From 136c6c3e2a4f77a27f435efd4a1cd95c9e089314 Mon Sep 17 00:00:00 2001
From: Ben Lipton
Date: Apr 03 2017 07:46:30 +0000
Subject: csrgen: Change to pure openssl config format (no script)

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta
---
diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8ca0722..eca99a1 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -66,7 +66,7 @@ class Formatter(object):
 Class for processing a set of CSR generation rules into a template.
 
 The template can be rendered with user and database data to produce a
- script, which generates a CSR when run.
+ config, which specifies how to build a CSR.
 
 Subclasses of Formatter should set the value of base_template_name to the
 filename of a base template with spaces for the processed rules.
@@ -214,7 +214,7 @@ class Formatter(object):
 
 
 class OpenSSLFormatter(Formatter):
- """Formatter class supporting the openssl command-line tool."""
+ """Formatter class generating the openssl config-file format."""
 
 base_template_name = 'openssl_base.tmpl'
 
@@ -359,17 +359,17 @@ class CSRGenerator(object):
 self.rule_provider = rule_provider
 self.formatter = formatter_class()
 
- def csr_script(self, principal, config, profile_id):
+ def csr_config(self, principal, config, profile_id):
 render_data = {'subject': principal, 'config': config}
 
 rules = self.rule_provider.rules_for_profile(profile_id)
 template = self.formatter.build_template(rules)
 
 try:
- script = template.render(render_data)
+ config = template.render(render_data)
 except jinja2.UndefinedError:
 logger.debug(traceback.format_exc())
 raise errors.CSRTemplateError(reason=_(
 'Template error when formatting certificate data'))
 
- return script
+ return config
diff --git a/ipaclient/csrgen/templates/openssl_base.tmpl b/ipaclient/csrgen/templates/openssl_base.tmpl
index 22b1686..8d37994 100644
--- a/ipaclient/csrgen/templates/openssl_base.tmpl
+++ b/ipaclient/csrgen/templates/openssl_base.tmpl
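Review bot: In csr_config the new local `config = template.render(render_data)` rebinds the method's own `config` parameter, so within a few lines the same name means the input data dict passed by the caller and then the rendered openssl config text; a distinct name, `rendered = template.render(render_data)` and `return rendered`, keeps the two apart without changing behaviour. The renamed method still has no docstring; one stating that it returns the rendered openssl config for `profile_id`, that `config` is the per-principal data merged into the template together with `principal`, and that `errors.CSRTemplateError` is raised when the template references an undefined value would document the new contract. csr_config is fully inside the hunk, but the CSRGenerator class continues outside it.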
@@ -1,21 +1,6 @@
 {% raw -%}
 {% import "openssl_macros.tmpl" as openssl -%}
-{%- endraw %}
-#!/bin/bash -e
-
-if [[ $# -lt 2 ]]; then
-echo "Usage: $0 "
-echo "Called as: $0 $@"
-exit 1
-fi
-
-CONFIG="$(mktemp)"
-CSR="$1"
-KEYFILE="$2"
-shift; shift
-
-echo \
-{% raw %}{% filter quote %}{% endraw -%}
+{% endraw -%}
 [ req ]
 prompt = no
 encrypt_key = no
@@ -29,7 +14,4 @@ encrypt_key = no
 req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
 {% endif %}
 {{ openssl.openssl_sections|join('\n\n') }}
-{% endfilter %}{%- endraw %} > "$CONFIG"
-
-openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
-rm "$CONFIG"
+{%- endraw %}
diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index c10ef2d..15ed791 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -105,8 +105,7 @@ class cert_get_requestdata(Local):
 
 generator = CSRGenerator(FileRuleProvider())
 
- script = generator.csr_script(
- principal_obj, config, profile_id)
+ script = generator.csr_config(principal_obj, config, profile_id)
 
 result = {}
 if 'out' in options:
diff --git a/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf b/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
index 811bfd7..3724bdc 100644
--- a/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
+++ b/ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
@@ -1,18 +1,4 @@
-#!/bin/bash -e
-
-if [[ $# -lt 2 ]]; then
-echo "Usage: $0 "
-echo "Called as: $0 $@"
-exit 1
-fi
-
-CONFIG="$(mktemp)"
-CSR="$1"
-KEYFILE="$2"
-shift; shift
-
-echo \
-'[ req ]
+[ req ]
 prompt = no
 encrypt_key = no
@@ -28,7 +14,3 @@ DNS = machine.example.com
 
 [ sec2 ]
 subjectAltName = @sec1
-' > "$CONFIG"
-
-openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
-rm "$CONFIG"
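Review bot: Dropping `{% filter quote %}` here (and its `{% endfilter %}` in the second hunk) removes the only escaping layer visible in this template, and the rendered text is now consumed as an openssl config rather than as a shell-quoted string. The Formatter docstring says the template is rendered with user and database data, and that data reaches the output through `{{ rendered_extensions }}` and `openssl.openssl_sections`, so whether a value containing a line break or a leading `[` could end up as an extra directive or section now rests entirely on the escaping done in openssl_macros.tmpl, which is not in this diff. That is worth confirming, and a test fixture with such a value in the subject or SAN data would pin it down in ipatests/test_ipaclient/test_csrgen.py alongside the existing config comparisons.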
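Review bot: The local `script` on the added line now holds the openssl config returned by csr_config, so the name no longer describes the value, and since `config` is already the input argument on the same line a third name is needed: `req_config = generator.csr_config(principal_obj, config, profile_id)`. The hunk stops at `if 'out' in options:`, so how that value is written out and under which result key is not visible; if the file written for the `out` option was previously given an executable mode or the result key still says script, those would belong in the same change. The enclosing method of cert_get_requestdata starts and ends outside the hunk.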
diff --git a/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf b/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
index 2edf067..00d63de 100644
--- a/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
+++ b/ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
@@ -1,18 +1,4 @@
-#!/bin/bash -e
-
-if [[ $# -lt 2 ]]; then
-echo "Usage: $0 "
-echo "Called as: $0 $@"
-exit 1
-fi
-
-CONFIG="$(mktemp)"
-CSR="$1"
-KEYFILE="$2"
-shift; shift
-
-echo \
-'[ req ]
+[ req ]
 prompt = no
 encrypt_key = no
@@ -28,7 +14,3 @@ email = testuser@example.com
 
 [ sec2 ]
 subjectAltName = @sec1
-' > "$CONFIG"
-
-openssl req -new -config "$CONFIG" -out "$CSR" -key "$KEYFILE" "$@"
-rm "$CONFIG"
diff --git a/ipatests/test_ipaclient/test_csrgen.py b/ipatests/test_ipaclient/test_csrgen.py
index ae127c9..d0798f8 100644
--- a/ipatests/test_ipaclient/test_csrgen.py
+++ b/ipatests/test_ipaclient/test_csrgen.py
@@ -176,7 +176,7 @@ class test_CSRGenerator(object):
 ],
 }
 
- script = generator.csr_script(principal, config, 'userCert')
+ script = generator.csr_config(principal, config, 'userCert')
 with open(os.path.join(
 CSR_DATA_DIR, 'configs', 'userCert.conf')) as f:
 expected_script = f.read()
@@ -194,7 +194,7 @@ class test_CSRGenerator(object):
 ],
 }
 
- script = generator.csr_script(
+ script = generator.csr_config(
 principal, config, 'caIPAserviceCert')
 with open(os.path.join(
 CSR_DATA_DIR, 'configs', 'caIPAserviceCert.conf')) as f:
@@ -211,7 +211,7 @@ class test_rule_handling(object):
 generator = csrgen.CSRGenerator(
 rule_provider, formatter_class=IdentityFormatter)
 
- script = generator.csr_script(
+ script = generator.csr_config(
 principal, {}, 'example')
 assert script == '\n'
 
@@ -225,7 +225,7 @@ class test_rule_handling(object):
 generator = csrgen.CSRGenerator(
 rule_provider, formatter_class=IdentityFormatter)
 
- script = generator.csr_script(principal, {}, 'example')
+ script = generator.csr_config(principal, {}, 'example')
 assert script == ',testuser\n'
 
 def test_requiredAttributeMissing(self):
@@ -238,5 +238,5 @@ class test_rule_handling(object):
 rule_provider, formatter_class=IdentityFormatter)
 
 with pytest.raises(errors.CSRTemplateError):
- _script = generator.csr_script(
+ _script = generator.csr_config(
 principal, {}, 'example')