From efa11d3746c8649f5cb42be9e4787a85413b0f6c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 22 Jul 2010 16:08:17 -0400
Subject: Fix replacing a certificate in a service.

When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
---
 ipalib/plugins/service.py | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
(limited to 'ipalib/plugins/service.py')
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 37de3df4..392ae60e 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -246,17 +246,20 @@ class service_mod(LDAPUpdate):
     member_attributes = ['managedby']
 
     def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        cert = options.get('usercertificate')
-        if cert:
-            (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
-            if 'usercertificate' in entry_attrs_old:
-                # FIXME: what to do here? do we revoke the old cert?
-                fmt = 'entry already has a certificate, serial number: %s' % (
-                    x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
-                )
-                raise errors.GenericError(format=fmt)
-            # FIXME: should be in normalizer; see service_add
-            entry_attrs['usercertificate'] = base64.b64decode(cert)
+        if 'usercertificate' in options:
+            cert = options.get('usercertificate')
+            if cert:
+                (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
+                if 'usercertificate' in entry_attrs_old:
+                    # FIXME: what to do here? do we revoke the old cert?
+                    fmt = 'entry already has a certificate, serial number: %s' % (
+                        x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
+                    )
+                    raise errors.GenericError(format=fmt)
+                # FIXME: should be in normalizer; see service_add
+                entry_attrs['usercertificate'] = base64.b64decode(cert)
+            else:
+                entry_attrs['usercertificate'] = None
         return dn
 
 api.register(service_mod)
-- 
cgit
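Review bot: The new `else:` branch clears `usercertificate` unconditionally, while the commit message scopes this to CA backends that cannot revoke (like selfsign); the code itself does not check which backend is in use, so a removed certificate is never revoked here even when the backend could do it, and it presumably remains valid until expiry. The existing `# FIXME: what to do here? do we revoke the old cert?` only covers the replace path, so the clear path deserves the same marker, e.g. `# FIXME: certificate is dropped without revocation; revoke it here when the CA backend supports it`. As a style point, `cert = options.get('usercertificate')` immediately after `if 'usercertificate' in options:` can simply be `cert = options['usercertificate']`. Note also that `ldap.get_entry` rebinds the `dn` parameter that is then returned; that is pre-existing behaviour but worth a one-line comment since `return dn` is the method's contract.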