Authority entry without entryUSN is skipped even if USN plugin enabled #2564

Closed
pki-bot opened this issue Oct 3, 2020 · 4 comments

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2444. Originally filed by ftweedal (@frasertweedale) on 2016-08-24 06:50:56:


Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.

Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.

This scenario also results in an additional authority entry for the
host CA being added, because the skip due to entryUSN processing
makes it seem that there is no entry for the host authority.

pki-bot added this to the 10.3.6 milestone Oct 3, 2020
pki-bot closed this as completed Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2016-08-31 21:18:09

Per PKI Bug Council of 08/31/2016: 10.3.6


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2016-09-07 01:11:32

Checked into master:

commit e457cb8

Author: Fraser Tweedale <frasertweedale@redhat.com>
Date:   Wed Aug 24 14:10:55 2016 +1000

    Perform host authority check before entryUSN check
    
    When processing lightweight CAs, currently we perform the entryUSN
    check before the host authority check.  If the entry does not have
    an entryUSN attribute, and if the DS USN plugin is not enabled, the
    entry gets skipped and we do not reach the host authority check.
    This causes the CA to believe that it has not seen the host
    authority entry, and results in additional entries being added.
    
    Move the host authority check before the entryUSN check to avoid
    this scenario.
    
    Fixes: https://fedorahosted.org/pki/ticket/2444

commit d1aa1ec

Author: Fraser Tweedale <frase@frase.id.au>
Date:   Tue Aug 23 14:50:03 2016 +1000

    Accept LWCA entry with missing entryUSN if plugin enabled
    
    Currently we abort adding a lightweight CA if its entry does not
    have an 'entryUSN' attribute, and log a failure, even if the USN
    plugin is enabled.  But if the plugin is enabled, it's fine to
    proceed.
    
    Update the authority monitor to check if the USN plugin is enabled
    and only log the failure if it is not.  Clarify the log message
    accordingly.
    
    Part of: https://fedorahosted.org/pki/ticket/2444
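
The check ordering that the two commit messages above describe, as a simplified Python model added here for illustration (not Dogtag code and not taken from the commits). The function name, flags and entry fields are hypothetical, the sample entries are constructed, and the model assumes the host authority entry needs no further loading once recognised.

```python
# Hypothetical model of the authority monitor's per-entry checks (not Dogtag code).
# usn_fix models d1aa1ec, order_fix models e457cb8; all names are assumptions.

# Constructed sample entries; "host" marks the host authority entry.
ENTRIES = [
    {"name": "host-ca", "host": True},                     # no entryUSN
    {"name": "sub-ca-1", "host": False, "entryUSN": "41"},
    {"name": "sub-ca-2", "host": False},                   # no entryUSN
]


def run_monitor(entries, usn_plugin_enabled, usn_fix, order_fix):
    """Return (loaded CA names, host entries after the run, log lines)."""
    loaded, log, host_seen = [], [], False

    def usn_ok(entry):
        if "entryUSN" in entry:
            return True
        if usn_fix and usn_plugin_enabled:
            return True  # d1aa1ec: missing attribute is fine when the plugin is on
        log.append(f"skipped {entry['name']}: no entryUSN")
        return False

    for entry in entries:
        if order_fix and entry["host"]:
            host_seen = True  # e457cb8: host check runs before the entryUSN check
            continue          # assumption: host entry needs no further loading
        if not usn_ok(entry):
            continue  # entry skipped; a host check placed below is never reached
        if entry["host"]:
            host_seen = True  # original position of the host check
            continue
        loaded.append(entry["name"])

    host_entries = sum(1 for e in entries if e["host"])
    if not host_seen:
        host_entries += 1  # CA believes it has no host entry and adds another
    return loaded, host_entries, log


if __name__ == "__main__":
    for plugin, usn_fix, order_fix in [(True, False, False), (True, True, False),
                                       (False, True, False), (False, True, True)]:
        loaded, hosts, log = run_monitor(ENTRIES, plugin, usn_fix, order_fix)
        print(f"plugin={plugin} usn_fix={usn_fix} order_fix={order_fix}: "
              f"loaded={loaded} host_entries={hosts} skipped={len(log)}")
```

With only the entryUSN change applied and the plugin disabled, the model still ends with two host entries; the reordering is what removes the duplicate in that case.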


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2016-09-07 23:18:15

Cherry-picked into DOGTAG_10_3_BRANCH:

From 3a97c5f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frasertweedale@redhat.com>
Date: Wed, 24 Aug 2016 14:10:55 +1000
Subject: [PATCH 08/10] Perform host authority check before entryUSN check

When processing lightweight CAs, currently we perform the entryUSN
check before the host authority check. If the entry does not have
an entryUSN attribute, and if the DS USN plugin is not enabled, the
entry gets skipped and we do not reach the host authority check.
This causes the CA to believe that it has not seen the host
authority entry, and results in additional entries being added.

Move the host authority check before the entryUSN check to avoid
this scenario.

Fixes: https://fedorahosted.org/pki/ticket/2444
(cherry picked from commit e457cb8)

From 21e268a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <frase@frase.id.au>
Date: Tue, 23 Aug 2016 14:50:03 +1000
Subject: [PATCH 07/10] Accept LWCA entry with missing entryUSN if plugin enabled

Currently we abort adding a lightweight CA if its entry does not
have an 'entryUSN' attribute, and log a failure, even if the USN
plugin is enabled. But if the plugin is enabled, it's fine to
proceed.

Update the authority monitor to check if the USN plugin is enabled
and only log the failure if it is not. Clarify the log message
accordingly.

Part of: https://fedorahosted.org/pki/ticket/2444

(cherry picked from commit d1aa1ec)


pki-bot commented Oct 3, 2020

Comment from ftweedal (@frasertweedale) at 2017-02-27 14:11:28

Metadata Update from @frasertweedale:

  • Issue assigned to frasertweedale
  • Issue set to the milestone: 10.3.6
