#7288 set_directive can overwrite wrong directives
Closed: fixed 2 years ago Opened 2 years ago by ftweedal.

Issue

set_directive only checks that a line starts with the given directive (key) before
writing the new directive. This means that any key that starts with the given key
will be clobbered and no longer exist.

This causes real problems like, e.g. the removal from Dogtag CS.cfg of the
ca.sslserver.certreq parameter when the ca.sslserver.cert directive gets
updated during Dogtag Server-Cert renewal. This causes subsequent KRA
installation failure.

Steps to Reproduce

  1. observe that the ca.sslserver.certreq key exists in CS.cfg
  2. renew the Server-Cert cert-pki-ca certificate via certmonger.
  3. observe that the ca.sslserver.certreq key no longer appears in CS.cfg.

The routine should leave alone keys that are not exactly the key to be replaced.
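
The prefix match described in this issue, next to an exact-key comparison, as an added example. It is a simplified model, not FreeIPA's installutils code; the function names and the sample CS.cfg lines are constructed for illustration.

```python
# Added illustration: simplified model of the behaviour in this issue.
# Constructed CS.cfg-style sample; all values are placeholders.
SAMPLE = [
    "ca.sslserver.cert=OLD_CERT\n",
    "ca.sslserver.certreq=CSR_PLACEHOLDER\n",
    "ca.sslserver.nickname=Server-Cert cert-pki-ca\n",
]


def set_directive_prefix(lines, key, value, sep="="):
    """Flawed form: any line that merely starts with `key` is rewritten."""
    out, found = [], False
    for line in lines:
        if line.lstrip().startswith(key):
            found = True
            out.append(f"{key}{sep}{value}\n")  # clobbers longer keys too
        else:
            out.append(line)
    if not found:
        out.append(f"{key}{sep}{value}\n")
    return out


def set_directive_exact(lines, key, value, sep="="):
    """Corrected form: rewrite a line only when its whole key equals `key`."""
    out, found = [], False
    for line in lines:
        name, delim, _ = line.partition(sep)
        if delim and name.strip() == key:
            found = True
            out.append(f"{key}{sep}{value}\n")
        else:
            out.append(line)  # longer keys sharing the prefix are kept
    if not found:
        out.append(f"{key}{sep}{value}\n")
    return out


def keys(lines, sep="="):
    """Return the key of every directive line, in file order."""
    return [line.partition(sep)[0].strip() for line in lines]


if __name__ == "__main__":
    print(keys(set_directive_prefix(SAMPLE, "ca.sslserver.cert", "NEW_CERT")))
    print(keys(set_directive_exact(SAMPLE, "ca.sslserver.cert", "NEW_CERT")))
```

With the prefix form the ca.sslserver.certreq line is replaced by a second ca.sslserver.cert line; with the exact form it is left untouched.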


Metadata Update from @ftweedal:
- Issue assigned to ftweedal

2 years ago

Metadata Update from @ftweedal:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1347

2 years ago

master:

  • 2546ef6 Prevent set_directive from clobbering other keys
  • 1b04718 pep8: reduce line lengths in CAInstance.__enable_crl_publish
  • c77f3a5 installutils: refactor set_directive
  • f688b5d Add tests for installutils.set_directive
  • f4001e1 Add safe DirectiveSetter context manager

ipa-4-6:

  • fd316b9 Prevent set_directive from clobbering other keys
  • 7a29a5d pep8: reduce line lengths in CAInstance.__enable_crl_publish
  • 241b83d installutils: refactor set_directive
  • 808b143 Add tests for installutils.set_directive
  • 342a141 Add safe DirectiveSetter context manager

ipa-4-5:

  • c60fcac Prevent set_directive from clobbering other keys
  • 929491d pep8: reduce line lengths in CAInstance.__enable_crl_publish
  • a1a5853 installutils: refactor set_directive
  • d3af8f6 Add tests for installutils.set_directive
  • a70ce13 Add safe DirectiveSetter context manager
  • 1b87101 Old pylint doesn't support bad python3 option

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1512482

2 years ago

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.5.5

2 years ago

master:

  • b7ae9f7 Test KRA installtion after ca agent cert renewal

ipa-4-7:

  • f382272 Test KRA installtion after ca agent cert renewal
