[Freeipa-devel] [PATCH 0052] store user certificates in 'userCertificate;binary' attributes

Jan Cholasta jcholast at redhat.com
Mon Aug 3 13:39:36 UTC 2015


On 3.8.2015 at 14:58 Martin Babinsky wrote:
> On 08/03/2015 02:46 PM, Jan Cholasta wrote:
>> On 3.8.2015 at 14:14 Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 3.8.2015 at 14:00 Martin Babinsky wrote:
>>>> This patch fixes the inconsistency between storing certificates in the
>>>> 'userCertificate' and 'userCertificate;binary' attributes of user
>>>> entries: the certificate must be stored in the latter attribute only.
>>>>
>>>> Since a more general fix is out of 4.2.1 scope, I have implemented some
>>>> workarounds in the pre/post callbacks of the user-* commands in order
>>>> to enforce this behavior.
>>>
>>> 1)
>>>
>>> +    def convert_usercertificate_pre(self, entry_attrs, **options):
>>> +        if options.get('all', False):
>>> +            return
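Review bot: the early return on `options.get('all', False)` in `convert_usercertificate_pre` lets the entry reach LDAP under whatever attribute name the client supplied, so the invariant stated in the cover text (certificate stored in `userCertificate;binary` only) would hold or not depending on an output option. A pre-callback that normalises what is written should run unconditionally; `--all` and `--raw` only describe how the result is returned to the client and belong in the post-callback check, not here.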
>>>
>>> We don't want to do any renaming when --raw is specified, not --all.
>>> Same for convert_usercertificate_post.
>>
>> Actually, the attribute should be always renamed in
>> convert_usercertificate_pre, otherwise we would modify the wrong
>> attribute. In convert_usercertificate_post, it should actually be
>> renamed only when --raw is specified.
>>
>
> If you do the rename in `convert_usercertificate_post` only when '--raw'
> is specified, then you get no certificate displayed when you do `ipa
> user-show` on a user with the userCertificate;binary attribute. Is this
> intended? (Keep in mind that `convert_usercertificate_post` should be
> called in the post-callback when returning results back to the user/client.)

Oops, I meant "rename only when --raw is *not* specified".

>>>
>>>
>>> 2)
>>>
>>> +        self.obj.convert_usercertificate_pre(entry_attrs, **options)
>>>
>>> Rather than calling this directly from user_add, this should be called
>>> from baseuser.pre_common_callback(), which should be called from
>>> user_add.post_callback().
>>>
>>>
>>> 3) IMO you should change user_{add,remove}_cert to call
>>> baseuser.convert_usercertificate_{pre,post} as well, to avoid code
>>> duplication.
>>>
>>>
>>> Honza
>>>


-- 
Jan Cholasta
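The rename logic the thread settles on (pre-callback always folds the certificate into 'userCertificate;binary' before the LDAP write; post-callback presents it as 'usercertificate' unless --raw is given) as an added example. This is not FreeIPA code and does not use the ipalib API: entries are modelled as plain dicts of attribute name to list of DER values (or None for "remove"), attribute names compare case-insensitively as LDAP does, and the function names and the `demo()` input are constructed for illustration.

```python
# Added example, not FreeIPA code: the pre/post rename discussed in the thread,
# modelled on plain dicts. Keys are attribute names as the client sent them,
# values are lists of DER certificates (bytes), or None meaning "remove the
# attribute". Attribute names compare case-insensitively, as in LDAP.

BINARY_ATTR = 'usercertificate;binary'
PLAIN_ATTR = 'usercertificate'


def _pop_matching(entry_attrs, *names):
    """Remove every key matching one of *names* case-insensitively.
    Returns (seen, values): whether any such key was present, and the merged
    values with duplicates dropped and order preserved."""
    seen, values = False, []
    for key in list(entry_attrs):
        if key.lower() in names:
            seen = True
            for value in entry_attrs.pop(key) or []:
                if value not in values:
                    values.append(value)
    return seen, values


def convert_usercertificate_pre(entry_attrs, **options):
    """Runs before the LDAP write. Whatever spelling the client used, the
    certificate must be stored under 'userCertificate;binary' only, so both
    spellings are folded into that attribute. Deliberately ignores --raw and
    --all: skipping the rename here would modify the wrong attribute."""
    seen, values = _pop_matching(entry_attrs, PLAIN_ATTR, BINARY_ATTR)
    if seen:
        # An explicit None/empty value still has to target the ';binary' name
        entry_attrs[BINARY_ATTR] = values or None
    return entry_attrs


def convert_usercertificate_post(entry_attrs, **options):
    """Runs on the entry returned to the client. With --raw the entry is shown
    as stored (the ';binary' name stays); otherwise the certificate is
    presented under 'usercertificate' so that user-show displays it."""
    if options.get('raw', False):
        return entry_attrs
    seen, values = _pop_matching(entry_attrs, PLAIN_ATTR, BINARY_ATTR)
    if seen:
        entry_attrs[PLAIN_ATTR] = values
    return entry_attrs


def demo():
    """Constructed input: a client sends certificates under both spellings,
    with one duplicate. Returns what would be written, what user-show
    displays by default, and what it displays with --raw."""
    cert_a = b'\x30\x82\x01\x00DER-A'   # constructed placeholder, not real DER
    cert_b = b'\x30\x82\x01\x00DER-B'
    to_write = convert_usercertificate_pre(
        {'userCertificate': [cert_a], 'usercertificate;binary': [cert_b, cert_a]},
        all=True)
    shown = convert_usercertificate_post(dict(to_write))
    shown_raw = convert_usercertificate_post(dict(to_write), raw=True)
    return to_write, shown, shown_raw


if __name__ == '__main__':
    for label, entry in zip(('written', 'shown', 'shown --raw'), demo()):
        print(label, '->', sorted(entry))
```

The pre-callback takes `**options` only so it can be wired in wherever the post-callback is, but never reads them; that is the asymmetry the thread arrives at.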