Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName extension (e.g. with rfc822Name altNames). Suppress the cert-request "request certificate with subjectaltname" permission check when the bind principal is the target principal (i.e. cert-request self-service). Fixes: https://fedorahosted.org/freeipa/ticket/5190 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-09 03:25:58 -04:00 · 2015-08-09 03:25:58 -04:00 · aafc0e980b
commit aafc0e980b
parent 6f8b0ed4fa
1 changed files with 1 additions and 1 deletions
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                error=_("Failure decoding Certificate Signing Request: %s") % e)

        # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
            for ext in extensions:
                operation = self._allowed_extensions.get(ext)
                if operation: