URL: https://github.com/freeipa/freeipa/pull/299
Author: frasertweedale
 Title: #299: Remove "Request Certificate with SubjectAltName" permission
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/299/head:pr299
git checkout pr299
From 837a225bc5d7fa4672ac9833747cf1de4a4521ad Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 1 Dec 2016 14:28:03 +1000
Subject: [PATCH] Remove "Request Certificate with SubjectAltName" permission

subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
 install/updates/40-delegation.update           | 15 ---------------
 ipaserver/plugins/cert.py                      |  6 ------
 ipatests/test_xmlrpc/test_permission_plugin.py |  2 +-
 3 files changed, 1 insertion(+), 22 deletions(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 259cbdb..f48d23a 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -133,21 +133,6 @@ default:objectClass: top
 default:objectClass: nsContainer
 default:cn: certificate remove hold
-dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX
-default:objectClass: top
-default:objectClass: nsContainer
-default:cn: request certificate with subjectaltname
-dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX
-default:objectClass: top
-default:objectClass: groupofnames
-default:objectClass: ipapermission
-default:cn: Request Certificate with SubjectAltName
-default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
-dn: $SUFFIX
-add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)
 dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
 default:objectClass: top
 default:objectClass: nsContainer
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 81872cf..4c1248f 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -620,12 +620,6 @@ def execute(self, csr, all=False, raw=False, **kw):
         except cryptography.x509.extensions.ExtensionNotFound:
             ext_san = None
-        # self-service and host principals may bypass SAN permission check
-        if (bind_principal_string != principal_string
-                and bind_principal_type != HOST):
-            if ext_san is not None:
-                self.check_access('request certificate with subjectaltname')
         dn = None
         principal_obj = None
         # See if the service exists and punt if it doesn't and we aren't
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 6336df7..7582b24 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -3125,7 +3125,7 @@ def check_legacy_results(results):
     legacy_permissions = [p for p in results
                           if not p.get('ipapermissiontype')]
-    assert len(legacy_permissions) == 9, len(legacy_permissions)
+    assert len(legacy_permissions) == 8, len(legacy_permissions)
     return True
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to