URL: https://github.com/freeipa/freeipa/pull/337
Author: LiptonB
 Title: #337: Client-side CSR autogeneration (take 2)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/337/head:pr337
git checkout pr337
From 4ead459036761600c43c414cb91a21c591ad906a Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 1/7] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 configure.ac                                       |   1 +
 freeipa.spec.in                                    |   9 +
 install/share/Makefile.am                          |   1 +
 install/share/csr/templates/ipa_macros.tmpl        |  42 +++
 install/share/csrgen/Makefile.am                   |  27 ++
 install/share/csrgen/templates/certutil_base.tmpl  |  14 +
 install/share/csrgen/templates/openssl_base.tmpl   |  35 +++
 install/share/csrgen/templates/openssl_macros.tmpl |  29 ++
 ipaclient/csrgen.py                                | 320 +++++++++++++++++++++
 ipaclient/plugins/csrgen.py                        | 116 ++++++++
 ipalib/errors.py                                   |  28 ++
 ipaplatform/base/paths.py                          |   1 +
 12 files changed, 623 insertions(+)
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csrgen/Makefile.am
 create mode 100644 install/share/csrgen/templates/certutil_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/csrgen.py
 create mode 100644 ipaclient/plugins/csrgen.py

diff --git a/configure.ac b/configure.ac
index e8a4701..01fc81e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -530,6 +530,7 @@ AC_CONFIG_FILES([
     install/share/Makefile
     install/share/advise/Makefile
     install/share/advise/legacy/Makefile
+    install/share/csrgen/Makefile
     install/share/profiles/Makefile
     install/share/schema.d/Makefile
     install/ui/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c4420a0..8396105 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -147,6 +147,7 @@ BuildRequires:  python-sssdconfig
 BuildRequires:  python-nose
 BuildRequires:  python-paste
 BuildRequires:  systemd-python
+BuildRequires:  python2-jinja2
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
@@ -602,6 +603,7 @@ Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
+Requires: python2-jinja2
 
 Conflicts: %{alt_name}-python < %{version}
 
@@ -1208,6 +1210,13 @@ fi
 %{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/profiles
 %{_usr}/share/ipa/profiles/*.cfg
+%dir %{_usr}/share/ipa/csrgen
+%dir %{_usr}/share/ipa/csrgen/templates
+%{_usr}/share/ipa/csrgen/templates/*.tmpl
+%dir %{_usr}/share/ipa/csrgen/profiles
+%{_usr}/share/ipa/csrgen/profiles/*.json
+%dir %{_usr}/share/ipa/csrgen/rules
+%{_usr}/share/ipa/csrgen/rules/*.json
 %dir %{_usr}/share/ipa/html
 %{_usr}/share/ipa/html/ffconfig.js
 %{_usr}/share/ipa/html/ffconfig_page.js
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 10de84d..715912d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
 
 SUBDIRS =  				\
 	advise				\
+	csrgen				\
 	profiles			\
 	schema.d			\
 	$(NULL)
diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl
new file mode 100644
index 0000000..e790d4e
--- /dev/null
+++ b/install/share/csr/templates/ipa_macros.tmpl
@@ -0,0 +1,42 @@
+{% set rendersyntax = {} %}
+
+{% set renderdata = {} %}
+
+{# Wrapper for syntax rules. We render the contents of the rule into a
+variable, so that if we find that none of the contained data rules rendered we
+can suppress the whole syntax rule. That is, a syntax rule is rendered either
+if no data rules are specified (unusual) or if at least one of the data rules
+rendered successfully. #}
+{% macro syntaxrule() -%}
+{% do rendersyntax.update(none=true, any=false) -%}
+{% set contents -%}
+{{ caller() -}}
+{% endset -%}
+{% if rendersyntax['none'] or rendersyntax['any'] -%}
+{{ contents -}}
+{% endif -%}
+{% endmacro %}
+
+{# Wrapper for data rules. A data rule is rendered only when all of the data
+fields it contains have data available. #}
+{% macro datarule() -%}
+{% do rendersyntax.update(none=false) -%}
+{% do renderdata.update(all=true) -%}
+{% set contents -%}
+{{ caller() -}}
+{% endset -%}
+{% if renderdata['all'] -%}
+{% do rendersyntax.update(any=true) -%}
+{{ contents -}}
+{% endif -%}
+{% endmacro %}
+
+{# Wrapper for fields in data rules. If any value wrapped by this macro
+produces an empty string, the entire data rule will be suppressed. #}
+{% macro datafield(value) -%}
+{% if value -%}
+{{ value -}}
+{% else -%}
+{% do renderdata.update(all=false) -%}
+{% endif -%}
+{% endmacro %}
diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
new file mode 100644
index 0000000..7b718cc
--- /dev/null
+++ b/install/share/csrgen/Makefile.am
@@ -0,0 +1,27 @@
+NULL =
+
+profiledir = $(IPA_DATA_DIR)/csrgen/profiles
+profile_DATA =				\
+	$(NULL)
+
+ruledir = $(IPA_DATA_DIR)/csrgen/rules
+rule_DATA =				\
+	$(NULL)
+
+templatedir = $(IPA_DATA_DIR)/csrgen/templates
+template_DATA =			\
+	templates/certutil_base.tmpl	\
+	templates/openssl_base.tmpl	\
+	templates/openssl_macros.tmpl	\
+	templates/ipa_macros.tmpl	\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(profile_DATA)			\
+	$(rule_DATA)			\
+	$(template_DATA)		\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in
diff --git a/install/share/csrgen/templates/certutil_base.tmpl b/install/share/csrgen/templates/certutil_base.tmpl
new file mode 100644
index 0000000..6c6425f
--- /dev/null
+++ b/install/share/csrgen/templates/certutil_base.tmpl
@@ -0,0 +1,14 @@
+{% raw -%}
+{% import "ipa_macros.tmpl" as ipa -%}
+{%- endraw %}
+#!/bin/bash -e
+
+if [[ $# -lt 1 ]]; then
+echo "Usage: $0 <outfile> [<any> <certutil> <args>]"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CSR="$1"
+shift
+certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@"
diff --git a/install/share/csrgen/templates/openssl_base.tmpl b/install/share/csrgen/templates/openssl_base.tmpl
new file mode 100644
index 0000000..597577b
--- /dev/null
+++ b/install/share/csrgen/templates/openssl_base.tmpl
@@ -0,0 +1,35 @@
+{% raw -%}
+{% import "openssl_macros.tmpl" as openssl -%}
+{% import "ipa_macros.tmpl" as ipa -%}
+{%- endraw %}
+#!/bin/bash -e
+
+if [[ $# -ne 2 ]]; then
+echo "Usage: $0 <outfile> <keyfile>"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CONFIG="$(mktemp)"
+CSR="$1"
+shift
+
+echo \
+{% raw %}{% filter quote %}{% endraw -%}
+[ req ]
+prompt = no
+encrypt_key = no
+
+{{ parameters|join('\n') }}
+{% raw %}{% set rendered_extensions -%}{% endraw %}
+{{ extensions|join('\n') }}
+{% raw -%}
+{%- endset -%}
+{% if rendered_extensions -%}
+req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
+{% endif %}
+{{ openssl.openssl_sections|join('\n\n') }}
+{% endfilter %}{%- endraw %} > "$CONFIG"
+
+openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+rm "$CONFIG"
diff --git a/install/share/csrgen/templates/openssl_macros.tmpl b/install/share/csrgen/templates/openssl_macros.tmpl
new file mode 100644
index 0000000..d31b8fe
--- /dev/null
+++ b/install/share/csrgen/templates/openssl_macros.tmpl
@@ -0,0 +1,29 @@
+{# List containing rendered sections to be included at end #}
+{% set openssl_sections = [] %}
+
+{#
+List containing one entry for each section name allocated. Because of
+scoping rules, we need to use a list so that it can be a "per-render global"
+that gets updated in place. Real globals are shared by all templates with the
+same environment, and variables defined in the macro don't persist after the
+macro invocation ends.
+#}
+{% set openssl_section_num = [] %}
+
+{% macro section() -%}
+{% set name -%}
+sec{{ openssl_section_num|length -}}
+{% endset -%}
+{% do openssl_section_num.append('') -%}
+{% set contents %}{{ caller() }}{% endset -%}
+{% if contents -%}
+{% set sectiondata = formatsection(name, contents) -%}
+{% do openssl_sections.append(sectiondata) -%}
+{% endif -%}
+{{ name -}}
+{% endmacro %}
+
+{% macro formatsection(name, contents) -%}
+[ {{ name }} ]
+{{ contents -}}
+{% endmacro %}
diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
new file mode 100644
index 0000000..8d7cfce
--- /dev/null
+++ b/ipaclient/csrgen.py
@@ -0,0 +1,320 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import collections
+import json
+import os.path
+import pipes
+import traceback
+
+import jinja2
+import jinja2.ext
+import jinja2.sandbox
+import six
+
+from ipalib import api
+from ipalib import errors
+from ipalib.text import _
+from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import log_mgr
+
+if six.PY3:
+    unicode = str
+
+__doc__ = _("""
+Routines for constructing certificate signing requests using IPA data and
+stored mapping rules.
+""")
+
+logger = log_mgr.get_logger(__name__)
+
+
+class IndexableUndefined(jinja2.Undefined):
+    def __getitem__(self, key):
+        return jinja2.Undefined(
+            hint=self._undefined_hint, obj=self._undefined_obj,
+            name=self._undefined_name, exc=self._undefined_exception)
+
+
+class IPAExtension(jinja2.ext.Extension):
+    """Jinja2 extension providing useful features for cert mapping rules."""
+
+    def __init__(self, environment):
+        super(IPAExtension, self).__init__(environment)
+
+        environment.filters.update(
+            quote=self.quote,
+            required=self.required,
+        )
+
+    def quote(self, data):
+        return pipes.quote(data)
+
+    def required(self, data, name):
+        if not data:
+            raise errors.CSRTemplateError(
+                reason=_('Required mapping rule %(name)s is missing data') %
+                {'name': name})
+        return data
+
+
+class Formatter(object):
+    """
+    Class for processing a set of mapping rules into a template.
+
+    The template can be rendered with user and database data to produce a
+    script, which generates a CSR when run.
+
+    Subclasses of Formatter should set the value of base_template_name to the
+    filename of a base template with spaces for the processed rules.
+    Additionally, they should override the _get_template_params method to
+    produce the correct output for the base template.
+    """
+    base_template_name = None
+
+    def __init__(self, csr_data_dir=paths.CSR_DATA_DIR):
+        self.jinja2 = jinja2.sandbox.SandboxedEnvironment(
+            loader=jinja2.FileSystemLoader(
+                os.path.join(csr_data_dir, 'templates')),
+            extensions=[jinja2.ext.ExprStmtExtension, IPAExtension],
+            keep_trailing_newline=True, undefined=IndexableUndefined)
+
+        self.passthrough_globals = {}
+        self._define_passthrough('ipa.syntaxrule')
+        self._define_passthrough('ipa.datarule')
+
+    def _define_passthrough(self, call):
+
+        def passthrough(caller):
+            return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller())
+
+        parts = call.split('.')
+        current_level = self.passthrough_globals
+        for part in parts[:-1]:
+            if part not in current_level:
+                current_level[part] = {}
+            current_level = current_level[part]
+        current_level[parts[-1]] = passthrough
+
+    def build_template(self, rules):
+        """
+        Construct a template that can produce CSR generator strings.
+
+        :param rules: list of MappingRuleset to use to populate the template.
+
+        :returns: jinja2.Template that can be rendered to produce the CSR data.
+        """
+        syntax_rules = []
+        for description, syntax_rule, data_rules in rules:
+            data_rules_prepared = [
+                self._prepare_data_rule(rule) for rule in data_rules]
+            syntax_rules.append(self._prepare_syntax_rule(
+                syntax_rule, data_rules_prepared, description))
+
+        template_params = self._get_template_params(syntax_rules)
+        base_template = self.jinja2.get_template(
+            self.base_template_name, globals=self.passthrough_globals)
+
+        try:
+            combined_template_source = base_template.render(**template_params)
+        except jinja2.UndefinedError:
+            logger.debug(traceback.format_exc())
+            raise errors.CSRTemplateError(reason=_(
+                'Template error when formatting certificate data'))
+
+        logger.debug(
+            'Formatting with template: %s' % combined_template_source)
+        combined_template = self.jinja2.from_string(combined_template_source)
+
+        return combined_template
+
+    def _wrap_rule(self, rule, rule_type):
+        template = '{%% call ipa.%srule() %%}%s{%% endcall %%}' % (
+            rule_type, rule)
+
+        return template
+
+    def _wrap_required(self, rule, description):
+        template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % (
+            description, rule)
+
+        return template
+
+    def _prepare_data_rule(self, data_rule):
+        return self._wrap_rule(data_rule.template, 'data')
+
+    def _prepare_syntax_rule(self, syntax_rule, data_rules, description):
+        logger.debug('Syntax rule template: %s' % syntax_rule.template)
+        template = self.jinja2.from_string(
+            syntax_rule.template, globals=self.passthrough_globals)
+        is_required = syntax_rule.options.get('required', False)
+        try:
+            rendered = template.render(datarules=data_rules)
+        except jinja2.UndefinedError:
+            logger.debug(traceback.format_exc())
+            raise errors.CSRTemplateError(reason=_(
+                'Template error when formatting certificate data'))
+
+        prepared_template = self._wrap_rule(rendered, 'syntax')
+        if is_required:
+            prepared_template = self._wrap_required(
+                prepared_template, description)
+
+        return prepared_template
+
+    def _get_template_params(self, syntax_rules):
+        """
+        Package the syntax rules into fields expected by the base template.
+
+        :param syntax_rules: list of prepared syntax rules to be included in
+            the template.
+
+        :returns: dict of values needed to render the base template.
+        """
+        raise NotImplementedError('Formatter class must be subclassed')
+
+
+class OpenSSLFormatter(Formatter):
+    """Formatter class supporting the openssl command-line tool."""
+
+    base_template_name = 'openssl_base.tmpl'
+
+    # Syntax rules are wrapped in this data structure, to keep track of whether
+    # each goes in the extension or the root section
+    SyntaxRule = collections.namedtuple(
+        'SyntaxRule', ['template', 'is_extension'])
+
+    def __init__(self):
+        super(OpenSSLFormatter, self).__init__()
+        self._define_passthrough('openssl.section')
+
+    def _get_template_params(self, syntax_rules):
+        parameters = [rule.template for rule in syntax_rules
+                      if not rule.is_extension]
+        extensions = [rule.template for rule in syntax_rules
+                      if rule.is_extension]
+
+        return {'parameters': parameters, 'extensions': extensions}
+
+    def _prepare_syntax_rule(self, syntax_rule, data_rules, description):
+        """Overrides method to pull out whether rule is an extension or not."""
+        prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule(
+            syntax_rule, data_rules, description)
+        is_extension = syntax_rule.options.get('extension', False)
+        return self.SyntaxRule(prepared_template, is_extension)
+
+
+class CertutilFormatter(Formatter):
+    base_template_name = 'certutil_base.tmpl'
+
+    def _get_template_params(self, syntax_rules):
+        return {'options': syntax_rules}
+
+
+# FieldMapping - representation of the rules needed to construct a complete
+# certificate field.
+# - description: str, a name or description of this field, to be used in
+#   messages
+# - syntax_rule: Rule, the rule defining the syntax of this field
+# - data_rules: list of Rule, the rules that produce data to be stored in this
+#   field
+FieldMapping = collections.namedtuple(
+    'FieldMapping', ['description', 'syntax_rule', 'data_rules'])
+Rule = collections.namedtuple(
+    'Rule', ['name', 'template', 'options'])
+
+
+class RuleProvider(object):
+    def rules_for_profile(self, profile_id, helper):
+        """
+        Return the rules needed to build a CSR for the given certificate
+        profile.
+
+        :param profile_id: str, name of the certificate profile to use
+        :param helper: str, name of tool (e.g. openssl, certutil) that will be
+            used to create CSR
+
+        :returns: list of FieldMapping, filled out with the appropriate rules
+        """
+        raise NotImplementedError('RuleProvider class must be subclassed')
+
+
+class FileRuleProvider(RuleProvider):
+    def __init__(self, csr_data_dir=paths.CSR_DATA_DIR):
+        self.rules = {}
+        self.csr_data_dir = csr_data_dir
+
+    def _rule(self, rule_name, helper):
+        if (rule_name, helper) not in self.rules:
+            rule_path = os.path.join(self.csr_data_dir, 'rules',
+                                     '%s.json' % rule_name)
+            try:
+                with open(rule_path) as rule_file:
+                    ruleset = json.load(rule_file)
+            except IOError:
+                raise errors.NotFound(
+                    reason=_('Ruleset %(ruleset)s does not exist.') %
+                    {'ruleset': rule_name})
+
+            matching_rules = [r for r in ruleset['rules']
+                              if r['helper'] == helper]
+            if len(matching_rules) == 0:
+                raise errors.EmptyResult(
+                    reason=_('No transformation in "%(ruleset)s" rule supports'
+                             ' helper "%(helper)s"') %
+                    {'ruleset': rule_name, 'helper': helper})
+            elif len(matching_rules) > 1:
+                raise errors.RedundantMappingRule(
+                    ruleset=rule_name, helper=helper)
+            rule = matching_rules[0]
+
+            options = {}
+            if 'options' in ruleset:
+                options.update(ruleset['options'])
+            if 'options' in rule:
+                options.update(rule['options'])
+            self.rules[(rule_name, helper)] = Rule(
+                rule_name, rule['template'], options)
+        return self.rules[(rule_name, helper)]
+
+    def rules_for_profile(self, profile_id, helper):
+        profile_path = os.path.join(self.csr_data_dir, 'profiles',
+                                    '%s.json' % profile_id)
+        with open(profile_path) as profile_file:
+            profile = json.load(profile_file)
+
+        field_mappings = []
+        for field in profile:
+            syntax_rule = self._rule(field['syntax'], helper)
+            data_rules = [self._rule(name, helper) for name in field['data']]
+            field_mappings.append(FieldMapping(
+                syntax_rule.name, syntax_rule, data_rules))
+        return field_mappings
+
+
+class CSRGenerator(object):
+    FORMATTERS = {
+        'openssl': OpenSSLFormatter,
+        'certutil': CertutilFormatter,
+    }
+
+    def __init__(self, rule_provider):
+        self.rule_provider = rule_provider
+
+    def csr_script(self, principal, profile_id, helper):
+        config = api.Command.config_show()['result']
+        render_data = {'subject': principal, 'config': config}
+
+        formatter = self.FORMATTERS[helper]()
+        rules = self.rule_provider.rules_for_profile(profile_id, helper)
+        template = formatter.build_template(rules)
+
+        try:
+            script = template.render(render_data)
+        except jinja2.UndefinedError:
+            logger.debug(traceback.format_exc())
+            raise errors.CSRTemplateError(reason=_(
+                'Template error when formatting certificate data'))
+
+        return script
diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
new file mode 100644
index 0000000..22b4fb0
--- /dev/null
+++ b/ipaclient/plugins/csrgen.py
@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+
+from ipaclient.csrgen import CSRGenerator, FileRuleProvider
+from ipalib import api
+from ipalib import errors
+from ipalib import output
+from ipalib import util
+from ipalib.frontend import Local, Str
+from ipalib.parameters import Principal
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipaserver.plugins.certprofile import validate_profile_id
+
+if six.PY3:
+    unicode = str
+
+register = Registry()
+
+__doc__ = _("""
+Commands to build certificate requests automatically
+""")
+
+
+@register()
+class cert_get_requestdata(Local):
+    __doc__ = _('Gather data for a certificate signing request.')
+
+    takes_options = (
+        Principal(
+            'principal',
+            label=_('Principal'),
+            doc=_('Principal for this certificate (e.g.'
+                  ' HTTP/test.example.com)'),
+        ),
+        Str(
+            'profile_id',
+            validate_profile_id,
+            label=_('Profile ID'),
+            doc=_('Certificate Profile to use'),
+        ),
+        Str(
+            'helper',
+            label=_('Name of CSR generation tool'),
+            doc=_('Name of tool (e.g. openssl, certutil) that will be used to'
+                  ' create CSR'),
+        ),
+        Str(
+            'out?',
+            doc=_('Write CSR generation script to file'),
+        ),
+    )
+
+    has_output = (
+        output.Output(
+            'result',
+            type=dict,
+            doc=_('Dictionary mapping variable name to value'),
+        ),
+    )
+
+    has_output_params = (
+        Str(
+            'script',
+            label=_('Generation script'),
+        )
+    )
+
+    def execute(self, *args, **options):
+        if 'out' in options:
+            util.check_writable_file(options['out'])
+
+        principal = options.get('principal')
+        profile_id = options.get('profile_id')
+        helper = options.get('helper')
+
+        if self.api.env.in_server:
+            backend = self.api.Backend.ldap2
+        else:
+            backend = self.api.Backend.rpcclient
+        if not backend.isconnected():
+            backend.connect()
+
+        try:
+            if principal.is_host:
+                principal_obj = api.Command.host_show(
+                    principal.hostname, all=True)
+            elif principal.is_service:
+                principal_obj = api.Command.service_show(
+                    unicode(principal), all=True)
+            elif principal.is_user:
+                principal_obj = api.Command.user_show(
+                    principal.username, all=True)
+        except errors.NotFound:
+            raise errors.NotFound(
+                reason=_("The principal for this request doesn't exist."))
+        principal_obj = principal_obj['result']
+
+        generator = CSRGenerator(FileRuleProvider())
+
+        script = generator.csr_script(
+            principal_obj, profile_id, helper)
+
+        result = {}
+        if 'out' in options:
+            with open(options['out'], 'wb') as f:
+                f.write(script)
+        else:
+            result = dict(script=script)
+
+        return dict(
+            result=result
+        )
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 88707ac..6aaca70 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1422,6 +1422,34 @@ class HTTPRequestError(RemoteRetrieveError):
     format = _('Request failed with status %(status)s: %(reason)s')
 
 
+class RedundantMappingRule(SingleMatchExpected):
+    """
+    **4036** Raised when more than one rule in a CSR generation ruleset matches
+    a particular helper.
+
+    For example:
+
+    >>> raise RedundantMappingRule(ruleset='syntaxSubject', helper='certutil')
+    Traceback (most recent call last):
+      ...
+    RedundantMappingRule: Mapping ruleset "syntaxSubject" has more than one
+    rule for the certutil helper.
+    """
+
+    errno = 4036
+    format = _('Mapping ruleset "%(ruleset)s" has more than one rule for the'
+               ' %(helper)s helper')
+
+
+class CSRTemplateError(ExecutionError):
+    """
+    **4037** Raised when evaluation of a CSR generation template fails
+    """
+
+    errno = 4037
+    format = _('%(reason)s')
+
+
 class BuiltinError(ExecutionError):
     """
     **4100** Base class for builtin execution errors (*4100 - 4199*).
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0ba64ef..4234789 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -233,6 +233,7 @@ class BasePathNamespace(object):
     SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
     IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
     UPDATES_DIR = "/usr/share/ipa/updates/"
+    CSR_DATA_DIR = "/usr/share/ipa/csrgen"
     DICT_WORDS = "/usr/share/dict/words"
     CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
     VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"

From ffac15722ade12827380dee5d7d37e35d4ffcb83 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Mon, 22 Aug 2016 10:43:49 -0400
Subject: [PATCH 2/7] Add certificate mappings for caIPAserviceCert

https://fedorahosted.org/freeipa/ticket/4899
---
 install/share/csrgen/Makefile.am                    |  5 +++++
 install/share/csrgen/profiles/caIPAserviceCert.json | 14 ++++++++++++++
 install/share/csrgen/rules/dataDNS.json             | 12 ++++++++++++
 install/share/csrgen/rules/dataHostCN.json          | 12 ++++++++++++
 install/share/csrgen/rules/syntaxSAN.json           | 15 +++++++++++++++
 install/share/csrgen/rules/syntaxSubject.json       | 15 +++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 install/share/csrgen/profiles/caIPAserviceCert.json
 create mode 100644 install/share/csrgen/rules/dataDNS.json
 create mode 100644 install/share/csrgen/rules/dataHostCN.json
 create mode 100644 install/share/csrgen/rules/syntaxSAN.json
 create mode 100644 install/share/csrgen/rules/syntaxSubject.json

diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index 7b718cc..c9437f5 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -2,10 +2,15 @@ NULL =
 
 profiledir = $(IPA_DATA_DIR)/csrgen/profiles
 profile_DATA =				\
+	profiles/caIPAserviceCert.json	\
 	$(NULL)
 
 ruledir = $(IPA_DATA_DIR)/csrgen/rules
 rule_DATA =				\
+	rules/dataDNS.json		\
+	rules/dataHostCN.json		\
+	rules/syntaxSAN.json		\
+	rules/syntaxSubject.json	\
 	$(NULL)
 
 templatedir = $(IPA_DATA_DIR)/csrgen/templates
diff --git a/install/share/csrgen/profiles/caIPAserviceCert.json b/install/share/csrgen/profiles/caIPAserviceCert.json
new file mode 100644
index 0000000..0d1be5e
--- /dev/null
+++ b/install/share/csrgen/profiles/caIPAserviceCert.json
@@ -0,0 +1,14 @@
+[
+    {
+        "syntax": "syntaxSubject",
+        "data": [
+            "dataHostCN"
+        ]
+    },
+    {
+        "syntax": "syntaxSAN",
+        "data": [
+            "dataDNS"
+        ]
+    }
+]
diff --git a/install/share/csrgen/rules/dataDNS.json b/install/share/csrgen/rules/dataDNS.json
new file mode 100644
index 0000000..f0aadca
--- /dev/null
+++ b/install/share/csrgen/rules/dataDNS.json
@@ -0,0 +1,12 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+    },
+    {
+      "helper": "certutil",
+      "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}"
+    }
+  ]
+}
diff --git a/install/share/csrgen/rules/dataHostCN.json b/install/share/csrgen/rules/dataHostCN.json
new file mode 100644
index 0000000..172c7ec
--- /dev/null
+++ b/install/share/csrgen/rules/dataHostCN.json
@@ -0,0 +1,12 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+    },
+    {
+      "helper": "certutil",
+      "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+    }
+  ]
+}
diff --git a/install/share/csrgen/rules/syntaxSAN.json b/install/share/csrgen/rules/syntaxSAN.json
new file mode 100644
index 0000000..122eb12
--- /dev/null
+++ b/install/share/csrgen/rules/syntaxSAN.json
@@ -0,0 +1,15 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}",
+      "options": {
+        "extension": true
+      }
+    },
+    {
+      "helper": "certutil",
+      "template": "--extSAN {{ datarules|join(',') }}"
+    }
+  ]
+}
diff --git a/install/share/csrgen/rules/syntaxSubject.json b/install/share/csrgen/rules/syntaxSubject.json
new file mode 100644
index 0000000..7dfa932
--- /dev/null
+++ b/install/share/csrgen/rules/syntaxSubject.json
@@ -0,0 +1,15 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}"
+    },
+    {
+      "helper": "certutil",
+      "template": "-s {{ datarules|first }}"
+    }
+  ],
+  "options": {
+    "required": true
+  }
+}

From a3c581904cef64bc5136348ad855d3cc63fb5447 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Mon, 22 Aug 2016 10:45:04 -0400
Subject: [PATCH 3/7] Add a new cert profile for users

https://fedorahosted.org/freeipa/ticket/4899
---
 install/share/csrgen/Makefile.am               |  3 +
 install/share/csrgen/profiles/userCert.json    | 14 ++++
 install/share/csrgen/rules/dataEmail.json      | 12 ++++
 install/share/csrgen/rules/dataUsernameCN.json | 12 ++++
 install/share/profiles/Makefile.am             |  1 +
 install/share/profiles/userCert.cfg            | 97 ++++++++++++++++++++++++++
 ipapython/dogtag.py                            |  1 +
 7 files changed, 140 insertions(+)
 create mode 100644 install/share/csrgen/profiles/userCert.json
 create mode 100644 install/share/csrgen/rules/dataEmail.json
 create mode 100644 install/share/csrgen/rules/dataUsernameCN.json
 create mode 100644 install/share/profiles/userCert.cfg

diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index c9437f5..2cd6ce2 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -3,12 +3,15 @@ NULL =
 profiledir = $(IPA_DATA_DIR)/csrgen/profiles
 profile_DATA =				\
 	profiles/caIPAserviceCert.json	\
+	profiles/userCert.json		\
 	$(NULL)
 
 ruledir = $(IPA_DATA_DIR)/csrgen/rules
 rule_DATA =				\
 	rules/dataDNS.json		\
+	rules/dataEmail.json		\
 	rules/dataHostCN.json		\
+	rules/dataUsernameCN.json	\
 	rules/syntaxSAN.json		\
 	rules/syntaxSubject.json	\
 	$(NULL)
diff --git a/install/share/csrgen/profiles/userCert.json b/install/share/csrgen/profiles/userCert.json
new file mode 100644
index 0000000..d5f822e
--- /dev/null
+++ b/install/share/csrgen/profiles/userCert.json
@@ -0,0 +1,14 @@
+[
+    {
+        "syntax": "syntaxSubject",
+        "data": [
+            "dataUsernameCN"
+        ]
+    },
+    {
+        "syntax": "syntaxSAN",
+        "data": [
+            "dataEmail"
+        ]
+    }
+]
diff --git a/install/share/csrgen/rules/dataEmail.json b/install/share/csrgen/rules/dataEmail.json
new file mode 100644
index 0000000..cfc1f60
--- /dev/null
+++ b/install/share/csrgen/rules/dataEmail.json
@@ -0,0 +1,12 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "email = {{ipa.datafield(subject.mail.0)}}"
+    },
+    {
+      "helper": "certutil",
+      "template": "email:{{ipa.datafield(subject.mail.0)|quote}}"
+    }
+  ]
+}
diff --git a/install/share/csrgen/rules/dataUsernameCN.json b/install/share/csrgen/rules/dataUsernameCN.json
new file mode 100644
index 0000000..c3e2409
--- /dev/null
+++ b/install/share/csrgen/rules/dataUsernameCN.json
@@ -0,0 +1,12 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}"
+    },
+    {
+      "helper": "certutil",
+      "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+    }
+  ]
+}
diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am
index 640ca0a..47fe68e 100644
--- a/install/share/profiles/Makefile.am
+++ b/install/share/profiles/Makefile.am
@@ -5,6 +5,7 @@ app_DATA =				\
 	caIPAserviceCert.cfg		\
 	IECUserRoles.cfg		\
 	KDCs_PKINIT_Certs.cfg		\
+	userCert.cfg			\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/profiles/userCert.cfg b/install/share/profiles/userCert.cfg
new file mode 100644
index 0000000..3c2eeb5
--- /dev/null
+++ b/install/share/profiles/userCert.cfg
@@ -0,0 +1,97 @@
+profileId=userCert
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling user certificates with S/MIME key usage permitted
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=Manual User Dual-Use S/MIME capabilities Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,2,3,4,5,6,7,8,9,10
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=RSA
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.userCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.8.default.name=Signing Alg
+policyset.userCertSet.8.default.params.signingAlg=-
+policyset.userCertSet.9.constraint.class_id=noConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.userCertSet.9.default.name=Subject Key Identifier Extension Default
+policyset.userCertSet.9.default.params.critical=false
+policyset.userCertSet.10.constraint.class_id=noConstraintImpl
+policyset.userCertSet.10.constraint.name=No Constraint
+policyset.userCertSet.10.default.class_id=userExtensionDefaultImpl
+policyset.userCertSet.10.default.name=User Supplied Extension Default
+policyset.userCertSet.10.default.params.userExtOID=2.5.29.17
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index eb1f73e..9a1fea3 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -47,6 +47,7 @@
 
 INCLUDED_PROFILES = {
     Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
+    Profile(u'userCert', u'Standard profile for users', True),
     Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
     Profile(u'KDCs_PKINIT_Certs',
             u'Profile for PKINIT support by KDCs',

From 381f7cbe34294ef572aefd7993178ae43635f683 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Tue, 6 Sep 2016 14:58:24 -0400
Subject: [PATCH 4/7] Use data_sources option to define which fields are
 rendered

This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.

The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.
---
 install/share/csr/templates/ipa_macros.tmpl        | 42 ----------------------
 install/share/csrgen/Makefile.am                   |  2 +-
 .../share/csrgen/profiles/caIPAserviceCert.json    |  3 +-
 install/share/csrgen/profiles/userCert.json        |  3 +-
 install/share/csrgen/rules/dataDNS.json            |  9 +++--
 install/share/csrgen/rules/dataEmail.json          |  9 +++--
 install/share/csrgen/rules/dataHostCN.json         |  9 +++--
 install/share/csrgen/rules/dataSubjectBase.json    | 15 ++++++++
 install/share/csrgen/rules/dataUsernameCN.json     |  9 +++--
 install/share/csrgen/rules/syntaxSubject.json      |  7 ++--
 install/share/csrgen/templates/certutil_base.tmpl  |  3 --
 install/share/csrgen/templates/openssl_base.tmpl   |  1 -
 ipaclient/csrgen.py                                | 40 ++++++++++++++-------
 13 files changed, 75 insertions(+), 77 deletions(-)
 delete mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csrgen/rules/dataSubjectBase.json

diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl
deleted file mode 100644
index e790d4e..0000000
--- a/install/share/csr/templates/ipa_macros.tmpl
+++ /dev/null
@@ -1,42 +0,0 @@
-{% set rendersyntax = {} %}
-
-{% set renderdata = {} %}
-
-{# Wrapper for syntax rules. We render the contents of the rule into a
-variable, so that if we find that none of the contained data rules rendered we
-can suppress the whole syntax rule. That is, a syntax rule is rendered either
-if no data rules are specified (unusual) or if at least one of the data rules
-rendered successfully. #}
-{% macro syntaxrule() -%}
-{% do rendersyntax.update(none=true, any=false) -%}
-{% set contents -%}
-{{ caller() -}}
-{% endset -%}
-{% if rendersyntax['none'] or rendersyntax['any'] -%}
-{{ contents -}}
-{% endif -%}
-{% endmacro %}
-
-{# Wrapper for data rules. A data rule is rendered only when all of the data
-fields it contains have data available. #}
-{% macro datarule() -%}
-{% do rendersyntax.update(none=false) -%}
-{% do renderdata.update(all=true) -%}
-{% set contents -%}
-{{ caller() -}}
-{% endset -%}
-{% if renderdata['all'] -%}
-{% do rendersyntax.update(any=true) -%}
-{{ contents -}}
-{% endif -%}
-{% endmacro %}
-
-{# Wrapper for fields in data rules. If any value wrapped by this macro
-produces an empty string, the entire data rule will be suppressed. #}
-{% macro datafield(value) -%}
-{% if value -%}
-{{ value -}}
-{% else -%}
-{% do renderdata.update(all=false) -%}
-{% endif -%}
-{% endmacro %}
diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index 2cd6ce2..12c62c4 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -12,6 +12,7 @@ rule_DATA =				\
 	rules/dataEmail.json		\
 	rules/dataHostCN.json		\
 	rules/dataUsernameCN.json	\
+	rules/dataSubjectBase.json	\
 	rules/syntaxSAN.json		\
 	rules/syntaxSubject.json	\
 	$(NULL)
@@ -21,7 +22,6 @@ template_DATA =			\
 	templates/certutil_base.tmpl	\
 	templates/openssl_base.tmpl	\
 	templates/openssl_macros.tmpl	\
-	templates/ipa_macros.tmpl	\
 	$(NULL)
 
 EXTRA_DIST =				\
diff --git a/install/share/csrgen/profiles/caIPAserviceCert.json b/install/share/csrgen/profiles/caIPAserviceCert.json
index 0d1be5e..114d2ff 100644
--- a/install/share/csrgen/profiles/caIPAserviceCert.json
+++ b/install/share/csrgen/profiles/caIPAserviceCert.json
@@ -2,7 +2,8 @@
     {
         "syntax": "syntaxSubject",
         "data": [
-            "dataHostCN"
+            "dataHostCN",
+            "dataSubjectBase"
         ]
     },
     {
diff --git a/install/share/csrgen/profiles/userCert.json b/install/share/csrgen/profiles/userCert.json
index d5f822e..d6cf5cf 100644
--- a/install/share/csrgen/profiles/userCert.json
+++ b/install/share/csrgen/profiles/userCert.json
@@ -2,7 +2,8 @@
     {
         "syntax": "syntaxSubject",
         "data": [
-            "dataUsernameCN"
+            "dataUsernameCN",
+            "dataSubjectBase"
         ]
     },
     {
diff --git a/install/share/csrgen/rules/dataDNS.json b/install/share/csrgen/rules/dataDNS.json
index f0aadca..2663f11 100644
--- a/install/share/csrgen/rules/dataDNS.json
+++ b/install/share/csrgen/rules/dataDNS.json
@@ -2,11 +2,14 @@
   "rules": [
     {
       "helper": "openssl",
-      "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+      "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
     },
     {
       "helper": "certutil",
-      "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}"
+      "template": "dns:{{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}"
     }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+  }
 }
diff --git a/install/share/csrgen/rules/dataEmail.json b/install/share/csrgen/rules/dataEmail.json
index cfc1f60..2eae9fb 100644
--- a/install/share/csrgen/rules/dataEmail.json
+++ b/install/share/csrgen/rules/dataEmail.json
@@ -2,11 +2,14 @@
   "rules": [
     {
       "helper": "openssl",
-      "template": "email = {{ipa.datafield(subject.mail.0)}}"
+      "template": "email = {{subject.mail.0}}"
     },
     {
       "helper": "certutil",
-      "template": "email:{{ipa.datafield(subject.mail.0)|quote}}"
+      "template": "email:{{subject.mail.0|quote}}"
     }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.mail.0"
+  }
 }
diff --git a/install/share/csrgen/rules/dataHostCN.json b/install/share/csrgen/rules/dataHostCN.json
index 172c7ec..5c415bb 100644
--- a/install/share/csrgen/rules/dataHostCN.json
+++ b/install/share/csrgen/rules/dataHostCN.json
@@ -2,11 +2,14 @@
   "rules": [
     {
       "helper": "openssl",
-      "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}"
+      "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
     },
     {
       "helper": "certutil",
-      "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+      "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}"
     }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"
+  }
 }
diff --git a/install/share/csrgen/rules/dataSubjectBase.json b/install/share/csrgen/rules/dataSubjectBase.json
new file mode 100644
index 0000000..309dfb1
--- /dev/null
+++ b/install/share/csrgen/rules/dataSubjectBase.json
@@ -0,0 +1,15 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "{{config.ipacertificatesubjectbase.0}}"
+    },
+    {
+      "helper": "certutil",
+      "template": "{{config.ipacertificatesubjectbase.0|quote}}"
+    }
+  ],
+  "options": {
+    "data_source": "config.ipacertificatesubjectbase.0"
+  }
+}
diff --git a/install/share/csrgen/rules/dataUsernameCN.json b/install/share/csrgen/rules/dataUsernameCN.json
index c3e2409..37e7e01 100644
--- a/install/share/csrgen/rules/dataUsernameCN.json
+++ b/install/share/csrgen/rules/dataUsernameCN.json
@@ -2,11 +2,14 @@
   "rules": [
     {
       "helper": "openssl",
-      "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}"
+      "template": "CN={{subject.uid.0}}"
     },
     {
       "helper": "certutil",
-      "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+      "template": "CN={{subject.uid.0|quote}}"
     }
-  ]
+  ],
+  "options": {
+    "data_source": "subject.uid.0"
+  }
 }
diff --git a/install/share/csrgen/rules/syntaxSubject.json b/install/share/csrgen/rules/syntaxSubject.json
index 7dfa932..af6ec03 100644
--- a/install/share/csrgen/rules/syntaxSubject.json
+++ b/install/share/csrgen/rules/syntaxSubject.json
@@ -2,14 +2,15 @@
   "rules": [
     {
       "helper": "openssl",
-      "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}"
+      "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"
     },
     {
       "helper": "certutil",
-      "template": "-s {{ datarules|first }}"
+      "template": "-s {{ datarules|join(',') }}"
     }
   ],
   "options": {
-    "required": true
+    "required": true,
+    "data_source_combinator": "and"
   }
 }
diff --git a/install/share/csrgen/templates/certutil_base.tmpl b/install/share/csrgen/templates/certutil_base.tmpl
index 6c6425f..a5556fd 100644
--- a/install/share/csrgen/templates/certutil_base.tmpl
+++ b/install/share/csrgen/templates/certutil_base.tmpl
@@ -1,6 +1,3 @@
-{% raw -%}
-{% import "ipa_macros.tmpl" as ipa -%}
-{%- endraw %}
 #!/bin/bash -e
 
 if [[ $# -lt 1 ]]; then
diff --git a/install/share/csrgen/templates/openssl_base.tmpl b/install/share/csrgen/templates/openssl_base.tmpl
index 597577b..2d6c070 100644
--- a/install/share/csrgen/templates/openssl_base.tmpl
+++ b/install/share/csrgen/templates/openssl_base.tmpl
@@ -1,6 +1,5 @@
 {% raw -%}
 {% import "openssl_macros.tmpl" as openssl -%}
-{% import "ipa_macros.tmpl" as ipa -%}
 {%- endraw %}
 #!/bin/bash -e
 
diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8d7cfce..6461d62 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -81,8 +81,6 @@ def __init__(self, csr_data_dir=paths.CSR_DATA_DIR):
             keep_trailing_newline=True, undefined=IndexableUndefined)
 
         self.passthrough_globals = {}
-        self._define_passthrough('ipa.syntaxrule')
-        self._define_passthrough('ipa.datarule')
 
     def _define_passthrough(self, call):
 
@@ -109,8 +107,15 @@ def build_template(self, rules):
         for description, syntax_rule, data_rules in rules:
             data_rules_prepared = [
                 self._prepare_data_rule(rule) for rule in data_rules]
+
+            data_sources = []
+            for rule in data_rules:
+                data_source = rule.options.get('data_source')
+                if data_source:
+                    data_sources.append(data_source)
+
             syntax_rules.append(self._prepare_syntax_rule(
-                syntax_rule, data_rules_prepared, description))
+                syntax_rule, data_rules_prepared, description, data_sources))
 
         template_params = self._get_template_params(syntax_rules)
         base_template = self.jinja2.get_template(
@@ -129,11 +134,9 @@ def build_template(self, rules):
 
         return combined_template
 
-    def _wrap_rule(self, rule, rule_type):
-        template = '{%% call ipa.%srule() %%}%s{%% endcall %%}' % (
-            rule_type, rule)
-
-        return template
+    def _wrap_conditional(self, rule, condition):
+        rule = '{%% if %s %%}%s{%% endif %%}' % (condition, rule)
+        return rule
 
     def _wrap_required(self, rule, description):
         template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % (
@@ -142,9 +145,16 @@ def _wrap_required(self, rule, description):
         return template
 
     def _prepare_data_rule(self, data_rule):
-        return self._wrap_rule(data_rule.template, 'data')
+        template = data_rule.template
+
+        data_source = data_rule.options.get('data_source')
+        if data_source:
+            template = self._wrap_conditional(template, data_source)
+
+        return template
 
-    def _prepare_syntax_rule(self, syntax_rule, data_rules, description):
+    def _prepare_syntax_rule(
+            self, syntax_rule, data_rules, description, data_sources):
         logger.debug('Syntax rule template: %s' % syntax_rule.template)
         template = self.jinja2.from_string(
             syntax_rule.template, globals=self.passthrough_globals)
@@ -156,7 +166,10 @@ def _prepare_syntax_rule(self, syntax_rule, data_rules, description):
             raise errors.CSRTemplateError(reason=_(
                 'Template error when formatting certificate data'))
 
-        prepared_template = self._wrap_rule(rendered, 'syntax')
+        combinator = ' %s ' % syntax_rule.options.get(
+            'data_source_combinator', 'or')
+        condition = combinator.join(data_sources)
+        prepared_template = self._wrap_conditional(rendered, condition)
         if is_required:
             prepared_template = self._wrap_required(
                 prepared_template, description)
@@ -197,10 +210,11 @@ def _get_template_params(self, syntax_rules):
 
         return {'parameters': parameters, 'extensions': extensions}
 
-    def _prepare_syntax_rule(self, syntax_rule, data_rules, description):
+    def _prepare_syntax_rule(
+            self, syntax_rule, data_rules, description, data_sources):
         """Overrides method to pull out whether rule is an extension or not."""
         prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule(
-            syntax_rule, data_rules, description)
+            syntax_rule, data_rules, description, data_sources)
         is_extension = syntax_rule.options.get('extension', False)
         return self.SyntaxRule(prepared_template, is_extension)
 

From 6454f10fa9e1dc12f7929c5794431d40d7f13218 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Thu, 8 Sep 2016 18:29:46 -0400
Subject: [PATCH 5/7] Add tests for CSR autogeneration

Some tests are failing and will be fixed in the next commit.
This patch also contains some code changes to make the code easier to
test.
---
 ipaclient/csrgen.py                                |  65 +++--
 ipaclient/plugins/csrgen.py                        |   3 +-
 ipatests/setup.py                                  |   2 +
 ipatests/test_ipaclient/__init__.py                |   7 +
 .../data/test_csrgen/profiles/profile.json         |   8 +
 .../data/test_csrgen/rules/basic.json              |  12 +
 .../data/test_csrgen/rules/options.json            |  18 ++
 .../scripts/caIPAserviceCert_certutil.sh           |  11 +
 .../scripts/caIPAserviceCert_openssl.sh            |  33 +++
 .../data/test_csrgen/scripts/userCert_certutil.sh  |  11 +
 .../data/test_csrgen/scripts/userCert_openssl.sh   |  33 +++
 .../data/test_csrgen/templates/identity_base.tmpl  |   1 +
 ipatests/test_ipaclient/test_csrgen.py             | 298 +++++++++++++++++++++
 13 files changed, 479 insertions(+), 23 deletions(-)
 create mode 100644 ipatests/test_ipaclient/__init__.py
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/options.json
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
 create mode 100644 ipatests/test_ipaclient/test_csrgen.py

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 6461d62..500f56f 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -13,7 +13,6 @@
 import jinja2.sandbox
 import six
 
-from ipalib import api
 from ipalib import errors
 from ipalib.text import _
 from ipaplatform.paths import paths
@@ -104,18 +103,20 @@ def build_template(self, rules):
         :returns: jinja2.Template that can be rendered to produce the CSR data.
         """
         syntax_rules = []
-        for description, syntax_rule, data_rules in rules:
+        for field_mapping in rules:
             data_rules_prepared = [
-                self._prepare_data_rule(rule) for rule in data_rules]
+                self._prepare_data_rule(rule)
+                for rule in field_mapping.data_rules]
 
             data_sources = []
-            for rule in data_rules:
+            for rule in field_mapping.data_rules:
                 data_source = rule.options.get('data_source')
                 if data_source:
                     data_sources.append(data_source)
 
             syntax_rules.append(self._prepare_syntax_rule(
-                syntax_rule, data_rules_prepared, description, data_sources))
+                field_mapping.syntax_rule, data_rules_prepared,
+                field_mapping.description, data_sources))
 
         template_params = self._get_template_params(syntax_rules)
         base_template = self.jinja2.get_template(
@@ -198,8 +199,8 @@ class OpenSSLFormatter(Formatter):
     SyntaxRule = collections.namedtuple(
         'SyntaxRule', ['template', 'is_extension'])
 
-    def __init__(self):
-        super(OpenSSLFormatter, self).__init__()
+    def __init__(self, *args, **kwargs):
+        super(OpenSSLFormatter, self).__init__(*args, **kwargs)
         self._define_passthrough('openssl.section')
 
     def _get_template_params(self, syntax_rules):
@@ -226,17 +227,31 @@ def _get_template_params(self, syntax_rules):
         return {'options': syntax_rules}
 
 
-# FieldMapping - representation of the rules needed to construct a complete
-# certificate field.
-# - description: str, a name or description of this field, to be used in
-#   messages
-# - syntax_rule: Rule, the rule defining the syntax of this field
-# - data_rules: list of Rule, the rules that produce data to be stored in this
-#   field
-FieldMapping = collections.namedtuple(
-    'FieldMapping', ['description', 'syntax_rule', 'data_rules'])
-Rule = collections.namedtuple(
-    'Rule', ['name', 'template', 'options'])
+class FieldMapping(object):
+    """Representation of the rules needed to construct a complete cert field.
+
+    Attributes:
+        description: str, a name or description of this field, to be used in
+            messages
+        syntax_rule: Rule, the rule defining the syntax of this field
+        data_rules: list of Rule, the rules that produce data to be stored in
+            this field
+    """
+    __slots__ = ['description', 'syntax_rule', 'data_rules']
+
+    def __init__(self, description, syntax_rule, data_rules):
+        self.description = description
+        self.syntax_rule = syntax_rule
+        self.data_rules = data_rules
+
+
+class Rule(object):
+    __slots__ = ['name', 'template', 'options']
+
+    def __init__(self, name, template, options):
+        self.name = name
+        self.template = template
+        self.options = options
 
 
 class RuleProvider(object):
@@ -288,15 +303,22 @@ def _rule(self, rule_name, helper):
                 options.update(ruleset['options'])
             if 'options' in rule:
                 options.update(rule['options'])
+
             self.rules[(rule_name, helper)] = Rule(
                 rule_name, rule['template'], options)
+
         return self.rules[(rule_name, helper)]
 
     def rules_for_profile(self, profile_id, helper):
         profile_path = os.path.join(self.csr_data_dir, 'profiles',
                                     '%s.json' % profile_id)
-        with open(profile_path) as profile_file:
-            profile = json.load(profile_file)
+        try:
+            with open(profile_path) as profile_file:
+                profile = json.load(profile_file)
+        except IOError:
+            raise errors.NotFound(
+                reason=_('No certificate mappings are defined for profile'
+                         ' %(profile_id)s') % {'profile_id': profile_id})
 
         field_mappings = []
         for field in profile:
@@ -316,8 +338,7 @@ class CSRGenerator(object):
     def __init__(self, rule_provider):
         self.rule_provider = rule_provider
 
-    def csr_script(self, principal, profile_id, helper):
-        config = api.Command.config_show()['result']
+    def csr_script(self, principal, config, profile_id, helper):
         render_data = {'subject': principal, 'config': config}
 
         formatter = self.FORMATTERS[helper]()
diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 22b4fb0..e798a85 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -98,11 +98,12 @@ def execute(self, *args, **options):
             raise errors.NotFound(
                 reason=_("The principal for this request doesn't exist."))
         principal_obj = principal_obj['result']
+        config = api.Command.config_show()['result']
 
         generator = CSRGenerator(FileRuleProvider())
 
         script = generator.csr_script(
-            principal_obj, profile_id, helper)
+            principal_obj, config, profile_id, helper)
 
         result = {}
         if 'out' in options:
diff --git a/ipatests/setup.py b/ipatests/setup.py
index 1fb5e92..e46e922 100644
--- a/ipatests/setup.py
+++ b/ipatests/setup.py
@@ -38,6 +38,7 @@
             "ipatests.test_cmdline",
             "ipatests.test_install",
             "ipatests.test_integration",
+            "ipatests.test_ipaclient",
             "ipatests.test_ipalib",
             "ipatests.test_ipapython",
             "ipatests.test_ipaserver",
@@ -51,6 +52,7 @@
         package_data={
             'ipatests.test_install': ['*.update'],
             'ipatests.test_integration': ['scripts/*'],
+            'ipatests.test_ipaclient': ['data/*/*/*'],
             'ipatests.test_ipalib': ['data/*'],
             'ipatests.test_pkcs10': ['*.csr'],
             "ipatests.test_ipaserver": ['data/*'],
diff --git a/ipatests/test_ipaclient/__init__.py b/ipatests/test_ipaclient/__init__.py
new file mode 100644
index 0000000..0c42891
--- /dev/null
+++ b/ipatests/test_ipaclient/__init__.py
@@ -0,0 +1,7 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+"""
+Sub-package containing unit tests for `ipaclient` package.
+"""
diff --git a/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json b/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
new file mode 100644
index 0000000..676f91b
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json
@@ -0,0 +1,8 @@
+[
+    {
+        "syntax": "basic",
+        "data": [
+            "options"
+        ]
+    }
+]
diff --git a/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json b/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
new file mode 100644
index 0000000..feba3e9
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json
@@ -0,0 +1,12 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "openssl_rule"
+    },
+    {
+      "helper": "certutil",
+      "template": "certutil_rule"
+    }
+  ]
+}
diff --git a/ipatests/test_ipaclient/data/test_csrgen/rules/options.json b/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
new file mode 100644
index 0000000..111a6d8
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/rules/options.json
@@ -0,0 +1,18 @@
+{
+  "rules": [
+    {
+      "helper": "openssl",
+      "template": "openssl_rule",
+      "options": {
+        "helper_option": true
+      }
+    },
+    {
+      "helper": "certutil",
+      "template": "certutil_rule"
+    }
+  ],
+  "options": {
+    "global_option": true
+  }
+}
diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
new file mode 100644
index 0000000..74a704c
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+if [[ $# -lt 1 ]]; then
+echo "Usage: $0 <outfile> [<any> <certutil> <args>]"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CSR="$1"
+shift
+certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" -s CN=machine.example.com,O=DOMAIN.EXAMPLE.COM --extSAN dns:machine.example.com "$@"
diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
new file mode 100644
index 0000000..c621a69
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+if [[ $# -ne 2 ]]; then
+echo "Usage: $0 <outfile> <keyfile>"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CONFIG="$(mktemp)"
+CSR="$1"
+shift
+
+echo \
+'[ req ]
+prompt = no
+encrypt_key = no
+
+distinguished_name = sec0
+req_extensions = sec2
+
+[ sec0 ]
+O=DOMAIN.EXAMPLE.COM
+CN=machine.example.com
+
+[ sec1 ]
+DNS = machine.example.com
+
+[ sec2 ]
+subjectAltName = @sec1
+' > "$CONFIG"
+
+openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+rm "$CONFIG"
diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
new file mode 100644
index 0000000..4aaeda0
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+if [[ $# -lt 1 ]]; then
+echo "Usage: $0 <outfile> [<any> <certutil> <args>]"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CSR="$1"
+shift
+certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" -s CN=testuser,O=DOMAIN.EXAMPLE.COM --extSAN email:testu...@example.com "$@"
diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
new file mode 100644
index 0000000..cdbe8a1
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+if [[ $# -ne 2 ]]; then
+echo "Usage: $0 <outfile> <keyfile>"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CONFIG="$(mktemp)"
+CSR="$1"
+shift
+
+echo \
+'[ req ]
+prompt = no
+encrypt_key = no
+
+distinguished_name = sec0
+req_extensions = sec2
+
+[ sec0 ]
+O=DOMAIN.EXAMPLE.COM
+CN=testuser
+
+[ sec1 ]
+email = testu...@example.com
+
+[ sec2 ]
+subjectAltName = @sec1
+' > "$CONFIG"
+
+openssl req -new -config "$CONFIG" -out "$CSR" -key $1
+rm "$CONFIG"
diff --git a/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl b/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
new file mode 100644
index 0000000..79111ab
--- /dev/null
+++ b/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl
@@ -0,0 +1 @@
+{{ options|join(";") }}
diff --git a/ipatests/test_ipaclient/test_csrgen.py b/ipatests/test_ipaclient/test_csrgen.py
new file mode 100644
index 0000000..556f8e0
--- /dev/null
+++ b/ipatests/test_ipaclient/test_csrgen.py
@@ -0,0 +1,298 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import pytest
+
+from ipaclient import csrgen
+from ipalib import errors
+
+BASE_DIR = os.path.dirname(__file__)
+CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_csrgen')
+
+
+@pytest.fixture
+def formatter():
+    return csrgen.Formatter(csr_data_dir=CSR_DATA_DIR)
+
+
+@pytest.fixture
+def rule_provider():
+    return csrgen.FileRuleProvider(csr_data_dir=CSR_DATA_DIR)
+
+
+@pytest.fixture
+def generator():
+    return csrgen.CSRGenerator(csrgen.FileRuleProvider())
+
+
+class StubRuleProvider(csrgen.RuleProvider):
+    def __init__(self):
+        self.syntax_rule = csrgen.Rule(
+            'syntax', '{{datarules|join(",")}}', {})
+        self.data_rule = csrgen.Rule('data', 'data_template', {})
+        self.field_mapping = csrgen.FieldMapping(
+            'example', self.syntax_rule, [self.data_rule])
+        self.rules = [self.field_mapping]
+
+    def rules_for_profile(self, profile_id, helper):
+        return self.rules
+
+
+class IdentityFormatter(csrgen.Formatter):
+    base_template_name = 'identity_base.tmpl'
+
+    def __init__(self):
+        super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR)
+
+    def _get_template_params(self, syntax_rules):
+        return {'options': syntax_rules}
+
+
+class IdentityCSRGenerator(csrgen.CSRGenerator):
+    FORMATTERS = {'identity': IdentityFormatter}
+
+
+class test_Formatter(object):
+    def test_prepare_data_rule_with_data_source(self, formatter):
+        data_rule = csrgen.Rule('uid', '{{subject.uid.0}}',
+                                {'data_source': 'subject.uid.0'})
+        prepared = formatter._prepare_data_rule(data_rule)
+        assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}'
+
+    def test_prepare_data_rule_no_data_source(self, formatter):
+        """Not a normal case, but we should handle it anyway"""
+        data_rule = csrgen.Rule('uid', 'static_text', {})
+        prepared = formatter._prepare_data_rule(data_rule)
+        assert prepared == 'static_text'
+
+    def test_prepare_syntax_rule_with_data_sources(self, formatter):
+        syntax_rule = csrgen.Rule(
+            'example', '{{datarules|join(",")}}', {})
+        data_rules = ['{{subject.field1}}', '{{subject.field2}}']
+        data_sources = ['subject.field1', 'subject.field2']
+        prepared = formatter._prepare_syntax_rule(
+            syntax_rule, data_rules, 'example', data_sources)
+
+        assert prepared == (
+            '{% if subject.field1 or subject.field2 %}{{subject.field1}},'
+            '{{subject.field2}}{% endif %}')
+
+    def test_prepare_syntax_rule_with_combinator(self, formatter):
+        syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}',
+                                  {'data_source_combinator': 'and'})
+        data_rules = ['{{subject.field1}}', '{{subject.field2}}']
+        data_sources = ['subject.field1', 'subject.field2']
+        prepared = formatter._prepare_syntax_rule(
+            syntax_rule, data_rules, 'example', data_sources)
+
+        assert prepared == (
+            '{% if subject.field1 and subject.field2 %}{{subject.field1}},'
+            '{{subject.field2}}{% endif %}')
+
+    def test_prepare_syntax_rule_required(self, formatter):
+        syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}',
+                                  {'required': True})
+        data_rules = ['{{subject.field1}}']
+        data_sources = ['subject.field1']
+        prepared = formatter._prepare_syntax_rule(
+            syntax_rule, data_rules, 'example', data_sources)
+
+        assert prepared == (
+            '{% filter required("example") %}{% if subject.field1 %}'
+            '{{subject.field1}}{% endif %}{% endfilter %}')
+
+    def test_prepare_syntax_rule_passthrough(self, formatter):
+        """
+        Calls to macros defined as passthrough are still call tags in the final
+        template.
+        """
+        formatter._define_passthrough('example.macro')
+
+        syntax_rule = csrgen.Rule(
+            'example',
+            '{% call example.macro() %}{{datarules|join(",")}}{% endcall %}',
+            {})
+        data_rules = ['{{subject.field1}}']
+        data_sources = ['subject.field1']
+        prepared = formatter._prepare_syntax_rule(
+            syntax_rule, data_rules, 'example', data_sources)
+
+        assert prepared == (
+            '{% if subject.field1 %}{% call example.macro() %}'
+            '{{subject.field1}}{% endcall %}{% endif %}')
+
+    def test_prepare_syntax_rule_no_data_sources(self, formatter):
+        """Not a normal case, but we should handle it anyway"""
+        syntax_rule = csrgen.Rule(
+            'example', '{{datarules|join(",")}}', {})
+        data_rules = ['rule1', 'rule2']
+        data_sources = []
+        prepared = formatter._prepare_syntax_rule(
+            syntax_rule, data_rules, 'example', data_sources)
+
+        assert prepared == 'rule1,rule2'
+
+
+class test_FileRuleProvider(object):
+    def test_rule_basic(self, rule_provider):
+        rule_name = 'basic'
+
+        rule1 = rule_provider._rule(rule_name, 'openssl')
+        rule2 = rule_provider._rule(rule_name, 'certutil')
+
+        assert rule1.template == 'openssl_rule'
+        assert rule2.template == 'certutil_rule'
+
+    def test_rule_global_options(self, rule_provider):
+        rule_name = 'options'
+
+        rule1 = rule_provider._rule(rule_name, 'openssl')
+        rule2 = rule_provider._rule(rule_name, 'certutil')
+
+        assert rule1.options['global_option'] is True
+        assert rule2.options['global_option'] is True
+
+    def test_rule_helper_options(self, rule_provider):
+        rule_name = 'options'
+
+        rule1 = rule_provider._rule(rule_name, 'openssl')
+        rule2 = rule_provider._rule(rule_name, 'certutil')
+
+        assert rule1.options['helper_option'] is True
+        assert 'helper_option' not in rule2.options
+
+    def test_rule_nosuchrule(self, rule_provider):
+        with pytest.raises(errors.NotFound):
+            rule_provider._rule('nosuchrule', 'openssl')
+
+    def test_rule_nosuchhelper(self, rule_provider):
+        with pytest.raises(errors.EmptyResult):
+            rule_provider._rule('basic', 'nosuchhelper')
+
+    def test_rules_for_profile_success(self, rule_provider):
+        rules = rule_provider.rules_for_profile('profile', 'certutil')
+
+        assert len(rules) == 1
+        field_mapping = rules[0]
+        assert field_mapping.syntax_rule.name == 'basic'
+        assert len(field_mapping.data_rules) == 1
+        assert field_mapping.data_rules[0].name == 'options'
+
+    def test_rules_for_profile_nosuchprofile(self, rule_provider):
+        with pytest.raises(errors.NotFound):
+            rule_provider.rules_for_profile('nosuchprofile', 'certutil')
+
+
+class test_CSRGenerator(object):
+    def test_userCert_OpenSSL(self, generator):
+        principal = {
+            'uid': ['testuser'],
+            'mail': ['testu...@example.com'],
+        }
+        config = {
+            'ipacertificatesubjectbase': [
+                'O=DOMAIN.EXAMPLE.COM'
+            ],
+        }
+
+        script = generator.csr_script(principal, config, 'userCert', 'openssl')
+        with open(os.path.join(
+                CSR_DATA_DIR, 'scripts', 'userCert_openssl.sh')) as f:
+            expected_script = f.read()
+        assert script == expected_script
+
+    def test_userCert_Certutil(self, generator):
+        principal = {
+            'uid': ['testuser'],
+            'mail': ['testu...@example.com'],
+        }
+        config = {
+            'ipacertificatesubjectbase': [
+                'O=DOMAIN.EXAMPLE.COM'
+            ],
+        }
+
+        script = generator.csr_script(
+            principal, config, 'userCert', 'certutil')
+
+        with open(os.path.join(
+                CSR_DATA_DIR, 'scripts', 'userCert_certutil.sh')) as f:
+            expected_script = f.read()
+        assert script == expected_script
+
+    def test_caIPAserviceCert_OpenSSL(self, generator):
+        principal = {
+            'krbprincipalname': [
+                'HTTP/machine.example....@domain.example.com'
+            ],
+        }
+        config = {
+            'ipacertificatesubjectbase': [
+                'O=DOMAIN.EXAMPLE.COM'
+            ],
+        }
+
+        script = generator.csr_script(
+            principal, config, 'caIPAserviceCert', 'openssl')
+        with open(os.path.join(
+                CSR_DATA_DIR, 'scripts', 'caIPAserviceCert_openssl.sh')) as f:
+            expected_script = f.read()
+        assert script == expected_script
+
+    def test_caIPAserviceCert_Certutil(self, generator):
+        principal = {
+            'krbprincipalname': [
+                'HTTP/machine.example....@domain.example.com'
+            ],
+        }
+        config = {
+            'ipacertificatesubjectbase': [
+                'O=DOMAIN.EXAMPLE.COM'
+            ],
+        }
+
+        script = generator.csr_script(
+            principal, config, 'caIPAserviceCert', 'certutil')
+        with open(os.path.join(
+                CSR_DATA_DIR, 'scripts', 'caIPAserviceCert_certutil.sh')) as f:
+            expected_script = f.read()
+        assert script == expected_script
+
+
+class test_rule_handling(object):
+    def test_optionalAttributeMissing(self, generator):
+        principal = {'uid': 'testuser'}
+        rule_provider = StubRuleProvider()
+        rule_provider.data_rule.template = '{{subject.mail}}'
+        rule_provider.data_rule.options = {'data_source': 'subject.mail'}
+        generator = IdentityCSRGenerator(rule_provider)
+
+        script = generator.csr_script(
+            principal, {}, 'example', 'identity')
+        assert script == '\n'
+
+    def test_twoDataRulesOneMissing(self, generator):
+        principal = {'uid': 'testuser'}
+        rule_provider = StubRuleProvider()
+        rule_provider.data_rule.template = '{{subject.mail}}'
+        rule_provider.data_rule.options = {'data_source': 'subject.mail'}
+        rule_provider.field_mapping.data_rules.append(csrgen.Rule(
+            'data2', '{{subject.uid}}', {'data_source': 'subject.uid'}))
+        generator = IdentityCSRGenerator(rule_provider)
+
+        script = generator.csr_script(principal, {}, 'example', 'identity')
+        assert script == ',testuser\n'
+
+    def test_requiredAttributeMissing(self):
+        principal = {'uid': 'testuser'}
+        rule_provider = StubRuleProvider()
+        rule_provider.data_rule.template = '{{subject.mail}}'
+        rule_provider.data_rule.options = {'data_source': 'subject.mail'}
+        rule_provider.syntax_rule.options = {'required': True}
+        generator = IdentityCSRGenerator(rule_provider)
+
+        with pytest.raises(errors.CSRTemplateError):
+            _script = generator.csr_script(
+                principal, {}, 'example', 'identity')

From 038ba5cb727f377452c447bf0cbf8cfbd719d864 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Thu, 8 Sep 2016 19:54:48 -0400
Subject: [PATCH 6/7] Fix broken tests in CSR autogeneration

---
 ipaclient/csrgen.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 500f56f..8b87751 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -82,6 +82,11 @@ def __init__(self, csr_data_dir=paths.CSR_DATA_DIR):
         self.passthrough_globals = {}
 
     def _define_passthrough(self, call):
+        """Some macros are meant to be interpreted during the final render, not
+        when data rules are interpolated into syntax rules. This method allows
+        those macros to be registered so that calls to them are passed through
+        to the prepared rule rather than interpreted.
+        """
 
         def passthrough(caller):
             return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller())
@@ -161,16 +166,19 @@ def _prepare_syntax_rule(
             syntax_rule.template, globals=self.passthrough_globals)
         is_required = syntax_rule.options.get('required', False)
         try:
-            rendered = template.render(datarules=data_rules)
+            prepared_template = template.render(datarules=data_rules)
         except jinja2.UndefinedError:
             logger.debug(traceback.format_exc())
             raise errors.CSRTemplateError(reason=_(
                 'Template error when formatting certificate data'))
 
-        combinator = ' %s ' % syntax_rule.options.get(
-            'data_source_combinator', 'or')
-        condition = combinator.join(data_sources)
-        prepared_template = self._wrap_conditional(rendered, condition)
+        if data_sources:
+            combinator = ' %s ' % syntax_rule.options.get(
+                'data_source_combinator', 'or')
+            condition = combinator.join(data_sources)
+            prepared_template = self._wrap_conditional(
+                prepared_template, condition)
+
         if is_required:
             prepared_template = self._wrap_required(
                 prepared_template, description)

From 1704ef68a8baf6644cf487f73c6bb03a9dc4948a Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Tue, 17 Jan 2017 18:30:35 -0500
Subject: [PATCH 7/7] fixup! Add code to generate scripts that generate CSRs

---
 freeipa.spec.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8396105..5a77af2 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -185,6 +185,7 @@ BuildRequires:  python3-libsss_nss_idmap
 BuildRequires:  python3-nose
 BuildRequires:  python3-paste
 BuildRequires:  python3-systemd
+BuildRequires:  python3-jinja2
 %endif # with_python3
 %endif # with_lint
 
@@ -484,6 +485,7 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
 Requires: python-dns >= 1.15
+Requires: python2-jinja2
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -506,6 +508,7 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-dns >= 1.15
+Requires: python3-jinja2
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -603,7 +606,6 @@ Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
-Requires: python2-jinja2
 
 Conflicts: %{alt_name}-python < %{version}
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to