URL: https://github.com/freeipa/freeipa/pull/299 Author: frasertweedale Title: #299: Remove "Request Certificate with SubjectAltName" permission Action: opened
PR body: """ Fixes: https://fedorahosted.org/freeipa/ticket/6526 *Note: the ticket hasn't been triaged or even agreed to. But here is the code ^_^* subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission. Furthermore, we already do rigorously validate SAN contents against the subject principal, and the permission is waived for self-service requests or if the operator is a host principal. So remove the permission, the associated virtual operation, and the associated code in cert_request. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/299/head:pr299 git checkout pr299
From 524e1ab10f51b530c440ac2f3c92154b165e91b4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 1 Dec 2016 14:28:03 +1000 Subject: [PATCH] Remove "Request Certificate with SubjectAltName" permission subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission. Furthermore, we already do rigorously validate SAN contents again the subject principal, and the permission is waived for self-service requests or if the operator is a host principal. So remove the permission, the associated virtual operation, and the associated code in cert_request. Fixes: https://fedorahosted.org/freeipa/ticket/6526
---
 install/updates/40-delegation.update | 15 ---------------
 ipaserver/plugins/cert.py | 6 ------
 2 files changed, 21 deletions(-)
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 259cbdb..f48d23a 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -133,21 +133,6 @@
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: certificate remove hold
-dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
-default:objectClass: top
-default:objectClass: nsContainer
-default:cn: request certificate with subjectaltname
-
-dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Request Certificate with SubjectAltName
-default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
-
-dn: $SUFFIX
-add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
-
 dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
 default:objectClass: top
 default:objectClass: nsContainer
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 3571ef1..d735f9f 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -603,12 +603,6 @@ def execute(self, csr, all=False, raw=False, **kw):
 except cryptography.x509.extensions.ExtensionNotFound:
 ext_san = None
 
-# self-service and host principals may bypass SAN permission check
-if (bind_principal_string != principal_string
-and bind_principal_type != HOST):
-if ext_san is not None:
-self.check_access('request certificate with subjectaltname')
-
 dn = None
 principal_obj = None
 # See if the service exists and punt if it doesn't and we aren't
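Review bot: Dropping the `default:` and `add:aci:` directives for the SubjectAltName virtual operation and permission only stops them from being created on fresh installs; on an already-deployed server the `cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX` entry, the `cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX` entry and the ACI on `$SUFFIX` would survive an upgrade, if I read the update-file semantics correctly. Consider pairing the deletion with explicit cleanup in the same file: a `dn:` stanza for each of the two entries followed by `deleteentry`, and a `remove:aci:` on `$SUFFIX` carrying the exact ACI string being dropped here, so upgraded and new deployments converge on the same PBAC state. Leaving the permission behind is not an access-control hole once cert.py no longer calls `check_access('request certificate with subjectaltname')`, but it stays visible in permission listings and in the Certificate Administrators privilege, which misleads operators auditing who can do what. The cert.py hunk, in turn, now relies entirely on the SAN-versus-principal validation that sits outside this hunk; the commit message asserts it exists, but nothing in the diff shows it, so it is worth confirming that every SAN type is still either validated or rejected before this merges.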