#8059 Revocation self-service
Opened 2 months ago by ftweedal. Modified a month ago

Clone of https://bugzilla.redhat.com/show_bug.cgi?id=1730363.

Description of problem:
When a user creates a cert using IPA they are unable to revoke that cert.

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.el7_6.2.x86_64

How reproducible:
Always

Steps to Reproduce:

[root@shell01 3]# kinit rbac1test
Password for rbac1test@IPA.REDHAT.COM: 

[root@shell01 3]# MUSER=rbac1test

[root@shell01 3]# openssl req -newkey rsa:4096 -keyout ${MUSER}.key -new -sha256 -nodes -days 730 -subj "/emailAddress=${MUSER}@redhat.com/CN=${MUSER}/O=IPA.REDHAT.COM/UID=${MUSER},cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com" -out ${MUSER}.csr && chmod 600 ${MUSER}.key
Generating a 4096 bit RSA private key
.........................................................................................++
.........................................++
writing new private key to 'rbac1test.key'
-----

[root@shell01 3]# ipa cert-request --profile-id=caIPAuserCert --ca=ipa --principal="${MUSER}@IPA.REDHAT.COM" ${MUSER}.csr --certificate-out=${MUSER}.crt
  Issuing CA: ipa
  Certificate: ...
  Subject: UID=rbac1test,CN=users,CN=accounts,DC=ipa,DC=redhat,DC=com,E=$request.auth_token.mail[0]$
  Issuer: CN=Certificate Authority,O=IPA.REDHAT.COM
  Not Before: Tue Jul 16 14:09:54 2019 UTC
  Not After: Fri Jul 16 14:09:54 2021 UTC
  Serial number: 12085
  Serial number (hex): 0x2F35


[dminnich@dminnichlt ~]$ ipa cert-show 0x2F35 --raw --all
  certificate: ..
  certificate_chain: ...
  certificate_chain: ..
  certificate_chain: ...
  certificate_chain: ..
  serial_number: 12085
  serial_number_hex: 0x2F35
  owner: uid=rbac1test,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com


[root@shell01 3]# ipa cert-revoke 0x2F35 --revocation-reason=0
ipa: ERROR: Insufficient access: not allowed to perform operation: revoke certificate


I do not want to give the user the "Revoke Certificate" permission, which would allow them to revoke any certificate.

IPA allows a kinited /etc/krb5.keytab host to revoke its cert but not other hosts' certs. I'd like to see the same thing for users.

Perhaps checking "owner" on the cert entry or for certs stored in "certificate" in their record would allow for some authorization?


Actual results:
ipa: ERROR: Insufficient access: not allowed to perform operation: revoke certificate

Expected results:
Certificate revoked


Additional info:
We use a lot of mutual TLS authentication.  Allowing a development team to revoke and issue a new certificate when somebody leaves their team instead of reaching out to the centralized IAM team for the initial revoke would be a win.
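As an added illustration of the ownership check proposed in the report (example code written here, not FreeIPA's own implementation), this sketch grants revocation either on the existing global permission or when the certificate belongs to the caller, by comparing the cert entry's `owner` DN against the caller's DN or by finding the DER on the caller's own entry. The `normalize_dn` helper, the `CertRecord` and `Requester` types, the attribute name `userCertificate`, and the assumption that the caller's principal has already been resolved to its LDAP entry are all mine; the same check covers host entries, whose owner DN sits under cn=computers.

```python
from dataclasses import dataclass


def normalize_dn(dn: str) -> tuple:
    """Split a DN into (type, value) pairs with case-folded types and values.

    Hypothetical helper: `ipa cert-show` prints the owner DN in lower case while
    the subject is upper case, so a plain string compare would fail. Handles only
    DNs without escaped commas; real code would use an RFC 4514 parser.
    """
    pairs = []
    for rdn in dn.split(","):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return tuple(pairs)


@dataclass(frozen=True)
class CertRecord:
    """Subset of an IPA certificate entry as shown by `ipa cert-show --all`."""
    serial_number: int
    owner: str          # DN the cert was issued for (user or host entry)
    certificate: bytes  # DER bytes; constructed placeholders below


@dataclass(frozen=True)
class Requester:
    """Caller identity; assumes the principal was already resolved to its entry."""
    dn: str
    permissions: frozenset = frozenset()
    certificates: tuple = ()  # DER values of the entry's userCertificate attribute


def may_revoke(requester: Requester, cert: CertRecord) -> bool:
    """Allow on the global permission (today's behaviour) or, per the proposal,
    when the cert is the caller's own: owner DN equals the caller's DN, or the
    DER is stored on the caller's own entry. Anyone else's cert is refused."""
    if "Revoke Certificate" in requester.permissions:
        return True
    if normalize_dn(cert.owner) == normalize_dn(requester.dn):
        return True
    return cert.certificate in requester.certificates


# Constructed sample data mirroring the ticket's reproduction (not real certs).
USER_DN = "uid=rbac1test,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com"
RBAC1TEST = Requester(dn=USER_DN, certificates=(b"constructed-der-rbac1test",))
OWN_CERT = CertRecord(12085, USER_DN.upper(), b"constructed-der-rbac1test")
OTHER_CERT = CertRecord(12086, "uid=other,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com", b"constructed-der-other")
ADMIN = Requester(dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=redhat,dc=com", permissions=frozenset({"Revoke Certificate"}))
```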

Metadata Update from @ftweedal:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1730363

2 months ago

Metadata Update from @pcech:
- Issue tagged with: Falcon

a month ago
