The attached patch is part of lightweight CA support.  It just adds
some ACL rules to Dogtag database, and does not depend the version
of Dogtag (so it's ok to merge immediately, when ACKed).

Thanks,
Fraser
From 362f7f9ec385cc2625d852ccf514508e231e78db Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 21 Apr 2016 15:09:18 +1000
Subject: [PATCH] Authorise CA Agent to manage lightweight CAs

Add Dogtag ACLs that authorise the CA Agent certificate to manage
lightweight CAs.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipaserver/install/cainstance.py     | 45 ++++++++++++++++++++++++++++++++-----
 ipaserver/install/server/upgrade.py | 11 +++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
7e1aaf5d7ae5744d043787d1b5d3ab6bf6fc7333..54159dd052640618dd1952d1501e8acb82bb91e2
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -417,6 +417,7 @@ class CAInstance(DogtagInstance):
                 self.step("importing RA certificate from PKCS #12 file",
                           lambda: self.import_ra_cert(ra_p12, 
configure_renewal=False))
             self.step("authorizing RA to modify profiles", 
configure_profiles_acl)
+            self.step("authorizing RA to manage lightweight CAs", 
configure_lightweight_ca_acls)
             self.step("configure certmonger for renewals", 
self.configure_certmonger_renewal)
             self.step("configure certificate renewals", self.configure_renewal)
             if not self.clone:
@@ -1635,11 +1636,6 @@ def ensure_entry(dn, **attrs):
 
 def configure_profiles_acl():
     """Allow the Certificate Manager Agents group to modify profiles."""
-    server_id = installutils.realm_to_serverid(api.env.realm)
-    dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
-    updated = False
-
-    dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
     new_rules = [
         'certServer.profile.configuration:read,modify:allow (read,modify) '
         'group="Certificate Manager Agents":'
@@ -1648,6 +1644,45 @@ def configure_profiles_acl():
         'certServer.ca.account:login,logout:allow (login,logout) '
         'user="anybody":Anybody can login and logout',
     ]
+    return __add_acls(new_rules)
+
+
+def configure_lightweight_ca_acls():
+    """Allow Certificate Manager Agents to manage lightweight CAs."""
+    new_rules = [
+        'certServer.ca.authorities:list,read'
+        ':allow (list,read) user="anybody"'
+        ':Anybody may list and read lightweight authorities',
+
+        'certServer.ca.authorities:create,modify'
+        ':allow (create,modify) group="Administrators"'
+        ':Administrators may create and modify lightweight authorities',
+
+        'certServer.ca.authorities:delete'
+        ':allow (delete) group="Administrators"'
+        ':Administrators may delete lightweight authorities',
+
+        'certServer.ca.authorities:create,modify,delete'
+        ':allow (create,modify,delete) group="Certificate Manager Agents"'
+        ':Certificate Manager Agents may manage lightweight authorities',
+    ]
+    return __add_acls(new_rules)
+
+
+def __add_acls(new_rules):
+    """Add the given Dogtag ACLs.
+
+    ``new_rules``
+        Iterable of ACL rule values to add
+
+    Return ``True`` if any ACLs were added otherwise ``False``.
+
+    """
+    server_id = installutils.realm_to_serverid(api.env.realm)
+    dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+    updated = False
+
+    dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
 
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
     if not conn.isconnected():
diff --git a/ipaserver/install/server/upgrade.py 
b/ipaserver/install/server/upgrade.py
index 
cc003c7146d547b5778f4d5d8d1c4f7eedc69ec7..ed7e54882de947aac0088981898b0aaa926b7137
 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -302,6 +302,16 @@ def ca_configure_profiles_acl(ca):
     return cainstance.configure_profiles_acl()
 
 
+def ca_configure_lightweight_ca_acls(ca):
+    root_logger.info('[Authorizing RA Agent to manage lightweight CAs]')
+
+    if not ca.is_configured():
+        root_logger.info('CA is not configured')
+        return False
+
+    return cainstance.configure_lightweight_ca_acls()
+
+
 def ca_enable_ldap_profile_subsystem(ca):
     root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]')
     if not ca.is_configured():
@@ -1640,6 +1650,7 @@ def upgrade_configuration():
         certificate_renewal_update(ca, ds, http),
         ca_enable_pkix(ca),
         ca_configure_profiles_acl(ca),
+        ca_configure_lightweight_ca_acls(ca),
     ])
 
     if ca_restart:
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to