URL: https://github.com/freeipa/freeipa/pull/337 Author: LiptonB Title: #337: Client-side CSR autogeneration (take 2) Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/337/head:pr337 git checkout pr337
From 43189fa00bbab51bac8d52a467397ab04cc88005 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Tue, 5 Jul 2016 14:19:35 -0400 Subject: [PATCH 1/5] csrgen: Add code to generate scripts that generate CSRs Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 --- configure.ac | 1 + freeipa.spec.in | 11 + install/share/Makefile.am | 1 + install/share/csr/templates/ipa_macros.tmpl | 42 +++ install/share/csrgen/Makefile.am | 27 ++ install/share/csrgen/templates/certutil_base.tmpl | 14 + install/share/csrgen/templates/openssl_base.tmpl | 35 +++ install/share/csrgen/templates/openssl_macros.tmpl | 29 ++ ipaclient/csrgen.py | 320 +++++++++++++++++++++ ipaclient/plugins/csrgen.py | 114 ++++++++ ipaclient/setup.py | 1 + ipalib/errors.py | 28 ++ ipaplatform/base/paths.py | 1 + 13 files changed, 624 insertions(+) create mode 100644 install/share/csr/templates/ipa_macros.tmpl create mode 100644 install/share/csrgen/Makefile.am create mode 100644 install/share/csrgen/templates/certutil_base.tmpl create mode 100644 install/share/csrgen/templates/openssl_base.tmpl create mode 100644 install/share/csrgen/templates/openssl_macros.tmpl create mode 100644 ipaclient/csrgen.py create mode 100644 ipaclient/plugins/csrgen.py diff --git a/configure.ac b/configure.ac index 6cd3a89..ff5f7b6 100644 --- a/configure.ac +++ b/configure.ac @@ -533,6 +533,7 @@ AC_CONFIG_FILES([ install/share/Makefile install/share/advise/Makefile install/share/advise/legacy/Makefile + install/share/csrgen/Makefile install/share/profiles/Makefile install/share/schema.d/Makefile install/ui/Makefile diff --git a/freeipa.spec.in b/freeipa.spec.in index a7e05f3..ba2e294 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -153,6 +153,7 @@ BuildRequires: python-sssdconfig BuildRequires: python-nose BuildRequires: python-paste BuildRequires: systemd-python +BuildRequires: python2-jinja2 %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work @@ -190,6 +191,7 @@ BuildRequires: python3-libsss_nss_idmap BuildRequires: python3-nose BuildRequires: python3-paste BuildRequires: python3-systemd +BuildRequires: python3-jinja2 %endif # with_python3 %endif # with_lint @@ -489,6 +491,7 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} Requires: python-dns >= 1.15 +Requires: python2-jinja2 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -511,6 +514,7 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-dns >= 1.15 +Requires: python3-jinja2 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -1217,6 +1221,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csrgen +%dir %{_usr}/share/ipa/csrgen/templates +%{_usr}/share/ipa/csrgen/templates/*.tmpl +%dir %{_usr}/share/ipa/csrgen/profiles +%{_usr}/share/ipa/csrgen/profiles/*.json +%dir %{_usr}/share/ipa/csrgen/rules +%{_usr}/share/ipa/csrgen/rules/*.json %dir %{_usr}/share/ipa/html %{_usr}/share/ipa/html/ffconfig.js %{_usr}/share/ipa/html/ffconfig_page.js diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 10de84d..715912d 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise \ + csrgen \ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 0000000..e790d4e --- /dev/null +++ b/install/share/csr/templates/ipa_macros.tmpl @@ -0,0 +1,42 @@ +{% set rendersyntax = {} %} + +{% set renderdata = {} %} + +{# Wrapper for syntax rules. We render the contents of the rule into a +variable, so that if we find that none of the contained data rules rendered we +can suppress the whole syntax rule. That is, a syntax rule is rendered either +if no data rules are specified (unusual) or if at least one of the data rules +rendered successfully. #} +{% macro syntaxrule() -%} +{% do rendersyntax.update(none=true, any=false) -%} +{% set contents -%} +{{ caller() -}} +{% endset -%} +{% if rendersyntax['none'] or rendersyntax['any'] -%} +{{ contents -}} +{% endif -%} +{% endmacro %} + +{# Wrapper for data rules. A data rule is rendered only when all of the data +fields it contains have data available. #} +{% macro datarule() -%} +{% do rendersyntax.update(none=false) -%} +{% do renderdata.update(all=true) -%} +{% set contents -%} +{{ caller() -}} +{% endset -%} +{% if renderdata['all'] -%} +{% do rendersyntax.update(any=true) -%} +{{ contents -}} +{% endif -%} +{% endmacro %} + +{# Wrapper for fields in data rules. If any value wrapped by this macro +produces an empty string, the entire data rule will be suppressed. #} +{% macro datafield(value) -%} +{% if value -%} +{{ value -}} +{% else -%} +{% do renderdata.update(all=false) -%} +{% endif -%} +{% endmacro %} diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am new file mode 100644 index 0000000..7b718cc --- /dev/null +++ b/install/share/csrgen/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csrgen/profiles +profile_DATA = \ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csrgen/rules +rule_DATA = \ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csrgen/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST = \ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/csrgen/templates/certutil_base.tmpl b/install/share/csrgen/templates/certutil_base.tmpl new file mode 100644 index 0000000..6c6425f --- /dev/null +++ b/install/share/csrgen/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 <outfile> [<any> <certutil> <args>]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csrgen/templates/openssl_base.tmpl b/install/share/csrgen/templates/openssl_base.tmpl new file mode 100644 index 0000000..597577b --- /dev/null +++ b/install/share/csrgen/templates/openssl_base.tmpl @@ -0,0 +1,35 @@ +{% raw -%} +{% import "openssl_macros.tmpl" as openssl -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -ne 2 ]]; then +echo "Usage: $0 <outfile> <keyfile>" +echo "Called as: $0 $@" +exit 1 +fi + +CONFIG="$(mktemp)" +CSR="$1" +shift + +echo \ +{% raw %}{% filter quote %}{% endraw -%} +[ req ] +prompt = no +encrypt_key = no + +{{ parameters|join('\n') }} +{% raw %}{% set rendered_extensions -%}{% endraw %} +{{ extensions|join('\n') }} +{% raw -%} +{%- endset -%} +{% if rendered_extensions -%} +req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %} +{% endif %} +{{ openssl.openssl_sections|join('\n\n') }} +{% endfilter %}{%- endraw %} > "$CONFIG" + +openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +rm "$CONFIG" diff --git a/install/share/csrgen/templates/openssl_macros.tmpl b/install/share/csrgen/templates/openssl_macros.tmpl new file mode 100644 index 0000000..d31b8fe --- /dev/null +++ b/install/share/csrgen/templates/openssl_macros.tmpl @@ -0,0 +1,29 @@ +{# List containing rendered sections to be included at end #} +{% set openssl_sections = [] %} + +{# +List containing one entry for each section name allocated. Because of +scoping rules, we need to use a list so that it can be a "per-render global" +that gets updated in place. Real globals are shared by all templates with the +same environment, and variables defined in the macro don't persist after the +macro invocation ends. +#} +{% set openssl_section_num = [] %} + +{% macro section() -%} +{% set name -%} +sec{{ openssl_section_num|length -}} +{% endset -%} +{% do openssl_section_num.append('') -%} +{% set contents %}{{ caller() }}{% endset -%} +{% if contents -%} +{% set sectiondata = formatsection(name, contents) -%} +{% do openssl_sections.append(sectiondata) -%} +{% endif -%} +{{ name -}} +{% endmacro %} + +{% macro formatsection(name, contents) -%} +[ {{ name }} ] +{{ contents -}} +{% endmacro %} diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py new file mode 100644 index 0000000..8d7cfce --- /dev/null +++ b/ipaclient/csrgen.py @@ -0,0 +1,320 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import collections +import json +import os.path +import pipes +import traceback + +import jinja2 +import jinja2.ext +import jinja2.sandbox +import six + +from ipalib import api +from ipalib import errors +from ipalib.text import _ +from ipaplatform.paths import paths +from ipapython.ipa_log_manager import log_mgr + +if six.PY3: + unicode = str + +__doc__ = _(""" +Routines for constructing certificate signing requests using IPA data and +stored mapping rules. +""") + +logger = log_mgr.get_logger(__name__) + + +class IndexableUndefined(jinja2.Undefined): + def __getitem__(self, key): + return jinja2.Undefined( + hint=self._undefined_hint, obj=self._undefined_obj, + name=self._undefined_name, exc=self._undefined_exception) + + +class IPAExtension(jinja2.ext.Extension): + """Jinja2 extension providing useful features for cert mapping rules.""" + + def __init__(self, environment): + super(IPAExtension, self).__init__(environment) + + environment.filters.update( + quote=self.quote, + required=self.required, + ) + + def quote(self, data): + return pipes.quote(data) + + def required(self, data, name): + if not data: + raise errors.CSRTemplateError( + reason=_('Required mapping rule %(name)s is missing data') % + {'name': name}) + return data + + +class Formatter(object): + """ + Class for processing a set of mapping rules into a template. + + The template can be rendered with user and database data to produce a + script, which generates a CSR when run. + + Subclasses of Formatter should set the value of base_template_name to the + filename of a base template with spaces for the processed rules. + Additionally, they should override the _get_template_params method to + produce the correct output for the base template. + """ + base_template_name = None + + def __init__(self, csr_data_dir=paths.CSR_DATA_DIR): + self.jinja2 = jinja2.sandbox.SandboxedEnvironment( + loader=jinja2.FileSystemLoader( + os.path.join(csr_data_dir, 'templates')), + extensions=[jinja2.ext.ExprStmtExtension, IPAExtension], + keep_trailing_newline=True, undefined=IndexableUndefined) + + self.passthrough_globals = {} + self._define_passthrough('ipa.syntaxrule') + self._define_passthrough('ipa.datarule') + + def _define_passthrough(self, call): + + def passthrough(caller): + return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller()) + + parts = call.split('.') + current_level = self.passthrough_globals + for part in parts[:-1]: + if part not in current_level: + current_level[part] = {} + current_level = current_level[part] + current_level[parts[-1]] = passthrough + + def build_template(self, rules): + """ + Construct a template that can produce CSR generator strings. + + :param rules: list of MappingRuleset to use to populate the template. + + :returns: jinja2.Template that can be rendered to produce the CSR data. + """ + syntax_rules = [] + for description, syntax_rule, data_rules in rules: + data_rules_prepared = [ + self._prepare_data_rule(rule) for rule in data_rules] + syntax_rules.append(self._prepare_syntax_rule( + syntax_rule, data_rules_prepared, description)) + + template_params = self._get_template_params(syntax_rules) + base_template = self.jinja2.get_template( + self.base_template_name, globals=self.passthrough_globals) + + try: + combined_template_source = base_template.render(**template_params) + except jinja2.UndefinedError: + logger.debug(traceback.format_exc()) + raise errors.CSRTemplateError(reason=_( + 'Template error when formatting certificate data')) + + logger.debug( + 'Formatting with template: %s' % combined_template_source) + combined_template = self.jinja2.from_string(combined_template_source) + + return combined_template + + def _wrap_rule(self, rule, rule_type): + template = '{%% call ipa.%srule() %%}%s{%% endcall %%}' % ( + rule_type, rule) + + return template + + def _wrap_required(self, rule, description): + template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % ( + description, rule) + + return template + + def _prepare_data_rule(self, data_rule): + return self._wrap_rule(data_rule.template, 'data') + + def _prepare_syntax_rule(self, syntax_rule, data_rules, description): + logger.debug('Syntax rule template: %s' % syntax_rule.template) + template = self.jinja2.from_string( + syntax_rule.template, globals=self.passthrough_globals) + is_required = syntax_rule.options.get('required', False) + try: + rendered = template.render(datarules=data_rules) + except jinja2.UndefinedError: + logger.debug(traceback.format_exc()) + raise errors.CSRTemplateError(reason=_( + 'Template error when formatting certificate data')) + + prepared_template = self._wrap_rule(rendered, 'syntax') + if is_required: + prepared_template = self._wrap_required( + prepared_template, description) + + return prepared_template + + def _get_template_params(self, syntax_rules): + """ + Package the syntax rules into fields expected by the base template. + + :param syntax_rules: list of prepared syntax rules to be included in + the template. + + :returns: dict of values needed to render the base template. + """ + raise NotImplementedError('Formatter class must be subclassed') + + +class OpenSSLFormatter(Formatter): + """Formatter class supporting the openssl command-line tool.""" + + base_template_name = 'openssl_base.tmpl' + + # Syntax rules are wrapped in this data structure, to keep track of whether + # each goes in the extension or the root section + SyntaxRule = collections.namedtuple( + 'SyntaxRule', ['template', 'is_extension']) + + def __init__(self): + super(OpenSSLFormatter, self).__init__() + self._define_passthrough('openssl.section') + + def _get_template_params(self, syntax_rules): + parameters = [rule.template for rule in syntax_rules + if not rule.is_extension] + extensions = [rule.template for rule in syntax_rules + if rule.is_extension] + + return {'parameters': parameters, 'extensions': extensions} + + def _prepare_syntax_rule(self, syntax_rule, data_rules, description): + """Overrides method to pull out whether rule is an extension or not.""" + prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( + syntax_rule, data_rules, description) + is_extension = syntax_rule.options.get('extension', False) + return self.SyntaxRule(prepared_template, is_extension) + + +class CertutilFormatter(Formatter): + base_template_name = 'certutil_base.tmpl' + + def _get_template_params(self, syntax_rules): + return {'options': syntax_rules} + + +# FieldMapping - representation of the rules needed to construct a complete +# certificate field. +# - description: str, a name or description of this field, to be used in +# messages +# - syntax_rule: Rule, the rule defining the syntax of this field +# - data_rules: list of Rule, the rules that produce data to be stored in this +# field +FieldMapping = collections.namedtuple( + 'FieldMapping', ['description', 'syntax_rule', 'data_rules']) +Rule = collections.namedtuple( + 'Rule', ['name', 'template', 'options']) + + +class RuleProvider(object): + def rules_for_profile(self, profile_id, helper): + """ + Return the rules needed to build a CSR for the given certificate + profile. + + :param profile_id: str, name of the certificate profile to use + :param helper: str, name of tool (e.g. openssl, certutil) that will be + used to create CSR + + :returns: list of FieldMapping, filled out with the appropriate rules + """ + raise NotImplementedError('RuleProvider class must be subclassed') + + +class FileRuleProvider(RuleProvider): + def __init__(self, csr_data_dir=paths.CSR_DATA_DIR): + self.rules = {} + self.csr_data_dir = csr_data_dir + + def _rule(self, rule_name, helper): + if (rule_name, helper) not in self.rules: + rule_path = os.path.join(self.csr_data_dir, 'rules', + '%s.json' % rule_name) + try: + with open(rule_path) as rule_file: + ruleset = json.load(rule_file) + except IOError: + raise errors.NotFound( + reason=_('Ruleset %(ruleset)s does not exist.') % + {'ruleset': rule_name}) + + matching_rules = [r for r in ruleset['rules'] + if r['helper'] == helper] + if len(matching_rules) == 0: + raise errors.EmptyResult( + reason=_('No transformation in "%(ruleset)s" rule supports' + ' helper "%(helper)s"') % + {'ruleset': rule_name, 'helper': helper}) + elif len(matching_rules) > 1: + raise errors.RedundantMappingRule( + ruleset=rule_name, helper=helper) + rule = matching_rules[0] + + options = {} + if 'options' in ruleset: + options.update(ruleset['options']) + if 'options' in rule: + options.update(rule['options']) + self.rules[(rule_name, helper)] = Rule( + rule_name, rule['template'], options) + return self.rules[(rule_name, helper)] + + def rules_for_profile(self, profile_id, helper): + profile_path = os.path.join(self.csr_data_dir, 'profiles', + '%s.json' % profile_id) + with open(profile_path) as profile_file: + profile = json.load(profile_file) + + field_mappings = [] + for field in profile: + syntax_rule = self._rule(field['syntax'], helper) + data_rules = [self._rule(name, helper) for name in field['data']] + field_mappings.append(FieldMapping( + syntax_rule.name, syntax_rule, data_rules)) + return field_mappings + + +class CSRGenerator(object): + FORMATTERS = { + 'openssl': OpenSSLFormatter, + 'certutil': CertutilFormatter, + } + + def __init__(self, rule_provider): + self.rule_provider = rule_provider + + def csr_script(self, principal, profile_id, helper): + config = api.Command.config_show()['result'] + render_data = {'subject': principal, 'config': config} + + formatter = self.FORMATTERS[helper]() + rules = self.rule_provider.rules_for_profile(profile_id, helper) + template = formatter.build_template(rules) + + try: + script = template.render(render_data) + except jinja2.UndefinedError: + logger.debug(traceback.format_exc()) + raise errors.CSRTemplateError(reason=_( + 'Template error when formatting certificate data')) + + return script diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py new file mode 100644 index 0000000..964db08 --- /dev/null +++ b/ipaclient/plugins/csrgen.py @@ -0,0 +1,114 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import six + +from ipaclient.csrgen import CSRGenerator, FileRuleProvider +from ipalib import api +from ipalib import errors +from ipalib import output +from ipalib import util +from ipalib.frontend import Local, Str +from ipalib.parameters import Principal +from ipalib.plugable import Registry +from ipalib.text import _ + +if six.PY3: + unicode = str + +register = Registry() + +__doc__ = _(""" +Commands to build certificate requests automatically +""") + + +@register() +class cert_get_requestdata(Local): + __doc__ = _('Gather data for a certificate signing request.') + + takes_options = ( + Principal( + 'principal', + label=_('Principal'), + doc=_('Principal for this certificate (e.g.' + ' HTTP/test.example.com)'), + ), + Str( + 'profile_id', + label=_('Profile ID'), + doc=_('Certificate Profile to use'), + ), + Str( + 'helper', + label=_('Name of CSR generation tool'), + doc=_('Name of tool (e.g. openssl, certutil) that will be used to' + ' create CSR'), + ), + Str( + 'out?', + doc=_('Write CSR generation script to file'), + ), + ) + + has_output = ( + output.Output( + 'result', + type=dict, + doc=_('Dictionary mapping variable name to value'), + ), + ) + + has_output_params = ( + Str( + 'script', + label=_('Generation script'), + ) + ) + + def execute(self, *args, **options): + if 'out' in options: + util.check_writable_file(options['out']) + + principal = options.get('principal') + profile_id = options.get('profile_id') + helper = options.get('helper') + + if self.api.env.in_server: + backend = self.api.Backend.ldap2 + else: + backend = self.api.Backend.rpcclient + if not backend.isconnected(): + backend.connect() + + try: + if principal.is_host: + principal_obj = api.Command.host_show( + principal.hostname, all=True) + elif principal.is_service: + principal_obj = api.Command.service_show( + unicode(principal), all=True) + elif principal.is_user: + principal_obj = api.Command.user_show( + principal.username, all=True) + except errors.NotFound: + raise errors.NotFound( + reason=_("The principal for this request doesn't exist.")) + principal_obj = principal_obj['result'] + + generator = CSRGenerator(FileRuleProvider()) + + script = generator.csr_script( + principal_obj, profile_id, helper) + + result = {} + if 'out' in options: + with open(options['out'], 'wb') as f: + f.write(script) + else: + result = dict(script=script) + + return dict( + result=result + ) diff --git a/ipaclient/setup.py b/ipaclient/setup.py index c413fc5..e7c8072 100644 --- a/ipaclient/setup.py +++ b/ipaclient/setup.py @@ -47,6 +47,7 @@ "cryptography", "ipalib", "ipapython", + "jinja2", "python-nss", "python-yubico", "pyusb", diff --git a/ipalib/errors.py b/ipalib/errors.py index 88707ac..6aaca70 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1422,6 +1422,34 @@ class HTTPRequestError(RemoteRetrieveError): format = _('Request failed with status %(status)s: %(reason)s') +class RedundantMappingRule(SingleMatchExpected): + """ + **4036** Raised when more than one rule in a CSR generation ruleset matches + a particular helper. + + For example: + + >>> raise RedundantMappingRule(ruleset='syntaxSubject', helper='certutil') + Traceback (most recent call last): + ... + RedundantMappingRule: Mapping ruleset "syntaxSubject" has more than one + rule for the certutil helper. + """ + + errno = 4036 + format = _('Mapping ruleset "%(ruleset)s" has more than one rule for the' + ' %(helper)s helper') + + +class CSRTemplateError(ExecutionError): + """ + **4037** Raised when evaluation of a CSR generation template fails + """ + + errno = 4037 + format = _('%(reason)s') + + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 0ba64ef..4234789 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -233,6 +233,7 @@ class BasePathNamespace(object): SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" + CSR_DATA_DIR = "/usr/share/ipa/csrgen" DICT_WORDS = "/usr/share/dict/words" CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions" VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/" From b419eb23bbdd3765c5e2ce2f2bec44a94dc9f56d Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Mon, 22 Aug 2016 10:43:49 -0400 Subject: [PATCH 2/5] csrgen: Add CSR template for caIPAserviceCert https://fedorahosted.org/freeipa/ticket/4899 --- install/share/csrgen/Makefile.am | 5 +++++ install/share/csrgen/profiles/caIPAserviceCert.json | 14 ++++++++++++++ install/share/csrgen/rules/dataDNS.json | 12 ++++++++++++ install/share/csrgen/rules/dataHostCN.json | 12 ++++++++++++ install/share/csrgen/rules/syntaxSAN.json | 15 +++++++++++++++ install/share/csrgen/rules/syntaxSubject.json | 15 +++++++++++++++ 6 files changed, 73 insertions(+) create mode 100644 install/share/csrgen/profiles/caIPAserviceCert.json create mode 100644 install/share/csrgen/rules/dataDNS.json create mode 100644 install/share/csrgen/rules/dataHostCN.json create mode 100644 install/share/csrgen/rules/syntaxSAN.json create mode 100644 install/share/csrgen/rules/syntaxSubject.json diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am index 7b718cc..c9437f5 100644 --- a/install/share/csrgen/Makefile.am +++ b/install/share/csrgen/Makefile.am @@ -2,10 +2,15 @@ NULL = profiledir = $(IPA_DATA_DIR)/csrgen/profiles profile_DATA = \ + profiles/caIPAserviceCert.json \ $(NULL) ruledir = $(IPA_DATA_DIR)/csrgen/rules rule_DATA = \ + rules/dataDNS.json \ + rules/dataHostCN.json \ + rules/syntaxSAN.json \ + rules/syntaxSubject.json \ $(NULL) templatedir = $(IPA_DATA_DIR)/csrgen/templates diff --git a/install/share/csrgen/profiles/caIPAserviceCert.json b/install/share/csrgen/profiles/caIPAserviceCert.json new file mode 100644 index 0000000..0d1be5e --- /dev/null +++ b/install/share/csrgen/profiles/caIPAserviceCert.json @@ -0,0 +1,14 @@ +[ + { + "syntax": "syntaxSubject", + "data": [ + "dataHostCN" + ] + }, + { + "syntax": "syntaxSAN", + "data": [ + "dataDNS" + ] + } +] diff --git a/install/share/csrgen/rules/dataDNS.json b/install/share/csrgen/rules/dataDNS.json new file mode 100644 index 0000000..f0aadca --- /dev/null +++ b/install/share/csrgen/rules/dataDNS.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + }, + { + "helper": "certutil", + "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}" + } + ] +} diff --git a/install/share/csrgen/rules/dataHostCN.json b/install/share/csrgen/rules/dataHostCN.json new file mode 100644 index 0000000..172c7ec --- /dev/null +++ b/install/share/csrgen/rules/dataHostCN.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + }, + { + "helper": "certutil", + "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + } + ] +} diff --git a/install/share/csrgen/rules/syntaxSAN.json b/install/share/csrgen/rules/syntaxSAN.json new file mode 100644 index 0000000..122eb12 --- /dev/null +++ b/install/share/csrgen/rules/syntaxSAN.json @@ -0,0 +1,15 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}", + "options": { + "extension": true + } + }, + { + "helper": "certutil", + "template": "--extSAN {{ datarules|join(',') }}" + } + ] +} diff --git a/install/share/csrgen/rules/syntaxSubject.json b/install/share/csrgen/rules/syntaxSubject.json new file mode 100644 index 0000000..7dfa932 --- /dev/null +++ b/install/share/csrgen/rules/syntaxSubject.json @@ -0,0 +1,15 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}" + }, + { + "helper": "certutil", + "template": "-s {{ datarules|first }}" + } + ], + "options": { + "required": true + } +} From 60200ac99f9f41bc226fd7b02008aebbd3e334e3 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Mon, 22 Aug 2016 10:45:04 -0400 Subject: [PATCH 3/5] csrgen: Add a CSR template for user certificates https://fedorahosted.org/freeipa/ticket/4899 --- install/share/csrgen/Makefile.am | 3 +++ install/share/csrgen/profiles/userCert.json | 14 ++++++++++++++ install/share/csrgen/rules/dataEmail.json | 12 ++++++++++++ install/share/csrgen/rules/dataUsernameCN.json | 12 ++++++++++++ 4 files changed, 41 insertions(+) create mode 100644 install/share/csrgen/profiles/userCert.json create mode 100644 install/share/csrgen/rules/dataEmail.json create mode 100644 install/share/csrgen/rules/dataUsernameCN.json diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am index c9437f5..2cd6ce2 100644 --- a/install/share/csrgen/Makefile.am +++ b/install/share/csrgen/Makefile.am @@ -3,12 +3,15 @@ NULL = profiledir = $(IPA_DATA_DIR)/csrgen/profiles profile_DATA = \ profiles/caIPAserviceCert.json \ + profiles/userCert.json \ $(NULL) ruledir = $(IPA_DATA_DIR)/csrgen/rules rule_DATA = \ rules/dataDNS.json \ + rules/dataEmail.json \ rules/dataHostCN.json \ + rules/dataUsernameCN.json \ rules/syntaxSAN.json \ rules/syntaxSubject.json \ $(NULL) diff --git a/install/share/csrgen/profiles/userCert.json b/install/share/csrgen/profiles/userCert.json new file mode 100644 index 0000000..d5f822e --- /dev/null +++ b/install/share/csrgen/profiles/userCert.json @@ -0,0 +1,14 @@ +[ + { + "syntax": "syntaxSubject", + "data": [ + "dataUsernameCN" + ] + }, + { + "syntax": "syntaxSAN", + "data": [ + "dataEmail" + ] + } +] diff --git a/install/share/csrgen/rules/dataEmail.json b/install/share/csrgen/rules/dataEmail.json new file mode 100644 index 0000000..cfc1f60 --- /dev/null +++ b/install/share/csrgen/rules/dataEmail.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "email = {{ipa.datafield(subject.mail.0)}}" + }, + { + "helper": "certutil", + "template": "email:{{ipa.datafield(subject.mail.0)|quote}}" + } + ] +} diff --git a/install/share/csrgen/rules/dataUsernameCN.json b/install/share/csrgen/rules/dataUsernameCN.json new file mode 100644 index 0000000..c3e2409 --- /dev/null +++ b/install/share/csrgen/rules/dataUsernameCN.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}" + }, + { + "helper": "certutil", + "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + } + ] +} From b9cf54445c8aca7f3e01bdb4d9abb45a8c9efcd7 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Tue, 6 Sep 2016 14:58:24 -0400 Subject: [PATCH 4/5] csrgen: Use data_sources option to define which fields are rendered This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. https://fedorahosted.org/freeipa/ticket/4899 --- install/share/csr/templates/ipa_macros.tmpl | 42 ---------------------- install/share/csrgen/Makefile.am | 2 +- .../share/csrgen/profiles/caIPAserviceCert.json | 3 +- install/share/csrgen/profiles/userCert.json | 3 +- install/share/csrgen/rules/dataDNS.json | 9 +++-- install/share/csrgen/rules/dataEmail.json | 9 +++-- install/share/csrgen/rules/dataHostCN.json | 9 +++-- install/share/csrgen/rules/dataSubjectBase.json | 15 ++++++++ install/share/csrgen/rules/dataUsernameCN.json | 9 +++-- install/share/csrgen/rules/syntaxSubject.json | 7 ++-- install/share/csrgen/templates/certutil_base.tmpl | 3 -- install/share/csrgen/templates/openssl_base.tmpl | 1 - ipaclient/csrgen.py | 40 ++++++++++++++------- 13 files changed, 75 insertions(+), 77 deletions(-) delete mode 100644 install/share/csr/templates/ipa_macros.tmpl create mode 100644 install/share/csrgen/rules/dataSubjectBase.json diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl deleted file mode 100644 index e790d4e..0000000 --- a/install/share/csr/templates/ipa_macros.tmpl +++ /dev/null @@ -1,42 +0,0 @@ -{% set rendersyntax = {} %} - -{% set renderdata = {} %} - -{# Wrapper for syntax rules. We render the contents of the rule into a -variable, so that if we find that none of the contained data rules rendered we -can suppress the whole syntax rule. That is, a syntax rule is rendered either -if no data rules are specified (unusual) or if at least one of the data rules -rendered successfully. #} -{% macro syntaxrule() -%} -{% do rendersyntax.update(none=true, any=false) -%} -{% set contents -%} -{{ caller() -}} -{% endset -%} -{% if rendersyntax['none'] or rendersyntax['any'] -%} -{{ contents -}} -{% endif -%} -{% endmacro %} - -{# Wrapper for data rules. A data rule is rendered only when all of the data -fields it contains have data available. #} -{% macro datarule() -%} -{% do rendersyntax.update(none=false) -%} -{% do renderdata.update(all=true) -%} -{% set contents -%} -{{ caller() -}} -{% endset -%} -{% if renderdata['all'] -%} -{% do rendersyntax.update(any=true) -%} -{{ contents -}} -{% endif -%} -{% endmacro %} - -{# Wrapper for fields in data rules. If any value wrapped by this macro -produces an empty string, the entire data rule will be suppressed. #} -{% macro datafield(value) -%} -{% if value -%} -{{ value -}} -{% else -%} -{% do renderdata.update(all=false) -%} -{% endif -%} -{% endmacro %} diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am index 2cd6ce2..12c62c4 100644 --- a/install/share/csrgen/Makefile.am +++ b/install/share/csrgen/Makefile.am @@ -12,6 +12,7 @@ rule_DATA = \ rules/dataEmail.json \ rules/dataHostCN.json \ rules/dataUsernameCN.json \ + rules/dataSubjectBase.json \ rules/syntaxSAN.json \ rules/syntaxSubject.json \ $(NULL) @@ -21,7 +22,6 @@ template_DATA = \ templates/certutil_base.tmpl \ templates/openssl_base.tmpl \ templates/openssl_macros.tmpl \ - templates/ipa_macros.tmpl \ $(NULL) EXTRA_DIST = \ diff --git a/install/share/csrgen/profiles/caIPAserviceCert.json b/install/share/csrgen/profiles/caIPAserviceCert.json index 0d1be5e..114d2ff 100644 --- a/install/share/csrgen/profiles/caIPAserviceCert.json +++ b/install/share/csrgen/profiles/caIPAserviceCert.json @@ -2,7 +2,8 @@ { "syntax": "syntaxSubject", "data": [ - "dataHostCN" + "dataHostCN", + "dataSubjectBase" ] }, { diff --git a/install/share/csrgen/profiles/userCert.json b/install/share/csrgen/profiles/userCert.json index d5f822e..d6cf5cf 100644 --- a/install/share/csrgen/profiles/userCert.json +++ b/install/share/csrgen/profiles/userCert.json @@ -2,7 +2,8 @@ { "syntax": "syntaxSubject", "data": [ - "dataUsernameCN" + "dataUsernameCN", + "dataSubjectBase" ] }, { diff --git a/install/share/csrgen/rules/dataDNS.json b/install/share/csrgen/rules/dataDNS.json index f0aadca..2663f11 100644 --- a/install/share/csrgen/rules/dataDNS.json +++ b/install/share/csrgen/rules/dataDNS.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" }, { "helper": "certutil", - "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}" + "template": "dns:{{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}" } - ] + ], + "options": { + "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" + } } diff --git a/install/share/csrgen/rules/dataEmail.json b/install/share/csrgen/rules/dataEmail.json index cfc1f60..2eae9fb 100644 --- a/install/share/csrgen/rules/dataEmail.json +++ b/install/share/csrgen/rules/dataEmail.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "email = {{ipa.datafield(subject.mail.0)}}" + "template": "email = {{subject.mail.0}}" }, { "helper": "certutil", - "template": "email:{{ipa.datafield(subject.mail.0)|quote}}" + "template": "email:{{subject.mail.0|quote}}" } - ] + ], + "options": { + "data_source": "subject.mail.0" + } } diff --git a/install/share/csrgen/rules/dataHostCN.json b/install/share/csrgen/rules/dataHostCN.json index 172c7ec..5c415bb 100644 --- a/install/share/csrgen/rules/dataHostCN.json +++ b/install/share/csrgen/rules/dataHostCN.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" }, { "helper": "certutil", - "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}" } - ] + ], + "options": { + "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" + } } diff --git a/install/share/csrgen/rules/dataSubjectBase.json b/install/share/csrgen/rules/dataSubjectBase.json new file mode 100644 index 0000000..309dfb1 --- /dev/null +++ b/install/share/csrgen/rules/dataSubjectBase.json @@ -0,0 +1,15 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "{{config.ipacertificatesubjectbase.0}}" + }, + { + "helper": "certutil", + "template": "{{config.ipacertificatesubjectbase.0|quote}}" + } + ], + "options": { + "data_source": "config.ipacertificatesubjectbase.0" + } +} diff --git a/install/share/csrgen/rules/dataUsernameCN.json b/install/share/csrgen/rules/dataUsernameCN.json index c3e2409..37e7e01 100644 --- a/install/share/csrgen/rules/dataUsernameCN.json +++ b/install/share/csrgen/rules/dataUsernameCN.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}" + "template": "CN={{subject.uid.0}}" }, { "helper": "certutil", - "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + "template": "CN={{subject.uid.0|quote}}" } - ] + ], + "options": { + "data_source": "subject.uid.0" + } } diff --git a/install/share/csrgen/rules/syntaxSubject.json b/install/share/csrgen/rules/syntaxSubject.json index 7dfa932..af6ec03 100644 --- a/install/share/csrgen/rules/syntaxSubject.json +++ b/install/share/csrgen/rules/syntaxSubject.json @@ -2,14 +2,15 @@ "rules": [ { "helper": "openssl", - "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}" + "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}" }, { "helper": "certutil", - "template": "-s {{ datarules|first }}" + "template": "-s {{ datarules|join(',') }}" } ], "options": { - "required": true + "required": true, + "data_source_combinator": "and" } } diff --git a/install/share/csrgen/templates/certutil_base.tmpl b/install/share/csrgen/templates/certutil_base.tmpl index 6c6425f..a5556fd 100644 --- a/install/share/csrgen/templates/certutil_base.tmpl +++ b/install/share/csrgen/templates/certutil_base.tmpl @@ -1,6 +1,3 @@ -{% raw -%} -{% import "ipa_macros.tmpl" as ipa -%} -{%- endraw %} #!/bin/bash -e if [[ $# -lt 1 ]]; then diff --git a/install/share/csrgen/templates/openssl_base.tmpl b/install/share/csrgen/templates/openssl_base.tmpl index 597577b..2d6c070 100644 --- a/install/share/csrgen/templates/openssl_base.tmpl +++ b/install/share/csrgen/templates/openssl_base.tmpl @@ -1,6 +1,5 @@ {% raw -%} {% import "openssl_macros.tmpl" as openssl -%} -{% import "ipa_macros.tmpl" as ipa -%} {%- endraw %} #!/bin/bash -e diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py index 8d7cfce..6461d62 100644 --- a/ipaclient/csrgen.py +++ b/ipaclient/csrgen.py @@ -81,8 +81,6 @@ def __init__(self, csr_data_dir=paths.CSR_DATA_DIR): keep_trailing_newline=True, undefined=IndexableUndefined) self.passthrough_globals = {} - self._define_passthrough('ipa.syntaxrule') - self._define_passthrough('ipa.datarule') def _define_passthrough(self, call): @@ -109,8 +107,15 @@ def build_template(self, rules): for description, syntax_rule, data_rules in rules: data_rules_prepared = [ self._prepare_data_rule(rule) for rule in data_rules] + + data_sources = [] + for rule in data_rules: + data_source = rule.options.get('data_source') + if data_source: + data_sources.append(data_source) + syntax_rules.append(self._prepare_syntax_rule( - syntax_rule, data_rules_prepared, description)) + syntax_rule, data_rules_prepared, description, data_sources)) template_params = self._get_template_params(syntax_rules) base_template = self.jinja2.get_template( @@ -129,11 +134,9 @@ def build_template(self, rules): return combined_template - def _wrap_rule(self, rule, rule_type): - template = '{%% call ipa.%srule() %%}%s{%% endcall %%}' % ( - rule_type, rule) - - return template + def _wrap_conditional(self, rule, condition): + rule = '{%% if %s %%}%s{%% endif %%}' % (condition, rule) + return rule def _wrap_required(self, rule, description): template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % ( @@ -142,9 +145,16 @@ def _wrap_required(self, rule, description): return template def _prepare_data_rule(self, data_rule): - return self._wrap_rule(data_rule.template, 'data') + template = data_rule.template + + data_source = data_rule.options.get('data_source') + if data_source: + template = self._wrap_conditional(template, data_source) + + return template - def _prepare_syntax_rule(self, syntax_rule, data_rules, description): + def _prepare_syntax_rule( + self, syntax_rule, data_rules, description, data_sources): logger.debug('Syntax rule template: %s' % syntax_rule.template) template = self.jinja2.from_string( syntax_rule.template, globals=self.passthrough_globals) @@ -156,7 +166,10 @@ def _prepare_syntax_rule(self, syntax_rule, data_rules, description): raise errors.CSRTemplateError(reason=_( 'Template error when formatting certificate data')) - prepared_template = self._wrap_rule(rendered, 'syntax') + combinator = ' %s ' % syntax_rule.options.get( + 'data_source_combinator', 'or') + condition = combinator.join(data_sources) + prepared_template = self._wrap_conditional(rendered, condition) if is_required: prepared_template = self._wrap_required( prepared_template, description) @@ -197,10 +210,11 @@ def _get_template_params(self, syntax_rules): return {'parameters': parameters, 'extensions': extensions} - def _prepare_syntax_rule(self, syntax_rule, data_rules, description): + def _prepare_syntax_rule( + self, syntax_rule, data_rules, description, data_sources): """Overrides method to pull out whether rule is an extension or not.""" prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( - syntax_rule, data_rules, description) + syntax_rule, data_rules, description, data_sources) is_extension = syntax_rule.options.get('extension', False) return self.SyntaxRule(prepared_template, is_extension) From 3dd0ba6ddc1fa8808d6e75c27296238735826850 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Thu, 8 Sep 2016 18:29:46 -0400 Subject: [PATCH 5/5] tests: Add tests for CSR autogeneration This patch also contains some code changes to make the code easier to test and to make the tests pass. https://fedorahosted.org/freeipa/ticket/4899 --- ipaclient/csrgen.py | 83 ++++-- ipaclient/plugins/csrgen.py | 3 +- ipatests/setup.py | 2 + ipatests/test_ipaclient/__init__.py | 7 + .../data/test_csrgen/profiles/profile.json | 8 + .../data/test_csrgen/rules/basic.json | 12 + .../data/test_csrgen/rules/options.json | 18 ++ .../scripts/caIPAserviceCert_certutil.sh | 11 + .../scripts/caIPAserviceCert_openssl.sh | 33 +++ .../data/test_csrgen/scripts/userCert_certutil.sh | 11 + .../data/test_csrgen/scripts/userCert_openssl.sh | 33 +++ .../data/test_csrgen/templates/identity_base.tmpl | 1 + ipatests/test_ipaclient/test_csrgen.py | 298 +++++++++++++++++++++ 13 files changed, 492 insertions(+), 28 deletions(-) create mode 100644 ipatests/test_ipaclient/__init__.py create mode 100644 ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json create mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/basic.json create mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/options.json create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh create mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh create mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl create mode 100644 ipatests/test_ipaclient/test_csrgen.py diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py index 6461d62..8b87751 100644 --- a/ipaclient/csrgen.py +++ b/ipaclient/csrgen.py @@ -13,7 +13,6 @@ import jinja2.sandbox import six -from ipalib import api from ipalib import errors from ipalib.text import _ from ipaplatform.paths import paths @@ -83,6 +82,11 @@ def __init__(self, csr_data_dir=paths.CSR_DATA_DIR): self.passthrough_globals = {} def _define_passthrough(self, call): + """Some macros are meant to be interpreted during the final render, not + when data rules are interpolated into syntax rules. This method allows + those macros to be registered so that calls to them are passed through + to the prepared rule rather than interpreted. + """ def passthrough(caller): return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller()) @@ -104,18 +108,20 @@ def build_template(self, rules): :returns: jinja2.Template that can be rendered to produce the CSR data. """ syntax_rules = [] - for description, syntax_rule, data_rules in rules: + for field_mapping in rules: data_rules_prepared = [ - self._prepare_data_rule(rule) for rule in data_rules] + self._prepare_data_rule(rule) + for rule in field_mapping.data_rules] data_sources = [] - for rule in data_rules: + for rule in field_mapping.data_rules: data_source = rule.options.get('data_source') if data_source: data_sources.append(data_source) syntax_rules.append(self._prepare_syntax_rule( - syntax_rule, data_rules_prepared, description, data_sources)) + field_mapping.syntax_rule, data_rules_prepared, + field_mapping.description, data_sources)) template_params = self._get_template_params(syntax_rules) base_template = self.jinja2.get_template( @@ -160,16 +166,19 @@ def _prepare_syntax_rule( syntax_rule.template, globals=self.passthrough_globals) is_required = syntax_rule.options.get('required', False) try: - rendered = template.render(datarules=data_rules) + prepared_template = template.render(datarules=data_rules) except jinja2.UndefinedError: logger.debug(traceback.format_exc()) raise errors.CSRTemplateError(reason=_( 'Template error when formatting certificate data')) - combinator = ' %s ' % syntax_rule.options.get( - 'data_source_combinator', 'or') - condition = combinator.join(data_sources) - prepared_template = self._wrap_conditional(rendered, condition) + if data_sources: + combinator = ' %s ' % syntax_rule.options.get( + 'data_source_combinator', 'or') + condition = combinator.join(data_sources) + prepared_template = self._wrap_conditional( + prepared_template, condition) + if is_required: prepared_template = self._wrap_required( prepared_template, description) @@ -198,8 +207,8 @@ class OpenSSLFormatter(Formatter): SyntaxRule = collections.namedtuple( 'SyntaxRule', ['template', 'is_extension']) - def __init__(self): - super(OpenSSLFormatter, self).__init__() + def __init__(self, *args, **kwargs): + super(OpenSSLFormatter, self).__init__(*args, **kwargs) self._define_passthrough('openssl.section') def _get_template_params(self, syntax_rules): @@ -226,17 +235,31 @@ def _get_template_params(self, syntax_rules): return {'options': syntax_rules} -# FieldMapping - representation of the rules needed to construct a complete -# certificate field. -# - description: str, a name or description of this field, to be used in -# messages -# - syntax_rule: Rule, the rule defining the syntax of this field -# - data_rules: list of Rule, the rules that produce data to be stored in this -# field -FieldMapping = collections.namedtuple( - 'FieldMapping', ['description', 'syntax_rule', 'data_rules']) -Rule = collections.namedtuple( - 'Rule', ['name', 'template', 'options']) +class FieldMapping(object): + """Representation of the rules needed to construct a complete cert field. + + Attributes: + description: str, a name or description of this field, to be used in + messages + syntax_rule: Rule, the rule defining the syntax of this field + data_rules: list of Rule, the rules that produce data to be stored in + this field + """ + __slots__ = ['description', 'syntax_rule', 'data_rules'] + + def __init__(self, description, syntax_rule, data_rules): + self.description = description + self.syntax_rule = syntax_rule + self.data_rules = data_rules + + +class Rule(object): + __slots__ = ['name', 'template', 'options'] + + def __init__(self, name, template, options): + self.name = name + self.template = template + self.options = options class RuleProvider(object): @@ -288,15 +311,22 @@ def _rule(self, rule_name, helper): options.update(ruleset['options']) if 'options' in rule: options.update(rule['options']) + self.rules[(rule_name, helper)] = Rule( rule_name, rule['template'], options) + return self.rules[(rule_name, helper)] def rules_for_profile(self, profile_id, helper): profile_path = os.path.join(self.csr_data_dir, 'profiles', '%s.json' % profile_id) - with open(profile_path) as profile_file: - profile = json.load(profile_file) + try: + with open(profile_path) as profile_file: + profile = json.load(profile_file) + except IOError: + raise errors.NotFound( + reason=_('No certificate mappings are defined for profile' + ' %(profile_id)s') % {'profile_id': profile_id}) field_mappings = [] for field in profile: @@ -316,8 +346,7 @@ class CSRGenerator(object): def __init__(self, rule_provider): self.rule_provider = rule_provider - def csr_script(self, principal, profile_id, helper): - config = api.Command.config_show()['result'] + def csr_script(self, principal, config, profile_id, helper): render_data = {'subject': principal, 'config': config} formatter = self.FORMATTERS[helper]() diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py index 964db08..28a1330 100644 --- a/ipaclient/plugins/csrgen.py +++ b/ipaclient/plugins/csrgen.py @@ -96,11 +96,12 @@ def execute(self, *args, **options): raise errors.NotFound( reason=_("The principal for this request doesn't exist.")) principal_obj = principal_obj['result'] + config = api.Command.config_show()['result'] generator = CSRGenerator(FileRuleProvider()) script = generator.csr_script( - principal_obj, profile_id, helper) + principal_obj, config, profile_id, helper) result = {} if 'out' in options: diff --git a/ipatests/setup.py b/ipatests/setup.py index 1fb5e92..e46e922 100644 --- a/ipatests/setup.py +++ b/ipatests/setup.py @@ -38,6 +38,7 @@ "ipatests.test_cmdline", "ipatests.test_install", "ipatests.test_integration", + "ipatests.test_ipaclient", "ipatests.test_ipalib", "ipatests.test_ipapython", "ipatests.test_ipaserver", @@ -51,6 +52,7 @@ package_data={ 'ipatests.test_install': ['*.update'], 'ipatests.test_integration': ['scripts/*'], + 'ipatests.test_ipaclient': ['data/*/*/*'], 'ipatests.test_ipalib': ['data/*'], 'ipatests.test_pkcs10': ['*.csr'], "ipatests.test_ipaserver": ['data/*'], diff --git a/ipatests/test_ipaclient/__init__.py b/ipatests/test_ipaclient/__init__.py new file mode 100644 index 0000000..0c42891 --- /dev/null +++ b/ipatests/test_ipaclient/__init__.py @@ -0,0 +1,7 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +""" +Sub-package containing unit tests for `ipaclient` package. +""" diff --git a/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json b/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json new file mode 100644 index 0000000..676f91b --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json @@ -0,0 +1,8 @@ +[ + { + "syntax": "basic", + "data": [ + "options" + ] + } +] diff --git a/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json b/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json new file mode 100644 index 0000000..feba3e9 --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/rules/basic.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "openssl_rule" + }, + { + "helper": "certutil", + "template": "certutil_rule" + } + ] +} diff --git a/ipatests/test_ipaclient/data/test_csrgen/rules/options.json b/ipatests/test_ipaclient/data/test_csrgen/rules/options.json new file mode 100644 index 0000000..111a6d8 --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/rules/options.json @@ -0,0 +1,18 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "openssl_rule", + "options": { + "helper_option": true + } + }, + { + "helper": "certutil", + "template": "certutil_rule" + } + ], + "options": { + "global_option": true + } +} diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh new file mode 100644 index 0000000..74a704c --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh @@ -0,0 +1,11 @@ +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 <outfile> [<any> <certutil> <args>]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" -s CN=machine.example.com,O=DOMAIN.EXAMPLE.COM --extSAN dns:machine.example.com "$@" diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh new file mode 100644 index 0000000..c621a69 --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh @@ -0,0 +1,33 @@ +#!/bin/bash -e + +if [[ $# -ne 2 ]]; then +echo "Usage: $0 <outfile> <keyfile>" +echo "Called as: $0 $@" +exit 1 +fi + +CONFIG="$(mktemp)" +CSR="$1" +shift + +echo \ +'[ req ] +prompt = no +encrypt_key = no + +distinguished_name = sec0 +req_extensions = sec2 + +[ sec0 ] +O=DOMAIN.EXAMPLE.COM +CN=machine.example.com + +[ sec1 ] +DNS = machine.example.com + +[ sec2 ] +subjectAltName = @sec1 +' > "$CONFIG" + +openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +rm "$CONFIG" diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh new file mode 100644 index 0000000..4aaeda0 --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh @@ -0,0 +1,11 @@ +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 <outfile> [<any> <certutil> <args>]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" -s CN=testuser,O=DOMAIN.EXAMPLE.COM --extSAN email:testu...@example.com "$@" diff --git a/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh new file mode 100644 index 0000000..cdbe8a1 --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh @@ -0,0 +1,33 @@ +#!/bin/bash -e + +if [[ $# -ne 2 ]]; then +echo "Usage: $0 <outfile> <keyfile>" +echo "Called as: $0 $@" +exit 1 +fi + +CONFIG="$(mktemp)" +CSR="$1" +shift + +echo \ +'[ req ] +prompt = no +encrypt_key = no + +distinguished_name = sec0 +req_extensions = sec2 + +[ sec0 ] +O=DOMAIN.EXAMPLE.COM +CN=testuser + +[ sec1 ] +email = testu...@example.com + +[ sec2 ] +subjectAltName = @sec1 +' > "$CONFIG" + +openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +rm "$CONFIG" diff --git a/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl b/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl new file mode 100644 index 0000000..79111ab --- /dev/null +++ b/ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl @@ -0,0 +1 @@ +{{ options|join(";") }} diff --git a/ipatests/test_ipaclient/test_csrgen.py b/ipatests/test_ipaclient/test_csrgen.py new file mode 100644 index 0000000..556f8e0 --- /dev/null +++ b/ipatests/test_ipaclient/test_csrgen.py @@ -0,0 +1,298 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import pytest + +from ipaclient import csrgen +from ipalib import errors + +BASE_DIR = os.path.dirname(__file__) +CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_csrgen') + + +@pytest.fixture +def formatter(): + return csrgen.Formatter(csr_data_dir=CSR_DATA_DIR) + + +@pytest.fixture +def rule_provider(): + return csrgen.FileRuleProvider(csr_data_dir=CSR_DATA_DIR) + + +@pytest.fixture +def generator(): + return csrgen.CSRGenerator(csrgen.FileRuleProvider()) + + +class StubRuleProvider(csrgen.RuleProvider): + def __init__(self): + self.syntax_rule = csrgen.Rule( + 'syntax', '{{datarules|join(",")}}', {}) + self.data_rule = csrgen.Rule('data', 'data_template', {}) + self.field_mapping = csrgen.FieldMapping( + 'example', self.syntax_rule, [self.data_rule]) + self.rules = [self.field_mapping] + + def rules_for_profile(self, profile_id, helper): + return self.rules + + +class IdentityFormatter(csrgen.Formatter): + base_template_name = 'identity_base.tmpl' + + def __init__(self): + super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR) + + def _get_template_params(self, syntax_rules): + return {'options': syntax_rules} + + +class IdentityCSRGenerator(csrgen.CSRGenerator): + FORMATTERS = {'identity': IdentityFormatter} + + +class test_Formatter(object): + def test_prepare_data_rule_with_data_source(self, formatter): + data_rule = csrgen.Rule('uid', '{{subject.uid.0}}', + {'data_source': 'subject.uid.0'}) + prepared = formatter._prepare_data_rule(data_rule) + assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}' + + def test_prepare_data_rule_no_data_source(self, formatter): + """Not a normal case, but we should handle it anyway""" + data_rule = csrgen.Rule('uid', 'static_text', {}) + prepared = formatter._prepare_data_rule(data_rule) + assert prepared == 'static_text' + + def test_prepare_syntax_rule_with_data_sources(self, formatter): + syntax_rule = csrgen.Rule( + 'example', '{{datarules|join(",")}}', {}) + data_rules = ['{{subject.field1}}', '{{subject.field2}}'] + data_sources = ['subject.field1', 'subject.field2'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% if subject.field1 or subject.field2 %}{{subject.field1}},' + '{{subject.field2}}{% endif %}') + + def test_prepare_syntax_rule_with_combinator(self, formatter): + syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}', + {'data_source_combinator': 'and'}) + data_rules = ['{{subject.field1}}', '{{subject.field2}}'] + data_sources = ['subject.field1', 'subject.field2'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% if subject.field1 and subject.field2 %}{{subject.field1}},' + '{{subject.field2}}{% endif %}') + + def test_prepare_syntax_rule_required(self, formatter): + syntax_rule = csrgen.Rule('example', '{{datarules|join(",")}}', + {'required': True}) + data_rules = ['{{subject.field1}}'] + data_sources = ['subject.field1'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% filter required("example") %}{% if subject.field1 %}' + '{{subject.field1}}{% endif %}{% endfilter %}') + + def test_prepare_syntax_rule_passthrough(self, formatter): + """ + Calls to macros defined as passthrough are still call tags in the final + template. + """ + formatter._define_passthrough('example.macro') + + syntax_rule = csrgen.Rule( + 'example', + '{% call example.macro() %}{{datarules|join(",")}}{% endcall %}', + {}) + data_rules = ['{{subject.field1}}'] + data_sources = ['subject.field1'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% if subject.field1 %}{% call example.macro() %}' + '{{subject.field1}}{% endcall %}{% endif %}') + + def test_prepare_syntax_rule_no_data_sources(self, formatter): + """Not a normal case, but we should handle it anyway""" + syntax_rule = csrgen.Rule( + 'example', '{{datarules|join(",")}}', {}) + data_rules = ['rule1', 'rule2'] + data_sources = [] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == 'rule1,rule2' + + +class test_FileRuleProvider(object): + def test_rule_basic(self, rule_provider): + rule_name = 'basic' + + rule1 = rule_provider._rule(rule_name, 'openssl') + rule2 = rule_provider._rule(rule_name, 'certutil') + + assert rule1.template == 'openssl_rule' + assert rule2.template == 'certutil_rule' + + def test_rule_global_options(self, rule_provider): + rule_name = 'options' + + rule1 = rule_provider._rule(rule_name, 'openssl') + rule2 = rule_provider._rule(rule_name, 'certutil') + + assert rule1.options['global_option'] is True + assert rule2.options['global_option'] is True + + def test_rule_helper_options(self, rule_provider): + rule_name = 'options' + + rule1 = rule_provider._rule(rule_name, 'openssl') + rule2 = rule_provider._rule(rule_name, 'certutil') + + assert rule1.options['helper_option'] is True + assert 'helper_option' not in rule2.options + + def test_rule_nosuchrule(self, rule_provider): + with pytest.raises(errors.NotFound): + rule_provider._rule('nosuchrule', 'openssl') + + def test_rule_nosuchhelper(self, rule_provider): + with pytest.raises(errors.EmptyResult): + rule_provider._rule('basic', 'nosuchhelper') + + def test_rules_for_profile_success(self, rule_provider): + rules = rule_provider.rules_for_profile('profile', 'certutil') + + assert len(rules) == 1 + field_mapping = rules[0] + assert field_mapping.syntax_rule.name == 'basic' + assert len(field_mapping.data_rules) == 1 + assert field_mapping.data_rules[0].name == 'options' + + def test_rules_for_profile_nosuchprofile(self, rule_provider): + with pytest.raises(errors.NotFound): + rule_provider.rules_for_profile('nosuchprofile', 'certutil') + + +class test_CSRGenerator(object): + def test_userCert_OpenSSL(self, generator): + principal = { + 'uid': ['testuser'], + 'mail': ['testu...@example.com'], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script(principal, config, 'userCert', 'openssl') + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'userCert_openssl.sh')) as f: + expected_script = f.read() + assert script == expected_script + + def test_userCert_Certutil(self, generator): + principal = { + 'uid': ['testuser'], + 'mail': ['testu...@example.com'], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script( + principal, config, 'userCert', 'certutil') + + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'userCert_certutil.sh')) as f: + expected_script = f.read() + assert script == expected_script + + def test_caIPAserviceCert_OpenSSL(self, generator): + principal = { + 'krbprincipalname': [ + 'HTTP/machine.example....@domain.example.com' + ], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script( + principal, config, 'caIPAserviceCert', 'openssl') + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'caIPAserviceCert_openssl.sh')) as f: + expected_script = f.read() + assert script == expected_script + + def test_caIPAserviceCert_Certutil(self, generator): + principal = { + 'krbprincipalname': [ + 'HTTP/machine.example....@domain.example.com' + ], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script( + principal, config, 'caIPAserviceCert', 'certutil') + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'caIPAserviceCert_certutil.sh')) as f: + expected_script = f.read() + assert script == expected_script + + +class test_rule_handling(object): + def test_optionalAttributeMissing(self, generator): + principal = {'uid': 'testuser'} + rule_provider = StubRuleProvider() + rule_provider.data_rule.template = '{{subject.mail}}' + rule_provider.data_rule.options = {'data_source': 'subject.mail'} + generator = IdentityCSRGenerator(rule_provider) + + script = generator.csr_script( + principal, {}, 'example', 'identity') + assert script == '\n' + + def test_twoDataRulesOneMissing(self, generator): + principal = {'uid': 'testuser'} + rule_provider = StubRuleProvider() + rule_provider.data_rule.template = '{{subject.mail}}' + rule_provider.data_rule.options = {'data_source': 'subject.mail'} + rule_provider.field_mapping.data_rules.append(csrgen.Rule( + 'data2', '{{subject.uid}}', {'data_source': 'subject.uid'})) + generator = IdentityCSRGenerator(rule_provider) + + script = generator.csr_script(principal, {}, 'example', 'identity') + assert script == ',testuser\n' + + def test_requiredAttributeMissing(self): + principal = {'uid': 'testuser'} + rule_provider = StubRuleProvider() + rule_provider.data_rule.template = '{{subject.mail}}' + rule_provider.data_rule.options = {'data_source': 'subject.mail'} + rule_provider.syntax_rule.options = {'required': True} + generator = IdentityCSRGenerator(rule_provider) + + with pytest.raises(errors.CSRTemplateError): + _script = generator.csr_script( + principal, {}, 'example', 'identity')
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
