authorFraser Tweedale <ftweedal@redhat.com>2016-09-07 19:00:18 +1000
committerJan Cholasta <jcholast@redhat.com>2016-09-23 08:10:11 +0200
commit97d4ffc2dc5db00fd7ed10b0b290cc97a506d0ef (patch)
treec8ead9a0df96b6b8903fb2beda63e103e2c627ab
parent71b3352ad0e0aa105c90e490a41645dfcc46ce87 (diff)
Fix cert revocation when removing all certs via host/service-mod
When removing all host/service certificates via host/service-mod --certificate=, the removed certificates should be revoked, but they are not. Examine whether the --certificate option was provided to determine whether certs should be revoked, instead of looking for a cert list in the options (which in this case is empty). Fixes: https://fedorahosted.org/freeipa/ticket/6305 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipaserver/plugins/host.py3
-rw-r--r--ipaserver/plugins/service.py3
2 files changed, 4 insertions, 2 deletions
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index d3e3c2788..6da1afb42 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -898,7 +898,8 @@ class host_mod(LDAPUpdate):
certs_der = [x509.normalize_certificate(c) for c in certs]
# revoke removed certificates
- if certs and self.api.Command.ca_is_enabled()['result']:
+ ca_is_enabled = self.api.Command.ca_is_enabled()['result']
+ if 'usercertificate' in options and ca_is_enabled:
try:
entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
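Review bot: The comment `# revoke removed certificates` above the new condition does not explain why the test is on the presence of `usercertificate` in `options` rather than on `certs`, which is the whole point of the fix. `--certificate=` yields an empty list, which is falsy, so the old check skipped revocation exactly when every certificate was being removed. I would extend the comment to something like `# revoke removed certificates; test for the option itself, because an empty list means "remove all"`, so a later clean-up does not revert to `if certs` and leave removed certificates unrevoked. The same comment is needed in the service_mod hunk in ipaserver/plugins/service.py. The enclosing method starts before and continues after this hunk, so the revocation logic itself is not visible here.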
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 093525f2e..c05907324 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -701,7 +701,8 @@ class service_mod(LDAPUpdate):
certs = entry_attrs.get('usercertificate') or []
certs_der = [x509.normalize_certificate(c) for c in certs]
# revoke removed certificates
- if certs and self.api.Command.ca_is_enabled()['result']:
+ ca_is_enabled = self.api.Command.ca_is_enabled()['result']
+ if 'usercertificate' in options and ca_is_enabled:
try:
entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
except errors.NotFound:
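Review bot: `ca_is_enabled()` is now called on every service-mod, including calls that never touch certificates, because it was moved out of the short-circuiting condition into its own statement. The host_mod hunk in ipaserver/plugins/host.py has the same shape. If that command performs a backend lookup (not visible here), testing the option first avoids the extra call, for example by opening the condition with `if ('usercertificate' in options` and continuing on the next line with `and self.api.Command.ca_is_enabled()['result']):`. The `try` block continues past the end of the hunk.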