ipa/0005-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch

61 lines
2.3 KiB
Diff
Raw Normal View History

From e9840aee2b1290db7f0f8ec785b338b17d57b569 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 13 Jan 2017 20:33:45 +1000
Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object. When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object. In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.
These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed. This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).
Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.
---
ipaserver/plugins/ca.py | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index d9ae8c81fdca51cbfee34e83cbb9ca6873ebad0b..227b08e0e1e9f7f48c4133da77093d58559562d9 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -213,6 +213,12 @@ class ca_del(LDAPDelete):
def pre_callback(self, ldap, dn, *keys, **options):
ca_enabled_check()
+ # ensure operator has permission to delete CA
+ # before contacting Dogtag
+ if not ldap.can_delete(dn):
+ raise errors.ACIError(info=_(
+ "Insufficient privilege to delete a CA."))
+
if keys[0] == IPA_CA_CN:
raise errors.ProtectedEntryError(
label=_("CA"),
@@ -251,9 +257,15 @@ class CAQuery(LDAPQuery):
def execute(self, cn, **options):
ca_enabled_check()
- ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+ ca_obj = self.api.Command.ca_show(cn)['result']
+
+ # ensure operator has permission to modify CAs
+ if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
+ raise errors.ACIError(info=_(
+ "Insufficient privilege to modify a CA."))
+
with self.api.Backend.ra_lightweight_ca as ca_api:
- self.perform_action(ca_api, ca_id)
+ self.perform_action(ca_api, ca_obj['ipacaid'][0])
return dict(
result=True,
--
2.9.3