fix iPAddress cert issuance for >1 host/service

The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names.  Before adding a DNS name to the set, we check
that it corresponds to the FQDN of a known host/service principal
(including principal aliases).  When a DNS name maps to an
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.

To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.

Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fraser Tweedale
2020-06-11 22:42:38 +10:00
parent c2ba333b96
commit 68ada5f204
2 changed files with 61 additions and 7 deletions


@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
try:
if principal_type == HOST:
alt_principal_obj = api.Command['host_show'](
name, all=True)
name, all=True)['result']
elif principal_type == KRBTGT:
alt_principal = kerberos.Principal(
(u'host', name), principal.realm)
elif principal_type == SERVICE:
alt_principal_obj = api.Command['service_show'](
alt_principal, all=True)
alt_principal, all=True)['result']
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
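Review bot: The KRBTGT branch in this hunk assigns `alt_principal` but never `alt_principal_obj`, while the code further down does `altdn = alt_principal_obj['dn']`; please confirm that either the KRBTGT path is handled before that point or `alt_principal_obj` is guaranteed to be bound on every branch, since the visible context does not show it. Also, now that `alt_principal_obj` holds the `['result']` dict rather than the full RPC response, any other use of `alt_principal_obj` between this hunk and the one at line 866 that still indexes `['result']` would now raise KeyError, so a quick grep of the function for `alt_principal_obj[` is worthwhile.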
@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
pass
# Now check write access and caacl
altdn = alt_principal_obj['result']['dn']
altdn = alt_principal_obj['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
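Review bot: This site is now consistent with the dereference moved into the assignment above, which is the right place for it. Since the commit touches two files with 61 additions, it would help to confirm that the second file adds a regression test for the alternative-principal path of `cert_request` (a CSR whose DNS name resolves to a principal other than the `principal` argument), because that is the exact path on which the old `alt_principal_obj['result']` lookup silently misbehaved.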