On 07/27/2016 02:42 PM, Ben Lipton wrote:
> On 07/21/2016 11:43 AM, Petr Spacek wrote:
>> Besides this nit,
>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation
>> sounds reasonable. I like how it prevents bad data from template-injection.
> That's what I like about it, too. It does turn out to make things a
> little tricky when it comes to writing rules that won't render if the
> data they depend on is unavailable. (Because instead of rendering
> individual rules which we can drop if they're missing data, we build
> one big template that has to handle missing data correctly on its
> own.) I think it's probably still worth it, though. I added this to
> the "Alternatives considered" section of the above document.

By the way, I just wrote a followup blog post on this subject,
describing the challenges I've had with suppressing rules when the data
isn't available, and wondering if it's worth it. The post is here:
http://blog.benjaminlipton.com/2016/09/01/rule-suppression.html. It
might be a bit of a dense read, but I wanted to have the considerations
documented at least. As always, please let me know if there's anything I
can clarify. And if you do happen to read it and it makes you prefer one
solution over the others, I'd love to hear your opinion.
Ben
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code