freeipa

Clone
Source Code
GIT

bdbb1c3 Remove "Request Certificate with SubjectAltName" permission

3 files Authored by ftweedal 7 years ago, Committed by mbabinsk 7 years ago,
raw patch tree parent
3 files changed. 1 lines added. 22 lines removed.
install/updates/40-delegation.update
file modified
+0 -15
ipaserver/plugins/cert.py
file modified
+0 -6
ipatests/test_xmlrpc/test_permission_plugin.py
file modified
+1 -1 
    Remove "Request Certificate with SubjectAltName" permission
    
    subjectAltName is required or relevant in most certificate use cases
    (esp. TLS, where carrying DNS name in Subject DN CN attribute is
    deprecated).  Therefore it does not really make sense to have a
    special permission for this, over and above "request certificate"
    permission.
    
    Furthermore, we already do rigorously validate SAN contents again
    the subject principal, and the permission is waived for self-service
    requests or if the operator is a host principal.
    
    So remove the permission, the associated virtual operation, and the
    associated code in cert_request.
    
    Fixes: https://fedorahosted.org/freeipa/ticket/6526
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
file modified
+0 -15
file modified
+0 -6
file modified
+1 -1
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.