> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
>
> The idea was that hosts have no need to be able to query random serial
> numbers so it should be limited to viewing its own. Removing the if
> hostname: applies this logic to ALL retrieval which is by far overkill
> and limits all non-admin entries to only be able to view certs they own
> (or can write) which sort of kills the reason for the 'retrieve
> certificate' permission.

OK, anyway, I don't think I am able to refactor right now to also
include the services.

I am attaching a new, simple patch.
From de2f71384e72cacf3f8b1deb864518246835942b Mon Sep 17 00:00:00 2001
From: Jan Orel <jan.o...@gooddata.com>
Date: Thu, 15 Oct 2015 16:59:14 +0200
Subject: [PATCH] cert-show: verify write access to usercertificate

---
 ipalib/plugins/cert.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e459320..55f9484 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -625,9 +625,12 @@ class cert_show(VirtualCommand):
         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
         if hostname:
-            # If we have a hostname we want to verify that the subject
-            # of the certificate matches it, otherwise raise an error
-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
+            # If we have a hostname we want to verify that we can
+            # write to the usercertificate attr of the target
+            ldap = self.api.Backend.ldap2
+            entry = ldap.find_entry_by_attr("cn", cert.subject.common_name,
+                    "ipahost", base_dn=api.env.basedn)
+            if not ldap.can_write(entry.dn, 'usercertificate'):
                 raise acierr
 
         return dict(result=result)
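Review bot: the new `find_entry_by_attr("cn", cert.subject.common_name, "ipahost", ...)` lookup is unguarded, so when the certificate's subject CN does not name an existing host entry (a service or user certificate, for instance) the command will surface an LDAP NotFound error instead of `acierr`, which is a different error than the host-restricted path raised before and lets a caller distinguish "no such host" from "not permitted". Wrapping the lookup in `try: ... except errors.NotFound: raise acierr` keeps the failure mode uniform. Two smaller points in the same hunk: the lookup mixes `self.api.Backend.ldap2` with the module-level `api.env.basedn`; using `self.api.env.basedn` keeps it consistent with the line above. And since the `hostname != cert.subject.common_name` equality check is removed outright, a host principal's ability to read its own certificate now rests entirely on it having write access to `usercertificate` on its own entry, so it is worth confirming that the default self-service ACI grants this, otherwise the original "a host can view its own cert" case regresses. The quoted discussion above also notes that services bound to IPA hit the same path, and this hunk still keys the lookup on `ipahost` only.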
-- 
2.4.3