csrgen: Use data_sources option to define which fields are rendered

This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-09-06 14:58:24 -04:00
parent f1a1c6eca1
commit afd7c05d11
13 changed files with 75 additions and 77 deletions
--- a/install/share/csr/templates/ipa_macros.tmpl
+++ b/install/share/csr/templates/ipa_macros.tmpl
@@ -1,42 +0,0 @@
-{% set rendersyntax = {} %}
-
-{% set renderdata = {} %}
-
-{# Wrapper for syntax rules. We render the contents of the rule into a
-variable, so that if we find that none of the contained data rules rendered we
-can suppress the whole syntax rule. That is, a syntax rule is rendered either
-if no data rules are specified (unusual) or if at least one of the data rules
-rendered successfully. #}
-{% macro syntaxrule() -%}
-{% do rendersyntax.update(none=true, any=false) -%}
-{% set contents -%}
-{{ caller() -}}
-{% endset -%}
-{% if rendersyntax['none'] or rendersyntax['any'] -%}
-{{ contents -}}
-{% endif -%}
-{% endmacro %}
-
-{# Wrapper for data rules. A data rule is rendered only when all of the data
-fields it contains have data available. #}
-{% macro datarule() -%}
-{% do rendersyntax.update(none=false) -%}
-{% do renderdata.update(all=true) -%}
-{% set contents -%}
-{{ caller() -}}
-{% endset -%}
-{% if renderdata['all'] -%}
-{% do rendersyntax.update(any=true) -%}
-{{ contents -}}
-{% endif -%}
-{% endmacro %}
-
-{# Wrapper for fields in data rules. If any value wrapped by this macro
-produces an empty string, the entire data rule will be suppressed. #}
-{% macro datafield(value) -%}
-{% if value -%}
-{{ value -}}
-{% else -%}
-{% do renderdata.update(all=false) -%}
-{% endif -%}
-{% endmacro %}
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -12,6 +12,7 @@ rule_DATA =				\
 	rules/dataEmail.json		\
 	rules/dataHostCN.json		\
 	rules/dataUsernameCN.json	\
+	rules/dataSubjectBase.json	\
 	rules/syntaxSAN.json		\
 	rules/syntaxSubject.json	\
 	$(NULL)
@@ -21,7 +22,6 @@ template_DATA =			\
 	templates/certutil_base.tmpl	\
 	templates/openssl_base.tmpl	\
 	templates/openssl_macros.tmpl	\
-	templates/ipa_macros.tmpl	\
 	$(NULL)

 EXTRA_DIST =				\
--- a/install/share/csrgen/profiles/caIPAserviceCert.json
+++ b/install/share/csrgen/profiles/caIPAserviceCert.json
@@ -2,7 +2,8 @@
    {
        "syntax": "syntaxSubject",
        "data": [
-            "dataHostCN"
+            "dataHostCN",
+            "dataSubjectBase"
        ]
    },
    {
--- a/install/share/csrgen/profiles/userCert.json
+++ b/install/share/csrgen/profiles/userCert.json
@@ -2,7 +2,8 @@
    {
        "syntax": "syntaxSubject",
        "data": [
-            "dataUsernameCN"
+            "dataUsernameCN",
+            "dataSubjectBase"
        ]
    },
    {
--- a/install/share/csrgen/rules/dataDNS.json
+++ b/install/share/csrgen/rules/dataDNS.json
@@ -2,11 +2,14 @@
  "rules": [
    {
      "helper": "openssl",
-      "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+      "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
    },
    {
      "helper": "certutil",
-      "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}"
+      "template": "dns:{{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}"
    }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+  }
 }
--- a/install/share/csrgen/rules/dataEmail.json
+++ b/install/share/csrgen/rules/dataEmail.json
@@ -2,11 +2,14 @@
  "rules": [
    {
      "helper": "openssl",
-      "template": "email = {{ipa.datafield(subject.mail.0)}}"
+      "template": "email = {{subject.mail.0}}"
    },
    {
      "helper": "certutil",
-      "template": "email:{{ipa.datafield(subject.mail.0)|quote}}"
+      "template": "email:{{subject.mail.0|quote}}"
    }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.mail.0"
+  }
 }
--- a/install/share/csrgen/rules/dataHostCN.json
+++ b/install/share/csrgen/rules/dataHostCN.json
@@ -2,11 +2,14 @@
  "rules": [
    {
      "helper": "openssl",
-      "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+      "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
    },
    {
      "helper": "certutil",
-      "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+      "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}"
    }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+  }
 }
--- a/install/share/csrgen/rules/dataSubjectBase.json
+++ b/install/share/csrgen/rules/dataSubjectBase.json
@@ -0,0 +1,15 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "{{config.ipacertificatesubjectbase.0}}"
+    },
+    {
+      "helper": "certutil",
+      "template": "{{config.ipacertificatesubjectbase.0|quote}}"
+    }
+  ],
+  "options": {
+    "data_source": "config.ipacertificatesubjectbase.0"
+  }
+}
--- a/install/share/csrgen/rules/dataUsernameCN.json
+++ b/install/share/csrgen/rules/dataUsernameCN.json
@@ -2,11 +2,14 @@
  "rules": [
    {
      "helper": "openssl",
-      "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}"
+      "template": "CN={{subject.uid.0}}"
    },
    {
      "helper": "certutil",
-      "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+      "template": "CN={{subject.uid.0|quote}}"
    }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.uid.0"
+  }
 }
--- a/install/share/csrgen/rules/syntaxSubject.json
+++ b/install/share/csrgen/rules/syntaxSubject.json
@@ -2,14 +2,15 @@
  "rules": [
    {
      "helper": "openssl",
-      "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}"
+      "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"
    },
    {
      "helper": "certutil",
-      "template": "-s {{ datarules|first }}"
+      "template": "-s {{ datarules|join(',') }}"
    }
  ],
  "options": {
-    "required": true
+    "required": true,
+    "data_source_combinator": "and"
  }
 }
--- a/install/share/csrgen/templates/certutil_base.tmpl
+++ b/install/share/csrgen/templates/certutil_base.tmpl
@@ -1,6 +1,3 @@
-{% raw -%}
-{% import "ipa_macros.tmpl" as ipa -%}
-{%- endraw %}
 #!/bin/bash -e

 if [[ $# -lt 1 ]]; then
--- a/install/share/csrgen/templates/openssl_base.tmpl
+++ b/install/share/csrgen/templates/openssl_base.tmpl
@@ -1,6 +1,5 @@
 {% raw -%}
 {% import "openssl_macros.tmpl" as openssl -%}
-{% import "ipa_macros.tmpl" as ipa -%}
 {%- endraw %}
 #!/bin/bash -e