[Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

Ben Lipton blipton at redhat.com
Fri Sep 2 02:19:08 UTC 2016


On 07/27/2016 02:42 PM, Ben Lipton wrote:
> On 07/21/2016 11:43 AM, Petr Spacek wrote:
>> Besides this nit,
>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation
>> sounds reasonable. I like how it prevents bad data from template-injection.
>
> That's what I like about it, too. It does turn out to make things a 
> little tricky when it comes to writing rules that won't render if the 
> data they depend on is unavailable. (Because instead of rendering 
> individual rules which we can drop if they're missing data, we build 
> one big template that has to handle missing data correctly on its 
> own.) I think it's probably still worth it, though. I added this to 
> the "Alternatives considered" section of the above document.

By the way, I just wrote a followup blog post on this subject: 
describing the challenges I've had with suppressing rules when the data 
isn't available, and wondering if it's worth it. The post is here: 
http://blog.benjaminlipton.com/2016/09/01/rule-suppression.html. It 
might be a bit of a dense read, but I wanted to have the considerations 
documented at least. As always, please let me know if there's anything I 
can clarify. And if you do happen to read it and it makes you prefer one 
solution over the others, I'd love to hear your opinion.

Ben
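The two points raised above, shown as an added example that is not code from this thread or from FreeIPA: passing attribute data to Jinja2 as render context (instead of splicing it into the template source) is what stops template injection, and once every rule lives in one combined template, that template has to guard each rule against missing data itself. The rule syntax (an openssl.cnf-like `email = ...` / `DNS = ...` line), the `subject.email` / `subject.dnsname` variable names and the sample values are assumptions made for the illustration. It needs the `jinja2` package.

```python
"""Added example (not FreeIPA's code): Jinja2 template injection versus
render-context data, and rule suppression in one combined template."""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import UndefinedError

# StrictUndefined turns any use of missing data into an error instead of
# an empty string, so a rule cannot silently emit "email = " with no value.
env = Environment(undefined=StrictUndefined, autoescape=False)

# Constructed sample rules in an assumed openssl.cnf-like syntax.
UNSAFE_RULE = "email = {value}"             # data spliced into template text
EMAIL_RULE = "email = {{ subject.email }}"  # data referenced, supplied at render
DNS_RULE = "DNS = {{ subject.dnsname }}"


def render_unsafe(rule, value):
    """Template injection: attribute data becomes part of the template
    source, so a value containing Jinja2 syntax is executed as code."""
    return env.from_string(rule.format(value=value)).render()


def render_safe(rule, data):
    """Data is only ever a render variable; braces inside it stay literal."""
    return env.from_string(rule).render(**data)


def render_rules_individually(rules, data):
    """Per-rule rendering: each rule is its own template, and a rule whose
    data is missing is simply dropped from the output."""
    out = []
    for rule in rules:
        try:
            out.append(env.from_string(rule).render(**data))
        except UndefinedError:
            pass  # suppress the rule; nothing else is affected
    return out


# Combined rendering: one template for all rules.  With StrictUndefined an
# unguarded reference to missing data aborts the whole render, so every
# rule must carry its own "is defined" guard.
UNGUARDED_TEMPLATE = """\
email = {{ subject.email }}
DNS = {{ subject.dnsname }}
"""

COMBINED_TEMPLATE = """\
{%- if subject.email is defined %}
email = {{ subject.email }}
{%- endif %}
{%- if subject.dnsname is defined %}
DNS = {{ subject.dnsname }}
{%- endif %}
"""


def render_unguarded(data):
    """Returns the rendered lines, or None when missing data aborts the render."""
    try:
        return env.from_string(UNGUARDED_TEMPLATE).render(**data).strip().splitlines()
    except UndefinedError:
        return None


def render_combined(data):
    """Single template that suppresses each rule whose data is missing."""
    return env.from_string(COMBINED_TEMPLATE).render(**data).strip().splitlines()


if __name__ == "__main__":
    hostile = "{{ 7 * 6 }}"  # constructed attribute value carrying template syntax
    print("unsafe :", render_unsafe(UNSAFE_RULE, hostile))   # email = 42
    print("safe   :", render_safe(EMAIL_RULE, {"subject": {"email": hostile}}))
    partial = {"subject": {"email": "a@example.com"}}        # no dnsname
    print("per-rule :", render_rules_individually([EMAIL_RULE, DNS_RULE], partial))
    print("unguarded:", render_unguarded(partial))           # None
    print("combined :", render_combined(partial))
```

The per-rule path gets suppression for free by catching the error per template; the combined path has to express the same thing inside the template with `{% if ... is defined %}` around every rule, which is the extra bookkeeping the message above describes.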