From 1fa94e536b1f0b3dfed3732680d8a930ae86ebfc Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Jun 18 2020 03:36:13 +0000 Subject: dogtag: use POST for profileProcess requests An upcoming change to Dogtag requires HTTP POST method for profileProcess operations. Update certmonger to use POST for these operations. Fixes: https://pagure.io/freeipa/issue/8373 --- diff --git a/src/dogtag.c b/src/dogtag.c index c43664e..6bb7c66 100644 --- a/src/dogtag.c +++ b/src/dogtag.c @@ -114,6 +114,7 @@ int main(int argc, const char **argv) { const char *eeurl = NULL, *agenturl = NULL, *url = NULL, *url2 = NULL; + const char *method = NULL, *method2 = NULL; const char *ssldir = NULL, *cainfo = NULL, *capath = NULL; const char *sslcert = NULL, *sslkey = NULL; const char *sslpin = NULL, *sslpinfile = NULL; @@ -498,10 +499,11 @@ main(int argc, const char **argv) return CM_SUBMIT_STATUS_UNCONFIGURED; break; case op_submit: + method = DOGTAG_PROFILE_SUBMIT_METHOD; url = talloc_asprintf(ctx, "%s/%s", eeurl, use_agent_submission ? - "profileSubmitSSLClient" : - "profileSubmit"); + DOGTAG_PROFILE_SUBMIT_AGENT_RESOURCE : + DOGTAG_PROFILE_SUBMIT_RESOURCE); template = cm_submit_u_url_encode(template); if ((serial != NULL) && (strlen(serial) > 0) && !force_new) { /* Renew-by-serial. */ @@ -595,7 +597,8 @@ main(int argc, const char **argv) break; case op_check: /* Check if the certificate has been issued or rejected. */ - url = talloc_asprintf(ctx, "%s/checkRequest", eeurl); + method = DOGTAG_CHECK_REQUEST_METHOD; + url = talloc_asprintf(ctx, "%s/%s", eeurl, DOGTAG_CHECK_REQUEST_RESOURCE); params = talloc_asprintf(ctx, "%s&" "xml=true", 
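Review bot: In the `case op_submit:` arm, `method = DOGTAG_PROFILE_SUBMIT_METHOD;` changes more than the commit title says. The submit loop previously hard-coded `"GET"` for every request, and submit-d.h defines this macro as `HTTP_METHOD_POST`, so profileSubmit and profileSubmitSSLClient requests from dogtag.c now go out as POST too. That is probably intended, since submit-d.c already used POST for profileSubmit, but a comment at the assignment would stop it being read as a pure refactor, e.g. `/* Enrollment requests are sent as POST, as submit-d.c already does. */`. The rest of main() lies outside this hunk.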
@@ -617,8 +620,10 @@ main(int argc, const char **argv) } /* Reading profile defaults for this certificate, then applying * them and issuing a new certificate. */ - url = talloc_asprintf(ctx, "%s/profileReview", agenturl); - url2 = talloc_asprintf(ctx, "%s/profileProcess", agenturl); + method = DOGTAG_PROFILE_REVIEW_METHOD; + url = talloc_asprintf(ctx, "%s/%s", agenturl, DOGTAG_PROFILE_REVIEW_RESOURCE); + method2 = DOGTAG_PROFILE_PROCESS_METHOD; + url2 = talloc_asprintf(ctx, "%s/%s", agenturl, DOGTAG_PROFILE_PROCESS_RESOURCE); params = talloc_asprintf(ctx, "%s&" "xml=true", @@ -631,7 +636,8 @@ main(int argc, const char **argv) break; case op_retrieve: /* Retrieving the new certificate. */ - url = talloc_asprintf(ctx, "%s/displayCertFromRequest", eeurl); + method = DOGTAG_DISPLAY_CERT_METHOD; + url = talloc_asprintf(ctx, "%s/%s", eeurl, DOGTAG_DISPLAY_CERT_RESOURCE); params = talloc_asprintf(ctx, "%s&" "importCert=true&" @@ -641,7 +647,8 @@ main(int argc, const char **argv) break; case op_profiles: /* Retrieving the list of profiles. */ - url = talloc_asprintf(ctx, "%s/profileList", eeurl); + method = DOGTAG_PROFILE_LIST_METHOD; + url = talloc_asprintf(ctx, "%s/%s", eeurl, DOGTAG_PROFILE_LIST_RESOURCE); if (strlen(params) > 0) { params = talloc_asprintf(ctx, "%s&" @@ -669,7 +676,7 @@ main(int argc, const char **argv) /* Submit the form(s). */ hctx = NULL; while (url != NULL) { - hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, + hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, cainfo, capath, sslcert, sslkey, sslpin, cm_submit_h_negotiate_off, cm_submit_h_delegate_off, 
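Review bot: `method` is declared as `NULL` at the top of main() and is now passed straight into `cm_submit_h_init(ctx, method, url, ...)`, and later to `fprintf`/`syslog` with `%s`, so any switch arm that sets `url` without setting `method` would hand a null pointer to both. Every arm visible in this diff assigns it, but the switch is only partly shown, so a guard before the loop would make the invariant explicit: `if (url != NULL && method == NULL) method = HTTP_METHOD_GET;` (or report an error instead of defaulting). The same applies to `method2` whenever `url2` is set.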
@@ -684,10 +691,10 @@ main(int argc, const char **argv) lastparams = params; cm_submit_h_run(hctx); if (verbose > 0) { - fprintf(stderr, "%s \"%s?%s\"\n", "GET", url, params); + fprintf(stderr, "%s \"%s?%s\"\n", method, url, params); fprintf(stderr, "code = %d\n", cm_submit_h_result_code(hctx)); fprintf(stderr, "code_text = \"%s\"\n", cm_submit_h_result_code_text(hctx)); - syslog(LOG_DEBUG, "%s %s?%s\n", "GET", url, params); + syslog(LOG_DEBUG, "%s %s?%s\n", method, url, params); } results = cm_submit_h_results(hctx, NULL); if (verbose > 0) { @@ -762,6 +769,8 @@ main(int argc, const char **argv) url2 = NULL; params = params2; params2 = NULL; + method = method2; + method2 = NULL; } /* Figure out what to output. */ diff --git a/src/submit-d.c b/src/submit-d.c index 5a4edb3..149eaad 100644 --- a/src/submit-d.c +++ b/src/submit-d.c @@ -1013,8 +1013,8 @@ restart: ctx = talloc_new(NULL); switch (op) { case op_submit_csr: - method = "POST"; - cgi = "profileSubmit"; + method = DOGTAG_PROFILE_SUBMIT_METHOD; + cgi = DOGTAG_PROFILE_SUBMIT_RESOURCE; p = cm_submit_u_from_file_single(file); if (p == NULL) { printf("Error reading CSR from \"%s\".\n", file); @@ -1046,8 +1046,8 @@ restart: } break; case op_submit_serial: - method = "POST"; - cgi = "profileSubmit"; + method = DOGTAG_PROFILE_SUBMIT_METHOD; + cgi = DOGTAG_PROFILE_SUBMIT_RESOURCE; params = talloc_asprintf(ctx, "profileId=%s&" "serial_num=%s&" @@ -1069,16 +1069,16 @@ restart: } break; case op_review: - method = "GET"; - cgi = "profileReview"; + method = DOGTAG_PROFILE_REVIEW_METHOD; + cgi = DOGTAG_PROFILE_REVIEW_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "xml=true", id); break; case op_reject: - method = "GET"; - cgi = "profileProcess"; + method = DOGTAG_PROFILE_PROCESS_METHOD; + cgi = DOGTAG_PROFILE_PROCESS_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "op=reject&" 
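Review bot: The verbose output in this hunk still prints `%s \"%s?%s\"`, joining `url` and `params` with `?`, which reads as a query string even when `method` is POST and the parameters are presumably carried in the request body. Printing them separately keeps the debug log accurate, e.g. `fprintf(stderr, "%s \"%s\" params=\"%s\"\n", method, url, params);`, with the matching change to the `syslog(LOG_DEBUG, ...)` line. Since `params` is still written to syslog in full, it is worth confirming that nothing in the approve/reject parameters needs to be kept out of logs.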
@@ -1088,8 +1088,8 @@ restart: case op_approve: if ((defaults == NULL) && (specified_values == NULL)) { /* ask the server for its defaults */ - method = "GET"; - cgi = "profileReview"; + method = DOGTAG_PROFILE_REVIEW_METHOD; + cgi = DOGTAG_PROFILE_REVIEW_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "xml=true", @@ -1097,8 +1097,8 @@ restart: } else if (specified_values != NULL) { /* use values specified as CLI options */ - method = "GET"; - cgi = "profileProcess"; + method = DOGTAG_PROFILE_PROCESS_METHOD; + cgi = DOGTAG_PROFILE_PROCESS_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "op=approve&" @@ -1106,8 +1106,8 @@ restart: id, specified_values); } else { /* use previously-retrieved defaults */ - method = "GET"; - cgi = "profileProcess"; + method = DOGTAG_PROFILE_PROCESS_METHOD; + cgi = DOGTAG_PROFILE_PROCESS_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "op=approve&" @@ -1130,8 +1130,8 @@ restart: } break; case op_check: - method = "GET"; - cgi = "checkRequest"; + method = DOGTAG_CHECK_REQUEST_METHOD; + cgi = DOGTAG_CHECK_REQUEST_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "importCert=true&" @@ -1139,8 +1139,8 @@ restart: id); break; case op_fetch: - method = "GET"; - cgi = "displayCertFromRequest"; + method = DOGTAG_DISPLAY_CERT_METHOD; + cgi = DOGTAG_DISPLAY_CERT_RESOURCE; params = talloc_asprintf(ctx, "requestId=%d&" "importCert=true&" diff --git a/src/submit-d.h b/src/submit-d.h index 75623c4..912cca1 100644 --- a/src/submit-d.h +++ b/src/submit-d.h 
@@ -18,6 +18,23 @@ #ifndef cmsubmitd_h #define cmsubmitd_h +#define HTTP_METHOD_GET "GET" +#define HTTP_METHOD_POST "POST" + +#define DOGTAG_PROFILE_SUBMIT_METHOD HTTP_METHOD_POST +#define DOGTAG_PROFILE_SUBMIT_RESOURCE "profileSubmit" +#define DOGTAG_PROFILE_SUBMIT_AGENT_RESOURCE "profileSubmitSSLClient" +#define DOGTAG_PROFILE_REVIEW_METHOD HTTP_METHOD_GET +#define DOGTAG_PROFILE_REVIEW_RESOURCE "profileReview" +#define DOGTAG_PROFILE_PROCESS_METHOD HTTP_METHOD_POST +#define DOGTAG_PROFILE_PROCESS_RESOURCE "profileProcess" +#define DOGTAG_PROFILE_LIST_METHOD HTTP_METHOD_GET +#define DOGTAG_PROFILE_LIST_RESOURCE "profileList" +#define DOGTAG_CHECK_REQUEST_METHOD HTTP_METHOD_GET +#define DOGTAG_CHECK_REQUEST_RESOURCE "checkRequest" +#define DOGTAG_DISPLAY_CERT_METHOD HTTP_METHOD_GET +#define DOGTAG_DISPLAY_CERT_RESOURCE "displayCertFromRequest" + int cm_submit_d_submit_result(void *parent, const char *xml, char **error_code, char **error_reason, char **error, char **status,
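Review bot: The new method macros have no comment explaining why profileSubmit and profileProcess are POST while the other resources stay GET, which is the one fact a future editor of this table needs. A short comment above the block would do, e.g. `/* Dogtag resources and the HTTP method each is requested with; profileProcess (approve/reject) must be POST. */`. `HTTP_METHOD_GET` and `HTTP_METHOD_POST` are also very generic names for a project header; a `CM_`-prefixed name would avoid a clash with any other header that defines them. dogtag.c gains no `#include` in this diff, so it presumably already includes submit-d.h, which is worth confirming against the build.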