LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronized
See the full pull-request at https://github.com/freeipa/freeipa/pull/10 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/10/head:pr10 git checkout pr10
From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Tue, 5 Jul 2016 14:19:35 -0400 Subject: [PATCH 01/11] Add code to generate scripts that generate CSRs Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 --- freeipa.spec.in | 8 + install/configure.ac | 1 + install/share/Makefile.am | 1 + install/share/csr/Makefile.am | 27 +++ install/share/csr/templates/certutil_base.tmpl | 14 ++ install/share/csr/templates/ipa_macros.tmpl | 42 ++++ install/share/csr/templates/openssl_base.tmpl | 35 +++ install/share/csr/templates/openssl_macros.tmpl | 29 +++ ipaclient/plugins/certmapping.py | 105 +++++++++ ipalib/certmapping.py | 285 ++++++++++++++++++++++++ ipalib/errors.py | 9 + ipapython/templating.py | 31 +++ 12 files changed, 587 insertions(+) create mode 100644 install/share/csr/Makefile.am create mode 100644 install/share/csr/templates/certutil_base.tmpl create mode 100644 install/share/csr/templates/ipa_macros.tmpl create mode 100644 install/share/csr/templates/openssl_base.tmpl create mode 100644 install/share/csr/templates/openssl_macros.tmpl create mode 100644 ipaclient/plugins/certmapping.py create mode 100644 ipalib/certmapping.py create mode 100644 ipapython/templating.py diff --git a/freeipa.spec.in b/freeipa.spec.in index e3ad5b6..ab8e8e6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -507,6 +507,7 @@ Requires: python-custodia Requires: python-dns >= 1.11.1 Requires: python-netifaces >= 0.10.4 Requires: pyusb +Requires: python-jinja2 Conflicts: %{alt_name}-python < %{version} @@ -1178,6 +1179,13 @@ fi %{_usr}/share/ipa/advise/legacy/*.template %dir %{_usr}/share/ipa/profiles %{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/csr +%dir %{_usr}/share/ipa/csr/templates +%{_usr}/share/ipa/csr/templates/*.tmpl +%dir %{_usr}/share/ipa/csr/profiles +%{_usr}/share/ipa/csr/profiles/*.json +%dir %{_usr}/share/ipa/csr/rules +%{_usr}/share/ipa/csr/rules/*.json %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf diff --git a/install/configure.ac b/install/configure.ac index 81f17b9..365f0e9 100644 --- a/install/configure.ac +++ b/install/configure.ac @@ -87,6 +87,7 @@ AC_CONFIG_FILES([ share/Makefile share/advise/Makefile share/advise/legacy/Makefile + share/csr/Makefile share/profiles/Makefile share/schema.d/Makefile ui/Makefile diff --git a/install/share/Makefile.am b/install/share/Makefile.am index d8845ee..0a15635 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -2,6 +2,7 @@ NULL = SUBDIRS = \ advise \ + csr \ profiles \ schema.d \ $(NULL) diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am new file mode 100644 index 0000000..5a8ef5c --- /dev/null +++ b/install/share/csr/Makefile.am @@ -0,0 +1,27 @@ +NULL = + +profiledir = $(IPA_DATA_DIR)/csr/profiles +profile_DATA = \ + $(NULL) + +ruledir = $(IPA_DATA_DIR)/csr/rules +rule_DATA = \ + $(NULL) + +templatedir = $(IPA_DATA_DIR)/csr/templates +template_DATA = \ + templates/certutil_base.tmpl \ + templates/openssl_base.tmpl \ + templates/openssl_macros.tmpl \ + templates/ipa_macros.tmpl \ + $(NULL) + +EXTRA_DIST = \ + $(profile_DATA) \ + $(rule_DATA) \ + $(template_DATA) \ + $(NULL) + +MAINTAINERCLEANFILES = \ + *~ \ + Makefile.in diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl new file mode 100644 index 0000000..6c6425f --- /dev/null +++ b/install/share/csr/templates/certutil_base.tmpl @@ -0,0 +1,14 @@ +{% raw -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 <outfile> [<any> <certutil> <args>]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@" diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl new file mode 100644 index 0000000..e790d4e --- /dev/null +++ b/install/share/csr/templates/ipa_macros.tmpl @@ -0,0 +1,42 @@ +{% set rendersyntax = {} %} + +{% set renderdata = {} %} + +{# Wrapper for syntax rules. We render the contents of the rule into a +variable, so that if we find that none of the contained data rules rendered we +can suppress the whole syntax rule. That is, a syntax rule is rendered either +if no data rules are specified (unusual) or if at least one of the data rules +rendered successfully. #} +{% macro syntaxrule() -%} +{% do rendersyntax.update(none=true, any=false) -%} +{% set contents -%} +{{ caller() -}} +{% endset -%} +{% if rendersyntax['none'] or rendersyntax['any'] -%} +{{ contents -}} +{% endif -%} +{% endmacro %} + +{# Wrapper for data rules. A data rule is rendered only when all of the data +fields it contains have data available. #} +{% macro datarule() -%} +{% do rendersyntax.update(none=false) -%} +{% do renderdata.update(all=true) -%} +{% set contents -%} +{{ caller() -}} +{% endset -%} +{% if renderdata['all'] -%} +{% do rendersyntax.update(any=true) -%} +{{ contents -}} +{% endif -%} +{% endmacro %} + +{# Wrapper for fields in data rules. If any value wrapped by this macro +produces an empty string, the entire data rule will be suppressed. #} +{% macro datafield(value) -%} +{% if value -%} +{{ value -}} +{% else -%} +{% do renderdata.update(all=false) -%} +{% endif -%} +{% endmacro %} diff --git a/install/share/csr/templates/openssl_base.tmpl b/install/share/csr/templates/openssl_base.tmpl new file mode 100644 index 0000000..597577b --- /dev/null +++ b/install/share/csr/templates/openssl_base.tmpl @@ -0,0 +1,35 @@ +{% raw -%} +{% import "openssl_macros.tmpl" as openssl -%} +{% import "ipa_macros.tmpl" as ipa -%} +{%- endraw %} +#!/bin/bash -e + +if [[ $# -ne 2 ]]; then +echo "Usage: $0 <outfile> <keyfile>" +echo "Called as: $0 $@" +exit 1 +fi + +CONFIG="$(mktemp)" +CSR="$1" +shift + +echo \ +{% raw %}{% filter quote %}{% endraw -%} +[ req ] +prompt = no +encrypt_key = no + +{{ parameters|join('\n') }} +{% raw %}{% set rendered_extensions -%}{% endraw %} +{{ extensions|join('\n') }} +{% raw -%} +{%- endset -%} +{% if rendered_extensions -%} +req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %} +{% endif %} +{{ openssl.openssl_sections|join('\n\n') }} +{% endfilter %}{%- endraw %} > "$CONFIG" + +openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +rm "$CONFIG" diff --git a/install/share/csr/templates/openssl_macros.tmpl b/install/share/csr/templates/openssl_macros.tmpl new file mode 100644 index 0000000..d31b8fe --- /dev/null +++ b/install/share/csr/templates/openssl_macros.tmpl @@ -0,0 +1,29 @@ +{# List containing rendered sections to be included at end #} +{% set openssl_sections = [] %} + +{# +List containing one entry for each section name allocated. Because of +scoping rules, we need to use a list so that it can be a "per-render global" +that gets updated in place. Real globals are shared by all templates with the +same environment, and variables defined in the macro don't persist after the +macro invocation ends. +#} +{% set openssl_section_num = [] %} + +{% macro section() -%} +{% set name -%} +sec{{ openssl_section_num|length -}} +{% endset -%} +{% do openssl_section_num.append('') -%} +{% set contents %}{{ caller() }}{% endset -%} +{% if contents -%} +{% set sectiondata = formatsection(name, contents) -%} +{% do openssl_sections.append(sectiondata) -%} +{% endif -%} +{{ name -}} +{% endmacro %} + +{% macro formatsection(name, contents) -%} +[ {{ name }} ] +{{ contents -}} +{% endmacro %} diff --git a/ipaclient/plugins/certmapping.py b/ipaclient/plugins/certmapping.py new file mode 100644 index 0000000..d48dd00 --- /dev/null +++ b/ipaclient/plugins/certmapping.py @@ -0,0 +1,105 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api +from ipalib import errors +from ipalib import output +from ipalib import util +from ipalib.certmapping import CSRGenerator, FileRuleProvider +from ipalib.frontend import Command, Str +from ipalib.parameters import Principal +from ipalib.plugable import Registry +from ipalib.text import _ +from ipaserver.plugins.certprofile import validate_profile_id + +register = Registry() + +import six + +if six.PY3: + unicode = str + +__doc__ = _(""" +Commands to build certificate requests automatically +""") + +@register() +class cert_get_requestdata(Command): + __doc__ = _('Gather data for a certificate signing request.') + + takes_options = ( + Principal('principal', + label=_('Principal'), + doc=_('Principal for this certificate (e.g.' + ' HTTP/test.example.com)'), + ), + Str('profile_id', + validate_profile_id, + label=_('Profile ID'), + doc=_('Certificate Profile to use'), + ), + Str('helper', + label=_('Name of CSR generation tool'), + doc=_('Name of tool (e.g. openssl, certutil) that will be used to' + ' create CSR'), + ), + Str('out?', + doc=_('Write CSR generation script to file'), + ), + ) + + has_output = ( + output.Output( + 'result', + type=dict, + doc=_('Dictionary mapping variable name to value'), + ), + ) + + has_output_params = ( + Str( + 'script', + label=_('Generation script'), + ) + ) + + + def forward(self, *args, **options): + if 'out' in options: + util.check_writable_file(options['out']) + + principal = options.get('principal') + profile_id = options.get('profile_id') + helper = options.get('helper') + + try: + if principal.is_host: + principal_obj = api.Command.host_show( + principal.hostname, all=True) + elif principal.is_service: + principal_obj = api.Command.service_show( + unicode(principal), all=True) + elif principal.is_user: + principal_obj = api.Command.user_show( + principal.username, all=True) + except errors.NotFound: + raise errors.NotFound( + reason=_("The principal for this request doesn't exist.")) + principal_obj = principal_obj['result'] + + generator = CSRGenerator(FileRuleProvider()) + + script = generator.csr_script( + principal_obj, profile_id, helper) + + result = {} + if 'out' in options: + with open(options['out'], 'wb') as f: + f.write(script) + else: + result = dict(script=script) + + return dict( + result=result + ) diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py new file mode 100644 index 0000000..2259685 --- /dev/null +++ b/ipalib/certmapping.py @@ -0,0 +1,285 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import collections +import jinja2 +import jinja2.ext +import jinja2.sandbox +import json +import os.path +import traceback + +from ipalib import api +from ipalib import errors +from ipalib.text import _ +from ipapython.ipa_log_manager import root_logger +from ipapython.templating import IPAExtension + +import six + +if six.PY3: + unicode = str + +__doc__ = _(""" +Routines for constructing certificate signing requests using IPA data and +stored mapping rules. +""") + +CSR_DATA_DIR = '/usr/share/ipa/csr' + + +class IndexableUndefined(jinja2.Undefined): + def __getitem__(self, key): + return jinja2.Undefined( + hint=self._undefined_hint, obj=self._undefined_obj, + name=self._undefined_name, exc=self._undefined_exception) + + +class Formatter(object): + """ + Class for processing a set of mapping rules into a template. + + The template can be rendered with user and database data to produce a + script, which generates a CSR when run. + + Subclasses of Formatter should set the value of base_template_name to the + filename of a base template with spaces for the processed rules. + Additionally, they should override the _get_template_params method to + produce the correct output for the base template. + """ + base_template_name = None + + def __init__(self): + self.jinja2 = jinja2.sandbox.SandboxedEnvironment( + loader=jinja2.FileSystemLoader( + os.path.join(CSR_DATA_DIR, 'templates')), + extensions=[jinja2.ext.ExprStmtExtension, IPAExtension], + keep_trailing_newline=True, undefined=IndexableUndefined) + + self.passthrough_globals = {} + self._define_passthrough('ipa.syntaxrule') + self._define_passthrough('ipa.datarule') + + def _define_passthrough(self, call): + + def passthrough(caller): + return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller()) + + parts = call.split('.') + current_level = self.passthrough_globals + for part in parts[:-1]: + if part not in current_level: + current_level[part] = {} + current_level = current_level[part] + current_level[parts[-1]] = passthrough + + def build_template(self, rules): + """ + Construct a template that can produce CSR generator strings. + + :param rules: list of MappingRuleset to use to populate the template. + + :returns: jinja2.Template that can be rendered to produce the CSR data. + """ + syntax_rules = [] + for description, syntax_rule, data_rules in rules: + data_rules_prepared = [ + self._prepare_data_rule(rule) for rule in data_rules] + syntax_rules.append(self._prepare_syntax_rule( + syntax_rule, data_rules_prepared, description)) + + template_params = self._get_template_params(syntax_rules) + base_template = self.jinja2.get_template( + self.base_template_name, globals=self.passthrough_globals) + + try: + combined_template_source = base_template.render(**template_params) + except jinja2.UndefinedError: + root_logger.debug(traceback.format_exc()) + raise errors.CertificateMappingError(reason=_( + 'Template error when formatting certificate data')) + + root_logger.debug( + 'Formatting with template: %s' % combined_template_source) + combined_template = self.jinja2.from_string(combined_template_source) + + return combined_template + + def _wrap_rule(self, rule, rule_type): + template = '{%% call ipa.%srule() %%}%s{%% endcall %%}' % ( + rule_type, rule) + + return template + + def _wrap_required(self, rule, name): + template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % ( + name, rule) + + return template + + def _prepare_data_rule(self, data_rule): + return self._wrap_rule(data_rule.template, 'data') + + def _prepare_syntax_rule(self, syntax_rule, data_rules, name): + root_logger.debug('Syntax rule template: %s' % syntax_rule.template) + template = self.jinja2.from_string( + syntax_rule.template, globals=self.passthrough_globals) + is_required = syntax_rule.options.get('required', False) + try: + rendered = template.render(datarules=data_rules) + except jinja2.UndefinedError: + root_logger.debug(traceback.format_exc()) + raise errors.CertificateMappingError(reason=_( + 'Template error when formatting certificate data')) + + prepared_template = self._wrap_rule(rendered, 'syntax') + if is_required: + prepared_template = self._wrap_required(prepared_template, name) + + return prepared_template + + def _get_template_params(self, syntax_rules): + """ + Package the syntax rules into fields expected by the base template. + + :param syntax_rules: list of prepared syntax rules to be included in + the template. + + :returns: dict of values needed to render the base template. + """ + raise NotImplementedError('Formatter class must be subclassed') + + +class OpenSSLFormatter(Formatter): + """Formatter class supporting the openssl command-line tool.""" + + base_template_name = 'openssl_base.tmpl' + + # Syntax rules are wrapped in this data structure, to keep track of whether + # each goes in the extension or the root section + SyntaxRule = collections.namedtuple( + 'SyntaxRule', ['template', 'is_extension']) + + def __init__(self): + super(OpenSSLFormatter, self).__init__() + self._define_passthrough('openssl.section') + + def _get_template_params(self, syntax_rules): + parameters = [rule.template for rule in syntax_rules + if not rule.is_extension] + extensions = [rule.template for rule in syntax_rules + if rule.is_extension] + + return {'parameters': parameters, 'extensions': extensions} + + def _prepare_syntax_rule(self, syntax_rule, data_rules, name): + """Overrides method to pull out whether rule is an extension or not.""" + prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( + syntax_rule, data_rules, name) + is_extension = syntax_rule.options.get('extension', False) + return self.SyntaxRule(prepared_template, is_extension) + + +class CertutilFormatter(Formatter): + base_template_name = 'certutil_base.tmpl' + + def _get_template_params(self, syntax_rules): + return {'options': syntax_rules} + + +# FieldMapping - representation of the rules needed to construct a complete +# certificate field. +# - description: str, a name or description of this field, to be used in +# messages +# - syntax_rule: Rule, the rule defining the syntax of this field +# - data_rules: list of Rule, the rules that produce data to be stored in this +# field +FieldMapping = collections.namedtuple( + 'FieldMapping', ['description', 'syntax_rule', 'data_rules']) +Rule = collections.namedtuple( + 'Rule', ['name', 'template', 'options']) + + +class RuleProvider(object): + def rules_for_profile(self, profile_id, helper): + """ + Return the rules needed to build a CSR for the given certificate + profile. + + :param profile_id: str, name of the certificate profile to use + :param helper: str, name of tool (e.g. openssl, certutil) that will be + used to create CSR + + :returns: list of FieldMapping, filled out with the appropriate rules + """ + raise NotImplementedError('RuleProvider class must be subclassed') + + +class FileRuleProvider(RuleProvider): + def __init__(self): + self.rules = {} + + def _rule(self, rule_name, helper): + if (rule_name, helper) not in self.rules: + rule_path = os.path.join(CSR_DATA_DIR, 'rules', + '%s.json' % rule_name) + with open(rule_path) as rule_file: + ruleset = json.load(rule_file) + try: + rule = [r for r in ruleset['rules'] + if r['helper'] == helper][0] + except IndexError: + raise errors.NotFound( + reason=_('No transformation in "%(ruleset)s" rule supports' + ' helper "%(helper)s"') % + {'ruleset': rule_name, 'helper': helper}) + + options = {} + if 'options' in ruleset: + options.update(ruleset['options']) + if 'options' in rule: + options.update(rule['options']) + self.rules[(rule_name, helper)] = Rule(rule_name, rule['template'], options) + return self.rules[(rule_name, helper)] + + def rules_for_profile(self, profile_id, helper): + profile_path = os.path.join(CSR_DATA_DIR, 'profiles', + '%s.json' % profile_id) + with open(profile_path) as profile_file: + profile = json.load(profile_file) + + field_mappings = [] + for field in profile: + syntax_rule = self._rule(field['syntax'], helper) + data_rules = [self._rule(name, helper) for name in field['data']] + field_mappings.append(FieldMapping( + syntax_rule.name, syntax_rule, data_rules)) + return field_mappings + + +class CSRGenerator(object): + FORMATTERS = { + 'openssl': OpenSSLFormatter, + 'certutil': CertutilFormatter, + } + + def __init__(self, rule_provider): + self.rule_provider = rule_provider + + def csr_script(self, principal, profile_id, helper): + config = api.Command.config_show()['result'] + render_data = {'subject': principal, 'config': config} + + formatter = self.FORMATTERS[helper]() + rules = self.rule_provider.rules_for_profile(profile_id, helper) + template = formatter.build_template(rules) + + try: + script = template.render(render_data) + except jinja2.UndefinedError: + root_logger.debug(traceback.format_exc()) + raise errors.CertificateMappingError(reason=_( + 'Template error when formatting certificate data')) + + return script diff --git a/ipalib/errors.py b/ipalib/errors.py index 4cc4455..b1fb503 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1697,6 +1697,15 @@ class CertificateFormatError(CertificateError): format = _('Certificate format error: %(error)s') +class CertificateMappingError(CertificateError): + """ + **4303** Raised when a valid cert request config can not be generated + """ + + errno = 4303 + format = _('%(reason)s') + + class MutuallyExclusiveError(ExecutionError): """ **4303** Raised when an operation would result in setting two attributes which are mutually exlusive. diff --git a/ipapython/templating.py b/ipapython/templating.py new file mode 100644 index 0000000..1302e0a --- /dev/null +++ b/ipapython/templating.py @@ -0,0 +1,31 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import pipes + +from jinja2.ext import Extension + +from ipalib import errors +from ipalib.text import _ + +class IPAExtension(Extension): + """Jinja2 extension providing useful features for cert mapping rules.""" + + def __init__(self, environment): + super(IPAExtension, self).__init__(environment) + + environment.filters.update( + quote=self.quote, + required=self.required, + ) + + def quote(self, data): + return pipes.quote(data) + + def required(self, data, name): + if not data: + raise errors.CertificateMappingError( + reason=_('Required mapping rule %(name)s is missing data') % + {'name': name}) + return data From 9ec23fed790f18f5645cda2f91576983b90f3c78 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Mon, 22 Aug 2016 10:43:49 -0400 Subject: [PATCH 02/11] Add certificate mappings for caIPAserviceCert https://fedorahosted.org/freeipa/ticket/4899 --- install/share/csr/Makefile.am | 5 +++++ install/share/csr/profiles/caIPAserviceCert.json | 14 ++++++++++++++ install/share/csr/rules/dataDNS.json | 12 ++++++++++++ install/share/csr/rules/dataHostCN.json | 12 ++++++++++++ install/share/csr/rules/syntaxSAN.json | 15 +++++++++++++++ install/share/csr/rules/syntaxSubject.json | 15 +++++++++++++++ 6 files changed, 73 insertions(+) create mode 100644 install/share/csr/profiles/caIPAserviceCert.json create mode 100644 install/share/csr/rules/dataDNS.json create mode 100644 install/share/csr/rules/dataHostCN.json create mode 100644 install/share/csr/rules/syntaxSAN.json create mode 100644 install/share/csr/rules/syntaxSubject.json diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am index 5a8ef5c..2ae99ed 100644 --- a/install/share/csr/Makefile.am +++ b/install/share/csr/Makefile.am @@ -2,10 +2,15 @@ NULL = profiledir = $(IPA_DATA_DIR)/csr/profiles profile_DATA = \ + profiles/caIPAserviceCert.json \ $(NULL) ruledir = $(IPA_DATA_DIR)/csr/rules rule_DATA = \ + rules/dataDNS.json \ + rules/dataHostCN.json \ + rules/syntaxSAN.json \ + rules/syntaxSubject.json \ $(NULL) templatedir = $(IPA_DATA_DIR)/csr/templates diff --git a/install/share/csr/profiles/caIPAserviceCert.json b/install/share/csr/profiles/caIPAserviceCert.json new file mode 100644 index 0000000..0d1be5e --- /dev/null +++ b/install/share/csr/profiles/caIPAserviceCert.json @@ -0,0 +1,14 @@ +[ + { + "syntax": "syntaxSubject", + "data": [ + "dataHostCN" + ] + }, + { + "syntax": "syntaxSAN", + "data": [ + "dataDNS" + ] + } +] diff --git a/install/share/csr/rules/dataDNS.json b/install/share/csr/rules/dataDNS.json new file mode 100644 index 0000000..f0aadca --- /dev/null +++ b/install/share/csr/rules/dataDNS.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + }, + { + "helper": "certutil", + "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}" + } + ] +} diff --git a/install/share/csr/rules/dataHostCN.json b/install/share/csr/rules/dataHostCN.json new file mode 100644 index 0000000..172c7ec --- /dev/null +++ b/install/share/csr/rules/dataHostCN.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + }, + { + "helper": "certutil", + "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + } + ] +} diff --git a/install/share/csr/rules/syntaxSAN.json b/install/share/csr/rules/syntaxSAN.json new file mode 100644 index 0000000..122eb12 --- /dev/null +++ b/install/share/csr/rules/syntaxSAN.json @@ -0,0 +1,15 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}", + "options": { + "extension": true + } + }, + { + "helper": "certutil", + "template": "--extSAN {{ datarules|join(',') }}" + } + ] +} diff --git a/install/share/csr/rules/syntaxSubject.json b/install/share/csr/rules/syntaxSubject.json new file mode 100644 index 0000000..7dfa932 --- /dev/null +++ b/install/share/csr/rules/syntaxSubject.json @@ -0,0 +1,15 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}" + }, + { + "helper": "certutil", + "template": "-s {{ datarules|first }}" + } + ], + "options": { + "required": true + } +} From 53c7832a19f5a12fe923d14e077cc20e55748a82 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Mon, 22 Aug 2016 10:45:04 -0400 Subject: [PATCH 03/11] Add a new cert profile for users https://fedorahosted.org/freeipa/ticket/4899 --- install/share/csr/Makefile.am | 3 + install/share/csr/profiles/userCert.json | 14 +++++ install/share/csr/rules/dataEmail.json | 12 ++++ install/share/csr/rules/dataUsernameCN.json | 12 ++++ install/share/profiles/Makefile.am | 1 + install/share/profiles/userCert.cfg | 97 +++++++++++++++++++++++++++++ ipapython/dogtag.py | 1 + 7 files changed, 140 insertions(+) create mode 100644 install/share/csr/profiles/userCert.json create mode 100644 install/share/csr/rules/dataEmail.json create mode 100644 install/share/csr/rules/dataUsernameCN.json create mode 100644 install/share/profiles/userCert.cfg diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am index 2ae99ed..76e684c 100644 --- a/install/share/csr/Makefile.am +++ b/install/share/csr/Makefile.am @@ -3,12 +3,15 @@ NULL = profiledir = $(IPA_DATA_DIR)/csr/profiles profile_DATA = \ profiles/caIPAserviceCert.json \ + profiles/userCert.json \ $(NULL) ruledir = $(IPA_DATA_DIR)/csr/rules rule_DATA = \ rules/dataDNS.json \ + rules/dataEmail.json \ rules/dataHostCN.json \ + rules/dataUsernameCN.json \ rules/syntaxSAN.json \ rules/syntaxSubject.json \ $(NULL) diff --git a/install/share/csr/profiles/userCert.json b/install/share/csr/profiles/userCert.json new file mode 100644 index 0000000..d5f822e --- /dev/null +++ b/install/share/csr/profiles/userCert.json @@ -0,0 +1,14 @@ +[ + { + "syntax": "syntaxSubject", + "data": [ + "dataUsernameCN" + ] + }, + { + "syntax": "syntaxSAN", + "data": [ + "dataEmail" + ] + } +] diff --git a/install/share/csr/rules/dataEmail.json b/install/share/csr/rules/dataEmail.json new file mode 100644 index 0000000..cfc1f60 --- /dev/null +++ b/install/share/csr/rules/dataEmail.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "email = {{ipa.datafield(subject.mail.0)}}" + }, + { + "helper": "certutil", + "template": "email:{{ipa.datafield(subject.mail.0)|quote}}" + } + ] +} diff --git a/install/share/csr/rules/dataUsernameCN.json b/install/share/csr/rules/dataUsernameCN.json new file mode 100644 index 0000000..c3e2409 --- /dev/null +++ b/install/share/csr/rules/dataUsernameCN.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}" + }, + { + "helper": "certutil", + "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + } + ] +} diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am index b5ccb6e..2e0166b 100644 --- a/install/share/profiles/Makefile.am +++ b/install/share/profiles/Makefile.am @@ -4,6 +4,7 @@ appdir = $(IPA_DATA_DIR)/profiles app_DATA = \ caIPAserviceCert.cfg \ IECUserRoles.cfg \ + userCert.cfg \ $(NULL) EXTRA_DIST = \ diff --git a/install/share/profiles/userCert.cfg b/install/share/profiles/userCert.cfg new file mode 100644 index 0000000..3c2eeb5 --- /dev/null +++ b/install/share/profiles/userCert.cfg @@ -0,0 +1,97 @@ +profileId=userCert +classId=caEnrollImpl +desc=This certificate profile is for enrolling user certificates with S/MIME key usage permitted +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=Manual User Dual-Use S/MIME capabilities Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=userCertSet +policyset.userCertSet.list=1,2,3,4,5,6,7,8,9,10 +policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.userCertSet.1.constraint.name=Subject Name Constraint +policyset.userCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.userCertSet.1.constraint.params.accept=true +policyset.userCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.userCertSet.1.default.name=Subject Name Default +policyset.userCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.userCertSet.2.constraint.class_id=validityConstraintImpl +policyset.userCertSet.2.constraint.name=Validity Constraint +policyset.userCertSet.2.constraint.params.range=365 +policyset.userCertSet.2.constraint.params.notBeforeCheck=false +policyset.userCertSet.2.constraint.params.notAfterCheck=false +policyset.userCertSet.2.default.class_id=validityDefaultImpl +policyset.userCertSet.2.default.name=Validity Default +policyset.userCertSet.2.default.params.range=180 +policyset.userCertSet.2.default.params.startTime=0 +policyset.userCertSet.3.constraint.class_id=keyConstraintImpl +policyset.userCertSet.3.constraint.name=Key Constraint +policyset.userCertSet.3.constraint.params.keyType=RSA +policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.userCertSet.3.default.class_id=userKeyDefaultImpl +policyset.userCertSet.3.default.name=Key Default +policyset.userCertSet.4.constraint.class_id=noConstraintImpl +policyset.userCertSet.4.constraint.name=No Constraint +policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.userCertSet.4.default.name=Authority Key Identifier Default +policyset.userCertSet.5.constraint.class_id=noConstraintImpl +policyset.userCertSet.5.constraint.name=No Constraint +policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.userCertSet.5.default.name=AIA Extension Default +policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp +policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.userCertSet.5.default.params.authInfoAccessCritical=false +policyset.userCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.userCertSet.6.constraint.params.keyUsageCritical=true +policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false +policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.userCertSet.6.default.name=Key Usage Default +policyset.userCertSet.6.default.params.keyUsageCritical=true +policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false +policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.userCertSet.6.default.params.keyUsageCrlSign=false +policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.userCertSet.7.constraint.class_id=noConstraintImpl +policyset.userCertSet.7.constraint.name=No Constraint +policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.userCertSet.7.default.name=Extended Key Usage Extension Default +policyset.userCertSet.7.default.params.exKeyUsageCritical=false +policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 +policyset.userCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.userCertSet.8.constraint.name=No Constraint +policyset.userCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +policyset.userCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.userCertSet.8.default.name=Signing Alg +policyset.userCertSet.8.default.params.signingAlg=- +policyset.userCertSet.9.constraint.class_id=noConstraintImpl +policyset.userCertSet.9.constraint.name=No Constraint +policyset.userCertSet.9.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.userCertSet.9.default.name=Subject Key Identifier Extension Default +policyset.userCertSet.9.default.params.critical=false +policyset.userCertSet.10.constraint.class_id=noConstraintImpl +policyset.userCertSet.10.constraint.name=No Constraint +policyset.userCertSet.10.default.class_id=userExtensionDefaultImpl +policyset.userCertSet.10.default.name=User Supplied Extension Default +policyset.userCertSet.10.default.params.userExtOID=2.5.29.17 diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 6f13880..3b4e205 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -44,6 +44,7 @@ INCLUDED_PROFILES = { Profile(u'caIPAserviceCert', u'Standard profile for network services', True), + Profile(u'userCert', u'Standard profile for users', True), Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True), } From 207eb51b7245f9b6982ff82a662842e126c53bfd Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Fri, 26 Aug 2016 18:04:23 -0400 Subject: [PATCH 04/11] fixup! Add code to generate scripts that generate CSRs --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index ab8e8e6..e99761b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -109,6 +109,7 @@ BuildRequires: dbus-python BuildRequires: python-netifaces >= 0.10.4 BuildRequires: python-libsss_nss_idmap BuildRequires: python-sss +BuildRequires: python-jinja2 # Build dependencies for unit tests BuildRequires: libcmocka-devel From 154ae4f99356c4038398c80d271aabb6a69eeb4d Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Tue, 6 Sep 2016 14:32:14 -0400 Subject: [PATCH 05/11] fixup! Add code to generate scripts that generate CSRs --- ipalib/certmapping.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index 2259685..d211f24 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -112,16 +112,16 @@ def _wrap_rule(self, rule, rule_type): return template - def _wrap_required(self, rule, name): + def _wrap_required(self, rule, description): template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % ( - name, rule) + description, rule) return template def _prepare_data_rule(self, data_rule): return self._wrap_rule(data_rule.template, 'data') - def _prepare_syntax_rule(self, syntax_rule, data_rules, name): + def _prepare_syntax_rule(self, syntax_rule, data_rules, description): root_logger.debug('Syntax rule template: %s' % syntax_rule.template) template = self.jinja2.from_string( syntax_rule.template, globals=self.passthrough_globals) @@ -135,7 +135,7 @@ def _prepare_syntax_rule(self, syntax_rule, data_rules, name): prepared_template = self._wrap_rule(rendered, 'syntax') if is_required: - prepared_template = self._wrap_required(prepared_template, name) + prepared_template = self._wrap_required(prepared_template, description) return prepared_template @@ -173,10 +173,10 @@ def _get_template_params(self, syntax_rules): return {'parameters': parameters, 'extensions': extensions} - def _prepare_syntax_rule(self, syntax_rule, data_rules, name): + def _prepare_syntax_rule(self, syntax_rule, data_rules, description): """Overrides method to pull out whether rule is an extension or not.""" prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( - syntax_rule, data_rules, name) + syntax_rule, data_rules, description) is_extension = syntax_rule.options.get('extension', False) return self.SyntaxRule(prepared_template, is_extension) From 1bcbc6f43b7f56858286836d8f9e1d2f4b17d46e Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Tue, 6 Sep 2016 14:58:24 -0400 Subject: [PATCH 06/11] Use data_sources option to define which fields are rendered This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. --- install/share/csr/Makefile.am | 2 +- install/share/csr/profiles/caIPAserviceCert.json | 3 +- install/share/csr/profiles/userCert.json | 3 +- install/share/csr/rules/dataDNS.json | 9 +++-- install/share/csr/rules/dataEmail.json | 9 +++-- install/share/csr/rules/dataHostCN.json | 9 +++-- install/share/csr/rules/dataSubjectBase.json | 15 +++++++++ install/share/csr/rules/dataUsernameCN.json | 9 +++-- install/share/csr/rules/syntaxSubject.json | 7 ++-- install/share/csr/templates/certutil_base.tmpl | 3 -- install/share/csr/templates/ipa_macros.tmpl | 42 ------------------------ install/share/csr/templates/openssl_base.tmpl | 1 - ipalib/certmapping.py | 38 +++++++++++++-------- 13 files changed, 73 insertions(+), 77 deletions(-) create mode 100644 install/share/csr/rules/dataSubjectBase.json delete mode 100644 install/share/csr/templates/ipa_macros.tmpl diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am index 76e684c..2a8eb0c 100644 --- a/install/share/csr/Makefile.am +++ b/install/share/csr/Makefile.am @@ -12,6 +12,7 @@ rule_DATA = \ rules/dataEmail.json \ rules/dataHostCN.json \ rules/dataUsernameCN.json \ + rules/dataSubjectBase.json \ rules/syntaxSAN.json \ rules/syntaxSubject.json \ $(NULL) @@ -21,7 +22,6 @@ template_DATA = \ templates/certutil_base.tmpl \ templates/openssl_base.tmpl \ templates/openssl_macros.tmpl \ - templates/ipa_macros.tmpl \ $(NULL) EXTRA_DIST = \ diff --git a/install/share/csr/profiles/caIPAserviceCert.json b/install/share/csr/profiles/caIPAserviceCert.json index 0d1be5e..114d2ff 100644 --- a/install/share/csr/profiles/caIPAserviceCert.json +++ b/install/share/csr/profiles/caIPAserviceCert.json @@ -2,7 +2,8 @@ { "syntax": "syntaxSubject", "data": [ - "dataHostCN" + "dataHostCN", + "dataSubjectBase" ] }, { diff --git a/install/share/csr/profiles/userCert.json b/install/share/csr/profiles/userCert.json index d5f822e..d6cf5cf 100644 --- a/install/share/csr/profiles/userCert.json +++ b/install/share/csr/profiles/userCert.json @@ -2,7 +2,8 @@ { "syntax": "syntaxSubject", "data": [ - "dataUsernameCN" + "dataUsernameCN", + "dataSubjectBase" ] }, { diff --git a/install/share/csr/rules/dataDNS.json b/install/share/csr/rules/dataDNS.json index f0aadca..2663f11 100644 --- a/install/share/csr/rules/dataDNS.json +++ b/install/share/csr/rules/dataDNS.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "DNS = {{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" }, { "helper": "certutil", - "template": "dns:{{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}}" + "template": "dns:{{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}" } - ] + ], + "options": { + "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" + } } diff --git a/install/share/csr/rules/dataEmail.json b/install/share/csr/rules/dataEmail.json index cfc1f60..2eae9fb 100644 --- a/install/share/csr/rules/dataEmail.json +++ b/install/share/csr/rules/dataEmail.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "email = {{ipa.datafield(subject.mail.0)}}" + "template": "email = {{subject.mail.0}}" }, { "helper": "certutil", - "template": "email:{{ipa.datafield(subject.mail.0)|quote}}" + "template": "email:{{subject.mail.0|quote}}" } - ] + ], + "options": { + "data_source": "subject.mail.0" + } } diff --git a/install/share/csr/rules/dataHostCN.json b/install/share/csr/rules/dataHostCN.json index 172c7ec..5c415bb 100644 --- a/install/share/csr/rules/dataHostCN.json +++ b/install/share/csr/rules/dataHostCN.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])}}" + "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}" }, { "helper": "certutil", - "template": "CN={{ipa.datafield(subject.krbprincipalname.0.partition('/')[2].partition('@')[0])|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]|quote}}" } - ] + ], + "options": { + "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]" + } } diff --git a/install/share/csr/rules/dataSubjectBase.json b/install/share/csr/rules/dataSubjectBase.json new file mode 100644 index 0000000..309dfb1 --- /dev/null +++ b/install/share/csr/rules/dataSubjectBase.json @@ -0,0 +1,15 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "{{config.ipacertificatesubjectbase.0}}" + }, + { + "helper": "certutil", + "template": "{{config.ipacertificatesubjectbase.0|quote}}" + } + ], + "options": { + "data_source": "config.ipacertificatesubjectbase.0" + } +} diff --git a/install/share/csr/rules/dataUsernameCN.json b/install/share/csr/rules/dataUsernameCN.json index c3e2409..37e7e01 100644 --- a/install/share/csr/rules/dataUsernameCN.json +++ b/install/share/csr/rules/dataUsernameCN.json @@ -2,11 +2,14 @@ "rules": [ { "helper": "openssl", - "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}" + "template": "CN={{subject.uid.0}}" }, { "helper": "certutil", - "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}" + "template": "CN={{subject.uid.0|quote}}" } - ] + ], + "options": { + "data_source": "subject.uid.0" + } } diff --git a/install/share/csr/rules/syntaxSubject.json b/install/share/csr/rules/syntaxSubject.json index 7dfa932..af6ec03 100644 --- a/install/share/csr/rules/syntaxSubject.json +++ b/install/share/csr/rules/syntaxSubject.json @@ -2,14 +2,15 @@ "rules": [ { "helper": "openssl", - "template": "distinguished_name = {% call openssl.section() %}{{ datarules|first }}{% endcall %}" + "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}" }, { "helper": "certutil", - "template": "-s {{ datarules|first }}" + "template": "-s {{ datarules|join(',') }}" } ], "options": { - "required": true + "required": true, + "data_source_combinator": "and" } } diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl index 6c6425f..a5556fd 100644 --- a/install/share/csr/templates/certutil_base.tmpl +++ b/install/share/csr/templates/certutil_base.tmpl @@ -1,6 +1,3 @@ -{% raw -%} -{% import "ipa_macros.tmpl" as ipa -%} -{%- endraw %} #!/bin/bash -e if [[ $# -lt 1 ]]; then diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl deleted file mode 100644 index e790d4e..0000000 --- a/install/share/csr/templates/ipa_macros.tmpl +++ /dev/null @@ -1,42 +0,0 @@ -{% set rendersyntax = {} %} - -{% set renderdata = {} %} - -{# Wrapper for syntax rules. We render the contents of the rule into a -variable, so that if we find that none of the contained data rules rendered we -can suppress the whole syntax rule. That is, a syntax rule is rendered either -if no data rules are specified (unusual) or if at least one of the data rules -rendered successfully. #} -{% macro syntaxrule() -%} -{% do rendersyntax.update(none=true, any=false) -%} -{% set contents -%} -{{ caller() -}} -{% endset -%} -{% if rendersyntax['none'] or rendersyntax['any'] -%} -{{ contents -}} -{% endif -%} -{% endmacro %} - -{# Wrapper for data rules. A data rule is rendered only when all of the data -fields it contains have data available. #} -{% macro datarule() -%} -{% do rendersyntax.update(none=false) -%} -{% do renderdata.update(all=true) -%} -{% set contents -%} -{{ caller() -}} -{% endset -%} -{% if renderdata['all'] -%} -{% do rendersyntax.update(any=true) -%} -{{ contents -}} -{% endif -%} -{% endmacro %} - -{# Wrapper for fields in data rules. If any value wrapped by this macro -produces an empty string, the entire data rule will be suppressed. #} -{% macro datafield(value) -%} -{% if value -%} -{{ value -}} -{% else -%} -{% do renderdata.update(all=false) -%} -{% endif -%} -{% endmacro %} diff --git a/install/share/csr/templates/openssl_base.tmpl b/install/share/csr/templates/openssl_base.tmpl index 597577b..2d6c070 100644 --- a/install/share/csr/templates/openssl_base.tmpl +++ b/install/share/csr/templates/openssl_base.tmpl @@ -1,6 +1,5 @@ {% raw -%} {% import "openssl_macros.tmpl" as openssl -%} -{% import "ipa_macros.tmpl" as ipa -%} {%- endraw %} #!/bin/bash -e diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index d211f24..b2364b0 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -58,8 +58,6 @@ def __init__(self): keep_trailing_newline=True, undefined=IndexableUndefined) self.passthrough_globals = {} - self._define_passthrough('ipa.syntaxrule') - self._define_passthrough('ipa.datarule') def _define_passthrough(self, call): @@ -86,8 +84,15 @@ def build_template(self, rules): for description, syntax_rule, data_rules in rules: data_rules_prepared = [ self._prepare_data_rule(rule) for rule in data_rules] + + data_sources = [] + for rule in data_rules: + data_source = rule.options.get('data_source') + if data_source: + data_sources.append(data_source) + syntax_rules.append(self._prepare_syntax_rule( - syntax_rule, data_rules_prepared, description)) + syntax_rule, data_rules_prepared, description, data_sources)) template_params = self._get_template_params(syntax_rules) base_template = self.jinja2.get_template( @@ -106,11 +111,9 @@ def build_template(self, rules): return combined_template - def _wrap_rule(self, rule, rule_type): - template = '{%% call ipa.%srule() %%}%s{%% endcall %%}' % ( - rule_type, rule) - - return template + def _wrap_conditional(self, rule, condition): + rule = '{%% if %s %%}%s{%% endif %%}' % (condition, rule) + return rule def _wrap_required(self, rule, description): template = '{%% filter required("%s") %%}%s{%% endfilter %%}' % ( @@ -119,9 +122,15 @@ def _wrap_required(self, rule, description): return template def _prepare_data_rule(self, data_rule): - return self._wrap_rule(data_rule.template, 'data') + template = data_rule.template + + data_source = data_rule.options.get('data_source') + if data_source: + template = self._wrap_conditional(template, data_source) + + return template - def _prepare_syntax_rule(self, syntax_rule, data_rules, description): + def _prepare_syntax_rule(self, syntax_rule, data_rules, description, data_sources): root_logger.debug('Syntax rule template: %s' % syntax_rule.template) template = self.jinja2.from_string( syntax_rule.template, globals=self.passthrough_globals) @@ -133,7 +142,10 @@ def _prepare_syntax_rule(self, syntax_rule, data_rules, description): raise errors.CertificateMappingError(reason=_( 'Template error when formatting certificate data')) - prepared_template = self._wrap_rule(rendered, 'syntax') + combinator = ' %s ' % syntax_rule.options.get( + 'data_source_combinator', 'or') + condition = combinator.join(data_sources) + prepared_template = self._wrap_conditional(rendered, condition) if is_required: prepared_template = self._wrap_required(prepared_template, description) @@ -173,10 +185,10 @@ def _get_template_params(self, syntax_rules): return {'parameters': parameters, 'extensions': extensions} - def _prepare_syntax_rule(self, syntax_rule, data_rules, description): + def _prepare_syntax_rule(self, syntax_rule, data_rules, description, data_sources): """Overrides method to pull out whether rule is an extension or not.""" prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( - syntax_rule, data_rules, description) + syntax_rule, data_rules, description, data_sources) is_extension = syntax_rule.options.get('extension', False) return self.SyntaxRule(prepared_template, is_extension) From d02b434aaf0e9f1b30823dc75492903a207a2787 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Wed, 7 Sep 2016 17:40:21 -0400 Subject: [PATCH 07/11] fixup! Add code to generate scripts that generate CSRs --- ipaclient/plugins/certmapping.py | 18 +++++++++++------- ipalib/certmapping.py | 8 +++++--- ipapython/templating.py | 1 + 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ipaclient/plugins/certmapping.py b/ipaclient/plugins/certmapping.py index d48dd00..ab0b017 100644 --- a/ipaclient/plugins/certmapping.py +++ b/ipaclient/plugins/certmapping.py @@ -13,38 +13,43 @@ from ipalib.text import _ from ipaserver.plugins.certprofile import validate_profile_id -register = Registry() - import six if six.PY3: unicode = str +register = Registry() + __doc__ = _(""" Commands to build certificate requests automatically """) + @register() class cert_get_requestdata(Command): __doc__ = _('Gather data for a certificate signing request.') takes_options = ( - Principal('principal', + Principal( + 'principal', label=_('Principal'), doc=_('Principal for this certificate (e.g.' ' HTTP/test.example.com)'), ), - Str('profile_id', + Str( + 'profile_id', validate_profile_id, label=_('Profile ID'), doc=_('Certificate Profile to use'), ), - Str('helper', + Str( + 'helper', label=_('Name of CSR generation tool'), doc=_('Name of tool (e.g. openssl, certutil) that will be used to' ' create CSR'), ), - Str('out?', + Str( + 'out?', doc=_('Write CSR generation script to file'), ), ) @@ -64,7 +69,6 @@ class cert_get_requestdata(Command): ) ) - def forward(self, *args, **options): if 'out' in options: util.check_writable_file(options['out']) diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index b2364b0..758fbae 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -147,7 +147,8 @@ def _prepare_syntax_rule(self, syntax_rule, data_rules, description, data_source condition = combinator.join(data_sources) prepared_template = self._wrap_conditional(rendered, condition) if is_required: - prepared_template = self._wrap_required(prepared_template, description) + prepared_template = self._wrap_required( + prepared_template, description) return prepared_template @@ -244,7 +245,7 @@ def _rule(self, rule_name, helper): except IndexError: raise errors.NotFound( reason=_('No transformation in "%(ruleset)s" rule supports' - ' helper "%(helper)s"') % + ' helper "%(helper)s"') % {'ruleset': rule_name, 'helper': helper}) options = {} @@ -252,7 +253,8 @@ def _rule(self, rule_name, helper): options.update(ruleset['options']) if 'options' in rule: options.update(rule['options']) - self.rules[(rule_name, helper)] = Rule(rule_name, rule['template'], options) + self.rules[(rule_name, helper)] = Rule( + rule_name, rule['template'], options) return self.rules[(rule_name, helper)] def rules_for_profile(self, profile_id, helper): diff --git a/ipapython/templating.py b/ipapython/templating.py index 1302e0a..461d4fe 100644 --- a/ipapython/templating.py +++ b/ipapython/templating.py @@ -9,6 +9,7 @@ from ipalib import errors from ipalib.text import _ + class IPAExtension(Extension): """Jinja2 extension providing useful features for cert mapping rules.""" From ee62f623be424550d3135a70b0ee6dbd73ba8e20 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Wed, 7 Sep 2016 17:40:38 -0400 Subject: [PATCH 08/11] fixup! Use data_sources option to define which fields are rendered --- ipalib/certmapping.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index 758fbae..d7ec7b4 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -130,7 +130,8 @@ def _prepare_data_rule(self, data_rule): return template - def _prepare_syntax_rule(self, syntax_rule, data_rules, description, data_sources): + def _prepare_syntax_rule( + self, syntax_rule, data_rules, description, data_sources): root_logger.debug('Syntax rule template: %s' % syntax_rule.template) template = self.jinja2.from_string( syntax_rule.template, globals=self.passthrough_globals) @@ -186,7 +187,8 @@ def _get_template_params(self, syntax_rules): return {'parameters': parameters, 'extensions': extensions} - def _prepare_syntax_rule(self, syntax_rule, data_rules, description, data_sources): + def _prepare_syntax_rule( + self, syntax_rule, data_rules, description, data_sources): """Overrides method to pull out whether rule is an extension or not.""" prepared_template = super(OpenSSLFormatter, self)._prepare_syntax_rule( syntax_rule, data_rules, description, data_sources) From 793ff82d99b3752c9cb56e685672ea36ff8932e6 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Thu, 8 Sep 2016 18:29:46 -0400 Subject: [PATCH 09/11] Add tests for CSR autogeneration Some tests are failing and will be fixed in the next commit. This patch also contains some code changes to make the code easier to test. --- ipaclient/plugins/certmapping.py | 3 +- ipalib/certmapping.py | 67 +++-- ipatests/setup.py.in | 1 + .../data/test_certmapping/profiles/profile.json | 8 + .../data/test_certmapping/rules/basic.json | 12 + .../data/test_certmapping/rules/options.json | 18 ++ .../scripts/caIPAserviceCert_certutil.sh | 11 + .../scripts/caIPAserviceCert_openssl.sh | 33 +++ .../test_certmapping/scripts/userCert_certutil.sh | 11 + .../test_certmapping/scripts/userCert_openssl.sh | 33 +++ .../test_certmapping/templates/identity_base.tmpl | 1 + ipatests/test_ipalib/test_certmapping.py | 298 +++++++++++++++++++++ 12 files changed, 470 insertions(+), 26 deletions(-) create mode 100644 ipatests/test_ipalib/data/test_certmapping/profiles/profile.json create mode 100644 ipatests/test_ipalib/data/test_certmapping/rules/basic.json create mode 100644 ipatests/test_ipalib/data/test_certmapping/rules/options.json create mode 100644 ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_certutil.sh create mode 100644 ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_openssl.sh create mode 100644 ipatests/test_ipalib/data/test_certmapping/scripts/userCert_certutil.sh create mode 100644 ipatests/test_ipalib/data/test_certmapping/scripts/userCert_openssl.sh create mode 100644 ipatests/test_ipalib/data/test_certmapping/templates/identity_base.tmpl create mode 100644 ipatests/test_ipalib/test_certmapping.py diff --git a/ipaclient/plugins/certmapping.py b/ipaclient/plugins/certmapping.py index ab0b017..4d438fa 100644 --- a/ipaclient/plugins/certmapping.py +++ b/ipaclient/plugins/certmapping.py @@ -91,11 +91,12 @@ def forward(self, *args, **options): raise errors.NotFound( reason=_("The principal for this request doesn't exist.")) principal_obj = principal_obj['result'] + config = api.Command.config_show()['result'] generator = CSRGenerator(FileRuleProvider()) script = generator.csr_script( - principal_obj, profile_id, helper) + principal_obj, config, profile_id, helper) result = {} if 'out' in options: diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index d7ec7b4..fc37540 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -10,7 +10,6 @@ import os.path import traceback -from ipalib import api from ipalib import errors from ipalib.text import _ from ipapython.ipa_log_manager import root_logger @@ -50,10 +49,10 @@ class Formatter(object): """ base_template_name = None - def __init__(self): + def __init__(self, csr_data_dir=CSR_DATA_DIR): self.jinja2 = jinja2.sandbox.SandboxedEnvironment( loader=jinja2.FileSystemLoader( - os.path.join(CSR_DATA_DIR, 'templates')), + os.path.join(csr_data_dir, 'templates')), extensions=[jinja2.ext.ExprStmtExtension, IPAExtension], keep_trailing_newline=True, undefined=IndexableUndefined) @@ -81,18 +80,20 @@ def build_template(self, rules): :returns: jinja2.Template that can be rendered to produce the CSR data. """ syntax_rules = [] - for description, syntax_rule, data_rules in rules: + for field_mapping in rules: data_rules_prepared = [ - self._prepare_data_rule(rule) for rule in data_rules] + self._prepare_data_rule(rule) + for rule in field_mapping.data_rules] data_sources = [] - for rule in data_rules: + for rule in field_mapping.data_rules: data_source = rule.options.get('data_source') if data_source: data_sources.append(data_source) syntax_rules.append(self._prepare_syntax_rule( - syntax_rule, data_rules_prepared, description, data_sources)) + field_mapping.syntax_rule, data_rules_prepared, + field_mapping.description, data_sources)) template_params = self._get_template_params(syntax_rules) base_template = self.jinja2.get_template( @@ -175,8 +176,8 @@ class OpenSSLFormatter(Formatter): SyntaxRule = collections.namedtuple( 'SyntaxRule', ['template', 'is_extension']) - def __init__(self): - super(OpenSSLFormatter, self).__init__() + def __init__(self, *args, **kwargs): + super(OpenSSLFormatter, self).__init__(*args, **kwargs) self._define_passthrough('openssl.section') def _get_template_params(self, syntax_rules): @@ -203,17 +204,31 @@ def _get_template_params(self, syntax_rules): return {'options': syntax_rules} -# FieldMapping - representation of the rules needed to construct a complete -# certificate field. -# - description: str, a name or description of this field, to be used in -# messages -# - syntax_rule: Rule, the rule defining the syntax of this field -# - data_rules: list of Rule, the rules that produce data to be stored in this -# field -FieldMapping = collections.namedtuple( - 'FieldMapping', ['description', 'syntax_rule', 'data_rules']) -Rule = collections.namedtuple( - 'Rule', ['name', 'template', 'options']) +class FieldMapping(object): + """Representation of the rules needed to construct a complete cert field. + + Attributes: + description: str, a name or description of this field, to be used in + messages + syntax_rule: Rule, the rule defining the syntax of this field + data_rules: list of Rule, the rules that produce data to be stored in + this field + """ + __slots__ = ['description', 'syntax_rule', 'data_rules'] + + def __init__(self, description, syntax_rule, data_rules): + self.description = description + self.syntax_rule = syntax_rule + self.data_rules = data_rules + + +class Rule(object): + __slots__ = ['name', 'template', 'options'] + + def __init__(self, name, template, options): + self.name = name + self.template = template + self.options = options class RuleProvider(object): @@ -232,12 +247,13 @@ def rules_for_profile(self, profile_id, helper): class FileRuleProvider(RuleProvider): - def __init__(self): + def __init__(self, csr_data_dir=CSR_DATA_DIR): self.rules = {} + self.csr_data_dir = csr_data_dir def _rule(self, rule_name, helper): if (rule_name, helper) not in self.rules: - rule_path = os.path.join(CSR_DATA_DIR, 'rules', + rule_path = os.path.join(self.csr_data_dir, 'rules', '%s.json' % rule_name) with open(rule_path) as rule_file: ruleset = json.load(rule_file) @@ -255,12 +271,14 @@ def _rule(self, rule_name, helper): options.update(ruleset['options']) if 'options' in rule: options.update(rule['options']) + self.rules[(rule_name, helper)] = Rule( rule_name, rule['template'], options) + return self.rules[(rule_name, helper)] def rules_for_profile(self, profile_id, helper): - profile_path = os.path.join(CSR_DATA_DIR, 'profiles', + profile_path = os.path.join(self.csr_data_dir, 'profiles', '%s.json' % profile_id) with open(profile_path) as profile_file: profile = json.load(profile_file) @@ -283,8 +301,7 @@ class CSRGenerator(object): def __init__(self, rule_provider): self.rule_provider = rule_provider - def csr_script(self, principal, profile_id, helper): - config = api.Command.config_show()['result'] + def csr_script(self, principal, config, profile_id, helper): render_data = {'subject': principal, 'config': config} formatter = self.FORMATTERS[helper]() diff --git a/ipatests/setup.py.in b/ipatests/setup.py.in index cb5f722..ae4f4cf 100644 --- a/ipatests/setup.py.in +++ b/ipatests/setup.py.in @@ -83,6 +83,7 @@ def setup_package(): 'ipatests.test_install': ['*.update'], 'ipatests.test_integration': ['scripts/*'], 'ipatests.test_pkcs10': ['*.csr'], + "ipatests.test_ipalib": ['data/*/*/*'], "ipatests.test_ipaserver": ['data/*'], 'ipatests.test_xmlrpc': ['data/*'], } diff --git a/ipatests/test_ipalib/data/test_certmapping/profiles/profile.json b/ipatests/test_ipalib/data/test_certmapping/profiles/profile.json new file mode 100644 index 0000000..676f91b --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/profiles/profile.json @@ -0,0 +1,8 @@ +[ + { + "syntax": "basic", + "data": [ + "options" + ] + } +] diff --git a/ipatests/test_ipalib/data/test_certmapping/rules/basic.json b/ipatests/test_ipalib/data/test_certmapping/rules/basic.json new file mode 100644 index 0000000..feba3e9 --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/rules/basic.json @@ -0,0 +1,12 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "openssl_rule" + }, + { + "helper": "certutil", + "template": "certutil_rule" + } + ] +} diff --git a/ipatests/test_ipalib/data/test_certmapping/rules/options.json b/ipatests/test_ipalib/data/test_certmapping/rules/options.json new file mode 100644 index 0000000..111a6d8 --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/rules/options.json @@ -0,0 +1,18 @@ +{ + "rules": [ + { + "helper": "openssl", + "template": "openssl_rule", + "options": { + "helper_option": true + } + }, + { + "helper": "certutil", + "template": "certutil_rule" + } + ], + "options": { + "global_option": true + } +} diff --git a/ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_certutil.sh b/ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_certutil.sh new file mode 100644 index 0000000..74a704c --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_certutil.sh @@ -0,0 +1,11 @@ +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 <outfile> [<any> <certutil> <args>]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" -s CN=machine.example.com,O=DOMAIN.EXAMPLE.COM --extSAN dns:machine.example.com "$@" diff --git a/ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_openssl.sh b/ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_openssl.sh new file mode 100644 index 0000000..c621a69 --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/scripts/caIPAserviceCert_openssl.sh @@ -0,0 +1,33 @@ +#!/bin/bash -e + +if [[ $# -ne 2 ]]; then +echo "Usage: $0 <outfile> <keyfile>" +echo "Called as: $0 $@" +exit 1 +fi + +CONFIG="$(mktemp)" +CSR="$1" +shift + +echo \ +'[ req ] +prompt = no +encrypt_key = no + +distinguished_name = sec0 +req_extensions = sec2 + +[ sec0 ] +O=DOMAIN.EXAMPLE.COM +CN=machine.example.com + +[ sec1 ] +DNS = machine.example.com + +[ sec2 ] +subjectAltName = @sec1 +' > "$CONFIG" + +openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +rm "$CONFIG" diff --git a/ipatests/test_ipalib/data/test_certmapping/scripts/userCert_certutil.sh b/ipatests/test_ipalib/data/test_certmapping/scripts/userCert_certutil.sh new file mode 100644 index 0000000..4aaeda0 --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/scripts/userCert_certutil.sh @@ -0,0 +1,11 @@ +#!/bin/bash -e + +if [[ $# -lt 1 ]]; then +echo "Usage: $0 <outfile> [<any> <certutil> <args>]" +echo "Called as: $0 $@" +exit 1 +fi + +CSR="$1" +shift +certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" -s CN=testuser,O=DOMAIN.EXAMPLE.COM --extSAN email:testu...@example.com "$@" diff --git a/ipatests/test_ipalib/data/test_certmapping/scripts/userCert_openssl.sh b/ipatests/test_ipalib/data/test_certmapping/scripts/userCert_openssl.sh new file mode 100644 index 0000000..cdbe8a1 --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/scripts/userCert_openssl.sh @@ -0,0 +1,33 @@ +#!/bin/bash -e + +if [[ $# -ne 2 ]]; then +echo "Usage: $0 <outfile> <keyfile>" +echo "Called as: $0 $@" +exit 1 +fi + +CONFIG="$(mktemp)" +CSR="$1" +shift + +echo \ +'[ req ] +prompt = no +encrypt_key = no + +distinguished_name = sec0 +req_extensions = sec2 + +[ sec0 ] +O=DOMAIN.EXAMPLE.COM +CN=testuser + +[ sec1 ] +email = testu...@example.com + +[ sec2 ] +subjectAltName = @sec1 +' > "$CONFIG" + +openssl req -new -config "$CONFIG" -out "$CSR" -key $1 +rm "$CONFIG" diff --git a/ipatests/test_ipalib/data/test_certmapping/templates/identity_base.tmpl b/ipatests/test_ipalib/data/test_certmapping/templates/identity_base.tmpl new file mode 100644 index 0000000..79111ab --- /dev/null +++ b/ipatests/test_ipalib/data/test_certmapping/templates/identity_base.tmpl @@ -0,0 +1 @@ +{{ options|join(";") }} diff --git a/ipatests/test_ipalib/test_certmapping.py b/ipatests/test_ipalib/test_certmapping.py new file mode 100644 index 0000000..a9b1644 --- /dev/null +++ b/ipatests/test_ipalib/test_certmapping.py @@ -0,0 +1,298 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import pytest + +from ipalib import certmapping +from ipalib import errors + +BASE_DIR = os.path.dirname(__file__) +CSR_DATA_DIR = os.path.join(BASE_DIR, 'data', 'test_certmapping') + + +@pytest.fixture +def formatter(): + return certmapping.Formatter(csr_data_dir=CSR_DATA_DIR) + + +@pytest.fixture +def rule_provider(): + return certmapping.FileRuleProvider(csr_data_dir=CSR_DATA_DIR) + + +@pytest.fixture +def generator(): + return certmapping.CSRGenerator(certmapping.FileRuleProvider()) + + +class StubRuleProvider(certmapping.RuleProvider): + def __init__(self): + self.syntax_rule = certmapping.Rule( + 'syntax', '{{datarules|join(",")}}', {}) + self.data_rule = certmapping.Rule('data', 'data_template', {}) + self.field_mapping = certmapping.FieldMapping( + 'example', self.syntax_rule, [self.data_rule]) + self.rules = [self.field_mapping] + + def rules_for_profile(self, profile_id, helper): + return self.rules + + +class IdentityFormatter(certmapping.Formatter): + base_template_name = 'identity_base.tmpl' + + def __init__(self): + super(IdentityFormatter, self).__init__(csr_data_dir=CSR_DATA_DIR) + + def _get_template_params(self, syntax_rules): + return {'options': syntax_rules} + + +class IdentityCSRGenerator(certmapping.CSRGenerator): + FORMATTERS = {'identity': IdentityFormatter} + + +class test_Formatter(object): + def test_prepare_data_rule_with_data_source(self, formatter): + data_rule = certmapping.Rule('uid', '{{subject.uid.0}}', + {'data_source': 'subject.uid.0'}) + prepared = formatter._prepare_data_rule(data_rule) + assert prepared == '{% if subject.uid.0 %}{{subject.uid.0}}{% endif %}' + + def test_prepare_data_rule_no_data_source(self, formatter): + """Not a normal case, but we should handle it anyway""" + data_rule = certmapping.Rule('uid', 'static_text', {}) + prepared = formatter._prepare_data_rule(data_rule) + assert prepared == 'static_text' + + def test_prepare_syntax_rule_with_data_sources(self, formatter): + syntax_rule = certmapping.Rule( + 'example', '{{datarules|join(",")}}', {}) + data_rules = ['{{subject.field1}}', '{{subject.field2}}'] + data_sources = ['subject.field1', 'subject.field2'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% if subject.field1 or subject.field2 %}{{subject.field1}},' + '{{subject.field2}}{% endif %}') + + def test_prepare_syntax_rule_with_combinator(self, formatter): + syntax_rule = certmapping.Rule('example', '{{datarules|join(",")}}', + {'data_source_combinator': 'and'}) + data_rules = ['{{subject.field1}}', '{{subject.field2}}'] + data_sources = ['subject.field1', 'subject.field2'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% if subject.field1 and subject.field2 %}{{subject.field1}},' + '{{subject.field2}}{% endif %}') + + def test_prepare_syntax_rule_required(self, formatter): + syntax_rule = certmapping.Rule('example', '{{datarules|join(",")}}', + {'required': True}) + data_rules = ['{{subject.field1}}'] + data_sources = ['subject.field1'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% filter required("example") %}{% if subject.field1 %}' + '{{subject.field1}}{% endif %}{% endfilter %}') + + def test_prepare_syntax_rule_passthrough(self, formatter): + """ + Calls to macros defined as passthrough are still call tags in the final + template. + """ + formatter._define_passthrough('example.macro') + + syntax_rule = certmapping.Rule( + 'example', + '{% call example.macro() %}{{datarules|join(",")}}{% endcall %}', + {}) + data_rules = ['{{subject.field1}}'] + data_sources = ['subject.field1'] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == ( + '{% if subject.field1 %}{% call example.macro() %}' + '{{subject.field1}}{% endcall %}{% endif %}') + + def test_prepare_syntax_rule_no_data_sources(self, formatter): + """Not a normal case, but we should handle it anyway""" + syntax_rule = certmapping.Rule( + 'example', '{{datarules|join(",")}}', {}) + data_rules = ['rule1', 'rule2'] + data_sources = [] + prepared = formatter._prepare_syntax_rule( + syntax_rule, data_rules, 'example', data_sources) + + assert prepared == 'rule1,rule2' + + +class test_FileRuleProvider(object): + def test_rule_basic(self, rule_provider): + rule_name = 'basic' + + rule1 = rule_provider._rule(rule_name, 'openssl') + rule2 = rule_provider._rule(rule_name, 'certutil') + + assert rule1.template == 'openssl_rule' + assert rule2.template == 'certutil_rule' + + def test_rule_global_options(self, rule_provider): + rule_name = 'options' + + rule1 = rule_provider._rule(rule_name, 'openssl') + rule2 = rule_provider._rule(rule_name, 'certutil') + + assert rule1.options['global_option'] is True + assert rule2.options['global_option'] is True + + def test_rule_helper_options(self, rule_provider): + rule_name = 'options' + + rule1 = rule_provider._rule(rule_name, 'openssl') + rule2 = rule_provider._rule(rule_name, 'certutil') + + assert rule1.options['helper_option'] is True + assert 'helper_option' not in rule2.options + + def test_rule_nosuchrule(self, rule_provider): + with pytest.raises(errors.CertificateMappingError): + rule_provider._rule('nosuchrule', 'openssl') + + def test_rule_nosuchhelper(self, rule_provider): + with pytest.raises(errors.CertificateMappingError): + rule_provider._rule('basic', 'nosuchhelper') + + def test_rules_for_profile_success(self, rule_provider): + rules = rule_provider.rules_for_profile('profile', 'certutil') + + assert len(rules) == 1 + field_mapping = rules[0] + assert field_mapping.syntax_rule.name == 'basic' + assert len(field_mapping.data_rules) == 1 + assert field_mapping.data_rules[0].name == 'options' + + def test_rules_for_profile_nosuchprofile(self, rule_provider): + with pytest.raises(errors.CertificateMappingError): + rule_provider.rules_for_profile('nosuchprofile', 'certutil') + + +class test_CSRGenerator(object): + def test_userCert_OpenSSL(self, generator): + principal = { + 'uid': ['testuser'], + 'mail': ['testu...@example.com'], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script(principal, config, 'userCert', 'openssl') + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'userCert_openssl.sh')) as f: + expected_script = f.read() + assert script == expected_script + + def test_userCert_Certutil(self, generator): + principal = { + 'uid': ['testuser'], + 'mail': ['testu...@example.com'], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script( + principal, config, 'userCert', 'certutil') + + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'userCert_certutil.sh')) as f: + expected_script = f.read() + assert script == expected_script + + def test_caIPAserviceCert_OpenSSL(self, generator): + principal = { + 'krbprincipalname': [ + 'HTTP/machine.example....@domain.example.com' + ], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script( + principal, config, 'caIPAserviceCert', 'openssl') + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'caIPAserviceCert_openssl.sh')) as f: + expected_script = f.read() + assert script == expected_script + + def test_caIPAserviceCert_Certutil(self, generator): + principal = { + 'krbprincipalname': [ + 'HTTP/machine.example....@domain.example.com' + ], + } + config = { + 'ipacertificatesubjectbase': [ + 'O=DOMAIN.EXAMPLE.COM' + ], + } + + script = generator.csr_script( + principal, config, 'caIPAserviceCert', 'certutil') + with open(os.path.join( + CSR_DATA_DIR, 'scripts', 'caIPAserviceCert_certutil.sh')) as f: + expected_script = f.read() + assert script == expected_script + + +class test_rule_handling(object): + def test_optionalAttributeMissing(self, generator): + principal = {'uid': 'testuser'} + rule_provider = StubRuleProvider() + rule_provider.data_rule.template = '{{subject.mail}}' + rule_provider.data_rule.options = {'data_source': 'subject.mail'} + generator = IdentityCSRGenerator(rule_provider) + + script = generator.csr_script( + principal, {}, 'example', 'identity') + assert script == '\n' + + def test_twoDataRulesOneMissing(self, generator): + principal = {'uid': 'testuser'} + rule_provider = StubRuleProvider() + rule_provider.data_rule.template = '{{subject.mail}}' + rule_provider.data_rule.options = {'data_source': 'subject.mail'} + rule_provider.field_mapping.data_rules.append(certmapping.Rule( + 'data2', '{{subject.uid}}', {'data_source': 'subject.uid'})) + generator = IdentityCSRGenerator(rule_provider) + + script = generator.csr_script(principal, {}, 'example', 'identity') + assert script == ',testuser\n' + + def test_requiredAttributeMissing(self): + principal = {'uid': 'testuser'} + rule_provider = StubRuleProvider() + rule_provider.data_rule.template = '{{subject.mail}}' + rule_provider.data_rule.options = {'data_source': 'subject.mail'} + rule_provider.syntax_rule.options = {'required': True} + generator = IdentityCSRGenerator(rule_provider) + + with pytest.raises(errors.CertificateMappingError): + script = generator.csr_script( + principal, {}, 'example', 'identity') From fd161cb188cf5afe626c87cd41f629ac2c792b86 Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Thu, 8 Sep 2016 19:54:48 -0400 Subject: [PATCH 10/11] Fix broken tests in CSR autogeneration --- ipalib/certmapping.py | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index fc37540..d558157 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -59,6 +59,11 @@ def __init__(self, csr_data_dir=CSR_DATA_DIR): self.passthrough_globals = {} def _define_passthrough(self, call): + """Some macros are meant to be interpreted during the final render, not + when data rules are interpolated into syntax rules. This method allows + those macros to be registered so that calls to them are passed through + to the prepared rule rather than interpreted. + """ def passthrough(caller): return u'{%% call %s() %%}%s{%% endcall %%}' % (call, caller()) @@ -138,16 +143,19 @@ def _prepare_syntax_rule( syntax_rule.template, globals=self.passthrough_globals) is_required = syntax_rule.options.get('required', False) try: - rendered = template.render(datarules=data_rules) + prepared_template = template.render(datarules=data_rules) except jinja2.UndefinedError: root_logger.debug(traceback.format_exc()) raise errors.CertificateMappingError(reason=_( 'Template error when formatting certificate data')) - combinator = ' %s ' % syntax_rule.options.get( - 'data_source_combinator', 'or') - condition = combinator.join(data_sources) - prepared_template = self._wrap_conditional(rendered, condition) + if data_sources: + combinator = ' %s ' % syntax_rule.options.get( + 'data_source_combinator', 'or') + condition = combinator.join(data_sources) + prepared_template = self._wrap_conditional( + prepared_template, condition) + if is_required: prepared_template = self._wrap_required( prepared_template, description) @@ -255,13 +263,19 @@ def _rule(self, rule_name, helper): if (rule_name, helper) not in self.rules: rule_path = os.path.join(self.csr_data_dir, 'rules', '%s.json' % rule_name) - with open(rule_path) as rule_file: - ruleset = json.load(rule_file) + try: + with open(rule_path) as rule_file: + ruleset = json.load(rule_file) + except IOError: + raise errors.CertificateMappingError( + reason=_('Ruleset %(ruleset)s is configured in profile but' + ' does not exist.') % {'ruleset': rule_name}) + try: rule = [r for r in ruleset['rules'] if r['helper'] == helper][0] except IndexError: - raise errors.NotFound( + raise errors.CertificateMappingError( reason=_('No transformation in "%(ruleset)s" rule supports' ' helper "%(helper)s"') % {'ruleset': rule_name, 'helper': helper}) @@ -280,8 +294,13 @@ def _rule(self, rule_name, helper): def rules_for_profile(self, profile_id, helper): profile_path = os.path.join(self.csr_data_dir, 'profiles', '%s.json' % profile_id) - with open(profile_path) as profile_file: - profile = json.load(profile_file) + try: + with open(profile_path) as profile_file: + profile = json.load(profile_file) + except IOError: + raise errors.CertificateMappingError( + reason=_('No certificate mappings are defined for profile' + ' %(profile_id)s') % {'profile_id': profile_id}) field_mappings = [] for field in profile: From 13eae6a4aee95bb45f9ac0228961481cb1228ebf Mon Sep 17 00:00:00 2001 From: Ben Lipton <blip...@redhat.com> Date: Thu, 15 Sep 2016 15:53:01 -0400 Subject: [PATCH 11/11] fixup! Add code to generate scripts that generate CSRs --- ipalib/certmapping.py | 75 ++++++++++++++++++++++---------- ipaplatform/base/paths.py | 1 + ipapython/templating.py | 32 -------------- ipatests/test_ipalib/test_certmapping.py | 6 +-- 4 files changed, 56 insertions(+), 58 deletions(-) delete mode 100644 ipapython/templating.py diff --git a/ipalib/certmapping.py b/ipalib/certmapping.py index d558157..45152ad 100644 --- a/ipalib/certmapping.py +++ b/ipalib/certmapping.py @@ -3,17 +3,19 @@ # import collections -import jinja2 -import jinja2.ext -import jinja2.sandbox import json import os.path +import pipes import traceback +import jinja2 +import jinja2.ext +import jinja2.sandbox + from ipalib import errors from ipalib.text import _ -from ipapython.ipa_log_manager import root_logger -from ipapython.templating import IPAExtension +from ipaplatform.paths import paths +from ipapython.ipa_log_manager import log_mgr import six @@ -25,7 +27,7 @@ stored mapping rules. """) -CSR_DATA_DIR = '/usr/share/ipa/csr' +logger = log_mgr.get_logger(__name__) class IndexableUndefined(jinja2.Undefined): @@ -35,6 +37,28 @@ def __getitem__(self, key): name=self._undefined_name, exc=self._undefined_exception) +class IPAExtension(jinja2.ext.Extension): + """Jinja2 extension providing useful features for cert mapping rules.""" + + def __init__(self, environment): + super(IPAExtension, self).__init__(environment) + + environment.filters.update( + quote=self.quote, + required=self.required, + ) + + def quote(self, data): + return pipes.quote(data) + + def required(self, data, name): + if not data: + raise errors.CertificateMappingError( + reason=_('Required mapping rule %(name)s is missing data') % + {'name': name}) + return data + + class Formatter(object): """ Class for processing a set of mapping rules into a template. @@ -49,7 +73,7 @@ class Formatter(object): """ base_template_name = None - def __init__(self, csr_data_dir=CSR_DATA_DIR): + def __init__(self, csr_data_dir=paths.CSR_DATA_DIR): self.jinja2 = jinja2.sandbox.SandboxedEnvironment( loader=jinja2.FileSystemLoader( os.path.join(csr_data_dir, 'templates')), @@ -107,11 +131,11 @@ def build_template(self, rules): try: combined_template_source = base_template.render(**template_params) except jinja2.UndefinedError: - root_logger.debug(traceback.format_exc()) + logger.debug(traceback.format_exc()) raise errors.CertificateMappingError(reason=_( 'Template error when formatting certificate data')) - root_logger.debug( + logger.debug( 'Formatting with template: %s' % combined_template_source) combined_template = self.jinja2.from_string(combined_template_source) @@ -138,14 +162,14 @@ def _prepare_data_rule(self, data_rule): def _prepare_syntax_rule( self, syntax_rule, data_rules, description, data_sources): - root_logger.debug('Syntax rule template: %s' % syntax_rule.template) + logger.debug('Syntax rule template: %s' % syntax_rule.template) template = self.jinja2.from_string( syntax_rule.template, globals=self.passthrough_globals) is_required = syntax_rule.options.get('required', False) try: prepared_template = template.render(datarules=data_rules) except jinja2.UndefinedError: - root_logger.debug(traceback.format_exc()) + logger.debug(traceback.format_exc()) raise errors.CertificateMappingError(reason=_( 'Template error when formatting certificate data')) @@ -255,7 +279,7 @@ def rules_for_profile(self, profile_id, helper): class FileRuleProvider(RuleProvider): - def __init__(self, csr_data_dir=CSR_DATA_DIR): + def __init__(self, csr_data_dir=paths.CSR_DATA_DIR): self.rules = {} self.csr_data_dir = csr_data_dir @@ -267,18 +291,23 @@ def _rule(self, rule_name, helper): with open(rule_path) as rule_file: ruleset = json.load(rule_file) except IOError: - raise errors.CertificateMappingError( - reason=_('Ruleset %(ruleset)s is configured in profile but' - ' does not exist.') % {'ruleset': rule_name}) - - try: - rule = [r for r in ruleset['rules'] - if r['helper'] == helper][0] - except IndexError: - raise errors.CertificateMappingError( + raise errors.NotFound( + reason=_('Ruleset %(ruleset)s does not exist.') % + {'ruleset': rule_name}) + + matching_rules = [r for r in ruleset['rules'] + if r['helper'] == helper] + if len(matching_rules) == 0: + raise errors.EmptyResult( reason=_('No transformation in "%(ruleset)s" rule supports' ' helper "%(helper)s"') % {'ruleset': rule_name, 'helper': helper}) + elif len(matching_rules) > 1: + raise errors.CertificateMappingError( + reason=_('More than one transformation in "%(ruleset)s"' + ' matches helper "%(helper)s"') % + {'ruleset': rule_name, 'helper': helper}) + rule = matching_rules[0] options = {} if 'options' in ruleset: @@ -298,7 +327,7 @@ def rules_for_profile(self, profile_id, helper): with open(profile_path) as profile_file: profile = json.load(profile_file) except IOError: - raise errors.CertificateMappingError( + raise errors.NotFound( reason=_('No certificate mappings are defined for profile' ' %(profile_id)s') % {'profile_id': profile_id}) @@ -330,7 +359,7 @@ def csr_script(self, principal, config, profile_id, helper): try: script = template.render(render_data) except jinja2.UndefinedError: - root_logger.debug(traceback.format_exc()) + logger.debug(traceback.format_exc()) raise errors.CertificateMappingError(reason=_( 'Template error when formatting certificate data')) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index f927a7a..464cfca 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -243,6 +243,7 @@ class BasePathNamespace(object): SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif" IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins" UPDATES_DIR = "/usr/share/ipa/updates/" + CSR_DATA_DIR = "/usr/share/ipa/csr" DICT_WORDS = "/usr/share/dict/words" CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions" VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/" diff --git a/ipapython/templating.py b/ipapython/templating.py deleted file mode 100644 index 461d4fe..0000000 --- a/ipapython/templating.py +++ /dev/null @@ -1,32 +0,0 @@ -# -# Copyright (C) 2016 FreeIPA Contributors see COPYING for license -# - -import pipes - -from jinja2.ext import Extension - -from ipalib import errors -from ipalib.text import _ - - -class IPAExtension(Extension): - """Jinja2 extension providing useful features for cert mapping rules.""" - - def __init__(self, environment): - super(IPAExtension, self).__init__(environment) - - environment.filters.update( - quote=self.quote, - required=self.required, - ) - - def quote(self, data): - return pipes.quote(data) - - def required(self, data, name): - if not data: - raise errors.CertificateMappingError( - reason=_('Required mapping rule %(name)s is missing data') % - {'name': name}) - return data diff --git a/ipatests/test_ipalib/test_certmapping.py b/ipatests/test_ipalib/test_certmapping.py index a9b1644..2e1cf11 100644 --- a/ipatests/test_ipalib/test_certmapping.py +++ b/ipatests/test_ipalib/test_certmapping.py @@ -164,11 +164,11 @@ def test_rule_helper_options(self, rule_provider): assert 'helper_option' not in rule2.options def test_rule_nosuchrule(self, rule_provider): - with pytest.raises(errors.CertificateMappingError): + with pytest.raises(errors.NotFound): rule_provider._rule('nosuchrule', 'openssl') def test_rule_nosuchhelper(self, rule_provider): - with pytest.raises(errors.CertificateMappingError): + with pytest.raises(errors.EmptyResult): rule_provider._rule('basic', 'nosuchhelper') def test_rules_for_profile_success(self, rule_provider): @@ -181,7 +181,7 @@ def test_rules_for_profile_success(self, rule_provider): assert field_mapping.data_rules[0].name == 'options' def test_rules_for_profile_nosuchprofile(self, rule_provider): - with pytest.raises(errors.CertificateMappingError): + with pytest.raises(errors.NotFound): rule_provider.rules_for_profile('nosuchprofile', 'certutil')
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
