From 16f33ddb51523fe9a4c68e91519099991ece10a5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 24 Jun 2016 17:29:51 +1000
Subject: Check for CA subject name collision before attempting creation

Lightweight CA subject name collisions are prevented by Dogtag (response code 409 Conflict), however, we do not want to expose the Dogtag error. Perform the check in the IPA framework as well, raising DuplicateEntry on collision.

Fixes: https://fedorahosted.org/freeipa/ticket/5981
Reviewed-By: Milan Kubik
---
 ipaserver/plugins/ca.py | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'ipaserver')

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index ee98f0a2a..966ae2b1b 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -163,6 +163,13 @@ class ca_add(LDAPCreate):
         except errors.NotFound:
             pass
 
+        # check for subject collision before creating CA in Dogtag
+        result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])
+        if result['count'] > 0:
+            raise errors.DuplicateEntry(message=_(
+                "Subject DN is already used by CA '%s'"
+            ) % result['result'][0]['cn'][0])
+
         # Create the CA in Dogtag.
         with self.api.Backend.ra_lightweight_ca as ca_api:
             resp = ca_api.create_ca(options['ipacasubjectdn'])
-- 
cgit
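Review bot: The new `ca_find` pre-check is a check-then-act that does not close the window it is meant to cover: two `ca_add` calls with the same subject DN that interleave between the `ca_find` and `ca_api.create_ca(...)` both pass the `count > 0` test, and the loser still gets the raw Dogtag 409 the commit message says we do not want to expose. To actually guarantee `DuplicateEntry`, the conflict response from `create_ca` should also be translated at the call site, e.g. catching whatever error `ra_lightweight_ca` raises for HTTP 409 and re-raising `errors.DuplicateEntry` with the same message; I cannot see that backend here, so the exact exception class needs confirming. Separately, the check reaches for the module-level `api` while the very next statement uses `self.api`; for consistency and testability prefer `result = self.api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])`. Whether `ca_find` matches the DN after normalization (case, spacing) or only byte-for-byte also determines how much of the collision space this pre-check covers; worth a one-line comment such as `# advisory only: Dogtag remains the authority on subject collisions`. The enclosing `pre_callback`/`execute` body starts and ends outside this hunk.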