csrgen: Change to pure openssl config format (no script)

https://pagure.io/freeipa/issue/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-01-26 16:16:31 -06:00 · 2017-03-21 17:23:46 -04:00 · 2017-03-21 17:23:46 -04:00 · 136c6c3e2a
commit 136c6c3e2a
parent 5420e9cfbe
6 changed files with 15 additions and 70 deletions
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@ -66,7 +66,7 @@ class Formatter(object):
    Class for processing a set of CSR generation rules into a template.

    The template can be rendered with user and database data to produce a
-    script, which generates a CSR when run.
+    config, which specifies how to build a CSR.

    Subclasses of Formatter should set the value of base_template_name to the
    filename of a base template with spaces for the processed rules.
@ -214,7 +214,7 @@ class Formatter(object):


 class OpenSSLFormatter(Formatter):
-    """Formatter class supporting the openssl command-line tool."""
+    """Formatter class generating the openssl config-file format."""

    base_template_name = 'openssl_base.tmpl'

@ -359,17 +359,17 @@ class CSRGenerator(object):
        self.rule_provider = rule_provider
        self.formatter = formatter_class()

-    def csr_script(self, principal, config, profile_id):
+    def csr_config(self, principal, config, profile_id):
        render_data = {'subject': principal, 'config': config}

        rules = self.rule_provider.rules_for_profile(profile_id)
        template = self.formatter.build_template(rules)

        try:
-            script = template.render(render_data)
+            config = template.render(render_data)
        except jinja2.UndefinedError:
            logger.debug(traceback.format_exc())
            raise errors.CSRTemplateError(reason=_(
                'Template error when formatting certificate data'))

-        return script
+        return config
--- a/ipaclient/csrgen/templates/openssl_base.tmpl
+++ b/ipaclient/csrgen/templates/openssl_base.tmpl
@ -1,21 +1,6 @@
 {% raw -%}
 {% import "openssl_macros.tmpl" as openssl -%}
-{%- endraw %}
-#!/bin/bash -e
-
-if [[ $# -lt 2 ]]; then
-echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
-echo "Called as: $0 $@"
-exit 1
-fi
-
-CONFIG="$(mktemp)"
-CSR="$1"
-KEYFILE="$2"
-shift; shift
-
-echo \
-{% raw %}{% filter quote %}{% endraw -%}
+{% endraw -%}
 [ req ]
 prompt = no
 encrypt_key = no
@ -29,7 +14,4 @@ encrypt_key = no
 req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
 {% endif %}
 {{ openssl.openssl_sections|join('\n\n') }}
-{% endfilter %}{%- endraw %} > "$CONFIG"
-
-openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
-rm "$CONFIG"
+{%- endraw %}
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@ -105,8 +105,7 @@ class cert_get_requestdata(Local):

        generator = CSRGenerator(FileRuleProvider())

-        script = generator.csr_script(
-            principal_obj, config, profile_id)
+        script = generator.csr_config(principal_obj, config, profile_id)

        result = {}
        if 'out' in options:
--- a/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
+++ b/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
@ -1,18 +1,4 @@
-#!/bin/bash -e
-
-if [[ $# -lt 2 ]]; then
-echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
-echo "Called as: $0 $@"
-exit 1
-fi
-
-CONFIG="$(mktemp)"
-CSR="$1"
-KEYFILE="$2"
-shift; shift
-
-echo \
-'[ req ]
+[ req ]
 prompt = no
 encrypt_key = no

@ -28,7 +14,3 @@ DNS = machine.example.com

 [ sec2 ]
 subjectAltName = @sec1
-' > "$CONFIG"
-
-openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
-rm "$CONFIG"
--- a/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
+++ b/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
@ -1,18 +1,4 @@
-#!/bin/bash -e
-
-if [[ $# -lt 2 ]]; then
-echo "Usage: $0 <outfile> <keyfile> <other openssl arguments>"
-echo "Called as: $0 $@"
-exit 1
-fi
-
-CONFIG="$(mktemp)"
-CSR="$1"
-KEYFILE="$2"
-shift; shift
-
-echo \
-'[ req ]
+[ req ]
 prompt = no
 encrypt_key = no

@ -28,7 +14,3 @@ email = testuser@example.com

 [ sec2 ]
 subjectAltName = @sec1
-' > "$CONFIG"
-
-openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
-rm "$CONFIG"
--- a/ipatests/test_ipaclient/test_csrgen.py
+++ b/ipatests/test_ipaclient/test_csrgen.py
@ -176,7 +176,7 @@ class test_CSRGenerator(object):
            ],
        }

-        script = generator.csr_script(principal, config, 'userCert')
+        script = generator.csr_config(principal, config, 'userCert')
        with open(os.path.join(
                CSR_DATA_DIR, 'configs', 'userCert.conf')) as f:
            expected_script = f.read()
@ -194,7 +194,7 @@ class test_CSRGenerator(object):
            ],
        }

-        script = generator.csr_script(
+        script = generator.csr_config(
            principal, config, 'caIPAserviceCert')
        with open(os.path.join(
                CSR_DATA_DIR, 'configs', 'caIPAserviceCert.conf')) as f:
@ -211,7 +211,7 @@ class test_rule_handling(object):
        generator = csrgen.CSRGenerator(
            rule_provider, formatter_class=IdentityFormatter)

-        script = generator.csr_script(
+        script = generator.csr_config(
            principal, {}, 'example')
        assert script == '\n'

@ -225,7 +225,7 @@ class test_rule_handling(object):
        generator = csrgen.CSRGenerator(
            rule_provider, formatter_class=IdentityFormatter)

-        script = generator.csr_script(principal, {}, 'example')
+        script = generator.csr_config(principal, {}, 'example')
        assert script == ',testuser\n'

    def test_requiredAttributeMissing(self):
@ -238,5 +238,5 @@ class test_rule_handling(object):
            rule_provider, formatter_class=IdentityFormatter)

        with pytest.raises(errors.CSRTemplateError):
-            _script = generator.csr_script(
+            _script = generator.csr_config(
                principal, {}, 'example')