From 61487ce8cbcad43a711931e92c3c2ef9b160cc02 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 4 Aug 2015 01:13:09 -0400
Subject: [PATCH] Add permission for bypassing CA ACL enforcement
590d18
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.
590d18
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
590d18
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/updates/40-delegation.update | 15 +++++++++++++++
 ipalib/plugins/cert.py               | 13 ++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
590d18
index bc0736c5b6c07747586a56c2cbde9596c7522d1c..8d4f6296cbed7fcc968c2193022cb50b488c8561 100644
590d18
--- a/install/updates/40-delegation.update
590d18
+++ b/install/updates/40-delegation.update
590d18
@@ -144,6 +144,21 @@ default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
590d18
 dn: $SUFFIX
590d18
 add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
590d18
 
590d18
+dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
590d18
+default:objectClass: top
590d18
+default:objectClass: nsContainer
590d18
+default:cn: request certificate ignore caacl
590d18
+
590d18
+dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
590d18
+default:objectClass: top
590d18
+default:objectClass: groupofnames
590d18
+default:objectClass: ipapermission
590d18
+default:cn: Request Certificate ignoring CA ACLs
590d18
+default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
590d18
+
590d18
+dn: $SUFFIX
590d18
+add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
590d18
+
590d18
 
590d18
 # Read privileges
590d18
 dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
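Review bot: The new permission at `dn: cn=Request Certificate ignoring CA ACLs` is handed to the `Certificate Administrators` privilege via `default:member`, so on upgrade every existing holder of that privilege silently gains the ability to make cert-request skip CA ACL enforcement altogether. That is a real widening of what the privilege grants and deserves a release note plus a comment on the entry so the next administrator reading this file understands the blast radius, e.g. `# Holders can request certificates for any principal/profile/CA regardless of CA ACLs; review membership before granting.` Since CA ACLs are presumably the control an operator relies on to scope issuance, consider whether this assignment should be opt-in rather than inherited by default. The enforcement code this permission bypasses lives in cert.py, outside this hunk.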
590d18
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
590d18
index 610f2149363eaa74180e9de5c9ee1439446ef409..daa698b54f2cc1b645245d312fae0f0500239ea2 100644
590d18
--- a/ipalib/plugins/cert.py
590d18
+++ b/ipalib/plugins/cert.py
590d18
@@ -345,8 +345,6 @@ class cert_request(VirtualCommand):
590d18
         else:
590d18
             principal_type = SERVICE
590d18
 
590d18
-        caacl_check(principal_type, principal_string, ca, profile_id)
590d18
-
590d18
         bind_principal = split_any_principal(getattr(context, 'principal'))
590d18
         bind_service, bind_name, bind_realm = bind_principal
590d18
 
590d18
@@ -362,6 +360,15 @@ class cert_request(VirtualCommand):
590d18
             self.check_access()
590d18
 
590d18
         try:
590d18
+            self.check_access("request certificate ignore caacl")
590d18
+            bypass_caacl = True
590d18
+        except errors.ACIError:
590d18
+            bypass_caacl = False
590d18
+
590d18
+        if not bypass_caacl:
590d18
+            caacl_check(principal_type, principal_string, ca, profile_id)
590d18
+
590d18
+        try:
590d18
             subject = pkcs10.get_subject(csr)
590d18
             extensions = pkcs10.get_extensions(csr)
590d18
             subjectaltname = pkcs10.get_subjectaltname(csr) or ()
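Review bot: The bypass taken when `self.check_access("request certificate ignore caacl")` succeeds leaves no trace: `caacl_check` is simply skipped, so an auditor cannot later distinguish issuances made outside the configured CA ACLs from ordinary ones, and this is exactly the path an over-privileged or compromised Certificate Administrator would use. Record it, e.g. `if bypass_caacl: self.log.info("CA ACL check skipped for %s by %s", principal_string, getattr(context, 'principal'))` (assuming the plugin logger is exposed as `self.log` as in other ipalib plugins; verify). The probe also costs an extra access-control evaluation on every request, including the common case where the caller lacks the permission; if that matters, consult the permission only when `caacl_check` would reject the request. The enclosing execute() method starts and ends outside this hunk.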
590d18
@@ -469,7 +476,7 @@ class cert_request(VirtualCommand):
590d18
                         raise errors.ACIError(info=_(
590d18
                             "Insufficient privilege to create a certificate "
590d18
                             "with subject alt name '%s'.") % name)
590d18
-                if alt_principal_string is not None:
590d18
+                if alt_principal_string is not None and not bypass_caacl:
590d18
                     caacl_check(
590d18
                         principal_type, alt_principal_string, ca, profile_id)
590d18
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
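Review bot: The added `and not bypass_caacl` extends the bypass to alternate principals named in the CSR's subjectAltName, so the permission covers more than its name suggests; that should be stated at the point of the SAN check, e.g. `# The ignore-caacl permission also covers SAN principals; the separate SubjectAltName permission check above still applies.` The preceding `Insufficient privilege to create a certificate with subject alt name` ACIError path is untouched, so a bypass holder still needs the SubjectAltName permission, which is the right layering — worth pinning with a test that a principal holding only the ignore-caacl permission is still refused a SAN certificate. The enclosing loop and execute() extend beyond this hunk.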
590d18
-- 
2.4.3