Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRLIssuingPoint: reinit from LDAP when re-enabled #138

Merged
merged 3 commits into from May 1, 2019
Merged

CRLIssuingPoint: reinit from LDAP when re-enabled #138

merged 3 commits into from May 1, 2019

Conversation

frasertweedale
Copy link
Contributor

Dogtag only reads from LDAP when it initializes the CRLIssuingPoint object.
After the object is initizialized, the plugin never syncs back from LDAP.
In the following scenario, this can cause the CRL number to jump back (a
violation of RFC 5280; the CRL number must monotonically increase):

  • disabled MasterCRL on one server with:
OP_TYPE=OP_MODIFY&OP_SCOPE=crlIPs&id=MasterCRL&description=CRL&enable=false
request to /ca/caadmin

  • enable MasterCRL on another PKI clone

  • reverse settings on both servers after some CRLs have been generated by the second server

This patch resolves the issue by forcing the CRLIssuingPoint to read the CRL
from LDAP each time its update thread (re)starts.

Fixes: https://pagure.io/dogtagpki/issue/3085
Related: https://pagure.io/freeipa/issue/7815

This PR also includes some minor cleanup and refactor commits.

@frasertweedale
CRLIssuingPoint: drive-by cleanups
6722200 
Clean up some obsolete comments and dead code.
@frasertweedale
CRLIssuingPoint: use enum for status
8a4f0c0 
For type safety, use an enum instead of int for expressing
CRLIssuingPoint initialisation status.
@frasertweedale
CRLIssuingPoint: reinit from LDAP when re-enabled
0592878 
Dogtag only reads from LDAP when it initializes the CRLIssuingPoint
object.  After the object is initizialized, the plugin never syncs
back from LDAP.  In the following scenario, this can cause the CRL
number to jump back (a violation of RFC 5280; the CRL number must
monotonically increase):

- disabled MasterCRL on one server with
  OP_TYPE=OP_MODIFY&OP_SCOPE=crlIPs&id=MasterCRL&description=CRL&enable=false
  request to /ca/caadmin

- enable MasterCRL on another PKI clone

- reverse settings on both servers after some CRLs have been
  generated by the second server

This patch resolves the issue by forcing the CRLIssuingPoint to read
the CRL from LDAP each time its update thread (re)starts.

Fixes: https://pagure.io/dogtagpki/issue/3085
edewata
edewata approved these changes Feb 1, 2019
View reviewed changes
Copy link
Contributor

@edewata edewata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super familiar with this, but it LGTM. Feel free to push unless @jmagne has any other comments.

Please note that 10.6 has branched and master is now 10.7. If this needs to go to 10.6 feel free to cherry pick it to that branch.

@edewata edewata requested a review from jmagne February 14, 2019 20:09
@frasertweedale
Copy link
Contributor Author

There were no further comments so I'll merge this. I'm only merging to master. If backport is needed later it will be straightforward.

@frasertweedale frasertweedale merged commit 2ef387e into dogtagpki:master May 1, 2019
@frasertweedale frasertweedale deleted the fix/3085-crl-reinit branch May 1, 2019 01:44
This was referenced Oct 1, 2020
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edewata edewata edewata approved these changes

@jmagne jmagne Awaiting requested review from jmagne

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@frasertweedale @edewata