Adapt cert-find performance workaround for users

[tiran]

experimental patch

ipa cert-find --users=NAME was slow on system with lots of certificates.
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.

Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes cheimes@redhat.com

[rcritten]

This LGTM.

[frasertweedale]

This code (including the existing workaround) makes some assumptions that I'm not 100% sure about - in particular that the hostname/username is used as the CN in the issued cert (a custom profile may violate this assumption). I need to work through it in more detail, and have run out of week, so I'll resume early next week.

[tiran]

I'm confident that the restriction

freeipa/ipaserver/plugins/cert.py

Lines 747 to 753 in 3509545

	elif principal_type == USER:
	# check user name
	if cn != principal.username:
	raise errors.ValidationError(
	name='csr',
	error=_("DN commonName does not match user's login")
	)

won't allow a custom profile to create certs that do have a different CN.

[rcritten]

Agreed. I had the same concerns as @frasertweedale but after looking at the code I don't see a way for an IPA-issued cert to not have cn=uid in the subject.

[frasertweedale]

@tiran @rcritten it is actually pretty easy - you just import a profile configuration with parameter like:

policyset.serverCertSet.1.default.params.name=UID=$request.req_subject_name.cn$, O=EXMAPLE.COM

...and update or relax the corresponding constraint component.

The CSR comes in with CN=alice, and comes out with UID=alice (but of course how you configure the subject DN to look is arbitrary).

[tiran]

@frasertweedale Oh no :/

We can either decide to ignore this edge case or somebody has to redesign and rewrite the entire cert_find API. The current implementation doesn't scale at all. Several common cases download all certificates from Dogtag, which puts a lot of stress on 389-DS, Dogtag, and the Python API. The BZ mentions > 100k certs.

I have an idea how to optimize the most critical cases for cert revocation. We can use the fact that host certs, service certs, and user certs are always stored on the host, service, or user LDAP entry. For simple host, service, and user cert search, perform _ldap_search before _ca_search. In _ca_search only retrieve certificates with subject CNs or serial numbers of certs as returned by _ldap_search.

There is one catch: It looks like Dogtag does not support list of serial numbers. :/

[frasertweedale]

We can add support on the Dogtag side for that. I'm inclined to ACK this, given the problem only occurs on an edge case, and file tickets to rework the whole thing.

[frasertweedale]

... once you fix the 'users' / 'user' issue that is :)

[frasertweedale]

This should be options.get('user', ()) (the key in options is 'user').

But even with this correction, this PR regresses in the subject DN corner case I mentioned above.

So... I am considering NAKing this. We might need to go back to the drawing board on cert-find.

OTOH the scenario that breaks this code is a corner case. It's not the end of the world if we ship this patch as-is. cert-find has a lot of limitations as it is, and this patch may help in the common case.

[tiran]

Thanks for the view and good catch! I have updated the patch.

Do we already have a ticket to track the comments? GH has a tendency to eat comments on rebased PRs.

[frasertweedale]

@tiran I filed https://pagure.io/freeipa/issue/7904 to capture the comments and discuss re-working cert-find and friends.

[frasertweedale]

One definite bug. And a bug in the Subject DN corner case (see inline discussion).

[frasertweedale]

I'm gonna ACK this and we can address the corner case later.
See https://pagure.io/freeipa/issue/7904

[tiran]

master:

• 8a5dc1b Adapt cert-find performance workaround for users