コード例 #1
ファイル: test_directivesetter.py プロジェクト: stlaz/freeipa
    def test_get_directive(self, tmpdir):
        """get_directive() resolves keys of a whitespace-separated config."""
        # Write the fixture into a throw-away file under pytest's tmpdir.
        cfg = tmpdir.join('config')
        cfg.write(''.join(WHITESPACE_CONFIG))
        path = str(cfg)

        # No separator is passed; 'foo' and 'foobar' must not be confused
        # with each other even though one is a prefix of the other.
        found_foo = directivesetter.get_directive(path, 'foo')
        found_foobar = directivesetter.get_directive(path, 'foobar')
        assert found_foo == '1'
        assert found_foobar == '2'
コード例 #2
    def test_get_directive(self, tmpdir):
        """Lookups with an explicit '=' separator return the raw values."""
        cfg = tmpdir.join('config')
        cfg.write(''.join(EXAMPLE_CONFIG))
        path = str(cfg)

        # Checked in this order: 'foo' first, then 'foobar'.
        expected = {'foo': '1', 'foobar': '2'}
        for key, value in expected.items():
            assert value == directivesetter.get_directive(path, key,
                                                          separator='=')
コード例 #3
ファイル: test_directivesetter.py プロジェクト: stlaz/freeipa
    def test_get_directive(self, tmpdir):
        """Keys sharing a prefix ('foo' vs 'foobar') resolve separately."""
        config_path = tmpdir.join('config')
        config_path.write(''.join(EXAMPLE_CONFIG))

        def lookup(key):
            # Every lookup in this test uses '=' as the key/value separator.
            return directivesetter.get_directive(str(config_path), key,
                                                 separator='=')

        assert lookup('foo') == '1'
        assert lookup('foobar') == '2'
コード例 #4
ファイル: dnskeysyncinstance.py プロジェクト: zavarat/freeipa
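    def setup_named_sysconfig(self):
        """Point BIND's sysconfig at the DNSSEC SoftHSM/OpenSSL configuration.

        Backs up ``paths.SYSCONFIG_NAMED`` through ``self.fstore`` first, then
        sets ``SOFTHSM2_CONF``.  When ``constants.NAMED_OPENSSL_ENGINE`` is
        configured it also sets ``OPENSSL_CONF`` and appends ``-E <engine>``
        to the named options variable unless
        ``self._are_named_options_configured`` reports it already present.
        """
        logger.debug("Setup BIND sysconfig")
        sysconfig = paths.SYSCONFIG_NAMED
        self.fstore.backup_file(sysconfig)

        directivesetter.set_directive(sysconfig,
                                      'SOFTHSM2_CONF',
                                      paths.DNSSEC_SOFTHSM2_CONF,
                                      quotes=False,
                                      separator='=')

        if constants.NAMED_OPENSSL_ENGINE is None:
            return

        directivesetter.set_directive(sysconfig,
                                      'OPENSSL_CONF',
                                      paths.DNSSEC_OPENSSL_CONF,
                                      quotes=False,
                                      separator='=')

        # Read the options back from the same local path we backed up and
        # wrote to, so the read and write targets cannot drift apart.
        options = directivesetter.get_directive(
            sysconfig,
            constants.NAMED_OPTIONS_VAR,
            separator="=") or ''
        if self._are_named_options_configured(options):
            return

        # Append the engine flag to whatever options already exist; dropping
        # empty parts avoids writing a leading space when no options were set.
        engine_cmd = "-E {}".format(constants.NAMED_OPENSSL_ENGINE)
        new_options = ' '.join(part for part in (options, engine_cmd) if part)
        # The value contains a space, so it must be quoted in the sysconfig file.
        directivesetter.set_directive(sysconfig,
                                      constants.NAMED_OPTIONS_VAR,
                                      new_options,
                                      quotes=True,
                                      separator='=')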
コード例 #5
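    def check_cs_cfg(self):
        """Compare cert blob in NSS database to that stored in CS.cfg.

        For every certificate in the PKI tomcat NSS database whose nickname
        maps to a CS.cfg directive, the base64 body of the certificate must
        equal that directive's value; a missing directive or a mismatch is
        reported via ``self.failure``.  Nicknames without a known directive
        are skipped instead of raising ``KeyError`` as the original did.
        """
        if not self.ca.is_configured():
            logger.debug("No CA configured, skipping CS config check")
            return

        blobs = {
            'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
            'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
            'caSigningCert cert-pki-ca': 'ca.signing.cert',
            'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
            'Server-Cert cert-pki-ca': 'ca.sslserver.cert'
        }

        def cert_body(cert):
            """Return the base64 body of *cert* without PEM armor or newlines.

            ``cert`` is either an already PEM-encoded string or an object
            exposing ``public_bytes``.  The string branch only strips CRLF
            line endings, as in the original code -- presumably that is how
            the legacy value is stored; confirm before changing.
            """
            if isinstance(cert, string_types):
                pem = cert.replace('\r\n', '')
            else:
                pem = cert.public_bytes(Encoding.PEM).decode()
                pem = pem.replace('\n', '')
            pem = pem.replace('-----BEGIN CERTIFICATE-----', '')
            return pem.replace('-----END CERTIFICATE-----', '')

        db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
        for nickname, _trust_flags in db.list_certs():
            directive = blobs.get(nickname)
            if directive is None:
                # Not every cert in the NSS DB has a CS.cfg counterpart.
                logger.debug("Nickname %s has no CS.cfg directive, skipping",
                             nickname)
                continue
            val = get_directive(paths.CA_CS_CFG_PATH, directive, '=')
            if val is None:
                self.failure('Certificate %s not found in %s' %
                             (directive, paths.CA_CS_CFG_PATH))
                continue
            pem = cert_body(db.get_cert_from_db(nickname))

            # TODO: Handle multi-valued certs.
            if pem.strip() != val:
                self.failure('Certificate %s does not match %s' %
                             (directive, paths.CA_CS_CFG_PATH))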
コード例 #6
ファイル: ipa_cert_fix.py プロジェクト: wladich/freeipa
def fix_certreq_directives(certs):
    """
    For all the certs to be fixed, ensure that the corresponding CSR is found
    in PKI config file, or try to get the CSR from certmonger.

    ``certs`` is an iterable of ``(certid, cert)`` pairs; ``certid`` is mapped
    to a nickname through the module-level ``cert_nicknames`` table.
    """
    ca_cfg = paths.CA_CS_CFG_PATH
    kra_cfg = paths.KRA_CS_CFG_PATH
    directives = {
        'auditSigningCert cert-pki-ca': ('ca.audit_signing.certreq', ca_cfg),
        'ocspSigningCert cert-pki-ca': ('ca.ocsp_signing.certreq', ca_cfg),
        'subsystemCert cert-pki-ca': ('ca.subsystem.certreq', ca_cfg),
        'Server-Cert cert-pki-ca': ('ca.sslserver.certreq', ca_cfg),
        'auditSigningCert cert-pki-kra': ('kra.audit_signing.certreq', kra_cfg),
        'storageCert cert-pki-kra': ('kra.storage.certreq', kra_cfg),
        'transportCert cert-pki-kra': ('kra.transport.certreq', kra_cfg),
    }

    # pki-server cert-fix needs to find the CSR in the subsystem config file
    # otherwise it will fail, so fill in any missing certreq directive from
    # certmonger's copy of the request.
    for certid, _cert in certs:
        nickname = cert_nicknames[certid]
        directive, cfg_path = directives[nickname]
        present = directivesetter.get_directive(cfg_path, directive, '=')
        if present is not None:
            continue
        # The CSR is missing from the config file; ask certmonger for it.
        csr = get_csr_from_certmonger(nickname)
        if not csr:
            # Nothing to write back; the directive stays unset.
            continue
        directivesetter.set_directive(cfg_path,
                                      directive,
                                      csr,
                                      quotes=False,
                                      separator='=')
コード例 #7
ファイル: httpinstance.py プロジェクト: strikerttd/freeipa
 def get_mod_nss_nickname(self):
     """Return the NSSNickname value from the mod_nss httpd configuration."""
     raw_value = directivesetter.get_directive(paths.HTTPD_NSS_CONF,
                                               'NSSNickname')
     # The directive value is expected to be wrapped in single quotes;
     # strip them before handing the nickname back.
     return directivesetter.unquote_directive_value(raw_value,
                                                    quote_char="'")
コード例 #8
ファイル: ca_renewal_master.py プロジェクト: encukou/freeipa
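    def execute(self, **options):
        """Ensure this host's CA entry carries caRenewalMaster when appropriate.

        Returns a 2-tuple whose first element is always ``False`` here and
        whose second is a list of LDAP update dicts (``dn`` plus a list of
        ``action``/``attr``/``value`` entries).  Every exit path now returns a
        2-tuple; the original returned the 3-tuple ``(False, False, [])`` for
        an unknown ``subsystem.select`` value, which would break a caller
        unpacking two values.
        """
        ca = cainstance.CAInstance(self.api.env.realm)
        if not ca.is_configured():
            logger.debug("CA is not configured on this host")
            return False, []

        ldap = self.api.Backend.ldap2
        base_dn = DN(self.api.env.container_masters, self.api.env.basedn)
        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
        # Named ``search_filter`` so the builtin ``filter`` is not shadowed.
        search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
        try:
            entries = ldap.get_entries(base_dn=base_dn, filter=search_filter,
                                       attrs_list=[])
        except errors.NotFound:
            pass
        else:
            logger.debug("found CA renewal master %s", entries[0].dn[1].value)

            # A renewal master is already recorded.  If it is this host, drop
            # the flag from any other entry that also claims it; if it is
            # another host, change nothing.
            master = False
            updates = []
            for entry in entries:
                if entry.dn == dn:
                    master = True
                    continue
                updates.append({
                    'dn': entry.dn,
                    'updates': [
                        dict(action='remove', attr='ipaConfigString',
                             value='caRenewalMaster')
                    ],
                })

            return (False, updates) if master else (False, [])

        # No renewal master in LDAP: decide from the certmonger RA request,
        # falling back to CS.cfg when there is no such request.
        criteria = {
            'cert-file': paths.RA_AGENT_PEM,
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is not None:
            logger.debug("found certmonger request for RA cert")

            ca_name = certmonger.get_request_value(request_id, 'ca-name')
            if ca_name is None:
                logger.warning(
                    "certmonger request for RA cert is missing ca_name, "
                    "assuming local CA is renewal slave")
                return False, []
            ca_name = ca_name.strip()

            # Only the renew-agent CA marks this host as the renewal master;
            # the retrieve/ca-renew agents mean another host does renewals.
            if ca_name == 'dogtag-ipa-renew-agent':
                pass
            elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
                return False, []
            elif ca_name == 'dogtag-ipa-ca-renew-agent':
                return False, []
            else:
                logger.warning(
                    "certmonger request for RA cert has unknown ca_name '%s', "
                    "assuming local CA is renewal slave", ca_name)
                return False, []
        else:
            logger.debug("certmonger request for RA cert not found")

            config = directivesetter.get_directive(
                paths.CA_CS_CFG_PATH, 'subsystem.select', '=')

            if config == 'New':
                pass
            elif config == 'Clone':
                return False, []
            else:
                logger.warning(
                    "CS.cfg has unknown subsystem.select value '%s', "
                    "assuming local CA is renewal slave", config)
                # Was ``return (False, False, [])`` -- a 3-tuple.
                return False, []

        update = {
                'dn': dn,
                'updates': [
                    dict(action='add', attr='ipaConfigString',
                         value='caRenewalMaster')
                ],
        }

        return False, [update]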
コード例 #9
    def test_get_directive(self, tmpdir):
        """Whitespace-separated directives resolve without a separator arg."""
        target = tmpdir.join('config')
        target.write(''.join(WHITESPACE_CONFIG))
        filename = str(target)

        assert directivesetter.get_directive(filename, 'foo') == '1'
        assert directivesetter.get_directive(filename, 'foobar') == '2'
コード例 #10
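    def check(self):
        """Verify that each CA cert in the NSS DB matches its blob in CS.cfg.

        Yields one ``Result`` per checked nickname: ``constants.ERROR`` when
        the directive is missing from CS.cfg or its value differs from the
        certificate in the NSS database, ``constants.SUCCESS`` otherwise.
        KRA nicknames known not to live in CS.cfg and nicknames with no
        mapping at all (treated as third-party) are skipped.
        """
        if not self.ca.is_configured():
            logger.debug("No CA configured, skipping dogtag config check")
            return

        kra = krainstance.KRAInstance(api.env.realm)

        blobs = {
            'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
            'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
            'caSigningCert cert-pki-ca': 'ca.signing.cert',
            'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
            'Server-Cert cert-pki-ca': 'ca.sslserver.cert'
        }

        # Nicknames to skip because their certs are not in CS.cfg
        skip = set()

        if kra.is_installed:
            blobs['transportCert cert-pki-kra'] = \
                'ca.connector.KRA.transportCert'
            skip.update(('storageCert cert-pki-kra',
                         'auditSigningCert cert-pki-kra'))

        db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
        for nickname, _trust_flags in db.list_certs():
            if nickname in skip:
                # The original called ``logging.debug`` with a ``%s`` but no
                # argument, so the nickname never appeared in the message.
                logger.debug('Skipping nickname %s because it isn\'t in '
                             'the configuration file', nickname)
                continue
            directive = blobs.get(nickname)
            if directive is None:
                # Log instead of print(): stdout is likely the report
                # channel for the healthcheck and should stay clean.
                logger.debug("%s not found, assuming 3rd party", nickname)
                continue
            val = get_directive(paths.CA_CS_CFG_PATH, directive, '=')
            if val is None:
                yield Result(self,
                             constants.ERROR,
                             key=nickname,
                             configfile=paths.CA_CS_CFG_PATH,
                             msg='Certificate %s not found in %s' %
                             (directive, paths.CA_CS_CFG_PATH))
                continue
            # Reduce the NSS certificate to its base64 body so it can be
            # compared with the single-line value stored in CS.cfg.
            cert = db.get_cert_from_db(nickname)
            pem = cert.public_bytes(Encoding.PEM).decode()
            pem = pem.replace('\n', '')
            pem = pem.replace('-----BEGIN CERTIFICATE-----', '')
            pem = pem.replace('-----END CERTIFICATE-----', '')

            if pem.strip() != val:
                yield Result(self,
                             constants.ERROR,
                             key=nickname,
                             directive=directive,
                             configfile=paths.CA_CS_CFG_PATH,
                             msg='Certificate \'%s\' does not match the value '
                             'of %s in %s' %
                             (nickname, directive, paths.CA_CS_CFG_PATH))
            else:
                yield Result(self,
                             constants.SUCCESS,
                             key=nickname,
                             configfile=paths.CA_CS_CFG_PATH)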
コード例 #11
ファイル: httpinstance.py プロジェクト: stlaz/freeipa
 def get_mod_nss_nickname(self):
     """Read NSSNickname from the mod_nss config and return it unquoted."""
     directive_value = directivesetter.get_directive(
         paths.HTTPD_NSS_CONF, 'NSSNickname')
     # Single quotes are the quote character used for this directive.
     nickname = directivesetter.unquote_directive_value(
         directive_value, quote_char="'")
     return nickname
コード例 #12
ファイル: ca_renewal_master.py プロジェクト: zhoubh/freeipa
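    def execute(self, **options):
        """Ensure this host's CA entry carries caRenewalMaster when appropriate.

        Returns a 2-tuple whose first element is always ``False`` here and
        whose second is a list of LDAP update dicts (``dn`` plus a list of
        ``action``/``attr``/``value`` entries).  Every exit path now returns a
        2-tuple; the original returned the 3-tuple ``(False, False, [])`` for
        an unknown ``subsystem.select`` value, which would break a caller
        unpacking two values.
        """
        ca = cainstance.CAInstance(self.api.env.realm)
        if not ca.is_configured():
            logger.debug("CA is not configured on this host")
            return False, []

        ldap = self.api.Backend.ldap2
        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                     self.api.env.basedn)
        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
        # Named ``search_filter`` so the builtin ``filter`` is not shadowed.
        search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
        try:
            entries = ldap.get_entries(base_dn=base_dn,
                                       filter=search_filter,
                                       attrs_list=[])
        except errors.NotFound:
            pass
        else:
            logger.debug("found CA renewal master %s", entries[0].dn[1].value)

            # A renewal master is already recorded.  If it is this host, drop
            # the flag from any other entry that also claims it; if it is
            # another host, change nothing.
            master = False
            updates = []
            for entry in entries:
                if entry.dn == dn:
                    master = True
                    continue
                updates.append({
                    'dn':
                    entry.dn,
                    'updates': [
                        dict(action='remove',
                             attr='ipaConfigString',
                             value='caRenewalMaster')
                    ],
                })

            return (False, updates) if master else (False, [])

        # No renewal master in LDAP: decide from the certmonger RA request,
        # falling back to CS.cfg when there is no such request.
        criteria = {
            'cert-file': paths.RA_AGENT_PEM,
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is not None:
            logger.debug("found certmonger request for RA cert")

            ca_name = certmonger.get_request_value(request_id, 'ca-name')
            if ca_name is None:
                logger.warning(
                    "certmonger request for RA cert is missing ca_name, "
                    "assuming local CA is renewal slave")
                return False, []
            ca_name = ca_name.strip()

            # Only the renew-agent CA marks this host as the renewal master;
            # the retrieve/ca-renew agents mean another host does renewals.
            if ca_name == 'dogtag-ipa-renew-agent':
                pass
            elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
                return False, []
            elif ca_name == 'dogtag-ipa-ca-renew-agent':
                return False, []
            else:
                logger.warning(
                    "certmonger request for RA cert has unknown ca_name '%s', "
                    "assuming local CA is renewal slave", ca_name)
                return False, []
        else:
            logger.debug("certmonger request for RA cert not found")

            config = directivesetter.get_directive(paths.CA_CS_CFG_PATH,
                                                   'subsystem.select', '=')

            if config == 'New':
                pass
            elif config == 'Clone':
                return False, []
            else:
                logger.warning(
                    "CS.cfg has unknown subsystem.select value '%s', "
                    "assuming local CA is renewal slave", config)
                # Was ``return (False, False, [])`` -- a 3-tuple.
                return False, []

        update = {
            'dn':
            dn,
            'updates': [
                dict(action='add',
                     attr='ipaConfigString',
                     value='caRenewalMaster')
            ],
        }

        return False, [update]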