On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote: > On 21.1.2014 17:12, Simo Sorce wrote: > > On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote: > >> + request = None > >> + try: > >> + request = pkcs10.load_certificate_request(csr) > >> + subject = pkcs10.get_subject(request) > >> + subjectaltname = pkcs10.get_subjectaltname(request) > > > > Will this make the request fail if there is no subjectaltname ? > > No.
Good. > > Later in the patch you seem to be changing from needing managedby_host > > to needing write access to an entry, I am not sure I understand why that > > was changed. not saying it is necessarily wrong, but why the original > > check is not right anymore ? > > The original check is wrong, see > <https://fedorahosted.org/freeipa/ticket/3977#comment:23>. > > The check in my patch allows SAN only if the requesting host has write > access to all of the SAN services. I'm not entirely sure if this is > right, but even if it is not, I think we should still check for write > access to the SAN services, so that access control can be (partially) > handled by ACIs. Right, I remembered that comment, but it just says to check the right object's managed-by, here instead you changed it to check if you can write the usercertificate. I guess it is the same *if* there is an ACI that gives write permission when the host is in the managed-by attribute, is that the reasoning ? Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
