From e9840aee2b1290db7f0f8ec785b338b17d57b569 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 13 Jan 2017 20:33:45 +1000
Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable

CAs consist of a FreeIPA and a corresponding Dogtag object. When executing ca-del, ca-enable and ca-disable, changes are made to the Dogtag object. In the case of ca-del, the corresponding FreeIPA object is deleted after the Dogtag CA is deleted. These operations were not correctly authorised; the FreeIPA permissions are not checked before the Dogtag operations are executed. This allows any user to delete, enable or disable a lightweight CA (except the main IPA CA, for which there are additional check to prevent deletion or disablement). Add the proper authorisation checks to the ca-del, ca-enable and ca-disable commands.
---
 ipaserver/plugins/ca.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index d9ae8c81fdca51cbfee34e83cbb9ca6873ebad0b..227b08e0e1e9f7f48c4133da77093d58559562d9 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -213,6 +213,12 @@ class ca_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check()
 
+        # ensure operator has permission to delete CA
+        # before contacting Dogtag
+        if not ldap.can_delete(dn):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to delete a CA."))
+
         if keys[0] == IPA_CA_CN:
             raise errors.ProtectedEntryError(
                 label=_("CA"),
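Review bot: The `ldap.can_delete(dn)` pre-check in pre_callback is a separate effective-rights query rather than the ACI enforcement the eventual LDAP delete performs, and the comment should say why the duplication is deliberate: per the commit message the FreeIPA entry is removed only after the Dogtag CA is deleted, so relying on the final delete's own ACI failure would leave the Dogtag object already gone. I would extend the comment to `# ensure operator has permission to delete CA before contacting Dogtag; the ACI check on the final LDAP delete would fire only after the Dogtag CA is irreversibly removed`. How `can_delete` behaves for a DN that has no entry is not visible here; if it raises NotFound the old error path for an unknown CA is preserved, but if it simply returns False an unknown CA now surfaces as an ACIError, which deserves a test either way. The body of pre_callback continues past the end of the hunk.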
@@ -251,9 +257,15 @@ class CAQuery(LDAPQuery):
     def execute(self, cn, **options):
         ca_enabled_check()
 
-        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        ca_obj = self.api.Command.ca_show(cn)['result']
+
+        # ensure operator has permission to modify CAs
+        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to modify a CA."))
+
         with self.api.Backend.ra_lightweight_ca as ca_api:
-            self.perform_action(ca_api, ca_id)
+            self.perform_action(ca_api, ca_obj['ipacaid'][0])
 
         return dict(
             result=True,
-- 
2.9.3
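Review bot: The check `self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description')` authorises ca-enable and ca-disable by proxy — write access on the LDAP `description` attribute stands in for a right to change state that, as far as this hunk shows, is only held in Dogtag — and nothing in the code records that choice, so a later change to which attributes a "Modify CA" permission grants could silently widen or break the check. I would replace the bare comment with `# The enabled state lives in Dogtag, not LDAP, so there is no attribute to check directly; write access on 'description' is used as a proxy for permission to modify the CA`, and consider hoisting `'description'` into a named constant beside IPA_CA_CN so the proxy attribute is explicit and shared. A principal granted write on `description` alone would presumably pass this check, which is worth confirming against the permission definitions. The `return dict(` at the end of the hunk closes outside it.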