Add Certificate Authority functionality for AD #209
Conversation
spoore1
left a comment
This is a great start and as I mentioned earlier my main initial concern is around the request()/request_smartcard() methods.
My main thought here is to make request() align more closely with what you wrote for the IPA one so we can abstract it out to the GenericProvider later. I think the current request() could be made request_enrollment() and request_smartcard() renamed to request with some minor changes.
You might also consider a method to generate the INF file based on some basic input like template, subject, keysize. Then use template to select which set of configs to use for the INF based on that.
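As an added example (not code from this PR or from the project), here is one way to do what the comment above suggests: derive the certreq INF text from a template name, subject and key size, and pick the per-template settings from a table. The template names, provider settings and the `_TEMPLATE_OVERRIDES` table are constructed assumptions; a real CA's template definitions decide which values are valid. The example also parses the INF back into a dict so a test can check what was written before it reaches the Windows host.

```python
"""Build and parse a certreq INF file from a template name, subject and key size.

Added example, not code from the PR or the project. The template names,
provider settings and the _TEMPLATE_OVERRIDES table are constructed
assumptions; the CA's own templates decide which values are valid.
"""
from __future__ import annotations

import configparser

# Settings shared by every request; each key is a documented [NewRequest] option.
_BASE_REQUEST: dict[str, str] = {
    "Exportable": "FALSE",
    "KeySpec": "1",                # AT_KEYEXCHANGE
    "KeyUsage": "0xa0",            # digitalSignature | keyEncipherment
    "MachineKeySet": "FALSE",
    "ProviderName": "Microsoft Enhanced Cryptographic Provider v1.0",
    "ProviderType": "1",
    "RequestType": "PKCS10",
    "HashAlgorithm": "sha256",
}

# Per-template overrides layered on top of the shared defaults (constructed).
_TEMPLATE_OVERRIDES: dict[str, dict[str, str]] = {
    "User": {},
    "SmartcardLogon": {
        "ProviderName": "Microsoft Base Smart Card Crypto Provider",
        "Exportable": "FALSE",
    },
    "WebServer": {"MachineKeySet": "TRUE"},
}

_ALLOWED_KEY_SIZES = (2048, 3072, 4096)


def build_inf(template: str, subject: str, keysize: int = 2048) -> str:
    """Return certreq INF text for *template*, or raise ValueError on bad input."""
    if template not in _TEMPLATE_OVERRIDES:
        raise ValueError(
            f"unknown template {template!r}; expected one of {sorted(_TEMPLATE_OVERRIDES)}"
        )
    if keysize not in _ALLOWED_KEY_SIZES:
        raise ValueError(f"keysize must be one of {_ALLOWED_KEY_SIZES}, got {keysize}")
    # The subject becomes an INI value: reject characters that could start a new
    # line or section and so change the structure of the generated file.
    if "=" not in subject or any(c in subject for c in '\r\n"[]'):
        raise ValueError(f"invalid X.500 subject {subject!r}")

    request = {
        **_BASE_REQUEST,
        **_TEMPLATE_OVERRIDES[template],
        "Subject": f'"{subject}"',
        "KeyLength": str(keysize),
    }
    lines = ["[NewRequest]"]
    lines += [f"{key} = {value}" for key, value in request.items()]
    lines += ["", "[RequestAttributes]", f"CertificateTemplate = {template}"]
    # certreq runs on Windows; emit CRLF so the file is native there.
    return "\r\n".join(lines) + "\r\n"


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Parse INF text back into {section: {key: value}}, keeping key case."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return {section: dict(cfg[section]) for section in cfg.sections()}


if __name__ == "__main__":
    print(build_inf("SmartcardLogon", "CN=Smartcard User"))
```

The validation on the subject is the part worth keeping even if the table changes: the value is interpolated into a line-oriented format, so a newline or a `[` in it would let a caller rewrite sections of the request file rather than just the subject.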
eedd166 to bec5310
bec5310 to fc5e3ee
fc5e3ee to e3824a9
danlavu
left a comment
Overall, this looks great, with a few minor nitpicks and a couple of larger requested changes.
| self.ca = ADCertificateAuthority(self.host) | ||
| """ | ||
| AD Certificate Authority management. | ||
nitpick, one blank line.
| Provides certificate operations: | ||
nitpick, indentation, no blank lines needed.
| - Retrieve certificate and template details | ||
| Example: |
Nitpick, code implies it's an example; this line can be removed.
I like consistency, especially within the same file, to avoid these nitpicks. Follow the format as another docstring within the same file.
| cert, key, csr = ad.ca.request_smartcard( | ||
| template="SmartcardLogon", | ||
| subject="CN=Smartcard User", | ||
| enrollment_agent_cert_hash="thumbprint_here", |
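Review bot: the keyword is named enrollment_agent_cert_hash but the placeholder reads "thumbprint_here"; the docstring example should use one term and state the expected format (certutil prints this as the SHA-1 "Cert Hash" in hex), so a caller knows whether spaces and case matter when copying it from certutil output.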
The thumbprint hash?
| class ADCertificateAuthority: | ||
| """ | ||
| Provides helper methods for Active Directory Certificate Authority operations. |
Nitpick, Certificate Authority server management.
| This class allows requesting, revoking, placing/removing certificate holds, | ||
| and retrieving certificate information via certreq and certutil commands. | ||
| .. code-block:: python |
We have an example from when the object is created, which is sufficient.
| :type host: ADHost | ||
| """ | ||
| self.host = host | ||
| self.cli = host.cli |
We need to clean up the folder on teardown. The easiest thing to do, I think, would be to rename the directory to something unique, c:\pki, then in hosts\ad.py delete the directory in def restore.
| req_path = os.path.join(self.temp_dir, f"{base}.req") | ||
| cert_path = os.path.join(self.temp_dir, f"{base}.cer") | ||
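Review bot: os.path.join uses the separator of the machine running the test, not of the Windows host where certreq reads these files; if the framework runs on a Linux controller, req_path and cert_path come out with forward slashes. Most Windows APIs tolerate that, but the paths then differ from what the teardown and the logs show. Consider ntpath.join(self.temp_dir, f"{base}.req") or an explicit backslash so the generated paths match the directory the cleanup removes.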
| inf_content = f"""[NewRequest] |
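Review bot: values interpolated into this f-string land in a line-oriented INI file, so a subject or template string containing a newline, a quote or a bracket can alter the section structure of the request rather than just its value. Validate or quote the interpolated fields before building the INF, whichever helper ends up producing it.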
PSIni 3.1.4 is installed, so you can use that to make the construction of the INF content easier. You can check out line 2114, creating the gpt.ini file.
| } | ||
| return reason_map[reason] | ||
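Review bot: reason_map[reason] raises a bare KeyError for an unsupported revocation reason. Check membership first and raise ValueError naming the accepted keys (for example "reason must be one of: ..."), so a test author sees which strings are allowed instead of a traceback from inside the helper.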
| def _parse_cert_info(self, output: str) -> dict[str, list[str]]: |
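Review bot: the signature takes only output and does not appear to use self, so this can be a staticmethod or a module-level function; that also lets the parser be unit-tested against a captured certutil sample without a host. Add a docstring showing the input shape it expects and what the dict keys map to.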
I think the parsers should go in misc/__init__.py
@krishnavema I'm sorry, I did review this before I left for PTO but I didn't click submit review.
Implement certificate authority for AD