author | Stanislav Laznicka <slaznick@redhat.com> | 2016-06-09 13:13:24 +0200 |
committer | Martin Basti <mbasti@redhat.com> | 2016-06-22 17:43:14 +0200 |
commit | 9a8c5c9dfd10ab1c0bb66b5f25bf815a43d45f2a (patch) | |
tree | a1c01ad54c629530acdf7641a5957213a9c38511 /ipaserver/plugins | |
parent | be3ad1ed7a34e90c7107380bb2939f737306ba77 (diff) | |
host/service-show/find shouldn't fail on invalid certificate
host/service-show/find methods would have failed if the first
certificate they had in the userCertificate attribute was invalid.
The expected behavior is that they just show the rest of the requested
attributes.
https://fedorahosted.org/freeipa/ticket/5797
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/host.py | 31 | ||||
-rw-r--r-- | ipaserver/plugins/service.py | 34 |
2 files changed, 60 insertions, 5 deletions
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 15805a3d2..919927c3d 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -1009,7 +1009,21 @@ class host_find(LDAPSearch):
 if options.get('pkey_only', False):
 return truncated
 for entry_attrs in entries:
- set_certificate_attrs(entry_attrs)
+ hostname = entry_attrs['fqdn']
+ if isinstance(hostname, (tuple, list)):
+ hostname = hostname[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=hostname,
+ reason=e,
+ )
+ )
+ self.log.error("Invalid certificate: {err}".format(err=e))
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
 self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
@@ -1052,7 +1066,20 @@ class host_show(LDAPRetrieve):
 # fetched anywhere.
 entry_attrs['has_keytab'] = False
- set_certificate_attrs(entry_attrs)
+ hostname = entry_attrs['fqdn']
+ if isinstance(hostname, (tuple, list)):
+ hostname = hostname[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=hostname,
+ reason=e,
+ )
+ )
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b8f2a7aa..24031eb42 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -21,7 +21,7 @@
 import six
- from ipalib import api, errors
+ from ipalib import api, errors, messages
 from ipalib import Bytes, StrEnum, Bool, Str, Flag
 from ipalib.plugable import Registry
 from .baseldap import (
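Review bot: `del(entry_attrs['usercertificate'])` in host_find's except branch discards every certificate on the entry, not only the value that failed to decode, so a single corrupt value also hides the valid certificates from the caller; if set_certificate_attrs decodes only the first value, as the commit message suggests, keeping the raw attribute (or at least the remaining values) and skipping only the derived certificate attributes would match the stated intent better. The same pattern is repeated in host_show and in both service.py hunks. Stylistically `del` is a statement, not a function, so `del entry_attrs['usercertificate']` is the idiomatic form. host_find's method body starts and ends outside the hunk.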
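Review bot: host_show's except branch omits the `self.log.error("Invalid certificate: {err}".format(err=e))` call that the host_find hunk and both service.py hunks include, so an undecodable host certificate found through host-show leaves no server-side record while the same certificate found through host-find does; unless the omission is deliberate, add the same line before the `del`. The reason text reaches the client through messages.CertificateInvalid either way, so the log line is the only record an operator can correlate without the client output. host_show's method starts and ends outside the hunk.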
@@ -698,7 +698,21 @@ class service_find(LDAPSearch):
 return truncated
 for entry_attrs in entries:
 self.obj.get_password_attributes(ldap, entry_attrs.dn, entry_attrs)
- set_certificate_attrs(entry_attrs)
+ principal = entry_attrs['krbprincipalname']
+ if isinstance(principal, (tuple, list)):
+ principal = principal[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=principal,
+ reason=e
+ )
+ )
+ self.log.error("Invalid certificate: {err}".format(err=e))
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
 return truncated
@@ -721,7 +735,21 @@ class service_show(LDAPRetrieve):
 assert isinstance(dn, DN)
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
- set_certificate_attrs(entry_attrs)
+ principal = entry_attrs['krbprincipalname']
+ if isinstance(principal, (tuple, list)):
+ principal = principal[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=principal,
+ reason=e,
+ )
+ )
+ self.log.error("Invalid certificate: {err}".format(err=e))
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options) |
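Review bot: The fourteen-line block added to service_find (subject lookup, try/except around set_certificate_attrs, add_message, del) is identical to the service_show hunk and the two host.py hunks except for the attribute used as the subject, and the copies are already drifting (the host_show copy drops the log call, and only this copy lacks the trailing comma after `reason=e`). A small helper in baseldap taking the command, entry_attrs and the subject attribute name would keep the four call sites consistent and reduce each of them to one line. service_find's loop body continues outside the hunk.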
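Review bot: The except clause in service_show catches only errors.CertificateFormatError, so any other exception set_certificate_attrs might raise on a malformed value would still abort service-show, which is the failure this commit sets out to remove; it is worth confirming that set_certificate_attrs wraps every decoding failure in CertificateFormatError and, if it does not, widening the clause to the exceptions it actually raises. The same assumption applies to the other three hunks. service_show's method body ends outside the hunk.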