internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-07 13:53:23 +00:00
Code Issues Projects Releases Wiki Activity

ipacert: Revoking with removeFromCRL should be handled as cert release

Browse Source 
When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.

This is, at least, the behavior with IPA CLI comands, which is
implemented by this patch.

A new test is added to verify this behavior:

    tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
This commit is contained in:
Rafael Guterres Jeffman
2024-12-05 15:33:30 -03:00
parent 8fc2de1673
commit bc16ccaef7
2 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
plugins/modules/ipacert.py
View File

@@ -487,6 +487,8 @@ def main():
# revoked
reason = ansible_module.params_get("revocation_reason")
if reason is not None:
reason = get_revocation_reason(ansible_module, reason)
# general
serial_number = ansible_module.params.get("serial_number")
@@ -521,6 +523,9 @@ def main():
invalid.append("revocation_reason")
if state == "revoked":
invalid.extend(["certificate_out", "chain"])
# Reason 8 (revomeFromCRL) is the same as release hold
if reason == 8:
state = "released"
elif state == "held":
reason = 6 # certificateHold