On 21.1.2014 17:12, Simo Sorce wrote:
On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
+ request = None
+ try:
+ request = pkcs10.load_certificate_request(csr)
+ subject = pkcs10.get_subject(request)
+ subjectaltname = pkcs10.get_subjectaltname(request)
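Review bot: on the `pkcs10.get_subjectaltname(request)` line, nothing visible in the hunk says what the call yields for a CSR that carries no subjectAltName extension, and it sits in the same `try` as `pkcs10.load_certificate_request(csr)`. A short comment stating the no-SAN result would help. It is also worth confirming that the handler for this `try` (not shown here) does not report an absent extension the same way as an unparseable CSR.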
Will this make the request fail if there is no subjectaltname?
No.
Later in the patch you seem to be changing from needing managedby_host
to needing write access to an entry, I am not sure I understand why that
was changed. Not saying it is necessarily wrong, but why the original
check is not right anymore?
The original check is wrong, see
<https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
The check in my patch allows SAN only if the requesting host has write
access to all of the SAN services. I'm not entirely sure if this is
right, but even if it is not, I think we should still check for write
access to the SAN services, so that access control can be (partially)
handled by ACIs.
Simo.
--
Jan Cholasta