Add CLI command to dump certificate enroll script

Similar to the adsys-gpolist, provide a way for users to dump the certificate autoenrollment script for debugging purposes.
ubuntu · Jul 25, 2023 · d0414fc · d0414fc
1 parent 9d9d604
commit d0414fc
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 18 deletions.
diff --git a/adsys.pb.go b/adsys.pb.go
diff --git a/adsys.proto b/adsys.proto
@@ -14,6 +14,7 @@ service service {
   rpc ListDoc(ListDocRequest) returns (stream StringResponse);
   rpc ListUsers(ListUsersRequest) returns (stream StringResponse);
   rpc GPOListScript(Empty) returns (stream StringResponse);
+  rpc CertAutoEnrollScript(Empty) returns (stream StringResponse);
 }
 
 message Empty {}

diff --git a/adsys_grpc.pb.go b/adsys_grpc.pb.go
diff --git a/cmd/adsysd/client/policy.go b/cmd/adsysd/client/policy.go
@@ -80,12 +80,20 @@ func (a *App) installPolicy() {
 	policyCmd.AddCommand(debugCmd)
 	gpoListCmd := &cobra.Command{
 		Use:               "gpolist-script",
-		Short:             i18n.G("Write GPO list python embeeded script in current directory"),
+		Short:             i18n.G("Write GPO list python embedded script in current directory"),
 		Args:              cobra.NoArgs,
 		ValidArgsFunction: cmdhandler.NoValidArgs,
 		RunE:              func(cmd *cobra.Command, args []string) error { return a.dumpGPOListScript() },
 	}
 	debugCmd.AddCommand(gpoListCmd)
+	certEnrollCmd := &cobra.Command{
+		Use:               "cert-autoenroll-script",
+		Short:             i18n.G("Write certificate autoenrollment python embedded script in current directory"),
+		Args:              cobra.NoArgs,
+		ValidArgsFunction: cmdhandler.NoValidArgs,
+		RunE:              func(cmd *cobra.Command, args []string) error { return a.dumpCertEnrollScript() },
+	}
+	debugCmd.AddCommand(certEnrollCmd)
 
 	var updateMachine, updateAll *bool
 	updateCmd := &cobra.Command{
@@ -271,6 +279,26 @@ func (a *App) dumpGPOListScript() error {
 	return os.WriteFile("adsys-gpolist", []byte(script), 0600)
 }
 
+func (a *App) dumpCertEnrollScript() error {
+	client, err := adsysservice.NewClient(a.config.Socket, a.getTimeout())
+	if err != nil {
+		return err
+	}
+	defer client.Close()
+
+	stream, err := client.CertAutoEnrollScript(a.ctx, &adsys.Empty{})
+	if err != nil {
+		return err
+	}
+
+	script, err := singleMsg(stream)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile("cert-autoenroll", []byte(script), 0600)
+}
+
 func colorizePolicies(policies string) (string, error) {
 	first := true
 	var out stringsBuilderWithError

diff --git a/internal/adsysservice/policy.go b/internal/adsysservice/policy.go
@@ -11,6 +11,7 @@ import (
 	log "github.com/ubuntu/adsys/internal/grpc/logstreamer"
 	"github.com/ubuntu/adsys/internal/i18n"
 	"github.com/ubuntu/adsys/internal/policies"
+	"github.com/ubuntu/adsys/internal/policies/certificate"
 	"github.com/ubuntu/decorate"
 	"golang.org/x/sync/errgroup"
 )
@@ -156,4 +157,21 @@ func (s *Service) GPOListScript(_ *adsys.Empty, stream adsys.Service_GPOListScri
 	return nil
 }
 
+// CertAutoEnrollScript returns the embedded certificate autoenrollment python script.
+func (s *Service) CertAutoEnrollScript(_ *adsys.Empty, stream adsys.Service_CertAutoEnrollScriptServer) (err error) {
+	defer decorate.OnError(&err, i18n.G("error while getting certificate autoenrollment script"))
+
+	if err := s.authorizer.IsAllowedFromContext(stream.Context(), authorizer.ActionAlwaysAllowed); err != nil {
+		return err
+	}
+
+	if err := stream.Send(&adsys.StringResponse{
+		Msg: certificate.CertEnrollCode,
+	}); err != nil {
+		log.Warningf(stream.Context(), "couldn't send certificate autoenrollment script to client: %v", err)
+	}
+
+	return nil
+}
+
 // FIXME: check cache file permission