From cc70dcfa2b491e9bc6966c69625180f20e358530 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 5 May 2026 14:39:42 -0400
Subject: [PATCH] Add ca-only policy

This policy forces CA validation every time. This also checks things like date validity.
---
 confluent_server/confluent/util.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/util.py b/confluent_server/confluent/util.py
index d74695ff..f1060aec 100644
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@@ -314,7 +314,7 @@ class TLSCertVerifier(object):
 tasks.spawn(self.cfm.set_node_attributes(
 {self.node: {self.fieldname: fingerprint}}))
 return True
- elif cert_matches(storedprint, certificate):
+ elif cert_matches(storedprint, certificate) and newpolicy != 'ca-only':
 return True
 fingerprint = get_fingerprint(certificate, 'sha256')
 # No pinned certificate match
@@ -328,7 +328,8 @@ class TLSCertVerifier(object):
 {self.node: {self.fieldname: fingerprint}}))
 return True
 except Exception:
- pass
+ if newpolicy == 'ca-only':
+ raise
 raise cexc.PubkeyInvalid(
 'Mismatched certificate detected', certificate, fingerprint,
 self.fieldname, 'mismatch')
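Review bot: The `and newpolicy != 'ca-only'` guard added to the `elif` makes a successful pin match fall through to the CA path with no explanation on the line itself, which is easy to misread as a bug on a later pass; a one-line comment above it would fix that, e.g. `# 'ca-only': a matching pin is never sufficient on its own, always fall through to CA validation`. `newpolicy` is assigned before this hunk, so its possible values (including None) are not visible here; the inequality treats every value other than 'ca-only' as pin-trusting, which is presumably intended but worth stating in that comment. The enclosing method of TLSCertVerifier begins before this hunk.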
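Review bot: The bare `raise` inside `except Exception:` changes the exception type that escapes the verifier for ca-only nodes: whatever the CA check raised (a TLS library error, an unreadable CA bundle, or a plain programming error) now propagates instead of `cexc.PubkeyInvalid`, so callers that catch `PubkeyInvalid` to report a verification failure will presumably see it as an unexpected crash rather than a rejected certificate. The failure still rejects the connection, so this is fail-closed, but the contract can be kept without losing the cause: `except Exception as e:` / `if newpolicy == 'ca-only':` / `raise cexc.PubkeyInvalid('CA validation failed', certificate, fingerprint, self.fieldname, 'mismatch') from e`. For every other policy the exception is still swallowed and reported as a generic mismatch, which hides configuration problems such as a missing CA bundle; that is pre-existing but deserves at least a log line. The `try` block and the CA check it wraps are outside this hunk.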