def _setup(self, setup_pkinit):
    """Bring the KDC's PKINIT configuration in line with ``setup_pkinit``.

    Reads the certificate subject base from the server configuration and
    whether a CA is enabled, then builds a ``KrbInstance`` for this realm
    and host. When the requested state differs from the current one
    (``is_pkinit_enabled()``), certificate tracking is stopped and the
    PKINIT cert and key are deleted before SSL is re-enabled. PKINIT is then
    enabled (running ``setup_pkinit()`` first if it is not yet enabled) or
    disabled.

    :param setup_pkinit: truthy to enable PKINIT, falsy to disable it
    """
    cfg = api.Command.config_show()['result']
    have_ca = api.Command.ca_is_enabled()['result']

    instance = KrbInstance()
    instance.init_info(
        realm_name=api.env.realm,
        host_name=api.env.host,
        setup_pkinit=setup_pkinit,
        subject_base=cfg['ipacertificatesubjectbase'][0],
    )

    currently_enabled = bool(is_pkinit_enabled())
    wanted = bool(setup_pkinit)
    if currently_enabled != wanted:
        try:
            instance.stop_tracking_certs()
        except RuntimeError as err:
            # Presumably tracking only exists when a CA is enabled, so the
            # failure is only worth a warning in that case — best effort.
            if have_ca:
                logger.warning(
                    "Failed to stop tracking certificates: %s", err)
        # remove the cert and key
        instance.delete_pkinit_cert()

    instance.enable_ssl()

    if not setup_pkinit:
        instance.pkinit_disable()
        return
    # Re-check after the possible deletion above: setup is only run when
    # PKINIT is not already enabled.
    if not is_pkinit_enabled():
        instance.setup_pkinit()
    instance.pkinit_enable()
def _setup(self, setup_pkinit):
    """Bring the KDC's PKINIT configuration in line with ``setup_pkinit``.

    Reads the certificate subject base from the server configuration and
    whether a CA is enabled, then builds a ``KrbInstance`` for this realm
    and host. When the requested state differs from the current one
    (``is_pkinit_enabled()``), certificate tracking is stopped (a failure
    is logged only when a CA is enabled). SSL is re-enabled and PKINIT is
    enabled or disabled as requested.

    :param setup_pkinit: truthy to enable PKINIT, falsy to disable it
    """
    cfg = api.Command.config_show()['result']
    have_ca = api.Command.ca_is_enabled()['result']

    instance = KrbInstance()
    instance.init_info(
        realm_name=api.env.realm,
        host_name=api.env.host,
        setup_pkinit=setup_pkinit,
        subject_base=cfg['ipacertificatesubjectbase'][0],
    )

    currently_enabled = bool(is_pkinit_enabled())
    wanted = bool(setup_pkinit)
    if currently_enabled != wanted:
        try:
            instance.stop_tracking_certs()
        except RuntimeError as err:
            # Presumably tracking only exists when a CA is enabled, so the
            # failure is only worth a warning in that case — best effort.
            if have_ca:
                logger.warning(
                    "Failed to stop tracking certificates: %s", err)

    instance.enable_ssl()

    if not setup_pkinit:
        instance.pkinit_disable()
        return
    instance.pkinit_enable()
def check(self):
    """Assemble the expected owner, group and mode of IPA's sensitive files
    and delegate the actual verification to ``FileCheck.check``.

    Each ``self.files`` entry is ``(path, owner, group, mode)``; owner and
    group may be a tuple when more than one value is acceptable. Entries for
    the RA agent credentials, the KDC PKINIT cert/key and the DNS keytabs
    are added only when that component is configured on this host.

    :return: the result of ``FileCheck.check(self)``
    """
    self.files = []
    add = self.files.append

    if self.ca.is_configured():
        # RA agent credentials: readable by the ipaapi group only.
        for ra_file in (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY):
            add((ra_file, 'root', 'ipaapi', '0440'))

    if krbinstance.is_pkinit_enabled():
        add((paths.KDC_CERT, 'root', 'root', '0644'))
        add((paths.KDC_KEY, 'root', 'root', '0600'))

    if self.dns_container_exists():
        add((paths.NAMED_KEYTAB,
             constants.NAMED_USER, constants.NAMED_GROUP, '0400'))
        if os.path.exists(paths.IPA_DNSKEYSYNCD_KEYTAB):
            add((paths.IPA_DNSKEYSYNCD_KEYTAB,
                 'root', constants.ODS_GROUP, '0440'))

    add((paths.GSSAPI_SESSION_KEY, 'root', 'root', '0600'))
    add((paths.DS_KEYTAB, constants.DS_USER, constants.DS_GROUP, '0600'))
    add((paths.IPA_CA_CRT, 'root', 'root', '0644'))
    add((paths.IPA_CUSTODIA_KEYS, 'root', 'root', '0600'))
    # Either root or systemd-resolve is accepted as owner and group here.
    add((paths.RESOLV_CONF,
         ('root', 'systemd-resolve'), ('root', 'systemd-resolve'), '0644'))
    add((paths.HOSTS, 'root', 'root', '0644'))

    return FileCheck.check(self)
def status(self):
    """Print whether PKINIT is currently enabled, as reported by
    ``is_pkinit_enabled()``."""
    message = (
        "PKINIT is enabled" if is_pkinit_enabled() else "PKINIT is disabled"
    )
    print(message)
def check(self):
    """Assemble the expected owner, group and mode of IPA's sensitive files
    and log files, then delegate the actual verification to
    ``FileCheck.check``.

    Each ``self.files`` entry is ``(path, owner, group, mode)``; owner,
    group or mode may be a tuple when more than one value is acceptable.
    Component-specific entries (RA agent credentials, KDC PKINIT cert and
    key, DNS keytabs) are added only when that component is configured on
    this host, and per-run install/upgrade logs only when they exist.

    :return: the result of ``FileCheck.check(self)``
    """
    self.files = []
    add = self.files.append

    if self.ca.is_configured():
        # RA agent credentials: readable by the API group only.
        for ra_file in (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY):
            add((ra_file, 'root', constants.IPAAPI_GROUP, '0440'))

    if krbinstance.is_pkinit_enabled():
        add((paths.KDC_CERT, 'root', 'root', '0644'))
        add((paths.KDC_KEY, 'root', 'root', '0600'))

    if self.dns_container_exists():
        add((paths.NAMED_KEYTAB,
             constants.NAMED_USER, constants.NAMED_GROUP, '0400'))
        if os.path.exists(paths.IPA_DNSKEYSYNCD_KEYTAB):
            add((paths.IPA_DNSKEYSYNCD_KEYTAB,
                 'root', constants.ODS_GROUP, '0440'))

    add((paths.GSSAPI_SESSION_KEY, 'root', 'root', '0600'))
    add((paths.DS_KEYTAB, constants.DS_USER, constants.DS_GROUP, '0600'))
    add((paths.IPA_CA_CRT, 'root', 'root', '0644'))
    add((paths.IPA_CUSTODIA_KEYS, 'root', 'root', '0600'))
    # Either root or systemd-resolve is accepted as owner and group here.
    add((paths.RESOLV_CONF,
         ('root', 'systemd-resolve'), ('root', 'systemd-resolve'), '0644'))
    add((paths.HOSTS, 'root', 'root', '0644'))

    # IPA log files that may vary by installation. Only verify those
    # that exist.
    optional_logs = (
        paths.IPABACKUP_LOG,
        paths.IPARESTORE_LOG,
        paths.IPACLIENT_INSTALL_LOG,
        paths.IPACLIENT_UNINSTALL_LOG,
        paths.IPAREPLICA_CA_INSTALL_LOG,
        paths.IPAREPLICA_CONNCHECK_LOG,
        paths.IPAREPLICA_INSTALL_LOG,
        paths.IPASERVER_INSTALL_LOG,
        paths.IPASERVER_KRA_INSTALL_LOG,
        paths.IPASERVER_UNINSTALL_LOG,
        paths.IPAUPGRADE_LOG,
        paths.IPATRUSTENABLEAGENT_LOG,
    )
    for log_path in optional_logs:
        if os.path.exists(log_path):
            add((log_path, 'root', 'root', '0600'))

    add((paths.IPA_CUSTODIA_AUDIT_LOG, 'root', 'root', '0644'))
    # kadmind's log is accepted at either of two modes.
    add((paths.KADMIND_LOG, 'root', 'root', ('0600', '0640')))
    add((paths.KRB5KDC_LOG, 'root', 'root', '0640'))

    # The DS instance name is the realm with dots replaced by dashes.
    ds_instance = api.env.realm.replace('.', '-')
    for template in (paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE,
                     paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE):
        add((template % ds_instance,
             constants.DS_USER, constants.DS_GROUP, '0600'))

    add((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))

    # CA and KRA use the same Tomcat log layout; CA entries come first.
    for tomcat_dir, audit_dir in (
        (paths.TOMCAT_CA_DIR, paths.TOMCAT_SIGNEDAUDIT_DIR),
        (paths.TOMCAT_KRA_DIR, paths.TOMCAT_KRA_SIGNEDAUDIT_DIR),
    ):
        for debug_log in glob.glob("%s/debug*.log" % tomcat_dir):
            add((debug_log,
                 constants.PKI_USER, constants.PKI_GROUP, "0644"))
        for audit_log in glob.glob("%s/ca_audit*" % audit_dir):
            add((audit_log,
                 constants.PKI_USER, constants.PKI_GROUP, '0640'))
        for name in ('selftests.log', 'system', 'transactions'):
            add((os.path.join(tomcat_dir, name),
                 constants.PKI_USER, constants.PKI_GROUP, '0640'))

    # NOTE(review): '6770' carries the setuid and setgid bits in addition to
    # rwxrwx---; presumably intended so entries created in the shared ccache
    # directory inherit the ipaapi group — confirm against the installer.
    add((paths.IPA_CCACHES,
         constants.IPAAPI_USER, constants.IPAAPI_GROUP, '6770'))
    add((paths.IPA_RENEWAL_LOCK, 'root', 'root', '0600'))
    add((paths.SVC_LIST_FILE, 'root', 'root', '0644'))

    return FileCheck.check(self)