Revert "Only request VALID certs when revoking certs for a host/service"

This reverts commit aa1350384a. The search for certificates is a complex, three-step process, which filters results in subsequent searches. This filters out non-relevant certificates when deleting a host or service. This patch breaks that so deleting one service of a host will revoke *all* certificates for that host. Another attempt will be made separately to implement this. https://pagure.io/freeipa/issue/7835 Signed-off-by: Rob Crittenden rcritten@redhat.com Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-12-23 07:33:27 -06:00 · 2021-05-20 11:22:41 -04:00 · 2021-05-20 11:22:41 -04:00 · c5e8274010
commit c5e8274010
parent 64d6c6cc6b
3 changed files with 12 additions and 27 deletions
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@ -1687,6 +1687,8 @@ class cert_find(Search, CertMethod):
                ra_options['subject'] = hosts[0]
            elif len(users) == 1 and not services and not hosts:
                ra_options['subject'] = users[0]
        if 'status' in options:
            ra_options['status'] = options.get('status')
        try:
            ca_enabled_check(self.api)
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@ -871,9 +871,7 @@ class host_del(LDAPDelete):
                )
        if self.api.Command.ca_is_enabled()['result']:
-            certs = self.api.Command.cert_find(
+            certs = self.api.Command.cert_find(host=keys)['result']
                subject=fqdn, status='VALID'
            )['result']
            revoke_certs(certs)
        return dn
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@ -825,16 +825,8 @@ class service_del(LDAPDelete):
        # custom services allow them to manage them.
        check_required_principal(ldap, keys[-1])
        if self.api.Command.ca_is_enabled()['result']:
-            # only try to revoke certs for valid principals
+            certs = self.api.Command.cert_find(service=keys)['result']
-            try:
+            revoke_certs(certs)
                subject = keys[-1].hostname
            except ValueError:
                pass
            else:
                certs = self.api.Command.cert_find(
                    subject=subject, status='VALID'
                )['result']
                revoke_certs(certs)
        return dn
@ -1108,21 +1100,14 @@ class service_disable(LDAPQuery):
        done_work = False
        if self.api.Command.ca_is_enabled()['result']:
-            try:
+            certs = self.api.Command.cert_find(service=keys)['result']
                subject = keys[-1].hostname
            except ValueError:
                pass
            else:
                certs = self.api.Command.cert_find(
                    subject=subject, status='VALID'
                )['result']
-                if len(certs) > 0:
+            if len(certs) > 0:
-                    revoke_certs(certs)
+                revoke_certs(certs)
-                    # Remove the usercertificate altogether
+                # Remove the usercertificate altogether
-                    entry_attrs['usercertificate'] = None
+                entry_attrs['usercertificate'] = None
-                    ldap.update_entry(entry_attrs)
+                ldap.update_entry(entry_attrs)
-                    done_work = True
+                done_work = True
        self.obj.get_password_attributes(ldap, dn, entry_attrs)
        if entry_attrs['has_keytab']: