cert: add output file option to cert-request

The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>

ipaclient/plugins/cert.py

@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import base64
 import subprocess
 from tempfile import NamedTemporaryFile as NTF
 
@@ -38,9 +39,36 @@ if six.PY3:
 register = Registry()
 
 
-@register(override=True, no_fail=True)
+class CertRetrieveOverride(MethodOverride):
-class cert_request(MethodOverride):
     takes_options = (
+        Str(
+            'certificate_out?',
+            doc=_('Write certificate (chain if --chain used) to file'),
+            include='cli',
+            cli_metavar='FILE',
+        ),
+    )
+
+    def forward(self, *args, **options):
+        certificate_out = options.pop('certificate_out', None)
+        if certificate_out is not None:
+            util.check_writable_file(certificate_out)
+
+        result = super(CertRetrieveOverride, self).forward(*args, **options)
+
+        if certificate_out is not None:
+            certs = [result['result']['certificate']]
+            certs = (x509.normalize_certificate(cert) for cert in certs)
+            certs = (x509.make_pem(base64.b64encode(cert)) for cert in certs)
+            with open(certificate_out, 'w') as f:
+                f.write('\n'.join(certs))
+
+        return result
+
+
+@register(override=True, no_fail=True)
+class cert_request(CertRetrieveOverride):
+    takes_options = CertRetrieveOverride.takes_options + (
         Str(
             'database?',
             label=_('Path to NSS database'),
@@ -135,18 +163,28 @@ class cert_request(MethodOverride):
 
 
 @register(override=True, no_fail=True)
-class cert_show(MethodOverride):
+class cert_show(CertRetrieveOverride):
-    def forward(self, *keys, **options):
+    def get_options(self):
-        if 'out' in options:
+        for option in super(cert_show, self).get_options():
-            util.check_writable_file(options['out'])
+            if option.name == 'out':
-            result = super(cert_show, self).forward(*keys, **options)
+                # skip server-defined --out
-            if 'certificate' in result['result']:
+                continue
-                x509.write_certificate(result['result']['certificate'], options['out'])
+            if option.name == 'certificate_out':
-                return result
+                # add --out as a deprecated alias of --certificate-out
-            else:
+                option = option.clone_rename(
-                raise errors.NoCertificateError(entry=keys[-1])
+                    'out',
-        else:
+                    cli_name='certificate_out',
-            return super(cert_show, self).forward(*keys, **options)
+                    deprecated_cli_aliases={'out'},
+                )
+            yield option
+
+    def forward(self, *args, **options):
+        try:
+            options['certificate_out'] = options.pop('out')
+        except KeyError:
+            pass
+
+        return super(cert_show, self).forward(*args, **options)
 
 
 @register(override=True, no_fail=True)