From c5e827401045dbecabcbe7b800add66a3729c80d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 20 May 2021 11:22:41 -0400
Subject: [PATCH] Revert "Only request VALID certs when revoking certs for a host/service"
This reverts commit aa1350384ad6a7d6b2f6056d99fbb43c5c5a6be7.
The search for certificates is a complex, three-step process, which filters results in subsequent searches. This filters out non-relevant certificates when deleting a host or service. This patch breaks that so deleting one service of a host will revoke *all* certificates for that host.
Another attempt will be made separately to implement this.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/plugins/cert.py | 2 ++
 ipaserver/plugins/host.py | 4 +---
 ipaserver/plugins/service.py | 33 +++++++++------------------------
 3 files changed, 12 insertions(+), 27 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 7decee439..93ed9fa33 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1687,6 +1687,8 @@ class cert_find(Search, CertMethod):
 ra_options['subject'] = hosts[0]
 elif len(users) == 1 and not services and not hosts:
 ra_options['subject'] = users[0]
+ if 'status' in options:
+ ra_options['status'] = options.get('status')
 try:
 ca_enabled_check(self.api)
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 8d5cf3c60..a3a0b0b53 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -871,9 +871,7 @@ class host_del(LDAPDelete):
 )
 if self.api.Command.ca_is_enabled()['result']:
- certs = self.api.Command.cert_find(
- subject=fqdn, status='VALID'
- )['result']
+ certs = self.api.Command.cert_find(host=keys)['result']
 revoke_certs(certs)
 return dn
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 27d3fc8db..1c9347804 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
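Review bot: The status pass-through added to cert_find tests a key and then looks it up with a default anyway: `if 'status' in options:` followed by `options.get('status')`. After the membership test, `ra_options['status'] = options['status']` expresses the same thing without the redundant `.get` default. cert_find's body begins before and continues after this hunk.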
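Review bot: The new `certs = self.api.Command.cert_find(host=keys)['result']` in host_del no longer restricts the lookup to VALID certificates, so revoke_certs may now receive certificates that are already revoked or expired; whether revoke_certs tolerates an already-revoked entry is not visible in this hunk and is worth confirming, since an error there would surface late in host_del. The same applies to the `cert_find(service=keys)` calls in both service.py hunks. A one-line comment at the call site, `# host= (not subject=) keeps the search scoped to this host's own certs; status is deliberately unfiltered — see issue 7835`, would record both decisions for the next reader. host_del's body begins before this hunk.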
@@ -825,16 +825,8 @@ class service_del(LDAPDelete):
 # custom services allow them to manage them.
 check_required_principal(ldap, keys[-1])
 if self.api.Command.ca_is_enabled()['result']:
- # only try to revoke certs for valid principals
- try:
- subject = keys[-1].hostname
- except ValueError:
- pass
- else:
- certs = self.api.Command.cert_find(
- subject=subject, status='VALID'
- )['result']
- revoke_certs(certs)
+ certs = self.api.Command.cert_find(service=keys)['result']
+ revoke_certs(certs)
 return dn
@@ -1108,21 +1100,14 @@ class service_disable(LDAPQuery):
 done_work = False
 if self.api.Command.ca_is_enabled()['result']:
- try:
- subject = keys[-1].hostname
- except ValueError:
- pass
- else:
- certs = self.api.Command.cert_find(
- subject=subject, status='VALID'
- )['result']
+ certs = self.api.Command.cert_find(service=keys)['result']
- if len(certs) > 0:
- revoke_certs(certs)
- # Remove the usercertificate altogether
- entry_attrs['usercertificate'] = None
- ldap.update_entry(entry_attrs)
- done_work = True
+ if len(certs) > 0:
+ revoke_certs(certs)
+ # Remove the usercertificate altogether
+ entry_attrs['usercertificate'] = None
+ ldap.update_entry(entry_attrs)
+ done_work = True
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
 if entry_attrs['has_keytab']:
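Review bot: The new `certs = self.api.Command.cert_find(service=keys)['result']` in service_del drops the `try/except ValueError` guard the removed lines used for principals without a hostname, so that case is now handled — or not — inside cert_find rather than here; if cert_find raises for such a principal, service_del fails after check_required_principal has already passed. The expectation should be written down next to the call, hedged until confirmed: `# NOTE: cert_find(service=...) is expected to cope with principals lacking a hostname — confirm`. service_del's body begins before this hunk.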
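Review bot: The re-added guard `if len(certs) > 0:` in service_disable is the non-idiomatic form; `if certs:` reads the same and avoids the length call. The remaining `+` lines appear to only move the revocation and usercertificate clearing one indent level out of the removed try/else, so no other behaviour change is visible here. service_disable's body begins before and continues after this hunk.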