[Freeipa-devel] [PATCH] 0006 Raise ACI error when CSR has no subject hostname

Rob Crittenden rcritten at redhat.com
Tue Dec 11 13:12:52 UTC 2012


Martin Kosek wrote:
> On 12/10/2012 05:32 PM, Lynn Root wrote:
>> On 12/10/2012 05:01 PM, Martin Kosek wrote:
>>> On 12/10/2012 03:53 PM, Lynn Root wrote:
>>>> Raise ACI error when CSR does not have a subject hostname.
>>>>
>>>> Ticket:https://fedorahosted.org/freeipa/ticket/3123
>>>>
>>> Why an ACIError? I know there are are a lot of ACIErrors thrown in cert-request
>>> command processing, but they are all related to authorization of the request.
>>> In this case, this is rather a missing required field of the CSR, so
>>> ValidationError may be a better choice.
>>>
>>> Martin
>>>
>> I elected ACIError simply because the immediately following ACIError raises the
>> issue that hostname of principal doesn't match the subject hostname of the CSR
>> - seemed a similar case of "doesn't match" with "doesn't exists." But right -
>> it's not related to Auth.
>>
>> Would ValidationError be appropriate, or would RequirementError or NotFound be
>> more so?
>>
>
> The following raises ACIError because of failed authorization check, I think
> its ok.
>
> RequirementError is only thrown when a command option that is required is not
> passed by the user. I am not fond of expanding its use to the validation of
> user content, like CSR file.
>
> NotFound error is used when an _entry_ is not found - so not an ideal candidate
> either for this case.
>
> IMHO, ValidationError is fine for this situation - but maybe somebody else may
> have other opinion...

I think I raised an ACIError when the hostname doesn't match the 
principal because that could be more than an oops and more of an attempt 
to get a cert for a hostname you shouldn't.

I agree that ValidationError is the way to go.

rob




More information about the Freeipa-devel mailing list