[Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

Ben Lipton blipton at redhat.com
Tue Jul 19 20:20:40 UTC 2016


Hi,

I have updated the design page 
http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules 
with my plan for implementing user-configurable rules for mapping IPA 
data into certificate requests. In brief: we will use Jinja2 for 
templating. Data rules (which map individual data items) and syntax 
rules (which group them into certificate fields) will both be snippets 
of Jinja2 markup. The formatting process will be as follows:
1. Syntax rules will be rendered using Jinja2. Data rules (rule text, 
not rendered) will be passed as the datarules attribute.
2. Rendered syntax rules will be processed by the Formatter class for 
the selected CSR generation helper (e.g. openssl or certutil). The 
formatter combines these partial rules into a full template for the config.
3. The template will be rendered using Jinja2. Relevant data from the 
IPA database will be available in the context for this rendering.
4. The final rendered template will be returned to the caller, labeled 
with its function (e.g. a command line or a config file).

Are there any comments or objections to this approach? Here's an example 
to show what it might look like in practice.

Example data rules:
email={{subject.email}}
O={{config.ipacertificatesubjectbase}}\nCN={{subject.username}}

Example syntax rule:
subjectAltName=@{% section %}{{datarules|join('\n')}}{% endsection %}

Example composed config template:
[ req ]
prompt = no
encrypt_key = no

distinguished_name = {% section %}O={{config.ipacertificatesubjectbase}}
CN={{subject.username}}{% endsection %}

req_extensions = exts

[ exts ]
subjectAltName=@{% section %}email={{subject.email}}{% endsection %}

There's a lot more information about the thinking behind this at 
http://blog.benjaminlipton.com/2016/07/19/csr-generation-templating.html 
if you're interested, as well.

Thanks,
Ben
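The two-pass rendering described in the message above, as an added example that is not part of the original post or of FreeIPA. It assumes jinja2 is installed; `SectionExtension` and `KeepSections` are hypothetical implementations of the `{% section %}` tag, which stock Jinja2 does not provide, and `openssl_san_config` stands in for the Formatter step. It also shows that IPA data enters only the final render, as context rather than template text, so a value containing `{{ ... }}` is emitted literally instead of being evaluated.

```python
# Added example, not FreeIPA code. Assumes jinja2 is installed; the section
# tag classes below are a hypothetical stand-in for the design's {% section %}.
from jinja2 import Environment, nodes
from jinja2.ext import Extension


class SectionExtension(Extension):
    """Parse {% section %}...{% endsection %}; by default, strip the tags."""
    tags = {"section"}

    def parse(self, parser):
        lineno = next(parser.stream).lineno          # consume the 'section' token
        body = parser.parse_statements(("name:endsection",), drop_needle=True)
        call = self.call_method("_render", [])
        return nodes.CallBlock(call, [], [], body).set_lineno(lineno)

    def _render(self, caller):
        return caller()


class KeepSections(SectionExtension):
    """Pass 1 variant: re-emit the tags so the Formatter and pass 2 still see them."""
    def _render(self, caller):
        return "{% section %}" + caller() + "{% endsection %}"


def render_syntax_rule(syntax_rule, data_rules):
    # Pass 1: data rules are passed as *unrendered text* in the 'datarules' attribute.
    env = Environment(extensions=[KeepSections])
    return env.from_string(syntax_rule).render(datarules=data_rules)


def render_config(template, **context):
    # Pass 3: IPA data is context only; nothing in it is parsed as template markup.
    env = Environment(extensions=[SectionExtension])
    return env.from_string(template).render(**context)


def openssl_san_config(data_rules, subject):
    """Return (rendered syntax rule, final config) for the subjectAltName example."""
    # Jinja2 unescapes '\n' inside its string literals, as in the mail's rule text.
    syntax_rule = "subjectAltName=@{% section %}{{datarules|join('\\n')}}{% endsection %}"
    partial = render_syntax_rule(syntax_rule, data_rules)
    template = "[ exts ]\n" + partial        # pass 2 stand-in: Formatter composes the config
    return partial, render_config(template, subject=subject)
```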