Re: [Freeipa-devel] [PATCH] 271 handle certificate decode errors in service

2009-09-15 Thread Pavel Zuna

Rob Crittenden wrote:
> In the service plugin we will attempt to revoke a server cert when a
> service is deleted. Add some error handling around that effort.
>
> This fixes the self-tests.
>
> rob

nack.

Your 269 external CA signing, abstract RA already handles them inside 
get_serial(). However, there is a difference. This patch allows the entry to be 
deleted even if it fails to revoke the certificate. If that is the main 
purpose, we still need to rewrite it to apply against your 269 patch (in which 
case I will probably have to do some small fixes to my service patch, but don't 
worry about that).


Pavel

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 271 handle certificate decode errors in service

2009-09-15 Thread Rob Crittenden

Pavel Zuna wrote:
> Rob Crittenden wrote:
>> In the service plugin we will attempt to revoke a server cert when a
>> service is deleted. Add some error handling around that effort.
>>
>> This fixes the self-tests.
>>
>> rob
>
> nack.
>
> Your 269 external CA signing, abstract RA already handles them inside
> get_serial(). However, there is a difference. This patch allows the
> entry to be deleted even if it fails to revoke the certificate. If
> that is the main purpose, we still need to rewrite it to apply against
> your 269 patch (in which case I will probably have to do some small
> fixes to my service patch, but don't worry about that).


Ok, good catch and good point.

Upon further reflection, I'm not sure what we should do if we can't 
decode a certificate, may need to ask Andrew.


Remember that this deletion can take place in the context of deleting a 
host. I'm not sure if the whole process should be stopped or not.


I think we should probably catch different levels of errors. If we 
simply can't decode the cert then perhaps, as in the case of my bogus 
test case, we stick junk in there. If we can't decode the cert then 
there is no chance of revoking it.


We also need a separate catch around the revocation so we can catch 
errors there, such as you are not allowed to perform this operation.
This could easily happen if someone that can create/delete hosts and 
services but not manage certificates removes a host. Seems like this 
opens a pretty big bag of worms.


rob
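
The two error levels described in the message above (a certificate that cannot be decoded, and a revocation that is refused), sketched as an added example that is not part of the thread or of FreeIPA's code. `get_serial()` here is a stand-in DER reader; `delete_service`, `CertDecodeError`, `NotAuthorized` and the outcome strings are hypothetical, and keeping the entry when revocation is refused is an assumed policy that the thread leaves open.

```python
class CertDecodeError(Exception):
    """The stored bytes are not a parseable certificate."""

class NotAuthorized(Exception):
    """The caller may delete entries but not manage certificates."""

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    try:
        tag, length = buf[pos], buf[pos + 1]
    except IndexError:
        raise CertDecodeError("truncated DER header")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise CertDecodeError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def get_serial(der):
    """Stand-in decoder: return the serialNumber of a DER certificate."""
    tag, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise CertDecodeError("not a SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise CertDecodeError("no tbsCertificate")
    tag, val, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] EXPLICIT version
        tag, val, nxt = _tlv(tbs, nxt)
    if tag != 0x02 or not val:
        raise CertDecodeError("no serialNumber INTEGER")
    return int.from_bytes(val, "big")

def delete_service(cert_der, revoke):
    """Return an outcome string; revoke(serial) is supplied by the caller."""
    if cert_der is None:
        return "deleted"
    try:                                 # level 1: can the cert be decoded?
        serial = get_serial(cert_der)
    except CertDecodeError:
        return "deleted-cert-undecodable"  # nothing identifiable to revoke
    try:                                 # level 2: is revocation allowed?
        revoke(serial)
    except NotAuthorized:
        return "kept-revocation-denied"  # assumed policy, open in the thread
    return "deleted-cert-revoked"

# Constructed sample: truncated certificate skeleton with serial 271.
SAMPLE_DER = bytes.fromhex("300b3009a003020102" "0202010f")
```

Each outcome is distinct so that a caller deleting a host can decide per service whether to continue.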

