[Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod

Fraser Tweedale ftweedal at redhat.com
Wed Sep 7 09:06:25 UTC 2016


Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305

Thanks,
Fraser
-------------- next part --------------
From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 7 Sep 2016 19:00:18 +1000
Subject: [PATCH] Fix cert revocation when removing all certs via
 host/service-mod

When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not.  Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).

Fixes: https://fedorahosted.org/freeipa/ticket/6305
---
 ipaserver/plugins/host.py    | 3 ++-
 ipaserver/plugins/service.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -898,7 +898,8 @@ class host_mod(LDAPUpdate):
         certs_der = [x509.normalize_certificate(c) for c in certs]
 
         # revoke removed certificates
-        if certs and self.api.Command.ca_is_enabled()['result']:
+        ca_is_enabled = self.api.Command.ca_is_enabled()['result']
+        if 'usercertificate' in options and ca_is_enabled:
             try:
                 entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
             except errors.NotFound:
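Review bot: the rewrite drops the short-circuit that the old `if certs and ...` condition gave, so `self.api.Command.ca_is_enabled()` is now executed on every host-mod, including modifications that touch no certificate at all. Evaluating the condition in the order that matches the intent keeps the extra command call out of the common path, e.g. `if 'usercertificate' in options and self.api.Command.ca_is_enabled()['result']:`. The key-presence test itself is the right fix for the empty `--certificate=` case, since an emptied list is falsy but the key is still present in `options`.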
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -701,7 +701,8 @@ class service_mod(LDAPUpdate):
         certs = entry_attrs.get('usercertificate') or []
         certs_der = [x509.normalize_certificate(c) for c in certs]
         # revoke removed certificates
-        if certs and self.api.Command.ca_is_enabled()['result']:
+        ca_is_enabled = self.api.Command.ca_is_enabled()['result']
+        if 'usercertificate' in options and ca_is_enabled:
             try:
                 entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
             except errors.NotFound:
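Review bot: this hunk repeats the host.py change line for line, and the block that follows (fetching the old `usercertificate` values, computing the removed set, revoking) is the same in both plugins, so the bug had to be fixed twice; consider moving the "revoke removed certificates" logic into one helper shared by `host_mod` and `service_mod` so the next change is made once. As in host.py, keep `ca_is_enabled()` behind the `'usercertificate' in options` test rather than calling it unconditionally. Minor style point: host.py has a blank line before the `# revoke removed certificates` comment and this file does not.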
-- 
2.5.5


