If the cafile is not present or not readable, then raise an exception

This can happen on the API level if a user passes in None as
cafile or if the value passed in does not exist or is not
readable by the IPA framework user.

This will also catch situations where /etc/ipa/ca.crt has
incorrect permissions and will provide more useful information
than just [Errno 13] Permission denied.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Rob Crittenden
2017-09-06 16:24:39 -04:00
parent e8a26afb94
commit 01bfe2247e


@@ -313,6 +313,10 @@ def create_https_connection(
raise RuntimeError("cafile argument is required to perform server "
"certificate verification")
if not os.path.isfile(cafile) or not os.access(cafile, os.R_OK):
raise RuntimeError("cafile \'{file}\' doesn't exist or is unreadable".
format(file=cafile))
# remove the slice of negating protocol options according to options
tls_span = get_proper_tls_version_span(tls_version_min, tls_version_max)
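Review bot: the new check `if not os.path.isfile(cafile) or not os.access(cafile, os.R_OK):` is a check-then-use pattern, and `os.access()` tests the real UID rather than the effective UID, so it can report a file readable that the later open will reject (or, for root, report readable regardless of mode bits), and the file can still disappear or change permissions between this test and its use. Consider opening the file once inside a `try`/`except OSError` and reporting the path together with the caught `errno`, which gives the same friendlier message without the race; at minimum, split the combined `"cafile '{file}' doesn't exist or is unreadable"` into a missing-file message and an unreadable-file message, since telling those two cases apart is the stated purpose of the change.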