Fix cert revocation when removing all certs via host/service-mod

When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not.  Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).

Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fraser Tweedale 2016-09-07 19:00:18 +10:00 committed by Jan Cholasta
parent 71b3352ad0
commit 97d4ffc2dc
2 changed files with 4 additions and 2 deletions


@ -898,7 +898,8 @@ class host_mod(LDAPUpdate):
certs_der = [x509.normalize_certificate(c) for c in certs]
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
ca_is_enabled = self.api.Command.ca_is_enabled()['result']
if 'usercertificate' in options and ca_is_enabled:
try:
entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
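Review bot: The revocation gate `if 'usercertificate' in options and ca_is_enabled:` now keys on the option alone, so a certificate removed through any path that changes `usercertificate` without putting that key in `options` (possibly `--setattr`/`--delattr`; not visible in this hunk) would be left unrevoked, which is worth confirming or covering with a test. The hoisted `ca_is_enabled = self.api.Command.ca_is_enabled()['result']` also runs on every modification, where the old condition short-circuited on `certs`; `if 'usercertificate' in options and self.api.Command.ca_is_enabled()['result']:` keeps the fix and the short-circuit. A comment such as `# test the option, not certs: --certificate= gives an empty list but must still revoke` would record why the check looks at `options`. The same points apply to the service_mod hunk, and both enclosing methods start and end outside the hunks.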


@ -701,7 +701,8 @@ class service_mod(LDAPUpdate):
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
# revoke removed certificates
if certs and self.api.Command.ca_is_enabled()['result']:
ca_is_enabled = self.api.Command.ca_is_enabled()['result']
if 'usercertificate' in options and ca_is_enabled:
try:
entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound: