authorRob Crittenden <rcritten@redhat.com>2009-10-20 11:59:07 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-10-21 03:22:44 -0600
commit453a19fcaca9c2be1e3d0e78b734bd05e7d50764 (patch)
tree76d5a8516f1d515e74da848050eae32732a64fad /ipalib/plugins/virtual.py
parentaa2183578cb58d9f55b5f1b64c13627b88dae37c (diff)
First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates; that is still limited to the taskgroup request_certs.
Diffstat (limited to 'ipalib/plugins/virtual.py')
-rw-r--r--ipalib/plugins/virtual.py37
1 files changed, 15 insertions, 22 deletions
diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py
index d21a58f1..3ac96301 100644
--- a/ipalib/plugins/virtual.py
+++ b/ipalib/plugins/virtual.py
@@ -40,34 +40,27 @@ class VirtualCommand(Command):
"""
operation = None
- def execute(self, *args, **kw):
+ def check_access(self, operation=None):
"""
- Perform the LDAP query to determine authorization.
+ Perform an LDAP query to determine authorization.
- This should be executed via super() before any actual work is done.
+ This should be executed before any actual work is done.
"""
- if self.operation is None:
+ if self.operation is None and operation is None:
raise errors.ACIError(info='operation not defined')
+ if operation is None:
+ operation = self.operation
+
ldap = self.api.Backend.ldap2
- self.log.info("IPA: virtual verify %s" % self.operation)
+ self.log.info("IPA: virtual verify %s" % operation)
- operationdn = "cn=%s,%s,%s" % (self.operation, self.api.env.container_virtual, self.api.env.basedn)
+ operationdn = "cn=%s,%s,%s" % (operation, self.api.env.container_virtual, self.api.env.basedn)
- # By adding this unknown objectclass we do several things.
- # DS checks ACIs before the objectclass so we can test for ACI
- # errors to know if we have rights. If we do have rights then the
- # update will fail anyway with a Database error because of an
- # unknown objectclass, so we can catch that gracefully as well.
try:
- updatekw = {'objectclass': ['somerandomunknownclass']}
- ldap.update(operationdn, **updatekw)
- except errors.ACIError, e:
- self.log.debug("%s" % str(e))
- raise errors.ACIError(info='not allowed to perform this command')
- except errors.ObjectclassViolation:
- return
- except Exception, e:
- # Something unexpected happened. Log it and deny access to be safe.
- self.log.info("Virtual verify failed: %s %s" % (type(e), str(e)))
- raise errors.ACIError(info='not allowed to perform this command')
+ if not ldap.can_write(operationdn, "objectclass"):
+ raise errors.ACIError(info='not allowed to perform this command')
+ except errors.NotFound:
+ raise errors.ACIError(info='No such virtual command')
+
+ return True
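Review bot: Moving the ACI check out of the base-class `execute` into a separately called `check_access` makes authorization opt-in: a subclass whose `execute` omits the call now runs with no check at all, whereas the old `super().execute()` pattern enforced it structurally, so each VirtualCommand subclass needs its `execute` audited for the call. The catch-all `except Exception` that logged and denied on unexpected backend errors is also gone; the method still denies on `NotFound` and on a negative `can_write`, but any other failure in `ldap.can_write` now surfaces as a generic error rather than an ACIError, which callers that catch only ACIError may handle differently. `operation` is now a caller-supplied value interpolated directly into `operationdn` without DN escaping; if any caller passes a value it did not choose itself, the lookup can resolve to an unintended entry, so the parameter should be validated against the known operation names or escaped before building the DN. The docstring should also state the contract, e.g. `Return True when the caller may perform ``operation``; raise errors.ACIError otherwise (never returns False).` The enclosing class VirtualCommand begins outside the hunk.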