authorRob Crittenden <rcritten@redhat.com>2009-10-20 11:59:07 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-10-21 03:22:44 -0600
commit453a19fcaca9c2be1e3d0e78b734bd05e7d50764 (patch)
tree76d5a8516f1d515e74da848050eae32732a64fad /ipaserver
parentaa2183578cb58d9f55b5f1b64c13627b88dae37c (diff)
First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taskgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates; that is still limited to the taskgroup request_certs.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/__init__.py1
-rw-r--r--ipaserver/rpcserver.py4
2 files changed, 3 insertions, 2 deletions
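--- a/ipaserver/__init__.py
+++ b/ipaserver/__init__.py
@@ -54,6 +54,7 @@ def xmlrpc(req):
 response = api.Backend.xmlserver.marshaled_dispatch(
 req.read(),
 req.subprocess_env.get('KRB5CCNAME'),
+ req.connection.remote_ip
 )
 req.content_type = 'text/xml'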
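Review bot: `req.connection.remote_ip` on the added line is the transport peer address as mod_python sees it, so if this server is ever reached through a reverse proxy or load balancer the value identifies the proxy rather than the requesting machine, and the host comparison the commit description builds on it would then be made against the wrong address. Since the description says this address is resolved and compared with the CSR subject, that resolution should be forward-confirmed (resolve the resulting name back and require the answer to include this address) before it is trusted, because a reverse record alone is under the control of whoever manages the reverse zone. A comment at the call site would make the assumption explicit: `# remote_ip is the direct TCP peer; no proxy headers are consulted`. A trailing comma after the new argument, `req.connection.remote_ip,`, would also match the line above it. The enclosing `xmlrpc` handler starts above the hunk.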
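--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -181,12 +181,12 @@ class xmlserver(WSGIExecutioner):
 def methodHelp(self, *params):
 return u'methodHelp not implemented'
- def marshaled_dispatch(self, data, ccache):
+ def marshaled_dispatch(self, data, ccache, client_ip):
 """
 Execute the XML-RPC request contained in ``data``.
 """
 try:
- self.create_context(ccache=ccache)
+ self.create_context(ccache=ccache, client_ip=client_ip)
 (params, name) = xml_loads(data)
 if name in self.__system:
 response = (self.__system[name](*params),)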
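Review bot: The docstring of `marshaled_dispatch` still describes only ``data`` although the new signature adds `client_ip` as a required positional argument; add a line such as `:param client_ip: address of the connecting peer, forwarded to create_context for the per-request host check`. Making the argument required also turns any caller still using the two-argument form into a TypeError; if other entry points exist, a default of `client_ip=None` keeps them working while `create_context` decides how to treat a missing address, presumably by refusing the host-bound operations, which is the safer default. `create_context` is not part of this diffstat, so whether it validates the value cannot be seen here. The body of `marshaled_dispatch` continues past the end of the hunk.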