ca: correctly authorise ca-del, ca-enable and ca-disable

CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/plugins/ca.py

@@ -213,6 +213,12 @@ class ca_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check()
 
+        # ensure operator has permission to delete CA
+        # before contacting Dogtag
+        if not ldap.can_delete(dn):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to delete a CA."))
+
         if keys[0] == IPA_CA_CN:
             raise errors.ProtectedEntryError(
                 label=_("CA"),
@@ -251,9 +257,15 @@ class CAQuery(LDAPQuery):
     def execute(self, cn, **options):
         ca_enabled_check()
 
-        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        ca_obj = self.api.Command.ca_show(cn)['result']
+
+        # ensure operator has permission to modify CAs
+        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to modify a CA."))
+
         with self.api.Backend.ra_lightweight_ca as ca_api:
-            self.perform_action(ca_api, ca_id)
+            self.perform_action(ca_api, ca_obj['ipacaid'][0])
 
         return dict(
             result=True,