[Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod
Fraser Tweedale
ftweedal at redhat.com
Wed Sep 7 09:06:25 UTC 2016
Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305
Thanks,
Fraser
-------------- next part --------------
From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 7 Sep 2016 19:00:18 +1000
Subject: [PATCH] Fix cert revocation when removing all certs via
host/service-mod
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not. Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).
Fixes: https://fedorahosted.org/freeipa/ticket/6305
---
ipaserver/plugins/host.py | 3 ++-
ipaserver/plugins/service.py | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -898,7 +898,8 @@ class host_mod(LDAPUpdate):
certs_der = [x509.normalize_certificate(c) for c in certs]
# revoke removed certificates
- if certs and self.api.Command.ca_is_enabled()['result']:
+ ca_is_enabled = self.api.Command.ca_is_enabled()['result']
+ if 'usercertificate' in options and ca_is_enabled:
try:
entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -701,7 +701,8 @@ class service_mod(LDAPUpdate):
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
# revoke removed certificates
- if certs and self.api.Command.ca_is_enabled()['result']:
+ ca_is_enabled = self.api.Command.ca_is_enabled()['result']
+ if 'usercertificate' in options and ca_is_enabled:
try:
entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
--
2.5.5
More information about the Freeipa-devel
mailing list