The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5099.

Thanks,
Fraser
From 294205795f595095f14eecb451f974cbf867ebe3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 4 Aug 2015 01:13:09 -0400
Subject: [PATCH] Add permission for bypassing CA ACL enforcement

Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.

Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.

Fixes: https://fedorahosted.org/freeipa/ticket/5099
---
 install/updates/40-delegation.update | 15 +++++++++++++++
 ipalib/plugins/cert.py               | 13 ++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/install/updates/40-delegation.update 
b/install/updates/40-delegation.update
index 
bc0736c5b6c07747586a56c2cbde9596c7522d1c..8d4f6296cbed7fcc968c2193022cb50b488c8561
 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -144,6 +144,21 @@ default:member: cn=Certificate 
Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: $SUFFIX
 add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate 
with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl 
"permission:Request Certificate with SubjectAltName"; allow (write) groupdn = 
"ldap:///cn=Request Certificate with 
SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
 
+dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: request certificate ignore caacl
+
+dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Request Certificate ignoring CA ACLs
+default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate 
ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl 
"permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = 
"ldap:///cn=Request Certificate ignoring CA 
ACLs,cn=permissions,cn=pbac,$SUFFIX";)
+
 
 # Read privileges
 dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
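Review bot: The new permission entry carries no comment stating what it actually controls, which for a permission that disables a policy check is the first thing a reader of this file needs; the surrounding file already uses `#` comments for section headings, so a line such as `# Grants cert-request callers a bypass of CA ACL enforcement; held by Certificate Administrators by default` above `dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX` would do. Because the default member is the existing Certificate Administrators privilege, every current holder of that privilege gains the bypass on upgrade; that seems to be the intent per the commit message, but it is worth stating next to the entry so auditors of pbac do not have to cross-reference cert.py. The ACI itself follows the same virtual-operation pattern as the SubjectAltName permission just above it, so no change to its shape is suggested.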
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 
341bdd01766d50ba18ce7147d4408851e6f95487..8c06a9269d00d9bb4095944f965f942b8384aa0f
 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -344,8 +344,6 @@ class cert_request(VirtualCommand):
         else:
             principal_type = SERVICE
 
-        caacl_check(principal_type, principal_string, ca, profile_id)
-
         bind_principal = split_any_principal(getattr(context, 'principal'))
         bind_service, bind_name, bind_realm = bind_principal
 
@@ -361,6 +359,15 @@ class cert_request(VirtualCommand):
             self.check_access()
 
         try:
+            self.check_access("request certificate ignore caacl")
+            bypass_caacl = True
+        except errors.ACIError:
+            bypass_caacl = False
+
+        if not bypass_caacl:
+            caacl_check(principal_type, principal_string, ca, profile_id)
+
+        try:
             subject = pkcs10.get_subject(csr)
             extensions = pkcs10.get_extensions(csr)
             subjectaltname = pkcs10.get_subjectaltname(csr) or ()
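Review bot: The bypass decision in the added try/except leaves no trace when CA ACL enforcement is skipped, so a request that would have been refused by caacl_check is indistinguishable in the server log from one that passed it; a debug message in the `bypass_caacl = True` branch, for example `self.log.debug("bind principal holds 'request certificate ignore caacl'; skipping CA ACL enforcement")` (assuming the plugin's usual logger is available in this method), would make the bypass auditable. The except clause also deserves a why-comment, since swallowing ACIError is the normal path for most callers and a later reader may mistake it for an error being hidden: `# ACIError is the common case: without the bypass permission, CA ACLs are enforced below.` The same flag gates the SAN principal check later in the diff (`if alt_principal_string is not None and not bypass_caacl:`), which is consistent with this hunk. The enclosing cert_request method starts and ends outside the hunk.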
@@ -468,7 +475,7 @@ class cert_request(VirtualCommand):
                         raise errors.ACIError(info=_(
                             "Insufficient privilege to create a certificate "
                             "with subject alt name '%s'.") % name)
-                if alt_principal_string is not None:
+                if alt_principal_string is not None and not bypass_caacl:
                     caacl_check(
                         principal_type, alt_principal_string, ca, profile_id)
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
-- 
2.4.3
