mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-25 15:46:30 -06:00
db116f73fe
Update x509.load_certificate and related functions to return python-cryptography ``Certificate`` objects. Update the call sites accordingly, including removal of NSS initialisation code. Also update GeneralName parsing code to return python-cryptography GeneralName values, for consistency with other code that processes GeneralNames. The new function, `get_san_general_names`, and associated helper functions, can be removed when python-cryptography provides a way to deal with unrecognised critical extensions. Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
569 lines
23 KiB
Python
Executable File
569 lines
23 KiB
Python
Executable File
#! /usr/bin/python2 -E
|
|
# Authors: Martin Kosek <mkosek@redhat.com>
|
|
#
|
|
# Copyright (C) 2011 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from __future__ import print_function
|
|
|
|
from ipapython.config import IPAOptionParser
|
|
from ipapython.dn import DN
|
|
from ipapython import version
|
|
from ipapython import ipautil, certdb
|
|
from ipalib import api, errors, x509
|
|
from ipaserver.install import installutils
|
|
import ipaclient.ipachangeconf
|
|
from optparse import OptionGroup, OptionValueError
|
|
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
|
|
import sys
|
|
import os
|
|
import signal
|
|
import tempfile
|
|
import socket
|
|
import time
|
|
import threading
|
|
import errno
|
|
from socket import SOCK_STREAM, SOCK_DGRAM
|
|
import distutils.spawn
|
|
from ipaplatform.paths import paths
|
|
import gssapi
|
|
from cryptography.hazmat.primitives import serialization
|
|
|
|
CONNECT_TIMEOUT = 5
|
|
RESPONDERS = [ ]
|
|
QUIET = False
|
|
CCACHE_FILE = None
|
|
KRB5_CONFIG = None
|
|
|
|
class SshExec(object):
|
|
def __init__(self, user, addr):
|
|
self.user = user
|
|
self.addr = addr
|
|
self.cmd = distutils.spawn.find_executable('ssh')
|
|
|
|
def __call__(self, command, verbose=False):
|
|
# Bail if ssh is not installed
|
|
if self.cmd is None:
|
|
print("WARNING: ssh not installed, skipping ssh test")
|
|
return ('', '', 0)
|
|
|
|
tmpf = tempfile.NamedTemporaryFile()
|
|
cmd = [
|
|
self.cmd,
|
|
'-o StrictHostKeychecking=no',
|
|
'-o UserKnownHostsFile=%s' % tmpf.name,
|
|
'-o GSSAPIAuthentication=yes',
|
|
'-o User=%s' % self.user,
|
|
'%s' % self.addr,
|
|
command
|
|
]
|
|
if verbose:
|
|
cmd.insert(1, '-v')
|
|
|
|
env = dict()
|
|
if KRB5_CONFIG is not None:
|
|
env['KRB5_CONFIG'] = KRB5_CONFIG
|
|
elif 'KRB5_CONFIG' in os.environ:
|
|
env['KRB5_CONFIG'] = os.environ['KRB5_CONFIG']
|
|
if CCACHE_FILE is not None:
|
|
env['KRB5CCNAME'] = CCACHE_FILE
|
|
elif 'KRB5CCNAME' in os.environ:
|
|
env['KRB5CCNAME'] = os.environ['KRB5CCNAME']
|
|
|
|
return ipautil.run(cmd, env=env, raiseonerr=False,
|
|
capture_output=True, capture_error=True)
|
|
|
|
|
|
class CheckedPort(object):
|
|
def __init__(self, port, port_type, description):
|
|
self.port = port
|
|
self.port_type = port_type
|
|
self.description = description
|
|
|
|
BASE_PORTS = [
|
|
CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
|
|
CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
|
|
CheckedPort(88, SOCK_STREAM, "Kerberos KDC: TCP"),
|
|
CheckedPort(88, SOCK_DGRAM, "Kerberos KDC: UDP"),
|
|
CheckedPort(464, SOCK_STREAM, "Kerberos Kpasswd: TCP"),
|
|
CheckedPort(464, SOCK_DGRAM, "Kerberos Kpasswd: UDP"),
|
|
CheckedPort(80, SOCK_STREAM, "HTTP Server: Unsecure port"),
|
|
CheckedPort(443, SOCK_STREAM, "HTTP Server: Secure port"),
|
|
]
|
|
|
|
|
|
def print_info(msg):
|
|
if not QUIET:
|
|
print(msg)
|
|
|
|
def parse_options():
|
|
def ca_cert_file_callback(option, opt, value, parser):
|
|
if not os.path.exists(value):
|
|
raise OptionValueError(
|
|
"%s option '%s' does not exist" % (opt, value))
|
|
if not os.path.isfile(value):
|
|
raise OptionValueError(
|
|
"%s option '%s' is not a file" % (opt, value))
|
|
if not os.path.isabs(value):
|
|
raise OptionValueError(
|
|
"%s option '%s' is not an absolute file path" % (opt, value))
|
|
|
|
try:
|
|
x509.load_certificate_list_from_file(value)
|
|
except Exception:
|
|
raise OptionValueError(
|
|
"%s option '%s' is not a valid certificate file" %
|
|
(opt, value))
|
|
|
|
parser.values.ca_cert_file = value
|
|
|
|
parser = IPAOptionParser(version=version.VERSION)
|
|
|
|
replica_group = OptionGroup(parser, "on-replica options")
|
|
replica_group.add_option("-m", "--master", dest="master",
|
|
help="Master address with running IPA for output connection check")
|
|
replica_group.add_option("-a", "--auto-master-check", dest="auto_master_check",
|
|
action="store_true",
|
|
default=False,
|
|
help="Automatically execute connection check on master")
|
|
replica_group.add_option("-r", "--realm", dest="realm",
|
|
help="Realm name")
|
|
replica_group.add_option("-k", "--kdc", dest="kdc",
|
|
help="Master KDC. Defaults to master address")
|
|
replica_group.add_option("-p", "--principal", dest="principal",
|
|
default=None, help="Principal to use to log in to remote master")
|
|
replica_group.add_option("-w", "--password", dest="password", sensitive=True,
|
|
help="Password for the principal")
|
|
replica_group.add_option("--ca-cert-file", dest="ca_cert_file",
|
|
type="string", action="callback",
|
|
callback=ca_cert_file_callback,
|
|
help="load the CA certificate from this file")
|
|
parser.add_option_group(replica_group)
|
|
|
|
|
|
master_group = OptionGroup(parser, "on-master options")
|
|
master_group.add_option("-R", "--replica", dest="replica",
|
|
help="Address of remote replica machine to check against")
|
|
parser.add_option_group(master_group)
|
|
|
|
common_group = OptionGroup(parser, "common options")
|
|
common_group.add_option("-c", "--check-ca", dest="check_ca",
|
|
action="store_true",
|
|
default=False,
|
|
help="Check also ports for Certificate Authority "
|
|
"(for servers installed before IPA 3.1)")
|
|
|
|
common_group.add_option("", "--hostname", dest="hostname",
|
|
help="The hostname of this server (FQDN). "
|
|
"By default the result of getfqdn() call from "
|
|
"Python's socket module is used.")
|
|
parser.add_option_group(common_group)
|
|
|
|
parser.add_option("-d", "--debug", dest="debug",
|
|
action="store_true",
|
|
default=False, help="Print debugging information")
|
|
parser.add_option("-q", "--quiet", dest="quiet",
|
|
action="store_true",
|
|
default=False, help="Output only errors")
|
|
parser.add_option("--no-log", dest="log_to_file", action="store_false",
|
|
default=True, help="Do not log into file")
|
|
|
|
options, _args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
if options.master and options.replica:
|
|
parser.error("on-master and on-replica options are mutually exclusive!")
|
|
|
|
if options.master:
|
|
if options.auto_master_check and not options.realm:
|
|
parser.error("Realm is parameter is required to connect to remote master!")
|
|
if not os.getegid() == 0:
|
|
parser.error("You can only run on-replica part as root.")
|
|
|
|
if options.master and not options.kdc:
|
|
options.kdc = options.master
|
|
|
|
if not options.master and not options.replica:
|
|
parser.error("No action: you should select either --replica or --master option.")
|
|
|
|
if not options.hostname:
|
|
options.hostname = socket.getfqdn()
|
|
|
|
if options.quiet:
|
|
global QUIET
|
|
QUIET = True
|
|
|
|
return safe_options, options
|
|
|
|
def logging_setup(options):
|
|
log_file = None
|
|
|
|
if os.getegid() == 0 and options.log_to_file:
|
|
log_file = paths.IPAREPLICA_CONNCHECK_LOG
|
|
|
|
standard_logging_setup(log_file, debug=options.debug)
|
|
|
|
def clean_responders(responders):
|
|
if not responders:
|
|
return
|
|
|
|
for responder in responders:
|
|
responder.stop()
|
|
|
|
for responder in responders:
|
|
responder.join()
|
|
responders.remove(responder)
|
|
|
|
def sigterm_handler(signum, frame):
|
|
# do what SIGINT does (raise a KeyboardInterrupt)
|
|
sigint_handler = signal.getsignal(signal.SIGINT)
|
|
if callable(sigint_handler):
|
|
sigint_handler(signum, frame)
|
|
|
|
def configure_krb5_conf(realm, kdc, filename):
|
|
|
|
krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
|
|
krbconf.setOptionAssignment((" = ", " "))
|
|
krbconf.setSectionNameDelimiters(("[","]"))
|
|
krbconf.setSubSectionDelimiters(("{","}"))
|
|
krbconf.setIndent((""," "," "))
|
|
|
|
opts = [{'name':'comment', 'type':'comment', 'value':'File created by ipa-replica-conncheck'},
|
|
{'name':'empty', 'type':'empty'}]
|
|
|
|
#[libdefaults]
|
|
libdefaults = [{'name':'default_realm', 'type':'option', 'value':realm}]
|
|
libdefaults.append({'name':'dns_lookup_realm', 'type':'option', 'value':'false'})
|
|
libdefaults.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
|
|
libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
|
|
libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
|
|
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'true'})
|
|
libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
|
|
|
|
opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
|
|
#the following are necessary only if DNS discovery does not work
|
|
#[realms]
|
|
realms_info =[{'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
|
|
{'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(kdc, 88)},
|
|
{'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(kdc, 749)}]
|
|
realms = [{'name':realm, 'type':'subsection', 'value':realms_info}]
|
|
|
|
opts.append({'name':'realms', 'type':'section', 'value':realms})
|
|
opts.append({'name':'empty', 'type':'empty'})
|
|
|
|
#[appdefaults]
|
|
pamopts = [{'name':'debug', 'type':'option', 'value':'false'},
|
|
{'name':'ticket_lifetime', 'type':'option', 'value':'36000'},
|
|
{'name':'renew_lifetime', 'type':'option', 'value':'36000'},
|
|
{'name':'forwardable', 'type':'option', 'value':'true'},
|
|
{'name':'krb4_convert', 'type':'option', 'value':'false'}]
|
|
appopts = [{'name':'pam', 'type':'subsection', 'value':pamopts}]
|
|
opts.append({'name':'appdefaults', 'type':'section', 'value':appopts})
|
|
|
|
root_logger.debug("Writing temporary Kerberos configuration to %s:\n%s"
|
|
% (filename, krbconf.dump(opts)))
|
|
|
|
krbconf.newConf(filename, opts)
|
|
|
|
class PortResponder(threading.Thread):
|
|
|
|
def __init__(self, port, port_type, socket_timeout=1):
|
|
super(PortResponder, self).__init__()
|
|
self.port = port
|
|
self.port_type = port_type
|
|
self.socket_timeout = socket_timeout
|
|
self._stop_request = False
|
|
|
|
def run(self):
|
|
while not self._stop_request:
|
|
try:
|
|
ipautil.bind_port_responder(self.port,
|
|
self.port_type,
|
|
socket_timeout=self.socket_timeout,
|
|
responder_data="FreeIPA")
|
|
except socket.timeout:
|
|
pass
|
|
except socket.error as e:
|
|
if e.errno == errno.EADDRINUSE:
|
|
time.sleep(1)
|
|
else:
|
|
raise
|
|
|
|
def stop(self):
|
|
self._stop_request = True
|
|
|
|
def port_check(host, port_list):
|
|
ports_failed = []
|
|
ports_udp_warning = [] # conncheck could not verify that port is open
|
|
for port in port_list:
|
|
try:
|
|
port_open = ipautil.host_port_open(host, port.port,
|
|
port.port_type, socket_timeout=CONNECT_TIMEOUT)
|
|
except socket.gaierror:
|
|
raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
|
|
if port_open:
|
|
result = "OK"
|
|
else:
|
|
if port.port_type == socket.SOCK_DGRAM:
|
|
ports_udp_warning.append(port)
|
|
result = "WARNING"
|
|
else:
|
|
ports_failed.append(port)
|
|
result = "FAILED"
|
|
print_info(" %s (%d): %s" % (port.description, port.port, result))
|
|
|
|
if ports_udp_warning:
|
|
print("The following UDP ports could not be verified as open: %s" \
|
|
% ", ".join(str(port.port) for port in ports_udp_warning))
|
|
print("This can happen if they are already bound to an application")
|
|
print("and ipa-replica-conncheck cannot attach own UDP responder.")
|
|
|
|
if ports_failed:
|
|
msg_ports = []
|
|
for port in ports_failed:
|
|
port_type_text = "TCP" if port.port_type == SOCK_STREAM else "UDP"
|
|
msg_ports.append('%d (%s)' % (port.port, port_type_text))
|
|
raise RuntimeError("Port check failed! Inaccessible port(s): %s" \
|
|
% ", ".join(msg_ports))
|
|
|
|
def main():
|
|
safe_options, options = parse_options()
|
|
|
|
logging_setup(options)
|
|
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
|
|
root_logger.debug("missing options might be asked for interactively later\n")
|
|
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
|
|
|
|
signal.signal(signal.SIGTERM, sigterm_handler)
|
|
|
|
required_ports = BASE_PORTS
|
|
if options.check_ca:
|
|
# Check old Dogtag CA replication port
|
|
# New installs with unified databases use main DS port (checked above)
|
|
required_ports.append(CheckedPort(7389, SOCK_STREAM,
|
|
"PKI-CA: Directory Service port"))
|
|
|
|
if options.replica:
|
|
print_info("Check connection from master to remote replica '%s':" % options.replica)
|
|
port_check(options.replica, required_ports)
|
|
print_info("\nConnection from master to replica is OK.")
|
|
|
|
# kinit to foreign master
|
|
if options.master:
|
|
# check ports on master first
|
|
print_info("Check connection from replica to remote master '%s':" % options.master)
|
|
tcp_ports = [ port for port in required_ports if port.port_type == SOCK_STREAM ]
|
|
udp_ports = [ port for port in required_ports if port.port_type == SOCK_DGRAM ]
|
|
port_check(options.master, tcp_ports)
|
|
|
|
if udp_ports:
|
|
print_info("\nThe following list of ports use UDP protocol and would need to be")
|
|
print_info("checked manually:")
|
|
for port in udp_ports:
|
|
result = "SKIPPED"
|
|
print_info(" %s (%d): %s" % (port.description, port.port, result))
|
|
|
|
print_info("\nConnection from replica to master is OK.")
|
|
|
|
# create listeners
|
|
print_info("Start listening on required ports for remote master check")
|
|
|
|
for port in required_ports:
|
|
root_logger.debug("Start listening on port %d (%s)" % (port.port, port.description))
|
|
responder = PortResponder(port.port, port.port_type)
|
|
responder.start()
|
|
RESPONDERS.append(responder)
|
|
|
|
remote_check_opts = ['--replica %s' % options.hostname]
|
|
|
|
if options.auto_master_check:
|
|
print_info("Get credentials to log in to remote master")
|
|
cred = None
|
|
if options.principal is None:
|
|
# Check if ccache is available
|
|
try:
|
|
root_logger.debug('KRB5CCNAME set to %s' %
|
|
os.environ.get('KRB5CCNAME', None))
|
|
# get default creds, will raise if none found
|
|
cred = gssapi.creds.Credentials()
|
|
principal = str(cred.name)
|
|
except gssapi.raw.misc.GSSError as e:
|
|
root_logger.debug('Failed to find default ccache: %s' % e)
|
|
# Use admin as the default principal
|
|
principal = "admin"
|
|
else:
|
|
principal = options.principal
|
|
|
|
if cred is None:
|
|
(krb_fd, krb_name) = tempfile.mkstemp()
|
|
os.close(krb_fd)
|
|
configure_krb5_conf(options.realm, options.kdc, krb_name)
|
|
global KRB5_CONFIG
|
|
KRB5_CONFIG = krb_name
|
|
(ccache_fd, ccache_name) = tempfile.mkstemp()
|
|
os.close(ccache_fd)
|
|
global CCACHE_FILE
|
|
CCACHE_FILE = ccache_name
|
|
|
|
if principal.find('@') == -1:
|
|
principal = '%s@%s' % (principal, options.realm)
|
|
|
|
if options.password:
|
|
password=options.password
|
|
else:
|
|
password = installutils.read_password(principal, confirm=False,
|
|
validate=False, retry=False)
|
|
if password is None:
|
|
sys.exit("Principal password required")
|
|
|
|
|
|
result = ipautil.run([paths.KINIT, principal],
|
|
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
|
|
stdin=password, raiseonerr=False, capture_error=True)
|
|
if result.returncode != 0:
|
|
raise RuntimeError("Cannot acquire Kerberos ticket: %s" %
|
|
result.error_output)
|
|
|
|
# Verify kinit was actually successful
|
|
result = ipautil.run([paths.BIN_KVNO,
|
|
'host/%s' % options.master],
|
|
env={'KRB5_CONFIG':KRB5_CONFIG, 'KRB5CCNAME':CCACHE_FILE},
|
|
raiseonerr=False, capture_error=True)
|
|
if result.returncode != 0:
|
|
raise RuntimeError("Could not get ticket for master server: %s" %
|
|
result.error_output)
|
|
|
|
try:
|
|
print_info("Check RPC connection to remote master")
|
|
|
|
xmlrpc_uri = ('https://%s/ipa/xml' %
|
|
ipautil.format_netloc(options.master))
|
|
|
|
if options.ca_cert_file:
|
|
nss_dir = None
|
|
else:
|
|
nss_dir = paths.IPA_NSSDB_DIR
|
|
|
|
with certdb.NSSDatabase(nss_dir) as nss_db:
|
|
if options.ca_cert_file:
|
|
nss_dir = nss_db.secdir
|
|
|
|
password = ipautil.ipa_generate_password()
|
|
password_file = ipautil.write_tmp_file(password)
|
|
nss_db.create_db(password_file.name)
|
|
|
|
ca_certs = x509.load_certificate_list_from_file(
|
|
options.ca_cert_file)
|
|
for ca_cert in ca_certs:
|
|
data = ca_cert.public_bytes(
|
|
serialization.Encoding.DER)
|
|
nss_db.add_cert(
|
|
data, str(DN(ca_cert.subject)), 'C,,')
|
|
else:
|
|
nss_dir = None
|
|
|
|
api.bootstrap(context='client', xmlrpc_uri=xmlrpc_uri,
|
|
nss_dir=nss_db.secdir)
|
|
api.finalize()
|
|
try:
|
|
api.Backend.rpcclient.connect()
|
|
api.Command.ping()
|
|
except Exception as e:
|
|
print_info(
|
|
"Could not connect to the remote host: %s" % e)
|
|
raise
|
|
|
|
print_info("Execute check on remote master")
|
|
try:
|
|
result = api.Backend.rpcclient.forward(
|
|
'server_conncheck',
|
|
ipautil.fsdecode(options.master),
|
|
ipautil.fsdecode(options.hostname),
|
|
version=u'2.162',
|
|
)
|
|
except (errors.CommandError, errors.NetworkError) as e:
|
|
print_info(
|
|
"Remote master does not support check over RPC: "
|
|
"%s" % e)
|
|
raise
|
|
except errors.PublicError as e:
|
|
returncode = 1
|
|
stderr = e
|
|
else:
|
|
for message in result['messages']:
|
|
print_info(message['message'])
|
|
returncode = int(not result['result'])
|
|
stderr = ("ipa-replica-conncheck returned non-zero "
|
|
"exit code")
|
|
finally:
|
|
if api.Backend.rpcclient.isconnected():
|
|
api.Backend.rpcclient.disconnect()
|
|
except Exception:
|
|
print_info("Retrying using SSH...")
|
|
|
|
# Ticket 5812 Always qualify requests for admin
|
|
user = principal
|
|
ssh = SshExec(user, options.master)
|
|
|
|
print_info("Check SSH connection to remote master")
|
|
result = ssh('echo OK', verbose=True)
|
|
if result.returncode != 0:
|
|
print('Could not SSH into remote host. Error output:')
|
|
for line in result.error_output.splitlines():
|
|
print(' %s' % line)
|
|
raise RuntimeError('Could not SSH to remote host.')
|
|
|
|
print_info("Execute check on remote master")
|
|
result = ssh(
|
|
"/usr/sbin/ipa-replica-conncheck " +
|
|
" ".join(remote_check_opts))
|
|
returncode = result.returncode
|
|
stderr = result.error_output
|
|
print_info(result.output)
|
|
if returncode != 0:
|
|
raise RuntimeError("Remote master check failed with following error message(s):\n%s" % stderr)
|
|
else:
|
|
# wait until user test is ready
|
|
print_info("Listeners are started. Use CTRL+C to terminate the listening part after the test.")
|
|
print_info("")
|
|
print_info("Please run the following command on remote master:")
|
|
|
|
print_info("/usr/sbin/ipa-replica-conncheck " + " ".join(remote_check_opts))
|
|
time.sleep(3600)
|
|
print_info("Connection check timeout: terminating listening program")
|
|
|
|
if __name__ == "__main__":
|
|
try:
|
|
sys.exit(main())
|
|
except SystemExit as e:
|
|
sys.exit(e)
|
|
except KeyboardInterrupt:
|
|
print_info("\nCleaning up...")
|
|
sys.exit(1)
|
|
except RuntimeError as e:
|
|
sys.exit(e)
|
|
finally:
|
|
clean_responders(RESPONDERS)
|
|
for file_name in (CCACHE_FILE, KRB5_CONFIG):
|
|
if file_name:
|
|
try:
|
|
os.remove(file_name)
|
|
except OSError:
|
|
pass
|