Bump for review.
On Wed, Sep 07, 2016 at 04:06:25PM +0700, Fraser Tweedale wrote:
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/6305
>
> Thanks,
> Fraser
> From d4d7e77795f96a4970058e61d99c70522689b22d Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale
> Date: Wed, 7 Sep 2016 19:00:18 +1000
> Subject: [PATCH] Fix cert revocation when removing all certs via
> host/service-mod
>
> When removing all host/service certificates via host/service-mod
> --certificate=, the removed certificates should be revoked, but they
> are not. Examine whether the --certificate option was provided to
> determine whether certs should be revoked, instead of looking for a
> cert list in the options (which in this case is empty).
>
> Fixes: https://fedorahosted.org/freeipa/ticket/6305
> ---
> ipaserver/plugins/host.py| 3 ++-
> ipaserver/plugins/service.py | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
> index
> 2362b6247af87b4ce63c21083e6bc8ac39db0804..7f63e94849b4a6f2ce871ec77b188c54d640ba94
> 100644
> --- a/ipaserver/plugins/host.py
> +++ b/ipaserver/plugins/host.py
> @@ -898,7 +898,8 @@ class host_mod(LDAPUpdate):
> certs_der = [x509.normalize_certificate(c) for c in certs]
>
> # revoke removed certificates
> -if certs and self.api.Command.ca_is_enabled()['result']:
> +ca_is_enabled = self.api.Command.ca_is_enabled()['result']
> +if 'usercertificate' in options and ca_is_enabled:
> try:
> entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
> except errors.NotFound:
> diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
> index
> 093525f2e7cb84b18f0658dcb5d7c786e45c6ab6..c0590732470ac1200d4dd4ea1f089e4384a509b3
> 100644
> --- a/ipaserver/plugins/service.py
> +++ b/ipaserver/plugins/service.py
> @@ -701,7 +701,8 @@ class service_mod(LDAPUpdate):
> certs = entry_attrs.get('usercertificate') or []
> certs_der = [x509.normalize_certificate(c) for c in certs]
> # revoke removed certificates
> -if certs and self.api.Command.ca_is_enabled()['result']:
> +ca_is_enabled = self.api.Command.ca_is_enabled()['result']
> +if 'usercertificate' in options and ca_is_enabled:
> try:
> entry_attrs_old = ldap.get_entry(dn, ['usercertificate'])
> except errors.NotFound:
> --
> 2.5.5
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code