diff options
Diffstat (limited to 'ipaclient/remote_plugins/2_114/cert.py')
-rw-r--r-- | ipaclient/remote_plugins/2_114/cert.py | 376 |
1 files changed, 376 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_114/cert.py b/ipaclient/remote_plugins/2_114/cert.py new file mode 100644 index 000000000..763f63e37 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/cert.py @@ -0,0 +1,376 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA certificate operations + +Implements a set of commands for managing server SSL certificates. + +Certificate requests exist in the form of a Certificate Signing Request (CSR) +in PEM format. + +The dogtag CA uses just the CN value of the CSR and forces the rest of the +subject to values configured in the server. + +A certificate is stored with a service principal and a service principal +needs a host. + +In order to request a certificate: + +* The host must exist +* The service must exist (or you use the --add option to automatically add it) + +SEARCHING: + +Certificates may be searched on by certificate subject, serial number, +revocation reason, validity dates and the issued date. + +When searching on dates the _from date does a >= search and the _to date +does a <= search. When combined these are done as an AND. + +Dates are treated as GMT to match the dates in the certificates. + +The date format is YYYY-mm-dd. + +EXAMPLES: + + Request a new certificate and add the principal: + ipa cert-request --add --principal=HTTP/lion.example.com example.csr + + Retrieve an existing certificate: + ipa cert-show 1032 + + Revoke a certificate (see RFC 5280 for reason details): + ipa cert-revoke --revocation-reason=6 1032 + + Remove a certificate from revocation hold status: + ipa cert-remove-hold 1032 + + Check the status of a signing request: + ipa cert-status 10 + + Search for certificates by hostname: + ipa cert-find --subject=ipaserver.example.com + + Search for revoked certificates by reason: + ipa cert-find --revocation-reason=5 + + Search for certificates based on issuance date + ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07 + +IPA currently immediately issues (or declines) all certificate requests so +the status of a request is not normally useful. This is for future use +or the case where a CA does not immediately issue a certificate. + +The following revocation reasons are supported: + + * 0 - unspecified + * 1 - keyCompromise + * 2 - cACompromise + * 3 - affiliationChanged + * 4 - superseded + * 5 - cessationOfOperation + * 6 - certificateHold + * 8 - removeFromCRL + * 9 - privilegeWithdrawn + * 10 - aACompromise + +Note that reason code 7 is not used. See RFC 5280 for more details: + +http://www.ietf.org/rfc/rfc5280.txt +""") + +register = Registry() + + +@register() +class ca_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the CA service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cert_find(Command): + __doc__ = _("Search for existing certificates.") + + takes_options = ( + parameters.Str( + 'subject', + required=False, + label=_(u'Subject'), + ), + parameters.Int( + 'revocation_reason', + required=False, + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + ), + parameters.Int( + 'min_serial_number', + required=False, + doc=_(u'minimum serial number'), + ), + parameters.Int( + 'max_serial_number', + required=False, + doc=_(u'maximum serial number'), + ), + parameters.Flag( + 'exactly', + required=False, + doc=_(u'match the common name exactly'), + default=False, + autofill=True, + ), + parameters.Str( + 'validnotafter_from', + required=False, + doc=_(u'Valid not after from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotafter_to', + required=False, + doc=_(u'Valid not after to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_from', + required=False, + doc=_(u'Valid not before from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_to', + required=False, + doc=_(u'Valid not before to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_from', + required=False, + doc=_(u'Issued on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_to', + required=False, + doc=_(u'Issued on to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_from', + required=False, + doc=_(u'Revoked on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_to', + required=False, + doc=_(u'Revoked on to this date (YYYY-mm-dd)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of certs returned'), + default=100, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cert_remove_hold(Command): + __doc__ = _("Take a revoked certificate off hold.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_request(Command): + __doc__ = _("Submit a certificate signing request.") + + takes_args = ( + parameters.Str( + 'csr', + cli_name='csr_file', + label=_(u'CSR'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'principal', + label=_(u'Principal'), + doc=_(u'Service principal for this certificate (e.g. HTTP/test.example.com)'), + ), + parameters.Str( + 'request_type', + default=u'pkcs10', + autofill=True, + ), + parameters.Flag( + 'add', + doc=_(u"automatically add the principal if it doesn't exist"), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class cert_revoke(Command): + __doc__ = _("Revoke a certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Int( + 'revocation_reason', + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + default=0, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_show(Command): + __doc__ = _("Retrieve an existing certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'out', + required=False, + label=_(u'Output filename'), + doc=_(u'File to store the certificate in.'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_status(Command): + __doc__ = _("Check the status of a certificate signing request.") + + takes_args = ( + parameters.Str( + 'request_id', + label=_(u'Request id'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) |