From a7532af44e518994b8124b09e32fb3f494150ba6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Sun, 9 Aug 2015 03:25:58 -0400
Subject: [PATCH] Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
         # host principals may bypass allowed ext check
-        if bind_principal_type != HOST:
+        if bind_principal != principal and bind_principal_type != HOST:
             for ext in extensions:
                 operation = self._allowed_extensions.get(ext)
                 if operation:
-- 
2.4.3