[Freeipa-devel] [PATCH] 0034-0035 Allow SAN extension for cert-request self-service

Fraser Tweedale ftweedal at redhat.com
Sun Aug 9 07:38:48 UTC 2015


Patch 0035 fixes #5190 - Users unable to self-issue certificate with
SAN.

Patch 0034 adds more context to the virtual command ACIError denial
messages.

Thanks,
Fraser
-------------- next part --------------
From 9653b4bf835b36bc8e328405b2f19af0ebb3312e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Sun, 9 Aug 2015 01:54:41 -0400
Subject: [PATCH 34/35] Give more info on virtual command access denial

The current error message upon a virtual command access denial does
not give any information about the virtual operation that was
prohibited.  Add more information to the ACIError message.
---
 ipalib/plugins/virtual.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py
index 414de4c0011b4ae49083d7820a3cb3708e3e16b1..3bbe32e538ab108d7abc71785e27664fea5ea248 100644
--- a/ipalib/plugins/virtual.py
+++ b/ipalib/plugins/virtual.py
@@ -62,7 +62,7 @@ class VirtualCommand(Command):
         try:
             if not ldap.can_write(operationdn, "objectclass"):
                 raise errors.ACIError(
-                    info=_('not allowed to perform this command'))
+                    info=_('not allowed to perform operation: %s') % operation)
         except errors.NotFound:
             raise errors.ACIError(info=_('No such virtual command'))
 
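Review bot: the NotFound branch two lines below the change still raises `ACIError(info=_('No such virtual command'))` without naming the operation, so a caller who hits that path gets no more context than before; for consistency with the new message, consider `_('No such virtual command: %s') % operation` there as well. Also note that `%` is applied to the return value of `_()`, so this relies on the translation wrapper supporting `%` formatting (or on formatting the translated string afterwards); worth a quick check that the rendered message is still translated rather than the raw format string.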
-- 
2.4.3

-------------- next part --------------
From 40ecb936e0f5b1db1e9623d72a9c9dc53bc2c0dc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Sun, 9 Aug 2015 03:25:58 -0400
Subject: [PATCH 35/35] Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
         # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
             for ext in extensions:
                 operation = self._allowed_extensions.get(ext)
                 if operation:
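Review bot: the new condition skips the entire allowed-extension loop for self-service, not only the "request certificate with subjectaltname" operation the commit message describes, so a bind principal requesting a certificate for itself now bypasses the virtual-operation check for every extension in `_allowed_extensions`. If the intent is limited to SAN, narrow the bypass to that operation inside the loop (e.g. `if operation and not (bind_principal == principal and operation == <SAN operation name>)`) rather than short-circuiting the whole check; if bypassing all of them is intended, say so in the commit message and update the comment `# host principals may bypass allowed ext check`, which still only mentions host principals. Two further things to confirm in review: that `bind_principal != principal` compares principals in the same canonical form (realm, case), and that the later validation of SAN values against the target principal (not shown in this hunk) is what still prevents a self-service requester from obtaining a certificate with altNames that are not its own.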
-- 
2.4.3
