From 61156c5157ec3f8982f4f6efdbf8dfa281cb5a11 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Fri, 13 Jan 2017 20:33:45 +1000

Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable

CAs consist of a FreeIPA and a corresponding Dogtag object.  When

executing ca-del, ca-enable and ca-disable, changes are made to the

Dogtag object.  In the case of ca-del, the corresponding FreeIPA

object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA

permissions are not checked before the Dogtag operations are

executed.  This allows any user to delete, enable or disable a

lightweight CA (except the main IPA CA, for which there are

additional check to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and

ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

---

 ipaserver/plugins/ca.py | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py

index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644

--- a/ipaserver/plugins/ca.py

+++ b/ipaserver/plugins/ca.py

@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):

     def pre_callback(self, ldap, dn, *keys, **options):

         ca_enabled_check()

+        # ensure operator has permission to delete CA

+        # before contacting Dogtag

+        if not ldap.can_delete(dn):

+            raise errors.ACIError(info=_(

+                "Insufficient privilege to delete a CA."))

+

         if keys[0] == IPA_CA_CN:

             raise errors.ProtectedEntryError(

                 label=_("CA"),

-- 

2.9.3