If the cafile is not present or readable then raise an exception

This can happen on the API level if a user passes in None as cafile or if the value passed in does not exist or is not readable by the IPA framework user. This will also catch situations where /etc/ipa/ca.crt has incorrect permissions and will provide more useful information than just [Errno 13] Permission denied. https://pagure.io/freeipa/issue/7145 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-09-06 16:24:39 -04:00
parent e8a26afb94
commit 01bfe2247e
1 changed files with 4 additions and 0 deletions
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -313,6 +313,10 @@ def create_https_connection(
        raise RuntimeError("cafile argument is required to perform server "
                           "certificate verification")

+    if not os.path.isfile(cafile) or not os.access(cafile, os.R_OK):
+        raise RuntimeError("cafile \'{file}\' doesn't exist or is unreadable".
+                           format(file=cafile))
+
    # remove the slice of negating protocol options according to options
    tls_span = get_proper_tls_version_span(tls_version_min, tls_version_max)