Bug 1445088 - profile modification cannot remove existing config parameters
Summary: profile modification cannot remove existing config parameters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-24 21:54 UTC by Matthew Harmsen
Modified: 2020-10-04 21:22 UTC (History)
3 users (show)

Fixed In Version: pki-core-10.4.1-3.el7
Doc Type: Bug Fix
Doc Text:
Updating the `LDAPProfileSubsystem` profile now supports removing attributes Previously, when updating the `LDAPProfileSubsystem` profile on PKI Server, attributes could not be removed. As a result, PKI Server was unable to load the profile or issue certificates after updating the profile in certain situations. A patch has been applied, and now PKI Server clears the existing profile configuration before loading the new configuration. As a result, updates in the `LDAPProfileSubsystem` profile can now remove configuration attributes.
Clone Of:
Environment:
Last Closed: 2017-08-01 22:50:57 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2708 0 None None None 2020-10-04 21:22:06 UTC
Red Hat Product Errata RHBA-2017:2110 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Matthew Harmsen 2017-04-24 21:54:56 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2588

When modifying a profile via `PUT /ca/rest/profile/{id}/raw`,
existing config parameters that are not present
in the updated configuration remain after update.

Comment 3 Fraser Tweedale 2017-04-26 07:53:10 UTC
Fixed upstream:

* 62419afd831039e7487ba184c6bf8f876f4d21da ProfileService: clear profile attributes when modifying
* 6562b05a73090c0f7882a9684a8ceac2666e4401 ISourceConfigStore: add clear() method to interface
* 8caedd6723f4885d4aff2348aa3d9fc850627aa1 LDAPProfileSubsystem: avoid duplicating logic in superclass

Comment 5 bhavik 2017-05-12 10:53:36 UTC
Hi Fraser, could you please add verification steps for this bug?

Comment 6 Endi Sukma Dewata 2017-05-18 16:41:19 UTC
Here's the verification steps:

1. Disable a profile. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-disable caServerCert

2. Edit the profile configuration using the pki CLI. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-edit caServerCert

3. Delete some attributes from the configuration. For example, remove policy #8:

  policyset.serverCertSet.list=1,2,3,4,5,6,7  (remove 8)
  policyset.serverCertSet.8.*=...             (remove lines)

4. Retrieve the profile configuration. For example:

  $ pki -d ~/.dogtag/pki-tomcat/ca/alias/ -c Secret.123 -n caadmin ca-profile-show caServerCert

The deleted attributes (i.e. policy #8) should no longer exist.

Comment 7 bhavik 2017-05-22 09:20:12 UTC
Bug verified on build

root@pki1 ansible # rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Mon 15 May 2017 05:29:53 PM IST
Group       : System Environment/Base
Size        : 2086209
License     : GPLv2
Signature   : RSA/SHA256, Wed 10 May 2017 09:03:58 AM IST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Wed 10 May 2017 06:53:16 AM IST
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

Steps followed:

root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-disable caServerCert
-------------------------------
Disabled profile "caServerCert"
-------------------------------

root@pki1 ansible # pki -d /tmp/nssdb2/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --output beforeprofilemodify
----------------------
Profile "caServerCert"
----------------------
-------------------------------------------------
Saved profile caServerCert to beforeprofilemodify
-------------------------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Delete some attributes from the configuration. For example, remove policy #8:
 
  policyset.serverCertSet.list=1,2,3,4,5,6,7  (remove 8)
  policyset.serverCertSet.8.*=...             (remove lines)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert 
----------------------
Profile "caServerCert"
----------------------
  Profile ID: caServerCert
  Name: Manual Server Certificate Enrollment
  Description: This certificate profile is for enrolling server certificates.

  Name: Certificate Request Input
  Class: certReqInputImpl

    Attribute Name: cert_request_type
    Attribute Description: Certificate Request Type
    Attribute Syntax: cert_request_type

    Attribute Name: cert_request
    Attribute Description: Certificate Request
    Attribute Syntax: cert_request

  Name: Requestor Information
  Class: submitterInfoInputImpl

    Attribute Name: requestor_name
    Attribute Description: Requestor Name
    Attribute Syntax: string

    Attribute Name: requestor_email
    Attribute Description: Requestor Email
    Attribute Syntax: string

    Attribute Name: requestor_phone
    Attribute Description: Requestor Phone
    Attribute Syntax: string

  Name: Certificate Output
  Class: certOutputImpl

    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print

    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print


root@pki1 ansible # pki -d /tmp/nssdb/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --raw

#Fri May 19 20:35:50 IST 2017
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.2.default.params.range=720
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
input.i2.class_id=submitterInfoInputImpl
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
output.o1.class_id=certOutputImpl
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=-
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
output.list=o1
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
input.list=i1,i2
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
visible=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
desc=This certificate profile is for enrolling server certificates.
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
profileId=caServerCert
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
auth.class_id=
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
enable=false
policyset.serverCertSet.1.constraint.params.pattern=.*CN\=.*
policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
input.i1.class_id=certReqInputImpl
enableBy=admin
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.list=1,2,3,4,5,6,7
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
name=Manual Server Certificate Enrollment
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
/bin/bash=indent\: command not found
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.1.default.params.name=
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.list=serverCertSet
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.name=AIA Extension Default
classId=caEnrollImpl
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.1.constraint.params.accept=true


root@pki1 ~ # pki -d /tmp/nssdb2/ -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-show caServerCert --output aftereditingprofile
----------------------
Profile "caServerCert"
----------------------
-------------------------------------------------
Saved profile caServerCert to aftereditingprofile
-------------------------------------------------

root@pki1 ~ # diff beforeprofilemodify aftereditingprofile
8c8
<     <enabledBy>admin</enabledBy>
---
>     <enabledBy>caadmin</enabledBy>
496,522d495
<                 </constraint>
<             </value>
<             <value id="8">
<                 <def id="Signing Alg" classId="signingAlgDefaultImpl">
<                     <description>This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA512withRSA</description>
<                     <policyAttribute name="signingAlg">
<                         <Descriptor>
<                             <Syntax>choice</Syntax>
<                             <Constraint>SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA</Constraint>
<                             <Description>Signing Algorithm</Description>
<                         </Descriptor>
<                     </policyAttribute>
<                     <params name="signingAlg">
<                         <value>-</value>
<                     </params>
<                 </def>
<                 <constraint id="No Constraint">
<                     <description>This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC</description>
<                     <classId>signingAlgConstraintImpl</classId>
<                     <constraint id="signingAlgsAllowed">
<                         <descriptor>
<                             <Syntax>string</Syntax>
<                             <Description>Allowed Signing Algorithms</Description>
<                             <DefaultValue>SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC</DefaultValue>
<                         </descriptor>
<                         <value>SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC</value>
<                     </constraint>

Comment 9 Fraser Tweedale 2017-07-24 01:06:10 UTC
Doc text is perfect.

Comment 10 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110


Note You need to log in before you can comment on or make changes to this bug.