From 61156c5157ec3f8982f4f6efdbf8dfa281cb5a11 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 13 Jan 2017 20:33:45 +1000
Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable

CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/ca.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check()
 
+        # ensure operator has permission to delete CA
+        # before contacting Dogtag
+        if not ldap.can_delete(dn):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to delete a CA."))
+
         if keys[0] == IPA_CA_CN:
             raise errors.ProtectedEntryError(
                 label=_("CA"),
-- 
2.9.3