From dcb6aeca65c148bf8ca3cfb6bc9f624cd9bebd56 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 5 May 2026 14:39:42 -0400
Subject: [PATCH] Add ca-only policy

This policy forces CA validation every time.
This also checks things like date validity.
---
 confluent_server/confluent/util.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/util.py b/confluent_server/confluent/util.py
index b2ae887c..fcafd5ad 100644
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@@ -306,7 +306,7 @@ class TLSCertVerifier(object):
             self.cfm.set_node_attributes(
                 {self.node: {self.fieldname: fingerprint}})
             return True
-        elif cert_matches(storedprint, certificate):
+        elif cert_matches(storedprint, certificate) and newpolicy != 'ca-only':
             return True
         fingerprint = get_fingerprint(certificate, 'sha256')
         # No pinned certificate match, try to validate by CA if possible
@@ -320,7 +320,8 @@ class TLSCertVerifier(object):
                 {self.node: {self.fieldname: fingerprint}})
             return True
         except Exception:
-            pass
+            if newpolicy == 'ca-only':
+                raise
         raise cexc.PubkeyInvalid(
             'Mismatched certificate detected', certificate, fingerprint,
             self.fieldname, 'mismatch')
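Review bot: The branch that ends at the top of the first hunk pins a fingerprint via `set_node_attributes` and returns True without any `newpolicy != 'ca-only'` guard, while only the `elif cert_matches(...)` line gets one. If that earlier branch is the no-stored-fingerprint (first-contact) path and its condition is not itself gated on the policy, a node with no pin is still trusted without CA validation, which contradicts the commit message's "forces CA validation every time"; `newpolicy` is also not bound anywhere in the hunk, so its assignment and that branch's condition live above the visible lines and should be checked together. If the guard is intended to apply there too, the same `and newpolicy != 'ca-only'` belongs on that condition; either way the new `elif` line deserves a why-comment such as `# ca-only: a pinned match is not sufficient, fall through to CA validation`. The enclosing method begins before the hunk.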
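Review bot: The bare `raise` under `newpolicy == 'ca-only'` in the second hunk re-raises whatever the CA validation code threw (the `try` begins above the hunk), so callers that catch `cexc.PubkeyInvalid` to surface a per-node trust error will instead see an unrelated exception type, and the `certificate`/`fingerprint`/`self.fieldname` context attached by the fallthrough `raise cexc.PubkeyInvalid(...)` is lost. Wrapping the failure in `PubkeyInvalid` with a message that names CA validation (not 'Mismatched certificate detected') and chaining the cause keeps the caller contract and preserves the diagnostic; the reason-code argument below is a placeholder for whatever value the project uses for CA failures, and `from err` assumes the module is Python 3 only, which the `(object)` base does not settle, so confirm. The broad `except Exception` is unchanged and still swallows non-TLS errors in the non-ca-only case, which is worth narrowing separately.
```python
        except Exception as err:
            if newpolicy == 'ca-only':
                raise cexc.PubkeyInvalid(
                    'CA validation failed', certificate, fingerprint,
                    self.fieldname, REASON_CODE_PLACEHOLDER) from err
        # … unchanged: fallthrough raise of PubkeyInvalid 'Mismatched certificate detected' …
```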