Remove "Request Certificate with SubjectAltName" permission

subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

1 files changed, 0 insertions, 6 deletions

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 81872cffd..4c1248f93 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -620,12 +620,6 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
         except cryptography.x509.extensions.ExtensionNotFound:
             ext_san = None
 
-        # self-service and host principals may bypass SAN permission check
-        if (bind_principal_string != principal_string
-                and bind_principal_type != HOST):
-            if ext_san is not None:
-                self.check_access('request certificate with subjectaltname')
-
         dn = None
         principal_obj = None
         # See if the service exists and punt if it doesn't and we aren't