mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
a9bb811296
The commands ca-show and cert-show provide the ability to direct the certificate output to a file. If the requested object was not present then this resulted in a zero-length file. This is because the check to determine if the file was writable, by opening it, was done prior to the operation to retrieve the entry. So move the check after the data retrieval. Also convert cert-show to be more consistent with ca-show. I considered cleaning up the empty file afterward but IMHO we shouldn't touch the file until we're ready to write. This costs an API roundtrip but its a small price to pay for potentially protecting existing data. Fixes: https://pagure.io/freeipa/issue/9562 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
67 lines
2.0 KiB
Python
67 lines
2.0 KiB
Python
#
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
#
|
|
import base64
|
|
|
|
from ipaclient.frontend import MethodOverride
|
|
from ipalib import errors, util, x509, Str
|
|
from ipalib.plugable import Registry
|
|
from ipalib.text import _
|
|
|
|
register = Registry()
|
|
|
|
|
|
class WithCertOutArgs(MethodOverride):
|
|
|
|
takes_options = (
|
|
Str(
|
|
'certificate_out?',
|
|
doc=_('Write certificate (chain if --chain used) to file'),
|
|
include='cli',
|
|
cli_metavar='FILE',
|
|
),
|
|
)
|
|
|
|
def forward(self, *keys, **options):
|
|
filename = None
|
|
if 'certificate_out' in options:
|
|
filename = options.pop('certificate_out')
|
|
|
|
result = super(WithCertOutArgs, self).forward(*keys, **options)
|
|
|
|
if filename:
|
|
try:
|
|
util.check_writable_file(filename)
|
|
except errors.FileError as e:
|
|
raise errors.ValidationError(name='certificate-out',
|
|
error=str(e))
|
|
|
|
# if result certificate / certificate_chain not present in result,
|
|
# it means Dogtag did not provide it (probably due to LWCA key
|
|
# replication lag or failure. The server transmits a warning
|
|
# message in this case, which the client automatically prints.
|
|
# So in this section we just ignore it and move on.
|
|
certs = None
|
|
if options.get('chain', False):
|
|
if 'certificate_chain' in result['result']:
|
|
certs = result['result']['certificate_chain']
|
|
else:
|
|
if 'certificate' in result['result']:
|
|
certs = [base64.b64decode(result['result']['certificate'])]
|
|
if certs:
|
|
x509.write_certificate_list(
|
|
(x509.load_der_x509_certificate(cert) for cert in certs),
|
|
filename)
|
|
|
|
return result
|
|
|
|
|
|
@register(override=True, no_fail=True)
|
|
class ca_add(WithCertOutArgs):
|
|
pass
|
|
|
|
|
|
@register(override=True, no_fail=True)
|
|
class ca_show(WithCertOutArgs):
|
|
pass
|