Add Certificate Authority functionality for AD#209
Conversation
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
This is a great start and as I mentioned earlier my main initial concern is around the request()/request_smartcard() methods.
My main thought here is to make request() align more closely with what you wrote for the IPA one so we can abstract it out to the GenericProvider later. I think the current request() could be made request_enrollment() and request_smartcard() renamed to request with some minor changes.
You might also consider a method to generate the INF file based on some basic input like template, subject, keysize. Then use template to select which set of configs to use for the INF based on that.
krishnavema
force-pushed
the
ad-certificate-management
branch
2 times, most recently
from
eedd166 to
bec5310
Compare
krishnavema
force-pushed
the
ad-certificate-management
branch
2 times, most recently
from
fc5e3ee to
e3824a9
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
Overall, this looks great, with a few minor nitpicks and a couple of larger requested changes.
|
@krishnavema I'm sorry, I did review this before I left for PTO but I didn't click submit review. |
krishnavema
force-pushed
the
ad-certificate-management
branch
from
e3824a9 to
cc761a8
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
Another glance and it's looking very good. Just a question about the PSIni module calls you have in the request methods. I can't seem to find those.
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
This is great, nitpicks and missing unit tests for the misc functions.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
cc761a8 to
c55f41c
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
I haven't tested it, but besides the single nitpick, I think this looks great. It does need to be tested; tentative approval until Scott or I can test it.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
c55f41c to
01cd51d
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
Some notes after trying to test.
- I believe the __request_enrollment() method in AD may not be necessary.
Most (if not every) smart card certificate case we'll need to cover will require an Enrollment Agent certificate because we're using Administrator to request certificates for other users. In this case, we could just create a default enrollment agent certificate for Administrator during the AD environment setup (still TBD). If we do this, we can simply have a method to get the hash for it that can be used inside of the request() method instead of passing it in to that method.
If you want to keep the code to generate the enrollment agent certificate, I would suggest making __request_enrollment() called only once during class init() or __setup() since we only need one enrollment certificate to issue other certificates.
- I think request() will be used far more than request_basic() so the latter may not be necessary either.
Since request() is what should be in the generic class, and we don't have a request_basic() for IPA, I don't think we'll need this (at least for smart card testing). If you want to keep it around for other potential usage later, I'm ok with that. It should be noted though that currently running requst_basic() even with a user name specified for the subject will return a certificate with subject = CN=Administrator. That's why we have to use the "Enroll On Behalf Of" functionality to get "CN=username" for the issued certificate's subject.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
01cd51d to
1072f70
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
Updates from test findings.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
1072f70 to
1fe7c92
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
Ok, after a lot of digging and working through some test environment issues, I got a good test with the following changes I suggest. I'll send more info directly on some test env setup changes you'll need to make as well.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
1fe7c92 to
2d0bd8c
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
I think there are some places you might be able to simplify the code a little and make it easier to read like:
- use of raise_on_error=False with result checks instead of relying on raising an exception in the host.conn.run() failures.
- indentation of some of the powershell code. maybe we can move the content into variables indented and use textwrap.dedent() to make it a little easier to read?
I'd like to get feedback from you and @danlavu on some of those points. Overall it looks good. My tests are working with this code as it is now so that's awesome!
krishnavema
force-pushed
the
ad-certificate-management
branch
from
2d0bd8c to
30c78fc
Compare
krishnavema
force-pushed
the
ad-certificate-management
branch
from
30c78fc to
9a6668a
Compare
krishnavema
force-pushed
the
ad-certificate-management
branch
from
9a6668a to
c080630
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
Looks good, the identical parser functions I'd like to clarify on, would like to start the discussion to determine the differences for ipa.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
c080630 to
a7ccfad
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
Thanks for the big patch, good stuff.
|
LGTM. I was able to test the code with some additional setup on AD and with DNS updates in sssd-ci-containers that is in progress now. Also it should be noted that in order to test properly with Kerberos I had to change the crypto policy on the client to allow SHA1 for AD. Tested with a slightly modified version of test mentioned elsewhere: I'm holding off approving until the test issue is resolved. I believe you just need to rebase with master to fix the issue though. After that and letting the tests run again, I believe I'll be able to approve and merge this. |
krishnavema
force-pushed
the
ad-certificate-management
branch
from
a7ccfad to
88deb94
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
LGTM. All tests now passing after rebase. Thank you!
3 participants
Implement certificate authority for AD