Add Certificate Authority functionality for AD #209
Conversation
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
This is a great start and as I mentioned earlier my main initial concern is around the request()/request_smartcard() methods.
My main thought here is to make request() align more closely with what you wrote for the IPA one so we can abstract it out to the GenericProvider later. I think the current request() could be made request_enrollment() and request_smartcard() renamed to request with some minor changes.
You might also consider a method to generate the INF file based on some basic input like template, subject, keysize. Then use template to select which set of configs to use for the INF based on that.
krishnavema
force-pushed
the
ad-certificate-management
branch
2 times, most recently
from
eedd166 to
bec5310
Compare
krishnavema
force-pushed
the
ad-certificate-management
branch
2 times, most recently
from
fc5e3ee to
e3824a9
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
Overall, this looks great, with a few minor nitpicks and a couple of larger requested changes.
|
@krishnavema I'm sorry, I did review this before I left for PTO but I didn't click submit review. |
krishnavema
force-pushed
the
ad-certificate-management
branch
from
e3824a9 to
cc761a8
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
Another glance and it's looking very good. Just a question about the PSIni module calls you have in the request methods. I can't seem to find those.
sssd_test_framework/roles/ad.py
Outdated
| self.host.conn.run( | ||
| f""" | ||
| $iniPath = "{inf_path}" | ||
| New-PsIniFile -Path $iniPath |
There was a problem hiding this comment.
I can't find these cmdlets on my AD server and they don't seem to be a part of PSIni from what I can tell. Maybe I'm missing something. Is this from a custom or external module?
There was a problem hiding this comment.
PsIni is loaded into the image, but it is a third-party module.
sssd-ci-containers/src/ansible/roles/ad/tasks/main.yml
- name: Install powershell modules
win_shell: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Get-PackageProvider NuGet -ForceBootstrap
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
Install-Module PSIni -RequiredVersion 3.1.4 -Confirm:$False
We are using it with the GPO stuff.
There was a problem hiding this comment.
I think that the problem with module i guess so i reverted to normal powershell script .
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
This is great, nitpicks and missing unit tests for the misc functions.
sssd_test_framework/roles/ad.py
Outdated
| self.host.conn.run( | ||
| f""" | ||
| $iniPath = "{inf_path}" | ||
| New-PsIniFile -Path $iniPath |
There was a problem hiding this comment.
PsIni is loaded into the image, but it is a third-party module.
sssd-ci-containers/src/ansible/roles/ad/tasks/main.yml
- name: Install powershell modules
win_shell: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Get-PackageProvider NuGet -ForceBootstrap
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
Install-Module PSIni -RequiredVersion 3.1.4 -Confirm:$False
We are using it with the GPO stuff.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
cc761a8 to
c55f41c
Compare
danlavu
left a comment
danlavu
left a comment
There was a problem hiding this comment.
I haven't tested it, but besides the single nitpick, I think this looks great. It does need to be tested; tentative approval until Scott or I can test it.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
c55f41c to
01cd51d
Compare
spoore1
left a comment
spoore1
left a comment
There was a problem hiding this comment.
Some notes after trying to test.
- I believe the __request_enrollment() method in AD may not be necessary.
Most (if not every) smart card certificate case we'll need to cover will require an Enrollment Agent certificate because we're using Administrator to request certificates for other users. In this case, we could just create a default enrollment agent certificate for Administrator during the AD environment setup (still TBD). If we do this, we can simply have a method to get the hash for it that can be used inside of the request() method instead of passing it in to that method.
If you want to keep the code to generate the enrollment agent certificate, I would suggest making __request_enrollment() called only once during class init() or __setup() since we only need one enrollment certificate to issue other certificates.
- I think request() will be used far more than request_basic() so the latter may not be necessary either.
Since request() is what should be in the generic class, and we don't have a request_basic() for IPA, I don't think we'll need this (at least for smart card testing). If you want to keep it around for other potential usage later, I'm ok with that. It should be noted though that currently running requst_basic() even with a user name specified for the subject will return a certificate with subject = CN=Administrator. That's why we have to use the "Enroll On Behalf Of" functionality to get "CN=username" for the issued certificate's subject.
krishnavema
force-pushed
the
ad-certificate-management
branch
from
01cd51d to
1072f70
Compare
Implement certificate authority for AD