author | Fraser Tweedale <ftweedal@redhat.com> | 2015-08-04 01:13:09 -0400 |
committer | Martin Basti <mbasti@redhat.com> | 2015-08-14 14:02:05 +0200 |
commit | ef8f431c93b5587247eeb7de9e74d15e5fc6f616 (patch) | |
tree | 162fd7247435cd4acf02a59edcf795b97ff1ddf7 /ipalib | |
parent | 7a509980d24b2bd445633026e64db48bb4203ba0 (diff) | |
Add permission for bypassing CA ACL enforcement
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/cert.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 610f21493..daa698b54 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -345,8 +345,6 @@ class cert_request(VirtualCommand):
 else:
 principal_type = SERVICE
- caacl_check(principal_type, principal_string, ca, profile_id)
-
 bind_principal = split_any_principal(getattr(context, 'principal'))
 bind_service, bind_name, bind_realm = bind_principal
@@ -362,6 +360,15 @@ class cert_request(VirtualCommand):
 self.check_access()
 try:
+ self.check_access("request certificate ignore caacl")
+ bypass_caacl = True
+ except errors.ACIError:
+ bypass_caacl = False
+
+ if not bypass_caacl:
+ caacl_check(principal_type, principal_string, ca, profile_id)
+
+ try:
 subject = pkcs10.get_subject(csr)
 extensions = pkcs10.get_extensions(csr)
 subjectaltname = pkcs10.get_subjectaltname(csr) or ()
@@ -469,7 +476,7 @@ class cert_request(VirtualCommand):
 raise errors.ACIError(info=_(
 "Insufficient privilege to create a certificate "
 "with subject alt name '%s'.") % name)
- if alt_principal_string is not None:
+ if alt_principal_string is not None and not bypass_caacl:
 caacl_check(
 principal_type, alt_principal_string, ca, profile_id)
 elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
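Review bot: The bypass path in the second hunk leaves no trace when it is taken: once `bypass_caacl = True`, `caacl_check` is skipped for the target principal (and later in the method for DNS SAN principals) without any audit record, so an operator cannot tell afterwards which certificates were issued outside the CA ACLs. I would record the decision where it is made, e.g. `self.log.info("CA ACL enforcement bypassed for %s by %s", principal_string, getattr(context, 'principal'))` if the plugin logger is available in this class, and explain the fallback with `# ACIError means the bind principal lacks the bypass permission: enforce CA ACLs as usual`. The permission name is a bare string that has to match the ACI defined outside this file; a module-level constant would keep the two from drifting apart. The enclosing execute() method starts before and ends after this hunk.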
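Review bot: Folding `and not bypass_caacl` into the `if alt_principal_string is not None:` condition in the third hunk alters which branch a bypassing caller reaches if the `elif name_type in (...)` that follows is a sibling of this `if`; indentation is not recoverable from this rendering, so I cannot tell whether it pairs with this `if` or with an outer `if name_type == ...`. Nesting the guard keeps the branch structure identical either way: `if alt_principal_string is not None:` / `    if not bypass_caacl:` / `        caacl_check(principal_type, alt_principal_string, ca, profile_id)`. Since `bypass_caacl` is assigned roughly a hundred lines earlier in the same method, a short comment such as `# holders of the bypass permission skip the CA ACL check, see above` would spare the reader the search. The enclosing SAN loop and execute() extend beyond the hunk.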