mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
39a5d9c5aa
Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR. Example usage (NSS database): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs Example usage (PEM private key file): $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
119 lines
3.2 KiB
Python
119 lines
3.2 KiB
Python
#
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
import six
|
|
|
|
from ipaclient.csrgen import CSRGenerator, FileRuleProvider
|
|
from ipalib import api
|
|
from ipalib import errors
|
|
from ipalib import output
|
|
from ipalib import util
|
|
from ipalib.frontend import Local, Str
|
|
from ipalib.parameters import Principal
|
|
from ipalib.plugable import Registry
|
|
from ipalib.text import _
|
|
from ipapython import dogtag
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
register = Registry()
|
|
|
|
__doc__ = _("""
|
|
Commands to build certificate requests automatically
|
|
""")
|
|
|
|
|
|
@register()
|
|
class cert_get_requestdata(Local):
|
|
__doc__ = _('Gather data for a certificate signing request.')
|
|
|
|
takes_options = (
|
|
Principal(
|
|
'principal',
|
|
label=_('Principal'),
|
|
doc=_('Principal for this certificate (e.g.'
|
|
' HTTP/test.example.com)'),
|
|
),
|
|
Str(
|
|
'profile_id?',
|
|
label=_('Profile ID'),
|
|
doc=_('CSR Generation Profile to use'),
|
|
),
|
|
Str(
|
|
'helper',
|
|
label=_('Name of CSR generation tool'),
|
|
doc=_('Name of tool (e.g. openssl, certutil) that will be used to'
|
|
' create CSR'),
|
|
),
|
|
Str(
|
|
'out?',
|
|
doc=_('Write CSR generation script to file'),
|
|
),
|
|
)
|
|
|
|
has_output = (
|
|
output.Output(
|
|
'result',
|
|
type=dict,
|
|
doc=_('Dictionary mapping variable name to value'),
|
|
),
|
|
)
|
|
|
|
has_output_params = (
|
|
Str(
|
|
'script',
|
|
label=_('Generation script'),
|
|
)
|
|
)
|
|
|
|
def execute(self, *args, **options):
|
|
if 'out' in options:
|
|
util.check_writable_file(options['out'])
|
|
|
|
principal = options.get('principal')
|
|
profile_id = options.get('profile_id')
|
|
if profile_id is None:
|
|
profile_id = dogtag.DEFAULT_PROFILE
|
|
helper = options.get('helper')
|
|
|
|
if self.api.env.in_server:
|
|
backend = self.api.Backend.ldap2
|
|
else:
|
|
backend = self.api.Backend.rpcclient
|
|
if not backend.isconnected():
|
|
backend.connect()
|
|
|
|
try:
|
|
if principal.is_host:
|
|
principal_obj = api.Command.host_show(
|
|
principal.hostname, all=True)
|
|
elif principal.is_service:
|
|
principal_obj = api.Command.service_show(
|
|
unicode(principal), all=True)
|
|
elif principal.is_user:
|
|
principal_obj = api.Command.user_show(
|
|
principal.username, all=True)
|
|
except errors.NotFound:
|
|
raise errors.NotFound(
|
|
reason=_("The principal for this request doesn't exist."))
|
|
principal_obj = principal_obj['result']
|
|
config = api.Command.config_show()['result']
|
|
|
|
generator = CSRGenerator(FileRuleProvider())
|
|
|
|
script = generator.csr_script(
|
|
principal_obj, config, profile_id, helper)
|
|
|
|
result = {}
|
|
if 'out' in options:
|
|
with open(options['out'], 'wb') as f:
|
|
f.write(script)
|
|
else:
|
|
result = dict(script=script)
|
|
|
|
return dict(
|
|
result=result
|
|
)
|