#6531 Refactor the execution flow of `cert-request` command
Closed: fixed 6 years ago Opened 7 years ago by mbabinsk.

The execute method of ipa cert-request is a complex piece of code which interleaves CSR parsing (getting extensions), checking and validating accepting principals, and ACL rule evaluation. This makes the execution flow hard to follow and its modifications fragile and error-prone, as was witnessed during 4.4/4.5 development.

The code should be refactored to achieve logical separation between the three problem domains. Moreover, the lookup and validation of acceptor principals should also be simplified; for example, we could search directly for krbprincipalname/krbcanonicalname to fetch the raw LDAP entry, and then determine the entity types required for, e.g., SAN evaluation either by principal name structure (using properties of the ipapython.kerberos.Principal class) or by the objectclasses associated with the retrieved entry.


Ideally should be done in 4.6.

See also proposed principal lookup heuristic from this GitHub comment:
https://github.com/freeipa/freeipa/pull/227#issuecomment-260324953

Replying to [comment:4 ftweedal]:

See also proposed principal lookup heuristic from this GitHub comment:
https://github.com/freeipa/freeipa/pull/227#issuecomment-260324953

Just to add some additional info: once we retrieve the entry from LDAP by its principal name, we no longer have to parse the principal to determine its type; we can just check the entry's objectclasses to infer the principal type for free.

As a bonus of this refactoring, implementing alias support in '--principal' option becomes almost trivial.
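The lookup heuristic sketched in the comments above, as an added stand-alone illustration that is not FreeIPA's code: the requested principal is matched against krbprincipalname (which may hold aliases) or krbcanonicalname, the entity type is then read off the entry's objectclasses rather than re-parsed from the principal, and the name-structure classification is kept only as a fallback for when no entry is available. The in-memory directory is constructed sample data, and the mapping of posixaccount/ipahost/ipaservice to user/host/service is an assumption made for this example, not taken from the project.

```python
# Added example, not FreeIPA code: classify a Kerberos principal by the LDAP
# entry it resolves to, instead of parsing the principal string first.
from dataclasses import dataclass, field

USER, HOST, SERVICE = "user", "host", "service"

# Assumed objectclass -> entity type mapping for this example.
TYPE_BY_OBJECTCLASS = {
    "posixaccount": USER,
    "ipahost": HOST,
    "ipaservice": SERVICE,
}


@dataclass
class Entry:
    """Minimal stand-in for an LDAP entry: DN plus attribute -> list of values."""
    dn: str
    attrs: dict = field(default_factory=dict)

    def values(self, name):
        return list(self.attrs.get(name, []))

    def objectclasses(self):
        # objectclass matching is case-insensitive in LDAP, so normalise here.
        return {oc.lower() for oc in self.values("objectclass")}


# Constructed sample directory (not real data). The service entry carries an
# alias in krbprincipalname in addition to its canonical name.
DIRECTORY = [
    Entry("uid=alice,cn=users,cn=accounts,dc=example,dc=test", {
        "objectclass": ["top", "person", "posixAccount", "krbPrincipalAux"],
        "krbprincipalname": ["alice@EXAMPLE.TEST"],
        "krbcanonicalname": ["alice@EXAMPLE.TEST"],
    }),
    Entry("fqdn=web.example.test,cn=computers,cn=accounts,dc=example,dc=test", {
        "objectclass": ["top", "ipaHost", "krbPrincipalAux"],
        "krbprincipalname": ["host/web.example.test@EXAMPLE.TEST"],
        "krbcanonicalname": ["host/web.example.test@EXAMPLE.TEST"],
    }),
    Entry("krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,"
          "cn=accounts,dc=example,dc=test", {
        "objectclass": ["top", "ipaService", "krbPrincipalAux"],
        "krbprincipalname": ["HTTP/web.example.test@EXAMPLE.TEST",
                             "HTTP/www.example.test@EXAMPLE.TEST"],
        "krbcanonicalname": ["HTTP/web.example.test@EXAMPLE.TEST"],
    }),
]


def find_principal_entry(directory, principal):
    """Equivalent of the filter (|(krbprincipalname=P)(krbcanonicalname=P)).

    Returns None when nothing matches; refuses to guess if several entries do.
    """
    matches = [e for e in directory
               if principal in e.values("krbprincipalname")
               or principal in e.values("krbcanonicalname")]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("principal %r is not unique" % principal)
    return matches[0]


def principal_type_from_entry(entry):
    """Infer user/host/service from objectclasses; exactly one must apply."""
    types = {TYPE_BY_OBJECTCLASS[oc] for oc in entry.objectclasses()
             if oc in TYPE_BY_OBJECTCLASS}
    if len(types) != 1:
        raise ValueError("cannot determine entity type of %s" % entry.dn)
    return types.pop()


def principal_type_from_name(principal):
    """Fallback classification from principal structure alone (no LDAP)."""
    components = principal.split("@", 1)[0].split("/")
    if len(components) == 1:
        return USER
    if len(components) == 2 and components[0] == "host":
        return HOST
    return SERVICE


def classify(directory, principal):
    """Resolve a principal (canonical name or alias) to (canonical, type)."""
    entry = find_principal_entry(directory, principal)
    if entry is None:
        return None, None
    canonical = entry.values("krbcanonicalname")[0]
    return canonical, principal_type_from_entry(entry)


if __name__ == "__main__":
    for p in ["alice@EXAMPLE.TEST", "HTTP/www.example.test@EXAMPLE.TEST"]:
        print(p, "->", classify(DIRECTORY, p))
```

Because the alias is matched in the same search as the canonical name, an alias passed as `--principal` resolves to the right entry and its canonical name without any extra code path, which is the "almost trivial" alias support mentioned above.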

Metadata Update from @mbabinsk:
- Issue assigned to ftweedal
- Issue set to the milestone: Future Releases

7 years ago

Metadata Update from @ftweedal:
- Issue close_status updated to: None

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6 (was: Future Releases)

6 years ago

master:

  • d84510abe82795cb45c84c46b81a1121bdda7d33 cert-request: simplify request processing

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Please ignore the commits above, I accidentally pushed the code into a mirror repo instead of upstream. Sorry about that.

Metadata Update from @tkrizek:
- Issue status updated to: Open (was: Closed)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.1 (was: FreeIPA 4.6)

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.6.2 (was: FreeIPA 4.6.1)

6 years ago

Metadata Update from @tdudlak:
- Issue set to the milestone: FreeIPA 4.6.3 (was: FreeIPA 4.6.2)

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

6 years ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

This was merged ages ago: 227cf8d.
It's in master and ipa-4-6 branches.

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed

6 years ago
