def check(self):
cm = certmonger._certmonger()
all_requests = cm.obj_if.get_requests()
for req in all_requests:
request = certmonger._cm_dbus_object(cm.bus, cm, req,
certmonger.DBUS_CM_REQUEST_IF,
certmonger.DBUS_CM_IF, True)
id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname')
notafter = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
'not-valid-after')
nafter = datetime.fromtimestamp(notafter, timezone.utc)
now = datetime.now(timezone.utc)
if now > nafter:
yield Result(self,
constants.ERROR,
key=id,
expiration_date=generalized_time(nafter),
msg='Request id %s expired on %s' %
(id, generalized_time(nafter)))
else:
delta = nafter - now
diff = int(delta.total_seconds() / DAY)
if diff < self.config.cert_expiration_days:
yield Result(self,
constants.WARNING,
key=id,
expiration_date=generalized_time(nafter),
days=diff,
msg='Request id %s expires in %s days' %
(id, diff))
else:
yield Result(self, constants.SUCCESS, key=id)
def match_ldap_nss_cert(plugin, ldap, db, cert_dn, attr, cert_nick):
try:
entry = ldap.get_entry(cert_dn)
except errors.NotFound:
yield Result(plugin,
constants.ERROR,
msg='%s entry not found in LDAP' % cert_dn)
return False
try:
nsscert = db.get_cert_from_db(cert_nick)
except Exception as e:
yield Result(plugin,
constants.ERROR,
error=str(e),
msg=('Unable to load %s certificate:'
'{error}' % cert_nick))
return False
cert_matched = any(cert == nsscert for cert in entry[attr])
if not cert_matched:
yield Result(plugin,
constants.ERROR,
key=cert_nick,
nickname=cert_nick,
dbdir=db.secdir,
msg=('{nickname} certificate in NSS DB {dbdir} '
'does not match entry in LDAP'))
return False
return True
def check(self):
data = self.registry.json
crlmanagers = []
for fqdn in data.keys():
output = find_checks(data[fqdn], 'ipahealthcheck.ipa.roles',
'IPACRLManagerCheck')
enabled = output[0].get('kw').get('crlgen_enabled')
if enabled:
crlmanagers.append(fqdn)
if len(crlmanagers) == 0:
yield Result(self,
constants.ERROR,
name='crlmanager',
error='No CRL Manager defined')
elif len(crlmanagers) == 1:
yield Result(self,
constants.SUCCESS,
name='crlmanager',
value=crlmanagers[0])
else:
yield Result(self,
constants.ERROR,
name='crlmanager',
value=','.join(crlmanagers),
error='Multiple CRL Managers defined')
def match_cacert_and_db(plugin, cacerts, dbpath):
db = certs.CertDB(api.env.realm, dbpath)
nickname = '%s IPA CA' % api.env.realm
try:
dbcacerts = self.get_cert_list_from_db(db, nickname)
except Exception as e:
yield Result(plugin,
constants.ERROR,
error=str(e),
msg='Unable to load CA cert: {error}')
return False
ok = True
for cert in dbcacerts:
if cert not in cacerts:
ok = False
yield Result(plugin,
constants.ERROR,
nickname=nickname,
serial_number=cert.serial_number,
dbdir=dbpath,
certdir=paths.IPA_CA_CRT,
msg=('CA Certificate nickname {nickname} '
'with serial number {serial} '
'is in {dbdir} but is not in'
'%s' % paths.IPA_CA_CRT))
return ok
def check(self):
expected_trust = {
'ocspSigningCert cert-pki-ca': 'u,u,u',
'subsystemCert cert-pki-ca': 'u,u,u',
'auditSigningCert cert-pki-ca': 'u,u,Pu',
'Server-Cert cert-pki-ca': 'u,u,u',
}
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
kra_trust = {
'transportCert cert-pki-kra': 'u,u,u',
'storageCert cert-pki-kra': 'u,u,u',
'auditSigningCert cert-pki-kra': 'u,u,Pu',
}
expected_trust.update(kra_trust)
if not self.ca.is_configured():
logger.debug('CA is not configured, skipping NSS trust check')
return
db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
for nickname, _trust_flags in db.list_certs():
flags = certdb.unparse_trust_flags(_trust_flags)
if nickname.startswith('caSigningCert cert-pki-ca'):
expected = 'CTu,Cu,Cu'
else:
try:
expected = expected_trust[nickname]
except KeyError:
logger.debug("%s not found in %s, assuming 3rd party" %
(nickname, paths.PKI_TOMCAT_ALIAS_DIR))
continue
try:
expected_trust.pop(nickname)
except KeyError:
pass
if flags != expected:
yield Result(
self,
constants.ERROR,
key=nickname,
expected=expected,
got=flags,
nickname=nickname,
dbdir=paths.PKI_TOMCAT_ALIAS_DIR,
msg='Incorrect NSS trust for {nickname} in {dbdir}. '
'Got {got} expected {expected}.')
continue
else:
yield Result(self, constants.SUCCESS, key=nickname)
for nickname in expected_trust:
yield Result(
self,
constants.ERROR,
key=nickname,
nickname=nickname,
dbdir=paths.PKI_TOMCAT_ALIAS_DIR,
msg='Certificate {nickname} missing from {dbdir} while '
'verifying trust')
def check(self):
try:
conn = ipaldap.LDAPClient.from_realm(api.env.realm)
except AttributeError:
conn = ipaldap.LDAPClient(api.env.ldap_uri)
conn.external_bind()
filterstr = "(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))"
attrlist = ['nsds5ReplConflict', 'objectclass']
try:
entries = conn.get_entries(api.env.basedn, ldap.SCOPE_SUBTREE,
filterstr, attrlist)
except errors.EmptyResult:
entries = []
if entries:
for entry in entries:
glue = 'glue' in entry['objectclass']
yield Result(self,
constants.ERROR,
key=str(entry.dn),
glue=glue,
conflict=entry['nsds5replconflict'][0],
msg='Replication conflict')
else:
yield Result(self, constants.SUCCESS)
def check(self):
if not self.registry.trust_controller:
logger.debug('Not a trust controller, skipping')
return
service_dn = DN(('cn', 'ADTRUST'), ('cn', api.env.host),
api.env.container_masters, api.env.basedn)
try:
entry = self.conn.get_entry(service_dn,
attrs_list=['ipaconfigstring'])
except Exception as e:
yield Result(self,
constants.ERROR,
key=str(service_dn),
error=str(e),
msg='Error retrieving ldap entry {key}: '
'{error}')
else:
configs = entry.get('ipaconfigstring', [])
enabled = False
for config in configs:
if config == ENABLED_SERVICE:
enabled = True
break
if enabled:
yield Result(self, constants.SUCCESS, key='ADTRUST')
else:
yield Result(self,
constants.ERROR,
key='ADTRUST',
msg='{key} service is not enabled')
def check(self):
if not self.registry.trust_controller:
logger.debug('Not a trust controller, skipping')
return
agent_dn = DN(
('krbprincipalname', 'cifs/%s@%s' % (api.env.host, api.env.realm)),
api.env.container_service, api.env.basedn)
group_dn = DN(('cn', 'adtrust agents'), api.env.container_sysaccounts,
api.env.basedn)
try:
entry = self.conn.get_entry(agent_dn, attrs_list=['memberOf'])
except Exception as e:
yield Result(self,
constants.ERROR,
key=str(agent_dn),
error=str(e),
msg='Error retrieving ldap entry {key}: '
'{error}')
else:
memberof = entry.get('memberof', [])
for member in memberof:
if DN(member) == group_dn:
yield Result(self,
constants.SUCCESS,
key='cifs/%s@%s' %
(api.env.host, api.env.realm))
return
yield Result(self,
constants.ERROR,
key='cifs/%s@%s' % (api.env.host, api.env.realm),
group='adtrust agents',
msg='{key} is not a member of {group}')
def check(self):
if not self.registry.trust_controller:
logger.debug('Not a trust controller, skipping')
return
admins_dn = DN(('cn', 'admins'), api.env.container_group,
api.env.basedn)
try:
entry = self.conn.get_entry(admins_dn,
attrs_list=['ipantsecurityidentifier'])
except Exception as e:
yield Result(self,
constants.ERROR,
key=str(admins_dn),
error=str(e),
msg='Error retrieving ldap entry {key}: '
'{error}')
return
identifier = entry.get('ipantsecurityidentifier', [None])[0]
if not identifier or not identifier.endswith('512'):
yield Result(self,
constants.ERROR,
key='ipantsecurityidentifier',
rid=identifier,
msg='{key} is not a Domain Admins RID')
else:
yield Result(self,
constants.SUCCESS,
rid=identifier,
key='ipantsecurityidentifier')
def check(self):
certlist = [paths.HTTPD_CERT_FILE]
if self.ca.is_configured():
certlist.append(paths.RA_AGENT_PEM)
for cert in certlist:
try:
response = self.validate_openssl(cert)
except Exception as e:
yield Result(
self,
constants.ERROR,
key=cert,
error=str(e),
msg='Certificate validation for {key} failed: {error}')
continue
else:
if ': OK' not in response.raw_output.decode('utf-8'):
yield Result(
self,
constants.ERROR,
key=cert,
reason=response.raw_error_output.decode('utf-8'),
msg='Certificate validation for {key} failed: '
'{reason}')
else:
yield Result(self, constants.SUCCESS, key=cert)
def check(self):
if not self.instance.exists():
logger.debug('Invalid instance: %s', self.instance.name)
yield Result(self,
constants.CRITICAL,
msg='Invalid PKI instance: %s' % self.instance.name)
return
self.instance.load()
# Make a list of known good trust flags for ALL system certs
expected_trust = {
'sslserver': 'u,u,u',
'subsystem': 'u,u,u',
'audit_signing': 'u,u,Pu'
}
tps = self.instance.get_subsystem('tps')
if not tps:
logger.info(
"No TPS configured, skipping TPS System Cert Trust Flag check")
return
certs = tps.find_system_certs()
# Iterate on TPS's all system certificate to check with list of expected trust flags
for cert in certs:
cert_id = cert['id']
# Load cert trust from NSSDB
with nssdb_connection(self.instance) as nssdb:
try:
cert_trust = nssdb.get_trust(nickname=cert['nickname'],
token=cert['token'])
except Exception as e: # pylint: disable=broad-except
logger.debug('Unable to load cert from NSSDB: %s', str(e))
yield Result(self,
constants.ERROR,
key=cert_id,
nssdbDir=self.instance.nssdb_dir,
msg='Unable to load cert from NSSDB: %s' %
str(e))
continue
if cert_trust != expected_trust[cert_id]:
yield Result(
self,
constants.ERROR,
cert_id=cert_id,
nickname=cert['nickname'],
token=cert['token'],
cert_trust=cert_trust,
msg='Incorrect NSS trust for %s. Got %s expected %s' %
(cert['nickname'], cert_trust, expected_trust[cert_id]))
else:
yield Result(self,
constants.SUCCESS,
cert_id=cert_id,
nickname=cert['nickname'])
def check(self):
key = 'workers'
cpus = os.sysconf('SC_NPROCESSORS_ONLN')
logging.debug('Detected %s CPUs', cpus)
lines = get_contents(SYSCONFIG)
args_read = False
for line in lines:
sline = line.strip()
workers = 0
if sline.startswith('KRB5KDC_ARGS'):
args_read = True
sline = sline.split('=', maxsplit=1)[1]
if sline.find("-w") == -1:
if cpus == 1:
# -w is not configured when cpus == 1
yield Result(self, constants.SUCCESS, key=key)
return
else:
yield Result(self,
constants.WARNING,
key=key,
sysconfig=SYSCONFIG,
msg='No KDC workers defined in '
'{sysconfig}')
return
# Making an assumption that this line is not misconfigured
# otherwise the KDC wouldn't start at all.
sline = sline.replace("'", "")
sline = sline.replace('"', "")
sline = sline.split()
for i in range(len(sline)):
if sline[i] == '-w':
workers = int(sline[i + 1])
break
if cpus == workers:
yield Result(self, constants.SUCCESS, key=key)
else:
yield Result(self,
constants.WARNING,
key=key,
cpus=cpus,
workers=workers,
sysconfig=SYSCONFIG,
msg='The number of CPUs {cpus} does not '
'match the number of workers '
'{workers} in {sysconfig}')
break
if not args_read:
yield Result(self,
constants.WARNING,
key=key,
sysconfig=SYSCONFIG,
msg='KRB5KDC_ARGS is not set in '
'{sysconfig}')
def check(self):
if not self.registry.trust_controller:
logger.debug('Not a trust controller, skipping')
return
ldapi_socket = "ipasam:ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % \
realm_to_serverid(api.env.realm)
try:
result = ipautil.run(['net', 'conf', 'list'], capture_output=True)
except Exception as e:
yield Result(self,
constants.ERROR,
key='net conf list',
error=str(e),
msg='Execution of {key} failed: {error}')
return
conf = result.output.replace('\t', '')
config = configparser.ConfigParser(delimiters=('='),
interpolation=None)
try:
config.read_string(conf)
except Exception as e:
yield Result(self,
constants.ERROR,
key='net conf list',
error=str(e),
msg='Unable to parse {key} output: {error}')
return
try:
net_ldapi = config.get('global', 'passdb backend')
except Exception as e:
yield Result(self,
constants.ERROR,
key='net conf list',
error=str(e),
section='global',
option='passdb backend',
msg='Unable to read \'{option}\' in section '
'{section} in {key} output: {error}')
return
if net_ldapi != ldapi_socket:
yield Result(self,
constants.ERROR,
key='net conf list',
got=net_ldapi,
expected=ldapi_socket,
option='passdb backend',
msg='{key} option {option} value {got} '
'doesn\'t match expected value {expected}')
else:
yield Result(self, constants.SUCCESS, key='net conf list')
def compare_nssdb_with_cs(class_instance, subsystem, cert_tag):
"""
Check whether the System Certs in NSSDB match with certs in CS.cfg
:param class_instance: Reporting Class Instance
:type class_instance: object
:param subsystem: Subsystem
:type subsystem: pki.server.subsystem.PKISubsystem
:param cert_tag: Certificate tag name
:type cert_tag: str
:return: Result object with prefilled args
:rtype: Result
"""
# Generate cert_id for logging purpose
cert_id = '{}_{}'.format(subsystem.name, cert_tag)
# Load cert from CS
cert = subsystem.get_cert_info(cert_tag)
cert_cs = cert['data']
# Load cert from NSSDB
with nssdb_connection(subsystem.instance) as nssdb:
try:
# Retrieve the nickname and token from CS.cfg and then load
# the corresponding cert from NSSDB
cert_nssdb = nssdb.get_cert(nickname=cert['nickname'],
token=cert['token'],
output_format='base64')
except Exception as e: # pylint: disable=broad-except
logger.debug('Unable to load cert from NSSDB: %s', str(e))
return Result(class_instance,
constants.ERROR,
key=cert_id,
nssdbDir=subsystem.instance.nssdb_dir,
msg='Unable to load cert from NSSDB: %s' % str(e))
# Compare whether the certs match
if cert_nssdb != cert_cs:
directive = '%s.%s.cert' % (subsystem.name, cert_tag)
return Result(class_instance,
constants.ERROR,
key=cert_id,
nickname=cert['nickname'],
directive=directive,
configfile=subsystem.cs_conf,
msg='Certificate \'%s\' does not match the value '
'of %s in %s' %
(cert['nickname'], directive, subsystem.cs_conf))
else:
return Result(class_instance,
constants.SUCCESS,
key=cert_id,
configfile=subsystem.cs_conf)
def run_plugin(plugin, available=()):
# manually calculate duration when we create results of our own
start = datetime.utcnow()
try:
for result in plugin.check():
if result is None:
# Treat no result as success, fudge start time
result = Result(plugin, constants.SUCCESS, start=start)
yield result
except Exception as e:
logger.debug('Exception raised: %s', e)
yield Result(plugin, constants.CRITICAL, exception=str(e), start=start)
def check(self):
try:
result = api.Command.server_find(pkey_only=True)
except Exception as e:
yield Result(self,
constants.ERROR,
msg='server-show failed, %s' % e)
else:
masters = []
for server in result['result']:
masters.append(server['cn'][0])
yield Result(self, constants.SUCCESS, masters=masters)
def check(self):
requests = get_expected_requests(self.ca, self.ds, self.serverid)
cm = certmonger._certmonger()
ids = []
all_requests = cm.obj_if.get_requests()
for req in all_requests:
request = certmonger._cm_dbus_object(cm.bus, cm, req,
certmonger.DBUS_CM_REQUEST_IF,
certmonger.DBUS_CM_IF, True)
id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname')
ids.append(str(id))
for request in requests:
request_id = certmonger.get_request_id(request)
try:
if request_id is not None:
# Tracking found, move onto the next
ids.remove(request_id)
yield Result(self, constants.SUCCESS, key=request_id)
continue
except ValueError as e:
# A request was found but the id isn't in the
# list from certmonger!?
yield Result(self,
constants.ERROR,
key=request_id,
error=str(e),
msg='Found request id {key} but it is not tracked'
'by certmonger!?: {error}')
continue
# The criteria was not met
if request_id is None:
flatten = ', '.join("{!s}={!s}".format(key, val)
for (key, val) in request.items())
yield Result(self,
constants.ERROR,
key=flatten,
msg='Expected certmonger tracking is missing for '
'{key}. Automated renewal will not happen '
'for this certificate')
continue
# Report any unknown certmonger requests as warnings
if ids:
for id in ids:
yield Result(self,
constants.WARNING,
key=id,
msg='certmonger tracking request {key} found and '
'is not expected on an IPA master.')
def check(self):
for store, threshold in self._pathchecks.items():
try:
percent_free = self.get_fs_free_space_percentage(store)
except FileNotFoundError:
yield Result(self,
constants.WARNING,
key=store,
msg='File system {store} is not mounted',
store=store)
continue
if percent_free < self.min_free_percent:
yield Result(self,
constants.ERROR,
key=store,
msg='%s: %s %s%% < %s%%' %
(store, 'free space percentage under threshold:',
percent_free, self.min_free_percent),
store=store,
percent_free=percent_free,
threshold=self.min_free_percent)
else:
yield Result(self,
constants.SUCCESS,
key=store,
msg='%s: %s %s%% >= %s%%' %
(store, 'free space percentage within limits:',
percent_free, self.min_free_percent),
store=store,
percent_free=percent_free,
threshold=self.min_free_percent)
free_space = self.get_fs_free_space(store)
if free_space < threshold:
yield Result(self,
constants.ERROR,
key=store,
msg='%s: %s %s MiB < %s MiB' %
(store, 'free space under threshold:', free_space,
threshold),
store=store,
free_space=free_space,
threshold=threshold)
else:
yield Result(self,
constants.SUCCESS,
key=store,
msg='%s: %s %s MiB >= %s MiB' %
(store, 'free space within limits:', free_space,
threshold),
store=store,
free_space=free_space,
threshold=threshold)
def check(self):
if not self.registry.trust_agent:
logger.debug('Not a trust agent, skipping')
return
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
except Exception as e:
logger.debug('Failed to parse sssd.conf: %s', e)
yield Result(self,
constants.CRITICAL,
error=str(e),
msg='Unable to parse sssd.conf: {error}')
return
else:
domains = sssdconfig.list_active_domains()
errors = False
for name in domains:
domain = sssdconfig.get_domain(name)
try:
provider = domain.get_option('id_provider')
except SSSDConfig.NoOptionError:
continue
if provider == "ipa":
try:
mode = domain.get_option('ipa_server_mode')
except SSSDConfig.NoOptionError:
yield Result(self,
constants.ERROR,
key='ipa_server_mode_missing',
attr='ipa_server_mode',
domain=name,
sssd_config=paths.SSSD_CONF,
msg='{sssd_config} is missing {attr} '
'in the domain {domain}')
errors = True
else:
if not mode:
yield Result(self,
constants.ERROR,
key='ipa_server_mode_false',
attr='ipa_server_mode',
domain=name,
sssd_config=paths.SSSD_CONF,
msg='{attr} is not True in {sssd_config} '
'in the domain {domain}')
errors = True
if not errors:
yield Result(self, constants.SUCCESS)
def check(self):
try:
sssdconfig = SSSDConfig.SSSDConfig()
sssdconfig.import_config()
except Exception as e:
logger.debug('Failed to parse sssd.conf: %s', e)
yield Result(self,
constants.CRITICAL,
error=str(e),
key='domain-check',
msg='Unable to parse sssd.conf: {error}')
return
try:
domain = sssdconfig.get_domain(api.env.domain)
except SSSDConfig.NoDomainError:
yield Result(self,
constants.ERROR,
key='domain-check',
domain=api.env.domain,
msg='IPA domain {domain} not found in sssd.conf')
return
error = False
for option in ('id_provider', 'auth_provider', 'chpass_provider',
'access_provider'):
try:
provider = domain.get_option(option)
except SSSDConfig.NoOptionError:
yield Result(self,
constants.ERROR,
key='domain-check',
domain=api.env.domain,
option=option,
msg='Option {option} in domain {domain} not '
'found in sssd.conf')
error = True
continue
if provider != "ipa":
yield Result(self,
constants.ERROR,
key='domain-check',
option=option,
provider=provider,
domain=api.env.domain,
msg='Option {option} in domain {domain} is '
'{provider} not ipa')
error = True
if not error:
yield Result(self, constants.SUCCESS, key='domain-check')
def check(self):
try:
enabled = self.ca.is_crlgen_enabled()
except AttributeError:
yield Result(self,
constants.SUCCESS,
key='crl_manager',
crlgen_enabled=None,
msg='Not available in this version of IPA')
else:
yield Result(self,
constants.SUCCESS,
key='crl_manager',
crlgen_enabled=enabled)
def check(self):
try:
result = api.Command.config_show()
except Exception as e:
yield Result(self,
constants.ERROR,
key='renewal_master',
msg='Request for configuration failed, %s' % e)
else:
server = result['result'].get('ca_renewal_master_server', None)
yield Result(self,
constants.SUCCESS,
key='renewal_master',
master=server == api.env.host)
def check(self):
try:
ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
except IOError as e:
logger.debug("Could not open %s: %s", paths.IPA_CA_CRT, e)
yield Result(self,
constants.ERROR,
key=paths.IPA_CA_CRT,
error=str(e),
msg='Error opening IPA CA chain at {key}: {error}')
return
except ValueError as e:
logger.debug("% contains an invalid certificate" %
paths.IPA_CA_CRT)
yield Result(self,
constants.ERROR,
key=paths.IPA_CA_CRT,
error=str(e),
msg='IPA CA chain {key} contains an invalid '
'certificate: {error}')
return
now = datetime.now(timezone.utc)
soon = now + timedelta(days=self.config.cert_expiration_days)
for cert in ca_certs:
subject = DN(cert.subject)
subject = str(subject).replace('\\;', '\\3b')
dt = cert.not_valid_after.replace(tzinfo=timezone.utc)
if dt < now:
logger.debug("%s is expired" % subject)
yield Result(self,
constants.CRITICAL,
path=paths.IPA_CA_CRT,
key=subject,
msg='CA \'{key}\' in {path} is expired.')
elif dt <= soon:
logger.debug("%s is expiring soon" % subject)
yield Result(self,
constants.WARNING,
path=paths.IPA_CA_CRT,
key=subject,
days=(dt - now).days,
msg='CA \'{key}\' in {path} is expiring in '
'{days} days.')
else:
yield Result(self,
constants.SUCCESS,
path=paths.IPA_CA_CRT,
key=subject,
days=(dt - now).days)
def check(self):
ruv = self.get_ruv(
DN(('cn', 'replica'), ('cn', api.env.basedn),
('cn', 'mapping tree'), ('cn', 'config')))
csruv = self.get_ruv(
DN(('cn', 'replica'), ('cn', 'o=ipaca'), ('cn', 'mapping tree'),
('cn', 'config')))
if ruv is not None:
yield Result(self,
constants.SUCCESS,
key=str(api.env.basedn),
ruv=ruv)
if csruv is not None:
yield Result(self, constants.SUCCESS, key='o=ipaca', ruv=csruv)
def check(self):
requests = get_expected_requests(self.ca, self.ds, self.serverid)
cm = certmonger._certmonger()
ids = []
all_requests = cm.obj_if.get_requests()
for req in all_requests:
request = certmonger._cm_dbus_object(cm.bus, cm, req,
certmonger.DBUS_CM_REQUEST_IF,
certmonger.DBUS_CM_IF, True)
id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname')
ids.append(str(id))
for request in requests:
request_id = certmonger.get_request_id(request)
try:
if request_id is not None:
# Tracking found, move onto the next
ids.remove(request_id)
yield Result(self, constants.SUCCESS, key=request_id)
continue
except ValueError as e:
# A request was found but the id isn't in the
# list from certmonger!?
yield Result(self,
constants.ERROR,
key=request_id,
msg='Request id %s is not tracked: %s' %
(request_id, e))
continue
# The criteria was not met
if request_id is None:
flatten = ', '.join("{!s}={!s}".format(key, val)
for (key, val) in request.items())
yield Result(self,
constants.ERROR,
key=flatten,
msg='Missing tracking for %s' % flatten)
continue
# Report any unknown certmonger requests as warnings
if ids:
for id in ids:
yield Result(self,
constants.WARNING,
key=id,
msg='Unknown certmonger id %s' % id)
def check(self):
results = self.doCheck(self.check_class, self.many)
if len(results) > 0:
for result in results:
yield result
else:
yield Result(self, constants.SUCCESS)
def check(self):
if not self.instance.exists():
logger.debug('Invalid instance: %s', self.instance.name)
yield Result(self,
constants.CRITICAL,
msg='Invalid PKI instance: %s' % self.instance.name)
return
self.instance.load()
ca = self.instance.get_subsystem('ca')
if not ca:
logger.info("No CA configured, skipping dogtag config check")
return
cert_nicknames = [
'sslserver', 'subsystem', 'audit_signing', 'ocsp_signing',
'signing'
]
# Run the sync check
for cert_tag in cert_nicknames:
yield compare_nssdb_with_cs(class_instance=self,
subsystem=ca,
cert_tag=cert_tag)
def check(self):
cm = certmonger._certmonger()
all_requests = cm.obj_if.get_requests()
for req in all_requests:
request = certmonger._cm_dbus_object(cm.bus, cm, req,
certmonger.DBUS_CM_REQUEST_IF,
certmonger.DBUS_CM_IF, True)
id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname')
notafter = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
'not-valid-after')
if notafter == 0:
yield Result(self,
constants.ERROR,
key=id,
msg='certmonger request id {key} does not have '
'a not-valid-after date, assuming it '
'has not been issued yet.')
continue
nafter = datetime.fromtimestamp(notafter, timezone.utc)
now = datetime.now(timezone.utc)
if now > nafter:
yield Result(self,
constants.ERROR,
key=id,
expiration_date=generalized_time(nafter),
msg='Request id {key} expired on '
'{expiration_date}')
else:
delta = nafter - now
diff = int(delta.total_seconds() / DAY)
if diff < int(self.config.cert_expiration_days):
yield Result(self,
constants.WARNING,
key=id,
expiration_date=generalized_time(nafter),
days=diff,
msg='Request id {key} expires in {days} '
'days. certmonger should renew this '
'automatically. Watch the status with '
'getcert list -i {key}.')
else:
yield Result(self, constants.SUCCESS, key=id)
def check(self):
ca_list = ['IPA']
if self.ca.is_configured():
ca_list.extend([
'dogtag-ipa-ca-renew-agent', 'dogtag-ipa-ca-renew-agent-reuse'
])
for ca in ca_list:
logger.debug('Checking for existence of certmonger CA \'%s\'', ca)
try:
self.find_ca(ca)
except Exception as e:
logger.debug('Search for certmonger CA %s failed: %s', ca, e)
yield Result(self,
constants.ERROR,
key=ca,
msg='Certmonger CA \'{key}\' missing')
else:
yield Result(self, constants.SUCCESS, key=ca)
def check(self):
if self.registry.trust_controller:
logger.debug('Trust controller, skipping')
return
if not self.registry.trust_agent:
logger.debug('Not a trust agent, skipping')
return
# The trust-ad package provides this import
try:
from ipaserver.install import adtrustinstance # noqa: F401
yield Result(self, constants.SUCCESS, key='adtrustpackage')
except ImportError:
yield Result(self,
constants.WARNING,
key='adtrustpackage',
msg='trust-ad sub-package is not installed. '
'Administration will be limited.')
