cert-request: restrict IPAddress SAN to host/service principals

Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fraser Tweedale 2018-04-23 15:02:36 +10:00 committed by Florence Blanc-Renaud
parent dccb2e0eb8
commit 8ec4868a64


@ -864,6 +864,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
"for non-user principals") % "RFC822Name" "for non-user principals") % "RFC822Name"
) )
elif isinstance(gn, cryptography.x509.general_name.IPAddress): elif isinstance(gn, cryptography.x509.general_name.IPAddress):
if principal.is_user:
raise errors.ValidationError(
name='csr',
error=_(
"subject alt name type %s is forbidden "
"for user principals") % "IPAddress"
)
san_ipaddrs.add(gn.value) san_ipaddrs.add(gn.value)
else: else:
raise errors.ACIError( raise errors.ACIError(
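Review bot: The new guard in the `IPAddress` branch is a deny check on `principal.is_user`, while the commit title states an allow rule (host/service principals only). Writing it as an allow check, for example `if not (principal.is_host or principal.is_service):` with the message reworded to match, would fail closed if any other kind of principal ever reaches this branch. The hunk also only collects the address with `san_ipaddrs.add(gn.value)`, and the code that later validates the collected addresses is not visible here. A short comment at the collection point would help, such as `# IP SANs are only collected here; they must be validated against the principal before issuance`. The enclosing method of `cert_request` starts and ends outside this hunk, so both points should be confirmed against the full loop.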