From b81ac59640f0b76fa9f53cf8be441f085a7089c4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Feb 28 2017 14:30:23 +0000 Subject: ca: correctly authorise ca-del, ca-enable and ca-disable CAs consist of a FreeIPA and a corresponding Dogtag object. When executing ca-del, ca-enable and ca-disable, changes are made to the Dogtag object. In the case of ca-del, the corresponding FreeIPA object is deleted after the Dogtag CA is deleted. These operations were not correctly authorised; the FreeIPA permissions are not checked before the Dogtag operations are executed. This allows any user to delete, enable or disable a lightweight CA (except the main IPA CA, for which there are additional check to prevent deletion or disablement). Add the proper authorisation checks to the ca-del, ca-enable and ca-disable commands. https://pagure.io/freeipa/issue/6713 Reviewed-By: Jan Cholasta --- diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 3a052a1..f774f78 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -276,6 +276,12 @@ class ca_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): ca_enabled_check(self.api) + # ensure operator has permission to delete CA + # before contacting Dogtag + if not ldap.can_delete(dn): + raise errors.ACIError(info=_( + "Insufficient privilege to delete a CA.")) + if keys[0] == IPA_CA_CN: raise errors.ProtectedEntryError( label=_("CA"), @@ -314,9 +320,15 @@ class CAQuery(LDAPQuery): def execute(self, cn, **options): ca_enabled_check(self.api) - ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0] + ca_obj = self.api.Command.ca_show(cn)['result'] + + # ensure operator has permission to modify CAs + if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'): + raise errors.ACIError(info=_( + "Insufficient privilege to modify a CA.")) + with self.api.Backend.ra_lightweight_ca as ca_api: - self.perform_action(ca_api, ca_id) + self.perform_action(ca_api, ca_obj['ipacaid'][0]) return dict( result=True,