Re: [Freeipa-devel] [PATCH] 0034-0035 Allow SAN extension for cert-request self-service

2015-08-11 Thread Martin Babinsky

On 08/09/2015 09:38 AM, Fraser Tweedale wrote:

Patch 0035 fixes #5190 - Users unable to self-issue certificate with
SAN.

Patch 0034 adds more context to the virtual command ACIError denial
messages.

Thanks,
Fraser

ACK to both patches.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0034-0035 Allow SAN extension for cert-request self-service

2015-08-11 Thread Jan Cholasta

On 11.8.2015 11:56, Martin Babinsky wrote:

On 08/09/2015 09:38 AM, Fraser Tweedale wrote:

Patch 0035 fixes #5190 - Users unable to self-issue certificate with
SAN.

Patch 0034 adds more context to the virtual command ACIError denial
messages.

Thanks,
Fraser

ACK to both patches.

Pushed to:
master: aafc0e980be43c4956308a39d2ca45c7e50fa3ab
ipa-4-2: 0e44568695e22752c250ead17eeb08e7a1561466

--
Jan Cholasta



[Freeipa-devel] [PATCH] 0034-0035 Allow SAN extension for cert-request self-service

2015-08-09 Thread Fraser Tweedale
Patch 0035 fixes #5190 - Users unable to self-issue certificate with
SAN.

Patch 0034 adds more context to the virtual command ACIError denial
messages.

Thanks,
Fraser
From 9653b4bf835b36bc8e328405b2f19af0ebb3312e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale ftwee...@redhat.com
Date: Sun, 9 Aug 2015 01:54:41 -0400
Subject: [PATCH 34/35] Give more info on virtual command access denial

The current error message upon a virtual command access denial does
not give any information about the virtual operation that was
prohibited.  Add more information to the ACIError message.
---
 ipalib/plugins/virtual.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py
index 
414de4c0011b4ae49083d7820a3cb3708e3e16b1..3bbe32e538ab108d7abc71785e27664fea5ea248
 100644
--- a/ipalib/plugins/virtual.py
+++ b/ipalib/plugins/virtual.py
@@ -62,7 +62,7 @@ class VirtualCommand(Command):
 try:
 if not ldap.can_write(operationdn, objectclass):
 raise errors.ACIError(
-info=_('not allowed to perform this command'))
+info=_('not allowed to perform operation: %s') % operation)
 except errors.NotFound:
 raise errors.ACIError(info=_('No such virtual command'))
 
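Review bot: the `NotFound` branch two lines below this change still raises the generic `'No such virtual command'` without naming the operation, so the two denial paths are now inconsistent in how much context they give; consider applying the same `%s` treatment there. For the changed line, quoting the interpolated value (e.g. `_("not allowed to perform operation: '%s'") % operation`) makes the boundaries of the operation name visible in log output, and the interpolation assumes `operation` is always a plain string at the point of the raise.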
-- 
2.4.3

From 40ecb936e0f5b1db1e9623d72a9c9dc53bc2c0dc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale ftwee...@redhat.com
Date: Sun, 9 Aug 2015 03:25:58 -0400
Subject: [PATCH 35/35] Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request request certificate with subjectaltname permission
check when the bind principal is the target principal (i.e.
cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 
341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031
 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
 error=_(Failure decoding Certificate Signing Request: %s) % 
e)
 
 # host principals may bypass allowed ext check
-if bind_principal_type != HOST:
+if bind_principal != principal and bind_principal_type != HOST:
 for ext in extensions:
 operation = self._allowed_extensions.get(ext)
 if operation:
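Review bot: the new condition skips the entire `for ext in extensions` loop when `bind_principal == principal`, so self-service now bypasses the allowed-extension permission check for every extension this code gates, not only subjectAltName as the commit message describes. If the intent is to relax only the SAN permission, narrow the exemption inside the loop to that one operation rather than short-circuiting the whole check, or update the commit message to state that self-service bypasses all extension permission checks. Note also that `bind_principal != principal` is an exact string comparison; confirm both values are in the same canonical form, and that validation of the SAN names themselves against the target principal still happens after this block (not visible in this hunk).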
-- 
2.4.3
