diff options
author | Rob Crittenden <rcritten@redhat.com> | 2010-12-10 10:53:20 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-12-13 09:58:26 -0500 |
commit | 5f8a9b9849ea81d0400d915dee055968d8c680e6 (patch) | |
tree | 82c89b477165a06b1905c4ae70cf272ba214c296 /ipalib/plugins | |
parent | c9807f4b252055107118493b7d6b66309e3e0d27 (diff) | |
download | freeipa-5f8a9b9849ea81d0400d915dee055968d8c680e6.tar.gz freeipa-5f8a9b9849ea81d0400d915dee055968d8c680e6.tar.xz freeipa-5f8a9b9849ea81d0400d915dee055968d8c680e6.zip |
Add --out option to service, host and cert-show to save the cert to a file.
Override forward() to grab the result and if a certificate is in the entry
and the file is writable then dump the certificate in PEM format.
ticket 473
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/cert.py | 22 | ||||
-rw-r--r-- | ipalib/plugins/host.py | 21 | ||||
-rw-r--r-- | ipalib/plugins/service.py | 56 |
3 files changed, 98 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 60161cf1c..9dafe702a 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -71,6 +71,8 @@ from ipalib import pkcs10 from ipalib import x509 from ipalib.plugins.virtual import * from ipalib.plugins.service import split_principal +from ipalib.plugins.service import make_pem, check_writable_file +from ipalib.plugins.service import write_certificate import base64 import logging import traceback @@ -414,6 +416,12 @@ class cert_show(VirtualCommand): ), ) + takes_options = ( + Str('out?', + doc=_('file to store certificate in'), + ), + ) + operation="retrieve certificate" def execute(self, serial_number): @@ -443,6 +451,20 @@ class cert_show(VirtualCommand): return dict(result=result) + def forward(self, *keys, **options): + if 'out' in options: + check_writable_file(options['out']) + result = super(cert_show, self).forward(*keys, **options) + if 'usercertificate' in result['result']: + write_certificate(result['result']['usercertificate'][0], options['out']) + result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + return result + else: + raise errors.NoCertificateError(entry=keys[-1]) + else: + return super(cert_show, self).forward(*keys, **options) + + api.register(cert_show) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index a823fe001..22cd424ed 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -81,6 +81,8 @@ from ipalib.plugins.service import split_principal from ipalib.plugins.service import validate_certificate from ipalib.plugins.service import normalize_certificate from ipalib.plugins.service import set_certificate_attrs +from ipalib.plugins.service import make_pem, check_writable_file +from ipalib.plugins.service import write_certificate from ipalib.plugins.dns import dns_container_exists, _attribute_types from ipalib import _, ngettext from ipalib import x509 @@ -577,6 +579,12 @@ class host_show(LDAPRetrieve): Display information about a host. """ has_output_params = LDAPRetrieve.has_output_params + host_output_params + takes_options = LDAPRetrieve.takes_options + ( + Str('out?', + doc=_('file to store certificate in'), + ), + ) + member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): @@ -591,6 +599,19 @@ class host_show(LDAPRetrieve): return dn + def forward(self, *keys, **options): + if 'out' in options: + check_writable_file(options['out']) + result = super(host_show, self).forward(*keys, **options) + if 'usercertificate' in result['result']: + write_certificate(result['result']['usercertificate'][0], options['out']) + result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + return result + else: + raise errors.NoCertificateError(entry=keys[-1]) + else: + return super(host_show, self).forward(*keys, **options) + api.register(host_show) diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 1e555998d..7ea14d934 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -69,6 +69,7 @@ EXAMPLES: """ import base64 +import os from ipalib import api, errors, util from ipalib import Str, Flag, Bytes @@ -78,6 +79,7 @@ from ipalib import _, ngettext from ipalib import util import nss.nss as nss from nss.error import NSPRError +from ipapython.ipautil import file_exists output_params = ( @@ -219,6 +221,41 @@ def set_certificate_attrs(entry_attrs): entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0]) entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0]) +def check_writable_file(filename): + """ + Determine if the file is writable. If the file doesn't exist then + open the file to test writability. + """ + try: + if file_exists(filename): + if not os.access(filename, os.W_OK): + raise errors.FileError(reason=_('Permission denied: %(file)s') % dict(file=filename)) + else: + fp = open(filename, 'w') + fp.close() + except (IOError, OSError), e: + raise errors.FileError(reason=str(e)) + +def make_pem(data): + """ + Convert a raw base64-encoded blob into something that looks like a PE + file with lines split to 64 characters and proper headers. + """ + cert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)]) + return '-----BEGIN CERTIFICATE-----\n' + \ + cert + \ + '\n-----END CERTIFICATE-----' + +def write_certificate(cert, filename): + """ + Check to see if the certificate should be written to a file and do so. + """ + try: + fp = open(filename, 'w') + fp.write(make_pem(base64.b64encode(cert))) + fp.close() + except (IOError, OSError), e: + raise errors.FileError(reason=str(e)) class service(LDAPObject): """ @@ -411,7 +448,11 @@ class service_show(LDAPRetrieve): Display information about an IPA service. """ member_attributes = ['managedby'] - takes_options = LDAPRetrieve.takes_options + takes_options = LDAPRetrieve.takes_options + ( + Str('out?', + doc=_('file to store certificate in'), + ), + ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): if 'krblastpwdchange' in entry_attrs: @@ -425,6 +466,19 @@ class service_show(LDAPRetrieve): return dn + def forward(self, *keys, **options): + if 'out' in options: + check_writable_file(options['out']) + result = super(service_show, self).forward(*keys, **options) + if 'usercertificate' in result['result']: + write_certificate(result['result']['usercertificate'][0], options['out']) + result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out']) + return result + else: + raise errors.NoCertificateError(entry=keys[-1]) + else: + return super(service_show, self).forward(*keys, **options) + api.register(service_show) class service_add_host(LDAPAddMember): |