The attached patch fixes https://fedorahosted.org/freeipa/ticket/5099.
Thanks, Fraser
From 294205795f595095f14eecb451f974cbf867ebe3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <[email protected]>
Date: Tue, 4 Aug 2015 01:13:09 -0400
Subject: [PATCH] Add permission for bypassing CA ACL enforcement
Add the "Request Certificate ignoring CA ACLs" permission and associated ACI, initially assigned to "Certificate Administrators" privilege. Update cert-request command to skip CA ACL enforcement when the bind principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
---
install/updates/40-delegation.update | 15 +++++++++++++++
ipalib/plugins/cert.py | 13 ++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index bc0736c5b6c07747586a56c2cbde9596c7522d1c..8d4f6296cbed7fcc968c2193022cb50b488c8561 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -144,6 +144,21 @@ default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX dn: $SUFFIX add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";) +dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX +default:objectClass: top +default:objectClass: nsContainer +default:cn: request certificate ignore caacl + +dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Request Certificate ignoring CA ACLs +default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: $SUFFIX +add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";) + # Read privileges dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 341bdd01766d50ba18ce7147d4408851e6f95487..8c06a9269d00d9bb4095944f965f942b8384aa0f 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -344,8 +344,6 @@ class cert_request(VirtualCommand): else: principal_type = SERVICE - caacl_check(principal_type, principal_string, ca, profile_id) - bind_principal = split_any_principal(getattr(context, 'principal')) bind_service, bind_name, bind_realm = bind_principal 
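Review bot: The new permission entry is made a member of the Certificate Administrators privilege via `default:member`, so, if I read the update semantics correctly, every existing holder of that privilege gains the ability to request certificates outside the CA ACLs for any principal as soon as the update is applied. That widening of an existing role deserves an explicit sentence in the commit message and a comment line above the entry, in the style the file already uses (`# Read privileges`), for example `# Bypasses CA ACL enforcement in cert-request; keep membership minimal`. The ACI itself mirrors the SubjectAltName virtual-operation pattern immediately above it, which is the right shape.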
@@ -361,6 +359,15 @@ class cert_request(VirtualCommand): self.check_access() try: + self.check_access("request certificate ignore caacl") + bypass_caacl = True + except errors.ACIError: + bypass_caacl = False + + if not bypass_caacl: + caacl_check(principal_type, principal_string, ca, profile_id) + + try: subject = pkcs10.get_subject(csr) extensions = pkcs10.get_extensions(csr) subjectaltname = pkcs10.get_subjectaltname(csr) or () @@ -468,7 +475,7 @@ class cert_request(VirtualCommand): raise errors.ACIError(info=_( "Insufficient privilege to create a certificate " "with subject alt name '%s'.") % name) - if alt_principal_string is not None: + if alt_principal_string is not None and not bypass_caacl: caacl_check( principal_type, alt_principal_string, ca, profile_id) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, -- 2.4.3
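Review bot: A successful `check_access("request certificate ignore caacl")` leaves no trace in the server log, yet it is the one branch an auditor would later need to reconstruct: `bypass_caacl` becomes True silently and both `caacl_check` calls (here and in the SAN loop of the third hunk) are skipped. Log it when the flag is set, e.g. `self.log.info("CA ACL enforcement bypassed for %s by %s", principal_string, bind_principal)` placed after the `try`/`except`, assuming the plugin logger is available on this command as on other ipalib plugins. The fail-closed property is also worth stating in a comment on the `except errors.ACIError:` line, something like `# Any ACIError (including one for a missing virtual operation entry on an un-updated server) means CA ACLs are enforced`, with the second half confirmed against check_access. As a point of style, `bypass_caacl = True` would be clearer in an `else:` clause of that `try` so the `try` body holds only the call that can raise. cert_request.execute starts and ends outside these hunks.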
