def test_get_directive(self, tmpdir):
    """get_directive() reads whitespace-separated ``key value`` lines."""
    config_path = tmpdir.join('config')
    config_path.write(''.join(WHITESPACE_CONFIG))
    path = str(config_path)
    # Default separator (whitespace) must not be confused by the shared
    # 'foo' prefix of the two keys.
    assert directivesetter.get_directive(path, 'foo') == '1'
    assert directivesetter.get_directive(path, 'foobar') == '2'
def test_get_directive(self, tmpdir):
    """get_directive() reads ``key=value`` lines when separator='=' is given."""
    config_path = tmpdir.join('config')
    config_path.write(''.join(EXAMPLE_CONFIG))
    path = str(config_path)
    expected = {'foo': '1', 'foobar': '2'}
    for key, value in expected.items():
        assert directivesetter.get_directive(path, key, separator='=') == value
def test_get_directive(self, tmpdir):
    """get_directive() with separator='=' returns the value after '='."""
    cfg = tmpdir.join('config')
    cfg.write(''.join(EXAMPLE_CONFIG))
    lookup = lambda key: directivesetter.get_directive(str(cfg), key, separator='=')  # noqa: E731
    # 'foo' must not match the longer key 'foobar' and vice versa.
    assert lookup('foo') == '1'
    assert lookup('foobar') == '2'
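def setup_named_sysconfig(self):
    """Point BIND's sysconfig file at the DNSSEC SoftHSM2/OpenSSL setup.

    Backs up ``paths.SYSCONFIG_NAMED`` through ``self.fstore``, sets
    ``SOFTHSM2_CONF`` and, when ``constants.NAMED_OPENSSL_ENGINE`` is set,
    ``OPENSSL_CONF`` plus the ``-E <engine>`` switch in the variable named
    by ``constants.NAMED_OPTIONS_VAR`` (unless
    ``self._are_named_options_configured`` says it is already there).
    """
    logger.debug("Setup BIND sysconfig")
    sysconfig = paths.SYSCONFIG_NAMED
    self.fstore.backup_file(sysconfig)

    directivesetter.set_directive(
        sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF,
        quotes=False, separator='=')

    if constants.NAMED_OPENSSL_ENGINE is None:
        # No engine configured: nothing to add to the OPTIONS variable.
        return

    directivesetter.set_directive(
        sysconfig, 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
        quotes=False, separator='=')

    # Read the file we just backed up/edited (same path as `sysconfig`,
    # kept as one name so the two cannot drift apart).
    options = directivesetter.get_directive(
        sysconfig, constants.NAMED_OPTIONS_VAR, separator="=") or ''
    if self._are_named_options_configured(options):
        return

    engine_cmd = "-E {}".format(constants.NAMED_OPENSSL_ENGINE)
    # Skip empty parts so an unset OPTIONS yields '-E <engine>' rather than
    # a value with a leading space.
    new_options = ' '.join(part for part in (options, engine_cmd) if part)
    directivesetter.set_directive(
        sysconfig, constants.NAMED_OPTIONS_VAR, new_options,
        quotes=True, separator='=')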
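def check_cs_cfg(self):
    """Compare cert blob in NSS database to that stored in CS.cfg

    For every certificate in the pki-tomcat NSS database whose nickname
    maps to a ``ca.*.cert`` directive, the base64 body of the NSS cert is
    compared with the directive value and ``self.failure`` is called on a
    missing directive or a mismatch. Nicknames without a known directive
    (e.g. third-party chain certs) are skipped instead of aborting the
    whole check with a KeyError.
    """
    if not self.ca.is_configured():
        logger.debug("No CA configured, skipping CS config check")
        return

    blobs = {
        'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
        'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
        'caSigningCert cert-pki-ca': 'ca.signing.cert',
        'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
        'Server-Cert cert-pki-ca': 'ca.sslserver.cert',
    }

    db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
    for nickname, _trust_flags in db.list_certs():
        directive = blobs.get(nickname)
        if directive is None:
            # No CS.cfg directive is known for this nickname; there is
            # nothing to compare it against.
            logger.debug("Skipping %s: no CS.cfg directive known", nickname)
            continue

        val = get_directive(paths.CA_CS_CFG_PATH, directive, '=')
        if val is None:
            self.failure('Certificate %s not found in %s'
                         % (directive, paths.CA_CS_CFG_PATH))
            continue

        cert = db.get_cert_from_db(nickname)
        if isinstance(cert, string_types):
            # Already PEM text; drop CRLF and bare LF line endings.
            pem = cert.replace('\r\n', '').replace('\n', '')
        else:
            pem = cert.public_bytes(Encoding.PEM).decode().replace('\n', '')
        # Reduce the PEM to its base64 body, which is what CS.cfg stores.
        pem = pem.replace('-----BEGIN CERTIFICATE-----', '')
        pem = pem.replace('-----END CERTIFICATE-----', '')
        # TODO: Handle multi-valued certs.
        if pem.strip() != val:
            self.failure('Certificate %s does not match %s'
                         % (directive, paths.CA_CS_CFG_PATH))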
def fix_certreq_directives(certs):
    """
    For all the certs to be fixed, ensure that the corresponding CSR is
    found in PKI config file, or try to get the CSR from certmonger.

    ``certs`` is an iterable of ``(certid, cert)`` pairs. ``certid`` is
    resolved through ``cert_nicknames`` to an NSS nickname, which selects
    the ``*.certreq`` directive and the CS.cfg file it lives in. Only CA
    and KRA subsystem certs are covered by the table below.
    """
    ca_cfg = paths.CA_CS_CFG_PATH
    kra_cfg = paths.KRA_CS_CFG_PATH
    directives = {
        'auditSigningCert cert-pki-ca': ('ca.audit_signing.certreq', ca_cfg),
        'ocspSigningCert cert-pki-ca': ('ca.ocsp_signing.certreq', ca_cfg),
        'subsystemCert cert-pki-ca': ('ca.subsystem.certreq', ca_cfg),
        'Server-Cert cert-pki-ca': ('ca.sslserver.certreq', ca_cfg),
        'auditSigningCert cert-pki-kra': ('kra.audit_signing.certreq', kra_cfg),
        'storageCert cert-pki-kra': ('kra.storage.certreq', kra_cfg),
        'transportCert cert-pki-kra': ('kra.transport.certreq', kra_cfg),
    }

    # pki-server cert-fix needs to find the CSR in the subsystem config file
    # otherwise it will fail, so every cert to be fixed must have its CSR
    # present; pull it from certmonger when it is missing.
    for certid, _cert in certs:
        nickname = cert_nicknames[certid]
        directive, cfg_path = directives[nickname]
        if directivesetter.get_directive(cfg_path, directive, '=') is not None:
            continue  # CSR already recorded
        csr = get_csr_from_certmonger(nickname)
        if not csr:
            continue  # nothing to write back
        directivesetter.set_directive(
            cfg_path, directive, csr, quotes=False, separator='=')
def get_mod_nss_nickname(self):
    """Return the NSSNickname from the mod_nss httpd config, stripped of
    surrounding single quotes."""
    raw_value = directivesetter.get_directive(
        paths.HTTPD_NSS_CONF, 'NSSNickname')
    return directivesetter.unquote_directive_value(raw_value, quote_char="'")
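def execute(self, **options):
    """Decide whether this host's CA should carry the caRenewalMaster flag.

    Returns a ``(False, updates)`` pair, where ``updates`` is a (possibly
    empty) list of LDAP update dicts. Every exit path returns a 2-tuple;
    the unknown ``subsystem.select`` branch previously returned a 3-tuple,
    which callers unpacking two values would reject.

    Order of decisions:
      1. no CA configured -> nothing to do;
      2. a renewal master is already recorded in LDAP -> keep it, and only
         if it is this host, remove the flag from any other entry;
      3. otherwise the certmonger RA-cert request's ``ca-name`` (or, if no
         request exists, CS.cfg's ``subsystem.select``) decides whether this
         host is the master and gets the flag added.
    """
    ca = cainstance.CAInstance(self.api.env.realm)
    if not ca.is_configured():
        logger.debug("CA is not configured on this host")
        return False, []

    ldap = self.api.Backend.ldap2
    base_dn = DN(self.api.env.container_masters, self.api.env.basedn)
    dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
    # Named search_filter rather than `filter` to avoid shadowing the builtin.
    search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
    try:
        entries = ldap.get_entries(
            base_dn=base_dn, filter=search_filter, attrs_list=[])
    except errors.NotFound:
        pass
    else:
        logger.debug("found CA renewal master %s", entries[0].dn[1].value)
        master = False
        updates = []
        for entry in entries:
            if entry.dn == dn:
                master = True
                continue
            updates.append({
                'dn': entry.dn,
                'updates': [
                    dict(action='remove', attr='ipaConfigString',
                         value='caRenewalMaster')
                ],
            })
        # Only the renewal master itself may strip the flag from other
        # entries; a non-master leaves LDAP untouched.
        return (False, updates) if master else (False, [])

    criteria = {
        'cert-file': paths.RA_AGENT_PEM,
    }
    request_id = certmonger.get_request_id(criteria)
    if request_id is not None:
        logger.debug("found certmonger request for RA cert")
        ca_name = certmonger.get_request_value(request_id, 'ca-name')
        if ca_name is None:
            logger.warning(
                "certmonger request for RA cert is missing ca_name, "
                "assuming local CA is renewal slave")
            return False, []
        ca_name = ca_name.strip()
        if ca_name in ('dogtag-ipa-retrieve-agent-submit',
                       'dogtag-ipa-ca-renew-agent'):
            # Both CA helpers mean this host retrieves rather than renews.
            return False, []
        if ca_name != 'dogtag-ipa-renew-agent':
            logger.warning(
                "certmonger request for RA cert has unknown ca_name '%s', "
                "assuming local CA is renewal slave", ca_name)
            return False, []
    else:
        logger.debug("certmonger request for RA cert not found")
        config = directivesetter.get_directive(
            paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
        if config == 'Clone':
            return False, []
        if config != 'New':
            logger.warning(
                "CS.cfg has unknown subsystem.select value '%s', "
                "assuming local CA is renewal slave", config)
            # Fixed: was `return (False, False, [])`, inconsistent with
            # every other return in this method.
            return False, []

    update = {
        'dn': dn,
        'updates': [
            dict(action='add', attr='ipaConfigString',
                 value='caRenewalMaster')
        ],
    }
    return False, [update]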
def test_get_directive(self, tmpdir):
    """Whitespace-separated directives resolve by exact key name."""
    cfg = tmpdir.join('config')
    cfg.write(''.join(WHITESPACE_CONFIG))
    cfg_name = str(cfg)
    expected = {'foo': '1', 'foobar': '2'}
    for key, value in expected.items():
        assert directivesetter.get_directive(cfg_name, key) == value
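def check(self):
    """Verify that each CA (and KRA connector) cert in the NSS DB matches CS.cfg.

    Yields one ``Result`` per compared nickname: ERROR when the directive is
    missing or its value differs from the base64 body of the NSS cert,
    SUCCESS otherwise. Nicknames with no known directive are skipped.
    """
    if not self.ca.is_configured():
        logger.debug("No CA configured, skipping dogtag config check")
        return

    kra = krainstance.KRAInstance(api.env.realm)
    blobs = {
        'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
        'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
        'caSigningCert cert-pki-ca': 'ca.signing.cert',
        'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
        'Server-Cert cert-pki-ca': 'ca.sslserver.cert',
    }

    # Nicknames to skip because their certs are not in CS.cfg
    skip = []
    if kra.is_installed:
        blobs['transportCert cert-pki-kra'] = 'ca.connector.KRA.transportCert'
        skip.append('storageCert cert-pki-kra')
        skip.append('auditSigningCert cert-pki-kra')

    db = certs.CertDB(api.env.realm, paths.PKI_TOMCAT_ALIAS_DIR)
    for nickname, _trust_flags in db.list_certs():
        if nickname in skip:
            # Fixed: the original log call used a '%s' placeholder with no
            # argument, so the message failed to format.
            logger.debug('Skipping nickname %s because it isn\'t in '
                         'the configuration file', nickname)
            continue

        directive = blobs.get(nickname)
        if directive is None:
            # NOTE(review): this writes to stdout rather than the logger;
            # kept as-is to preserve existing output.
            print("%s not found, assuming 3rd party" % nickname)
            continue

        val = get_directive(paths.CA_CS_CFG_PATH, directive, '=')
        if val is None:
            yield Result(self, constants.ERROR,
                         key=nickname,
                         configfile=paths.CA_CS_CFG_PATH,
                         msg='Certificate %s not found in %s'
                             % (directive, paths.CA_CS_CFG_PATH))
            continue

        cert = db.get_cert_from_db(nickname)
        # Reduce the PEM to its single-line base64 body, the form CS.cfg stores.
        pem = cert.public_bytes(Encoding.PEM).decode()
        pem = pem.replace('\n', '')
        pem = pem.replace('-----BEGIN CERTIFICATE-----', '')
        pem = pem.replace('-----END CERTIFICATE-----', '')
        if pem.strip() != val:
            yield Result(self, constants.ERROR,
                         key=nickname,
                         directive=directive,
                         configfile=paths.CA_CS_CFG_PATH,
                         msg='Certificate \'%s\' does not match the value '
                             'of %s in %s'
                             % (nickname, directive, paths.CA_CS_CFG_PATH))
        else:
            yield Result(self, constants.SUCCESS,
                         key=nickname,
                         configfile=paths.CA_CS_CFG_PATH)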
def get_mod_nss_nickname(self):
    """Read NSSNickname from the mod_nss httpd config and strip its quotes."""
    quoted = directivesetter.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
    unquoted = directivesetter.unquote_directive_value(quoted, quote_char="'")
    return unquoted
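def execute(self, **options):
    """Decide whether this host's CA should carry the caRenewalMaster flag.

    Returns a ``(False, updates)`` pair, where ``updates`` is a (possibly
    empty) list of LDAP update dicts. Every exit path returns a 2-tuple;
    the unknown ``subsystem.select`` branch previously returned a 3-tuple,
    which callers unpacking two values would reject.

    Order of decisions:
      1. no CA configured -> nothing to do;
      2. a renewal master is already recorded in LDAP -> keep it, and only
         if it is this host, remove the flag from any other entry;
      3. otherwise the certmonger RA-cert request's ``ca-name`` (or, if no
         request exists, CS.cfg's ``subsystem.select``) decides whether this
         host is the master and gets the flag added.
    """
    ca = cainstance.CAInstance(self.api.env.realm)
    if not ca.is_configured():
        logger.debug("CA is not configured on this host")
        return False, []

    ldap = self.api.Backend.ldap2
    base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                 self.api.env.basedn)
    dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
    # Named search_filter rather than `filter` to avoid shadowing the builtin.
    search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
    try:
        entries = ldap.get_entries(
            base_dn=base_dn, filter=search_filter, attrs_list=[])
    except errors.NotFound:
        pass
    else:
        logger.debug("found CA renewal master %s", entries[0].dn[1].value)
        master = False
        updates = []
        for entry in entries:
            if entry.dn == dn:
                master = True
                continue
            updates.append({
                'dn': entry.dn,
                'updates': [
                    dict(action='remove', attr='ipaConfigString',
                         value='caRenewalMaster')
                ],
            })
        # Only the renewal master itself may strip the flag from other
        # entries; a non-master leaves LDAP untouched.
        return (False, updates) if master else (False, [])

    criteria = {
        'cert-file': paths.RA_AGENT_PEM,
    }
    request_id = certmonger.get_request_id(criteria)
    if request_id is not None:
        logger.debug("found certmonger request for RA cert")
        ca_name = certmonger.get_request_value(request_id, 'ca-name')
        if ca_name is None:
            logger.warning(
                "certmonger request for RA cert is missing ca_name, "
                "assuming local CA is renewal slave")
            return False, []
        ca_name = ca_name.strip()
        if ca_name in ('dogtag-ipa-retrieve-agent-submit',
                       'dogtag-ipa-ca-renew-agent'):
            # Both CA helpers mean this host retrieves rather than renews.
            return False, []
        if ca_name != 'dogtag-ipa-renew-agent':
            logger.warning(
                "certmonger request for RA cert has unknown ca_name '%s', "
                "assuming local CA is renewal slave", ca_name)
            return False, []
    else:
        logger.debug("certmonger request for RA cert not found")
        config = directivesetter.get_directive(
            paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
        if config == 'Clone':
            return False, []
        if config != 'New':
            logger.warning(
                "CS.cfg has unknown subsystem.select value '%s', "
                "assuming local CA is renewal slave", config)
            # Fixed: was `return (False, False, [])`, inconsistent with
            # every other return in this method.
            return False, []

    update = {
        'dn': dn,
        'updates': [
            dict(action='add', attr='ipaConfigString',
                 value='caRenewalMaster')
        ],
    }
    return False, [update]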