From a7532af44e518994b8124b09e32fb3f494150ba6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Sun, 9 Aug 2015 03:25:58 -0400
Subject: [PATCH] Allow SAN extension for cert-request self-service
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).
Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
         # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
             for ext in extensions:
                 operation = self._allowed_extensions.get(ext)
                 if operation:
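Review bot: The widened guard on the changed line skips the entire allowed-extension loop for self-service requests, not only the subjectAltName permission that the commit description says it suppresses; if the loop's non-`operation` branch below the hunk rejects extensions missing from `_allowed_extensions`, a self-service request now bypasses that rejection too, so every extension type becomes acceptable rather than just SAN. Keeping the outer condition as `bind_principal_type != HOST` and applying the `bind_principal != principal` exemption inside the loop, only where the subjectAltName operation is resolved, would limit the relaxation to what the ticket asks for. The comment immediately above the guard is also stale now and should read `# host principals and self-service requests bypass the allowed ext check`. Note that the self-service test is plain string equality on the two principal names, so a principal supplied in a different but equivalent spelling falls through to the permission check (fails closed); worth a comment if that is intended. The enclosing method starts and ends outside this hunk.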
-- 
2.4.3