From 453a19fcaca9c2be1e3d0e78b734bd05e7d50764 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 20 Oct 2009 11:59:07 -0400
Subject: First pass at enforcing certificates be requested from same host

We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
---
 ipalib/backend.py | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'ipalib/backend.py')

diff --git a/ipalib/backend.py b/ipalib/backend.py
index b123ed14..7c964b79 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -97,10 +97,15 @@ class Executioner(Backend):
 
 
     def create_context(self, ccache=None, client_ip=None):
+        """
+        client_ip: The IP address of the remote client.
+        """
         if self.env.in_server:
             self.Backend.ldap2.connect(ccache=ccache)
         else:
             self.Backend.xmlclient.connect()
+        if client_ip is not None:
+            setattr(context, "client_ip", client_ip)
 
     def destroy_context(self):
         destroy_context()
-- 
cgit