New pki-server CLI commands have been added to simplify inspecting the audit log files on the server.
Pushed to master under trivial rule. -- Endi S. Dewata
>From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <edew...@redhat.com> Date: Tue, 11 Apr 2017 18:04:41 +0200 Subject: [PATCH] Added pki-server <subsystem>-audit-file-find CLI. A new pki-server <subsystem>-audit-file-find CLI has been added to list audit log files on the server. Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f --- base/server/python/pki/server/__init__.py | 14 ++++ base/server/python/pki/server/cli/audit.py | 109 +++++++++++++++++++++++++++++ base/server/python/pki/server/cli/ca.py | 2 + base/server/python/pki/server/cli/kra.py | 2 + base/server/python/pki/server/cli/ocsp.py | 2 + base/server/python/pki/server/cli/tks.py | 2 + base/server/python/pki/server/cli/tps.py | 2 + 7 files changed, 133 insertions(+) create mode 100644 base/server/python/pki/server/cli/audit.py diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 5032274705744290313b29e878721c638909bc57..112dcbff3625c752d6130b847d4448799e8c8224 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -389,6 +389,20 @@ class PKISubsystem(object): pki.util.customize_file(input_file, output_file, params) + def get_audit_log_files(self): + + current_file_path = self.config['log.instance.SignedAudit.fileName'] + (log_dir, current_file) = os.path.split(current_file_path) + + # sort log files based on timestamp + files = [f for f in os.listdir(log_dir) if f != current_file] + files.sort() + + # put the current log file at the end + files.append(current_file) + + return files + def __repr__(self): return str(self.instance) + '/' + self.name diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py new file mode 100644 index 0000000000000000000000000000000000000000..3bb9d5f0f68748797d9809b0d3e93952c5cd2d5d --- /dev/null +++ b/base/server/python/pki/server/cli/audit.py 
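Review bot: `get_audit_log_files` returns every entry of `os.listdir(log_dir)` except the current file, so any other file that happens to live in the SignedAudit directory is reported as an audit log file (and, once a verify command consumes this list, would be handed to the verifier as one); restrict the listing to names derived from the current audit file, presumably `if f != current_file and f.startswith(current_file)` — confirm against the rotation naming. The comment says the files are sorted by timestamp, but `files.sort()` is lexicographic and only yields chronological order if the rotation suffix is a fixed-width sortable timestamp; state that assumption in the comment, e.g. `# rotated files are expected to carry a sortable timestamp suffix, so lexicographic order is chronological`. If `log.instance.SignedAudit.fileName` is ever relative, `log_dir` is empty and `os.listdir('')` raises; guarding with `log_dir = log_dir or '.'` would avoid that. The enclosing class PKISubsystem starts before the hunk.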
@@ -0,0 +1,109 @@ +# Authors: +# Endi S. Dewata <edew...@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2017 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import +from __future__ import print_function +import getopt +import sys + +import pki.cli + + +class AuditCLI(pki.cli.CLI): + + def __init__(self, parent): + super(AuditCLI, self).__init__( + 'audit', 'Audit management commands') + + self.parent = parent + self.add_module(AuditFileFindCLI(self)) + + +class AuditFileFindCLI(pki.cli.CLI): + + def __init__(self, parent): + super(AuditFileFindCLI, self).__init__( + 'file-find', 'Find audit log files') + + self.parent = parent + + def print_help(self): + print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name) + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' --help Show help message.') + print() + + def execute(self, args): + + try: + opts, _ = getopt.gnu_getopt(args, 'i:v', [ + 'instance=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + 
sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.print_help() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + if not instance.is_valid(): + print('ERROR: Invalid instance %s.' % instance_name) + sys.exit(1) + + instance.load() + + subsystem_name = self.parent.parent.name + subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance %s.' + % (subsystem_name.upper(), instance_name)) + sys.exit(1) + + log_files = subsystem.get_audit_log_files() + + self.print_message('%s entries matched' % len(log_files)) + + first = True + for filename in log_files: + if first: + first = False + else: + print() + + print(' File name: %s' % filename) diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py index 1d1c00f0f977d63066d68a9ae960aefcd183ad13..550e5110aac9f443819c50eab313ee399c86e6a7 100644 --- a/base/server/python/pki/server/cli/ca.py +++ b/base/server/python/pki/server/cli/ca.py @@ -28,6 +28,7 @@ import sys import tempfile import pki.cli +import pki.server.cli.audit class CACLI(pki.cli.CLI): @@ -38,6 +39,7 @@ class CACLI(pki.cli.CLI): self.add_module(CACertCLI()) self.add_module(CACloneCLI()) + self.add_module(pki.server.cli.audit.AuditCLI(self)) class CACertCLI(pki.cli.CLI): diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py index 5558d6a00bc111410306e7fc23999af2b2dbf845..3724014652762a92e82071cc5d805dfcb39422df 100644 --- a/base/server/python/pki/server/cli/kra.py +++ b/base/server/python/pki/server/cli/kra.py @@ -32,6 +32,7 @@ import tempfile import time import pki.cli +import pki.server.cli.audit KRA_VLVS = ['allKeys', 'kraAll', @@ -51,6 +52,7 @@ class KRACLI(pki.cli.CLI): self.add_module(KRACloneCLI()) self.add_module(KRADBCLI()) + self.add_module(pki.server.cli.audit.AuditCLI(self)) class KRACloneCLI(pki.cli.CLI): 
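Review bot: `AuditFileFindCLI.execute` references `pki.server.PKIInstance`, but the module only imports `pki.cli`; this works only because `pki.server.cli.audit` is loaded as a submodule of an already initialised `pki.server` package, so the name resolves by accident of import order rather than by declaration. Add `import pki.server` next to `import pki.cli` so the module is importable on its own. The `first` flag loop that separates entries with a blank line could be written as `for i, filename in enumerate(log_files): if i: print()`, which reads more directly than the flag. Neither class carries a docstring; a one-line `"""List the audit log files of the parent subsystem."""` on `AuditFileFindCLI` would tell readers what distinguishes it from the verify command that follows.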
diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py index 246f5932dc839d2be1207d8e67e46f1b5e5182b3..3e9b6aa64773f76a3fea795af2f6d94abcc73ef6 100644 --- a/base/server/python/pki/server/cli/ocsp.py +++ b/base/server/python/pki/server/cli/ocsp.py @@ -28,6 +28,7 @@ import sys import tempfile import pki.cli +import pki.server.cli.audit class OCSPCLI(pki.cli.CLI): @@ -37,6 +38,7 @@ class OCSPCLI(pki.cli.CLI): 'ocsp', 'OCSP management commands') self.add_module(OCSPCloneCLI()) + self.add_module(pki.server.cli.audit.AuditCLI(self)) class OCSPCloneCLI(pki.cli.CLI): diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py index 2c4157a03bc601c36141f67880fe7624aa1febee..0e6a998f776a4943b9b1daf0f51e5944a7cceb55 100644 --- a/base/server/python/pki/server/cli/tks.py +++ b/base/server/python/pki/server/cli/tks.py @@ -28,6 +28,7 @@ import sys import tempfile import pki.cli +import pki.server.cli.audit class TKSCLI(pki.cli.CLI): @@ -37,6 +38,7 @@ class TKSCLI(pki.cli.CLI): 'tks', 'TKS management commands') self.add_module(TKSCloneCLI()) + self.add_module(pki.server.cli.audit.AuditCLI(self)) class TKSCloneCLI(pki.cli.CLI): diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py index 1f71b8ece1431426d865d7e98fa87e5417beb36c..03df8de96e7c711288f5fa386b16c2704fb755b7 100644 --- a/base/server/python/pki/server/cli/tps.py +++ b/base/server/python/pki/server/cli/tps.py @@ -32,6 +32,7 @@ import tempfile import time import pki.cli +import pki.server.cli.audit TPS_VLV_PATH = '/usr/share/pki/tps/conf/vlv.ldif' @@ -46,6 +47,7 @@ class TPSCLI(pki.cli.CLI): self.add_module(TPSCloneCLI()) self.add_module(TPSDBCLI()) + self.add_module(pki.server.cli.audit.AuditCLI(self)) class TPSCloneCLI(pki.cli.CLI): -- 2.9.3
>From a29888e42c14c9c7e642769b747bb288d39a0809 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" <edew...@redhat.com> Date: Tue, 11 Apr 2017 18:04:41 +0200 Subject: [PATCH] Added pki-server <subsystem>-audit-file-verify CLI. A new pki-server <subsystem>-audit-file-verify CLI has been added to verify audit log files on the server. Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f --- base/server/python/pki/server/__init__.py | 5 ++ base/server/python/pki/server/cli/audit.py | 91 ++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 112dcbff3625c752d6130b847d4448799e8c8224..88986548df323484117be829dd25e459050de2ac 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -389,6 +389,11 @@ class PKISubsystem(object): pki.util.customize_file(input_file, output_file, params) + def get_audit_log_dir(self): + + current_file_path = self.config['log.instance.SignedAudit.fileName'] + return os.path.dirname(current_file_path) + def get_audit_log_files(self): current_file_path = self.config['log.instance.SignedAudit.fileName'] diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py index 3bb9d5f0f68748797d9809b0d3e93952c5cd2d5d..0833ca816aef852ac155c4cfce90599a37c9fdb4 100644 --- a/base/server/python/pki/server/cli/audit.py +++ b/base/server/python/pki/server/cli/audit.py @@ -21,7 +21,11 @@ from __future__ import absolute_import from __future__ import print_function import getopt +import os +import shutil +import subprocess import sys +import tempfile import pki.cli @@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI): self.parent = parent self.add_module(AuditFileFindCLI(self)) + self.add_module(AuditFileVerifyCLI(self)) class AuditFileFindCLI(pki.cli.CLI): 
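Review bot: `get_audit_log_dir` reads `log.instance.SignedAudit.fileName` and takes its directory, while `get_audit_log_files` (just below the hunk) repeats the same lookup and split; have the latter call `self.get_audit_log_dir()` so the config key is read in exactly one place and the two cannot drift. A docstring such as `"""Return the directory holding the SignedAudit log files, taken from log.instance.SignedAudit.fileName."""` would document the contract. The commit record carries the same Change-Id `I88e827d45cfb83cf34052146e2ec678f4cd2345f` and timestamp as the preceding patch, which looks like the second commit was split off without a fresh Change-Id. The enclosing class PKISubsystem starts before the hunk.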
@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI): print() print(' File name: %s' % filename) + + +class AuditFileVerifyCLI(pki.cli.CLI): + + def __init__(self, parent): + super(AuditFileVerifyCLI, self).__init__( + 'file-verify', 'Verify audit log files') + + self.parent = parent + + def print_help(self): + print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name) + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' --help Show help message.') + print() + + def execute(self, args): + + try: + opts, _ = getopt.gnu_getopt(args, 'i:v', [ + 'instance=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.print_help() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + if not instance.is_valid(): + print('ERROR: Invalid instance %s.' % instance_name) + sys.exit(1) + + instance.load() + + subsystem_name = self.parent.parent.name + subsystem = instance.get_subsystem(subsystem_name) + if not subsystem: + print('ERROR: No %s subsystem in instance %s.' 
+ % (subsystem_name.upper(), instance_name)) + sys.exit(1) + + log_dir = subsystem.get_audit_log_dir() + log_files = subsystem.get_audit_log_files() + signing_cert = subsystem.get_subsystem_cert('audit_signing') + + tmpdir = tempfile.mkdtemp() + + try: + file_list = os.path.join(tmpdir, 'audit.txt') + + with open(file_list, 'w') as f: + for filename in log_files: + f.write(os.path.join(log_dir, filename) + '\n') + + cmd = ['AuditVerify', + '-d', instance.nssdb_dir, + '-n', signing_cert['nickname'], + '-a', file_list] + + if self.verbose: + print('Command: %s' % ' '.join(cmd)) + + subprocess.call(cmd) + + finally: + shutil.rmtree(tmpdir) -- 2.9.3
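Review bot: The return value of `subprocess.call(cmd)` at the end of `AuditFileVerifyCLI.execute` is discarded, so if AuditVerify reports a failed verification (presumably via a non-zero exit status — confirm) the `pki-server <subsystem>-audit-file-verify` command still exits 0 and a script cannot tell a verified log from a tampered one. Capture it with `rc = subprocess.call(cmd)` and finish with `sys.exit(rc)` after the `finally` cleanup so the verifier's result is propagated. `signing_cert['nickname']` will raise a TypeError rather than a clear message if `get_subsystem_cert('audit_signing')` returns no certificate; a guard that prints `ERROR: No audit_signing certificate in %s subsystem.` and exits 1, in the same style as the instance and subsystem checks above, would be consistent. The option-parsing and instance/subsystem lookup prologue is a verbatim copy of `AuditFileFindCLI.execute`; a shared helper on `AuditCLI` would keep the two commands from diverging.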