IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

host/service-show/find shouldn't fail on invalid certificate

Browse Source 
host/service-show/find methods would have failed if the first
certificate they had in userCertificate attribute were invalid.
Expected behavior is that they just show the rest of the reqested
attributes.

https://fedorahosted.org/freeipa/ticket/5797

Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Stanislav Laznicka
2016-06-09 13:13:24 +02:00
committed by Martin Basti
parent be3ad1ed7a
commit 9a8c5c9dfd
3 changed files with 70 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ipalib/messages.py
View File

@@ -461,6 +461,16 @@ class ServerRemovalWarning(PublicMessage):
type = "warning"
class CertificateInvalid(PublicMessage):
"""
***13029 Failed to parse a certificate
"""
errno = 13029
type = "error"
format = _("%(subject)s: Invalid certificate. "
"%(reason)s")
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""

31
ipaserver/plugins/host.py
View File

@@ -1009,7 +1009,21 @@ class host_find(LDAPSearch):
if options.get('pkey_only', False):
return truncated
for entry_attrs in entries:
set_certificate_attrs(entry_attrs)
hostname = entry_attrs['fqdn']
if isinstance(hostname, (tuple, list)):
hostname = hostname[0]
try:
set_certificate_attrs(entry_attrs)
except errors.CertificateFormatError as e:
self.add_message(
messages.CertificateInvalid(
subject=hostname,
reason=e,
)
)
self.log.error("Invalid certificate: {err}".format(err=e))
del(entry_attrs['usercertificate'])
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
@@ -1052,7 +1066,20 @@ class host_show(LDAPRetrieve):
# fetched anywhere.
entry_attrs['has_keytab'] = False
set_certificate_attrs(entry_attrs)
hostname = entry_attrs['fqdn']
if isinstance(hostname, (tuple, list)):
hostname = hostname[0]
try:
set_certificate_attrs(entry_attrs)
except errors.CertificateFormatError as e:
self.add_message(
messages.CertificateInvalid(
subject=hostname,
reason=e,
)
)
del(entry_attrs['usercertificate'])
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)

34
ipaserver/plugins/service.py
View File

@@ -21,7 +21,7 @@
import six
from ipalib import api, errors
from ipalib import api, errors, messages
from ipalib import Bytes, StrEnum, Bool, Str, Flag
from ipalib.plugable import Registry
from .baseldap import (
@@ -698,7 +698,21 @@ class service_find(LDAPSearch):
return truncated
for entry_attrs in entries:
self.obj.get_password_attributes(ldap, entry_attrs.dn, entry_attrs)
set_certificate_attrs(entry_attrs)
principal = entry_attrs['krbprincipalname']
if isinstance(principal, (tuple, list)):
principal = principal[0]
try:
set_certificate_attrs(entry_attrs)
except errors.CertificateFormatError as e:
self.add_message(
messages.CertificateInvalid(
subject=principal,
reason=e
)
)
self.log.error("Invalid certificate: {err}".format(err=e))
del(entry_attrs['usercertificate'])
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
return truncated
@@ -721,7 +735,21 @@ class service_show(LDAPRetrieve):
assert isinstance(dn, DN)
self.obj.get_password_attributes(ldap, dn, entry_attrs)
set_certificate_attrs(entry_attrs)
principal = entry_attrs['krbprincipalname']
if isinstance(principal, (tuple, list)):
principal = principal[0]
try:
set_certificate_attrs(entry_attrs)
except errors.CertificateFormatError as e:
self.add_message(
messages.CertificateInvalid(
subject=principal,
reason=e,
)
)
self.log.error("Invalid certificate: {err}".format(err=e))
del(entry_attrs['usercertificate'])
set_kerberos_attrs(entry_attrs, options)
rename_ipaallowedtoperform_from_ldap(entry_attrs, options)