
# Copyright (C) 2007 Red Hat, Inc., Kent Lamb <klamb@redhat.com>

# This file is part of the sos project: https://github.com/sosreport/sos
#
# This copyrighted material is made available to anyone wishing to use,
# modify, copy, or redistribute it subject to the terms and conditions of
# version 2 of the GNU General Public License.
#
# See the LICENSE file in the source distribution for further information.

from sos.plugins import Plugin, RedHatPlugin, SoSPredicate
from glob import glob
from os.path import exists


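class Ipa(Plugin, RedHatPlugin):
    """ Identity, policy, audit

    Collects FreeIPA / IdM server and client diagnostics: installer and
    upgrade logs, KDC and 389-ds logs, the IPA/Dogtag configuration and
    certificate inventories. Private key material, NSS PIN/password files
    and keytabs are explicitly deny-listed, and the secrets that do end up in
    collected text (LDAP bind password in named.conf, certmonger PINs) are
    scrubbed in postproc().
    """

    plugin_name = 'ipa'
    profiles = ('identity', 'apache')

    # NOTE(review): not read anywhere in this plugin; kept because other code
    # may introspect the class.
    ipa_server = False
    ipa_client = False

    # Plugin triggers: the IPA config directory or any of these packages.
    files = ('/etc/ipa',)
    packages = ('ipa-server', 'ipa-client', 'freeipa-server', 'freeipa-client')

    # Dogtag (pki) instance and configuration directories for the two layouts
    # this plugin knows about. Class-level so the *_installed() helpers work
    # even if called before setup().
    pki_tomcat_dir_v4 = "/var/lib/pki/pki-tomcat"
    pki_tomcat_dir_v3 = "/var/lib/pki-ca"
    pki_tomcat_conf_dir_v4 = "/etc/pki/pki-tomcat/ca"
    pki_tomcat_conf_dir_v3 = "/etc/pki-ca"

    def check_ipa_server_version(self):
        """Return "v4", "v3" or None for the Dogtag PKI layout found on the host.

        The detection is heuristic: package names plus well-known directories.
        None means neither layout was recognised (e.g. a client-only box).
        """
        if self.is_installed("pki-server") \
                or exists("/var/lib/pki") \
                or exists("/usr/share/doc/ipa-server-4.2.0"):
            return "v4"
        if self.is_installed("pki-common") \
                or exists("/var/lib/pki-ca/"):
            return "v3"
        return None

    def ca_installed(self):
        """Return True when a Dogtag CA instance config (CS.cfg) is present.

        Follows the same checks as the IPA CA installer code.
        """
        return exists("%s/conf/ca/CS.cfg" % self.pki_tomcat_dir_v4) \
            or exists("%s/conf/CS.cfg" % self.pki_tomcat_dir_v3)

    def ipa_server_installed(self):
        """Return True when an IPA/FreeIPA *server* package is installed."""
        return bool(self.is_installed("ipa-server")
                    or self.is_installed("freeipa-server"))

    def retrieve_pki_logs(self, ipa_version):
        """Register the Dogtag CA/KRA log files for the given layout.

        :param ipa_version: "v4", "v3" or None (as returned by
            check_ipa_server_version()); nothing is registered for None.
        """
        if ipa_version == "v4":
            self.add_copy_spec([
               "/var/log/pki/pki-tomcat/ca/debug",
               "/var/log/pki/pki-tomcat/ca/system",
               "/var/log/pki/pki-tomcat/ca/transactions",
               "/var/log/pki/pki-tomcat/ca/selftests.log",
               "/var/log/pki/pki-tomcat/catalina.*",
               "/var/log/pki/pki-ca-spawn.*",
               "/var/log/pki/pki-tomcat/kra/debug",
               "/var/log/pki/pki-tomcat/kra/system",
               "/var/log/pki/pki-tomcat/kra/transactions",
               "/var/log/pki/pki-kra-spawn.*"
            ])
        elif ipa_version == "v3":
            self.add_copy_spec([
               "/var/log/pki-ca/debug",
               "/var/log/pki-ca/system",
               "/var/log/pki-ca/transactions",
               "/var/log/pki-ca/selftests.log",
               "/var/log/pki-ca/catalina.*",
               "/var/log/pki/pki-ca-spawn.*"
            ])

    def _select_pki_dirs(self, ipa_version):
        """Pick the PKI instance and config directories for *ipa_version*.

        Anything other than "v4" (including None) falls back to the v3 paths,
        matching the original behaviour.
        """
        if ipa_version == "v4":
            self.pki_tomcat_dir = self.pki_tomcat_dir_v4
            self.pki_tomcat_conf_dir = self.pki_tomcat_conf_dir_v4
        else:
            self.pki_tomcat_dir = self.pki_tomcat_dir_v3
            self.pki_tomcat_conf_dir = self.pki_tomcat_conf_dir_v3

    def setup(self):
        """Register files and commands to collect.

        Order matters for safety: the deny-list of key material is registered
        before any copy spec, so the wildcard specs below (/etc/httpd/alias/*,
        /etc/named.*, ...) cannot pull in NSS key databases, PIN/password
        files or keytabs regardless of when the framework applies the list.
        """
        # Returns "v3", "v4", or None
        ipa_version = self.check_ipa_server_version()
        self._select_pki_dirs(ipa_version)

        # Private keys, NSS key DBs, PIN/password files and keytabs must never
        # leave the host inside a report.
        self.add_forbidden_path([
            "/etc/pki/nssdb/key*",
            "/etc/dirsrv/slapd-*/key*",
            "/etc/dirsrv/slapd-*/pin.txt",
            "/etc/dirsrv/slapd-*/pwdfile.txt",
            "/etc/httpd/alias/ipasession.key",
            "/etc/httpd/alias/key*",
            "/etc/httpd/alias/pin.txt",
            "/etc/httpd/alias/pwdfile.txt",
            "/etc/named.keytab",
            "%s/alias/key*" % self.pki_tomcat_dir,
            "%s/flatfile.txt" % self.pki_tomcat_conf_dir,
            "%s/password.conf" % self.pki_tomcat_conf_dir,
        ])

        if self.ipa_server_installed():
            self._log_debug("IPA server install detected")
            self._log_debug("IPA version is [%s]" % ipa_version)

            self.add_copy_spec([
                "/var/log/ipaserver-install.log",
                "/var/log/ipaserver-kra-install.log",
                "/var/log/ipareplica-install.log",
                "/var/log/ipareplica-ca-install.log",
                "/var/log/ipa-custodia.audit.log"
            ])

        if self.ca_installed():
            self._log_debug("CA is installed: retrieving PKI logs")
            self.retrieve_pki_logs(ipa_version)

        # Common client/server material. Only public certificates are listed
        # here (ca.crt, httpd.crt, kdc.crt, ra-agent.pem); the matching keys
        # live in paths covered by the deny-list above.
        # NOTE(review): dse.ldif carries nsslapd-rootpw and replication bind
        # credentials; this plugin does not scrub them itself and relies on
        # the dirsrv plugin's postproc — confirm that still holds.
        self.add_copy_spec([
            "/var/log/ipaclient-install.log",
            "/var/log/ipaupgrade.log",
            "/var/log/krb5kdc.log",
            "/var/log/dirsrv/slapd-*/logs/access",
            "/var/log/dirsrv/slapd-*/logs/errors",
            "/etc/dirsrv/slapd-*/dse.ldif",
            "/etc/dirsrv/slapd-*/schema/99user.ldif",
            "/etc/hosts",
            "/etc/httpd/alias/*",
            "/etc/named.*",
            "/etc/ipa/ca.crt",
            "/etc/ipa/default.conf",
            "/etc/ipa/kdcproxy/kdcproxy.conf",
            "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf",
            "/etc/ipa/kdcproxy.conf",
            "/root/.ipa/log/cli.log",
            "/var/lib/certmonger/requests/[0-9]*",
            "/var/lib/certmonger/cas/[0-9]*",
            "/var/lib/ipa/ra-agent.pem",
            "/var/lib/ipa/certs/httpd.crt",
            "/var/kerberos/krb5kdc/kdc.crt",
            "/var/lib/ipa/sysrestore/sysrestore.state",
            "/var/log/ipa/healthcheck/healthcheck.log*"
        ])

        # PKI config and certificate inventory of the selected Dogtag layout.
        self.add_cmd_output("certutil -L -d %s/alias" % self.pki_tomcat_dir)
        self.add_copy_spec("%s/CS.cfg" % self.pki_tomcat_conf_dir)

        # certutil -L lists certificates only; klist -ket prints key versions
        # and enctypes, not key material.
        self.add_cmd_output([
            "ls -la /etc/dirsrv/slapd-*/schema/",
            "certutil -L -d /etc/httpd/alias/",
            "pki-server cert-find --show-all",
            "pki-server subsystem-cert-validate ca",
            "klist -ket /etc/dirsrv/ds.keytab",
            "klist -ket /etc/httpd/conf/ipa.keytab",
            "klist -ket /var/lib/ipa/gssproxy/http.keytab"
        ])

        # getcert talks to the certmonger daemon; skip it when that service
        # is not running rather than collect an error.
        getcert_pred = SoSPredicate(self, services=['certmonger'])
        self.add_cmd_output("getcert list", pred=getcert_pred)

        for certdb_directory in glob("/etc/dirsrv/slapd-*/"):
            self.add_cmd_output("certutil -L -d %s" % certdb_directory)

    def postproc(self):
        """Scrub secrets from collected files and command output.

        Covers the bind-dyndb-ldap LDAP password in named.conf and the NSS
        token PINs certmonger records in `getcert list` output and in its
        request files. PINs are matched as arbitrary strings rather than
        digits only, so alphanumeric PINs are redacted as well.
        """
        # dynamic-db "ipa" { arg "password <secret>"; ... } in named.conf
        self.do_file_sub("/etc/named.conf",
                         r"(\s*arg \"password )[^\"]*",
                         r"\1********")

        # getcert list: ... pin='<pin>' — mask whatever is quoted.
        self.do_cmd_output_sub("getcert list",
                               r"(pin=)'([^']*)'",
                               r"\1'***'")

        # certmonger request files: key_pin=<pin> up to end of line
        # ("key_pin_file=" does not match the literal "key_pin=").
        for request_file in glob("/var/lib/certmonger/requests/[0-9]*"):
            self.do_file_sub(request_file,
                             r"(key_pin=)(.+)",
                             r"\1***")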


# vim: set et ts=4 sw=4 :