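def check_tracking(self):
    """Compare expected vs actual certmonger tracking configuration.

    Collects the nickname of every request certmonger currently tracks,
    then removes from that list the request id of each entry returned by
    ``self.get_requests()``.  Findings are reported through
    ``self.failure`` (an expected request with no tracking, or an id that
    could not be removed from certmonger's list) and ``self.warning``
    (tracked ids that nothing expected); nothing is returned.
    """
    expected = self.get_requests()
    cm = certmonger._certmonger()

    # Nicknames of every request certmonger tracks right now.
    tracked_ids = []
    for req_path in cm.obj_if.get_requests():
        req_obj = certmonger._cm_dbus_object(cm.bus, cm, req_path,
                                             certmonger.DBUS_CM_REQUEST_IF,
                                             certmonger.DBUS_CM_IF, True)
        nickname = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                       'nickname')
        tracked_ids.append(str(nickname))

    for request in expected:
        request_id = certmonger.get_request_id(request)
        if request_id is None:
            # No certmonger request matches: renewal is not automated.
            self.failure('Missing tracking for %s' % request)
            continue
        try:
            tracked_ids.remove(request_id)
        except ValueError as e:
            # A request id was found but certmonger does not list it.
            # The conversion must be '%s', not a bare '%': '% f' is parsed
            # as a space-flagged float conversion and raised TypeError on
            # a string id, so this failure was never reported.
            self.failure('Failure trying to remove %s from '
                         'list: %s' % (request_id, e))

    if tracked_ids:
        self.warning('Unknown certmonger ids: %s' % ','.join(tracked_ids))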
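def check(self):
    """Report certmonger requests whose certificate is expired or expiring.

    Reads the ``not-valid-after`` property of every tracked request over
    D-Bus.  A value of 0 is an ERROR (certmonger has no certificate for
    the request yet); an expiry in the past is an ERROR; an expiry fewer
    than ``self.config.cert_expiration_days`` days away is a WARNING;
    otherwise the request is a SUCCESS.

    Yields ``Result`` objects keyed by the request nickname.
    """
    cm = certmonger._certmonger()
    for req_path in cm.obj_if.get_requests():
        req_obj = certmonger._cm_dbus_object(cm.bus, cm, req_path,
                                             certmonger.DBUS_CM_REQUEST_IF,
                                             certmonger.DBUS_CM_IF, True)
        nickname = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                       'nickname')
        notafter = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                       'not-valid-after')

        if notafter == 0:
            # certmonger reports 0 until a certificate has been issued.
            # Passing it to fromtimestamp() would report a bogus expiry
            # in 1970 instead of the real problem.
            yield Result(self, constants.ERROR, key=nickname,
                         msg='Request id %s does not have a '
                             'not-valid-after date, assuming it has not '
                             'been issued yet.' % nickname)
            continue

        # Both sides are timezone-aware so the comparison is well defined.
        expires = datetime.fromtimestamp(notafter, timezone.utc)
        now = datetime.now(timezone.utc)
        if now > expires:
            yield Result(self, constants.ERROR, key=nickname,
                         expiration_date=generalized_time(expires),
                         msg='Request id %s expired on %s'
                             % (nickname, generalized_time(expires)))
            continue

        days_left = int((expires - now).total_seconds() / DAY)
        # int(): the configured threshold may arrive as a string, and a
        # str/int comparison raises TypeError.
        if days_left < int(self.config.cert_expiration_days):
            yield Result(self, constants.WARNING, key=nickname,
                         expiration_date=generalized_time(expires),
                         days=days_left,
                         msg='Request id %s expires in %s days'
                             % (nickname, days_left))
        else:
            yield Result(self, constants.SUCCESS, key=nickname)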
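def check(self):
    """Verify every expected certificate has a certmonger tracking request.

    ``get_expected_requests`` describes the requests this server should
    have.  For each one ``certmonger.get_request_id`` looks up the
    matching certmonger request and that id is crossed off the list of
    nicknames certmonger actually tracks.

    Yields SUCCESS per matched request, ERROR when no tracking exists
    (renewal will not be automated) or when a found id is absent from
    certmonger's own list, and WARNING for every leftover certmonger
    request that nothing expected.
    """
    expected = get_expected_requests(self.ca, self.ds, self.serverid)
    cm = certmonger._certmonger()

    tracked_ids = []
    for req_path in cm.obj_if.get_requests():
        req_obj = certmonger._cm_dbus_object(cm.bus, cm, req_path,
                                             certmonger.DBUS_CM_REQUEST_IF,
                                             certmonger.DBUS_CM_IF, True)
        nickname = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                       'nickname')
        tracked_ids.append(str(nickname))

    for request in expected:
        request_id = certmonger.get_request_id(request)
        if request_id is None:
            # The criteria was not met: no certmonger request matches.
            flatten = ', '.join("{!s}={!s}".format(key, val)
                                for (key, val) in request.items())
            yield Result(self, constants.ERROR, key=flatten,
                         msg='Expected certmonger tracking is missing for '
                             '{key}. Automated renewal will not happen '
                             'for this certificate')
            continue
        try:
            tracked_ids.remove(request_id)
        except ValueError as e:
            # A request was found but the id isn't in the list from
            # certmonger!?  Note the trailing space on the first literal:
            # without it the message read "trackedby certmonger".
            yield Result(self, constants.ERROR, key=request_id,
                         error=str(e),
                         msg='Found request id {key} but it is not tracked '
                             'by certmonger!?: {error}')
            continue
        yield Result(self, constants.SUCCESS, key=request_id)

    # Report any unknown certmonger requests as warnings
    for leftover in tracked_ids:
        yield Result(self, constants.WARNING, key=leftover,
                     msg='certmonger tracking request {key} found and '
                         'is not expected on an IPA master.')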
def check(self):
    """Check that each expected certificate is tracked by certmonger.

    Builds the list of request nicknames certmonger currently tracks and
    crosses it off against the requests ``get_expected_requests`` says
    this server needs.  Yields SUCCESS for each matched request, ERROR
    for an expected request with no tracking (or one whose id certmonger
    does not list), and WARNING for each tracked request nothing expected.
    """
    expected = get_expected_requests(self.ca, self.ds, self.serverid)
    cm = certmonger._certmonger()

    def nickname_of(path):
        # Resolve a D-Bus request path to its certmonger nickname.
        obj = certmonger._cm_dbus_object(cm.bus, cm, path,
                                         certmonger.DBUS_CM_REQUEST_IF,
                                         certmonger.DBUS_CM_IF, True)
        return str(obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                   'nickname'))

    remaining = [nickname_of(path) for path in cm.obj_if.get_requests()]

    for request in expected:
        request_id = certmonger.get_request_id(request)
        if request_id is None:
            # Nothing in certmonger matched this expected request.
            flatten = ', '.join("{!s}={!s}".format(key, val)
                                for (key, val) in request.items())
            yield Result(self, constants.ERROR, key=flatten,
                         msg='Missing tracking for %s' % flatten)
            continue
        try:
            remaining.remove(request_id)
        except ValueError as e:
            # An id was resolved but certmonger's own list lacks it.
            yield Result(self, constants.ERROR, key=request_id,
                         msg='Request id %s is not tracked: %s'
                             % (request_id, e))
            continue
        yield Result(self, constants.SUCCESS, key=request_id)

    # Whatever is left is tracked by certmonger but unexpected here.
    for unknown in remaining:
        yield Result(self, constants.WARNING, key=unknown,
                     msg='Unknown certmonger id %s' % unknown)
def check(self):
    """Report tracked certmonger requests that are expired or about to expire.

    The ``not-valid-after`` property of each request is read over D-Bus.
    A value of 0 (no certificate issued yet) and an expiry in the past
    are ERRORs; an expiry fewer than ``self.config.cert_expiration_days``
    days away is a WARNING; anything else is a SUCCESS.  Yields
    ``Result`` objects keyed by the request nickname.
    """
    cm = certmonger._certmonger()
    for path in cm.obj_if.get_requests():
        obj = certmonger._cm_dbus_object(cm.bus, cm, path,
                                         certmonger.DBUS_CM_REQUEST_IF,
                                         certmonger.DBUS_CM_IF, True)
        nickname = obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                   'nickname')
        notafter = obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                   'not-valid-after')

        if notafter == 0:
            # certmonger has not recorded a certificate for this request.
            yield Result(self, constants.ERROR, key=nickname,
                         msg='certmonger request id {key} does not have '
                             'a not-valid-after date, assuming it '
                             'has not been issued yet.')
            continue

        expires = datetime.fromtimestamp(notafter, timezone.utc)
        now = datetime.now(timezone.utc)
        if expires < now:
            yield Result(self, constants.ERROR, key=nickname,
                         expiration_date=generalized_time(expires),
                         msg='Request id {key} expired on '
                             '{expiration_date}')
            continue

        days_left = int((expires - now).total_seconds() / DAY)
        # The threshold is int()-converted in case config holds a string.
        if days_left >= int(self.config.cert_expiration_days):
            yield Result(self, constants.SUCCESS, key=nickname)
        else:
            yield Result(self, constants.WARNING, key=nickname,
                         expiration_date=generalized_time(expires),
                         days=days_left,
                         msg='Request id {key} expires in {days} '
                             'days. certmonger should renew this '
                             'automatically. Watch the status with '
                             'getcert list -i {key}.')
def find_ca(self, name):
    """Return the certmonger CA object registered under nickname ``name``.

    The lookup goes over D-Bus via ``find_ca_by_nickname``; the resulting
    object path is wrapped as a ``_cm_dbus_object`` exposing the CA
    interface.
    """
    cm = certmonger._certmonger()
    object_path = cm.obj_if.find_ca_by_nickname(name)
    ca = certmonger._cm_dbus_object(
        cm.bus, cm, object_path,
        certmonger.DBUS_CM_CA_IF, certmonger.DBUS_CM_IF, True)
    return ca
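def check(self):
    """Report certificates that are expired or close to expiry.

    For each certmonger request the certificate is loaded from where
    certmonger says it is stored: a file (``cert-storage`` == 'FILE') or
    an NSS database ('NSSDB').  Any failure to open or retrieve it, and
    any unknown storage type, is an ERROR.  An expired certificate is an
    ERROR, one expiring within ``self.config.cert_expiration_days`` days
    is a WARNING, otherwise SUCCESS.  Yields ``Result`` objects keyed by
    the request nickname.
    """
    cm = certmonger._certmonger()
    for req_path in cm.obj_if.get_requests():
        req_obj = certmonger._cm_dbus_object(cm.bus, cm, req_path,
                                             certmonger.DBUS_CM_REQUEST_IF,
                                             certmonger.DBUS_CM_IF, True)
        nickname = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                       'nickname')
        store = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                    'cert-storage')

        # The storage locations below come from certmonger's own request
        # properties; this check only reads them.  Load failures are
        # reported as findings rather than raised, hence the broad except.
        if store == 'FILE':
            certfile = str(req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                               'cert-file'))
            try:
                cert = x509.load_certificate_from_file(certfile)
            except Exception as e:
                yield Result(self, constants.ERROR, key=nickname,
                             certfile=certfile, error=str(e),
                             msg='Request id {key}: Unable to open cert '
                                 'file \'{certfile}\': {error}')
                continue
        elif store == 'NSSDB':
            key_nickname = str(
                req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                    'key_nickname'))
            dbdir = str(
                req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                    'cert_database'))
            try:
                db = certdb.NSSDatabase(dbdir)
            except Exception as e:
                yield Result(self, constants.ERROR, key=nickname,
                             dbdir=dbdir, error=str(e),
                             msg='Request id {key}: Unable to open NSS '
                                 'database \'{dbdir}\': {error}')
                continue
            try:
                cert = db.get_cert(key_nickname)
            except Exception as e:
                yield Result(self, constants.ERROR, key=nickname,
                             dbdir=dbdir, nickname=key_nickname,
                             error=str(e),
                             msg='Request id {key}: Unable to retrieve '
                                 'cert \'{nickname}\' from \'{dbdir}\': '
                                 '{error}')
                continue
        else:
            yield Result(self, constants.ERROR, key=nickname, store=store,
                         msg='Request id {key}: Unknown certmonger '
                             'storage type: {store}')
            continue

        # cert.not_valid_after is compared directly with utcnow(), so both
        # must stay naive UTC; making only one side tz-aware would raise.
        now = datetime.utcnow()
        notafter = cert.not_valid_after
        if now > notafter:
            yield Result(self, constants.ERROR, key=nickname,
                         expiration_date=generalized_time(notafter),
                         msg='Request id {key} expired on '
                             '{expiration_date}')
            continue

        days_left = int((notafter - now).total_seconds() / DAY)
        # int(): the configured threshold may arrive as a string.
        if days_left < int(self.config.cert_expiration_days):
            # Fixed message: the literals used to join as "withgetcert".
            yield Result(self, constants.WARNING, key=nickname,
                         expiration_date=generalized_time(notafter),
                         days=days_left,
                         msg='Request id {key} expires in {days} '
                             'days. certmonger should renew this '
                             'automatically. Watch the status with '
                             'getcert list -i {key}.')
        else:
            yield Result(self, constants.SUCCESS, key=nickname)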
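def check(self):
    """Report certificates that are expired or close to expiry.

    For each certmonger request the certificate is loaded from where
    certmonger says it is stored: a file (``cert-storage`` == 'FILE') or
    an NSS database ('NSSDB').  Any failure to open or retrieve it, and
    any unknown storage type, is an ERROR.  An expired certificate is an
    ERROR, one expiring within ``self.config.cert_expiration_days`` days
    is a WARNING, otherwise SUCCESS.  Yields ``Result`` objects keyed by
    the request nickname.
    """
    cm = certmonger._certmonger()
    for req_path in cm.obj_if.get_requests():
        req_obj = certmonger._cm_dbus_object(cm.bus, cm, req_path,
                                             certmonger.DBUS_CM_REQUEST_IF,
                                             certmonger.DBUS_CM_IF, True)
        nickname = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                       'nickname')
        store = req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                    'cert-storage')

        # Storage locations come from certmonger's own request properties;
        # this check only reads them.  Load failures are reported as
        # findings rather than raised, hence the broad except.
        if store == 'FILE':
            certfile = str(req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                               'cert-file'))
            try:
                cert = x509.load_certificate_from_file(certfile)
            except Exception as e:
                yield Result(self, constants.ERROR, key=nickname,
                             certfile=certfile, error=str(e),
                             msg='Unable to open cert file \'%s\': %s'
                                 % (certfile, e))
                continue
        elif store == 'NSSDB':
            key_nickname = str(
                req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                    'key_nickname'))
            dbdir = str(
                req_obj.prop_if.Get(certmonger.DBUS_CM_REQUEST_IF,
                                    'cert_database'))
            try:
                db = certdb.NSSDatabase(dbdir)
            except Exception as e:
                yield Result(self, constants.ERROR, key=nickname,
                             dbdir=dbdir, error=str(e),
                             msg='Unable to open NSS database \'%s\': %s'
                                 % (dbdir, e))
                continue
            try:
                cert = db.get_cert(key_nickname)
            except Exception as e:
                yield Result(self, constants.ERROR, key=nickname,
                             dbdir=dbdir, nickname=key_nickname,
                             error=str(e),
                             msg='Unable to retrieve cert \'%s\' from '
                                 '\'%s\': %s' % (key_nickname, dbdir, e))
                continue
        else:
            yield Result(self, constants.ERROR, key=nickname, store=store,
                         msg='Unknown certmonger storage type: %s' % store)
            continue

        # cert.not_valid_after is compared directly with utcnow(), so both
        # must stay naive UTC; making only one side tz-aware would raise.
        now = datetime.utcnow()
        notafter = cert.not_valid_after
        if now > notafter:
            yield Result(self, constants.ERROR, key=nickname,
                         expiration_date=generalized_time(notafter),
                         msg='Request id %s expired on %s'
                             % (nickname, generalized_time(notafter)))
            continue

        days_left = int((notafter - now).total_seconds() / DAY)
        # int(): the configured threshold may arrive as a string, and a
        # str/int comparison raises TypeError.
        if days_left < int(self.config.cert_expiration_days):
            yield Result(self, constants.WARNING, key=nickname,
                         expiration_date=generalized_time(notafter),
                         days=days_left,
                         msg='Request id %s expires in %s days'
                             % (nickname, days_left))
        else:
            yield Result(self, constants.SUCCESS, key=nickname)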