def check(self): cm = certmonger._certmonger() all_requests = cm.obj_if.get_requests() for req in all_requests: request = certmonger._cm_dbus_object(cm.bus, cm, req, certmonger.DBUS_CM_REQUEST_IF, certmonger.DBUS_CM_IF, True) id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname') notafter = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'not-valid-after') nafter = datetime.fromtimestamp(notafter, timezone.utc) now = datetime.now(timezone.utc) if now > nafter: yield Result(self, constants.ERROR, key=id, expiration_date=generalized_time(nafter), msg='Request id %s expired on %s' % (id, generalized_time(nafter))) else: delta = nafter - now diff = int(delta.total_seconds() / DAY) if diff < self.config.cert_expiration_days: yield Result(self, constants.WARNING, key=id, expiration_date=generalized_time(nafter), days=diff, msg='Request id %s expires in %s days' % (id, diff)) else: yield Result(self, constants.SUCCESS, key=id)
def match_ldap_nss_cert(plugin, ldap, db, cert_dn, attr, cert_nick): try: entry = ldap.get_entry(cert_dn) except errors.NotFound: yield Result(plugin, constants.ERROR, msg='%s entry not found in LDAP' % cert_dn) return False try: nsscert = db.get_cert_from_db(cert_nick) except Exception as e: yield Result(plugin, constants.ERROR, error=str(e), msg=('Unable to load %s certificate:' '{error}' % cert_nick)) return False cert_matched = any(cert == nsscert for cert in entry[attr]) if not cert_matched: yield Result(plugin, constants.ERROR, key=cert_nick, nickname=cert_nick, dbdir=db.secdir, msg=('{nickname} certificate in NSS DB {dbdir} ' 'does not match entry in LDAP')) return False return True
def check(self): data = self.registry.json crlmanagers = [] for fqdn in data.keys(): output = find_checks(data[fqdn], 'ipahealthcheck.ipa.roles', 'IPACRLManagerCheck') enabled = output[0].get('kw').get('crlgen_enabled') if enabled: crlmanagers.append(fqdn) if len(crlmanagers) == 0: yield Result(self, constants.ERROR, name='crlmanager', error='No CRL Manager defined') elif len(crlmanagers) == 1: yield Result(self, constants.SUCCESS, name='crlmanager', value=crlmanagers[0]) else: yield Result(self, constants.ERROR, name='crlmanager', value=','.join(crlmanagers), error='Multiple CRL Managers defined')
def match_cacert_and_db(plugin, cacerts, dbpath): db = certs.CertDB(api.env.realm, dbpath) nickname = '%s IPA CA' % api.env.realm try: dbcacerts = self.get_cert_list_from_db(db, nickname) except Exception as e: yield Result(plugin, constants.ERROR, error=str(e), msg='Unable to load CA cert: {error}') return False ok = True for cert in dbcacerts: if cert not in cacerts: ok = False yield Result(plugin, constants.ERROR, nickname=nickname, serial_number=cert.serial_number, dbdir=dbpath, certdir=paths.IPA_CA_CRT, msg=('CA Certificate nickname {nickname} ' 'with serial number {serial} ' 'is in {dbdir} but is not in' '%s' % paths.IPA_CA_CRT)) return ok
def check(self): expected_trust = { 'ocspSigningCert cert-pki-ca': 'u,u,u', 'subsystemCert cert-pki-ca': 'u,u,u', 'auditSigningCert cert-pki-ca': 'u,u,Pu', 'Server-Cert cert-pki-ca': 'u,u,u', } kra = krainstance.KRAInstance(api.env.realm) if kra.is_installed(): kra_trust = { 'transportCert cert-pki-kra': 'u,u,u', 'storageCert cert-pki-kra': 'u,u,u', 'auditSigningCert cert-pki-kra': 'u,u,Pu', } expected_trust.update(kra_trust) if not self.ca.is_configured(): logger.debug('CA is not configured, skipping NSS trust check') return db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR) for nickname, _trust_flags in db.list_certs(): flags = certdb.unparse_trust_flags(_trust_flags) if nickname.startswith('caSigningCert cert-pki-ca'): expected = 'CTu,Cu,Cu' else: try: expected = expected_trust[nickname] except KeyError: logger.debug("%s not found in %s, assuming 3rd party" % (nickname, paths.PKI_TOMCAT_ALIAS_DIR)) continue try: expected_trust.pop(nickname) except KeyError: pass if flags != expected: yield Result( self, constants.ERROR, key=nickname, expected=expected, got=flags, nickname=nickname, dbdir=paths.PKI_TOMCAT_ALIAS_DIR, msg='Incorrect NSS trust for {nickname} in {dbdir}. ' 'Got {got} expected {expected}.') continue else: yield Result(self, constants.SUCCESS, key=nickname) for nickname in expected_trust: yield Result( self, constants.ERROR, key=nickname, nickname=nickname, dbdir=paths.PKI_TOMCAT_ALIAS_DIR, msg='Certificate {nickname} missing from {dbdir} while ' 'verifying trust')
def check(self): try: conn = ipaldap.LDAPClient.from_realm(api.env.realm) except AttributeError: conn = ipaldap.LDAPClient(api.env.ldap_uri) conn.external_bind() filterstr = "(&(!(objectclass=nstombstone))(nsds5ReplConflict=*))" attrlist = ['nsds5ReplConflict', 'objectclass'] try: entries = conn.get_entries(api.env.basedn, ldap.SCOPE_SUBTREE, filterstr, attrlist) except errors.EmptyResult: entries = [] if entries: for entry in entries: glue = 'glue' in entry['objectclass'] yield Result(self, constants.ERROR, key=str(entry.dn), glue=glue, conflict=entry['nsds5replconflict'][0], msg='Replication conflict') else: yield Result(self, constants.SUCCESS)
def check(self): if not self.registry.trust_controller: logger.debug('Not a trust controller, skipping') return service_dn = DN(('cn', 'ADTRUST'), ('cn', api.env.host), api.env.container_masters, api.env.basedn) try: entry = self.conn.get_entry(service_dn, attrs_list=['ipaconfigstring']) except Exception as e: yield Result(self, constants.ERROR, key=str(service_dn), error=str(e), msg='Error retrieving ldap entry {key}: ' '{error}') else: configs = entry.get('ipaconfigstring', []) enabled = False for config in configs: if config == ENABLED_SERVICE: enabled = True break if enabled: yield Result(self, constants.SUCCESS, key='ADTRUST') else: yield Result(self, constants.ERROR, key='ADTRUST', msg='{key} service is not enabled')
def check(self): if not self.registry.trust_controller: logger.debug('Not a trust controller, skipping') return agent_dn = DN( ('krbprincipalname', 'cifs/%s@%s' % (api.env.host, api.env.realm)), api.env.container_service, api.env.basedn) group_dn = DN(('cn', 'adtrust agents'), api.env.container_sysaccounts, api.env.basedn) try: entry = self.conn.get_entry(agent_dn, attrs_list=['memberOf']) except Exception as e: yield Result(self, constants.ERROR, key=str(agent_dn), error=str(e), msg='Error retrieving ldap entry {key}: ' '{error}') else: memberof = entry.get('memberof', []) for member in memberof: if DN(member) == group_dn: yield Result(self, constants.SUCCESS, key='cifs/%s@%s' % (api.env.host, api.env.realm)) return yield Result(self, constants.ERROR, key='cifs/%s@%s' % (api.env.host, api.env.realm), group='adtrust agents', msg='{key} is not a member of {group}')
def check(self): if not self.registry.trust_controller: logger.debug('Not a trust controller, skipping') return admins_dn = DN(('cn', 'admins'), api.env.container_group, api.env.basedn) try: entry = self.conn.get_entry(admins_dn, attrs_list=['ipantsecurityidentifier']) except Exception as e: yield Result(self, constants.ERROR, key=str(admins_dn), error=str(e), msg='Error retrieving ldap entry {key}: ' '{error}') return identifier = entry.get('ipantsecurityidentifier', [None])[0] if not identifier or not identifier.endswith('512'): yield Result(self, constants.ERROR, key='ipantsecurityidentifier', rid=identifier, msg='{key} is not a Domain Admins RID') else: yield Result(self, constants.SUCCESS, rid=identifier, key='ipantsecurityidentifier')
def check(self): certlist = [paths.HTTPD_CERT_FILE] if self.ca.is_configured(): certlist.append(paths.RA_AGENT_PEM) for cert in certlist: try: response = self.validate_openssl(cert) except Exception as e: yield Result( self, constants.ERROR, key=cert, error=str(e), msg='Certificate validation for {key} failed: {error}') continue else: if ': OK' not in response.raw_output.decode('utf-8'): yield Result( self, constants.ERROR, key=cert, reason=response.raw_error_output.decode('utf-8'), msg='Certificate validation for {key} failed: ' '{reason}') else: yield Result(self, constants.SUCCESS, key=cert)
def check(self): if not self.instance.exists(): logger.debug('Invalid instance: %s', self.instance.name) yield Result(self, constants.CRITICAL, msg='Invalid PKI instance: %s' % self.instance.name) return self.instance.load() # Make a list of known good trust flags for ALL system certs expected_trust = { 'sslserver': 'u,u,u', 'subsystem': 'u,u,u', 'audit_signing': 'u,u,Pu' } tps = self.instance.get_subsystem('tps') if not tps: logger.info( "No TPS configured, skipping TPS System Cert Trust Flag check") return certs = tps.find_system_certs() # Iterate on TPS's all system certificate to check with list of expected trust flags for cert in certs: cert_id = cert['id'] # Load cert trust from NSSDB with nssdb_connection(self.instance) as nssdb: try: cert_trust = nssdb.get_trust(nickname=cert['nickname'], token=cert['token']) except Exception as e: # pylint: disable=broad-except logger.debug('Unable to load cert from NSSDB: %s', str(e)) yield Result(self, constants.ERROR, key=cert_id, nssdbDir=self.instance.nssdb_dir, msg='Unable to load cert from NSSDB: %s' % str(e)) continue if cert_trust != expected_trust[cert_id]: yield Result( self, constants.ERROR, cert_id=cert_id, nickname=cert['nickname'], token=cert['token'], cert_trust=cert_trust, msg='Incorrect NSS trust for %s. Got %s expected %s' % (cert['nickname'], cert_trust, expected_trust[cert_id])) else: yield Result(self, constants.SUCCESS, cert_id=cert_id, nickname=cert['nickname'])
def check(self): key = 'workers' cpus = os.sysconf('SC_NPROCESSORS_ONLN') logging.debug('Detected %s CPUs', cpus) lines = get_contents(SYSCONFIG) args_read = False for line in lines: sline = line.strip() workers = 0 if sline.startswith('KRB5KDC_ARGS'): args_read = True sline = sline.split('=', maxsplit=1)[1] if sline.find("-w") == -1: if cpus == 1: # -w is not configured when cpus == 1 yield Result(self, constants.SUCCESS, key=key) return else: yield Result(self, constants.WARNING, key=key, sysconfig=SYSCONFIG, msg='No KDC workers defined in ' '{sysconfig}') return # Making an assumption that this line is not misconfigured # otherwise the KDC wouldn't start at all. sline = sline.replace("'", "") sline = sline.replace('"', "") sline = sline.split() for i in range(len(sline)): if sline[i] == '-w': workers = int(sline[i + 1]) break if cpus == workers: yield Result(self, constants.SUCCESS, key=key) else: yield Result(self, constants.WARNING, key=key, cpus=cpus, workers=workers, sysconfig=SYSCONFIG, msg='The number of CPUs {cpus} does not ' 'match the number of workers ' '{workers} in {sysconfig}') break if not args_read: yield Result(self, constants.WARNING, key=key, sysconfig=SYSCONFIG, msg='KRB5KDC_ARGS is not set in ' '{sysconfig}')
def check(self): if not self.registry.trust_controller: logger.debug('Not a trust controller, skipping') return ldapi_socket = "ipasam:ldapi://%%2fvar%%2frun%%2fslapd-%s.socket" % \ realm_to_serverid(api.env.realm) try: result = ipautil.run(['net', 'conf', 'list'], capture_output=True) except Exception as e: yield Result(self, constants.ERROR, key='net conf list', error=str(e), msg='Execution of {key} failed: {error}') return conf = result.output.replace('\t', '') config = configparser.ConfigParser(delimiters=('='), interpolation=None) try: config.read_string(conf) except Exception as e: yield Result(self, constants.ERROR, key='net conf list', error=str(e), msg='Unable to parse {key} output: {error}') return try: net_ldapi = config.get('global', 'passdb backend') except Exception as e: yield Result(self, constants.ERROR, key='net conf list', error=str(e), section='global', option='passdb backend', msg='Unable to read \'{option}\' in section ' '{section} in {key} output: {error}') return if net_ldapi != ldapi_socket: yield Result(self, constants.ERROR, key='net conf list', got=net_ldapi, expected=ldapi_socket, option='passdb backend', msg='{key} option {option} value {got} ' 'doesn\'t match expected value {expected}') else: yield Result(self, constants.SUCCESS, key='net conf list')
def compare_nssdb_with_cs(class_instance, subsystem, cert_tag): """ Check whether the System Certs in NSSDB match with certs in CS.cfg :param class_instance: Reporting Class Instance :type class_instance: object :param subsystem: Subsystem :type subsystem: pki.server.subsystem.PKISubsystem :param cert_tag: Certificate tag name :type cert_tag: str :return: Result object with prefilled args :rtype: Result """ # Generate cert_id for logging purpose cert_id = '{}_{}'.format(subsystem.name, cert_tag) # Load cert from CS cert = subsystem.get_cert_info(cert_tag) cert_cs = cert['data'] # Load cert from NSSDB with nssdb_connection(subsystem.instance) as nssdb: try: # Retrieve the nickname and token from CS.cfg and then load # the corresponding cert from NSSDB cert_nssdb = nssdb.get_cert(nickname=cert['nickname'], token=cert['token'], output_format='base64') except Exception as e: # pylint: disable=broad-except logger.debug('Unable to load cert from NSSDB: %s', str(e)) return Result(class_instance, constants.ERROR, key=cert_id, nssdbDir=subsystem.instance.nssdb_dir, msg='Unable to load cert from NSSDB: %s' % str(e)) # Compare whether the certs match if cert_nssdb != cert_cs: directive = '%s.%s.cert' % (subsystem.name, cert_tag) return Result(class_instance, constants.ERROR, key=cert_id, nickname=cert['nickname'], directive=directive, configfile=subsystem.cs_conf, msg='Certificate \'%s\' does not match the value ' 'of %s in %s' % (cert['nickname'], directive, subsystem.cs_conf)) else: return Result(class_instance, constants.SUCCESS, key=cert_id, configfile=subsystem.cs_conf)
def run_plugin(plugin, available=()): # manually calculate duration when we create results of our own start = datetime.utcnow() try: for result in plugin.check(): if result is None: # Treat no result as success, fudge start time result = Result(plugin, constants.SUCCESS, start=start) yield result except Exception as e: logger.debug('Exception raised: %s', e) yield Result(plugin, constants.CRITICAL, exception=str(e), start=start)
def check(self): try: result = api.Command.server_find(pkey_only=True) except Exception as e: yield Result(self, constants.ERROR, msg='server-show failed, %s' % e) else: masters = [] for server in result['result']: masters.append(server['cn'][0]) yield Result(self, constants.SUCCESS, masters=masters)
def check(self): requests = get_expected_requests(self.ca, self.ds, self.serverid) cm = certmonger._certmonger() ids = [] all_requests = cm.obj_if.get_requests() for req in all_requests: request = certmonger._cm_dbus_object(cm.bus, cm, req, certmonger.DBUS_CM_REQUEST_IF, certmonger.DBUS_CM_IF, True) id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname') ids.append(str(id)) for request in requests: request_id = certmonger.get_request_id(request) try: if request_id is not None: # Tracking found, move onto the next ids.remove(request_id) yield Result(self, constants.SUCCESS, key=request_id) continue except ValueError as e: # A request was found but the id isn't in the # list from certmonger!? yield Result(self, constants.ERROR, key=request_id, error=str(e), msg='Found request id {key} but it is not tracked' 'by certmonger!?: {error}') continue # The criteria was not met if request_id is None: flatten = ', '.join("{!s}={!s}".format(key, val) for (key, val) in request.items()) yield Result(self, constants.ERROR, key=flatten, msg='Expected certmonger tracking is missing for ' '{key}. Automated renewal will not happen ' 'for this certificate') continue # Report any unknown certmonger requests as warnings if ids: for id in ids: yield Result(self, constants.WARNING, key=id, msg='certmonger tracking request {key} found and ' 'is not expected on an IPA master.')
def check(self): for store, threshold in self._pathchecks.items(): try: percent_free = self.get_fs_free_space_percentage(store) except FileNotFoundError: yield Result(self, constants.WARNING, key=store, msg='File system {store} is not mounted', store=store) continue if percent_free < self.min_free_percent: yield Result(self, constants.ERROR, key=store, msg='%s: %s %s%% < %s%%' % (store, 'free space percentage under threshold:', percent_free, self.min_free_percent), store=store, percent_free=percent_free, threshold=self.min_free_percent) else: yield Result(self, constants.SUCCESS, key=store, msg='%s: %s %s%% >= %s%%' % (store, 'free space percentage within limits:', percent_free, self.min_free_percent), store=store, percent_free=percent_free, threshold=self.min_free_percent) free_space = self.get_fs_free_space(store) if free_space < threshold: yield Result(self, constants.ERROR, key=store, msg='%s: %s %s MiB < %s MiB' % (store, 'free space under threshold:', free_space, threshold), store=store, free_space=free_space, threshold=threshold) else: yield Result(self, constants.SUCCESS, key=store, msg='%s: %s %s MiB >= %s MiB' % (store, 'free space within limits:', free_space, threshold), store=store, free_space=free_space, threshold=threshold)
def check(self): if not self.registry.trust_agent: logger.debug('Not a trust agent, skipping') return try: sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() except Exception as e: logger.debug('Failed to parse sssd.conf: %s', e) yield Result(self, constants.CRITICAL, error=str(e), msg='Unable to parse sssd.conf: {error}') return else: domains = sssdconfig.list_active_domains() errors = False for name in domains: domain = sssdconfig.get_domain(name) try: provider = domain.get_option('id_provider') except SSSDConfig.NoOptionError: continue if provider == "ipa": try: mode = domain.get_option('ipa_server_mode') except SSSDConfig.NoOptionError: yield Result(self, constants.ERROR, key='ipa_server_mode_missing', attr='ipa_server_mode', domain=name, sssd_config=paths.SSSD_CONF, msg='{sssd_config} is missing {attr} ' 'in the domain {domain}') errors = True else: if not mode: yield Result(self, constants.ERROR, key='ipa_server_mode_false', attr='ipa_server_mode', domain=name, sssd_config=paths.SSSD_CONF, msg='{attr} is not True in {sssd_config} ' 'in the domain {domain}') errors = True if not errors: yield Result(self, constants.SUCCESS)
def check(self): try: sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() except Exception as e: logger.debug('Failed to parse sssd.conf: %s', e) yield Result(self, constants.CRITICAL, error=str(e), key='domain-check', msg='Unable to parse sssd.conf: {error}') return try: domain = sssdconfig.get_domain(api.env.domain) except SSSDConfig.NoDomainError: yield Result(self, constants.ERROR, key='domain-check', domain=api.env.domain, msg='IPA domain {domain} not found in sssd.conf') return error = False for option in ('id_provider', 'auth_provider', 'chpass_provider', 'access_provider'): try: provider = domain.get_option(option) except SSSDConfig.NoOptionError: yield Result(self, constants.ERROR, key='domain-check', domain=api.env.domain, option=option, msg='Option {option} in domain {domain} not ' 'found in sssd.conf') error = True continue if provider != "ipa": yield Result(self, constants.ERROR, key='domain-check', option=option, provider=provider, domain=api.env.domain, msg='Option {option} in domain {domain} is ' '{provider} not ipa') error = True if not error: yield Result(self, constants.SUCCESS, key='domain-check')
def check(self): try: enabled = self.ca.is_crlgen_enabled() except AttributeError: yield Result(self, constants.SUCCESS, key='crl_manager', crlgen_enabled=None, msg='Not available in this version of IPA') else: yield Result(self, constants.SUCCESS, key='crl_manager', crlgen_enabled=enabled)
def check(self): try: result = api.Command.config_show() except Exception as e: yield Result(self, constants.ERROR, key='renewal_master', msg='Request for configuration failed, %s' % e) else: server = result['result'].get('ca_renewal_master_server', None) yield Result(self, constants.SUCCESS, key='renewal_master', master=server == api.env.host)
def check(self): try: ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT) except IOError as e: logger.debug("Could not open %s: %s", paths.IPA_CA_CRT, e) yield Result(self, constants.ERROR, key=paths.IPA_CA_CRT, error=str(e), msg='Error opening IPA CA chain at {key}: {error}') return except ValueError as e: logger.debug("% contains an invalid certificate" % paths.IPA_CA_CRT) yield Result(self, constants.ERROR, key=paths.IPA_CA_CRT, error=str(e), msg='IPA CA chain {key} contains an invalid ' 'certificate: {error}') return now = datetime.now(timezone.utc) soon = now + timedelta(days=self.config.cert_expiration_days) for cert in ca_certs: subject = DN(cert.subject) subject = str(subject).replace('\\;', '\\3b') dt = cert.not_valid_after.replace(tzinfo=timezone.utc) if dt < now: logger.debug("%s is expired" % subject) yield Result(self, constants.CRITICAL, path=paths.IPA_CA_CRT, key=subject, msg='CA \'{key}\' in {path} is expired.') elif dt <= soon: logger.debug("%s is expiring soon" % subject) yield Result(self, constants.WARNING, path=paths.IPA_CA_CRT, key=subject, days=(dt - now).days, msg='CA \'{key}\' in {path} is expiring in ' '{days} days.') else: yield Result(self, constants.SUCCESS, path=paths.IPA_CA_CRT, key=subject, days=(dt - now).days)
def check(self): ruv = self.get_ruv( DN(('cn', 'replica'), ('cn', api.env.basedn), ('cn', 'mapping tree'), ('cn', 'config'))) csruv = self.get_ruv( DN(('cn', 'replica'), ('cn', 'o=ipaca'), ('cn', 'mapping tree'), ('cn', 'config'))) if ruv is not None: yield Result(self, constants.SUCCESS, key=str(api.env.basedn), ruv=ruv) if csruv is not None: yield Result(self, constants.SUCCESS, key='o=ipaca', ruv=csruv)
def check(self): requests = get_expected_requests(self.ca, self.ds, self.serverid) cm = certmonger._certmonger() ids = [] all_requests = cm.obj_if.get_requests() for req in all_requests: request = certmonger._cm_dbus_object(cm.bus, cm, req, certmonger.DBUS_CM_REQUEST_IF, certmonger.DBUS_CM_IF, True) id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname') ids.append(str(id)) for request in requests: request_id = certmonger.get_request_id(request) try: if request_id is not None: # Tracking found, move onto the next ids.remove(request_id) yield Result(self, constants.SUCCESS, key=request_id) continue except ValueError as e: # A request was found but the id isn't in the # list from certmonger!? yield Result(self, constants.ERROR, key=request_id, msg='Request id %s is not tracked: %s' % (request_id, e)) continue # The criteria was not met if request_id is None: flatten = ', '.join("{!s}={!s}".format(key, val) for (key, val) in request.items()) yield Result(self, constants.ERROR, key=flatten, msg='Missing tracking for %s' % flatten) continue # Report any unknown certmonger requests as warnings if ids: for id in ids: yield Result(self, constants.WARNING, key=id, msg='Unknown certmonger id %s' % id)
def check(self): results = self.doCheck(self.check_class, self.many) if len(results) > 0: for result in results: yield result else: yield Result(self, constants.SUCCESS)
def check(self): if not self.instance.exists(): logger.debug('Invalid instance: %s', self.instance.name) yield Result(self, constants.CRITICAL, msg='Invalid PKI instance: %s' % self.instance.name) return self.instance.load() ca = self.instance.get_subsystem('ca') if not ca: logger.info("No CA configured, skipping dogtag config check") return cert_nicknames = [ 'sslserver', 'subsystem', 'audit_signing', 'ocsp_signing', 'signing' ] # Run the sync check for cert_tag in cert_nicknames: yield compare_nssdb_with_cs(class_instance=self, subsystem=ca, cert_tag=cert_tag)
def check(self): cm = certmonger._certmonger() all_requests = cm.obj_if.get_requests() for req in all_requests: request = certmonger._cm_dbus_object(cm.bus, cm, req, certmonger.DBUS_CM_REQUEST_IF, certmonger.DBUS_CM_IF, True) id = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'nickname') notafter = request.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF, 'not-valid-after') if notafter == 0: yield Result(self, constants.ERROR, key=id, msg='certmonger request id {key} does not have ' 'a not-valid-after date, assuming it ' 'has not been issued yet.') continue nafter = datetime.fromtimestamp(notafter, timezone.utc) now = datetime.now(timezone.utc) if now > nafter: yield Result(self, constants.ERROR, key=id, expiration_date=generalized_time(nafter), msg='Request id {key} expired on ' '{expiration_date}') else: delta = nafter - now diff = int(delta.total_seconds() / DAY) if diff < int(self.config.cert_expiration_days): yield Result(self, constants.WARNING, key=id, expiration_date=generalized_time(nafter), days=diff, msg='Request id {key} expires in {days} ' 'days. certmonger should renew this ' 'automatically. Watch the status with ' 'getcert list -i {key}.') else: yield Result(self, constants.SUCCESS, key=id)
def check(self): ca_list = ['IPA'] if self.ca.is_configured(): ca_list.extend([ 'dogtag-ipa-ca-renew-agent', 'dogtag-ipa-ca-renew-agent-reuse' ]) for ca in ca_list: logger.debug('Checking for existence of certmonger CA \'%s\'', ca) try: self.find_ca(ca) except Exception as e: logger.debug('Search for certmonger CA %s failed: %s', ca, e) yield Result(self, constants.ERROR, key=ca, msg='Certmonger CA \'{key}\' missing') else: yield Result(self, constants.SUCCESS, key=ca)
def check(self): if self.registry.trust_controller: logger.debug('Trust controller, skipping') return if not self.registry.trust_agent: logger.debug('Not a trust agent, skipping') return # The trust-ad package provides this import try: from ipaserver.install import adtrustinstance # noqa: F401 yield Result(self, constants.SUCCESS, key='adtrustpackage') except ImportError: yield Result(self, constants.WARNING, key='adtrustpackage', msg='trust-ad sub-package is not installed. ' 'Administration will be limited.')