From bdbb1c34a2f5ef864cd3a943dcd047cde20de681 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 1 Dec 2016 14:28:03 +1000 Subject: Remove "Request Certificate with SubjectAltName" permission subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission. Furthermore, we already do rigorously validate SAN contents again the subject principal, and the permission is waived for self-service requests or if the operator is a host principal. So remove the permission, the associated virtual operation, and the associated code in cert_request. Fixes: https://fedorahosted.org/freeipa/ticket/6526 Reviewed-By: Martin Babinsky --- ipatests/test_xmlrpc/test_permission_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ipatests/test_xmlrpc') diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 6336df7c1..7582b24a4 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -3125,7 +3125,7 @@ def check_legacy_results(results): legacy_permissions = [p for p in results if not p.get('ipapermissiontype')] print(legacy_permissions) - assert len(legacy_permissions) == 9, len(legacy_permissions) + assert len(legacy_permissions) == 8, len(legacy_permissions) return True -- cgit