Automatic CSR generation #4
base: master
Commits on Aug 8, 2016
-
Add schema to support automatic CSR generation
This adds the schema discussed in http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A, along with containers for the new ipaCertMappingRuleset objectClass. There are no containers for ipaCertFieldMappingRule and ipaCertTransformationRule because they will be stored as child objects of ipaCertProfile and ipaCertMappingRuleset objects respectively. https://fedorahosted.org/freeipa/ticket/4899
Commits on Aug 10, 2016
-
This plugin will implement the cert-get-requestdata call that returns a config that can be used to generate a CSR. This commit implements only the very basic API of the plugin. Actual functionality will come in later patches. https://fedorahosted.org/freeipa/ticket/4899
-
Add generation rules to the default cert profile
This updates the automation that happens on upgrade to create all the various types of mapping rules, and adds some default rules to the caIPAserviceCert profile. https://fedorahosted.org/freeipa/ticket/4899
-
Add code to support generating configs using mapping rules
Provides a framework that uses jinja2 to format a template for the generated config and then substitute data from the database into it. The rules themselves will be added in a later commit. https://fedorahosted.org/freeipa/ticket/4899
-
Add ability to import/export mappings with profile
The certprofile_show command now takes a --mappings-out flag that writes mappings to a JSON-formatted file, and the same file format can be read in with the --mappings-file parameter of certprofile_import and certprofile_mod. The exception handling here is a bit complicated, but the new exc_callback functions should take care of making sure that state is restored in the event of a failure. (And with the addition of an exc_callback, overriding execute() is no longer necessary.) https://fedorahosted.org/freeipa/ticket/4899
-
Add tests for mapping rules import/export
Also, for all import calls that are supposed to fail, we now assert that the objects do not exist after the failed import. https://fedorahosted.org/freeipa/ticket/4899
-
Automate full cert request flow
Adds `cert-build` command that pulls down a config with `cert-get-requestdata`, then uses it to build a CSR, and submits the CSR with `cert-request`. To enable this, the format of the returned configs has been changed to a bash script, which produces the CSR when executed. Example usage:

    $ ipa cert-build --principal blipton --profile-id userCert --helper certutil \
        --helper-args '-d /tmp/certs'

https://fedorahosted.org/freeipa/ticket/4899
-
This allows non-admin users to read those rules to use the certificate mapping feature, and users with appropriate permissions can modify the rules as well. https://fedorahosted.org/freeipa/ticket/4899
-
Improve error handling for certificate mapping
All calls to jinja2 will now raise an IPA error type if rendering does not succeed, so that broken rules will not generate InternalErrors. Additionally, if the rendering does not generate a subject DN (for example if the wrong certificate profile for a principal is used), an exception is raised, as the CSR creation will not succeed. https://fedorahosted.org/freeipa/ticket/4899
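The three commits above describe one pipeline: mapping rules are rendered into a generated config (a bash script that builds the CSR), rendering failures are turned into an IPA-level error rather than an InternalError, and a config that yields no subject DN is rejected. The following is an added stand-alone sketch of that pipeline for illustration; it is not FreeIPA code. FreeIPA renders with jinja2, whereas this sketch uses Python's standard-library `string.Template` so it runs without dependencies. `CSRRuleError`, the `_Attrs` mapping, the profile dictionaries, the attribute names and the `certutil` script template are all constructed for the example.

```python
"""Added illustration of the CSR-config rendering step: render mapping rules
into a bash script that calls certutil, turn template failures into a domain
error, and refuse to emit a script that has no subject DN. Not FreeIPA code."""
import shlex
from string import Template


class CSRRuleError(Exception):
    """Hypothetical stand-in for the IPA error type the commits mention,
    raised for rule problems so they never surface as an InternalError."""


class _Attrs(dict):
    """Directory attributes for one principal. A missing attribute renders
    as an empty string, the way jinja2's default Undefined does."""

    def __missing__(self, key):
        return ""


def render_rule(rule, attrs):
    """Render one mapping-rule template against principal attributes.

    A malformed template (for example a bare '$') makes string.Template
    raise ValueError; it is re-raised as CSRRuleError so the caller sees a
    rule-level failure instead of an unexpected internal error.
    """
    try:
        return Template(rule).substitute(_Attrs(attrs))
    except ValueError as exc:
        raise CSRRuleError(f"rule {rule!r} failed to render: {exc}") from exc


def build_subject(subject_rules, attrs):
    """Assemble a subject DN from (attribute type, rule) pairs, dropping
    components whose rule rendered empty. Returns "" when nothing applies."""
    parts = []
    for ava_type, rule in subject_rules:
        value = render_rule(rule, attrs)
        if value:
            parts.append(f"{ava_type}={value}")
    return ",".join(parts)


# Constructed script template. Directory-derived values are shell-quoted
# before insertion because the rendered script is meant to be run by bash.
CERTUTIL_SCRIPT = """#!/bin/bash
certutil -R $helper_args -s $subject -o $out -g 2048
"""


def render_csr_script(profile, attrs, helper_args="", out="request.csr"):
    """Produce the bash script for one profile/principal pair, or raise
    CSRRuleError when the rules yield no subject DN (for example a service
    profile applied to a user principal). helper_args is the operator's own
    string, passed through as given like --helper-args in cert-build."""
    subject = build_subject(profile["subject"], attrs)
    if not subject:
        raise CSRRuleError(
            "rules produced no subject DN; wrong profile for this principal?")
    return Template(CERTUTIL_SCRIPT).substitute(
        subject=shlex.quote(subject),
        helper_args=helper_args,
        out=shlex.quote(out),
    )


# Constructed profiles and principal data with hypothetical attribute names.
USER_PROFILE = {"subject": [("CN", "$uid"), ("O", "$realm")]}
SERVICE_PROFILE = {"subject": [("CN", "$fqdn")]}   # needs a host attribute
BROKEN_PROFILE = {"subject": [("CN", "$uid"), ("O", "$")]}  # bad template
USER_ATTRS = {"uid": "blipton", "realm": "EXAMPLE.TEST"}

if __name__ == "__main__":
    print(render_csr_script(USER_PROFILE, USER_ATTRS, "-d /tmp/certs"))
    for bad in (SERVICE_PROFILE, BROKEN_PROFILE):
        try:
            render_csr_script(bad, USER_ATTRS)
        except CSRRuleError as err:
            print("rejected:", err)
```

Running the block prints the generated script for the user profile, then the two rejections: the service profile yields an empty subject and is refused before any script is emitted, and the malformed rule is reported as a `CSRRuleError` instead of a raw `ValueError`. Quoting every directory-derived value with `shlex.quote` is what keeps a subject such as `CN=a b,O=R` a single `-s` argument in the rendered script.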