#
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
from ipalib import Object
from ipalib import _, ngettext
from ipalib.crud import Search
from ipalib.parameters import Int, Str, StrEnum
from ipalib.plugable import Registry
# Plugin registry for this module; the ``@register()`` decorators on the
# classes below attach them to it.
register = Registry()

# The module docstring doubles as CLI help text, so it is wrapped in ``_()``
# (ipalib's gettext-style wrapper) to make it translatable.
__doc__ = _("""
Kerberos PKINIT feature status reporting tools.
Report IPA masters on which Kerberos PKINIT is enabled or disabled
EXAMPLES:
List PKINIT status on all masters:
ipa pkinit-status
Check PKINIT status on `ipa.example.com`:
ipa pkinit-status --server ipa.example.com
List all IPA masters with disabled PKINIT:
ipa pkinit-status --status='disabled'
For more info about PKINIT support see:
https://www.freeipa.org/page/V4/Kerberos_PKINIT
""")
@register()
class pkinit(Object):
    """
    PKINIT Options
    """
    # Virtual object: it only describes the two attributes each row of the
    # ``pkinit-status`` report carries, it is not backed by an LDAP entry.
    object_name = _('pkinit')
    label = _('PKINIT')

    takes_params = (
        # Hostname of the IPA master the status row refers to.
        Str(
            'server_server?',
            cli_name='server',
            label=_('Server name'),
            doc=_('IPA server hostname'),
        ),
        # Closed set of states. Per its flags the value is virtual and is
        # neither created nor updated through this object; it is derived
        # from the server-role configuration by ``pkinit_status``.
        StrEnum(
            'status?',
            cli_name='status',
            label=_('PKINIT status'),
            doc=_('Whether PKINIT is enabled or disabled'),
            values=(u'enabled', u'disabled'),
            flags={'virtual_attribute', 'no_create', 'no_update'},
        ),
    )
@register()
class pkinit_status(Search):
    __doc__ = _('Report PKINIT status on the IPA masters')

    msg_summary = ngettext('%(count)s server matched',
                           '%(count)s servers matched', 0)

    # ``Search`` supplies the common search options; the two limits added
    # here are flagged ``no_display`` and are never auto-filled.
    takes_options = Search.takes_options + (
        Int(
            'timelimit?',
            label=_('Time Limit'),
            doc=_('Time limit of search in seconds (0 is unlimited)'),
            flags=['no_display'],
            minvalue=0,
            autofill=False,
        ),
        Int(
            'sizelimit?',
            label=_('Size Limit'),
            doc=_('Maximum number of entries returned (0 is unlimited)'),
            flags=['no_display'],
            minvalue=0,
            autofill=False,
        ),
    )

    def get_pkinit_status(self, server, status):
        """Yield one ``{server_server, status}`` dict per matching master.

        :param server: hostname to report on, or ``None`` to report on every
            host listed under ``ipa_master_server`` in the "IPA master" role
            configuration
        :param status: ``u'enabled'`` or ``u'disabled'`` to keep only masters
            in that state, or ``None`` to keep all of them
        """
        role_config = self.api.Backend.serverroles.config_retrieve("IPA master")

        # The full master list is only looked up when no explicit server was
        # requested, so a missing 'ipa_master_server' key cannot affect the
        # single-server path.
        candidates = (
            [server] if server is not None
            else role_config['ipa_master_server']
        )

        pkinit_masters = role_config.get('pkinit_server_server')
        # NOTE(review): when 'pkinit_server_server' is absent nothing is
        # yielded at all, rather than every master being reported as
        # disabled; confirm that is the intended reading of the role config.
        if pkinit_masters is None:
            return

        for hostname in candidates:
            state = u'enabled' if hostname in pkinit_masters else u'disabled'
            # A status filter keeps only rows in that exact state.
            if status is None or state == status:
                yield {u'server_server': hostname, u'status': state}

    def execute(self, *keys, **options):
        """Run the report and return the usual ``result``/``count``/
        ``truncated`` payload, with rows ordered by server name."""
        # Positional search criteria are not supported: any positional value
        # produces an empty result set rather than an error.
        if keys:
            return dict(result=[], count=0, truncated=False)

        server = options.get('server_server')
        status = options.get('status')

        # Check the caller-supplied hostname against the known masters before
        # building the report; this is delegated to the server_role object
        # (presumably it raises for an unknown host — see that object).
        if server is not None:
            self.api.Object.server_role.ensure_master_exists(server)

        rows = sorted(self.get_pkinit_status(server, status),
                      key=lambda row: row.get('server_server'))
        return dict(result=rows, count=len(rows), truncated=False)