1452250 – Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet.

Bug 1452250 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet.

Summary: Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Endi Sukma Dewata
QA Contact:	Asha Akkiangady
Docs Contact:	Petr Bokoc
URL:
Whiteboard:
Duplicates (1):	1446366 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-18 16:28 UTC by Matthew Harmsen
Modified:	2020-10-04 21:29 UTC (History)
CC List:	3 users (show)
Fixed In Version:	pki-core-10.4.1-5.el7
Doc Type:	Bug Fix
Doc Text:	The audit log no longer records success when a certificate request was rejected or canceled Previously when a certificate request was rejected or canceled, the server generated a `CERT_REQUEST_PROCESSED` audit log entry with `Outcome=Success`. This was incorrect because there was no certificate issued for the request. This bug has been fixed, and the `CERT_REQUEST_PROCESSED` audit log entry for a rejected or canceled request now reads `Outcome=Failure`.
Clone Of:
Environment:
Last Closed:	2017-08-01 22:52:53 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2810	None	None	None	2020-10-04 21:29:39 UTC
Github	dogtagpki pki issues 2813	None	None	None	2020-10-04 21:29:48 UTC
Github	dogtagpki pki issues 2814	None	None	None	2020-10-04 21:29:52 UTC
Red Hat Product Errata	RHBA-2017:2110	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2017-08-01 19:36:59 UTC

Description Matthew Harmsen 2017-05-18 16:28:50 UTC

This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2690

Normally a successful CERT_REQUEST_PROCESSED event would be accompanied by a cert object, and a failed one would be accompanied by a request object.

However, the following code logs a failure with a cert object:

https://github.com/dogtagpki/pki/blob/master/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java#L642

    audit(new CertRequestProcessedEvent(
        auditSubjectID,
        ILogger.FAILURE,
        auditRequesterID,
        ILogger.SIGNED_AUDIT_ACCEPTANCE,
        x509cert));

Comment 2 Matthew Harmsen 2017-05-18 16:30:34 UTC

On May 16, 2017, cfu wrote:

If a cert has already been issued (which seems to be the case of the L642 in the above report), then as far as CertRequestProcessedEvent goes, it is supposed to be considered a SUCCESS (the cert has already been issued!!!!!);
The fact that the code is under an Exception catch clause means something else happened, and it should be dealt with outside of the CertRequestProcessedEvent.
I suggest you find out what would cause this to happen and see if it deserves any audit-worthy event to be recorded. If not, a debug message should do, since it already rethrown the exception a few lines down.

Comment 3 Matthew Harmsen 2017-05-18 16:32:34 UTC

On May 17, 2017, edewata wrote:

The queue.processRequest() in line 618 is quite complex. There could be many things that could generate EBaseException, so I'll leave that to be handled by the caller in line 265.

I think the original intent of the code was to trigger a CERT_REQUEST_PROCESSED event if a new certificate was generated by queue.processRequest() regardless of the exception, so I'm moving the event trigger into a finally-clause.

Please see the following patch:

    https://review.gerrithub.io/#/c/361202/

Comment 4 Matthew Harmsen 2017-05-18 16:36:02 UTC

On May 17, 2017, edewata pushed these changes:

Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet.

The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally- clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers.

https://pagure.io/dogtagpki/issue/2690
Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e

Comment 5 Matthew Harmsen 2017-05-18 16:50:37 UTC

https://pagure.io/dogtagpki/issue/2693:

Fixed in master:

    https://github.com/dogtagpki/pki/commit/dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a



https://pagure.io/dogtagpki/issue/2694:

Fixed in master:

    https://github.com/dogtagpki/pki/commit/e54873d6dbb95e82632f888b90dc6d0d7836ad4d

Comment 7 Amol K 2017-06-19 15:08:39 UTC

I verified this bug on pki 10.4.1-9.el7 build.

Steps I followed to verify this bug:

 1. Created certificate requests.

 2. After rejecting the request, in audit logs, I could see the outcome as a failure and InfoValue as null with certificate request id.

 3. After the canceling the request, in audit logs, I could see the outcome as failure and InfoValue as null with certificate request id.

Verifying this bug.

Comment 8 errata-xmlrpc 2017-08-01 22:52:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

Comment 9 Endi Sukma Dewata 2017-11-02 01:33:03 UTC

*** Bug 1446366 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.