freeipa/ipaserver/plugins
Fraser Tweedale fec4c32ff1 certprofile-mod: correctly authorise config update
Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-14 18:08:33 +01:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
aci.py wrap long line 2016-11-25 16:18:22 +01:00
automember.py allow 'value' output param in commands without primary key 2016-07-20 13:57:01 +02:00
automount.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
baseldap.py Generalize filter generation in LDAPSearch 2016-12-07 13:01:58 +01:00
baseuser.py Use constant for user and group patterns 2016-09-20 17:35:28 +02:00
batch.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
ca.py Fix regression in test suite 2016-12-13 17:25:59 +01:00
caacl.py caacl: fix regression in rule instantiation 2016-08-05 11:51:43 +02:00
cert.py Configure Anonymous PKINIT on server install 2016-12-12 13:39:44 +01:00
certprofile.py certprofile-mod: correctly authorise config update 2016-12-14 18:08:33 +01:00
config.py fix missing translation string 2016-12-06 13:09:00 +01:00
delegation.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
dns.py Fix Python 3 bugs discovered by pylint 2016-11-25 16:18:22 +01:00
dnsserver.py help: Add dnsserver commands to help topic 'dns' 2016-07-22 13:52:09 +02:00
dogtag.py Configure Anonymous PKINIT on server install 2016-12-12 13:39:44 +01:00
domainlevel.py Check for conflict entries before raising domain level 2016-12-13 12:25:07 +01:00
group.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
hbac.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
hbacrule.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
hbacsvc.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
hbacsvcgroup.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
hbactest.py Remove unused variables in the code 2016-09-27 13:35:58 +02:00
host.py Remove unused variables in the code 2016-09-27 13:35:58 +02:00
hostgroup.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
idrange.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
idviews.py Pylint: remove unused variables in ipaserver package 2016-10-06 10:43:36 +02:00
internal.py WebUI: fix API Browser menu label 2016-10-11 17:24:43 +02:00
join.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
krbtpolicy.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
ldap2.py constants: remove CACERT 2016-11-29 14:50:51 +01:00
location.py DNS Location: add list of roles and DNS servers to location-show 2016-06-17 18:05:03 +02:00
migration.py Fix ipa migrate-ds when it finds a search reference 2016-11-17 01:01:05 +01:00
misc.py Make env and plugins commands local again 2016-12-02 13:00:06 +01:00
netgroup.py netgroup: avoid extraneous LDAP search when retrieving primary key from DN 2016-09-09 16:27:53 +02:00
otp.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
otpconfig.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
otptoken.py do not use keys() method when iterating through dictionaries 2016-10-12 10:38:52 +02:00
passwd.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
permission.py Fix permission-find with sizelimit set 2016-12-07 13:01:58 +01:00
ping.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
pkinit.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
privilege.py Remove unused variables in the code 2016-09-27 13:35:58 +02:00
pwpolicy.py pwpolicy: do not run klist on import 2016-10-24 14:11:08 +02:00
rabase.py Add CA argument to ra.request_certificate 2016-06-15 07:13:38 +02:00
radiusproxy.py prevent search for RADIUS proxy servers by secret 2016-07-21 10:49:10 +02:00
realmdomains.py ipautil: remove get_domain_name() 2016-11-29 14:50:51 +01:00
role.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
schema.py schema: Fix subtopic -> topic mapping 2016-07-15 14:02:17 +02:00
selfservice.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
selinuxusermap.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
server.py Break ipaplatform / ipalib import cycle of hell 2016-11-24 16:30:32 +01:00
serverrole.py Fix minor typos 2016-06-16 08:47:20 +02:00
serverroles.py Do not update result of *-config-show with empty server attributes 2016-06-21 13:07:24 +02:00
service.py x509: use python-cryptography to process certs 2016-11-10 10:21:47 +01:00
servicedelegation.py Fix regexp patterns in parameters to not enforce length 2016-09-20 17:35:28 +02:00
session.py session: do not initialize session manager on import 2016-06-30 14:09:24 +02:00
stageuser.py Pylint: remove unused variables in ipaserver package 2016-10-06 10:43:36 +02:00
sudo.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
sudocmd.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
sudocmdgroup.py remove trailing newlines form python modules 2016-10-12 10:38:52 +02:00
sudorule.py sudorule: add SELinux transition examples to plugin doc 2016-09-23 14:59:43 +02:00
topology.py Fix regexp patterns in parameters to not enforce length 2016-09-20 17:35:28 +02:00
trust.py trustdomain-del: fix the way how subdomain is searched 2016-11-01 11:24:26 +01:00
user.py Pylint: remove unused variables in ipaserver package 2016-10-06 10:43:36 +02:00
vault.py Fix: container owner should be able to add vault 2016-08-18 13:02:38 +02:00
virtual.py ipalib: move server-side plugins to ipaserver 2016-06-03 09:00:34 +02:00
xmlserver.py Added new authentication method 2016-08-17 16:55:49 +02:00