freeipa/ipaclient/plugins/cert.py

# Authors:
#   Andrew Wnuk <awnuk@redhat.com>
#   Jason Gerard DeRose <jderose@redhat.com>
#   John Dennis <jdennis@redhat.com>
#
# Copyright (C) 2009  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import base64

from ipaclient.frontend import MethodOverride
from ipalib import errors
from ipalib import x509
from ipalib import util
from ipalib.parameters import BinaryFile, File, Flag, Str
from ipalib.plugable import Registry
from ipalib.text import _

register = Registry()


class CertRetrieveOverride(MethodOverride):
    takes_options = (
        Str(
            'certificate_out?',
            doc=_('Write certificate (chain if --chain used) to file'),
            include='cli',
            cli_metavar='FILE',
        ),
    )

    def forward(self, *args, **options):
        filename = None
        if 'certificate_out' in options:
            filename = options.pop('certificate_out')

        result = super(CertRetrieveOverride, self).forward(*args, **options)

        if filename is not None:
            try:
                util.check_writable_file(filename)
            except errors.FileError as e:
                raise errors.ValidationError(name='certificate-out',
                                             error=str(e))
            if options.get('chain', False):
                certs = result['result']['certificate_chain']
            else:
                certs = [base64.b64decode(result['result']['certificate'])]
            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
            x509.write_certificate_list(certs, filename)

        return result


@register(override=True, no_fail=True)
class cert_request(CertRetrieveOverride):
    def get_args(self):
        for arg in super(cert_request, self).get_args():
            if arg.name == 'csr':
                arg = arg.clone_retype(arg.name, File, required=False)
            yield arg


@register(override=True, no_fail=True)
class cert_show(CertRetrieveOverride):
    def get_options(self):
        for option in super(cert_show, self).get_options():
            if option.name == 'out':
                # skip server-defined --out
                continue
            if option.name == 'certificate_out':
                # add --out as a deprecated alias of --certificate-out
                option = option.clone_rename(
                    'out',
                    cli_name='certificate_out',
                    deprecated_cli_aliases={'out'},
                )
            yield option

    def forward(self, *args, **options):
        try:
            options['certificate_out'] = options.pop('out')
        except KeyError:
            pass

        return super(cert_show, self).forward(*args, **options)


@register(override=True, no_fail=True)
class cert_remove_hold(MethodOverride):
    has_output_params = (
        Flag('unrevoked',
            label=_('Unrevoked'),
        ),
        Str('error_string',
            label=_('Error'),
        ),
    )


@register(override=True, no_fail=True)
class cert_find(MethodOverride):
    takes_options = (
        BinaryFile(
            'file?',
            label=_("Input filename"),
            doc=_('File to load the certificate from.'),
            include='cli',
        ),
    )

    def forward(self, *args, **options):
        if self.api.env.context == 'cli':
            if 'certificate' in options and 'file' in options:
                raise errors.MutuallyExclusiveError(
                    reason=_("cannot specify both raw certificate and file"))
            if 'certificate' not in options and 'file' in options:
                options['certificate'] = x509.load_unknown_x509_certificate(
                                            options.pop('file'))

        return super(cert_find, self).forward(*args, **options)
ipalib: split off client-side plugin code into ipaclient Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-04-28 03:15:01 -05:00			`# Authors:`
			`# Andrew Wnuk <awnuk@redhat.com>`
			`# Jason Gerard DeRose <jderose@redhat.com>`
			`# John Dennis <jdennis@redhat.com>`
			`#`
			`# Copyright (C) 2009 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

cert: add output file option to cert-request The certificate returned by cert-request can now be saved to a file in the CLI using a new --certificate-out option. Deprecate --out in cert-show in favor of --certificate-out. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 2017-03-10 03:19:53 -06:00			`import base64`
csrgen: Automate full cert request flow Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR. Example usage (NSS database): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs Example usage (PEM private key file): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-08-22 09:46:02 -05:00
cert: add object plugin Implement cert as an object with methods rather than a bunch of loosely related commands. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 2016-06-13 23:29:18 -05:00			`from ipaclient.frontend import MethodOverride`
ipalib: split off client-side plugin code into ipaclient Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-04-28 03:15:01 -05:00			`from ipalib import errors`
			`from ipalib import x509`
			`from ipalib import util`
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 2018-04-27 05:29:17 -05:00			`from ipalib.parameters import BinaryFile, File, Flag, Str`
ipalib: split off client-side plugin code into ipaclient Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-04-28 03:15:01 -05:00			`from ipalib.plugable import Registry`
cert: allow search by certificate Allow search by certificate data or file in cert-find. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 2016-06-14 02:44:22 -05:00			`from ipalib.text import _`
ipalib: split off client-side plugin code into ipaclient Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-04-28 03:15:01 -05:00
			`register = Registry()`


cert: add output file option to cert-request The certificate returned by cert-request can now be saved to a file in the CLI using a new --certificate-out option. Deprecate --out in cert-show in favor of --certificate-out. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 2017-03-10 03:19:53 -06:00			`class CertRetrieveOverride(MethodOverride):`
csrgen: Automate full cert request flow Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR. Example usage (NSS database): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs Example usage (PEM private key file): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-08-22 09:46:02 -05:00			`takes_options = (`
cert: add output file option to cert-request The certificate returned by cert-request can now be saved to a file in the CLI using a new --certificate-out option. Deprecate --out in cert-show in favor of --certificate-out. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 2017-03-10 03:19:53 -06:00			`Str(`
			`'certificate_out?',`
			`doc=_('Write certificate (chain if --chain used) to file'),`
			`include='cli',`
			`cli_metavar='FILE',`
			`),`
			`)`

			`def forward(self, args, *options):`
Check for file permissions after the ca/cert-show is complete The commands ca-show and cert-show provide the ability to direct the certificate output to a file. If the requested object was not present then this resulted in a zero-length file. This is because the check to determine if the file was writable, by opening it, was done prior to the operation to retrieve the entry. So move the check after the data retrieval. Also convert cert-show to be more consistent with ca-show. I considered cleaning up the empty file afterward but IMHO we shouldn't touch the file until we're ready to write. This costs an API roundtrip but its a small price to pay for potentially protecting existing data. Fixes: https://pagure.io/freeipa/issue/9562 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2024-03-25 13:08:13 -05:00			`filename = None`
ca/cert-show: check certificate_out in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None. This check was done properly in the ca plugin. Lets' just unify how this is handled and improve user experience by announcing which option causes the failure. https://pagure.io/freeipa/issue/6885 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-05-09 10:45:20 -05:00			`if 'certificate_out' in options:`
Check for file permissions after the ca/cert-show is complete The commands ca-show and cert-show provide the ability to direct the certificate output to a file. If the requested object was not present then this resulted in a zero-length file. This is because the check to determine if the file was writable, by opening it, was done prior to the operation to retrieve the entry. So move the check after the data retrieval. Also convert cert-show to be more consistent with ca-show. I considered cleaning up the empty file afterward but IMHO we shouldn't touch the file until we're ready to write. This costs an API roundtrip but its a small price to pay for potentially protecting existing data. Fixes: https://pagure.io/freeipa/issue/9562 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2024-03-25 13:08:13 -05:00			`filename = options.pop('certificate_out')`

			`result = super(CertRetrieveOverride, self).forward(args, *options)`

			`if filename is not None:`
ca/cert-show: check certificate_out in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None. This check was done properly in the ca plugin. Lets' just unify how this is handled and improve user experience by announcing which option causes the failure. https://pagure.io/freeipa/issue/6885 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-05-09 10:45:20 -05:00			`try:`
Check for file permissions after the ca/cert-show is complete The commands ca-show and cert-show provide the ability to direct the certificate output to a file. If the requested object was not present then this resulted in a zero-length file. This is because the check to determine if the file was writable, by opening it, was done prior to the operation to retrieve the entry. So move the check after the data retrieval. Also convert cert-show to be more consistent with ca-show. I considered cleaning up the empty file afterward but IMHO we shouldn't touch the file until we're ready to write. This costs an API roundtrip but its a small price to pay for potentially protecting existing data. Fixes: https://pagure.io/freeipa/issue/9562 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2024-03-25 13:08:13 -05:00			`util.check_writable_file(filename)`
ca/cert-show: check certificate_out in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None. This check was done properly in the ca plugin. Lets' just unify how this is handled and improve user experience by announcing which option causes the failure. https://pagure.io/freeipa/issue/6885 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-05-09 10:45:20 -05:00			`except errors.FileError as e:`
			`raise errors.ValidationError(name='certificate-out',`
			`error=str(e))`
cert: include certificate chain in cert command output Include the full certificate chain in the output of cert-request, cert-show and cert-find if --chain or --all is specified. If output file is specified in the CLI together with --chain, the full certificate chain is written to the file. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 2017-03-10 03:22:42 -06:00			`if options.get('chain', False):`
			`certs = result['result']['certificate_chain']`
			`else:`
Fix writing certificate chain to file An client-side error occurs when cert commands are instructed to write the certificate chain (--chain option) to a file (--certificate-out option). This regression was introduced in the 'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3, and reflected in the 'ca' plugin in commit c7064494e5801d5fd4670e6aab1e07c65d7a0731. The server behaviour did not change; rather the client did not correctly handle the DER-encoded certificates in the 'certificate_chain' response field. Fix the issue by treating the 'certificate' field as base-64 encoded DER, and the 'certificate_chain' field as an array of raw DER certificates. Add tests for checking that the relevant commands succeed and write PEM data to the file (both with and without --chain). Fixes: https://pagure.io/freeipa/issue/7700 Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-09-27 01:36:59 -05:00			`certs = [base64.b64decode(result['result']['certificate'])]`
			`certs = (x509.load_der_x509_certificate(cert) for cert in certs)`
Check for file permissions after the ca/cert-show is complete The commands ca-show and cert-show provide the ability to direct the certificate output to a file. If the requested object was not present then this resulted in a zero-length file. This is because the check to determine if the file was writable, by opening it, was done prior to the operation to retrieve the entry. So move the check after the data retrieval. Also convert cert-show to be more consistent with ca-show. I considered cleaning up the empty file afterward but IMHO we shouldn't touch the file until we're ready to write. This costs an API roundtrip but its a small price to pay for potentially protecting existing data. Fixes: https://pagure.io/freeipa/issue/9562 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 2024-03-25 13:08:13 -05:00			`x509.write_certificate_list(certs, filename)`
cert: add output file option to cert-request The certificate returned by cert-request can now be saved to a file in the CLI using a new --certificate-out option. Deprecate --out in cert-show in favor of --certificate-out. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 2017-03-10 03:19:53 -06:00
			`return result`


			`@register(override=True, no_fail=True)`
			`class cert_request(CertRetrieveOverride):`
ipalib: move File command arguments to ipaclient File arguments are relevant only on the client, on the server they are the same as Str. Specify the arguments as Str in ipalib.plugins and override them with File in ipaclient.plugins. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-06-01 08:58:47 -05:00			`def get_args(self):`
			`for arg in super(cert_request, self).get_args():`
			`if arg.name == 'csr':`
csrgen: Automate full cert request flow Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR. Example usage (NSS database): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs Example usage (PEM private key file): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-08-22 09:46:02 -05:00			`arg = arg.clone_retype(arg.name, File, required=False)`
ipalib: move File command arguments to ipaclient File arguments are relevant only on the client, on the server they are the same as Str. Specify the arguments as Str in ipalib.plugins and override them with File in ipaclient.plugins. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-06-01 08:58:47 -05:00			`yield arg`


client: ignore override errors in command overrides This fixes API initialization errors when the remote server does not have the overriden command. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-06-27 02:33:29 -05:00			`@register(override=True, no_fail=True)`
cert: add output file option to cert-request The certificate returned by cert-request can now be saved to a file in the CLI using a new --certificate-out option. Deprecate --out in cert-show in favor of --certificate-out. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 2017-03-10 03:19:53 -06:00			`class cert_show(CertRetrieveOverride):`
			`def get_options(self):`
			`for option in super(cert_show, self).get_options():`
			`if option.name == 'out':`
			`# skip server-defined --out`
			`continue`
			`if option.name == 'certificate_out':`
			`# add --out as a deprecated alias of --certificate-out`
			`option = option.clone_rename(`
			`'out',`
			`cli_name='certificate_out',`
			`deprecated_cli_aliases={'out'},`
			`)`
			`yield option`

			`def forward(self, args, *options):`
			`try:`
			`options['certificate_out'] = options.pop('out')`
			`except KeyError:`
			`pass`

			`return super(cert_show, self).forward(args, *options)`
cert: allow search by certificate Allow search by certificate data or file in cert-find. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 2016-06-14 02:44:22 -05:00

client: ignore override errors in command overrides This fixes API initialization errors when the remote server does not have the overriden command. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-06-27 02:33:29 -05:00			`@register(override=True, no_fail=True)`
cert: fix CLI output of cert_remove_hold cert_remove_hold uses output params instead of exceptions to convey unsuccessful result. Move the output params to the client side before the command is fixed to use exceptions. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-06-29 11:11:41 -05:00			`class cert_remove_hold(MethodOverride):`
			`has_output_params = (`
			`Flag('unrevoked',`
			`label=_('Unrevoked'),`
			`),`
			`Str('error_string',`
			`label=_('Error'),`
			`),`
			`)`


client: ignore override errors in command overrides This fixes API initialization errors when the remote server does not have the overriden command. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com> 2016-06-27 02:33:29 -05:00			`@register(override=True, no_fail=True)`
cert: allow search by certificate Allow search by certificate data or file in cert-find. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 2016-06-14 02:44:22 -05:00			`class cert_find(MethodOverride):`
			`takes_options = (`
Load certificate files as binary data In Python 3, cryptography requires certificate data to be binary. Even PEM encoded files are treated as binary content. certmap-match and cert-find were loading certificates as text files. A new BinaryFile type loads files as binary content. Fixes: https://pagure.io/freeipa/issue/7520 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 2018-04-27 05:29:17 -05:00			`BinaryFile(`
cert: allow search by certificate Allow search by certificate data or file in cert-find. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 2016-06-14 02:44:22 -05:00			`'file?',`
			`label=_("Input filename"),`
			`doc=_('File to load the certificate from.'),`
			`include='cli',`
			`),`
			`)`

			`def forward(self, args, *options):`
			`if self.api.env.context == 'cli':`
			`if 'certificate' in options and 'file' in options:`
			`raise errors.MutuallyExclusiveError(`
			`reason=_("cannot specify both raw certificate and file"))`
			`if 'certificate' not in options and 'file' in options:`
x509: remove the strip_header() function We don't need the strip_header() function, to load an unknown x509 certificate, load_unknown_x509_certificate() should be used. Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2017-09-25 02:54:53 -05:00			`options['certificate'] = x509.load_unknown_x509_certificate(`
			`options.pop('file'))`
cert: allow search by certificate Allow search by certificate data or file in cert-find. https://fedorahosted.org/freeipa/ticket/5381 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 2016-06-14 02:44:22 -05:00
			`return super(cert_find, self).forward(args, *options)`