Check for CA subject name collision before attempting creation
Lightweight CA subject name collisions are prevented by Dogtag (response code 409 Conflict), however, we do not want to expose the Dogtag error. Perform the check in the IPA framework as well, raising DuplicateEntry on collision. Fixes: https://fedorahosted.org/freeipa/ticket/5981 Reviewed-By: Milan Kubik <mkubik@redhat.com>
parent
669da99183
commit
16f33ddb51
@ -163,6 +163,13 @@ class ca_add(LDAPCreate):
|
||||
except errors.NotFound:
|
||||
pass
|
||||
|
||||
# check for subject collision before creating CA in Dogtag
|
||||
result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])
|
||||
if result['count'] > 0:
|
||||
raise errors.DuplicateEntry(message=_(
|
||||
"Subject DN is already used by CA '%s'"
|
||||
) % result['result'][0]['cn'][0])
|
||||
|
||||
# Create the CA in Dogtag.
|
||||
with self.api.Backend.ra_lightweight_ca as ca_api:
|
||||
resp = ca_api.create_ca(options['ipacasubjectdn'])
|
||||
|
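Review bot: The `ca_find` pre-check added before `create_ca` is not atomic with the Dogtag call, so two concurrent `ca-add` requests for the same subject DN can both see `count == 0` and the later one will still surface Dogtag's 409; the conflict response from `create_ca` should still be caught and mapped to `errors.DuplicateEntry` rather than relying on this check alone. The lookup presumably runs with the caller's read rights and with whatever matching `ca_find` applies to `ipacasubjectdn` (neither is visible in this hunk), so a CA entry the caller cannot read, or an equivalent DN written differently, may slip past it. A comment such as `# best-effort pre-check for a friendlier error; Dogtag remains the authoritative uniqueness guard` would make that explicit. As a style point, the new line calls the global `api.Command.ca_find(...)` while the context line below uses `self.api.Backend`; `self.api.Command.ca_find(...)` would be consistent. The enclosing method starts and ends outside the hunk.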