-rw-r--r-- | ipalib/messages.py | 10 | ||||
-rw-r--r-- | ipaserver/plugins/host.py | 31 | ||||
-rw-r--r-- | ipaserver/plugins/service.py | 34 |
3 files changed, 70 insertions, 5 deletions
diff --git a/ipalib/messages.py b/ipalib/messages.py
index d8cee9e83..7288606f6 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -461,6 +461,16 @@ class ServerRemovalWarning(PublicMessage):
 type = "warning"
+class CertificateInvalid(PublicMessage):
+ """
+ ***13029 Failed to parse a certificate
+ """
+ errno = 13029
+ type = "error"
+ format = _("%(subject)s: Invalid certificate. "
+ "%(reason)s")
+
+
 def iter_messages(variables, base):
 """Return a tuple with all subclasses
 """
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 15805a3d2..919927c3d 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -1009,7 +1009,21 @@ class host_find(LDAPSearch):
 if options.get('pkey_only', False):
 return truncated
 for entry_attrs in entries:
- set_certificate_attrs(entry_attrs)
+ hostname = entry_attrs['fqdn']
+ if isinstance(hostname, (tuple, list)):
+ hostname = hostname[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=hostname,
+ reason=e,
+ )
+ )
+ self.log.error("Invalid certificate: {err}".format(err=e))
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
 self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
@@ -1052,7 +1066,20 @@ class host_show(LDAPRetrieve):
 # fetched anywhere.
 entry_attrs['has_keytab'] = False
- set_certificate_attrs(entry_attrs)
+ hostname = entry_attrs['fqdn']
+ if isinstance(hostname, (tuple, list)):
+ hostname = hostname[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=hostname,
+ reason=e,
+ )
+ )
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
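Review bot: The docstring of the new `CertificateInvalid` class records only the error number, while the format string expects two variables that nothing documents; in particular `subject` is the name of the LDAP entry the certificate is attached to (the host FQDN or service principal the callers pass in), not the certificate's Subject DN as the name suggests. Suggested docstring text after the errno line: `Variables: subject -- name of the host or service entry whose certificate failed to parse; reason -- the parse error, forwarded to the API client as-is.` The `type = "error"` also deserves a word, since the callers add this message and carry on, so it appears to travel alongside an otherwise successful result rather than as a raised error.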
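Review bot: The name lookup, try/except, add_message and del sequence added here is copied verbatim into host_show below and into service_find and service_show in ipaserver/plugins/service.py, differing only in the name attribute and in whether `self.log.error` is called, so the four copies have already drifted; factor it into one helper (next to set_certificate_attrs, wherever that is defined) and call it as `_set_certificate_attrs_or_report(self, entry_attrs, 'fqdn')`. Two behaviours of the copied block deserve a comment because they are not obvious from the code: `del(entry_attrs['usercertificate'])` removes the whole attribute, so an entry holding several certificates loses the ones that parsed along with the bad one, and the exception text reaches the API client through `reason=e`. Smaller points: `del` is a statement, not a call, so `del entry_attrs['usercertificate']`, and `self.log.error("... {err}".format(err=e))` should use the logger's own lazy substitution, `self.log.error("Invalid certificate: %s", e)`. If the entries are LDAPEntry objects, `entry_attrs.single_value['fqdn']` already does the list-unwrapping that the isinstance check does by hand. The enclosing method starts before this hunk.
```python
def _set_certificate_attrs_or_report(cmd, entry_attrs, name_attr):
    """Run set_certificate_attrs; on a parse failure report it and drop the attribute.

    cmd is the calling command (needs add_message and log); name_attr is the
    attribute that names the entry in the message ('fqdn' or
    'krbprincipalname').  The whole usercertificate attribute is removed on
    failure, including any values that did parse.
    """
    subject = entry_attrs[name_attr]
    if isinstance(subject, (tuple, list)):
        subject = subject[0]
    try:
        set_certificate_attrs(entry_attrs)
    except errors.CertificateFormatError as e:
        cmd.add_message(messages.CertificateInvalid(subject=subject, reason=e))
        cmd.log.error("Invalid certificate: %s", e)
        del entry_attrs['usercertificate']
```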
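Review bot: This copy of the handler omits the `self.log.error("Invalid certificate: {err}".format(err=e))` line that the host_find hunk above and both service.py hunks include, so a bad host certificate encountered through host-show is reported to the client but not logged by this code; add the same line after the add_message call, or drop it from the other three if logging only on searches is the intent. host_show's method body starts before and continues after this hunk.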
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b8f2a7aa..24031eb42 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -21,7 +21,7 @@ import six
-from ipalib import api, errors
+from ipalib import api, errors, messages
 from ipalib import Bytes, StrEnum, Bool, Str, Flag
 from ipalib.plugable import Registry
 from .baseldap import (
@@ -698,7 +698,21 @@ class service_find(LDAPSearch):
 return truncated
 for entry_attrs in entries:
 self.obj.get_password_attributes(ldap, entry_attrs.dn, entry_attrs)
- set_certificate_attrs(entry_attrs)
+ principal = entry_attrs['krbprincipalname']
+ if isinstance(principal, (tuple, list)):
+ principal = principal[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=principal,
+ reason=e
+ )
+ )
+ self.log.error("Invalid certificate: {err}".format(err=e))
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options)
 return truncated
@@ -721,7 +735,21 @@ class service_show(LDAPRetrieve):
 assert isinstance(dn, DN)
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
- set_certificate_attrs(entry_attrs)
+ principal = entry_attrs['krbprincipalname']
+ if isinstance(principal, (tuple, list)):
+ principal = principal[0]
+ try:
+ set_certificate_attrs(entry_attrs)
+ except errors.CertificateFormatError as e:
+ self.add_message(
+ messages.CertificateInvalid(
+ subject=principal,
+ reason=e,
+ )
+ )
+ self.log.error("Invalid certificate: {err}".format(err=e))
+ del(entry_attrs['usercertificate'])
+
 set_kerberos_attrs(entry_attrs, options)
 rename_ipaallowedtoperform_from_ldap(entry_attrs, options) |