csrgen: Automate full cert request flow #434
Conversation
for unicode you can use either
ipaclient/plugins/cert.py
| yield arg | ||
|
|
||
| def forward(self, *keys, **options): | ||
| autogenerate = options.pop('autogenerate', False) |
I don't think autogenerate needs to (or should) be a separate option:
def forward(self, csr=None, **options):
autogenerate = csr is None
...
| 'private_key?', | ||
| label=_('Path to private key file'), | ||
| doc=_('Path to PEM file containing a private key'), | ||
| ), |
You will most certainly need a password (file) as well for the NSS database or private key.
ipaclient/plugins/cert.py
| helper_args = [private_key] | ||
| else: | ||
| raise errors.InvocationError( | ||
| format="One of 'database' or 'private_key' is required") |
You should use message= here.
ipaclient/plugins/cert.py
| scriptfile.close() | ||
| csrfile = tempfile.NamedTemporaryFile(delete=False) | ||
| csrfile.close() | ||
| csrfilename = csrfile.name |
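Review bot: with delete=False on both NamedTemporaryFile calls, nothing removes scriptfile and csrfile if the helper run or any later step raises before the explicit cleanup, so the generated script and the CSR file stay behind in the temp directory on the failure path; opening both in a with block (or a try/finally that unlinks them) covers that path as well as the success path.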
It would be better to put these into a with statement so that they are deleted automatically after use:
with NamedTemporaryFile() as scriptfile, NamedTemporaryFile() as csrfile:
...
ipaclient/plugins/cert.py
| # necessary | ||
| profile_id = options.get('profile_id') | ||
| if profile_id is None: | ||
| profile_id = self.get_default_of('profile_id') |
I know I suggested this to you, but I didn't realize it would require hard-coding the default profile name into profile_id in server-side cert_request. I would rather not do that and instead use dogtag.DEFAULT_PROFILE as the default value of profile_id in cert_get_requestdata. I'm aware that this goes against the idea of having the server decide what is the default profile, but cert_get_requestdata will be moved to the server, so this is only temporary.
ipaclient/plugins/cert.py
| raise errors.CertificateOperationError( | ||
| error=( | ||
| _('Error running "%(cmd)s" to generate CSR') % | ||
| {'cmd': ' '.join(helper_cmd)})) |
It would be nice to at least log the original error, or use it as part of the new error message. Ditto for the IOError below.
ipaclient/plugins/cert.py
| return rv | ||
| else: | ||
| if database is not None or private_key is not None: | ||
| raise errors.OptionError(format=_( |
This should be a MutuallyExclusiveError.
5e1ab64
to
79786f2
Thanks for the comments, and sorry about submitting this with lint errors. I think I've followed all of your suggestions, let me know what you think.
ipaclient/plugins/cert.py
| message=u"One of 'database' or 'private_key' is required") | ||
|
|
||
| with tempfile.NamedTemporaryFile( | ||
| ) as scriptfile, tempfile.NamedTemporaryFile() as csrfile: |
Nitpick: if you from tempfile import NamedTemporaryFile, then you might be able to fit this into a single line.
Had to shorten the name more to keep the descriptive variable names, is this ok?
ipaclient/plugins/cert.py
| raise errors.MutuallyExclusiveError(reason=_( | ||
| "Options 'database' and 'private_key' are not compatible" | ||
| " with 'csr'")) | ||
| return super(cert_request, self).forward(csr, **options) |
Nitpick: if you move this call one indentation level to the left, you will be able to remove the same call above.
Thank you. LGTM, but please squash the fixup commit.
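The option handling the review converged on (an omitted csr means autogenerate, exactly one of database/private_key, both temp files in a with block, and the helper's own error carried into the new one), as an added Python sketch that is not FreeIPA's code: the exception classes and function names are assumptions, and FAKE_HELPER is a constructed stand-in for the script cert-get-requestdata would emit.

```python
# Hypothetical sketch of the forward() behaviour the reviewers asked for;
# not FreeIPA code. Exception names and FAKE_HELPER are assumptions.
import subprocess
from tempfile import NamedTemporaryFile

class InvocationError(Exception): pass
class MutuallyExclusiveError(Exception): pass
class CertificateOperationError(Exception): pass

# Constructed stand-in for the script cert-get-requestdata would emit:
# $1 = CSR output path, $2 = key source kind, $3 = key source path.
FAKE_HELPER = """out="$1"; kind="$2"; path="$3"
[ -e "$path" ] || { echo "no such $kind: $path" >&2; exit 1; }
printf '%s\\n' '-----BEGIN CERTIFICATE REQUEST-----' placeholder '-----END CERTIFICATE REQUEST-----' > "$out"
"""

def helper_args(database=None, private_key=None):
    # Exactly one key source; anything else is an invocation error.
    if database is not None and private_key is not None:
        raise MutuallyExclusiveError("'database' and 'private_key'")
    if database is not None:
        return ['database', database]
    if private_key is not None:
        return ['private_key', private_key]
    raise InvocationError("One of 'database' or 'private_key' is required")

def cert_request(csr=None, database=None, private_key=None):
    autogenerate = csr is None  # no separate --autogenerate option needed
    if not autogenerate:
        if database is not None or private_key is not None:
            raise MutuallyExclusiveError(
                "Options 'database' and 'private_key' are not compatible with 'csr'")
        return {'csr': csr}  # submission is modelled as returning the CSR
    args = helper_args(database, private_key)
    # Both temp files are unlinked when the block exits, even on error.
    with NamedTemporaryFile('w') as scriptfile, NamedTemporaryFile('w+') as csrfile:
        scriptfile.write(FAKE_HELPER)
        scriptfile.flush()
        helper_cmd = ['sh', scriptfile.name, csrfile.name] + args
        try:
            subprocess.run(helper_cmd, check=True, capture_output=True, text=True)
        except subprocess.CalledProcessError as e:
            # Keep the helper's stderr instead of discarding the original error.
            raise CertificateOperationError('Error running "%s" to generate CSR: %s'
                                            % (' '.join(helper_cmd), e.stderr.strip()))
        csrfile.seek(0)
        return {'csr': csrfile.read()}
```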
Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR.
Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs
Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem
https://fedorahosted.org/freeipa/ticket/4899
In case users want multiple CSR generation profiles that work with the same dogtag profile, or in case the profiles are not named the same, this flag allows specifying an alternative CSR generation profile. https://fedorahosted.org/freeipa/ticket/4899
5f34122
to
83f4e89
@HonzaCholasta thanks, updated!
Adds `--autogenerate` flag to `ipa cert-request` command. It no longer requires a CSR passed on the command line, instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR.
Example usage (NSS database):
$ ipa cert-request --autogenerate --principal blipton --profile-id userCert --database /tmp/certs
Example usage (PEM private key file):
$ ipa cert-request --autogenerate --principal blipton --profile-id userCert --private-key /tmp/key.pem