Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable cert healthcheck #4590

Merged
merged 1 commit into from
Oct 19, 2023
Merged

Enable cert healthcheck #4590

merged 1 commit into from
Oct 19, 2023

Conversation

fmarco76
Copy link
Member

Cert healtcheck was disabled while the system certificate storage was modified to avoid double copy of the certificate in CS.cfg and NSS DB (PRs: #4588 and #4584).

The check is modified to work again but actually it verify that the certs used inside the subsystem are the one in NSSDB. This is not a valuable check IMHO so it could be totally removed or modified to add extra checks. As an example it could integrate checks for certificate validity, presence of CSR (this is not mandatory, a subsystem works correctly without CSR so not sure if it make sense to check).

In my opinion we can leave this check as it is now (or remove if it is considered useless). @edewata @rcritten what do you think?

@fmarco76 fmarco76 added the WIP Work In Progress label Oct 18, 2023
@fmarco76 fmarco76 requested review from rcritten and edewata October 18, 2023 14:33
edewata
edewata reviewed Oct 18, 2023
View reviewed changes
Copy link
Contributor

@edewata edewata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC this test will now be basically comparing the cert data in the NSS database against itself which is redundant. There's already some other tests (called selftests) that will check the cert validity, trust flags, etc. and they will run when the server is started. Since those properties do not change unless the cert is updated I don't think they need to be constantly checked. So I think this healthcheck test can be removed. No need to check the CSR either since it's not essential for the server to run.

base/server/healthcheck/pki/server/healthcheck/meta/csconfig.py Outdated
Comment on lines 40 to 46

# get cert info from NSS database
cert_nssdb = subsystem.get_nssdb_cert_info(cert_tag)

if cert_nssdb:
cert.update(cert_nssdb)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the cert_nssdb variable name is confusing because here it's a dictionary object, then in line 54 it changes into binary cert data.

@rcritten
Copy link
Contributor

So did we determine that the cert value, stored in CS.cfg, or elsewhere is significant at all? Does it tell us anything about the deployment?

If not then I think this check can be dropped altogether.

@fmarco76
Remove cert healthcheck
6a9ada9 
Since certs will not be stored in CS.cfg in the future this test is
useless so it is removed.
@fmarco76 fmarco76 force-pushed the ModifySysCertHealthCheck branch from ef796a5 to 6a9ada9 Compare October 18, 2023 16:02
@fmarco76
Copy link
Member Author

OK, since all agree I have fully removed the test.

@fmarco76 fmarco76 requested a review from edewata October 18, 2023 16:04
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

edewata
edewata approved these changes Oct 18, 2023
View reviewed changes
Copy link
Contributor

@edewata edewata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fmarco76 LGTM

@rcritten We won't fully know until QE complete their tests, but if they find a problem, i.e. turns out the cert data/CSR in CS.cfg is still needed by some code, we can either fix that code or move the data/CSR back into CS.cfg if necessary.

@fmarco76
Copy link
Member Author

@edewata Thanks!

@fmarco76 fmarco76 merged commit aaead49 into dogtagpki:master Oct 19, 2023
142 of 144 checks passed
@fmarco76 fmarco76 deleted the ModifySysCertHealthCheck branch October 19, 2023 07:33
@fmarco76 fmarco76 removed the WIP Work In Progress label Nov 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edewata edewata edewata approved these changes

@rcritten rcritten Awaiting requested review from rcritten

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fmarco76 @rcritten @edewata