dogtagpki

Clone
Source Code
GIT

#1727 Validate input in pkispawn, add dry run option
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by jcholast.

Closed: migrated
Reopen Issue

pkispawn does not validate its input and can create a broken CA instance. This
has been a source of much grief in IPA:

https://bugzilla.redhat.com/show_bug.cgi?id=1111320
https://bugzilla.redhat.com/show_bug.cgi?id=1127838
https://bugzilla.redhat.com/show_bug.cgi?id=1223700

pkispawn should validate its input to prevent bugs like the above. Additionaly,
a dry run option should be added, so that the input can be checked before
running the actual install.

Steps to Reproduce:

1. Run pkispawn with some invalid input, e.g. invalid
pki_external_ca_cert_chain_path file.

Actual results:

pkispawn creates broken CA istance

Expected results:

pkispawn fails with an error

This was discussed in the Dogtag 10.3 Triage meeting of 01/06/2016, and it was determined that rather than a "dry run" option, it would be better to augment the existing validation and focus on using containers to install a test PKI.

This will be revisited in Dogtag 10.4.

Could you reconsider the dry run / validate only option?

Without it, we have to do one of the following in ipa-server-install:

  • Validate everything manually ourselves, so that we have (some) guarantee that pkispawn will not fail. This is no improvement over the current situation.
  • Do not validate anything and roll back the install when pkispawn fails. This way if there is a problem, the user has to sit through several minutes of ipa-server-install only to find out that the certificate files (etc.) they provided are invalid.
  • Install a test PKI in a container for validation. This adds a rather heavy weight container implementation dependency to ipa-server-install and the user has to sit through the whole pkispawn twice (once for validation, once the real thing) if there wasn't a problem in validation.

None of there are very nice.

Also, I would think that the dry run option should not be hard to implement (just exit after the initial validation).

Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - major

Metadata Update from @jcholast:
- Issue set to the milestone: 10.4
7 years ago

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

Metadata Update from @mharmsen:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: None
- Issue set to the milestone: FUTURE (was: 10.4)
6 years ago

Per 10.5.x/10.6 Triage: 10.6

mharmsen: This feature has been requested for a long time and as it is a feature that will help debugging errors it is a reasonable candidate for 10.6

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: FUTURE)
6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2285

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
major
None
None
defect
None
None
None
None
None
Community
None
None
None
None
None
None
General
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.