authorFraser Tweedale <ftweedal@redhat.com>2015-08-09 03:25:58 -0400
committerJan Cholasta <jcholast@redhat.com>2015-08-11 12:25:51 +0200
commitaafc0e980be43c4956308a39d2ca45c7e50fa3ab (patch)
tree83582906390170343106b7efbb3bb88bf0f3739e
parent6f8b0ed4fa8cb20a89915e74d805d4e7db90b6f9 (diff)
Allow SAN extension for cert-request self-service
Users cannot self-issue a certificate with a subjectAltName extension (e.g. with rfc822Name altNames). Suppress the cert-request "request certificate with subjectaltname" permission check when the bind principal is the target principal (i.e. cert-request self-service). Fixes: https://fedorahosted.org/freeipa/ticket/5190 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipalib/plugins/cert.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd017..d612e9d38 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
error=_("Failure decoding Certificate Signing Request: %s") % e)
# host principals may bypass allowed ext check
- if bind_principal_type != HOST:
+ if bind_principal != principal and bind_principal_type != HOST:
for ext in extensions:
operation = self._allowed_extensions.get(ext)
if operation: