URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773
From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001 From: Felipe Volpone <felipevolp...@gmail.com> Date: Tue, 9 May 2017 17:06:55 -0300 Subject: [PATCH 1/2] warn in cert-request if CSR doesn't contain SAN --- ipaserver/plugins/cert.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 1a425de..aa960ab 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): + + has_dns_in_san_ext = False + if ext_san: + for gn in x509.process_othernames(ext_san.value): + if isinstance(gn, cryptography.x509.general_name.DNSName): + has_dns_in_san_ext = True + + if not ext_san or not has_dns_in_san_ext: + print('Warning: The SAN extension ' + 'should be provided. Please, check the RFC 2818.') + + if not _dns_name_matches_principal(cn, principal, principal_obj): raise errors.ValidationError( name='csr', From 9b60d7e904269743e0a4d19821139738db5e02e9 Mon Sep 17 00:00:00 2001 From: Felipe Volpone <felipevolp...@gmail.com> Date: Thu, 11 May 2017 19:53:56 -0300 Subject: [PATCH 2/2] Improving GUI text in "Add DNS Zone" popup. --- install/ui/src/freeipa/dns.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js index 1be8513..f2b110d 100644 --- a/install/ui/src/freeipa/dns.js +++ b/install/ui/src/freeipa/dns.js @@ -294,6 +294,11 @@ return { height: 300, sections: [ { + name: 'dnszone_title', + label: 'Select the required zone type.', + fields: [] + }, + { name: 'name', layout: IPA.dnszone_name_section_layout, fields: [ @@ -307,6 +312,7 @@ return { $type: 'dnszone_name', name: 'name_from_ip', radio_name: 'dnszone_name_type', + required: false, validators: ['network'] } ] 
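Review bot: The `print(...)` in the new `if not ext_san or not has_dns_in_san_ext:` branch presumably writes to the server process's output, so the client that ran cert-request never sees the warning, and as far as the hunk shows the request then proceeds unchanged. Because this runs inside `execute`, the warning should be returned with the command result through FreeIPA's message mechanism (`ipalib.messages`) instead of `print`. The text says the SAN extension "should be provided" even when the extension is present but carries no dNSName; something like `'CSR has no dNSName in subjectAltName; RFC 2818 deprecates matching on the subject CN'` covers both cases. The flag loop could also be written as `has_dns_in_san_ext = bool(ext_san) and any(isinstance(gn, cryptography.x509.DNSName) for gn in x509.process_othernames(ext_san.value))`. The body of `execute` starts and ends outside the hunk.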
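Review bot: The `label` of the new `dnszone_title` section in the hunk at -294 is a hard-coded English string, so it cannot be translated. FreeIPA's web UI normally resolves labels through `@i18n:` message keys; I would add a message for this text and reference it, e.g. `label: '@i18n:<new message key>'` (placeholder, the key has to be defined with the other UI strings). The section also has `fields: []`, so a short comment such as `// title-only section, no inputs` would explain why an empty section is intentional. The enclosing `return { ... }` spec starts and ends outside the hunk.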
@@ -750,9 +756,6 @@ IPA.add_dns_zone_name_policy = function() { idnsname_w.input.prop('disabled', false); name_from_ip_w.input.prop('disabled', true); - idnsname_f.set_required(true); - name_from_ip_f.set_required(false); - name_from_ip_f.reset(); }); @@ -760,9 +763,6 @@ IPA.add_dns_zone_name_policy = function() { idnsname_w.input.prop('disabled', true); name_from_ip_w.input.prop('disabled', false); - idnsname_f.set_required(false); - name_from_ip_f.set_required(true); - idnsname_f.reset(); }); };
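Review bot: With the `set_required(...)` calls removed from both radio handlers (this hunk and the one at -760), nothing visible in the patch makes the currently enabled field mandatory, and the earlier hunk declares `name_from_ip` as `required: false`. If `idnsname` remains required by default it would stay required while its input is disabled after switching to the IP-network option; if it does not, the dialog can apparently be submitted with the selected field empty. The commit subject only mentions GUI text, so please say which path now enforces a non-empty zone name, or keep the toggle, e.g. `idnsname_f.set_required(true); name_from_ip_f.set_required(false);` in the first handler and the inverse in the second. Both handlers and `IPA.add_dns_zone_name_policy` start outside the hunks.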