Re: [Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod
On 23.9.2016 05:30, Fraser Tweedale wrote:
> Bump for review.

Works for me, ACK.

Pushed to master: 97d4ffc2dc5db00fd7ed10b0b290cc97a506d0ef

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod
Bump for review. On Wed, Sep 07, 2016 at 04:06:25PM +0700, Fraser Tweedale wrote: > Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305 > > Thanks, > Fraser > From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001 > From: Fraser Tweedale > Date: Wed, 7 Sep 2016 19:00:18 +1000 > Subject: [PATCH] Fix cert revocation when removing all certs via > host/service-mod > > When removing all host/service certificates via host/service-mod > --certificate=, the removed certificates should be revoked, but they > are not. Examine whether the --certificate option was provided to > determine whether certs should be revoked, instead of looking for a > cert list in the options (which in this case is empty). > > Fixes: https://fedorahosted.org/freeipa/ticket/6305 > --- > ipaserver/plugins/host.py| 3 ++- > ipaserver/plugins/service.py | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py > index > 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94 > 100644 > --- a/ipaserver/plugins/host.py > +++ b/ipaserver/plugins/host.py > @@ -898,7 +898,8 @@ class host_mod(LDAPUpdate): > certs_der = [x509.normalize_certificate(c) for c in certs] > > # revoke removed certificates > -if certs and self.api.Command.ca_is_enabled()['result']: > +ca_is_enabled = self.api.Command.ca_is_enabled()['result'] > +if 'usercertificate' in options and ca_is_enabled: > try: > entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) > except errors.NotFound: > diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py > index > 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3 > 100644 > --- a/ipaserver/plugins/service.py > +++ b/ipaserver/plugins/service.py 
> @@ -701,7 +701,8 @@ class service_mod(LDAPUpdate): > certs = entry_attrs.get('usercertificate') or [] > certs_der = [x509.normalize_certificate(c) for c in certs] > # revoke removed certificates > -if certs and self.api.Command.ca_is_enabled()['result']: > +ca_is_enabled = self.api.Command.ca_is_enabled()['result'] > +if 'usercertificate' in options and ca_is_enabled: > try: > entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) > except errors.NotFound: > -- > 2.5.5 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 0107 Fix cert revocation when removing all certs via host/service-mod
Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305 Thanks, Fraser From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 7 Sep 2016 19:00:18 +1000 Subject: [PATCH] Fix cert revocation when removing all certs via host/service-mod When removing all host/service certificates via host/service-mod --certificate=, the removed certificates should be revoked, but they are not. Examine whether the --certificate option was provided to determine whether certs should be revoked, instead of looking for a cert list in the options (which in this case is empty). Fixes: https://fedorahosted.org/freeipa/ticket/6305 --- ipaserver/plugins/host.py| 3 ++- ipaserver/plugins/service.py | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -898,7 +898,8 @@ class host_mod(LDAPUpdate): certs_der = [x509.normalize_certificate(c) for c in certs] # revoke removed certificates -if certs and self.api.Command.ca_is_enabled()['result']: +ca_is_enabled = self.api.Command.ca_is_enabled()['result'] +if 'usercertificate' in options and ca_is_enabled: try: entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py 
@@ -701,7 +701,8 @@ class service_mod(LDAPUpdate): certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] # revoke removed certificates -if certs and self.api.Command.ca_is_enabled()['result']: +ca_is_enabled = self.api.Command.ca_is_enabled()['result'] +if 'usercertificate' in options and ca_is_enabled: try: entry_attrs_old = ldap.get_entry(dn, ['usercertificate']) except errors.NotFound: -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
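Review bot: in the ipaserver/plugins/host.py hunk, `ca_is_enabled = self.api.Command.ca_is_enabled()['result']` now runs on every host_mod call, ahead of the `'usercertificate' in options` test, whereas the removed `if certs and ...` line only made the call when `certs` was non-empty. Testing the option first and calling ca_is_enabled inside that branch would keep the short-circuit; the temporary variable can stay if it is only there for line length.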
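Review bot: in the ipaserver/plugins/service.py hunk, the switch from `if certs` to `'usercertificate' in options` is the whole fix, yet the `# revoke removed certificates` comment does not say why key presence is tested instead of the list's truthiness, so a later cleanup could easily revert it. A short comment noting that an empty `--certificate=` must still reach the revocation branch would help, and since the diffstat lists only the two plugin files, a regression test covering the remove-all case for both host-mod and service-mod is worth adding alongside.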