From b573ab9818bcaa576b1156b0a1375d420bd29f58 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 21 Aug 2023 09:22:53 -0500 Subject: [PATCH] Add pki-server ca-crl-ip-find/show The pki-server ca-crl-ip-find/show commands have been added to make it easier to inspect CRL issuing point configuration.
--- base/server/python/pki/server/cli/ca.py | 205 +++++++++++++++++++++ base/server/python/pki/server/subsystem.py | 36 ++++ 2 files changed, 241 insertions(+)
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index f46b7a6cb0d..88a5c6b05b5 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -829,6 +829,7 @@ def __init__(self):
 super().__init__('crl', 'CA CRL configuration management commands')
 self.add_module(CACRLShowCLI())
+ self.add_module(CACRLIPCLI())
 @staticmethod
 def print_crl_config(config):
@@ -909,6 +910,210 @@ def execute(self, argv):
 CACRLCLI.print_crl_config(config)
+class CACRLIPCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super().__init__('ip', 'CA CRL issuing point configuration management commands')
+
+ self.add_module(CACRLIPFindCLI())
+ self.add_module(CACRLIPShowCLI())
+
+ @staticmethod
+ def print_crl_issuing_point_config(id, config, details=False):
+
+ output = f'''
+ ID: {id}
+ Description: {config.get('description')}
+ Class: {config.get('class')}
+ Enable: {config.get('enable')}
+ '''
+
+ print(textwrap.indent(textwrap.dedent(output).strip(), ' '))
+
+ if not details:
+ return
+
+ output = f'''
+ Allow Extensions: {config.get('allowExtensions')}
+ Always Update: {config.get('alwaysUpdate')}
+ Auto Update Interval: {config.get('autoUpdateInterval')}
+ CA Certs Only: {config.get('caCertsOnly')}
+ Cache Update Interval: {config.get('cacheUpdateInterval')}
+ Unexpected Exception Wait Time: {config.get('unexpectedExceptionWaitTime')}
+ Unexpected Exception Loop Max: {config.get('unexpectedExceptionLoopMax')}
+ Daily Updates: {config.get('dailyUpdates')}
+ Enable CRL Cache: {config.get('enableCRLCache')}
+ Enable CRL Updates: {config.get('enableCRLUpdates')}
+ Enable Cache Testing: {config.get('enableCacheTesting')}
+ Enable Cache Recovery: {config.get('enableCacheRecovery')}
+ Enable Daily Updates: {config.get('enableDailyUpdates')}
+ Enable Update Interval: {config.get('enableUpdateInterval')}
+ Extended Next Update: {config.get('extendedNextUpdate')}
+ Include Expired Certs: {config.get('includeExpiredCerts')}
+ Min Update Interval: {config.get('minUpdateInterval')}
+ Next Update Grace Period: {config.get('nextUpdateGracePeriod')}
+ Publish On Start: {config.get('publishOnStart')}
+ Save Memory: {config.get('saveMemory')}
+ Signing Algorithm: {config.get('signingAlgorithm')}
+ Update Schema: {config.get('updateSchema')}
+ '''
+
+ print(textwrap.indent(textwrap.dedent(output).strip(), ' '))
+
+
+class CACRLIPFindCLI(pki.cli.CLI):
+ '''
+ Find CRL issuing point configurations in CA
+ '''
+
+ help = '''\
+ Usage: pki-server ca-crl-ip-find [OPTIONS]
+
+ -i, --instance Instance ID (default: pki-tomcat)
+ -v, --verbose Run in verbose mode.
+ --debug Run in debug mode.
+ --help Show help message.
+ ''' # noqa: E501
+
+ def __init__(self):
+ super().__init__('find', inspect.cleandoc(self.__class__.__doc__))
+
+ def print_help(self):
+ print(textwrap.dedent(self.__class__.help))
+
+ def execute(self, argv):
+
+ try:
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'debug', 'help'])
+
+ except getopt.GetoptError as e:
+ logger.error(e)
+ self.print_help()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ logging.getLogger().setLevel(logging.INFO)
+
+ elif o == '--debug':
+ logging.getLogger().setLevel(logging.DEBUG)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ logger.error('Invalid option: %s', o)
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.instance.PKIServerFactory.create(instance_name)
+ if not instance.exists():
+ logger.error('Invalid instance: %s', instance_name)
+ sys.exit(1)
+
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ if not subsystem:
+ logger.error('No CA subsystem in instance %s', instance_name)
+ sys.exit(1)
+
+ ids = subsystem.find_crl_issuing_point_ids()
+
+ first = True
+ for id in ids:
+ if first:
+ first = False
+ else:
+ print()
+
+ config = subsystem.get_crl_issuing_point_config(id)
+ CACRLIPCLI.print_crl_issuing_point_config(id, config)
+
+
+class CACRLIPShowCLI(pki.cli.CLI):
+ '''
+ Show CRL issuing point configuration in CA
+ '''
+
+ help = '''\
+ Usage: pki-server ca-crl-ip-show [OPTIONS]
+
+ -i, --instance Instance ID (default: pki-tomcat)
+ -v, --verbose Run in verbose mode.
+ --debug Run in debug mode.
+ --help Show help message.
+ ''' # noqa: E501
+
+ def __init__(self):
+ super().__init__('show', inspect.cleandoc(self.__class__.__doc__))
+
+ def print_help(self):
+ print(textwrap.dedent(self.__class__.help))
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.gnu_getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'debug', 'help'])
+
+ except getopt.GetoptError as e:
+ logger.error(e)
+ self.print_help()
+ sys.exit(1)
+
+ if len(args) != 1:
+ logger.error('Missing CRL issuing point ID')
+ self.print_help()
+ sys.exit(1)
+
+ id = args[0]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ logging.getLogger().setLevel(logging.INFO)
+
+ elif o == '--debug':
+ logging.getLogger().setLevel(logging.DEBUG)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ logger.error('Invalid option: %s', o)
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.instance.PKIServerFactory.create(instance_name)
+ if not instance.exists():
+ logger.error('Invalid instance: %s', instance_name)
+ sys.exit(1)
+
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ if not subsystem:
+ logger.error('No CA subsystem in instance %s', instance_name)
+ sys.exit(1)
+
+ config = subsystem.get_crl_issuing_point_config(id)
+ CACRLIPCLI.print_crl_issuing_point_config(id, config, details=True)
+
+
 class CACloneCLI(pki.cli.CLI):
 def __init__(self):
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index 97fdfc0fb4d..b84b17ba5cc 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
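Review bot: CACRLIPShowCLI.execute never checks that the requested issuing point exists — get_crl_issuing_point_config() returns an empty dict for an unknown ID, so `pki-server ca-crl-ip-show bogus` prints an entry with every field as None and exits 0 instead of failing. After the subsystem lookup, add `if id not in subsystem.find_crl_issuing_point_ids():` / `logger.error('No CRL issuing point: %s', id)` / `sys.exit(1)`. The positional-argument count is also validated before the option loop, so `pki-server ca-crl-ip-show --help` hits the 'Missing CRL issuing point ID' error and exit status 1 rather than printing help; moving the `len(args) != 1` check below the loop lets the `--help` branch run first. In both new commands `id` shadows the builtin; a name such as `ip_id` would avoid that.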
@@ -2399,6 +2399,42 @@ def get_crl_config(self):
 return config
+ def find_crl_issuing_point_ids(self):
+
+ ids = []
+
+ # find ca.crl..class params
+ pattern = re.compile(r'^ca.crl\.([^\.]*)\.class$')
+
+ for key in self.config.keys():
+
+ m = pattern.match(key)
+ if not m:
+ continue
+
+ id = m.group(1)
+ ids.append(id)
+
+ return ids
+
+ def get_crl_issuing_point_config(self, id):
+
+ config = {}
+
+ # find ca.crl..* params
+ pattern = re.compile(r'^ca.crl\.%s\.([^\.]*)' % id)
+
+ for key, value in self.config.items():
+
+ m = pattern.match(key)
+ if not m:
+ continue
+
+ name = m.group(1)
+ config[name] = value
+
+ return config
+
 class KRASubsystem(PKISubsystem):
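Review bot: In get_crl_issuing_point_config() the caller-supplied `id` is interpolated into the regex unescaped and the pattern has no end anchor, so an ID containing metacharacters (e.g. `.*`) or a key with extra components such as `ca.crl.MasterCRL.foo.bar` matches keys that belong to other issuing points or nested params, and later keys silently overwrite earlier ones in `config`. Use `pattern = re.compile(r'^ca\.crl\.%s\.([^.]*)$' % re.escape(id))`; the `ca.crl` prefix in both new patterns also leaves its dots unescaped, so `^ca\.crl\.` is the safer form in find_crl_issuing_point_ids() too. The ID comes straight from the ca-crl-ip-show positional argument, so the broader match is reachable, though only by whoever can already run pki-server against the instance. The comments `# find ca.crl..class params` and `# find ca.crl..* params` look as if a placeholder was lost; `# find ca.crl.<id>.class params` and `# find ca.crl.<id>.* params` read as intended.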