summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2011-07-07 11:55:20 -0400
committerRob Crittenden <rcritten@redhat.com>2011-07-17 22:10:03 -0400
commit038089a0c9160221d17796b8d6fd6e4f1fb67850 (patch)
tree7c4e62192efd588de1ae44d82c63036866aa59e4 /install
parentbc8be0a41effbd7a1ffe761829783afa8a59539e (diff)
downloadfreeipa-038089a0c9160221d17796b8d6fd6e4f1fb67850.zip
freeipa-038089a0c9160221d17796b8d6fd6e4f1fb67850.tar.gz
freeipa-038089a0c9160221d17796b8d6fd6e4f1fb67850.tar.xz
Validate that the certificate subject base is in valid DN format.
https://fedorahosted.org/freeipa/ticket/1176
Diffstat (limited to 'install')
-rwxr-xr-xinstall/tools/ipa-server-install27
1 files changed, 26 insertions, 1 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 35b16da..ca0d139 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -58,10 +58,19 @@ from ipapython.ipautil import *
from ipalib import api, errors, util
from ipalib.parameters import IA5Str
from ipapython.config import IPAOptionParser
+from ipalib.dn import DN
pw_name = None
uninstalling = False
+VALID_SUBJECT_ATTRS = ['cn', 'st', 'o', 'ou', 'dnqualifier', 'c',
+ 'serialnumber', 'l', 'title', 'sn', 'givenname',
+ 'initials', 'generationqualifier', 'dc', 'mail',
+ 'uid', 'postaladdress', 'postalcode', 'postofficebox',
+ 'houseidentifier', 'e', 'street', 'pseudonym',
+ 'incorporationlocality', 'incorporationstate',
+ 'incorporationcountry', 'businesscategory']
+
def zonemgr_callback(option, opt_str, value, parser):
"""
Make sure the zonemgr is an IA5String.
@@ -72,6 +81,21 @@ def zonemgr_callback(option, opt_str, value, parser):
ia._convert_scalar(v)
parser.values.zonemgr = value
+def subject_callback(option, opt_str, value, parser):
+ """
+ Make sure the certificate subject base is a valid DN
+ """
+ name = opt_str.replace('--','')
+ v = unicode(value, 'utf-8')
+ try:
+ dn = DN(v)
+ for x in xrange(len(dn)):
+ if dn[x][0].attr.lower() not in VALID_SUBJECT_ATTRS:
+ raise ValueError('invalid attribute: %s' % dn[x][0].attr.lower())
+ except ValueError, e:
+ raise ValueError('Invalid subject base format: %s' % str(e))
+ parser.values.subject = value
+
def parse_options():
# Guaranteed to give a random 200k range below the 2G mark (uint32_t limit)
namespace = random.randint(1, 10000) * 200000
@@ -142,7 +166,8 @@ def parse_options():
help="The starting value for the IDs range (default random)")
parser.add_option("--idmax", dest="idmax", default=0, type=int,
help="The max value value for the IDs range (default: idstart+199999)")
- parser.add_option("--subject", dest="subject",
+ parser.add_option("--subject", action="callback", callback=subject_callback,
+ type="string",
help="The certificate subject base (default O=<realm-name>)")
parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
action="store_true",