authorFraser Tweedale <ftweedal@redhat.com>2015-08-04 01:13:09 -0400
committerMartin Basti <mbasti@redhat.com>2015-08-14 14:02:05 +0200
commitef8f431c93b5587247eeb7de9e74d15e5fc6f616 (patch)
tree162fd7247435cd4acf02a59edcf795b97ff1ddf7 /ipalib
parent7a509980d24b2bd445633026e64db48bb4203ba0 (diff)
Add permission for bypassing CA ACL enforcement
Add the "Request Certificate ignoring CA ACLs" permission and associated ACI, initially assigned to "Certificate Administrators" privilege. Update cert-request command to skip CA ACL enforcement when the bind principal has this permission. Fixes: https://fedorahosted.org/freeipa/ticket/5099 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/cert.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 610f21493..daa698b54 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -345,8 +345,6 @@ class cert_request(VirtualCommand):
else:
principal_type = SERVICE
- caacl_check(principal_type, principal_string, ca, profile_id)
-
bind_principal = split_any_principal(getattr(context, 'principal'))
bind_service, bind_name, bind_realm = bind_principal
@@ -362,6 +360,15 @@ class cert_request(VirtualCommand):
self.check_access()
try:
+ self.check_access("request certificate ignore caacl")
+ bypass_caacl = True
+ except errors.ACIError:
+ bypass_caacl = False
+
+ if not bypass_caacl:
+ caacl_check(principal_type, principal_string, ca, profile_id)
+
+ try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
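Review bot: The bypass decision is silent: when `self.check_access("request certificate ignore caacl")` succeeds on the first added line, `bypass_caacl` becomes True and the `caacl_check` call is skipped with nothing recorded, so a certificate issued outside the CA ACLs cannot later be tied to the privileged bypass. Log the event where the flag is set to True, e.g. `self.log.info("CA ACL enforcement bypassed by %s", getattr(context, 'principal'))` — assuming the plugin logger is `self.log` in this version, verify. Initialising `bypass_caacl = False` before the `try:` would also make the fail-closed default explicit instead of relying on the `except errors.ACIError` branch being the only other assignment. The enclosing method starts and ends outside the hunk.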
@@ -469,7 +476,7 @@ class cert_request(VirtualCommand):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
- if alt_principal_string is not None:
+ if alt_principal_string is not None and not bypass_caacl:
caacl_check(
principal_type, alt_principal_string, ca, profile_id)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
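Review bot: The bypass flag is threaded by hand into each `caacl_check` call site (this SAN branch and the subject check earlier in the method), so any future call site that omits `and not bypass_caacl` would enforce the ACL for one name and skip it for another. A single closure defined next to the flag, `def _enforce_caacl(name): if not bypass_caacl: caacl_check(principal_type, name, ca, profile_id)`, keeps the decision in one place. The write-access check that raises ACIError for a subject alt name is still applied when the bypass is active, which matches the commit's stated scope of skipping only CA ACL enforcement. The enclosing method starts and ends outside the hunk.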