Patch 0035 fixes #5190 - Users unable to self-issue certificate with
SAN.

Patch 0034 adds more context to the virtual command ACIError denial
messages.

Thanks,
Fraser
From 9653b4bf835b36bc8e328405b2f19af0ebb3312e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Sun, 9 Aug 2015 01:54:41 -0400
Subject: [PATCH 34/35] Give more info on virtual command access denial

The current error message upon a virutal command access denial does
not give any information about the virtual operation that was
prohibited.  Add more information to the ACIError message.
---
 ipalib/plugins/virtual.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py
index 
414de4c0011b4ae49083d7820a3cb3708e3e16b1..3bbe32e538ab108d7abc71785e27664fea5ea248
 100644
--- a/ipalib/plugins/virtual.py
+++ b/ipalib/plugins/virtual.py
@@ -62,7 +62,7 @@ class VirtualCommand(Command):
         try:
             if not ldap.can_write(operationdn, "objectclass"):
                 raise errors.ACIError(
-                    info=_('not allowed to perform this command'))
+                    info=_('not allowed to perform operation: %s') % operation)
         except errors.NotFound:
             raise errors.ACIError(info=_('No such virtual command'))
 
-- 
2.4.3

From 40ecb936e0f5b1db1e9623d72a9c9dc53bc2c0dc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Sun, 9 Aug 2015 03:25:58 -0400
Subject: [PATCH 35/35] Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 
341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031
 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                 error=_("Failure decoding Certificate Signing Request: %s") % 
e)
 
         # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
             for ext in extensions:
                 operation = self._allowed_extensions.get(ext)
                 if operation:
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to