Bug 1446366

Summary: CC: Misleading audit log for certificate request rejected by agent.
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED DUPLICATE
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Priority: urgent
Version: 7.4
CC: arubin, cfu, msauton
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2017-11-02 01:33:03 UTC

Description Matthew Harmsen 2017-04-27 18:29:36 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2663

When an agent rejects a certificate request the server will trigger a CERT_REQUEST_PROCESSED audit event with a Success outcome. From the agent's perspective the request is processed, so a Success is correct. However, from the auditor's/user's perspective the certificate is not issued (i.e. not processed), so the outcome should have been a Failure.

Steps to reproduce:
1. Install CA
2. Submit a cert request
3. As an agent, reject the request. With PKI CLI it can be done with the following command:

    $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-cert-request-review 7 --action reject

Actual result: The server will generate the following audit log:

    [AuditEvent=CERT_REQUEST_PROCESSED]
        [SubjectID=caadmin]
        [Outcome=Success]
        [ReqID=7]
        [InfoName=rejectReason]
        [InfoValue=<null>]
        certificate request processed

Expected result: The outcome for certificate request rejected by agent should be a Failure.

As a comparison, when a certificate is rejected due to profile violation, the outcome is a Failure:

    [AuditEvent=CERT_REQUEST_PROCESSED]
        [SubjectID=$NonRoleUser$]
        [Outcome=Failure]
        [ReqID=7]
        [InfoName=rejectReason]
        [InfoValue=Request 7 Rejected - Subject Name Not Matched UID=testuser]
        certificate request processed

See also http://pki.fedoraproject.org/wiki/CA_Audit_Events.
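Added illustration, not part of the ticket and not code from pki-core: a small audit-log consumer that parses the bracketed records quoted above and flags the case this ticket reports, a CERT_REQUEST_PROCESSED record with Outcome=Success that nevertheless carries a rejectReason. The sample log is constructed from the two entries in the description; the layout (one `[AuditEvent=...]` line, indented `[Key=Value]` lines, a trailing message) and the rule that InfoName=rejectReason means no certificate was issued are assumptions taken from those two entries, not from the server's code or documentation.

```python
import re

# Constructed sample: the two audit records quoted in the ticket, in the
# bracketed "[Key=Value]" layout shown there (layout is assumed from the ticket).
SAMPLE_LOG = """\
[AuditEvent=CERT_REQUEST_PROCESSED]
    [SubjectID=caadmin]
    [Outcome=Success]
    [ReqID=7]
    [InfoName=rejectReason]
    [InfoValue=<null>]
    certificate request processed
[AuditEvent=CERT_REQUEST_PROCESSED]
    [SubjectID=$NonRoleUser$]
    [Outcome=Failure]
    [ReqID=7]
    [InfoName=rejectReason]
    [InfoValue=Request 7 Rejected - Subject Name Not Matched UID=testuser]
    certificate request processed
"""

# A field line is "[Key=Value]"; the value may itself contain '=' or spaces
# (see the InfoValue of the second record), so only the first '=' separates
# key from value and the closing bracket is anchored to the end of the line.
FIELD_RE = re.compile(r"^\s*\[([A-Za-z]+)=(.*)\]\s*$")


def parse_audit_log(text):
    """Return one dict per [AuditEvent=...] record: the bracketed fields plus
    the trailing free-text line under the key 'message'."""
    events = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "AuditEvent":
                current = {"AuditEvent": value, "message": ""}
                events.append(current)
            elif current is not None:
                current[key] = value
        elif current is not None:
            current["message"] = line.strip()
    return events


def reject_reason(event):
    """The recorded reject reason, or None when the server logged '<null>'
    (the agent-rejection case in the ticket records no reason at all)."""
    if event.get("InfoName") != "rejectReason":
        return None
    value = event.get("InfoValue", "<null>")
    return None if value == "<null>" else value


def request_was_issued(event):
    """True only when the record indicates a certificate came out of the request.
    Assumption (not stated by the ticket): Outcome alone is not trusted; a
    rejectReason InfoName means nothing was issued, whatever Outcome says."""
    if event.get("AuditEvent") != "CERT_REQUEST_PROCESSED":
        raise ValueError("not a CERT_REQUEST_PROCESSED record")
    return event.get("InfoName") != "rejectReason"


def find_misleading_outcomes(events):
    """Records that claim Outcome=Success but carry a rejectReason: exactly the
    agent-rejection case the ticket reports as misleading."""
    return [
        e for e in events
        if e.get("AuditEvent") == "CERT_REQUEST_PROCESSED"
        and e.get("Outcome") == "Success"
        and not request_was_issued(e)
    ]


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for e in find_misleading_outcomes(parsed):
        print("ReqID %s: Outcome=%s but reject reason=%r, treat as not issued"
              % (e.get("ReqID"), e.get("Outcome"), reject_reason(e)))
```

The point for anyone consuming these logs while the server still records Success for agent rejections: key the "was a certificate issued" decision on the InfoName/InfoValue pair rather than on Outcome, and note that the agent-rejection record carries no reason text at all.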

Comment 3 Christina Fu 2017-09-21 21:56:19 UTC
I am not sure. I think it is correct the way it is.

Comment 4 Endi Sukma Dewata 2017-11-02 01:33:03 UTC
This was actually already fixed in RHEL 7.4 in bug #1452250.

If the current behavior is incorrect, please define the correct behavior in this ticket: https://pagure.io/dogtagpki/issue/2838

*** This bug has been marked as a duplicate of bug 1452250 ***