| author | Fraser Tweedale <ftweedal@redhat.com> | 2017-01-13 20:33:45 +1000 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-28 14:30:23 +0000 |
| commit | b81ac59640f0b76fa9f53cf8be441f085a7089c4 (patch) | |
| tree | 7d8033eeb839ae00bbcab315733ab19141b20f08 /ipaserver | |
| parent | ada91c20588046bb147fc701718d3da4d2c080ca (diff) | |
ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object. When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object. In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.
These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed. This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional checks to prevent deletion or disablement).
Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.
https://pagure.io/freeipa/issue/6713
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/plugins/ca.py | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 3a052a117..f774f78bd 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -276,6 +276,12 @@ class ca_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check(self.api)
 
+        # ensure operator has permission to delete CA
+        # before contacting Dogtag
+        if not ldap.can_delete(dn):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to delete a CA."))
+
         if keys[0] == IPA_CA_CN:
             raise errors.ProtectedEntryError(
                 label=_("CA"),
@@ -314,9 +320,15 @@ class CAQuery(LDAPQuery):
     def execute(self, cn, **options):
         ca_enabled_check(self.api)
 
-        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        ca_obj = self.api.Command.ca_show(cn)['result']
+
+        # ensure operator has permission to modify CAs
+        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to modify a CA."))
+
         with self.api.Backend.ra_lightweight_ca as ca_api:
-            self.perform_action(ca_api, ca_id)
+            self.perform_action(ca_api, ca_obj['ipacaid'][0])
 
         return dict(
             result=True, |
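Review bot: The two new comment lines in ca_del.pre_callback say that the `ldap.can_delete(dn)` check runs before Dogtag is contacted but not why the order matters; per the commit description, ca-del removes the Dogtag CA first and the IPA entry afterwards, so an authorisation failure raised by the later LDAP delete would leave the Dogtag side already gone. Suggest making that explicit: `# Authorise the LDAP delete before touching Dogtag: the Dogtag CA is` `# removed first, and that removal cannot be rolled back if the IPA` `# entry delete is then denied.` Placing the ACI check ahead of the IPA_CA_CN protected-entry check also means an unprivileged caller targeting the main CA sees ACIError rather than ProtectedEntryError, which seems the right precedence. The rest of pre_callback, including the Dogtag call itself, lies outside the hunk.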
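Review bot: In CAQuery.execute the authorisation is proxied through `can_write(ca_obj['dn'], 'description')`, but nothing in the hunk records that the enable/disable path writes no LDAP attribute and that 'description' was picked purely as a stand-in for "may modify this CA"; a reader later narrowing ACIs has no hint that this check depends on that attribute, and presumably any principal whose ACIs grant write on 'description' alone would gain enable/disable authority. Suggest extending the added comment to `# ensure operator has permission to modify CAs: no attribute is written` `# here, write access to 'description' stands in for the CA-modify` `# permission, so keep the two in step.` It may also be worth a word on why this method reaches for self.api.Backend.ldap2 while ca_del uses the ldap handle passed to pre_callback, which looks like a signature difference rather than a deliberate choice. execute continues past the end of the hunk.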
