2016-04-28 03:15:01 -05:00
|
|
|
# Authors:
|
|
|
|
# Andrew Wnuk <awnuk@redhat.com>
|
|
|
|
# Jason Gerard DeRose <jderose@redhat.com>
|
|
|
|
# John Dennis <jdennis@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2009 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
2016-08-22 09:46:02 -05:00
|
|
|
import subprocess
|
|
|
|
from tempfile import NamedTemporaryFile as NTF
|
|
|
|
|
|
|
|
import six
|
|
|
|
|
2016-06-13 23:29:18 -05:00
|
|
|
from ipaclient.frontend import MethodOverride
|
2016-04-28 03:15:01 -05:00
|
|
|
from ipalib import errors
|
|
|
|
from ipalib import x509
|
|
|
|
from ipalib import util
|
2016-06-29 11:11:41 -05:00
|
|
|
from ipalib.parameters import File, Flag, Str
|
2016-04-28 03:15:01 -05:00
|
|
|
from ipalib.plugable import Registry
|
2016-06-14 02:44:22 -05:00
|
|
|
from ipalib.text import _
|
2016-04-28 03:15:01 -05:00
|
|
|
|
2016-08-22 09:46:02 -05:00
|
|
|
if six.PY3:
|
|
|
|
unicode = str
|
|
|
|
|
2016-04-28 03:15:01 -05:00
|
|
|
register = Registry()
|
|
|
|
|
|
|
|
|
2016-06-27 02:33:29 -05:00
|
|
|
@register(override=True, no_fail=True)
|
2016-06-13 23:29:18 -05:00
|
|
|
class cert_request(MethodOverride):
|
2016-08-22 09:46:02 -05:00
|
|
|
takes_options = (
|
|
|
|
Str(
|
|
|
|
'database?',
|
|
|
|
label=_('Path to NSS database'),
|
|
|
|
doc=_('Path to NSS database to use for private key'),
|
|
|
|
),
|
|
|
|
Str(
|
|
|
|
'private_key?',
|
|
|
|
label=_('Path to private key file'),
|
|
|
|
doc=_('Path to PEM file containing a private key'),
|
|
|
|
),
|
2017-02-08 19:56:37 -06:00
|
|
|
Str(
|
|
|
|
'password_file?',
|
|
|
|
label=_(
|
|
|
|
'File containing a password for the private key or database'),
|
|
|
|
),
|
2017-02-04 09:25:42 -06:00
|
|
|
Str(
|
|
|
|
'csr_profile_id?',
|
|
|
|
label=_('Name of CSR generation profile (if not the same as'
|
|
|
|
' profile_id)'),
|
|
|
|
),
|
2016-08-22 09:46:02 -05:00
|
|
|
)
|
|
|
|
|
2016-06-01 08:58:47 -05:00
|
|
|
def get_args(self):
|
|
|
|
for arg in super(cert_request, self).get_args():
|
|
|
|
if arg.name == 'csr':
|
2016-08-22 09:46:02 -05:00
|
|
|
arg = arg.clone_retype(arg.name, File, required=False)
|
2016-06-01 08:58:47 -05:00
|
|
|
yield arg
|
|
|
|
|
2016-08-22 09:46:02 -05:00
|
|
|
def forward(self, csr=None, **options):
|
|
|
|
database = options.pop('database', None)
|
|
|
|
private_key = options.pop('private_key', None)
|
2017-02-04 09:25:42 -06:00
|
|
|
csr_profile_id = options.pop('csr_profile_id', None)
|
2017-02-08 19:56:37 -06:00
|
|
|
password_file = options.pop('password_file', None)
|
2016-08-22 09:46:02 -05:00
|
|
|
|
|
|
|
if csr is None:
|
|
|
|
if database:
|
|
|
|
helper = u'certutil'
|
|
|
|
helper_args = ['-d', database]
|
2017-02-08 19:56:37 -06:00
|
|
|
if password_file:
|
|
|
|
helper_args += ['-f', password_file]
|
2016-08-22 09:46:02 -05:00
|
|
|
elif private_key:
|
|
|
|
helper = u'openssl'
|
|
|
|
helper_args = [private_key]
|
2017-02-08 19:56:37 -06:00
|
|
|
if password_file:
|
|
|
|
helper_args += ['-passin', 'file:%s' % password_file]
|
2016-08-22 09:46:02 -05:00
|
|
|
else:
|
|
|
|
raise errors.InvocationError(
|
|
|
|
message=u"One of 'database' or 'private_key' is required")
|
|
|
|
|
|
|
|
with NTF() as scriptfile, NTF() as csrfile:
|
2017-02-04 09:25:42 -06:00
|
|
|
# If csr_profile_id is passed, that takes precedence.
|
|
|
|
# Otherwise, use profile_id. If neither are passed, the default
|
|
|
|
# in cert_get_requestdata will be used.
|
|
|
|
profile_id = csr_profile_id
|
|
|
|
if profile_id is None:
|
|
|
|
profile_id = options.get('profile_id')
|
2016-08-22 09:46:02 -05:00
|
|
|
|
|
|
|
self.api.Command.cert_get_requestdata(
|
|
|
|
profile_id=profile_id,
|
|
|
|
principal=options.get('principal'),
|
|
|
|
out=unicode(scriptfile.name),
|
|
|
|
helper=helper)
|
|
|
|
|
|
|
|
helper_cmd = [
|
|
|
|
'bash', '-e', scriptfile.name, csrfile.name] + helper_args
|
|
|
|
|
|
|
|
try:
|
|
|
|
subprocess.check_output(helper_cmd)
|
|
|
|
except subprocess.CalledProcessError as e:
|
|
|
|
raise errors.CertificateOperationError(
|
|
|
|
error=(
|
|
|
|
_('Error running "%(cmd)s" to generate CSR:'
|
|
|
|
' %(err)s') %
|
|
|
|
{'cmd': ' '.join(helper_cmd), 'err': e.output}))
|
|
|
|
|
|
|
|
try:
|
|
|
|
csr = unicode(csrfile.read())
|
|
|
|
except IOError as e:
|
|
|
|
raise errors.CertificateOperationError(
|
|
|
|
error=(_('Unable to read generated CSR file: %(err)s')
|
|
|
|
% {'err': e}))
|
|
|
|
if not csr:
|
|
|
|
raise errors.CertificateOperationError(
|
|
|
|
error=(_('Generated CSR was empty')))
|
|
|
|
else:
|
|
|
|
if database is not None or private_key is not None:
|
|
|
|
raise errors.MutuallyExclusiveError(reason=_(
|
|
|
|
"Options 'database' and 'private_key' are not compatible"
|
|
|
|
" with 'csr'"))
|
|
|
|
|
|
|
|
return super(cert_request, self).forward(csr, **options)
|
|
|
|
|
2016-06-01 08:58:47 -05:00
|
|
|
|
2016-06-27 02:33:29 -05:00
|
|
|
@register(override=True, no_fail=True)
|
2016-06-13 23:29:18 -05:00
|
|
|
class cert_show(MethodOverride):
|
2016-04-28 03:15:01 -05:00
|
|
|
def forward(self, *keys, **options):
|
|
|
|
if 'out' in options:
|
|
|
|
util.check_writable_file(options['out'])
|
|
|
|
result = super(cert_show, self).forward(*keys, **options)
|
|
|
|
if 'certificate' in result['result']:
|
|
|
|
x509.write_certificate(result['result']['certificate'], options['out'])
|
|
|
|
return result
|
|
|
|
else:
|
|
|
|
raise errors.NoCertificateError(entry=keys[-1])
|
|
|
|
else:
|
|
|
|
return super(cert_show, self).forward(*keys, **options)
|
2016-06-14 02:44:22 -05:00
|
|
|
|
|
|
|
|
2016-06-27 02:33:29 -05:00
|
|
|
@register(override=True, no_fail=True)
|
2016-06-29 11:11:41 -05:00
|
|
|
class cert_remove_hold(MethodOverride):
|
|
|
|
has_output_params = (
|
|
|
|
Flag('unrevoked',
|
|
|
|
label=_('Unrevoked'),
|
|
|
|
),
|
|
|
|
Str('error_string',
|
|
|
|
label=_('Error'),
|
|
|
|
),
|
|
|
|
)
|
|
|
|
|
|
|
|
|
2016-06-27 02:33:29 -05:00
|
|
|
@register(override=True, no_fail=True)
|
2016-06-14 02:44:22 -05:00
|
|
|
class cert_find(MethodOverride):
|
|
|
|
takes_options = (
|
|
|
|
File(
|
|
|
|
'file?',
|
|
|
|
label=_("Input filename"),
|
|
|
|
doc=_('File to load the certificate from.'),
|
|
|
|
include='cli',
|
|
|
|
),
|
|
|
|
)
|
|
|
|
|
|
|
|
def forward(self, *args, **options):
|
|
|
|
if self.api.env.context == 'cli':
|
|
|
|
if 'certificate' in options and 'file' in options:
|
|
|
|
raise errors.MutuallyExclusiveError(
|
|
|
|
reason=_("cannot specify both raw certificate and file"))
|
|
|
|
if 'certificate' not in options and 'file' in options:
|
|
|
|
options['certificate'] = x509.strip_header(options.pop('file'))
|
|
|
|
|
|
|
|
return super(cert_find, self).forward(*args, **options)
|