URL: https://github.com/freeipa/freeipa/pull/348
Author: jcholast
 Title: #348: ca: fix ca-find with --pkey-only
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/348/head:pr348
git checkout pr348
From fde228a0e0cffe754c7b420a3a1d87af46f7d995 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 16 Dec 2016 14:19:00 +0100
Subject: [PATCH] ca: fix ca-find with --pkey-only

Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.

Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.

 ipaserver/plugins/ca.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 2510a79..f02c144 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -162,7 +162,10 @@ class ca(LDAPObject):
 def set_certificate_attrs(entry, options, want_cert=True):
-    ca_id = entry['ipacaid'][0]
+    try:
+        ca_id = entry['ipacaid'][0]
+    except KeyError:
+        return
     full = options.get('all', False)
     want_chain = options.get('chain', False)
@@ -192,8 +195,9 @@ class ca_find(LDAPSearch):
     def execute(self, *keys, **options):
         result = super(ca_find, self).execute(*keys, **options)
-        for entry in result['result']:
-            set_certificate_attrs(entry, options, want_cert=False)
+        if not options.get('pkey_only', False):
+            for entry in result['result']:
+                set_certificate_attrs(entry, options, want_cert=False)
         return result
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to