def check_ca_clones(self):
for host in self.clone_cas:
cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
# Reach out and get some certs, to serve as a data and connectivity check
try:
connection = PKIConnection(protocol='https',
hostname=host.Hostname,
port=host.SecurePort,
verify=False)
cert_client = CertClient(connection)
# get the first 3 in case we cant to make a sanity check of replicated data
certs = cert_client.list_certs(size=3)
if certs is not None and len(certs.cert_data_info_list) == 3:
logger.info('Cert data successfully obtained from clone.')
else:
raise BaseException('CA clone problem reading data.' +
cur_clone_msg)
except BaseException as e:
logger.error("Internal server error %s", e)
raise BaseException('Internal error testing CA clone.' +
cur_clone_msg)
return
def __init__(self, connection, cert_sn, number_of_tests_per_client):
super().__init__()
self.connection = connection
self.number_of_tests_per_client = number_of_tests_per_client
self.cert_sn = cert_sn
self.cert_client = CertClient(self.connection)
return
def connection(self):
connection = PKIConnection(protocol=self.protocol,
hostname=self.hostname,
port=self.port)
connection.set_authentication_cert(self.cert)
client = CertClient(connection)
return client
class TestClient(threading.Thread):
def __init__(self, connection, cert_sn, number_of_tests_per_client):
super().__init__()
self.connection = connection
self.number_of_tests_per_client = number_of_tests_per_client
self.cert_sn = cert_sn
self.cert_client = CertClient(self.connection)
return
def run(self):
# execute the specified number of tests
for sn in range(self.number_of_tests_per_client):
try:
start = timer()
log.info("Revoking Cert : {}".format(self.cert_sn[sn]))
revoke_data = self.cert_client.revoke_cert(
self.cert_sn[sn], revocation_reason='Key_Compromise')
end = timer()
revocation_times.append(int(end - start))
except Exception as error:
log.error(error)
return
log = logging.getLogger()
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
args = parser.parse_args()
# Create a PKIConnection object that stores the details of the CA.
connection = PKIConnection('https', args.hostname, args.port, cert_paths=args.ca_cert_path)
# The pem file used for authentication. Created from a p12 file using the
# command -
# openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes
connection.set_authentication_cert(args.client_cert)
# Instantiate the CertClient
cert_client = CertClient(connection)
class cert_enroll(object):
"""
#This class will enroll the certificate.
"""
def __init__(self, sn_uid):
"""
Constructor
"""
# Enrolling an user certificate
inputs = dict()
inputs['cert_request_type'] = 'pkcs10'
def check(self):
if not self.instance.exists():
logger.debug('Invalid instance: %s', self.instance.name)
yield Result(self,
constants.CRITICAL,
msg='Invalid PKI instance: %s' % self.instance.name)
return
self.instance.load()
ca = self.instance.get_subsystem('ca')
if not ca:
logger.info(
"No CA configured, skipping dogtag CA connectivity check")
return
try:
# Make a plain HTTP GET request to /ca/admin/ca/getStatus REST api end point
# and check if the CA is ready
if ca.is_ready():
logger.debug("CA instance is running")
# Make a plain HTTPS GET to "find" one certificate, to test that
# the server is up AND is able to respond back
connection = PKIConnection(protocol='https',
hostname='localhost',
port='8443',
verify=False)
cert_client = CertClient(connection)
cert = cert_client.list_certs(size=1)
cert_info = cert.cert_data_info_list[0]
if cert_info:
# All we care is whether the serial_number is not NONE
if cert_info.serial_number:
logger.info("Serial number of retrieved cert: %s",
cert_info.serial_number)
yield Result(self,
constants.SUCCESS,
serial_number=cert_info.serial_number,
subject_dn=cert_info.subject_dn)
else:
logger.info(
"Serial number cannot retrieved for cert: %s",
cert_info)
yield Result(
self,
constants.ERROR,
msg=
"Unable to read serial number from retrieved cert",
cert_info=cert_info,
serverURI=connection.serverURI,
cert_url=cert_client.cert_url)
else:
logger.info(
"Request was made but none of the certs were retrieved"
)
yield Result(
self,
constants.ERROR,
msg=
"PKI server is up. But, unable to retrieve any certs",
serverURI=connection.serverURI,
rest_path=cert_client.cert_url)
else:
yield Result(self,
constants.CRITICAL,
msg='CA subsystem is down')
except BaseException as e:
logger.error("Internal server error %s", e)
yield Result(self,
constants.CRITICAL,
msg="Internal server error. Is your CA subsystem and "
"LDAP database up?",
instance_name=self.instance.name,
exception="%s" % e)