acme: add Dogtag ACL to allow ACME agents to revoke certs

Add an ACL to allow ACME agents to revoke certificates.  Although
the operation "execute" sounds quite scary (as though it would have
a wide scope), in fact it only allows revocation (and unrevocation).
See CertResource.java and base/ca/shared/conf/acl.properties in the
Dogtag source.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fraser Tweedale 2020-05-28 12:10:22 +10:00 committed by Rob Crittenden
parent b3565290fe
commit c309d4a4d0


@ -1533,6 +1533,8 @@ class CAInstance(DogtagInstance):
logger.debug('ACME service is already deployed') logger.debug('ACME service is already deployed')
return False return False
configure_acme_acls()
# create ACME agent group (if not exist already) and user # create ACME agent group (if not exist already) and user
self.ensure_group(ACME_AGENT_GROUP, "ACME RA accounts") self.ensure_group(ACME_AGENT_GROUP, "ACME RA accounts")
acme_user = f"acme-{self.fqdn}" acme_user = f"acme-{self.fqdn}"
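Review bot: the new `configure_acme_acls()` call sits after the early `return False` for "ACME service is already deployed", so a server on which ACME was deployed before this change never gets the revocation ACL added; if that is meant to be covered, call `configure_acme_acls()` before the early return or from the upgrade path as well. The call also discards the return value of `configure_acme_acls()` (which passes through the result of `__add_acls`), so consider logging it or making the idempotent "already present" case explicit, as the surrounding code does for the agent group and user.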
@ -1857,6 +1859,21 @@ def configure_lightweight_ca_acls():
return __add_acls(new_rules) return __add_acls(new_rules)
def configure_acme_acls():
"""Allow the ACME Agents to modify profiles."""
# The "execute" operation sounds scary, but it actually only allows
# revocation and unrevocation. See CertResource.java and
# base/ca/shared/conf/acl.properties in the Dogtag source.
new_rules = [
'certServer.ca.certs:execute'
f':allow (execute) group="{ACME_AGENT_GROUP}"'
':ACME Agents may execute cert operations',
]
return __add_acls(new_rules)
def __add_acls(new_rules): def __add_acls(new_rules):
"""Add the given Dogtag ACLs. """Add the given Dogtag ACLs.