Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName extension (e.g. with rfc822Name altNames). Suppress the cert-request "request certificate with subjectaltname" permission check when the bind principal is the target principal (i.e. cert-request self-service). Fixes: https://fedorahosted.org/freeipa/ticket/5190 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
author: Fraser Tweedale <ftweedal@redhat.com> 2015-08-09 03:25:58 -0400
committer: Jan Cholasta <jcholast@redhat.com> 2015-08-11 12:25:51 +0200
commit: 0e44568695e22752c250ead17eeb08e7a1561466 (patch)
tree: 1f5cc5f9dd01b60ecc0dd99d9443b274f6bcdc65 /ipalib
parent: 8cc61cc42c3e3422e79da69c7a2c3e594b5931ca (diff)
download: freeipa-0e44568695e22752c250ead17eeb08e7a1561466.tar.gz
freeipa-0e44568695e22752c250ead17eeb08e7a1561466.tar.xz
freeipa-0e44568695e22752c250ead17eeb08e7a1561466.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd017..d612e9d38 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
         # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
             for ext in extensions:
                 operation = self._allowed_extensions.get(ext)
                 if operation:
author	Fraser Tweedale <ftweedal@redhat.com>	2015-08-09 03:25:58 -0400
committer	Jan Cholasta <jcholast@redhat.com>	2015-08-11 12:25:51 +0200
commit	0e44568695e22752c250ead17eeb08e7a1561466 (patch)
tree	1f5cc5f9dd01b60ecc0dd99d9443b274f6bcdc65 /ipalib
parent	8cc61cc42c3e3422e79da69c7a2c3e594b5931ca (diff)
download	freeipa-0e44568695e22752c250ead17eeb08e7a1561466.tar.gz freeipa-0e44568695e22752c250ead17eeb08e7a1561466.tar.xz freeipa-0e44568695e22752c250ead17eeb08e7a1561466.zip