ipa-crlgen-manage: manage the cert status task execution time

ca.certStatusUpdateInterval manages how frequently to update the certificate status in LDAP (expired, etc). By default this is not set on the initial master and pkispawn sets it to 0 on replicas. This can lead to no server running this task and therefore the status attribute not reflecting the current state. On enabling CRL generation remove any value which will cause PKI to use its default. On disabling set it to 0. Only one server should run the update status task to prevent unnecessary replication. Fixes: https://pagure.io/freeipa/issue/9569 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
freeipa · Apr 16, 2024 · 74791ea · 74791ea
1 parent 36d0933
commit 74791ea
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 3 deletions.
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
@@ -1327,6 +1327,8 @@ def is_crlgen_enabled(self):
         generation master:
         - in CS.cfg ca.crl.MasterCRL.enableCRLCache=true
         - in CS.cfg ca.crl.MasterCRL.enableCRLUpdates=true
+        - in CS.cfg ca.listenToCloneModifications=true
+        - in CS.cfg ca.certStatusUpdateInterval != 0
         - in /etc/httpd/conf.d/ipa-pki-proxy.conf the RewriteRule
         ^/ipa/crl/MasterCRL.bin is disabled (commented or removed)
 
@@ -1342,15 +1344,30 @@ def is_crlgen_enabled(self):
             updates = directivesetter.get_directive(
                 self.config, 'ca.crl.MasterCRL.enableCRLUpdates', '=')
             enableCRLUpdates = updates.lower() == 'true'
+            listen = directivesetter.get_directive(
+                self.config, 'ca.listenToCloneModifications', '=')
+            enableToClone = listen.lower() == 'true'
+            updateinterval = directivesetter.get_directive(
+                self.config, 'ca.certStatusUpdateInterval', '=')
 
             # If the values are different, the config is inconsistent
-            if enableCRLCache != enableCRLUpdates:
+            if not (enableCRLCache == enableCRLUpdates == enableToClone):
                 raise InconsistentCRLGenConfigException(
                     "Configuration is inconsistent, please check "
-                    "ca.crl.MasterCRL.enableCRLCache and "
-                    "ca.crl.MasterCRL.enableCRLUpdates in {} and "
+                    "ca.crl.MasterCRL.enableCRLCache, "
+                    "ca.crl.MasterCRL.enableCRLUpdates and "
+                    "ca.listenToCloneModifications in {} and "
                     "run ipa-crlgen-manage [enable|disable] to repair".format(
                         self.config))
+            # If they are the same then we are the CRL renewal master. Ensure
+            # the update task is configured.
+            if enableCRLCache and updateinterval == '0':
+                raise InconsistentCRLGenConfigException(
+                    "Configuration is inconsistent, please check "
+                    "ca.certStatusUpdateInterval in {}. It should "
+                    "be either not present or not zero. Run "
+                    "ipa-crlgen-manage [enable|disable] to repair".format(
+                        self.config))
         except IOError:
             raise RuntimeError(
                 "Unable to read {}".format(self.config))
@@ -1407,6 +1424,11 @@ def setup_crlgen(self, setup_crlgen):
             str_value = str(setup_crlgen).lower()
             ds.set('ca.crl.MasterCRL.enableCRLCache', str_value)
             ds.set('ca.crl.MasterCRL.enableCRLUpdates', str_value)
+            ds.set('ca.listenToCloneModifications', str_value)
+            if setup_crlgen:
+                ds.set('ca.certStatusUpdateInterval', None)
+            else:
+                ds.set('ca.certStatusUpdateInterval', '0')
 
         # Start pki-tomcat
         logger.info("Starting %s", self.service_name)

diff --git a/ipatests/test_integration/test_crlgen_manage.py b/ipatests/test_integration/test_crlgen_manage.py
@@ -61,6 +61,16 @@ def check_crlgen_status(host, rc=0, msg=None, enabled=True, check_crl=False):
                         ext.value.crl_number)
                     assert number_msg in result.stdout_text
 
+        try:
+            value = get_CS_cfg_value(host, 'ca.certStatusUpdateInterval')
+        except IOError:
+            return
+
+        if enabled:
+            assert value is None
+        else:
+            assert value == '0'
+
 
 def check_crlgen_enable(host, rc=0, msg=None, check_crl=False):
     """Check ipa-crlgen-manage enable command
@@ -125,6 +135,23 @@ def break_crlgen_with_CS_cfg(host):
     check_crlgen_status(host, rc=1, msg="Configuration is inconsistent")
 
 
+def get_CS_cfg_value(host, directive):
+    """Retrieve and return the a directive from the CA CS.cfg
+
+       This returns None if the directives is not found.
+    """
+    content = host.get_file_contents(paths.CA_CS_CFG_PATH,
+                                     encoding='utf-8')
+    value = None
+    for line in content.split('\n'):
+        l = line.lower()
+
+        if l.startswith(directive.lower()):
+            value = line.split('=', 1)[1]
+
+    return value
+
+
 class TestCRLGenManage(IntegrationTest):
     """Tests the ipa-crlgen-manage command.
 
@@ -196,6 +223,9 @@ def test_crlgen_enable_on_ca_replica(self):
 
         Install a CA clone and enable CRLgen"""
         tasks.install_ca(self.replicas[0])
+        value = get_CS_cfg_value(self.replicas[0],
+                                 'ca.certStatusUpdateInterval')
+        assert value == '0'
         check_crlgen_enable(
             self.replicas[0], rc=0,
             msg="make sure to have only a single CRL generation master",