Add a status option to ipa-acme-manage

It's handy in general and good for testing to be able to detect the current ACME status without having to revert to using curl. https://pagure.io/freeipa/issue/8524 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-10-14 13:20:16 -04:00 · 2020-10-14 13:20:16 -04:00 · 69ae48c8b6
commit 69ae48c8b6
parent 92c3ea4e29
3 changed files with 41 additions and 4 deletions
--- a/install/tools/man/ipa-acme-manage.1
+++ b/install/tools/man/ipa-acme-manage.1
@ -5,11 +5,11 @@
 .SH "NAME"
 ipa\-acme\-manage \- Manage the FreeIPA ACME service
 .SH "SYNOPSIS"
-ipa\-acme\-manage enable|disable
+ipa\-acme\-manage enable|disable|status
 .SH "DESCRIPTION"

-Use the \fIipa-acme-manage\fR command to enable or disable the ACME
-service on a FreeIPA CA server.
+Use the \fIipa-acme-manage\fR command to enable, disable or retrieve
+the status of the ACME service on a FreeIPA CA server.

 In a FreeIPA topology all CA servers capable of ACME will
 have the ACME service deployed.  The service is not enabled
@ -24,6 +24,9 @@ Enable the ACME service on this host.
 .TP
 \fBdisable\fR
 Disable the ACME service on this host.
+.TP
+\fBstatus\fR
+Display the status of the ACME service.

 .SH "EXIT STATUS"
 0 if the command was successful
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@ -150,6 +150,35 @@ def ca_status(ca_host=None):
    return _parse_ca_status(body)


+def acme_status(ca_host=None):
+    """Return the status of ACME
+
+    Returns a boolean.
+
+    If the proxy is not working or the CA is not running then this could
+    return a false negative.
+    """
+    if ca_host is None:
+        ca_host = api.env.ca_host
+    status, _headers, _body = https_request(
+        ca_host, 443,
+        url='/acme/directory',
+        cafile=api.env.tls_ca_cert,
+        client_certfile=None,
+        client_keyfile=None,
+        method='GET',
+        timeout=api.env.http_timeout)
+    if status == 200:
+        return True
+    elif status == 503:
+        # This is what it should return when disabled
+        return False
+    else:
+        # Unexpected status code, log and return False
+        logger.error('ACME status request returned %d', status)
+        return False
+
+
 def https_request(
        host, port, url, cafile, client_certfile, client_keyfile,
        method='POST', headers=None, body=None, **kw):
--- a/ipaserver/install/ipa_acme_manage.py
+++ b/ipaserver/install/ipa_acme_manage.py
@ -69,11 +69,12 @@ class acme_state(RestClient):
 class Command(enum.Enum):
    ENABLE = 'enable'
    DISABLE = 'disable'
+    STATUS = 'status'


 class IPAACMEManage(AdminTool):
    command_name = "ipa-acme-manage"
-    usage = "%prog [enable|disable]"
+    usage = "%prog [enable|disable|status]"
    description = "Manage the IPA ACME service"

    def validate_options(self):
@ -108,6 +109,10 @@ class IPAACMEManage(AdminTool):
                ca_api.enable()
            elif self.command == Command.DISABLE:
                ca_api.disable()
+            elif self.command == Command.STATUS:
+                status = "enabled" if dogtag.acme_status() else "disabled"
+                print("ACME is {}".format(status))
+                return 0
            else:
                raise RuntimeError('programmer error: unhandled enum case')