Use a new mechanism for delegating certificate issuance.

Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
author: Rob Crittenden <rcritten@redhat.com> 2009-11-03 09:35:19 -0500
committer: Jason Gerard DeRose <jderose@redhat.com> 2009-11-03 09:04:05 -0700
commit: bd619adb5c1cfcd9e72c18896aded82e2ab33faa (patch)
tree: 749d6ef90707772a5146d03c6bc78ef59a5f664c /ipalib/plugins/cert.py
parent: e4c119ed4b05fe600377360e697483bd59000b37 (diff)
download: freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.gz
freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.xz
freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.zip
1 files changed, 11 insertions, 40 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 9750de6f4..0416730f8 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -102,6 +102,7 @@ class cert_request(VirtualCommand):
     )
 
     def execute(self, csr, **kw):
+        ldap = self.api.Backend.ldap2
         skw = {"all": True}
         principal = kw.get('principal')
         add = kw.get('add')
@@ -121,35 +122,6 @@ class cert_request(VirtualCommand):
         if subject_host.lower() != hostname.lower():
             raise errors.ACIError(info="hostname in subject of request '%s' does not match principal hostname '%s'" % (subject_host, hostname))
 
-        # Get the IP address of the machine that submitted the request. We
-        # will compare this to the subjectname of the CSR.
-        client_ip = getattr(context, 'client_ip')
-        rhost = None
-        if client_ip not in (None, ''):
-            rev = client_ip.split('.')
-            if len(rev) == 0:
-                rev = client_ip.split(':')
-                rev.reverse()
-                addr = "%s.in-addr.arpa." % ".".join(rev)
-            else:
-                rev.reverse()
-                addr = "%s.in-addr.arpa." % ".".join(rev)
-            rs = dnsclient.query(addr, dnsclient.DNS_C_IN, dnsclient.DNS_T_PTR)
-            if len(rs) == 0:
-                raise errors.ACIError(info='DNS lookup on client failed for IP %s' % client_ip)
-            for rsn in rs:
-                if rsn.dns_type == dnsclient.DNS_T_PTR:
-                    rhost = rsn
-                    break
-
-        if rhost is None:
-            raise errors.ACIError(info='DNS lookup on client failed for IP %s' % client_ip)
-
-        client_hostname = rhost.rdata.ptrdname[:-1]
-        if subject_host.lower() != client_hostname.lower():
-             self.log.debug("IPA: hostname in subject of request '%s' does not match requesting hostname '%s'" % (subject_host, client_hostname))
-             self.check_access(operation="request certificate different host")
-
         # See if the service exists and punt if it doesn't and we aren't
         # going to add it
         try:
@@ -157,24 +129,23 @@ class cert_request(VirtualCommand):
             if 'usercertificate' in service:
                 # FIXME, what to do here? Do we revoke the old cert?
                 raise errors.GenericError(format='entry already has a certificate, serial number %s' % get_serial(service['usercertificate']))
-            if not can_write(dn, "usercertificate"):
-                raise errors.ACIError(info='You need to be a member of the serviceadmin role to update services')
-
         except errors.NotFound, e:
             if not add:
                 raise errors.NotFound(reason="The service principal for this request doesn't exist.")
+            try:
+                (dn, service) = api.Command['service_add'](principal, **{})
+            except errors.ACIError:
+                raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')
+
+        # We got this far so the service entry exists, can we write it?
+        if not ldap.can_write(dn, "usercertificate"):
+            raise errors.ACIError(info="Insufficient 'write' privilege to the 'userCertificate' attribute of entry '%s'." % dn)
 
         # Request the certificate
         result = self.Backend.ra.request_certificate(csr, **kw)
 
-        # Success? Then add it to the service entry. We know that it
-        # either exists or we should add it.
-        if result.get('status') == '0':
-            if service is None:
-                try:
-                    service = api.Command['service_add'](principal, **{})
-                except errors.ACIError:
-                    raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')
+        # Success? Then add it to the service entry.
+        if result.get('status') == 0:
             skw = {"usercertificate": str(result.get('certificate'))}
             api.Command['service_mod'](principal, **skw)
author	Rob Crittenden <rcritten@redhat.com>	2009-11-03 09:35:19 -0500
committer	Jason Gerard DeRose <jderose@redhat.com>	2009-11-03 09:04:05 -0700
commit	bd619adb5c1cfcd9e72c18896aded82e2ab33faa (patch)
tree	749d6ef90707772a5146d03c6bc78ef59a5f664c /ipalib/plugins/cert.py
parent	e4c119ed4b05fe600377360e697483bd59000b37 (diff)
download	freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.gz freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.xz freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.zip