summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--install/updates/40-delegation.update139
-rw-r--r--ipalib/constants.py1
-rw-r--r--ipalib/errors.py2
-rw-r--r--ipalib/plugins/cert.py21
-rw-r--r--ipalib/plugins/virtual.py73
5 files changed, 230 insertions, 6 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 8532e500..220c489d 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -66,6 +66,12 @@ add:objectClass: groupofnames
add:cn: dnsserver
add:description: DNS Servers
+dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: certadmin
+add:description: Certificate Administrators
+
# Add the taskgroups referenced by the ACIs for user administration
dn: cn=taskgroups,cn=accounts,$SUFFIX
@@ -456,3 +462,136 @@ add:cn: manage_host_keytab
add:description: Updates DNS
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'
+
+# Create virtual operations entry. This is used to control access to
+# operations that don't rely on LDAP directly.
+dn: cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: virtual operations
+
+# Retrieve Certificate virtual op
+dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: retrieve certificate
+
+# Taskgroup for retrieving certs
+dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: retrieve_certs
+add:description: Retrieve SSL Certificates
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=retrieve certificate,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the
+ CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,
+ cn=accounts,dc=greyoak,dc=com";)'
+
+# Request Certificate virtual op
+dn: cn=request certificate,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: request certificate
+
+# Taskgroup for requesting certs
+dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: reqeust_certs
+add:description: Request a SSL Certificate
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=request certificate,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Request Certificates from the
+ CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
+ cn=accounts,dc=greyoak,dc=com";)'
+
+# Certificate Status virtual op
+dn: cn=certificate status,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: certificate status
+
+# Taskgroup for requesting certs
+dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: reqeust_certs
+add:description: Status of cert request
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=certificate status,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Get Certificates status from the
+ CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,
+ cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+# Revoke Certificate virtual op
+dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: revoke certificate
+
+# Taskgroup for requesting certs
+dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: reqeust_certs
+add:description: Revoke Certificate
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=revoke certificate,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
+ ; allow (write) groupdn = "ldap:///cn=revoke_certificate,
+ cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+# Revoke Certificate virtual op
+dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: revoke certificate
+
+# Taskgroup for requesting certs
+dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: reqeust_certs
+add:description: Revoke Certificate
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=revoke certificate,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Revoke Certificate"
+ ; allow (write) groupdn = "ldap:///cn=revoke_certificate,
+ cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
+
+# Certificate Remove Hold virtual op
+dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: certificate remove hold
+
+# Taskgroup for requesting certs
+dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: groupofnames
+add:cn: reqeust_certs
+add:description: Certificate Remove Hold
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=certificate remove hold,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"
+ ; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,
+ cn=taskgroups,cn=accounts,dc=greyoak,dc=com";)'
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 60d2510b..e9216be0 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -96,6 +96,7 @@ DEFAULT_CONFIG = (
('container_netgroup', 'cn=ng,cn=alt'),
('container_hbac', 'cn=hbac'),
('container_dns', 'cn=dns'),
+ ('container_virtual', 'cn=virtual operations'),
# Ports, hosts, and URIs:
('lite_xmlrpc_port', 8888),
diff --git a/ipalib/errors.py b/ipalib/errors.py
index e3dfc14d..a08ee959 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -563,7 +563,7 @@ class ACIError(AuthorizationError):
"""
errno = 2100
- format = _('Insufficient access: %(info)r')
+ format = _('Insufficient access: %(info)s')
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 2136bacf..e38ec181 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -28,6 +28,7 @@ if api.env.enable_ra is not True:
raise SkipPluginModule(reason='env.enable_ra is not True')
from ipalib import Command, Str, Int, Bytes, Flag
from ipalib import errors
+from ipalib.plugins.virtual import *
import base64
def validate_csr(ugettext, csr):
@@ -40,12 +41,13 @@ def validate_csr(ugettext, csr):
raise errors.Base64DecodeError(reason=str(e))
-class cert_request(Command):
+class cert_request(VirtualCommand):
"""
Submit a certificate singing request.
"""
takes_args = (Str('csr', validate_csr),)
+ operation="request certificate"
takes_options = (
Str('principal',
@@ -63,6 +65,7 @@ class cert_request(Command):
)
def execute(self, csr, **kw):
+ super(cert_request, self).execute()
skw = {"all": True}
principal = kw.get('principal')
add = kw.get('add')
@@ -104,15 +107,17 @@ class cert_request(Command):
api.register(cert_request)
-class cert_status(Command):
+class cert_status(VirtualCommand):
"""
Check status of a certificate signing request.
"""
takes_args = ('request_id')
+ operation = "certificate status"
def execute(self, request_id, **kw):
+ super(cert_status, self).execute()
return self.Backend.ra.check_request_status(request_id)
def output_for_cli(self, textui, result, *args, **kw):
@@ -124,14 +129,16 @@ class cert_status(Command):
api.register(cert_status)
-class cert_get(Command):
+class cert_get(VirtualCommand):
"""
Retrieve an existing certificate.
"""
takes_args = ('serial_number')
+ operation="retrieve certificate"
def execute(self, serial_number):
+ super(cert_get, self).execute()
return self.Backend.ra.get_certificate(serial_number)
def output_for_cli(self, textui, result, *args, **kw):
@@ -143,12 +150,13 @@ class cert_get(Command):
api.register(cert_get)
-class cert_revoke(Command):
+class cert_revoke(VirtualCommand):
"""
Revoke a certificate.
"""
takes_args = ('serial_number')
+ operation = "revoke certificate"
# FIXME: The default is 0. Is this really an Int param?
takes_options = (
@@ -162,6 +170,7 @@ class cert_revoke(Command):
def execute(self, serial_number, **kw):
+ super(cert_revoke, self).execute()
return self.Backend.ra.revoke_certificate(serial_number, **kw)
def output_for_cli(self, textui, result, *args, **kw):
@@ -173,14 +182,16 @@ class cert_revoke(Command):
api.register(cert_revoke)
-class cert_remove_hold(Command):
+class cert_remove_hold(VirtualCommand):
"""
Take a revoked certificate off hold.
"""
takes_args = ('serial_number')
+ operation = "certificate remove hold"
def execute(self, serial_number, **kw):
+ super(cert_remove_hold, self).execute()
return self.Backend.ra.take_certificate_off_hold(serial_number)
def output_for_cli(self, textui, result, *args, **kw):
diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py
new file mode 100644
index 00000000..a1dfbdf6
--- /dev/null
+++ b/ipalib/plugins/virtual.py
@@ -0,0 +1,73 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+"""
+Base classes for non-LDAP backend plugins.
+"""
+from ipalib import api
+from ipalib import Command
+from ipalib import errors
+
+class VirtualCommand(Command):
+ """
+ A command that doesn't use the LDAP backend but wants to use the
+ LDAP access control system to make authorization decisions.
+
+ The class variable operation is the commonName attribute of the
+ entry to be tested against.
+
+ In advance, you need to create an entry of the form:
+ cn=<operation>, api.env.container_virtual, api.env.basedn
+
+ Ex.
+ cn=request certificate, cn=virtual operations, dc=example, dc=com
+ """
+ operation = None
+
+ def execute(self, *args, **kw):
+ """
+ Perform the LDAP query to determine authorization.
+
+ This should be executed via super() before any actual work is done.
+ """
+ if self.operation is None:
+ raise errors.ACIError(info='operation not defined')
+
+ ldap = self.api.Backend.ldap
+ self.log.info("IPA: virtual verify %s" % self.operation)
+
+ operationdn = "cn=%s,%s,%s" % (self.operation, self.api.env.container_virtual, self.api.env.basedn)
+
+ # By adding this unknown objectclass we do several things.
+ # DS checks ACIs before the objectclass so we can test for ACI
+ # errors to know if we have rights. If we do have rights then the
+ # update will fail anyway with a Database error because of an
+ # unknown objectclass, so we can catch that gracefully as well.
+ try:
+ updatekw = {'objectclass': ['somerandomunknownclass']}
+ ldap.update(operationdn, **updatekw)
+ except errors.ACIError, e:
+ self.log.debug("%s" % str(e))
+ raise errors.ACIError(info='not allowed to perform this command')
+ except errors.DatabaseError:
+ return
+ except Exception, e:
+ # Something unexpected happened. Log it and deny access to be safe.
+ self.log.info("Virtual verify failed: %s" % str(e))
+ raise errors.ACIError(info='not allowed to perform this command')