authorEndi S. Dewata <edewata@redhat.com>2017-04-11 18:04:41 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-04-11 22:34:03 +0200
commita29888e42c14c9c7e642769b747bb288d39a0809 (patch)
tree1270ed94c7b05dccc1d3657af39c5725af874a4e /base/server/python/pki/server
parentd8081073d10065987341a6583a6a7e7351b22438 (diff)
Added pki-server <subsystem>-audit-file-verify CLI.
A new pki-server <subsystem>-audit-file-verify CLI has been added to verify audit log files on the server. Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r--base/server/python/pki/server/__init__.py5
-rw-r--r--base/server/python/pki/server/cli/audit.py91
2 files changed, 96 insertions, 0 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 112dcbff3..88986548d 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -389,6 +389,11 @@ class PKISubsystem(object):
pki.util.customize_file(input_file, output_file, params)
+ def get_audit_log_dir(self):
+
+ current_file_path = self.config['log.instance.SignedAudit.fileName']
+ return os.path.dirname(current_file_path)
+
def get_audit_log_files(self):
current_file_path = self.config['log.instance.SignedAudit.fileName']
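Review bot: `get_audit_log_dir` indexes `self.config['log.instance.SignedAudit.fileName']` directly, so a CS.cfg without that key surfaces as an uncaught KeyError rather than a clear message, and a bare file name with no directory component makes `os.path.dirname` return `''`, which a caller joining it with file names will silently turn into paths relative to the current working directory. Consider resolving the key once with an explicit failure, e.g. `path = self.config.get('log.instance.SignedAudit.fileName')` followed by `if not path: raise Exception('Missing log.instance.SignedAudit.fileName in CS.cfg')` (matching whatever exception type the module already uses). A one-line docstring such as `"""Return the directory holding the configured signed audit log."""` would also help, since the method name alone does not say where the directory comes from. The neighbouring `get_audit_log_files` repeats the same lookup; its body continues outside the hunk.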
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
index 3bb9d5f0f..0833ca816 100644
--- a/base/server/python/pki/server/cli/audit.py
+++ b/base/server/python/pki/server/cli/audit.py
@@ -21,7 +21,11 @@
from __future__ import absolute_import
from __future__ import print_function
import getopt
+import os
+import shutil
+import subprocess
import sys
+import tempfile
import pki.cli
@@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI):
self.parent = parent
self.add_module(AuditFileFindCLI(self))
+ self.add_module(AuditFileVerifyCLI(self))
class AuditFileFindCLI(pki.cli.CLI):
@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI):
print()
print(' File name: %s' % filename)
+
+
+class AuditFileVerifyCLI(pki.cli.CLI):
+
+ def __init__(self, parent):
+ super(AuditFileVerifyCLI, self).__init__(
+ 'file-verify', 'Verify audit log files')
+
+ self.parent = parent
+
+ def print_help(self):
+ print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name)
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+
+ try:
+ opts, _ = getopt.gnu_getopt(args, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.print_help()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.print_help()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ if not instance.is_valid():
+ print('ERROR: Invalid instance %s.' % instance_name)
+ sys.exit(1)
+
+ instance.load()
+
+ subsystem_name = self.parent.parent.name
+ subsystem = instance.get_subsystem(subsystem_name)
+ if not subsystem:
+ print('ERROR: No %s subsystem in instance %s.'
+ % (subsystem_name.upper(), instance_name))
+ sys.exit(1)
+
+ log_dir = subsystem.get_audit_log_dir()
+ log_files = subsystem.get_audit_log_files()
+ signing_cert = subsystem.get_subsystem_cert('audit_signing')
+
+ tmpdir = tempfile.mkdtemp()
+
+ try:
+ file_list = os.path.join(tmpdir, 'audit.txt')
+
+ with open(file_list, 'w') as f:
+ for filename in log_files:
+ f.write(os.path.join(log_dir, filename) + '\n')
+
+ cmd = ['AuditVerify',
+ '-d', instance.nssdb_dir,
+ '-n', signing_cert['nickname'],
+ '-a', file_list]
+
+ if self.verbose:
+ print('Command: %s' % ' '.join(cmd))
+
+ subprocess.call(cmd)
+
+ finally:
+ shutil.rmtree(tmpdir)
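Review bot: The return value of `subprocess.call(cmd)` at the end of `execute` is discarded, so the command exits 0 even when AuditVerify reports a broken signature chain or fails to run at all, which defeats the purpose of a verify subcommand whenever it is scripted or monitored. Capture it with `rc = subprocess.call(cmd)` and, after the `finally` block has removed the temp directory, propagate it with `sys.exit(rc)`. Relatedly, `signing_cert['nickname']` raises a TypeError if `get_subsystem_cert('audit_signing')` returns nothing — presumably when no audit signing certificate is configured — so a check with a clear error before building the command would be friendlier. `AuditVerify` is also resolved through PATH; if this CLI is expected to run as root, pinning the absolute path of the tool avoids picking up a stray binary. Finally, the help text omits the `-v, --verbose` option that the getopt spec accepts.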