|
 |
3f51ca |
From 7d28e12612ec08e80cf1351ea523bf4a9adfc255 Mon Sep 17 00:00:00 2001
|
|
|
3f51ca |
From: Felipe Volpone <felipevolpone@gmail.com>
|
|
|
3f51ca |
Date: Thu, 11 May 2017 10:20:02 -0300
|
|
|
3f51ca |
Subject: [PATCH] Fixing the cert-request comparing whole email address
|
|
|
3f51ca |
case-sensitively.
|
|
|
3f51ca |
|
|
|
3f51ca |
Now, the cert-request command compares the domain part of the
|
|
|
3f51ca |
email case-insensitively.
|
|
|
3f51ca |
|
|
|
3f51ca |
https://pagure.io/freeipa/issue/5919
|
|
|
3f51ca |
|
|
|
3f51ca |
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
3f51ca |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
3f51ca |
---
|
|
|
3f51ca |
ipaserver/plugins/cert.py | 27 ++++++++++++++++++++++++---
|
|
|
3f51ca |
ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++++++++++++++++++++++
|
|
|
3f51ca |
2 files changed, 47 insertions(+), 3 deletions(-)
|
|
|
3f51ca |
|
|
|
3f51ca |
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
|
|
3f51ca |
index c1d389217265f44e646ac27d9adc8d5524c74ce7..501fc9015468c864215cfb604de37cdf6d805e52 100644
|
|
|
3f51ca |
--- a/ipaserver/plugins/cert.py
|
|
|
3f51ca |
+++ b/ipaserver/plugins/cert.py
|
|
|
3f51ca |
@@ -710,7 +710,9 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|
|
3f51ca |
# fail if any email addr from DN does not appear in ldap entry
|
|
|
3f51ca |
email_addrs = csr_obj.subject.get_attributes_for_oid(
|
|
|
3f51ca |
cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
|
|
|
3f51ca |
- if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
|
|
|
3f51ca |
+ csr_emails = [attr.value for attr in email_addrs]
|
|
|
3f51ca |
+ if not _emails_are_valid(csr_emails,
|
|
|
3f51ca |
+ principal_obj.get('mail', [])):
|
|
|
3f51ca |
raise errors.ValidationError(
|
|
|
3f51ca |
name='csr',
|
|
|
3f51ca |
error=_(
|
|
|
3f51ca |
@@ -796,8 +798,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|
|
3f51ca |
"match requested principal") % gn.name)
|
|
|
3f51ca |
elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
|
|
|
3f51ca |
if principal_type == USER:
|
|
|
3f51ca |
- if principal_obj and gn.value not in principal_obj.get(
|
|
|
3f51ca |
- 'mail', []):
|
|
|
3f51ca |
+ if not _emails_are_valid([gn.value],
|
|
|
3f51ca |
+ principal_obj.get('mail', [])):
|
|
|
3f51ca |
raise errors.ValidationError(
|
|
|
3f51ca |
name='csr',
|
|
|
3f51ca |
error=_(
|
|
|
3f51ca |
@@ -865,6 +867,25 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|
|
3f51ca |
)
|
|
|
3f51ca |
|
|
|
3f51ca |
|
|
|
3f51ca |
+def _emails_are_valid(csr_emails, principal_emails):
|
|
|
3f51ca |
+ """
|
|
|
3f51ca |
+ Checks if any email address from certificate request does not
|
|
|
3f51ca |
+ appear in ldap entry, comparing the domain part case-insensitively.
|
|
|
3f51ca |
+ """
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ def lower_domain(email):
|
|
|
3f51ca |
+ email_splitted = email.split('@', 1)
|
|
|
3f51ca |
+ if len(email_splitted) > 1:
|
|
|
3f51ca |
+ email_splitted[1] = email_splitted[1].lower()
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ return '@'.join(email_splitted)
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ principal_emails_lower = set(map(lower_domain, principal_emails))
|
|
|
3f51ca |
+ csr_emails_lower = set(map(lower_domain, csr_emails))
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ return csr_emails_lower.issubset(principal_emails_lower)
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+
|
|
|
3f51ca |
def principal_to_principal_type(principal):
|
|
|
3f51ca |
if principal.is_user:
|
|
|
3f51ca |
return USER
|
|
|
3f51ca |
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
|
|
|
3f51ca |
index 0b8277b8a6d67777db2eb328116ed0a761914663..dc9e8cba7b40e7b655ea7c0e3bed7706ac78ed1a 100644
|
|
|
3f51ca |
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
|
|
|
3f51ca |
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
|
|
|
3f51ca |
@@ -253,6 +253,29 @@ class test_cert(BaseCert):
|
|
|
3f51ca |
res = api.Command['service_find'](self.service_princ)
|
|
|
3f51ca |
assert res['count'] == 0
|
|
|
3f51ca |
|
|
|
3f51ca |
+ def test_00011_emails_are_valid(self):
|
|
|
3f51ca |
+ """
|
|
|
3f51ca |
+ Verify the different scenarios when checking if any email addr
|
|
|
3f51ca |
+ from DN or SAN extension does not appear in ldap entry.
|
|
|
3f51ca |
+ """
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ from ipaserver.plugins.cert import _emails_are_valid
|
|
|
3f51ca |
+ email_addrs = [u'any@EmAiL.CoM']
|
|
|
3f51ca |
+ result = _emails_are_valid(email_addrs, [u'any@email.com'])
|
|
|
3f51ca |
+ assert True == result, result
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ email_addrs = [u'any@EmAiL.CoM']
|
|
|
3f51ca |
+ result = _emails_are_valid(email_addrs, [u'any@email.com',
|
|
|
3f51ca |
+ u'another@email.com'])
|
|
|
3f51ca |
+ assert True == result, result
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ result = _emails_are_valid([], [u'any@email.com'])
|
|
|
3f51ca |
+ assert True == result, result
|
|
|
3f51ca |
+
|
|
|
3f51ca |
+ email_addrs = [u'invalidEmailAddress']
|
|
|
3f51ca |
+ result = _emails_are_valid(email_addrs, [])
|
|
|
3f51ca |
+ assert False == result, result
|
|
|
3f51ca |
+
|
|
|
3f51ca |
|
|
|
3f51ca |
@pytest.mark.tier1
|
|
|
3f51ca |
class test_cert_find(XMLRPC_test):
|
|
|
3f51ca |
--
|
|
|
3f51ca |
2.13.6
|
|
|
3f51ca |
|