From f57f4fad3be37fbcd15a8c65aed7dc6438f7d080 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tibor.dudlak@gmail.com>
Date: Wed, 24 May 2017 11:02:19 +0200
Subject: [PATCH] Add permission to grant 'add' on cas container

Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt                 |  2 ++
 ipaserver/plugins/ca.py | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 185812a881..30b8efab88 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -414,6 +414,8 @@ dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Add Certificate Store Entry";allow (add) groupdn = "ldap:///cn=System: Add Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "ipaanchoruuid")(target = "ldap:///cn=*,cn=compat,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaOverrideTarget)")(version 3.0;acl "permission:System: Compat Tree ID View targets";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Grant add on CAS container";allow (add) groupdn = "ldap:///cn=System: Grant add on CAS container,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cacertificate")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Modify CA Certificate";allow (write) groupdn = "ldap:///cn=System: Modify CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 9bb163dffa..f209b8ec1e 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -138,6 +138,18 @@ class ca(LDAPObject):
             ],
             'default_privileges': {'CA Administrator'},
         },
+        'System: Grant add on CAS container': {
+            # 'replaces_global_anonymous_aci': True,
+            'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+            'ipapermbindruletype': 'permission',
+            'ipapermright': {'add'},
+            'replaces': [' \
+                (target = "ldap:///cn=cas,cn=ca,$SUFFIX") \
+                (version 3.0;acl "permission:Grant add on CAS container"; \
+                allow (add) groupdn = "ldap:///cn=Grabt add on CAS container, \
+                cn=permissions, cn=pbac,$SUFFIX";)', ],
+            'default_privileges': {'CA Administrator'},
+        },
         'System: Delete CA': {
             'ipapermright': {'delete'},
             'replaces': [
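Review bot: The ACI text in the new `replaces` entry names the group `cn=Grabt add on CAS container` on its `groupdn` line, which does not match the acl name `permission:Grant add on CAS container` given two lines earlier; because `replaces` is what an existing ACI is matched against on upgrade, the typo means a legacy ACI with the correct name would never be recognised, so it should read `cn=Grant add on CAS container`. That string is also assembled with backslash line continuation inside a single-quoted literal, so the indentation of every continued line becomes part of the ACI text; the sibling 'System: Delete CA' entry keeps each ACI as one unbroken string in the list, and this one should be written the same way rather than relying on the matcher to tolerate embedded whitespace. The commented-out `# 'replaces_global_anonymous_aci': True,` is leftover and should be removed or replaced by a comment saying why it is not set. Since the granted right is `add`, the `(objectclass=nscontainer)` targetfilter is, as far as I know, evaluated against the entry being added rather than the container it is added under, so it may not match a new CA entry; this is worth confirming against how the existing 'System: Add CA' permission is defined before relying on it. The managed_permissions dictionary and the enclosing ca class both start before this hunk and continue after it.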
