rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0030-Fixing-the-cert-request-comparing-whole-email-addres.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   c586294a7bcaaf5b93ec2a92584bf3b09dccef74
  2.   SOURCES
  3.   0030-Fixing-the-cert-request-comparing-whole-email-addres.patch
Blob History Raw
c58629 
From 7d28e12612ec08e80cf1351ea523bf4a9adfc255 Mon Sep 17 00:00:00 2001
c58629 
From: Felipe Volpone <felipevolpone@gmail.com>
c58629 
Date: Thu, 11 May 2017 10:20:02 -0300
c58629 
Subject: [PATCH] Fixing the cert-request comparing whole email address
c58629 
 case-sensitively.
c58629
c58629 
Now, the cert-request command compares the domain part of the
c58629 
email case-insensitively.
c58629
c58629 
https://pagure.io/freeipa/issue/5919
c58629
c58629 
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
c58629 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
c58629 
---
c58629 
 ipaserver/plugins/cert.py                | 27 ++++++++++++++++++++++++---
c58629 
 ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++++++++++++++++++++++
c58629 
 2 files changed, 47 insertions(+), 3 deletions(-)
c58629
c58629 
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
c58629 
index c1d389217265f44e646ac27d9adc8d5524c74ce7..501fc9015468c864215cfb604de37cdf6d805e52 100644
c58629 
--- a/ipaserver/plugins/cert.py
c58629 
+++ b/ipaserver/plugins/cert.py
c58629 
@@ -710,7 +710,9 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
c58629 
             # fail if any email addr from DN does not appear in ldap entry
c58629 
             email_addrs = csr_obj.subject.get_attributes_for_oid(
c58629 
                     cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
c58629 
-            if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
c58629 
+            csr_emails = [attr.value for attr in email_addrs]
c58629 
+            if not _emails_are_valid(csr_emails,
c58629 
+                                     principal_obj.get('mail', [])):
c58629 
                 raise errors.ValidationError(
c58629 
                     name='csr',
c58629 
                     error=_(
c58629 
@@ -796,8 +798,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
c58629 
                             "match requested principal") % gn.name)
c58629 
             elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
c58629 
                 if principal_type == USER:
c58629 
-                    if principal_obj and gn.value not in principal_obj.get(
c58629 
-                            'mail', []):
c58629 
+                    if not _emails_are_valid([gn.value],
c58629 
+                                             principal_obj.get('mail', [])):
c58629 
                         raise errors.ValidationError(
c58629 
                             name='csr',
c58629 
                             error=_(
c58629 
@@ -865,6 +867,25 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
c58629 
         )
c58629
c58629
c58629 
+def _emails_are_valid(csr_emails, principal_emails):
c58629 
+    """
c58629 
+    Checks if any email address from certificate request does not
c58629 
+    appear in ldap entry, comparing the domain part case-insensitively.
c58629 
+    """
c58629 
+
c58629 
+    def lower_domain(email):
c58629 
+        email_splitted = email.split('@', 1)
c58629 
+        if len(email_splitted) > 1:
c58629 
+            email_splitted[1] = email_splitted[1].lower()
c58629 
+
c58629 
+        return '@'.join(email_splitted)
c58629 
+
c58629 
+    principal_emails_lower = set(map(lower_domain, principal_emails))
c58629 
+    csr_emails_lower = set(map(lower_domain, csr_emails))
c58629 
+
c58629 
+    return csr_emails_lower.issubset(principal_emails_lower)
c58629 
+
c58629 
+
c58629 
 def principal_to_principal_type(principal):
c58629 
     if principal.is_user:
c58629 
         return USER
c58629 
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
c58629 
index 0b8277b8a6d67777db2eb328116ed0a761914663..dc9e8cba7b40e7b655ea7c0e3bed7706ac78ed1a 100644
c58629 
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
c58629 
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
c58629 
@@ -253,6 +253,29 @@ class test_cert(BaseCert):
c58629 
         res = api.Command['service_find'](self.service_princ)
c58629 
         assert res['count'] == 0
c58629
c58629 
+    def test_00011_emails_are_valid(self):
c58629 
+        """
c58629 
+        Verify the different scenarios when checking if any email addr
c58629 
+        from DN or SAN extension does not appear in ldap entry.
c58629 
+        """
c58629 
+
c58629 
+        from ipaserver.plugins.cert import _emails_are_valid
c58629 
+        email_addrs = [u'any@EmAiL.CoM']
c58629 
+        result = _emails_are_valid(email_addrs, [u'any@email.com'])
c58629 
+        assert True == result, result
c58629 
+
c58629 
+        email_addrs = [u'any@EmAiL.CoM']
c58629 
+        result = _emails_are_valid(email_addrs, [u'any@email.com',
c58629 
+                                                 u'another@email.com'])
c58629 
+        assert True == result, result
c58629 
+
c58629 
+        result = _emails_are_valid([], [u'any@email.com'])
c58629 
+        assert True == result, result
c58629 
+
c58629 
+        email_addrs = [u'invalidEmailAddress']
c58629 
+        result = _emails_are_valid(email_addrs, [])
c58629 
+        assert False == result, result
c58629 
+
c58629
c58629 
 @pytest.mark.tier1
c58629 
 class test_cert_find(XMLRPC_test):
c58629 
--
c58629 
2.13.6
c58629

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation