#157 dogtag: use POST for profileProcess requests
Merged 3 years ago by rcritten. Opened 3 years ago by ftweedal.
ftweedal/certmonger fix/ipa8373-profileProcess-POST  into  master

file modified
+19 -10
@@ -114,6 +114,7 @@ 

  main(int argc, const char **argv)

  {

  	const char *eeurl = NULL, *agenturl = NULL, *url = NULL, *url2 = NULL;

+ 	const char *method = NULL, *method2 = NULL;

  	const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;

  	const char *sslcert = NULL, *sslkey = NULL;

  	const char *sslpin = NULL, *sslpinfile = NULL;
@@ -498,10 +499,11 @@ 

  		return CM_SUBMIT_STATUS_UNCONFIGURED;

  		break;

  	case op_submit:

+ 		method = DOGTAG_PROFILE_SUBMIT_METHOD;

  		url = talloc_asprintf(ctx, "%s/%s", eeurl,

  				      use_agent_submission ?

- 				      "profileSubmitSSLClient" :

- 				      "profileSubmit");

+ 				      DOGTAG_PROFILE_SUBMIT_AGENT_RESOURCE :

+ 				      DOGTAG_PROFILE_SUBMIT_RESOURCE);

  		template = cm_submit_u_url_encode(template);

  		if ((serial != NULL) && (strlen(serial) > 0) && !force_new) {

  			/* Renew-by-serial. */
@@ -595,7 +597,8 @@ 

  		break;

  	case op_check:

  		/* Check if the certificate has been issued or rejected. */

- 		url = talloc_asprintf(ctx, "%s/checkRequest", eeurl);

+ 		method = DOGTAG_CHECK_REQUEST_METHOD;

+ 		url = talloc_asprintf(ctx, "%s/%s", eeurl, DOGTAG_CHECK_REQUEST_RESOURCE);

  		params = talloc_asprintf(ctx,

  					 "%s&"

  					 "xml=true",
@@ -617,8 +620,10 @@ 

  		}

  		/* Reading profile defaults for this certificate, then applying

  		 * them and issuing a new certificate. */

- 		url = talloc_asprintf(ctx, "%s/profileReview", agenturl);

- 		url2 = talloc_asprintf(ctx, "%s/profileProcess", agenturl);

+ 		method = DOGTAG_PROFILE_REVIEW_METHOD;

+ 		url = talloc_asprintf(ctx, "%s/%s", agenturl, DOGTAG_PROFILE_REVIEW_RESOURCE);

+ 		method2 = DOGTAG_PROFILE_PROCESS_METHOD;

+ 		url2 = talloc_asprintf(ctx, "%s/%s", agenturl, DOGTAG_PROFILE_PROCESS_RESOURCE);

  		params = talloc_asprintf(ctx,

  					 "%s&"

  					 "xml=true",
@@ -631,7 +636,8 @@ 

  		break;

  	case op_retrieve:

  		/* Retrieving the new certificate. */

- 		url = talloc_asprintf(ctx, "%s/displayCertFromRequest", eeurl);

+ 		method = DOGTAG_DISPLAY_CERT_METHOD;

+ 		url = talloc_asprintf(ctx, "%s/%s", eeurl, DOGTAG_DISPLAY_CERT_RESOURCE);

  		params = talloc_asprintf(ctx,

  					 "%s&"

  					 "importCert=true&"
@@ -641,7 +647,8 @@ 

  		break;

  	case op_profiles:

  		/* Retrieving the list of profiles. */

- 		url = talloc_asprintf(ctx, "%s/profileList", eeurl);

+ 		method = DOGTAG_PROFILE_LIST_METHOD;

+ 		url = talloc_asprintf(ctx, "%s/%s", eeurl, DOGTAG_PROFILE_LIST_RESOURCE);

  		if (strlen(params) > 0) {

  			params = talloc_asprintf(ctx,

  						 "%s&"
@@ -669,7 +676,7 @@ 

  	/* Submit the form(s). */

  	hctx = NULL;

  	while (url != NULL) {

- 		hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,

+ 		hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,

  					cainfo, capath, sslcert, sslkey, sslpin,

  					cm_submit_h_negotiate_off,

  					cm_submit_h_delegate_off,
@@ -684,10 +691,10 @@ 

  		lastparams = params;

  		cm_submit_h_run(hctx);

  		if (verbose > 0) {

- 			fprintf(stderr, "%s \"%s?%s\"\n", "GET", url, params);

+ 			fprintf(stderr, "%s \"%s?%s\"\n", method, url, params);

  			fprintf(stderr, "code = %d\n", cm_submit_h_result_code(hctx));

  			fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx));

- 			syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params);

+ 			syslog(LOG_DEBUG, "%s %s?%s\n", method, url, params);

  		}

  		results = cm_submit_h_results(hctx, NULL);

  		if (verbose > 0) {
@@ -762,6 +769,8 @@ 

  		url2 = NULL;

  		params = params2;

  		params2 = NULL;

+ 		method = method2;

+ 		method2 = NULL;

  	}

  

  	/* Figure out what to output. */
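Review bot: `method` is only initialised to NULL at the top of main() and is now passed straight to cm_submit_h_init() in the `while (url != NULL)` hunk, so any `case` that sets `url` without also setting `method` (none of the visible cases, but the switch is not shown in full) would hand a NULL method to the HTTP helper where "GET" was previously passed unconditionally; a fallback before the call, `if (method == NULL) method = HTTP_METHOD_GET;`, keeps the old default for such a path. The verbose diagnostics in the next hunk, `fprintf(stderr, "%s \"%s?%s\"\n", method, url, params)` and the matching syslog line, still render the parameters as a query string even when the method is POST, where they are presumably carried in the request body, so the debug output no longer matches the request on the wire; a comment there, or printing the method and URL separately from the parameters, would avoid misleading whoever reads the log. Note also that this file's op_submit path moves from GET to POST as well via DOGTAG_PROFILE_SUBMIT_METHOD, which the PR description (profileProcess only) does not mention; the description or commit message should say so. main() begins and ends outside these hunks.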

file modified
+18 -18
@@ -1013,8 +1013,8 @@ 

  	ctx = talloc_new(NULL);

  	switch (op) {

  	case op_submit_csr:

- 		method = "POST";

- 		cgi = "profileSubmit";

+ 		method = DOGTAG_PROFILE_SUBMIT_METHOD;

+ 		cgi = DOGTAG_PROFILE_SUBMIT_RESOURCE;

  		p = cm_submit_u_from_file_single(file);

  		if (p == NULL) {

  			printf("Error reading CSR from \"%s\".\n", file);
@@ -1046,8 +1046,8 @@ 

  		}

  		break;

  	case op_submit_serial:

- 		method = "POST";

- 		cgi = "profileSubmit";

+ 		method = DOGTAG_PROFILE_SUBMIT_METHOD;

+ 		cgi = DOGTAG_PROFILE_SUBMIT_RESOURCE;

  		params = talloc_asprintf(ctx,

  					 "profileId=%s&"

  					 "serial_num=%s&"
@@ -1069,16 +1069,16 @@ 

  		}

  		break;

  	case op_review:

- 		method = "GET";

- 		cgi = "profileReview";

+ 		method = DOGTAG_PROFILE_REVIEW_METHOD;

+ 		cgi = DOGTAG_PROFILE_REVIEW_RESOURCE;

  		params = talloc_asprintf(ctx,

  					 "requestId=%d&"

  					 "xml=true",

  					 id);

  		break;

  	case op_reject:

- 		method = "GET";

- 		cgi = "profileProcess";

+ 		method = DOGTAG_PROFILE_PROCESS_METHOD;

+ 		cgi = DOGTAG_PROFILE_PROCESS_RESOURCE;

  		params = talloc_asprintf(ctx,

  					 "requestId=%d&"

  					 "op=reject&"
@@ -1088,8 +1088,8 @@ 

  	case op_approve:

  		if ((defaults == NULL) && (specified_values == NULL)) {

  			/* ask the server for its defaults */

- 			method = "GET";

- 			cgi = "profileReview";

+ 			method = DOGTAG_PROFILE_REVIEW_METHOD;

+ 			cgi = DOGTAG_PROFILE_REVIEW_RESOURCE;

  			params = talloc_asprintf(ctx,

  						 "requestId=%d&"

  						 "xml=true",
@@ -1097,8 +1097,8 @@ 

  		} else

  		if (specified_values != NULL) {

  			/* use values specified as CLI options */

- 			method = "GET";

- 			cgi = "profileProcess";

+ 			method = DOGTAG_PROFILE_PROCESS_METHOD;

+ 			cgi = DOGTAG_PROFILE_PROCESS_RESOURCE;

  			params = talloc_asprintf(ctx,

  						 "requestId=%d&"

  						 "op=approve&"
@@ -1106,8 +1106,8 @@ 

  						 id, specified_values);

  		} else {

  			/* use previously-retrieved defaults */

- 			method = "GET";

- 			cgi = "profileProcess";

+ 			method = DOGTAG_PROFILE_PROCESS_METHOD;

+ 			cgi = DOGTAG_PROFILE_PROCESS_RESOURCE;

  			params = talloc_asprintf(ctx,

  						 "requestId=%d&"

  						 "op=approve&"
@@ -1130,8 +1130,8 @@ 

  		}

  		break;

  	case op_check:

- 		method = "GET";

- 		cgi = "checkRequest";

+ 		method = DOGTAG_CHECK_REQUEST_METHOD;

+ 		cgi = DOGTAG_CHECK_REQUEST_RESOURCE;

  		params = talloc_asprintf(ctx,

  					 "requestId=%d&"

  					 "importCert=true&"
@@ -1139,8 +1139,8 @@ 

  					 id);

  		break;

  	case op_fetch:

- 		method = "GET";

- 		cgi = "displayCertFromRequest";

+ 		method = DOGTAG_DISPLAY_CERT_METHOD;

+ 		cgi = DOGTAG_DISPLAY_CERT_RESOURCE;

  		params = talloc_asprintf(ctx,

  					 "requestId=%d&"

  					 "importCert=true&"

file modified
+17
@@ -18,6 +18,23 @@ 

  #ifndef cmsubmitd_h

  #define cmsubmitd_h

  

+ #define HTTP_METHOD_GET "GET"

+ #define HTTP_METHOD_POST "POST"

+ 

+ #define DOGTAG_PROFILE_SUBMIT_METHOD HTTP_METHOD_POST

+ #define DOGTAG_PROFILE_SUBMIT_RESOURCE "profileSubmit"

+ #define DOGTAG_PROFILE_SUBMIT_AGENT_RESOURCE "profileSubmitSSLClient"

+ #define DOGTAG_PROFILE_REVIEW_METHOD HTTP_METHOD_GET

+ #define DOGTAG_PROFILE_REVIEW_RESOURCE "profileReview"

+ #define DOGTAG_PROFILE_PROCESS_METHOD HTTP_METHOD_POST

+ #define DOGTAG_PROFILE_PROCESS_RESOURCE "profileProcess"

+ #define DOGTAG_PROFILE_LIST_METHOD HTTP_METHOD_GET

+ #define DOGTAG_PROFILE_LIST_RESOURCE "profileList"

+ #define DOGTAG_CHECK_REQUEST_METHOD HTTP_METHOD_GET

+ #define DOGTAG_CHECK_REQUEST_RESOURCE "checkRequest"

+ #define DOGTAG_DISPLAY_CERT_METHOD HTTP_METHOD_GET

+ #define DOGTAG_DISPLAY_CERT_RESOURCE "displayCertFromRequest"

+ 

  int cm_submit_d_submit_result(void *parent, const char *xml,

  			      char **error_code, char **error_reason,

  			      char **error, char **status,
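Review bot: `HTTP_METHOD_GET` and `HTTP_METHOD_POST` are generic, unprefixed macro names exported from a project header, so any other header included in the same translation unit that spells the same names will cause a redefinition warning or, with a different expansion, a silent mismatch; the other new macros carry a `DOGTAG_` prefix and these two could follow the same scheme, e.g. `#define CM_HTTP_METHOD_GET "GET"` and `#define CM_HTTP_METHOD_POST "POST"`. The block also has no comment saying what the pairs are for; a one-line comment above it such as `/* HTTP method and servlet name for each Dogtag CA endpoint; profileProcess must be POST (freeipa issue 8373). */` would tell a later reader why the submit and process endpoints use POST while the rest use GET, and that changing a `_METHOD` value changes what the server sees.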

An upcoming change to Dogtag requires HTTP POST method for
profileProcess operations. Update certmonger to use POST for these
operations.

Fixes: https://pagure.io/freeipa/issue/8373


This looks good. What is the timeline for the dogtag change?

I tested this against current dogtag via freeIPA in F31 and it installs fine and was able to renew a couple of certs just fine.

@rcritten the change was reverted from the active PR (which has now been merged) and will be deferred until after this certmonger change lands and sees a release. (See https://github.com/dogtagpki/pki/pull/446 ). @dmoluguw can best answer what the desired timeframe is.

I just want to be sure that if I commit and ship this I'm not going to break existing installations and will future-proof for the upcoming dogtag.

@rcritten I've tested with current and patched Dogtag. I am not worried about breakage.

Pull-Request has been merged by rcritten

3 years ago