예제 #1
    def _setup(self, setup_pkinit):
        """Bring the local KDC's PKINIT state in line with *setup_pkinit*.

        Args:
            setup_pkinit: truthy to end up with PKINIT enabled, falsy to
                end up with it disabled.

        Side effects (all through ``KrbInstance``, which lives outside this
        file): on a state transition, certificate tracking is stopped, the
        PKINIT cert/key is deleted and SSL is re-enabled on the KDC; the
        PKINIT cert is (re)created only when it is currently absent.
        """
        server_config = api.Command.config_show()['result']
        have_ca = api.Command.ca_is_enabled()['result']

        kdc = KrbInstance()
        kdc.init_info(
            realm_name=api.env.realm,
            host_name=api.env.host,
            setup_pkinit=setup_pkinit,
            subject_base=server_config['ipacertificatesubjectbase'][0],
        )

        current = bool(is_pkinit_enabled())
        wanted = bool(setup_pkinit)
        # Only an enable<->disable transition needs the cert material
        # torn down; a no-op call leaves the existing key/cert untouched.
        if current != wanted:
            try:
                kdc.stop_tracking_certs()
            except RuntimeError as e:
                # Without a CA there may be nothing being tracked, so the
                # failure is only worth a warning when a CA is present.
                if have_ca:
                    logger.warning("Failed to stop tracking certificates: %s",
                                   e)
            # remove the cert and key
            kdc.delete_pkinit_cert()
            kdc.enable_ssl()

        if not wanted:
            kdc.pkinit_disable()
            return

        # Re-check rather than reuse `current`: the teardown above may
        # have changed what is_pkinit_enabled() reports.
        if not is_pkinit_enabled():
            kdc.setup_pkinit()
        kdc.pkinit_enable()
예제 #2
    def _setup(self, setup_pkinit):
        """Enable or disable PKINIT on the local KDC.

        Args:
            setup_pkinit: truthy to end up with PKINIT enabled, falsy to
                end up with it disabled.

        On an enable<->disable transition, certificate tracking is stopped
        and SSL is re-enabled on the KDC before the final PKINIT switch
        (all via ``KrbInstance``, defined outside this file).
        """
        server_config = api.Command.config_show()['result']
        have_ca = api.Command.ca_is_enabled()['result']

        kdc = KrbInstance()
        kdc.init_info(
            realm_name=api.env.realm,
            host_name=api.env.host,
            setup_pkinit=setup_pkinit,
            subject_base=server_config['ipacertificatesubjectbase'][0],
        )

        current = bool(is_pkinit_enabled())
        wanted = bool(setup_pkinit)
        if current != wanted:
            try:
                kdc.stop_tracking_certs()
            except RuntimeError as e:
                # A tracking failure is only surfaced when a CA is present;
                # otherwise it is expected that nothing was being tracked.
                if have_ca:
                    logger.warning(
                        "Failed to stop tracking certificates: %s", e)

            kdc.enable_ssl()

        if wanted:
            kdc.pkinit_enable()
        else:
            kdc.pkinit_disable()
예제 #3
    def check(self):
        """Build the expected ownership/mode table for IPA's sensitive files.

        Each entry is ``(path, owner, group, mode)``. The modes encode the
        intended exposure: private keys, keytabs and the session key are
        owner-only (0600/0400) or shared with a single service group
        (0440), while certificates and system files are world-readable
        (0644). ``FileCheck.check`` (outside this file) then performs the
        comparison against the filesystem; where an entry gives a tuple
        of owners/groups, presumably any listed value is acceptable —
        confirm in FileCheck.
        """
        self.files = []
        expected = self.files

        if self.ca.is_configured():
            # RA agent credentials: root-owned, readable by the ipaapi group.
            expected.extend([
                (paths.RA_AGENT_PEM, 'root', 'ipaapi', '0440'),
                (paths.RA_AGENT_KEY, 'root', 'ipaapi', '0440'),
            ])

        if krbinstance.is_pkinit_enabled():
            # KDC cert is public; its key must stay root-only.
            expected.extend([
                (paths.KDC_CERT, 'root', 'root', '0644'),
                (paths.KDC_KEY, 'root', 'root', '0600'),
            ])

        if self.dns_container_exists():
            expected.append((paths.NAMED_KEYTAB, constants.NAMED_USER,
                             constants.NAMED_GROUP, '0400'))
            # Only present when DNSSEC key sync has been set up.
            if os.path.exists(paths.IPA_DNSKEYSYNCD_KEYTAB):
                expected.append((paths.IPA_DNSKEYSYNCD_KEYTAB, 'root',
                                 constants.ODS_GROUP, '0440'))

        expected.extend([
            (paths.GSSAPI_SESSION_KEY, 'root', 'root', '0600'),
            (paths.DS_KEYTAB, constants.DS_USER, constants.DS_GROUP, '0600'),
            (paths.IPA_CA_CRT, 'root', 'root', '0644'),
            (paths.IPA_CUSTODIA_KEYS, 'root', 'root', '0600'),
            (paths.RESOLV_CONF, ('root', 'systemd-resolve'),
             ('root', 'systemd-resolve'), '0644'),
            (paths.HOSTS, 'root', 'root', '0644'),
        ])

        return FileCheck.check(self)
예제 #4
 def status(self):
     """Print whether PKINIT is currently enabled on this host."""
     state = "enabled" if is_pkinit_enabled() else "disabled"
     print("PKINIT is " + state)
예제 #5
    def check(self):
        """Build the expected ownership/mode table for IPA files and run it.

        Each entry is ``(path, owner, group, mode)``; owner/group/mode may
        also be a tuple of values, which presumably lists the acceptable
        alternatives — confirm in ``FileCheck.check`` (outside this file),
        which does the comparison against the filesystem.

        The modes encode intended exposure: private keys, keytabs and the
        session key are owner-only (0600/0400) or shared with one service
        group (0440); install/upgrade logs are root-only because they can
        contain sensitive detail; certificates and system files are
        world-readable (0644). Logs whose presence depends on what was
        installed are only listed when they exist on disk.
        """
        self.files = []
        expected = self.files

        def tomcat_logs(base_dir, audit_dir):
            # PKI (Tomcat) logs: debug logs world-readable, audit trail and
            # the fixed set of other logs group-readable only.
            entries = [
                (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644")
                for globpath in glob.glob("%s/debug*.log" % base_dir)
            ]
            entries += [
                (globpath, constants.PKI_USER, constants.PKI_GROUP, '0640')
                for globpath in glob.glob("%s/ca_audit*" % audit_dir)
            ]
            entries += [
                (os.path.join(base_dir, name),
                 constants.PKI_USER, constants.PKI_GROUP, '0640')
                for name in ('selftests.log', 'system', 'transactions')
            ]
            return entries

        if self.ca.is_configured():
            # RA agent credentials: root-owned, readable by the ipaapi group.
            expected.extend([
                (paths.RA_AGENT_PEM, 'root', constants.IPAAPI_GROUP, '0440'),
                (paths.RA_AGENT_KEY, 'root', constants.IPAAPI_GROUP, '0440'),
            ])

        if krbinstance.is_pkinit_enabled():
            # KDC cert is public; its key must stay root-only.
            expected.extend([
                (paths.KDC_CERT, 'root', 'root', '0644'),
                (paths.KDC_KEY, 'root', 'root', '0600'),
            ])

        if self.dns_container_exists():
            expected.append((paths.NAMED_KEYTAB, constants.NAMED_USER,
                             constants.NAMED_GROUP, '0400'))
            # Only present when DNSSEC key sync has been set up.
            if os.path.exists(paths.IPA_DNSKEYSYNCD_KEYTAB):
                expected.append((paths.IPA_DNSKEYSYNCD_KEYTAB, 'root',
                                 constants.ODS_GROUP, '0440'))

        expected.extend([
            (paths.GSSAPI_SESSION_KEY, 'root', 'root', '0600'),
            (paths.DS_KEYTAB, constants.DS_USER, constants.DS_GROUP, '0600'),
            (paths.IPA_CA_CRT, 'root', 'root', '0644'),
            (paths.IPA_CUSTODIA_KEYS, 'root', 'root', '0600'),
            (paths.RESOLV_CONF, ('root', 'systemd-resolve'),
             ('root', 'systemd-resolve'), '0644'),
            (paths.HOSTS, 'root', 'root', '0644'),
        ])

        # IPA log files that may vary by installation. Only verify
        # those that exist
        optional_logs = (
            paths.IPABACKUP_LOG,
            paths.IPARESTORE_LOG,
            paths.IPACLIENT_INSTALL_LOG,
            paths.IPACLIENT_UNINSTALL_LOG,
            paths.IPAREPLICA_CA_INSTALL_LOG,
            paths.IPAREPLICA_CONNCHECK_LOG,
            paths.IPAREPLICA_INSTALL_LOG,
            paths.IPASERVER_INSTALL_LOG,
            paths.IPASERVER_KRA_INSTALL_LOG,
            paths.IPASERVER_UNINSTALL_LOG,
            paths.IPAUPGRADE_LOG,
            paths.IPATRUSTENABLEAGENT_LOG,
        )
        expected.extend(
            (logfile, 'root', 'root', '0600')
            for logfile in optional_logs
            if os.path.exists(logfile)
        )

        expected.extend([
            (paths.IPA_CUSTODIA_AUDIT_LOG, 'root', 'root', '0644'),
            (paths.KADMIND_LOG, 'root', 'root', ('0600', '0640')),
            (paths.KRB5KDC_LOG, 'root', 'root', '0640'),
        ])

        # 389-ds instance name is the realm with dots replaced by dashes.
        ds_instance = api.env.realm.replace('.', '-')
        expected.extend([
            (paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % ds_instance,
             constants.DS_USER, constants.DS_GROUP, '0600'),
            (paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % ds_instance,
             constants.DS_USER, constants.DS_GROUP, '0600'),
        ])

        expected.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))

        # CA first, then KRA, to keep the report order stable.
        expected.extend(tomcat_logs(paths.TOMCAT_CA_DIR,
                                    paths.TOMCAT_SIGNEDAUDIT_DIR))
        expected.extend(tomcat_logs(paths.TOMCAT_KRA_DIR,
                                    paths.TOMCAT_KRA_SIGNEDAUDIT_DIR))

        expected.extend([
            # Setgid directory so ccaches created inside inherit the group.
            (paths.IPA_CCACHES, constants.IPAAPI_USER,
             constants.IPAAPI_GROUP, '6770'),
            (paths.IPA_RENEWAL_LOCK, 'root', 'root', '0600'),
            (paths.SVC_LIST_FILE, 'root', 'root', '0644'),
        ])

        return FileCheck.check(self)