path: root/ipalib/plugins/cert.py
Diffstat (limited to 'ipalib/plugins/cert.py')
-rw-r--r--ipalib/plugins/cert.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index d12290017..1878e5ad5 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -33,6 +33,7 @@ from ipalib.plugins.virtual import *
from ipalib.plugins.baseldap import pkey_to_value
from ipalib.plugins.service import split_any_principal
from ipalib.plugins.certprofile import validate_profile_id
+import ipalib.plugins.caacl
import base64
import traceback
from ipalib.text import _
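Review bot: `import ipalib.plugins.caacl` is the only absolute module import among the `from ipalib.plugins.X import Y` lines around it, and at the call site in the next hunk it becomes the long `ipalib.plugins.caacl.acl_evaluate(...)`. `from ipalib.plugins.caacl import acl_evaluate` would match the surrounding style and keep the authorization call readable at a glance. If the absolute form was chosen deliberately to sidestep a circular import between cert.py and caacl.py, a one-line comment such as `# absolute import: caacl imports from this module` would stop the next reader from "fixing" it.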
@@ -326,6 +327,22 @@ class cert_request(VirtualCommand):
else:
principal_type = SERVICE
+ principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'}
+ ca = '.' # top-level CA hardcoded until subca plugin implemented
+ if not ipalib.plugins.caacl.acl_evaluate(
+ principal_type_map[principal_type],
+ principal_string, ca, profile_id):
+ raise errors.ACIError(info=_(
+ "Principal '%(principal)s' "
+ "is not permitted to use CA '%(ca)s' "
+ "with profile '%(profile_id)s' for certificate issuance."
+ ) % dict(
+ principal=principal_string,
+ ca=ca or '.',
+ profile_id=profile_id
+ )
+ )
+
bind_principal = split_any_principal(getattr(context, 'principal'))
bind_service, bind_name, bind_realm = bind_principal