Merge branch 'master' of https://github.com/freeipa/freeipa

freeipa-pr-ci2 · Nov 22, 2024 · 2488a56 · 2488a56
2 parents ce325c9 + 0eafb03
commit 2488a56
Show file tree

Hide file tree

Showing 16 changed files with 571 additions and 788 deletions.
diff --git a/freeipa.spec.in b/freeipa.spec.in
@@ -127,6 +127,10 @@
 # version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
 %if 0%{?fedora} < 34
 %global ds_version 1.4.4.16-1
+%elif 0%{?fedora} == 40
+%global ds_version 3.0.4-3
+%elif 0%{?fedora} >= 41
+%global ds_version 3.1.1-3
 %else
 %global ds_version 2.1.0
 %endif

diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in
@@ -301,7 +301,11 @@ def install(safe_options, options):
             install_master(safe_options, options)
         else:
             if options.random_serial_numbers:
-                if ca.lookup_random_serial_number_version(api) == 0:
+                ldap_backend = cainstance.lookup_ldap_backend(api)
+                if (
+                    ca.lookup_random_serial_number_version(api) == 0
+                    and ldap_backend == "bdb"
+                ):
                     sys.exit(
                         "\nRandom serial numbers cannot be enabled in an "
                         "existing CA installation.\n")

diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
@@ -83,7 +83,7 @@ Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SH
 Do not use DNS for hostname lookup during installation
 .TP
 \fB\-\-random\-serial\-numbers\fR
-Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
+Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible.
 .TP
 \fB\-\-token\-name\fR=\fITOKEN_NAME\fR
 The PKCS#11 token name if using an HSM to store and generate private keys.

diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
@@ -126,7 +126,7 @@ If no template is specified, the template name "SubCA" is used.
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-random\-serial\-numbers\fR
-Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
+Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible.
 .TP
 \fB\-\-no\-pkinit\fR
 Disables pkinit setup steps.

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
@@ -259,6 +259,18 @@ def is_ca_installed_locally():
     return os.path.exists(paths.CA_CS_CFG_PATH)
 
 
+def lookup_ldap_backend(api):
+    """Look up the LDAP backend database value and return it"""
+    dn = DN("cn=config,cn=ldbm database,cn=plugins,cn=config")
+    try:
+        entry = api.Backend.ldap2.get_entry(dn)
+    except errors.NotFound:
+        ldap_backend = 'bdb'
+    else:
+        ldap_backend = entry.get('nsslapd-backend-implement', ['bdb'])[0]
+    return ldap_backend
+
+
 class InconsistentCRLGenConfigException(Exception):
     pass
 
@@ -388,6 +400,15 @@ def configure_instance(self, host_name, dm_password, admin_password,
             self.ca_type = x509.ExternalCAType.GENERIC.value
         self.external_ca_profile = external_ca_profile
         self.random_serial_numbers = random_serial_numbers
+        ldap_backend = lookup_ldap_backend(api)
+
+        if ldap_backend != 'bdb' and not random_serial_numbers:
+            # override selection for lmdb due to VLV performance issues.
+            logger.info(
+                'Forcing random serial numbers to be enabled for the %s '
+                'backend', ldap_backend
+            )
+            self.random_serial_numbers = True
 
         self.no_db_setup = promote
         self.use_ldaps = use_ldaps
@@ -450,6 +471,8 @@ def configure_instance(self, host_name, dm_password, admin_password,
             self.step(
                 "Ensuring backward compatibility",
                 self.__dogtag10_migration)
+            if self.random_serial_numbers:
+                self.step("enable certificate pruning", self.enable_pruning)
             if promote:
                 self.step("destroying installation admin user",
                           self.teardown_admin)
@@ -507,6 +530,9 @@ def configure_instance(self, host_name, dm_password, admin_password,
 
                 self.step("configuring certmonger renewal for lightweight CAs",
                           self.add_lightweight_ca_tracking_requests)
+                if self.clone and self.random_serial_numbers:
+                    self.step("Recording random serial number state",
+                              self.__store_random_serial_number_state)
                 if minimum_acme_support():
                     self.step("deploying ACME service", self.setup_acme)
 
@@ -766,6 +792,17 @@ def enable_pkix(self):
                                    'NSS_ENABLE_PKIX_VERIFY', '1',
                                    quotes=False, separator='=')
 
+    def enable_pruning(self):
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.enabled', 'true',
+                                      quotes=False, separator='=')
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.job.pruning.enabled',
+                                      'true', quotes=False, separator='=')
+        directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+                                      'jobsScheduler.job.pruning.owner',
+                                      'ipara', quotes=False, separator='=')
+
     def __import_ra_cert(self):
         """
         Helper method for IPA domain level 0 replica install
@@ -1650,6 +1687,11 @@ def __store_random_serial_number_state(self):
         dn = DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca,
                 api.env.basedn)
         entry_attrs = api.Backend.ldap2.get_entry(dn)
+        version = entry_attrs.single_value.get(
+            "ipaCaRandomSerialNumberVersion", "0"
+        )
+        if str(version) == str(value):
+            return
         entry_attrs['ipaCaRandomSerialNumberVersion'] = value
         api.Backend.ldap2.update_entry(entry_attrs)
 

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
@@ -1721,7 +1721,8 @@ def _ca_search(self, raw, pkey_only, exactly, **options):
             try:
                 ca_obj = ca_objs[issuer]
             except KeyError:
-                continue
+                # A deleted LWCA? Return the issuer DN as a string
+                ca_obj = {'cn': [str(issuer)]}
 
             if pkey_only:
                 obj = {'serial_number': serial_number}
@@ -1905,8 +1906,16 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
                     try:
                         ca_obj = ca_objs[cacn]
                     except KeyError:
-                        ca_obj = ca_objs[cacn] = (
-                            self.api.Command.ca_show(cacn, all=True)['result'])
+                        try:
+                            ca_obj = ca_objs[cacn] = (
+                                self.api.Command.ca_show(
+                                    cacn, all=True)['result'])
+                        except errors.NotFound:
+                            # If we have inserted a CA DN because the
+                            # LWCA was deleted then ca-show of it will
+                            # fail as NotFound. There is no chain to
+                            # retrieve.
+                            ca_obj = []
 
                     obj.update(
                         ra.get_certificate(serial_number)

diff --git a/ipatests/prci_definitions/nightly_latest.yaml b/ipatests/prci_definitions/nightly_latest.yaml
@@ -1897,9 +1897,11 @@ jobs:
       class: RunPytest
       args:
         build_url: '{fedora-latest/build_url}'
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-latest
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   fedora-latest/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/prci_definitions/nightly_latest_pki.yaml b/ipatests/prci_definitions/nightly_latest_pki.yaml
@@ -1072,9 +1072,11 @@ jobs:
         build_url: '{pki-fedora/build_url}'
         update_packages: True
         copr: '@pki/master'
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-latest
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   pki-fedora/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/prci_definitions/nightly_latest_selinux.yaml b/ipatests/prci_definitions/nightly_latest_selinux.yaml
@@ -2048,9 +2048,11 @@ jobs:
       args:
         build_url: '{fedora-latest/build_url}'
         selinux_enforcing: True
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-latest
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   fedora-latest/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/prci_definitions/nightly_latest_testing.yaml b/ipatests/prci_definitions/nightly_latest_testing.yaml
@@ -2200,9 +2200,11 @@ jobs:
         build_url: '{testing-fedora/build_url}'
         update_packages: True
         enable_testing_repo: True
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-latest
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   testing-fedora/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml b/ipatests/prci_definitions/nightly_latest_testing_selinux.yaml
@@ -2351,9 +2351,11 @@ jobs:
         update_packages: True
         selinux_enforcing: True
         enable_testing_repo: True
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-latest
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   testing-fedora/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/prci_definitions/nightly_previous.yaml b/ipatests/prci_definitions/nightly_previous.yaml
@@ -1897,9 +1897,11 @@ jobs:
       class: RunPytest
       args:
         build_url: '{fedora-previous/build_url}'
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-previous
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   fedora-previous/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -2048,9 +2048,11 @@ jobs:
       args:
         build_url: '{fedora-rawhide/build_url}'
         update_packages: True
-        test_suite: test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+        test_suite: >-
+            test_integration/test_random_serial_numbers.py::TestServerCALessToExternalCA_RSN
+            test_integration/test_random_serial_numbers.py::TestInstall_RSN_MDB
         template: *ci-master-frawhide
-        timeout: 5400
+        timeout: 7200
         topology: *master_1repl
 
   fedora-rawhide/test_random_serial_numbers_TestRSNPKIConfig:

diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
@@ -3,10 +3,12 @@
 #
 
 import pytest
+import textwrap
 
 from ipaplatform.paths import paths
 
 from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.test_installation import (
     TestInstallWithCA_DNS1,
     TestInstallWithCA_KRA1,
@@ -119,3 +121,72 @@ def install(cls, mh):
         if not pki_supports_RSNv3(mh.master):
             raise pytest.skip("RSNv3 not supported")
         super(TestRSNVault, cls).install(mh)
+
+
+class TestInstall_RSN_MDB(IntegrationTest):
+    """
+    Test installation when the 389-ds mdb backend is used. This has
+    poor performance for VLV compared to the older bdb backend so
+    RSN will be required.
+    """
+    num_replicas = 1
+
+    def disable_rsn(self):
+        """Mark RSN as disabled in the topology by setting
+           ipaCaRandomSerialNumberVersion to 0.
+        """
+        entry_ldif = textwrap.dedent("""
+            dn: cn=ipa,cn=cas,cn=ca,{base_dn}
+            changetype: modify
+            replace: ipaCaRandomSerialNumberVersion
+            ipaCaRandomSerialNumberVersion: 0
+        """).format(base_dn=str(self.master.domain.basedn))
+        tasks.ldapmodify_dm(self.master, entry_ldif)
+
+    def check_rsn_status(self, host):
+        """Verify that RSN is enabled on a host"""
+        base_dn = str(host.domain.basedn)
+        result = tasks.ldapsearch_dm(
+            host,
+            'cn=ipa,cn=cas,cn=ca,{base_dn}'.format(
+                base_dn=base_dn),
+            ['ipacarandomserialnumberversion',],
+            scope='base'
+        )
+        output = result.stdout_text.lower()
+        assert 'ipacarandomserialnumberversion: 3' in output
+
+        cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH)
+        assert "dbs.cert.id.generator=random".encode() in cs_cfg
+
+    @classmethod
+    def install(cls, mh):
+        if not pki_supports_RSNv3(mh.master):
+            raise pytest.skip("RNSv3 not supported")
+        result = cls.replicas[0].run_command(
+            "python -c 'from lib389.utils import get_default_db_lib; "
+            "print(get_default_db_lib())'"
+        )
+        if 'mdb' not in result.stdout_text:
+            raise pytest.skip("MDB not supported")
+        tasks.install_master(cls.master, setup_dns=True)
+
+    def test_replica_install(self):
+        self.disable_rsn()
+        tasks.install_replica(
+            self.master, self.replicas[0], setup_ca=True)
+        self.check_rsn_status(self.replicas[0])
+        tasks.run_server_del(
+            self.master, self.replicas[0].hostname, force=True,
+            ignore_topology_disconnect=True, ignore_last_of_role=True)
+        tasks.uninstall_replica(
+            master=self.master,
+            replica=self.replicas[0]
+        )
+
+    def test_replica_install_noca(self):
+        self.disable_rsn()
+        tasks.install_replica(
+            self.master, self.replicas[0], setup_ca=False)
+        tasks.install_ca(self.replicas[0])
+        self.check_rsn_status(self.replicas[0])
diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py
@@ -4,6 +4,7 @@
 from __future__ import absolute_import
 
 import six
+from lib389.utils import get_default_db_lib
 
 from ipapython.dn import DN
 from ipatests.test_xmlrpc.tracker.base import Tracker, EnableTracker
@@ -83,7 +84,10 @@ def track_create(self):
             objectclass=objectclasses.ca
         )
         if self.description == 'IPA CA':
-            self.attrs['ipacarandomserialnumberversion'] = ('0',)
+            if get_default_db_lib() == 'bdb':
+                self.attrs['ipacarandomserialnumberversion'] = ('0',)
+            else:
+                self.attrs['ipacarandomserialnumberversion'] = ('3',)
         self.exists = True
 
     def make_disable_command(self):