Reputation: 1
I am struggling to get somewhat usable curl outputs out of the OpenXPKI RPC server API. I fiddled with trying to customize my own workflows in /etc/openxpki/config.d/realm.tpl/workflow/def but none of those worked. Instead I tried editing the basic SearchCertificate method:

action:
    initialize:
        class: OpenXPKI::Server::Workflow::Activity::Tools::SearchCertificates
        param:
            _map_cert_subject: "CN=[% context.common_name %],*"
            order: notbefore desc
            include_revoked: 0
            include_expired: 1
            limit: 50
        input:
          - common_name
        validator:
          - common_name

    get_certificate_data:
        class: OpenXPKI::Server::Workflow::Activity::Tools::SetContext
        param:
            _map_notbefore: "[% USE Certificate %][% Certificate.notbefore(context.cert_identifier) %]"
            _map_notafter: "[% USE Certificate %][% Certificate.notafter(context.cert_identifier) %]"
            _map_status: "[% USE Certificate %][% Certificate.status(context.cert_identifier) %]"

condition:
    has_result:
        class: Workflow::Condition::Evaluate
        param:
            test: $context->{cert_identifier}

validator:
    common_name:
        class: OpenXPKI::Server::Workflow::Validator::Regex
        arg:
          - $common_name
        param:
            regex: "\\A [a-zA-Z0-9-\\.\\:]+"
            modifier: xi

field:
    common_name:
        name: common_name
        required: 0
        type: server

My aim here is to get a list of expiring certificates without having to script-feed the curl numerous hostnames. Sadly, this workflow doesn't seem to output multiple regex-captured hosts, something like ..mydomain.com*; without a common_name it just outputs nothing (see param:limit, field:required). I also tried custom params like notafter, fruitless so far. Official documentation also seems quite lacking for custom workflows. I'd highly appreciate any pointers, greetings!

EDIT: Sample output from curl:
curl -F "method=SearchCertificate" -F "common_name=hostname1" http://localhost:80/rpc
{"result":{"pid":8045,"id":0,"data":{"cert_identifier":"ZzWtdso_jTxpnDcb_cckUn5X6A0","status":"ISSUED","notafter":"2025-07-20T08:11:05","notbefore":"2022-07-20T08:11:05"},"proc_state":"finished","state":"SUCCESS"}}[09:52:40]
Upvotes: 0
Views: 358
Reputation: 21
By default in state it is defined like that:

state:
    INITIAL:
        action:
          - initialize > RESULT
    RESULT:
        autorun: 1
        action:
          - get_certificate_data > SUCCESS ? has_result
          - global_noop > NORESULT ? !has_result
    NORESULT: ~
    SUCCESS: ~

That means that first in initialize we query one certificate and then pass it to the get_certificate_data action.

If you want to get a list, you need to remove limit: single, after that pack the result in an array and call get_certificate_data for each element and pack it in the result. See revoke_workflow as a help example.
Upvotes: 0
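
An added example, not part of either post and not OpenXPKI code: a client-side check that reads replies in the JSON shape shown in the question's curl output and lists certificates expiring within a window. The function names, the second sample reply (the NORESULT shape) and the treatment of timestamps as UTC are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample replies keyed by the common_name that was queried.
# The first copies the shape (and trailing prompt residue) of the curl output
# in the question; the second is an assumed shape for the NORESULT state.
SAMPLE_REPLIES = {
    "hostname1": '{"result":{"pid":8045,"id":0,"data":{"cert_identifier":'
                 '"ZzWtdso_jTxpnDcb_cckUn5X6A0","status":"ISSUED",'
                 '"notafter":"2025-07-20T08:11:05","notbefore":"2022-07-20T08:11:05"},'
                 '"proc_state":"finished","state":"SUCCESS"}}[09:52:40]',
    "hostname2": '{"result":{"pid":8046,"id":0,"data":{},'
                 '"proc_state":"finished","state":"NORESULT"}}',
}


def parse_rpc_reply(raw):
    """Return the 'data' dict of a SUCCESS reply, or None for anything else.

    raw_decode stops at the end of the first JSON value, so text glued to the
    reply (such as a shell prompt timestamp) does not break parsing.
    """
    obj, _end = json.JSONDecoder().raw_decode(raw.lstrip())
    result = obj.get("result") or {}
    if result.get("state") != "SUCCESS":
        return None
    return result.get("data") or None


def expiring(replies, now, days=30):
    """List (name, cert_identifier, days_left) for ISSUED certs ending within `days`."""
    horizon = now + timedelta(days=days)
    hits = []
    for name, raw in replies.items():
        data = parse_rpc_reply(raw)
        if not data or data.get("status") != "ISSUED":
            continue
        # Assumption: notafter carries no zone and is interpreted as UTC.
        notafter = datetime.fromisoformat(data["notafter"]).replace(tzinfo=timezone.utc)
        if notafter <= horizon:
            hits.append((name, data["cert_identifier"], (notafter - now).days))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    for hit in expiring(SAMPLE_REPLIES, datetime.now(timezone.utc), days=30):
        print(*hit)
```
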