store certificates issued for user entries as userCertificate;binary

This patch forces the user management CLI command to store certificates as userCertificate;binary attribute. The code to retrieve of user information was modified to enable outputting of userCertificate;binary attribute to the command line. The modification also fixes https://fedorahosted.org/freeipa/ticket/5173 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-03 13:36:29 +02:00
parent 555229e33e
commit 3257ac6b87
2 changed files with 31 additions and 13 deletions
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -187,7 +187,7 @@ class baseuser(LDAPObject):
        'telephonenumber', 'title', 'memberof', 'nsaccountlock',
        'memberofindirect', 'ipauserauthtype', 'userclass',
        'ipatokenradiusconfiglink', 'ipatokenradiususername',
-        'krbprincipalexpiration', 'usercertificate',
+        'krbprincipalexpiration', 'usercertificate;binary',
    ]
    search_display_attributes = [
        'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
@@ -465,10 +465,27 @@ class baseuser(LDAPObject):
        assert isinstance(user, DN)
        return self._user_status(user, DN(self.delete_container_dn, api.env.basedn))

+    def convert_usercertificate_pre(self, entry_attrs):
+        if 'usercertificate' in entry_attrs:
+            entry_attrs['usercertificate;binary'] = entry_attrs.pop(
+                'usercertificate')
+
+    def convert_usercertificate_post(self, entry_attrs, **options):
+        if 'usercertificate;binary' in entry_attrs:
+            entry_attrs['usercertificate'] = entry_attrs.pop(
+                'usercertificate;binary')
+
 class baseuser_add(LDAPCreate):
    """
    Prototype command plugin to be implemented by real plugin
    """
+    def pre_common_callback(self, ldap, dn, entry_attrs, **options):
+        assert isinstance(dn, DN)
+        self.obj.convert_usercertificate_pre(entry_attrs)
+
+    def post_common_callback(self, ldap, dn, entry_attrs, **options):
+        assert isinstance(dn, DN)
+        self.obj.convert_usercertificate_post(entry_attrs, **options)

 class baseuser_del(LDAPDelete):
    """
@@ -542,6 +559,7 @@ class baseuser_mod(LDAPUpdate):
        self.check_userpassword(entry_attrs, **options)

        self.check_objectclass(ldap, dn, entry_attrs)
+        self.obj.convert_usercertificate_pre(entry_attrs)

    def post_common_callback(self, ldap, dn, entry_attrs, **options):
        assert isinstance(dn, DN)
@@ -554,6 +572,7 @@ class baseuser_mod(LDAPUpdate):
        convert_nsaccountlock(entry_attrs)
        self.obj.convert_manager(entry_attrs, **options)
        self.obj.get_password_attributes(ldap, dn, entry_attrs)
+        self.obj.convert_usercertificate_post(entry_attrs, **options)
        convert_sshpubkey_post(ldap, dn, entry_attrs)
        radius_dn2pk(self.api, entry_attrs)

@@ -584,6 +603,7 @@ class baseuser_find(LDAPSearch):
        for attrs in entries:
            self.obj.convert_manager(attrs, **options)
            self.obj.get_password_attributes(ldap, attrs.dn, attrs)
+            self.obj.convert_usercertificate_post(attrs, **options)
            if (lockout):
                attrs['nsaccountlock'] = True
            else:
@@ -598,5 +618,6 @@ class baseuser_show(LDAPRetrieve):
        assert isinstance(dn, DN)
        self.obj.convert_manager(entry_attrs, **options)
        self.obj.get_password_attributes(ldap, dn, entry_attrs)
+        self.obj.convert_usercertificate_post(entry_attrs, **options)
        convert_sshpubkey_post(ldap, dn, entry_attrs)
        radius_dn2pk(self.api, entry_attrs)
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -510,6 +510,8 @@ class user_add(baseuser_add):
            answer = self.api.Object['radiusproxy'].get_dn_if_exists(rcl)
            entry_attrs['ipatokenradiusconfiglink'] = answer

+        self.pre_common_callback(ldap, dn, entry_attrs, **options)
+
        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -557,6 +559,9 @@ class user_add(baseuser_add):
        convert_sshpubkey_post(ldap, dn, entry_attrs)
        radius_dn2pk(self.api, entry_attrs)
        self.obj.get_preserved_attribute(entry_attrs, options)
+
+        self.post_common_callback(ldap, dn, entry_attrs, **options)
+
        return dn


@@ -1034,18 +1039,14 @@ class user_add_cert(LDAPAddAttribute):
                     **options):
        assert isinstance(dn, DN)

-        new_attr_name = '%s;binary' % self.attribute
-        if self.attribute in entry_attrs:
-            entry_attrs[new_attr_name] = entry_attrs.pop(self.attribute)
+        self.obj.convert_usercertificate_pre(entry_attrs)

        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        assert isinstance(dn, DN)

-        old_attr_name = '%s;binary' % self.attribute
-        if old_attr_name in entry_attrs:
-            entry_attrs[self.attribute] = entry_attrs.pop(old_attr_name)
+        self.obj.convert_usercertificate_post(entry_attrs, **options)

        return dn

@@ -1060,17 +1061,13 @@ class user_remove_cert(LDAPRemoveAttribute):
                     **options):
        assert isinstance(dn, DN)

-        new_attr_name = '%s;binary' % self.attribute
-        if self.attribute in entry_attrs:
-            entry_attrs[new_attr_name] = entry_attrs.pop(self.attribute)
+        self.obj.convert_usercertificate_pre(entry_attrs)

        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        assert isinstance(dn, DN)

-        old_attr_name = '%s;binary' % self.attribute
-        if old_attr_name in entry_attrs:
-            entry_attrs[self.attribute] = entry_attrs.pop(old_attr_name)
+        self.obj.convert_usercertificate_post(entry_attrs, **options)

        return dn