URL: https://github.com/freeipa/freeipa/pull/415
Author: frasertweedale
 Title: #415: ca-del: require CA to already be disabled
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/415/head:pr415
git checkout pr415
From ebfbdbf2524e98aee5d14886f9345fa1d3f88c3f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 23 Jan 2017 11:37:37 +1000
Subject: [PATCH] ca-del: require CA to already be disabled

Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete.  A user with delete permission does not necessarily have
modify permission.

As we move toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation would fail if the user does not have modify
permission.  Although it introduces an additional step for
administrators, the process is consistent, required permissions are
clear, and errors are human-friendly.

Part of: https://fedorahosted.org/freeipa/ticket/5011
 ipaserver/plugins/ca.py                   | 7 ++++++-
 ipatests/test_xmlrpc/test_ca_plugin.py    | 4 ++++
 ipatests/test_xmlrpc/tracker/ca_plugin.py | 6 +++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..0d3d7d0 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -286,7 +286,12 @@ def pre_callback(self, ldap, dn, *keys, **options):
         ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0]
         with self.api.Backend.ra_lightweight_ca as ca_api:
-            ca_api.disable_ca(ca_id)
+            data = ca_api.read_ca(ca_id)
+            if data['enabled']:
+                raise errors.ProtectedEntryError(
+                    label=_("CA"),
+                    key=keys[0],
+                    reason=_("Must be disabled first"))
         return dn
diff --git a/ipatests/test_xmlrpc/test_ca_plugin.py b/ipatests/test_xmlrpc/test_ca_plugin.py
index 1e0e52f..ee826aa 100644
--- a/ipatests/test_xmlrpc/test_ca_plugin.py
+++ b/ipatests/test_xmlrpc/test_ca_plugin.py
@@ -87,6 +87,10 @@ def test_retrieve(self, crud_subca):
     def test_retrieve_all(self, crud_subca):
+    def test_delete_while_not_disabled(self, crud_subca):
+        with pytest.raises(errors.ProtectedEntryError):
+            crud_subca.make_command('ca_del', crud_subca.name)()
     def test_delete(self, crud_subca):
diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py
index e18b1c1..cb3fb70 100644
--- a/ipatests/test_xmlrpc/tracker/ca_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py
@@ -82,7 +82,11 @@ def track_create(self):
     def make_delete_command(self):
         """Make function that deletes the plugin entry object."""
-        return self.make_command('ca_del', self.name)
+        def disable_then_delete():
+            self.make_command('ca_disable', self.name)()
+            return self.make_command('ca_del', self.name)()
+        return disable_then_delete
     def check_delete(self, result):
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to