On Wed, 2014-01-22 at 16:05 +0100, Jan Cholasta wrote:
> On 22.1.2014 15:34, Simo Sorce wrote:
> > On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote:
> >> On 21.1.2014 17:12, Simo Sorce wrote:
> >>> On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
> >>>> +        request = None
> >>>> +        try:
> >>>> +            request = pkcs10.load_certificate_request(csr)
> >>>> +            subject = pkcs10.get_subject(request)
> >>>> +            subjectaltname = pkcs10.get_subjectaltname(request)
> >>>
> >>> Will this make the request fail if there is no subjectaltname ?
> >>
> >> No.
> >
> > Good.
> >
> >>> Later in the patch you seem to be changing from needing managedby_host
> >>> to needing write access to an entry, I am not sure I understand why that
> >>> was changed. not saying it is necessarily wrong,  but why the original
> >>> check is not right anymore ?
> >>
> >> The original check is wrong, see
> >> <https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
> >>
> >> The check in my patch allows SAN only if the requesting host has write
> >> access to all of the SAN services. I'm not entirely sure if this is
> >> right, but even if it is not, I think we should still check for write
> >> access to the SAN services, so that access control can be (partially)
> >> handled by ACIs.
> >
> > Right, I remembered that comment, but it just says to check the right
> > object's managed-by, here instead you changed it to check if you can
> > write the usercertificate.
> >
> > I guess it is the same *if* there is an ACI that gives write permission
> > when the host is in the managed-by attribute, is that the reasoning ?
> 
> Exactly. The ACIs that allow this by default are named "Hosts can manage 
> service Certificates and kerberos keys" and "Hosts can manage other host 
> Certificates and kerberos keys".
> 
> I think the check can be extended to users as well, so that requesting 
> certificate with SAN is allowed only to users which have write access to 
> the SAN services.

Sounds good to me then, thanks for explaining.

The patches also look good, but I would like someone to give them a try
for a formal ack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to