diff options
author | Endi S. Dewata <edewata@redhat.com> | 2017-06-14 23:08:29 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-06-16 22:49:28 +0200 |
commit | d2e247798a36225880ef6050716cc7576fe2ad7f (patch) | |
tree | fd5a3ceacdee606f809d68c657529c4330309064 /base | |
parent | 89f14cc5b7858e60107dc0776a59394bdfb8edaf (diff) | |
download | pki-d2e247798a36225880ef6050716cc7576fe2ad7f.tar.gz pki-d2e247798a36225880ef6050716cc7576fe2ad7f.tar.xz pki-d2e247798a36225880ef6050716cc7576fe2ad7f.zip |
Added banner validation during server startup.
Some pki-server CLIs have been added to inspect and validate the
content of the banner file.
The PKI server startup script has been modified to validate the
content of the banner file using the new CLI.
https://pagure.io/dogtagpki/issue/2671
Change-Id: Ibc51afee184d0a720cc0d2961af08ef75d2b54c4
Diffstat (limited to 'base')
-rw-r--r-- | base/server/python/pki/server/__init__.py | 8 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/banner.py | 186 | ||||
-rw-r--r-- | base/server/sbin/pki-server | 2 | ||||
-rw-r--r-- | base/server/scripts/operations | 6 |
4 files changed, 202 insertions, 0 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 46c6711ed..0852b121b 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -19,6 +19,7 @@ # from __future__ import absolute_import +import codecs from lxml import etree import functools import getpass @@ -501,6 +502,7 @@ class PKIInstance(object): self.conf_dir = os.path.join(CONFIG_BASE_DIR, name) self.log_dir = os.path.join(LOG_BASE_DIR, name) + self.banner_file = os.path.join(self.conf_dir, 'banner.txt') self.password_conf = os.path.join(self.conf_dir, 'password.conf') self.external_certs_conf = os.path.join( self.conf_dir, 'external_certs.conf') @@ -792,6 +794,12 @@ class PKIInstance(object): self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml') os.remove(context_xml) + def banner_installed(self): + return os.path.exists(self.banner_file) + + def get_banner(self): + return codecs.open(self.banner_file, "UTF-8").read().strip() + def __repr__(self): if self.type == 9: return "Dogtag 9 " + self.name diff --git a/base/server/python/pki/server/cli/banner.py b/base/server/python/pki/server/cli/banner.py new file mode 100644 index 000000000..98f8f164c --- /dev/null +++ b/base/server/python/pki/server/cli/banner.py @@ -0,0 +1,186 @@ +# Authors: +# Endi S. Dewata <edewata@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2017 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import +from __future__ import print_function +import codecs +import getopt +from lxml import etree +import sys +import traceback + +import pki.cli + + +class BannerCLI(pki.cli.CLI): + + def __init__(self): + super(BannerCLI, self).__init__('banner', + 'Banner management commands') + + self.add_module(BannerShowCLI()) + self.add_module(BannerValidateCLI()) + + +class BannerShowCLI(pki.cli.CLI): + + def __init__(self): + super(BannerShowCLI, self).__init__('show', 'Show banner') + + def usage(self): + print('Usage: pki-server banner-show [OPTIONS]') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + instance_name = 'pki-tomcat' + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.usage() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + instance = pki.server.PKIInstance(instance_name) + + if not instance.is_valid(): + print('ERROR: Invalid instance %s.' % instance_name) + sys.exit(1) + + instance.load() + + if not instance.banner_installed(): + print('ERROR: Banner is not installed') + sys.exit(1) + + print(instance.get_banner()) + + +class BannerValidateCLI(pki.cli.CLI): + + def __init__(self): + super(BannerValidateCLI, self).__init__('validate', 'Validate banner') + + def usage(self): + print('Usage: pki-server banner-validate [OPTIONS]') + print() + print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).') + print(' --file <path> Validate specified banner file.') + print(' -v, --verbose Run in verbose mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + + try: + opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', 'file=', + 'verbose', 'help']) + + except getopt.GetoptError as e: + print('ERROR: ' + str(e)) + self.usage() + sys.exit(1) + + instance_name = 'pki-tomcat' + banner_file = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--file': + banner_file = a + + elif o in ('-v', '--verbose'): + self.set_verbose(True) + + elif o == '--help': + self.usage() + sys.exit() + + else: + print('ERROR: unknown option ' + o) + self.usage() + sys.exit(1) + + if banner_file: + + # load banner from file + banner = codecs.open(banner_file, "UTF-8").read().strip() + + else: + + # load banner from instance + instance = pki.server.PKIInstance(instance_name) + + if not instance.is_valid(): + print('ERROR: Invalid instance %s.' % instance_name) + sys.exit(1) + + instance.load() + + if not instance.banner_installed(): + self.print_message('Banner is not installed') + return + + banner = instance.get_banner() + + if not banner: + print('ERROR: Banner is empty') + sys.exit(1) + + xml_banner = "<banner>" + banner + "</banner>" + + try: + parser = etree.XMLParser() + etree.fromstring(xml_banner, parser) + + self.print_message('Banner is valid') + + except etree.XMLSyntaxError as e: + if self.verbose: + traceback.print_exc() + print('ERROR: Banner contains invalid character(s)') + sys.exit(1) diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server index 6df70dc84..ce06e28ab 100644 --- a/base/server/sbin/pki-server +++ b/base/server/sbin/pki-server @@ -32,6 +32,7 @@ import pki.server.cli.kra import pki.server.cli.ocsp import pki.server.cli.tks import pki.server.cli.tps +import pki.server.cli.banner import pki.server.cli.db import pki.server.cli.instance import pki.server.cli.subsystem @@ -52,6 +53,7 @@ class PKIServerCLI(pki.cli.CLI): self.add_module(pki.server.cli.tks.TKSCLI()) self.add_module(pki.server.cli.tps.TPSCLI()) + self.add_module(pki.server.cli.banner.BannerCLI()) self.add_module(pki.server.cli.db.DBCLI()) self.add_module(pki.server.cli.instance.InstanceCLI()) self.add_module(pki.server.cli.subsystem.SubsystemCLI()) diff --git a/base/server/scripts/operations b/base/server/scripts/operations index 907dd0ee1..908c952e9 100644 --- a/base/server/scripts/operations +++ b/base/server/scripts/operations @@ -1297,6 +1297,12 @@ EOF /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy + pki-server banner-validate -i "$PKI_INSTANCE_NAME" + rv=$? + if [ $rv -ne 0 ]; then + return $rv + fi + if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then # enable all subsystems pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all |