freeipa/ipaserver/plugins/pkinit.py
Martin Babinsky 99352731b4 Add pkinit-status command
This command is a more streamlined reporting tool for PKINIT feature
status in the FreeIPA topology. It prints out whether PKINIT is enabled
or disabled on individual masters in a topology. If a `--server` is
specified, it reports status for an individual server. If `--status` is
specified, it searches for all servers that have PKINIT enabled or
disabled.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00


#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
from ipalib import Object
from ipalib import _, ngettext
from ipalib.crud import Search
from ipalib.parameters import Int, Str, StrEnum
from ipalib.plugable import Registry
# Plugin registry for this module; the @register() decorators below add the
# pkinit object and the pkinit_status command to it.
register = Registry()

# Translatable module doc shown by `ipa help pkinit`; assigned (not a bare
# docstring) so it goes through the _() translation wrapper.
__doc__ = _("""
Kerberos PKINIT feature status reporting tools.
Report IPA masters on which Kerberos PKINIT is enabled or disabled
EXAMPLES:
List PKINIT status on all masters:
ipa pkinit-status
Check PKINIT status on `ipa.example.com`:
ipa pkinit-status --server ipa.example.com
List all IPA masters with disabled PKINIT:
ipa pkinit-status --status='disabled'
For more info about PKINIT support see:
https://www.freeipa.org/page/V4/Kerberos_PKINIT
""")
@register()
class pkinit(Object):
    """
    PKINIT Options
    """
    # Parameter container for the pkinit-status command below.  Both values
    # are computed from the server-roles backend at query time (see
    # pkinit_status.get_pkinit_status), not stored on an entry of their own.
    object_name = _('pkinit')
    label = _('PKINIT')

    takes_params = (
        # Optional ('?'); surfaces on the CLI as --server.  execute() checks
        # the value against the known masters before reporting on it.
        Str(
            'server_server?',
            cli_name='server',
            label=_('Server name'),
            doc=_('IPA server hostname'),
        ),
        # Optional ('?'); surfaces as --status and is constrained to the two
        # listed values.  Per the flag names it is a computed (virtual)
        # attribute that is not accepted on create/update.
        StrEnum(
            'status?',
            cli_name='status',
            label=_('PKINIT status'),
            doc=_('Whether PKINIT is enabled or disabled'),
            values=(u'enabled', u'disabled'),
            flags={'virtual_attribute', 'no_create', 'no_update'}
        )
    )
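@register()
class pkinit_status(Search):
    # Search-style command reporting, per IPA master, whether Kerberos PKINIT
    # is enabled.  The answer comes from the server-roles backend: a master
    # is "enabled" when it is listed under 'pkinit_server_server' of the
    # "IPA master" role config and "disabled" otherwise.
    __doc__ = _('Report PKINIT status on the IPA masters')

    msg_summary = ngettext('%(count)s server matched',
                           '%(count)s servers matched', 0)

    # The usual Search limits are accepted so the command has the standard
    # CLI/API surface, but execute() below never consults them: the answer
    # is built from the roles backend and 'truncated' is always False.
    takes_options = Search.takes_options + (
        Int(
            'timelimit?',
            label=_('Time Limit'),
            doc=_('Time limit of search in seconds (0 is unlimited)'),
            flags=['no_display'],
            minvalue=0,
            autofill=False,
        ),
        Int(
            'sizelimit?',
            label=_('Size Limit'),
            doc=_('Maximum number of entries returned (0 is unlimited)'),
            flags=['no_display'],
            minvalue=0,
            autofill=False,
        ),
    )

    def get_pkinit_status(self, server, status):
        """Yield one ``{u'server_server', u'status'}`` dict per matching master.

        :param server: hostname of a single master to report on, or ``None``
            to report on every master listed under ``ipa_master_server`` of
            the "IPA master" role config
        :param status: ``u'enabled'`` / ``u'disabled'`` to keep only masters
            in that state, or ``None`` for no filtering
        """
        backend = self.api.Backend.serverroles
        ipa_master_config = backend.config_retrieve("IPA master")

        if server is not None:
            servers = [server]
        else:
            servers = ipa_master_config['ipa_master_server']

        # NOTE(review): this indexes the key directly; confirm with the
        # serverroles backend that it is present (possibly empty) even when
        # no master has PKINIT enabled.
        pkinit_servers = ipa_master_config['pkinit_server_server']

        for s in servers:
            pkinit_status = {
                u'server_server': s,
                u'status': (
                    u'enabled' if s in pkinit_servers else u'disabled'
                )
            }
            if status is not None and pkinit_status[u'status'] != status:
                continue
            yield pkinit_status

    def execute(self, *keys, **options):
        """Run the lookup and return the standard Search result dict.

        :param keys: positional criteria inherited from Search; free-text
            criteria are not supported, so any positional argument yields an
            empty result
        :param options: ``server_server`` (``--server``) and ``status``
            (``--status``); ``timelimit``/``sizelimit`` are accepted but
            not consulted
        :returns: ``dict(result=<sorted list of status dicts>, count=<len>,
            truncated=False)``
        :raises: whatever ``server_role.ensure_master_exists`` raises when
            ``--server`` names an unknown master (presumably an error; the
            helper is defined elsewhere)
        """
        if keys:
            return dict(
                result=[],
                count=0,
                truncated=False
            )

        server = options.get('server_server', None)
        status = options.get('status', None)

        if server is not None:
            # Validate the caller-supplied hostname against the topology
            # first, so an unknown or mistyped server is rejected rather
            # than silently reported as "disabled".
            self.api.Object.server_role.ensure_master_exists(server)

        # Sort by the entry's values explicitly.  Ordering the dicts
        # themselves only works on Python 2 and raises TypeError on
        # Python 3 as soon as two masters match; the (server, status) key
        # reproduces the order Python 2 used for these two-key dicts.
        result = sorted(
            self.get_pkinit_status(server, status),
            key=lambda entry: (entry[u'server_server'], entry[u'status'])
        )

        return dict(result=result, count=len(result), truncated=False)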