From 2b2f10c2eb7f3b796c68771bc8cbf5dbaa646481 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Apr 26 2023 18:21:33 +0000
Subject: Enforce sizelimit in cert-find

The sizelimit option was not being passed into the dogtag ra_find() command so it always returned all available certificates. A value of 0 will retain old behavior and return all certificates. The default value is the LDAP searchsizelimit.
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Antonio Torres
---
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1ab8859..36a0e8c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1658,6 +1658,13 @@ class cert_find(Search, CertMethod):
 ra_options[name] = value
 if exactly:
 ra_options['exactly'] = True
+ if 'sizelimit' in options:
+ # sizelimit = 0 means return everything, drop it and let
+ # ra_find() handle the value.
+ if options['sizelimit'] > 0:
+ ra_options['sizelimit'] = options['sizelimit']
+ else:
+ ra_options['sizelimit'] = self.api.Backend.ldap2.size_limit
 result = collections.OrderedDict()
 complete = bool(ra_options)
@@ -1837,6 +1844,7 @@ class cert_find(Search, CertMethod):
 timelimit = self.api.Backend.ldap2.time_limit
 if sizelimit is None:
 sizelimit = self.api.Backend.ldap2.size_limit
+ options['sizelimit'] = sizelimit
 result = collections.OrderedDict()
 truncated = False
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e3fa62a..e9189f5 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
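Review bot: The comment on the new `else` branch says a sizelimit of 0 is dropped so that ra_find() handles it, but the code instead substitutes `self.api.Backend.ldap2.size_limit`, and the commit message says 0 returns all certificates; the three disagree, and this is the value that bounds how much the CA is asked to return. If `ldap2.size_limit` can itself be 0 (the usual LDAP "no limit" value), that 0 is forwarded and ends up as `size=0` in the CA URL, which nothing in this diff shows the CA treating as unlimited, so that case is worth confirming. Either leave the 0 out of `ra_options` as the comment describes and let ra_find() apply its own default, or rewrite the comment to match the code: `# sizelimit 0 (return everything) is replaced by the LDAP search size limit so the CA query is bounded as well`. The enclosing method starts before the hunk.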
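Review bot: `sizelimit` is now written into `options` so the CA search can pick it up, but `timelimit`, resolved in the same way two lines above, is not forwarded, and the only bound ra_find() receives in this series is the `size` query parameter; the next reader will look for the matching time bound. A comment on the new line records that asymmetry where it is decided: `# forwarded through **options to the CA search; that query is bounded by size only, timelimit applies to the LDAP search`. Because None has already been replaced by `ldap2.size_limit` here, the `> 0` test on the CA side can only ever trigger for an explicit 0 from the caller, which is worth stating in the `sizelimit` parameter help. The execute signature and the rest of its body are outside the hunk.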
@@ -1821,11 +1821,12 @@ class ra(rabase.rabase, RestClient):
 xml_declaration=True, encoding='UTF-8')
 logger.debug('%s.find(): request: %s', type(self).__name__, payload)
+ url = '/ca/rest/certs/search?size=%d' % (
+ options.get('sizelimit', 0x7fffffff))
 # pylint: disable=unused-variable
 status, _, data = dogtag.https_request(
 self.ca_host, 443,
- url='/ca/rest/certs/search?size=%d' % (
- options.get('sizelimit', 0x7fffffff)),
+ url=url,
 client_certfile=None,
 client_keyfile=None,
 cafile=self.ca_cert,
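Review bot: The new `url` line sends whatever integer arrives in `options['sizelimit']` to the CA, including 0 or a negative value, while the `0x7fffffff` fallback only applies when the key is absent; with cert.py now always supplying the key, `size=0` can reach the CA whenever the substituted LDAP size limit is 0, and this diff does not show how the CA interprets that. Treating a non-positive value as the unlimited default keeps the "0 means everything" rule from the commit message in one place: `size = options.get('sizelimit', 0x7fffffff)` followed by `url = '/ca/rest/certs/search?size=%d' % (size if size > 0 else 0x7fffffff)`. It would also help to add the effective size to the `logger.debug` call above so a truncated result can be traced to the bound that was applied. ra.find() begins before the hunk.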