Bug 1452250
Summary: | Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | unspecified | Docs Contact: | Petr Bokoc <pbokoc> |
Priority: | unspecified | ||
Version: | 7.4 | CC: | akahat, arubin, pbokoc |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pki-core-10.4.1-5.el7 | Doc Type: | Bug Fix |
Doc Text: |
The audit log no longer records success when a certificate request was rejected or canceled
Previously when a certificate request was rejected or canceled, the server generated a `CERT_REQUEST_PROCESSED` audit log entry with `Outcome=Success`. This was incorrect because there was no certificate issued for the request. This bug has been fixed, and the `CERT_REQUEST_PROCESSED` audit log entry for a rejected or canceled request now reads `Outcome=Failure`.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 22:52:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Matthew Harmsen
2017-05-18 16:28:50 UTC
On May 16, 2017, cfu wrote: If a cert has already been issued (which seems to be the case of the L642 in the above report), then as far as CertRequestProcessedEvent goes, it is supposed to be considered a SUCCESS (the cert has already been issued!!!!!); The fact that the code is under an Exception catch clause means something else happened, and it should be dealt with outside of the CertRequestProcessedEvent. I suggest you find out what would cause this to happen and see if it deserves any audit-worthy event to be recorded. If not, a debug message should do, since it already rethrown the exception a few lines down. On May 17, 2017, edewata wrote: The queue.processRequest() in line 618 is quite complex. There could be many things that could generate EBaseException, so I'll leave that to be handled by the caller in line 265. I think the original intent of the code was to trigger a CERT_REQUEST_PROCESSED event if a new certificate was generated by queue.processRequest() regardless of the exception, so I'm moving the event trigger into a finally-clause. Please see the following patch: https://review.gerrithub.io/#/c/361202/ On May 17, 2017, edewata pushed these changes: Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet. The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally- clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers. https://pagure.io/dogtagpki/issue/2690 Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e https://pagure.io/dogtagpki/issue/2693: Fixed in master: https://github.com/dogtagpki/pki/commit/dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a https://pagure.io/dogtagpki/issue/2694: Fixed in master: https://github.com/dogtagpki/pki/commit/e54873d6dbb95e82632f888b90dc6d0d7836ad4d I verified this bug on pki 10.4.1-9.el7 build. Steps I followed to verify this bug: 1. Created certificate requests. 2. After rejecting the request, in audit logs, I could see the outcome as a failure and InfoValue as null with certificate request id. 3. After the canceling the request, in audit logs, I could see the outcome as failure and InfoValue as null with certificate request id. Verifying this bug. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110 *** Bug 1446366 has been marked as a duplicate of this bug. *** |