URL: https://github.com/freeipa/freeipa/pull/1047
Author: rcritten
Title: #1047: Use the user-provided CA chain file in connections & check for file existence
Action: opened

PR body:
""" The user now may provide their own CA chain to the make API commands, but it isn't honored. The value is also not checked for existence, throwing a generic "no such file" error rather than "file <foo> doesn't exist". """

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1047/head:pr1047
git checkout pr1047
From fabeae731ccc8546060211f795634c29e7a08da4 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Wed, 6 Sep 2017 16:23:03 -0400 Subject: [PATCH 1/2] Use the CA chain file from the RPC context The value can be passed in the create_connection() call but wasn't used outside that call. It already defaults to api.env.tls_ca_cert so that value should be used instead. https://pagure.io/freeipa/issue/7145 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 4b81e89975..1355ec4bf6 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -556,7 +556,7 @@ def make_connection(self, host): conn = create_https_connection( host, 443, - api.env.tls_ca_cert, + getattr(context, 'ca_certfile', None), tls_version_min=api.env.tls_version_min, tls_version_max=api.env.tls_version_max) From aa45e80a8fe170593340ec8194c735eac1caf008 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Wed, 6 Sep 2017 16:24:39 -0400 Subject: [PATCH 2/2] If the cafile is not present then raise an exception This is more likely if the user passes in a custom location for the CA cert chain but raise an error if the CA chain does not exist including the path to the file. https://pagure.io/freeipa/issue/7145 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipalib/util.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipalib/util.py b/ipalib/util.py index 91d6e469a5..68e1503291 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -291,6 +291,8 @@ def create_https_connection( if cafile is None: raise RuntimeError("cafile argument is required to perform server " "certificate verification") + if not os.path.isfile(cafile): + raise RuntimeError("cafile %s does not exist" % cafile) # remove the slice of negating protocol options according to options tls_span = get_proper_tls_version_span(tls_version_min, tls_version_max)
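Review bot: in the ipalib/rpc.py hunk (make_connection), the fallback in `getattr(context, 'ca_certfile', None)` hands None to create_https_connection whenever the RPC context carries no ca_certfile, and create_https_connection then raises RuntimeError("cafile argument is required to perform server certificate verification") instead of falling back to the configured api.env.tls_ca_cert. The commit message relies on create_connection() having already defaulted ca_certfile to api.env.tls_ca_cert, which holds on the normal path, but any caller that populates the context without going through that default now fails closed with a message that does not name a file. Suggest `getattr(context, 'ca_certfile', api.env.tls_ca_cert)` so the system CA chain remains the default and verification is never silently skipped, with the explicit None check in create_https_connection kept as the backstop.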
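Review bot: the ipalib/util.py hunk adds `os.path.isfile(cafile)` to create_https_connection but the diff does not show the import block, so confirm `os` is already imported in that module; otherwise the new check raises NameError rather than the intended RuntimeError. A chain file that exists but is unreadable (a user-supplied path with restrictive permissions is the realistic case here) still passes this check and fails later with the generic error the PR is trying to avoid; `os.access(cafile, os.R_OK)` next to the isfile test would cover it with the same path-bearing message, e.g. `raise RuntimeError("cafile %s does not exist or is not readable" % cafile)`. Minor: the message could also say which setting supplied the path (the API ca_certfile argument versus api.env.tls_ca_cert) so the user knows where to correct it.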
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org