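    def check_tracking(self):
        """Compare the expected certmonger tracking with what certmonger has.

        Every request returned by ``self.get_requests()`` must resolve, via
        ``certmonger.get_request_id``, to a nickname that certmonger is
        currently tracking.  Expected requests with no tracking are reported
        through ``self.failure``; tracked nicknames that no expected request
        claimed are reported through ``self.warning``.

        Returns:
            None.  Findings are reported via ``self.failure`` and
            ``self.warning``.
        """
        expected = self.get_requests()
        cm = certmonger._certmonger()

        # Nicknames of every request certmonger tracks right now.  Each
        # expected request that matches removes one entry, so whatever is
        # left over is tracking that nobody asked for.
        tracked = []
        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path,
                                                 certmonger.DBUS_CM_REQUEST_IF,
                                                 certmonger.DBUS_CM_IF, True)
            nickname = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                           'nickname')
            tracked.append(str(nickname))

        for request in expected:
            request_id = certmonger.get_request_id(request)
            if request_id is None:
                self.failure('Missing tracking for %s' % request)
                continue
            try:
                tracked.remove(request_id)
            except ValueError as e:
                # get_request_id() matched a request whose nickname is not in
                # certmonger's own list.  The format string previously read
                # '% from' (a space-flagged float conversion), which raised
                # TypeError on a string id instead of reporting the failure.
                self.failure('Failure trying to remove %s from '
                             'list: %s' % (request_id, e))

        if tracked:
            self.warning('Unknown certmonger ids: %s' % ','.join(tracked))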
    def check(self):
        """Report the expiration state of every certmonger-tracked request.

        For each request certmonger tracks, the D-Bus ``not-valid-after``
        property is compared with the current UTC time and one Result is
        yielded: ERROR once expired, WARNING when fewer than
        ``self.config.cert_expiration_days`` days remain, SUCCESS otherwise.
        """
        cm = certmonger._certmonger()
        req_if = certmonger.DBUS_CM_REQUEST_IF

        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path, req_if,
                                                 certmonger.DBUS_CM_IF, True)
            props = request.prop_if
            req_id = props.Get(req_if, 'nickname')
            expires = datetime.fromtimestamp(props.Get(req_if, 'not-valid-after'),
                                             timezone.utc)
            now = datetime.now(timezone.utc)

            if now > expires:
                yield Result(self, constants.ERROR, key=req_id,
                             expiration_date=generalized_time(expires),
                             msg='Request id %s expired on %s' %
                             (req_id, generalized_time(expires)))
                continue

            # Whole days remaining, truncated toward zero.
            days_left = int((expires - now).total_seconds() / DAY)
            if days_left < self.config.cert_expiration_days:
                yield Result(self, constants.WARNING, key=req_id,
                             expiration_date=generalized_time(expires),
                             days=days_left,
                             msg='Request id %s expires in %s days' %
                             (req_id, days_left))
            else:
                yield Result(self, constants.SUCCESS, key=req_id)
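    def check(self):
        """Verify that every expected certificate is tracked by certmonger.

        The expected set comes from ``get_expected_requests`` for this
        server's CA/DS configuration.  Each expected request is matched to
        a certmonger nickname with ``certmonger.get_request_id``: a SUCCESS
        Result is yielded per match, an ERROR when no tracking exists (the
        certificate will not be renewed automatically), and a WARNING for
        every certmonger request that no expected entry claimed.

        Yields:
            Result objects, one per expected request plus one per
            unexpected certmonger request.
        """
        expected = get_expected_requests(self.ca, self.ds, self.serverid)
        cm = certmonger._certmonger()

        # Nicknames certmonger tracks right now; each match below removes
        # one, so whatever remains is tracking nobody expected.
        tracked = []
        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path,
                                                 certmonger.DBUS_CM_REQUEST_IF,
                                                 certmonger.DBUS_CM_IF, True)
            nickname = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                           'nickname')
            tracked.append(str(nickname))

        for request in expected:
            request_id = certmonger.get_request_id(request)

            if request_id is None:
                # No certmonger request satisfied the expected criteria.
                flatten = ', '.join("{!s}={!s}".format(key, val)
                                    for (key, val) in request.items())
                yield Result(self,
                             constants.ERROR,
                             key=flatten,
                             msg='Expected certmonger tracking is missing for '
                             '{key}. Automated renewal will not happen '
                             'for this certificate')
                continue

            # Only list.remove() belongs in the try: with the yield inside
            # it, a ValueError thrown into the generator would have been
            # misreported as a certmonger mismatch.
            try:
                tracked.remove(request_id)
            except ValueError as e:
                # get_request_id() matched a request whose nickname is not
                # in certmonger's own list.  The message previously lacked
                # the space between 'tracked' and 'by'.
                yield Result(self,
                             constants.ERROR,
                             key=request_id,
                             error=str(e),
                             msg='Found request id {key} but it is not tracked '
                             'by certmonger!?: {error}')
                continue

            yield Result(self, constants.SUCCESS, key=request_id)

        # Anything still listed is tracking no expected request accounted for.
        for nickname in tracked:
            yield Result(self,
                         constants.WARNING,
                         key=nickname,
                         msg='certmonger tracking request {key} found and '
                         'is not expected on an IPA master.')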
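    def check(self):
        """Verify that every expected certificate is tracked by certmonger.

        Expected requests come from ``get_expected_requests`` for this
        server's CA/DS configuration and are matched to certmonger
        nicknames with ``certmonger.get_request_id``.  One Result is yielded
        per expected request (SUCCESS when tracked, ERROR when not) and one
        WARNING per certmonger request that no expected entry claimed.

        Yields:
            Result objects, one per expected request plus one per
            unexpected certmonger request.
        """
        expected = get_expected_requests(self.ca, self.ds, self.serverid)
        cm = certmonger._certmonger()

        # Nicknames certmonger tracks right now; each match removes one,
        # so whatever remains is tracking nobody expected.
        tracked = []
        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path,
                                                 certmonger.DBUS_CM_REQUEST_IF,
                                                 certmonger.DBUS_CM_IF, True)
            nickname = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                           'nickname')
            tracked.append(str(nickname))

        for request in expected:
            request_id = certmonger.get_request_id(request)

            if request_id is None:
                # No certmonger request satisfied the expected criteria.
                flatten = ', '.join("{!s}={!s}".format(key, val)
                                    for (key, val) in request.items())
                yield Result(self,
                             constants.ERROR,
                             key=flatten,
                             msg='Missing tracking for %s' % flatten)
                continue

            # Only list.remove() belongs in the try: with the yield inside
            # it, a ValueError thrown into the generator would have been
            # misreported as a certmonger mismatch.
            try:
                tracked.remove(request_id)
            except ValueError as e:
                # get_request_id() matched a request whose nickname is not
                # in certmonger's own list.
                yield Result(self,
                             constants.ERROR,
                             key=request_id,
                             msg='Request id %s is not tracked: %s' %
                             (request_id, e))
                continue

            yield Result(self, constants.SUCCESS, key=request_id)

        # Anything still listed is tracking no expected request accounted for.
        for nickname in tracked:
            yield Result(self,
                         constants.WARNING,
                         key=nickname,
                         msg='Unknown certmonger id %s' % nickname)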
    def check(self):
        """Report the expiration state of every certmonger-tracked request.

        A request whose ``not-valid-after`` property is 0 is treated as not
        yet issued and reported as ERROR.  Otherwise that date is compared
        with the current UTC time: ERROR once expired, WARNING when fewer
        than ``cert_expiration_days`` days remain, SUCCESS otherwise.
        """
        cm = certmonger._certmonger()
        req_if = certmonger.DBUS_CM_REQUEST_IF

        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path, req_if,
                                                 certmonger.DBUS_CM_IF, True)
            props = request.prop_if
            req_id = props.Get(req_if, 'nickname')
            notafter = props.Get(req_if, 'not-valid-after')
            if notafter == 0:
                yield Result(self, constants.ERROR, key=req_id,
                             msg='certmonger request id {key} does not have '
                             'a not-valid-after date, assuming it '
                             'has not been issued yet.')
                continue

            expires = datetime.fromtimestamp(notafter, timezone.utc)
            now = datetime.now(timezone.utc)

            if now > expires:
                yield Result(self, constants.ERROR, key=req_id,
                             expiration_date=generalized_time(expires),
                             msg='Request id {key} expired on '
                             '{expiration_date}')
                continue

            # Whole days remaining, truncated toward zero.
            days_left = int((expires - now).total_seconds() / DAY)
            threshold = int(self.config.cert_expiration_days)
            if days_left < threshold:
                yield Result(self, constants.WARNING, key=req_id,
                             expiration_date=generalized_time(expires),
                             days=days_left,
                             msg='Request id {key} expires in {days} '
                             'days. certmonger should renew this '
                             'automatically. Watch the status with '
                             'getcert list -i {key}.')
            else:
                yield Result(self, constants.SUCCESS, key=req_id)
 def find_ca(self, name):
     """Return the certmonger CA object registered under nickname *name*.

     Looks the CA up through the certmonger service interface and wraps
     the returned object path in a ``_cm_dbus_object`` bound to the CA
     interface.
     """
     service = certmonger._certmonger()
     ca_path = service.obj_if.find_ca_by_nickname(name)
     ca_if = certmonger.DBUS_CM_CA_IF
     return certmonger._cm_dbus_object(service.bus, service, ca_path, ca_if,
                                       certmonger.DBUS_CM_IF, True)
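    def check(self):
        """Check the expiration of the certificate behind each request.

        Rather than trusting the D-Bus ``not-valid-after`` property, this
        loads the actual certificate from where certmonger stores it (a
        file for ``cert-storage`` FILE, an NSS database for NSSDB) and reads
        its ``not_valid_after``.  One Result is yielded per request: ERROR
        when the certificate cannot be loaded, the storage type is unknown,
        or the certificate has expired; WARNING when fewer than
        ``cert_expiration_days`` days remain; SUCCESS otherwise.
        """
        cm = certmonger._certmonger()
        req_if = certmonger.DBUS_CM_REQUEST_IF

        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path, req_if,
                                                 certmonger.DBUS_CM_IF, True)
            props = request.prop_if
            req_id = props.Get(req_if, 'nickname')

            store = props.Get(req_if, 'cert-storage')
            if store == 'FILE':
                certfile = str(props.Get(req_if, 'cert-file'))
                try:
                    cert = x509.load_certificate_from_file(certfile)
                except Exception as e:
                    # Best-effort diagnostic: a load failure becomes a
                    # finding instead of aborting the whole check.
                    yield Result(self,
                                 constants.ERROR,
                                 key=req_id,
                                 certfile=certfile,
                                 error=str(e),
                                 msg='Request id {key}: Unable to open cert '
                                 'file \'{certfile}\': {error}')
                    continue
            elif store == 'NSSDB':
                nickname = str(props.Get(req_if, 'key_nickname'))
                dbdir = str(props.Get(req_if, 'cert_database'))
                try:
                    db = certdb.NSSDatabase(dbdir)
                except Exception as e:
                    yield Result(self,
                                 constants.ERROR,
                                 key=req_id,
                                 dbdir=dbdir,
                                 error=str(e),
                                 msg='Request id {key}: Unable to open NSS '
                                 'database \'{dbdir}\': {error}')
                    continue

                try:
                    cert = db.get_cert(nickname)
                except Exception as e:
                    yield Result(self,
                                 constants.ERROR,
                                 key=req_id,
                                 dbdir=dbdir,
                                 nickname=nickname,
                                 error=str(e),
                                 msg='Request id {key}: Unable to retrieve '
                                 'cert \'{nickname}\' from \'{dbdir}\': '
                                 '{error}')
                    continue
            else:
                yield Result(self,
                             constants.ERROR,
                             key=req_id,
                             store=store,
                             msg='Request id {key}: Unknown certmonger '
                             'storage type: {store}')
                continue

            # NOTE(review): utcnow() is naive (and deprecated since Python
            # 3.12); it is kept because cert.not_valid_after is compared
            # directly and its tz-awareness depends on the x509 wrapper —
            # confirm before switching to timezone-aware values.
            now = datetime.utcnow()
            notafter = cert.not_valid_after

            if now > notafter:
                yield Result(self,
                             constants.ERROR,
                             key=req_id,
                             expiration_date=generalized_time(notafter),
                             msg='Request id {key} expired on '
                             '{expiration_date}')
                continue

            # Whole days remaining, truncated toward zero.
            days_left = int((notafter - now).total_seconds() / DAY)
            if days_left < int(self.config.cert_expiration_days):
                # The message previously lacked the space between 'with'
                # and 'getcert', rendering as "withgetcert".
                yield Result(self,
                             constants.WARNING,
                             key=req_id,
                             expiration_date=generalized_time(notafter),
                             days=days_left,
                             msg='Request id {key} expires in {days} '
                             'days. certmonger should renew this '
                             'automatically. Watch the status with '
                             'getcert list -i {key}.')
            else:
                yield Result(self, constants.SUCCESS, key=req_id)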
    def check(self):
        """Check the expiration of the certificate behind each request.

        The certificate is loaded from where certmonger stores it (a file
        for ``cert-storage`` FILE, an NSS database for NSSDB) and its
        ``not_valid_after`` compared with the current time.  One Result is
        yielded per request: ERROR when the certificate cannot be loaded,
        the storage type is unknown, or it has expired; WARNING when fewer
        than ``cert_expiration_days`` days remain; SUCCESS otherwise.
        """
        cm = certmonger._certmonger()
        req_if = certmonger.DBUS_CM_REQUEST_IF

        for path in cm.obj_if.get_requests():
            request = certmonger._cm_dbus_object(cm.bus, cm, path, req_if,
                                                 certmonger.DBUS_CM_IF, True)
            props = request.prop_if
            req_id = props.Get(req_if, 'nickname')
            store = props.Get(req_if, 'cert-storage')

            if store == 'FILE':
                certfile = str(props.Get(req_if, 'cert-file'))
                try:
                    cert = x509.load_certificate_from_file(certfile)
                except Exception as e:
                    # Load failures become findings; the check carries on.
                    yield Result(self, constants.ERROR, key=req_id,
                                 certfile=certfile, error=str(e),
                                 msg='Unable to open cert file \'%s\': %s' %
                                 (certfile, e))
                    continue
            elif store == 'NSSDB':
                nickname = str(props.Get(req_if, 'key_nickname'))
                dbdir = str(props.Get(req_if, 'cert_database'))
                try:
                    db = certdb.NSSDatabase(dbdir)
                except Exception as e:
                    yield Result(self, constants.ERROR, key=req_id,
                                 dbdir=dbdir, error=str(e),
                                 msg='Unable to open NSS database \'%s\': %s' %
                                 (dbdir, e))
                    continue
                try:
                    cert = db.get_cert(nickname)
                except Exception as e:
                    yield Result(self, constants.ERROR, key=req_id,
                                 dbdir=dbdir, nickname=nickname, error=str(e),
                                 msg='Unable to retrieve cert \'%s\' from '
                                 '\'%s\': %s' % (nickname, dbdir, e))
                    continue
            else:
                yield Result(self, constants.ERROR, key=req_id, store=store,
                             msg='Unknown certmonger storage type: %s' % store)
                continue

            now = datetime.utcnow()
            expires = cert.not_valid_after
            if now > expires:
                yield Result(self, constants.ERROR, key=req_id,
                             expiration_date=generalized_time(expires),
                             msg='Request id %s expired on %s' %
                             (req_id, generalized_time(expires)))
                continue

            # Whole days remaining, truncated toward zero.
            days_left = int((expires - now).total_seconds() / DAY)
            if days_left < self.config.cert_expiration_days:
                yield Result(self, constants.WARNING, key=req_id,
                             expiration_date=generalized_time(expires),
                             days=days_left,
                             msg='Request id %s expires in %s days' %
                             (req_id, days_left))
            else:
                yield Result(self, constants.SUCCESS, key=req_id)