freeipa/ipaclient/plugins/ca.py

#
# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
#
import base64

from ipaclient.frontend import MethodOverride
from ipalib import errors, util, x509, Str
from ipalib.plugable import Registry
from ipalib.text import _

register = Registry()


class WithCertOutArgs(MethodOverride):

    takes_options = (
        Str(
            'certificate_out?',
            doc=_('Write certificate (chain if --chain used) to file'),
            include='cli',
            cli_metavar='FILE',
        ),
    )

    def forward(self, *keys, **options):
        filename = None
        if 'certificate_out' in options:
            filename = options.pop('certificate_out')
            try:
                util.check_writable_file(filename)
            except errors.FileError as e:
                raise errors.ValidationError(name='certificate-out',
                                             error=str(e))

        result = super(WithCertOutArgs, self).forward(*keys, **options)
        if filename:
            if options.get('chain', False):
                certs = result['result']['certificate_chain']
            else:
                certs = [base64.b64decode(result['result']['certificate'])]
            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
            x509.write_certificate_list(certs, filename)

        return result


@register(override=True, no_fail=True)
class ca_add(WithCertOutArgs):
    pass


@register(override=True, no_fail=True)
class ca_show(WithCertOutArgs):
    pass
Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 2016-08-07 23:27:20 -05:00			`#`
			`# Copyright (C) 2016 FreeIPA Contributors see COPYING for license`
			`#`
Fix certificate type error when exporting to file Commands `ipa ca-show` and `ipa cert-show` share the same code, this commit updates the former, closing the gap between them. Reflecting the changes done in 5a44ca638310913ab6b0c239374f4b0ddeeedeb3. https://pagure.io/freeipa/issue/7628 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-09-03 16:52:57 -05:00			`import base64`
Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 2016-08-07 23:27:20 -05:00
			`from ipaclient.frontend import MethodOverride`
ca/cert-show: check certificate_out in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None. This check was done properly in the ca plugin. Lets' just unify how this is handled and improve user experience by announcing which option causes the failure. https://pagure.io/freeipa/issue/6885 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-05-09 10:45:20 -05:00			`from ipalib import errors, util, x509, Str`
Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 2016-08-07 23:27:20 -05:00			`from ipalib.plugable import Registry`
			`from ipalib.text import _`

			`register = Registry()`


			`class WithCertOutArgs(MethodOverride):`

			`takes_options = (`
			`Str(`
			`'certificate_out?',`
			`doc=_('Write certificate (chain if --chain used) to file'),`
			`include='cli',`
			`cli_metavar='FILE',`
			`),`
			`)`

			`def forward(self, keys, *options):`
			`filename = None`
			`if 'certificate_out' in options:`
			`filename = options.pop('certificate_out')`
ca/cert-show: check certificate_out in options If --certificate-out was specified on the command line, it will appear among the options. If it was empty, it will be None. This check was done properly in the ca plugin. Lets' just unify how this is handled and improve user experience by announcing which option causes the failure. https://pagure.io/freeipa/issue/6885 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-05-09 10:45:20 -05:00			`try:`
			`util.check_writable_file(filename)`
			`except errors.FileError as e:`
			`raise errors.ValidationError(name='certificate-out',`
			`error=str(e))`
Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 2016-08-07 23:27:20 -05:00
			`result = super(WithCertOutArgs, self).forward(keys, *options)`
			`if filename:`
			`if options.get('chain', False):`
Fix certificate type error when exporting to file Commands `ipa ca-show` and `ipa cert-show` share the same code, this commit updates the former, closing the gap between them. Reflecting the changes done in 5a44ca638310913ab6b0c239374f4b0ddeeedeb3. https://pagure.io/freeipa/issue/7628 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-09-03 16:52:57 -05:00			`certs = result['result']['certificate_chain']`
Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 2016-08-07 23:27:20 -05:00			`else:`
Fix writing certificate chain to file An client-side error occurs when cert commands are instructed to write the certificate chain (--chain option) to a file (--certificate-out option). This regression was introduced in the 'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3, and reflected in the 'ca' plugin in commit c7064494e5801d5fd4670e6aab1e07c65d7a0731. The server behaviour did not change; rather the client did not correctly handle the DER-encoded certificates in the 'certificate_chain' response field. Fix the issue by treating the 'certificate' field as base-64 encoded DER, and the 'certificate_chain' field as an array of raw DER certificates. Add tests for checking that the relevant commands succeed and write PEM data to the file (both with and without --chain). Fixes: https://pagure.io/freeipa/issue/7700 Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-09-27 01:36:59 -05:00			`certs = [base64.b64decode(result['result']['certificate'])]`
			`certs = (x509.load_der_x509_certificate(cert) for cert in certs)`
x509: Make certificates represented as objects https://pagure.io/freeipa/issue/4985 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 2017-06-16 03:18:07 -05:00			`x509.write_certificate_list(certs, filename)`
Add options to write lightweight CA cert or chain to file Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 2016-08-07 23:27:20 -05:00
			`return result`


			`@register(override=True, no_fail=True)`
			`class ca_add(WithCertOutArgs):`
			`pass`


			`@register(override=True, no_fail=True)`
			`class ca_show(WithCertOutArgs):`
			`pass`