certprofile: reject config with multiple profileIds

In certprofile-import if the config file contains two profileId directives with different values, with the first matching the profile ID CLI argument and the second differing, the profile gets imported under the second ID. This leads to: - failure to enable the profile - failure to add the IPA "tracking" certprofile object - inability to delete the misnamed profile from Dogtag (via ipa CLI) To avert this scenario, detect and reject profile configurations where profileId is specified multiple times (whether or not the values differ). https://pagure.io/freeipa/issue/7503 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-04-18 17:10:10 +10:00 · 2018-04-18 17:10:10 +10:00 · a7b18372ed
commit a7b18372ed
parent 1a6e360119
1 changed files with 17 additions and 6 deletions
--- a/ipaserver/plugins/certprofile.py
+++ b/ipaserver/plugins/certprofile.py
@ -236,14 +236,25 @@ class certprofile_import(LDAPCreate):
        ca_enabled_check(self.api)
        context.profile = options['file']

-        match = self.PROFILE_ID_PATTERN.search(options['file'])
-        if match is None:
+        matches = self.PROFILE_ID_PATTERN.findall(options['file'])
+        if len(matches) == 0:
            # no profileId found, use CLI value as profileId.
            context.profile = u'profileId=%s\n%s' % (keys[0], context.profile)
-        elif keys[0] != match.group(1):
-            raise errors.ValidationError(name='file',
-                error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'")
-                    % {'cli_value': keys[0], 'file_value': match.group(1)}
+        elif len(matches) > 1:
+            raise errors.ValidationError(
+                name='file',
+                error=_(
+                    "Profile data specifies profileId multiple times: "
+                    "%(values)s"
+                ) % dict(values=matches)
+            )
+        elif keys[0] != matches[0]:
+            raise errors.ValidationError(
+                name='file',
+                error=_(
+                    "Profile ID '%(cli_value)s' "
+                    "does not match profile data '%(file_value)s'"
+                ) % dict(cli_value=keys[0], file_value=matches[0])
            )
        return dn