From 61487ce8cbcad43a711931e92c3c2ef9b160cc02 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Tue, 4 Aug 2015 01:13:09 -0400

Subject: [PATCH] Add permission for bypassing CA ACL enforcement

Add the "Request Certificate ignoring CA ACLs" permission and

associated ACI, initially assigned to "Certificate Administrators"

privilege.

Update cert-request command to skip CA ACL enforcement when the bind

principal has this permission.

Fixes: https://fedorahosted.org/freeipa/ticket/5099

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 install/updates/40-delegation.update | 15 +++++++++++++++

 ipalib/plugins/cert.py               | 13 ++++++++++---

 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update

index bc0736c5b6c07747586a56c2cbde9596c7522d1c..8d4f6296cbed7fcc968c2193022cb50b488c8561 100644

--- a/install/updates/40-delegation.update

+++ b/install/updates/40-delegation.update

@@ -144,6 +144,21 @@ default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

 dn: $SUFFIX

 add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)

+dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX

+default:objectClass: top

+default:objectClass: nsContainer

+default:cn: request certificate ignore caacl

+

+dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX

+default:objectClass: top

+default:objectClass: groupofnames

+default:objectClass: ipapermission

+default:cn: Request Certificate ignoring CA ACLs

+default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX

+

+dn: $SUFFIX

+add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)

+

 # Read privileges

 dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py

index 610f2149363eaa74180e9de5c9ee1439446ef409..daa698b54f2cc1b645245d312fae0f0500239ea2 100644

--- a/ipalib/plugins/cert.py

+++ b/ipalib/plugins/cert.py

@@ -345,8 +345,6 @@ class cert_request(VirtualCommand):

         else:

             principal_type = SERVICE

-        caacl_check(principal_type, principal_string, ca, profile_id)

-

         bind_principal = split_any_principal(getattr(context, 'principal'))

         bind_service, bind_name, bind_realm = bind_principal

@@ -362,6 +360,15 @@ class cert_request(VirtualCommand):

             self.check_access()

         try:

+            self.check_access("request certificate ignore caacl")

+            bypass_caacl = True

+        except errors.ACIError:

+            bypass_caacl = False

+

+        if not bypass_caacl:

+            caacl_check(principal_type, principal_string, ca, profile_id)

+

+        try:

             subject = pkcs10.get_subject(csr)

             extensions = pkcs10.get_extensions(csr)

             subjectaltname = pkcs10.get_subjectaltname(csr) or ()

@@ -469,7 +476,7 @@ class cert_request(VirtualCommand):

                         raise errors.ACIError(info=_(

                             "Insufficient privilege to create a certificate "

                             "with subject alt name '%s'.") % name)

-                if alt_principal_string is not None:

+                if alt_principal_string is not None and not bypass_caacl:

                     caacl_check(

                         principal_type, alt_principal_string, ca, profile_id)

             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,

-- 

2.4.3