From ae6d5b79fbce83e5ded8d8d46108b193c164ac14 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 6 May 2016 13:43:41 +1000
Subject: [PATCH] Update cert-request to allow specifying CA

Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta
Reviewed-By: Martin Babinsky
---
 API.txt | 3 ++-
 VERSION | 4 ++--
 ipaserver/plugins/cert.py | 18 +++++++++++++++---
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index 3d0174a7d..c3fa78c0d 100644
--- a/API.txt
+++ b/API.txt
@@ -758,9 +758,10 @@ arg: Str('serial_number')
 option: Str('version?')
 output: Output('result')
 command: cert_request
-args: 1,5,1
+args: 1,6,1
 arg: File('csr', cli_name='csr_file')
 option: Flag('add', autofill=True, default=False)
+option: Str('cacn?', cli_name='ca')
 option: Str('principal')
 option: Str('profile_id?')
 option: Str('request_type', autofill=True, default=u'pkcs10')
diff --git a/VERSION b/VERSION
index a4b24076f..b84b4a9ec 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=182
-# Last change: ftweedal - update caacl plugin for lightweight CAs
+IPA_API_VERSION_MINOR=183
+# Last change: ftweedal - add --ca option to cert-request
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 8fccb7629..63a051fab 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -274,7 +274,13 @@ class cert_request(VirtualCommand):
 Str('profile_id?', validate_profile_id,
 label=_("Profile ID"),
 doc=_("Certificate Profile to use"),
- )
+ ),
+ Str('cacn?',
+ cli_name='ca',
+ query=True,
+ label=_("CA"),
+ doc=_("CA to use"),
+ ),
 )
 
 has_output_params = (
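Review bot: The new `Str('cacn?', ...)` option in the `@@ -274,7 +274,13 @@` hunk has no validator and is declared with `query=True`, whereas `profile_id` directly above it passes `validate_profile_id`. As far as I know ipalib enforces no parameter rules on query parameters, so the only check on a caller-supplied CA name would be the later `ca_show` lookup; please confirm `query=True` is intended on a non-search command. The help text could also say what happens when the option is omitted, e.g. `doc=_("Name of the CA to issue the certificate (default: the IPA CA)")`. The enclosing options tuple begins above this hunk.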
@@ -321,7 +327,13 @@ class cert_request(VirtualCommand):
 add = kw.get('add')
 request_type = kw.get('request_type')
 profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
- ca = IPA_CA_CN # hardcoded until --ca option implemented
+
+ # Check that requested authority exists (done before CA ACL
+ # enforcement so that user gets better error message if
+ # referencing nonexistant CA) and look up authority ID.
+ #
+ ca = kw.get('cacn', IPA_CA_CN)
+ ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0]
 
 """
 Access control is partially handled by the ACI titled
@@ -499,7 +511,7 @@ class cert_request(VirtualCommand):
 
 # Request the certificate
 result = self.Backend.ra.request_certificate(
- csr, profile_id, None, request_type=request_type)
+ csr, profile_id, ca_id, request_type=request_type)
 cert = x509.load_certificate(result['certificate'])
 result['issuer'] = unicode(cert.issuer)
 result['valid_not_before'] = unicode(cert.valid_not_before_str)
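Review bot: In the `@@ -321,7 +327,13 @@` hunk, `api.Command.ca_show(ca)` runs before the CA ACL enforcement the comment mentions, so a caller the ACL would refuse still gets a different error for a CA name that exists than for one that does not, unless `ca_show` itself hides entries the caller may not read. The ordering is deliberate per the comment, but the comment should record that trade-off, for example `# CA names are not treated as secret, so NotFound may precede the ACL decision.`, if that is indeed the project's position. While there, `nonexistant` should read `nonexistent` and the trailing bare `#` line can go. The method body starts above and continues below this hunk.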
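Review bot: In the `@@ -499,7 +511,7 @@` hunk the third argument to `request_certificate` is now always `ca_id`, so a request without `--ca` no longer passes `None` but the ID looked up for `IPA_CA_CN`. If the backend treated `None` as "use the default authority", the default path now depends on the `ca_show` lookup succeeding and on the backend accepting an explicit ID for the top-level CA; a regression test for cert-request without `--ca` would cover that. A one-line comment such as `# ca_id was resolved from the requested CA name before the CA ACL check above` would help, since the lookup sits roughly 180 lines earlier. The surrounding method extends beyond the hunk.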