Add permission for bypassing CA ACL enforcement

Add the "Request Certificate ignoring CA ACLs" permission and associated ACI, initially assigned to "Certificate Administrators" privilege. Update cert-request command to skip CA ACL enforcement when the bind principal has this permission. Fixes: https://fedorahosted.org/freeipa/ticket/5099 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-04 01:13:09 -04:00
parent 6b978d74ae
commit 6fa14fd21e
2 changed files with 25 additions and 3 deletions
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -144,6 +144,21 @@ default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
 dn: $SUFFIX
 add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)

+dn: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: request certificate ignore caacl
+
+dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Request Certificate ignoring CA ACLs
+default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: $SUFFIX
+add:aci:(targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,$SUFFIX";)
+

 # Read privileges
 dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -345,8 +345,6 @@ class cert_request(VirtualCommand):
        else:
            principal_type = SERVICE

-        caacl_check(principal_type, principal_string, ca, profile_id)
-
        bind_principal = split_any_principal(getattr(context, 'principal'))
        bind_service, bind_name, bind_realm = bind_principal

@@ -361,6 +359,15 @@ class cert_request(VirtualCommand):
            # Can the bound principal request certs for another principal?
            self.check_access()

+        try:
+            self.check_access("request certificate ignore caacl")
+            bypass_caacl = True
+        except errors.ACIError:
+            bypass_caacl = False
+
+        if not bypass_caacl:
+            caacl_check(principal_type, principal_string, ca, profile_id)
+
        try:
            subject = pkcs10.get_subject(csr)
            extensions = pkcs10.get_extensions(csr)
@@ -469,7 +476,7 @@ class cert_request(VirtualCommand):
                        raise errors.ACIError(info=_(
                            "Insufficient privilege to create a certificate "
                            "with subject alt name '%s'.") % name)
-                if alt_principal_string is not None:
+                if alt_principal_string is not None and not bypass_caacl:
                    caacl_check(
                        principal_type, alt_principal_string, ca, profile_id)
            elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,