[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001
From: Ben Lipton
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 01/10] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 freeipa.spec.in | 8 +
 install/configure.ac | 1 +
 install/share/Makefile.am | 1 +
 install/share/csr/Makefile.am | 27 +++
 install/share/csr/templates/certutil_base.tmpl | 14 ++
 install/share/csr/templates/ipa_macros.tmpl | 42
 install/share/csr/templates/openssl_base.tmpl | 35 +++
 install/share/csr/templates/openssl_macros.tmpl | 29 +++
 ipaclient/plugins/certmapping.py | 105 +
 ipalib/certmapping.py | 285
 ipalib/errors.py | 9 +
 ipapython/templating.py | 31 +++
 12 files changed, 587 insertions(+)
 create mode 100644 install/share/csr/Makefile.am
 create mode 100644 install/share/csr/templates/certutil_base.tmpl
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csr/templates/openssl_base.tmpl
 create mode 100644 install/share/csr/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/plugins/certmapping.py
 create mode 100644 ipalib/certmapping.py
 create mode 100644 ipapython/templating.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e3ad5b6..ab8e8e6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -507,6 +507,7 @@ Requires: python-custodia Requires: python-dns >= 1.11.1 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1178,6 +1179,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csr +%dir %{_usr}/share/ipa/csr/templates +%{_usr}/share/ipa/csr/templates/*.tmpl +%dir %{_usr}/share/ipa/csr/profiles +%{_usr}/share/ipa/csr/profiles/*.json +%dir %{_usr}/share/ipa/csr/rules +%{_usr}/share/ipa/csr/rules/*.json %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 81f17b9..365f0e9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -87,6 +87,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile +share/csr/Makefile share/profiles/Makefile share/schema.d/Makefile ui/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index d8845ee..0a15635 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise\ + csr\ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am new file mode 100644 index 000..5a8ef5c --- /dev/null +++ b/install/share/csr/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csr/profiles +profile_DATA =\ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csr/rules +rule_DATA =\ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csr/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST =\ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~\ + Makefile.in 
diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl new file mode 100644 index 000..6c6425f --- /dev/null +++ b/install/share/csr/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 [ ]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 000..e790d4e --- /dev/null +++
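Review bot: In freeipa.spec.in the new %files entries "%{_usr}/share/ipa/csr/profiles/*.json" and "%{_usr}/share/ipa/csr/rules/*.json" have nothing to match in this patch: install/share/csr/Makefile.am leaves profile_DATA and rule_DATA empty (only $(NULL)), and the diffstat adds no JSON files. rpmbuild fails on a %files glob that matches no file, so this commit would not package on its own. Either ship at least one profile and one rule file here, or move those spec lines to the patch in the series that adds the JSON files, so that every commit stays buildable.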
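Review bot: In certutil_base.tmpl the final line renders "{{ options|join(' ') }}" directly into the certutil command of a bash script, and nothing in this template quotes the individual elements. Each entry in options therefore has to arrive already shell-escaped, otherwise a value containing whitespace or shell metacharacters is split or interpreted by bash when the generated script runs. Suggest stating that contract in a comment beside the template, or applying a shell-quoting filter registered in the Jinja2 environment to each element before the join, and adding a test with an option value that contains a space and a quote character.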
[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001
From: Ben Lipton
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 1/8] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 freeipa.spec.in | 8 +
 install/configure.ac | 1 +
 install/share/Makefile.am | 1 +
 install/share/csr/Makefile.am | 27 +++
 install/share/csr/templates/certutil_base.tmpl | 14 ++
 install/share/csr/templates/ipa_macros.tmpl | 42
 install/share/csr/templates/openssl_base.tmpl | 35 +++
 install/share/csr/templates/openssl_macros.tmpl | 29 +++
 ipaclient/plugins/certmapping.py | 105 +
 ipalib/certmapping.py | 285
 ipalib/errors.py | 9 +
 ipapython/templating.py | 31 +++
 12 files changed, 587 insertions(+)
 create mode 100644 install/share/csr/Makefile.am
 create mode 100644 install/share/csr/templates/certutil_base.tmpl
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csr/templates/openssl_base.tmpl
 create mode 100644 install/share/csr/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/plugins/certmapping.py
 create mode 100644 ipalib/certmapping.py
 create mode 100644 ipapython/templating.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e3ad5b6..ab8e8e6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -507,6 +507,7 @@ Requires: python-custodia Requires: python-dns >= 1.11.1 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1178,6 +1179,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csr +%dir %{_usr}/share/ipa/csr/templates +%{_usr}/share/ipa/csr/templates/*.tmpl +%dir %{_usr}/share/ipa/csr/profiles +%{_usr}/share/ipa/csr/profiles/*.json +%dir %{_usr}/share/ipa/csr/rules +%{_usr}/share/ipa/csr/rules/*.json %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 81f17b9..365f0e9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -87,6 +87,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile +share/csr/Makefile share/profiles/Makefile share/schema.d/Makefile ui/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index d8845ee..0a15635 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise\ + csr\ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am new file mode 100644 index 000..5a8ef5c --- /dev/null +++ b/install/share/csr/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csr/profiles +profile_DATA =\ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csr/rules +rule_DATA =\ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csr/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST =\ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~\ + Makefile.in 
diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl new file mode 100644 index 000..6c6425f --- /dev/null +++ b/install/share/csr/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 [ ]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 000..e790d4e --- /dev/null +++
[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001
From: Ben Lipton
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 1/6] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 freeipa.spec.in | 8 +
 install/configure.ac | 1 +
 install/share/Makefile.am | 1 +
 install/share/csr/Makefile.am | 27 +++
 install/share/csr/templates/certutil_base.tmpl | 14 ++
 install/share/csr/templates/ipa_macros.tmpl | 42
 install/share/csr/templates/openssl_base.tmpl | 35 +++
 install/share/csr/templates/openssl_macros.tmpl | 29 +++
 ipaclient/plugins/certmapping.py | 105 +
 ipalib/certmapping.py | 285
 ipalib/errors.py | 9 +
 ipapython/templating.py | 31 +++
 12 files changed, 587 insertions(+)
 create mode 100644 install/share/csr/Makefile.am
 create mode 100644 install/share/csr/templates/certutil_base.tmpl
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csr/templates/openssl_base.tmpl
 create mode 100644 install/share/csr/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/plugins/certmapping.py
 create mode 100644 ipalib/certmapping.py
 create mode 100644 ipapython/templating.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e3ad5b6..ab8e8e6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -507,6 +507,7 @@ Requires: python-custodia Requires: python-dns >= 1.11.1 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1178,6 +1179,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csr +%dir %{_usr}/share/ipa/csr/templates +%{_usr}/share/ipa/csr/templates/*.tmpl +%dir %{_usr}/share/ipa/csr/profiles +%{_usr}/share/ipa/csr/profiles/*.json +%dir %{_usr}/share/ipa/csr/rules +%{_usr}/share/ipa/csr/rules/*.json %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 81f17b9..365f0e9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -87,6 +87,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile +share/csr/Makefile share/profiles/Makefile share/schema.d/Makefile ui/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index d8845ee..0a15635 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise\ + csr\ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am new file mode 100644 index 000..5a8ef5c --- /dev/null +++ b/install/share/csr/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csr/profiles +profile_DATA =\ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csr/rules +rule_DATA =\ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csr/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST =\ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~\ + Makefile.in 
diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl new file mode 100644 index 000..6c6425f --- /dev/null +++ b/install/share/csr/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 [ ]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 000..e790d4e --- /dev/null +++
[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)
LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

freeipa-pr-10.patch
Description: application/text/diff

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code