AddLanguage en .en +AddLanguage fr .fr +AddLanguage de .de +AddLanguage da .da +AddLanguage el .el +AddLanguage it .it + +LanguagePriority en fr de + +AddType text/html .shtml +AddType application/x-pkcs7-crl .crl + +AddType application/x-x509-ca-cert .crt + +BrowserMatch "Mozilla/2" nokeepalive +BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0 +BrowserMatch "RealPlayer 4.0" force-response-1.0 +BrowserMatch "Java/1.0" force-response-1.0 +BrowserMatch "JDK/1.0" force-response-1.0 + +AddHandler cgi-script .cgi +AddHandler server-parsed .shtml +AddHandler imap-file map + +DocumentRoot /opt/phpki/ + + +# First, we configure the "default" to be a very restrictive set of +# permissions. + + + Options None + AllowOverride None + order deny,allow + deny from all + allow from none + + + diff --git a/root/usr/lib/systemd/system/httpd-pki.service b/root/usr/lib/systemd/system/httpd-pki.service new file mode 100644 index 0000000..e1e71bb --- /dev/null +++ b/root/usr/lib/systemd/system/httpd-pki.service @@ -0,0 +1,9 @@ +[Unit] +Description=Certificate management +After=network.service +[Service] +Type=forking +ExecStart=/usr/sbin/systemd/httpd-pki +[Install] +WantedBy=sme-server.target + diff --git a/root/usr/sbin/systemd/httpd-pki b/root/usr/sbin/systemd/httpd-pki new file mode 100644 index 0000000..e319d9f --- /dev/null +++ b/root/usr/sbin/systemd/httpd-pki @@ -0,0 +1,12 @@ +#!/bin/sh +#---------------------------------------------------------------------- +# copyright (C) 1999-2004 Mitel Networks Corporation +#---------------------------------------------------------------------- + +config=/etc/httpd/pki-conf/httpd.conf + +[ -e $config ] || exit 1 + +exec 2>&1 +exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND & + 
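Review bot: This static copy ships `TKTAuthSecret "1234"`, `DocumentRoot /opt/phpki/` and Apache 2.2-era access syntax (`order deny,allow`, `deny from all`, `DefaultType`) while the templates in this commit generate `/opt/phpki/html` and a db-derived secret, so it is stale relative to the templates. That matters because `/usr/sbin/systemd/httpd-pki` only tests that the file exists before starting httpd: if the service is started before the first template expansion, httpd runs with a known ticket secret. Either ship no file and let the expansion create it, or regenerate this copy from the templates at build time. `PidFile /var/run/httpd-bkpc.pid` and `ScoreBoardFile /var/run/httpd-bkpc.scoreboard` look copied from a BackupPC contrib; if the 20Modules template emits the same names (its heredoc body is not visible in this rendering), two services would share a pid file.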
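Review bot: The unit says `Type=forking` but the start script runs `exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND &`: httpd is told to stay in the foreground, the script backgrounds it with `&` and exits, and no `PIDFile=` is given, so systemd has to guess the main PID — fragile, and `stop` may not reach httpd. The consistent form is `Type=simple` in httpd-pki.service and `exec chpst -P /usr/sbin/httpd -f $config -D FOREGROUND` (no `&`) in the script. `[ -e $config ] || exit 1` also fails silently; an `echo "$config missing" >&2` before the exit would explain the failure in the journal.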
diff --git a/root/var/lib/php/phpki/opcache/.gitignore b/root/var/lib/php/phpki/opcache/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/var/lib/php/phpki/session/.gitignore b/root/var/lib/php/phpki/session/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/var/lib/php/phpki/tmp/.gitignore b/root/var/lib/php/phpki/tmp/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/var/log/phpki/.gitignore b/root/var/log/phpki/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/root/var/service/.gitignore b/root/var/service/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/smeserver-phpki-ng.spec b/smeserver-phpki-ng.spec
new file mode 100644
index 0000000..ca1a33b
--- /dev/null
+++ b/smeserver-phpki-ng.spec
@@ -0,0 +1,198 @@
+# $Id: smeserver-phpki.spec,v 1.6 2017/05/03 21:08:27 unnilennium Exp $
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Name: smeserver-phpki-ng
+Version: 0.3
+Release: 23%{?dist}
+Summary: php integration into SME server
+
+Group: Applications/System
+License: GPL
+URL: http://phpki.sourceforge.net/
+Source: %{name}-%{version}.tar.xz
+
+#Patch0: smeserver-phpki-0.2-fix_redirect_with_user-manager_and_sso.patch
+#Patch1: smeserver-phpki-0.2.bz10267.updatetktauth.patch
+
+
+BuildRoot: %{_tmppath}/%{name}-%{version}
+BuildArch: noarch
+
+BuildRequires: e-smith-devtools
+
+Requires: mod_auth_tkt
+Requires: openvpn
+Requires: e-smith-base
+Requires: phpki-ng >= 0.84-14
+Requires: php-process
+Requires: e-smith-manager >= 2.6.0-22
+Requires: e-smith-apache >= 2.6.0-19
+Requires: smeserver-php >= 3.0.0-44
+Provides: smeserver-phpki
+#Obsoletes: smeserver-phpki
+
+%description
+PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance.
+With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled
+e-mail clients, SSL servers, and VPN applications.
+This package contains specific configuration for SME server
+
+
+%changelog
+* Sat Sep 07 2024 cvs2git.sh aka Brian Read 0.3-23.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Sat Sep 07 2024 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+
+* Thu May 11 2023 Jean-Philippe Pialasse 0.3-22.sme
+- fix httpd needs QSD in place of ? [SME: 12354]
+
+* Wed Dec 28 2022 Jean-Philippe Pialasse 0.3-21.sme
+- fix chop isntead of chomp for config.php [SME: 12293]
+ fix PATH not right for exec
+
+* Sat Dec 17 2022 Jean-Philippe Pialasse 0.3-19.sme
+- small fixes for config.php and httpd
+
+* Wed Dec 14 2022 Jean-Philippe Pialasse 0.3-18.sme
+- revert log/phpki [SME: 12266]
+- phpki-ng autopopulate base info from ldap [SME: 11440]
+- ensure user are seen by php-pool [SME: 12268]
+- safe remote access for crl [SME: 11439]
+- 17-18: applying patches
+
+* Tue Dec 13 2022 Jean-Philippe Pialasse 0.3-15.sme
+- fix typo preventing httpd-pki to start 2
+
+* Sun Nov 20 2022 Jean-Philippe Pialasse 0.3-14.sme
+- fix typo preventing httpd-pki to start
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse 0.3-13.sme
+- add some more needed bins which cat and egrep [SME: 11438]
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse 0.3-11.sme
+- fix missing takey [SME: 11438]
+
+* Fri Nov 18 2022 Jean-Philippe Pialasse 0.3-10.sme
+- ease migration from smeserver-phpki smeserver-phpki-ng using Provides [SME: 12222]
+- fix ownership on migration (backup/restore) [SME: 12228]
+- remove /var/service/httpd-pki [SME: 12229]
+- remove old logrotate [SME: 11873]
+- remove /var/log/phpki and /var/log/httpd-pki [SME: 12198]
+
+* Tue Oct 04 2022 John Crisp 0.3-9.sme
+- Fix spec file versioning
+
+* Sat Jul 30 2022 Brian Read 0.3-8.sme
+- Re-build and link to latest devtools [SME: 11997]
+
+* Thu Jul 21 2022 Jean-Philippe Pialasse 0.3-7.sme
+- add to core backup [SME: 12021]
+- httpd 2.4 access syntax [SME: 12054]
+
+* Thu Aug 05 2021 John Crisp 0.3-6.sme
+- remove modules from patch file [SME: 11402]
+
+* Sun Mar 07 2021 John Crisp 0.3-5.sme
+- modify dirs in spec file
+
+* Thu Feb 25 2021 Jean-Philipe Pialasse 0.3-4.sme
+- configure php73 pool [SME: 11207]
+ tidy httpd.conf file
+ reuse phpki user and group
+
+* Sat Feb 13 2021 Brian Read 0.3-3.sme
+- Set execution bit on /opt/phpki/html/ca in spec file[SME: 11207]
+
+* Tue Feb 09 2021 Brian Read 0.3-3.sme
+- Add-in-systemd-startup [SME: 11207]
+
+* Thu Nov 26 2020 Brian Read 0.3-2.sme
+- Add in Loadmodules needed to pki-conf/httpd.conf [SME: 11207]
+
+* Fri Apr 03 2020 John Crisp 0.3-1.sme
+- New release for phpki-ng-0.84 based on phpki-0.83
+
+* Wed May 03 2017 Jean-Philipe Pialasse 0.2-3.sme
+- update TKT auth parameter for SME 9.2 update [SME: 10267]
+
+* Mon Nov 18 2013 Daniel B. - 0.2-2.sme
+- Fix a redirect issue with user-manager and LemonLDAP::NG as SSO
+
+* Mon Nov 11 2013 Daniel B. - 0.2-1.sme
+- Rebuild for SME9
+- Do not disable httpd-pki service on uninstall
+
+* Fri May 24 2013 JP Pialasse - 0.1-6.sme
+- added php-process as dependency [SME: 7439]
+
+* Thu Oct 13 2011 Daniel B. - 0.1-5.sme
+- Change session path [SME: 6661]
+
+* Wed Jul 20 2011 Daniel B. - 0.1-5.sme
+- Protect by location (so we can set another location protected by LemonLDAP::NG)
+
+* Mon Feb 23 2009 Daniel B. [0.1-4]
+- Fix logrotate issue (send a sigusr1 signal to httpd-pki)
+
+* Mon Dec 15 2008 Daniel B. [0.1-3]
+- Move server-manager panel to "security" section
+
+* Wed Dec 10 2008 Daniel B. [0.1-2]
+- expand-templates in bootstrap-console-save instead of post-upgrade
+- Disable authentication for the public part (so CRL can be updated automatically)
+- Change the name of the menue in server-manager to certificate Management
+
+* Tue Dec 02 2008 Daniel B. [0.1-1]
+- Restrict access to /phpki/ca for admin, ask for a valid user for /phpki
+- expand-templates on signal events conf-userpanels and domain-modify
+
+* Thu Nov 27 2008 Daniel B. [0.1-0]
+- initial release
+
+
+%prep
+%setup -q -n %{name}-%{version}
+mkdir -p root/var/lib/php/phpki/{tmp,session,opcache}
+rm -rf root/var/lib/php/pki-session
+mkdir -p root/var/log/phpki
+rm -rf root/var/service/httpd-pki
+
+%build
+perl createlinks
+
+%install
+
+%{__mkdir_p} $RPM_BUILD_ROOT/var/lib/php/pki-session
+
+
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+
+chmod +x $RPM_BUILD_ROOT/usr/sbin/systemd/httpd-pki
+
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --dir /var/lib/php/phpki 'attr(0770,root,phpki)' \
+ --dir /var/lib/php/phpki/session 'attr(0770,root,phpki)' \
+ --dir /var/lib/php/phpki/opcache 'attr(0770,root,phpki)' \
+ --dir /var/lib/php/phpki/tmp 'attr(0770,root,phpki)' \
+ --dir /var/log/phpki 'attr(0770,phpki,phpki)' \
+ > %{name}-%{version}-filelist
+
+%post
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%pre
+#/sbin/e-smith/create-system-user phpki 455 'Phpki User' /opt/phpki /bin/false >& /dev/null || :
+
+%preun
+
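Review bot: `%install` still runs `%{__mkdir_p} $RPM_BUILD_ROOT/var/lib/php/pki-session` even though `%prep` deletes `root/var/lib/php/pki-session` and the session directory now lives at `/var/lib/php/phpki/session`; the stray directory is swept into the package by genfilelist without a `--dir` entry, so it presumably gets the tool's default ownership rather than the `attr(0770,root,phpki)` its siblings receive. Dropping that `%{__mkdir_p}` line (or listing the directory with explicit attrs like the others) keeps the packaged tree consistent with the `%prep` cleanup and the changelog's "Change session path" entry. The `%pre` section keeps `create-system-user phpki` only as a comment, so the `phpki` owner named in the `attr()` entries must come from elsewhere, presumably the required `phpki-ng >= 0.84-14`; a one-line comment next to `%pre` such as `# phpki user/group are created by the phpki-ng package` would spare the next reader the search and make the ownership assumption explicit.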