mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-26 16:16:31 -06:00
2cf7c7b4ac
Bundle remote plugin interface definitions for servers which lack API schema support. These server API versions are included: * 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+, * 2.114: IPA 4.1.4 on Fedora 22, * 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23, * 2.164: IPA 4.3.1 on Fedora 23. For servers with other API versions, the closest lower API version is used. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
383 lines
9.7 KiB
Python
383 lines
9.7 KiB
Python
#
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
# pylint: disable=unused-import
|
|
import six
|
|
|
|
from . import Command, Method, Object
|
|
from ipalib import api, parameters, output
|
|
from ipalib.parameters import DefaultFrom
|
|
from ipalib.plugable import Registry
|
|
from ipalib.text import _
|
|
from ipapython.dn import DN
|
|
from ipapython.dnsutil import DNSName
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
__doc__ = _("""
|
|
IPA certificate operations
|
|
|
|
Implements a set of commands for managing server SSL certificates.
|
|
|
|
Certificate requests exist in the form of a Certificate Signing Request (CSR)
|
|
in PEM format.
|
|
|
|
The dogtag CA uses just the CN value of the CSR and forces the rest of the
|
|
subject to values configured in the server.
|
|
|
|
A certificate is stored with a service principal and a service principal
|
|
needs a host.
|
|
|
|
In order to request a certificate:
|
|
|
|
* The host must exist
|
|
* The service must exist (or you use the --add option to automatically add it)
|
|
|
|
SEARCHING:
|
|
|
|
Certificates may be searched on by certificate subject, serial number,
|
|
revocation reason, validity dates and the issued date.
|
|
|
|
When searching on dates the _from date does a >= search and the _to date
|
|
does a <= search. When combined these are done as an AND.
|
|
|
|
Dates are treated as GMT to match the dates in the certificates.
|
|
|
|
The date format is YYYY-mm-dd.
|
|
|
|
EXAMPLES:
|
|
|
|
Request a new certificate and add the principal:
|
|
ipa cert-request --add --principal=HTTP/lion.example.com example.csr
|
|
|
|
Retrieve an existing certificate:
|
|
ipa cert-show 1032
|
|
|
|
Revoke a certificate (see RFC 5280 for reason details):
|
|
ipa cert-revoke --revocation-reason=6 1032
|
|
|
|
Remove a certificate from revocation hold status:
|
|
ipa cert-remove-hold 1032
|
|
|
|
Check the status of a signing request:
|
|
ipa cert-status 10
|
|
|
|
Search for certificates by hostname:
|
|
ipa cert-find --subject=ipaserver.example.com
|
|
|
|
Search for revoked certificates by reason:
|
|
ipa cert-find --revocation-reason=5
|
|
|
|
Search for certificates based on issuance date
|
|
ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07
|
|
|
|
IPA currently immediately issues (or declines) all certificate requests so
|
|
the status of a request is not normally useful. This is for future use
|
|
or the case where a CA does not immediately issue a certificate.
|
|
|
|
The following revocation reasons are supported:
|
|
|
|
* 0 - unspecified
|
|
* 1 - keyCompromise
|
|
* 2 - cACompromise
|
|
* 3 - affiliationChanged
|
|
* 4 - superseded
|
|
* 5 - cessationOfOperation
|
|
* 6 - certificateHold
|
|
* 8 - removeFromCRL
|
|
* 9 - privilegeWithdrawn
|
|
* 10 - aACompromise
|
|
|
|
Note that reason code 7 is not used. See RFC 5280 for more details:
|
|
|
|
http://www.ietf.org/rfc/rfc5280.txt
|
|
""")
|
|
|
|
register = Registry()
|
|
|
|
|
|
@register()
|
|
class ca_is_enabled(Command):
|
|
__doc__ = _("Checks if any of the servers has the CA service enabled.")
|
|
|
|
NO_CLI = True
|
|
|
|
takes_options = (
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'summary',
|
|
(unicode, type(None)),
|
|
doc=_(u'User-friendly description of action performed'),
|
|
),
|
|
output.Output(
|
|
'result',
|
|
bool,
|
|
doc=_(u'True means the operation was successful'),
|
|
),
|
|
output.PrimaryKey(
|
|
'value',
|
|
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class cert_find(Command):
|
|
__doc__ = _("Search for existing certificates.")
|
|
|
|
takes_options = (
|
|
parameters.Str(
|
|
'subject',
|
|
required=False,
|
|
label=_(u'Subject'),
|
|
),
|
|
parameters.Int(
|
|
'revocation_reason',
|
|
required=False,
|
|
label=_(u'Reason'),
|
|
doc=_(u'Reason for revoking the certificate (0-10)'),
|
|
),
|
|
parameters.Int(
|
|
'min_serial_number',
|
|
required=False,
|
|
doc=_(u'minimum serial number'),
|
|
),
|
|
parameters.Int(
|
|
'max_serial_number',
|
|
required=False,
|
|
doc=_(u'maximum serial number'),
|
|
),
|
|
parameters.Flag(
|
|
'exactly',
|
|
required=False,
|
|
doc=_(u'match the common name exactly'),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
parameters.Str(
|
|
'validnotafter_from',
|
|
required=False,
|
|
doc=_(u'Valid not after from this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'validnotafter_to',
|
|
required=False,
|
|
doc=_(u'Valid not after to this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'validnotbefore_from',
|
|
required=False,
|
|
doc=_(u'Valid not before from this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'validnotbefore_to',
|
|
required=False,
|
|
doc=_(u'Valid not before to this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'issuedon_from',
|
|
required=False,
|
|
doc=_(u'Issued on from this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'issuedon_to',
|
|
required=False,
|
|
doc=_(u'Issued on to this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'revokedon_from',
|
|
required=False,
|
|
doc=_(u'Revoked on from this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Str(
|
|
'revokedon_to',
|
|
required=False,
|
|
doc=_(u'Revoked on to this date (YYYY-mm-dd)'),
|
|
),
|
|
parameters.Int(
|
|
'sizelimit',
|
|
required=False,
|
|
label=_(u'Size Limit'),
|
|
doc=_(u'Maximum number of certs returned'),
|
|
default=100,
|
|
),
|
|
parameters.Flag(
|
|
'all',
|
|
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
|
|
exclude=('webui',),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
parameters.Flag(
|
|
'raw',
|
|
doc=_(u'Print entries as stored on the server. Only affects output format.'),
|
|
exclude=('webui',),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'summary',
|
|
(unicode, type(None)),
|
|
doc=_(u'User-friendly description of action performed'),
|
|
),
|
|
output.ListOfEntries(
|
|
'result',
|
|
),
|
|
output.Output(
|
|
'count',
|
|
int,
|
|
doc=_(u'Number of entries returned'),
|
|
),
|
|
output.Output(
|
|
'truncated',
|
|
bool,
|
|
doc=_(u'True if not all results were returned'),
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class cert_remove_hold(Command):
|
|
__doc__ = _("Take a revoked certificate off hold.")
|
|
|
|
takes_args = (
|
|
parameters.Str(
|
|
'serial_number',
|
|
label=_(u'Serial number'),
|
|
doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
|
|
no_convert=True,
|
|
),
|
|
)
|
|
takes_options = (
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'result',
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class cert_request(Command):
|
|
__doc__ = _("Submit a certificate signing request.")
|
|
|
|
takes_args = (
|
|
parameters.Str(
|
|
'csr',
|
|
cli_name='csr_file',
|
|
label=_(u'CSR'),
|
|
no_convert=True,
|
|
),
|
|
)
|
|
takes_options = (
|
|
parameters.Str(
|
|
'principal',
|
|
label=_(u'Principal'),
|
|
doc=_(u'Principal for this certificate (e.g. HTTP/test.example.com)'),
|
|
),
|
|
parameters.Str(
|
|
'request_type',
|
|
default=u'pkcs10',
|
|
autofill=True,
|
|
),
|
|
parameters.Flag(
|
|
'add',
|
|
doc=_(u"automatically add the principal if it doesn't exist"),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
parameters.Str(
|
|
'profile_id',
|
|
required=False,
|
|
label=_(u'Profile ID'),
|
|
doc=_(u'Certificate Profile to use'),
|
|
),
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'result',
|
|
dict,
|
|
doc=_(u'Dictionary mapping variable name to value'),
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class cert_revoke(Command):
|
|
__doc__ = _("Revoke a certificate.")
|
|
|
|
takes_args = (
|
|
parameters.Str(
|
|
'serial_number',
|
|
label=_(u'Serial number'),
|
|
doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
|
|
no_convert=True,
|
|
),
|
|
)
|
|
takes_options = (
|
|
parameters.Int(
|
|
'revocation_reason',
|
|
label=_(u'Reason'),
|
|
doc=_(u'Reason for revoking the certificate (0-10)'),
|
|
default=0,
|
|
autofill=True,
|
|
),
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'result',
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class cert_show(Command):
|
|
__doc__ = _("Retrieve an existing certificate.")
|
|
|
|
takes_args = (
|
|
parameters.Str(
|
|
'serial_number',
|
|
label=_(u'Serial number'),
|
|
doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
|
|
no_convert=True,
|
|
),
|
|
)
|
|
takes_options = (
|
|
parameters.Str(
|
|
'out',
|
|
required=False,
|
|
label=_(u'Output filename'),
|
|
doc=_(u'File to store the certificate in.'),
|
|
exclude=('webui',),
|
|
),
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'result',
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class cert_status(Command):
|
|
__doc__ = _("Check the status of a certificate signing request.")
|
|
|
|
takes_args = (
|
|
parameters.Str(
|
|
'request_id',
|
|
label=_(u'Request id'),
|
|
),
|
|
)
|
|
takes_options = (
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'result',
|
|
),
|
|
)
|