[Freeipa-devel] [freeipa PR#568][synchronized] cert: include certificate chain in cert command output

2017-03-13 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/568
Author: HonzaCholasta
 Title: #568: cert: include certificate chain in cert command output
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/568/head:pr568
git checkout pr568
From 2f08a1e0e6e8ee82d7fa67e8d5d26cdbabc4fc45 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:19:53 +
Subject: [PATCH 1/2] cert: add output file option to cert-request

The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547
---
 ipaclient/plugins/cert.py | 66 +--
 1 file changed, 52 insertions(+), 14 deletions(-)

diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 348529c..62171e9 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import base64
 import subprocess
 from tempfile import NamedTemporaryFile as NTF
 
@@ -38,10 +39,37 @@
 register = Registry()
 
 
-@register(override=True, no_fail=True)
-class cert_request(MethodOverride):
+class CertRetrieveOverride(MethodOverride):
 takes_options = (
 Str(
+'certificate_out?',
+doc=_('Write certificate (chain if --chain used) to file'),
+include='cli',
+cli_metavar='FILE',
+),
+)
+
+def forward(self, *args, **options):
+certificate_out = options.pop('certificate_out', None)
+if certificate_out is not None:
+util.check_writable_file(certificate_out)
+
+result = super(CertRetrieveOverride, self).forward(*args, **options)
+
+if certificate_out is not None:
+certs = [result['result']['certificate']]
+certs = (x509.normalize_certificate(cert) for cert in certs)
+certs = (x509.make_pem(base64.b64encode(cert)) for cert in certs)
+with open(certificate_out, 'w') as f:
+f.write('\n'.join(certs))
+
+return result
+
+
+@register(override=True, no_fail=True)
+class cert_request(CertRetrieveOverride):
+takes_options = CertRetrieveOverride.takes_options + (
+Str(
 'database?',
 label=_('Path to NSS database'),
 doc=_('Path to NSS database to use for private key'),
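Review bot: `CertRetrieveOverride.forward` reads `result['result']['certificate']` without checking that the key is present, so a reply that carries no certificate ends in a bare `KeyError` instead of the `errors.NoCertificateError` that the old `cert_show.forward` (removed later in this patch) raised. I would guard the write with `if 'certificate' not in result['result']:` followed by `raise errors.NoCertificateError(entry=args[-1])`, choosing an entry value that also fits `cert_request`, whose `forward` takes `csr` as a keyword. A short comment would help too, stating that `certificate_out` is popped before `super().forward()` so the local file path is not passed on with the request. The same hunk appears unchanged in the resent copy of PATCH 1/2 further down the page, and the point applies there as well; `cert_request` itself continues outside the hunk.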
@@ -135,18 +163,28 @@ def forward(self, csr=None, **options):
 
 
 @register(override=True, no_fail=True)
-class cert_show(MethodOverride):
-def forward(self, *keys, **options):
-if 'out' in options:
-util.check_writable_file(options['out'])
-result = super(cert_show, self).forward(*keys, **options)
-if 'certificate' in result['result']:
-x509.write_certificate(result['result']['certificate'], options['out'])
-return result
-else:
-raise errors.NoCertificateError(entry=keys[-1])
-else:
-return super(cert_show, self).forward(*keys, **options)
+class cert_show(CertRetrieveOverride):
+def get_options(self):
+for option in super(cert_show, self).get_options():
+if option.name == 'out':
+# skip server-defined --out
+continue
+if option.name == 'certificate_out':
+# add --out as a deprecated alias of --certificate-out
+option = option.clone_rename(
+'out',
+cli_name='certificate_out',
+deprecated_cli_aliases={'out'},
+)
+yield option
+
+def forward(self, *args, **options):
+try:
+options['certificate_out'] = options.pop('out')
+except KeyError:
+pass
+
+return super(cert_show, self).forward(*args, **options)
 
 
 @register(override=True, no_fail=True)
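Review bot: The new `cert_show.forward` needs a comment, because nothing in it says why `out` is moved to `certificate_out`. `get_options` renames the client option back to `out` with `clone_rename`, so without the mapping the base class's `options.pop('certificate_out', None)` would never see the path. Something like `# declared as 'out' in get_options(); hand it to CertRetrieveOverride.forward() under the name it pops` would do. As a style point, the `try`/`except KeyError: pass` reads more directly as `if 'out' in options:` followed by `options['certificate_out'] = options.pop('out')`.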

From d3b3266018df4390b348ff253dae42b522511c34 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:22:42 +
Subject: [PATCH 2/2] cert: include certificate chain in cert command output

Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547
---
 API.txt   |  6 --
 VERSION.m4|  4 ++--
 ipaclient/plugins/cert.py |  5 -
 ipaserver/plugins/cert.py | 53 ---
 4 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 90cda74..2d6b401 100644
--- a/API.txt
+++ b/API.txt
@@ -782,11 +782,12 @@ option:

[Freeipa-devel] [freeipa PR#568][synchronized] cert: include certificate chain in cert command output

2017-03-13 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/568
Author: HonzaCholasta
 Title: #568: cert: include certificate chain in cert command output
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/568/head:pr568
git checkout pr568
From aedb67fca0fbb58e101da3300c7fd6b5afeddc0a Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:19:53 +
Subject: [PATCH 1/2] cert: add output file option to cert-request

The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547
---
 ipaclient/plugins/cert.py | 54 +++
 1 file changed, 40 insertions(+), 14 deletions(-)

diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 348529c..2dcdcf7 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import base64
 import subprocess
 from tempfile import NamedTemporaryFile as NTF
 
@@ -38,10 +39,37 @@
 register = Registry()
 
 
-@register(override=True, no_fail=True)
-class cert_request(MethodOverride):
+class CertRetrieveOverride(MethodOverride):
 takes_options = (
 Str(
+'certificate_out?',
+doc=_('Write certificate (chain if --chain used) to file'),
+include='cli',
+cli_metavar='FILE',
+),
+)
+
+def forward(self, *args, **options):
+certificate_out = options.pop('certificate_out', None)
+if certificate_out is not None:
+util.check_writable_file(certificate_out)
+
+result = super(CertRetrieveOverride, self).forward(*args, **options)
+
+if certificate_out is not None:
+certs = [result['result']['certificate']]
+certs = (x509.normalize_certificate(cert) for cert in certs)
+certs = (x509.make_pem(base64.b64encode(cert)) for cert in certs)
+with open(certificate_out, 'w') as f:
+f.write('\n'.join(certs))
+
+return result
+
+
+@register(override=True, no_fail=True)
+class cert_request(CertRetrieveOverride):
+takes_options = CertRetrieveOverride.takes_options + (
+Str(
 'database?',
 label=_('Path to NSS database'),
 doc=_('Path to NSS database to use for private key'),
@@ -135,18 +163,16 @@ def forward(self, csr=None, **options):
 
 
 @register(override=True, no_fail=True)
-class cert_show(MethodOverride):
-def forward(self, *keys, **options):
-if 'out' in options:
-util.check_writable_file(options['out'])
-result = super(cert_show, self).forward(*keys, **options)
-if 'certificate' in result['result']:
-x509.write_certificate(result['result']['certificate'], options['out'])
-return result
-else:
-raise errors.NoCertificateError(entry=keys[-1])
-else:
-return super(cert_show, self).forward(*keys, **options)
+class cert_show(CertRetrieveOverride):
+def get_options(self):
+for option in super(cert_show, self).get_options():
+if option.name == 'out':
+# skip server-defined --out
+continue
+if option.name == 'certificate_out':
+# add --out as a deprecated alias of --certificate-out
+option = option.clone(deprecated_cli_aliases={'out'})
+yield option
 
 
 @register(override=True, no_fail=True)
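Review bot: In this revision `cert_show.get_options` skips the server-defined `out` option and keeps `out` only through `deprecated_cli_aliases={'out'}`, while the `forward` that read `options['out']` is removed with no replacement. If a caller outside the CLI still passes `out=...` (not visible from this hunk), the file would presumably no longer be written or the option would be rejected. The other revision of this patch on the page covers that case by mapping `out` to `certificate_out` in a `forward` override. If CLI-only compatibility is intended, say so on the alias line, for example `# 'out' stays valid on the command line only; other callers must use certificate_out`.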

From 5ca69abd1f423dcc6112cbcb98fd4839ef54ed29 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:22:42 +
Subject: [PATCH 2/2] cert: include certificate chain in cert command output

Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547
---
 API.txt   |  6 --
 VERSION.m4|  4 ++--
 ipaclient/plugins/cert.py |  5 -
 ipaserver/plugins/cert.py | 53 ---
 4 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 90cda74..2d6b401 100644
--- a/API.txt
+++ b/API.txt
@@ -782,11 +782,12 @@ option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa')
 option: Str('version?')
 output: Output('result')
 command: cert_request/1
-args: 1,8,3
+args: 1,9,3
 arg: Str('csr', cli_name='csr_file')
 option: Flag('add', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cacn?', autofill=True,