On 07/27/2016 02:42 PM, Ben Lipton wrote:
On 07/21/2016 11:43 AM, Petr Spacek wrote:
Besides this nit,
http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation
sounds reasonable. I like how it prevents bad data from template-injection.

That's what I like about it, too. It does turn out to make things a little tricky when it comes to writing rules that won't render if the data they depend on is unavailable. (Because instead of rendering individual rules which we can drop if they're missing data, we build one big template that has to handle missing data correctly on its own.) I think it's probably still worth it, though. I added this to the "Alternatives considered" section of the above document.

By the way, I just wrote a follow-up blog post on this subject, describing the challenges I've had with suppressing rules when the data isn't available, and wondering if it's worth it. The post is here: http://blog.benjaminlipton.com/2016/09/01/rule-suppression.html. It might be a bit of a dense read, but I wanted to have the considerations documented at least. As always, please let me know if there's anything I can clarify. And if you do happen to read it and it makes you prefer one solution over the others, I'd love to hear your opinion.

Ben

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
