Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EST with postgresql based authentication #4856

Merged
merged 3 commits into from
Sep 25, 2024
Merged

Conversation

fmarco76
Copy link
Member

PKIPostgreSQLRealm class has been modified to avoid and change in DB. The DB has to be ready before configuring the realm. A new test working with this realm is included.

Additionally, the realm test on separate instance has been modified to authenticate the EST subsystem into the CA using a certificate.

@fmarco76 fmarco76 requested a review from edewata September 24, 2024 12:17
@fmarco76
Copy link
Member Author

@edewata I'll wait #4854 and update the CI before merge.

@edewata
Copy link
Contributor

edewata commented Sep 24, 2024

@fmarco76 I've merged PR #4854. FYI, I'm planning to modify pkispawn so that it can create an SSL server cert for ACME automatically, and I'll modify the ACME test with a separate instance to use that automation, but I'll keep the original test with manual cert creation as a separate test (i.e. ACME with existing NSS database) to make sure it will support reinstallation or containers (where the NSS database already exists).

@fmarco76 fmarco76 force-pushed the EST_CI branch 2 times, most recently from b711e45 to 5f80007 Compare September 24, 2024 17:59
@fmarco76
Copy link
Member Author

@edewata I have updated the actions

Copy link
Contributor

@edewata edewata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good in general, but please see my comments below.

docker exec ca pki -n caadmin ca-cert-export --output-file estUser.crt $CERT_ID
docker exec ca pki nss-cert-import --cert estUser.crt estUser

docker exec ca pk12util -d /root/.dogtag/nssdb -o $SHARED/est_user.p12 -n estUser -W Secret.123
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be possible to import the admin cert & key using pki pkcs12-cert-import --append into est_server.p12 so they can be imported by pkispawn.

https://github.com/dogtagpki/pki/wiki/PKI-PKCS12-Certificate-CLI

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was looking a way to easily append to the same p12 but I did not find it. This is way better, thanks!

Comment on lines 97 to 104
docker exec ca pki client-cert-request uid=estUser | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)

docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)

docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --serial $CERT_ID
docker exec ca pki -n caadmin ca-cert-export --output-file estUser.crt $CERT_ID
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be possible to use pki ca-cert-issue to issue the cert, then use pki ca-user-cert-add --input to assign the cert.

https://github.com/dogtagpki/pki/wiki/PKI-User-Certificate-CLI

Comment on lines 127 to 158
public void setup() throws Exception {

logger.info("Setting up PostgreSQL realm");

String filename = "/usr/share/pki/acme/realm/postgresql/create.sql";
String content = new String(Files.readAllBytes(Paths.get(filename)));

String[] stats = content.split(";");
for (String sql : stats) {
sql = sql.trim();
if (StringUtils.isEmpty(sql)) continue;
logger.info("SQL: " + sql);

try (PreparedStatement ps = connection.prepareStatement(sql)) {
ps.executeUpdate();

} catch (SQLException e) {

// https://www.postgresql.org/docs/current/errcodes-appendix.html
String sqlState = e.getSQLState();

// If table already exists, ignore
if (!"42P07".equals(sqlState)) {

logger.error("Unable to set up PostgreSQL realm: " + e.getMessage());
logger.error("SQL state: " + sqlState);

throw e;
}
}
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to keep this code? I think it was meant to make ACME easier to use, i.e. just run PostgreSQL and ACME, and it's ready to use (ACME doesn't require initial users). If necessary (e.g. for EST) the tables can be created first and this code will not alter the tables. We probably can add a new param in realm.conf to specify the path, for example:

create=/usr/share/pki/acme/realm/postgresql/create.sql

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem of this code is that it check for the table and if not present then it will create the tables. If the DB is provided by the user and the table names do not match the new table should not be created. We can make this optional.

@fmarco76 fmarco76 force-pushed the EST_CI branch 4 times, most recently from f924e7e to a8301ca Compare September 25, 2024 12:57
@fmarco76 fmarco76 requested a review from edewata September 25, 2024 13:13
Copy link
Contributor

@edewata edewata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates! I have a few more comments but I'll let you decide. Feel free to update/merge.

Comment on lines 109 to 110
CERT_ID=$(docker exec ca pki nss-cert-show estUser |sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p")
docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --serial $CERT_ID
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can use pki ca-user-cert-add --input so no need to parse the serial number.

https://github.com/dogtagpki/pki/wiki/PKI-User-Certificate-CLI

Comment on lines 122 to 132

String createFile = info.getProperty("dbcreate.file");
if (createFile != null) {
try{
connect();
setup(createFile);
} catch (Exception e) {
throw new LifecycleException("DB creation failed. Creation file: " + createFile, e);
}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the setup() was originally called from connect() because there is no guarantee that containers will be started in certain orders. For example, sometimes the ACME container is started first, then the PostgreSQL container is added later or it was not running when ACME container is started. With the new code that probably won't work anymore. My suggestion is to return setup() to its original position, but we can keep the dbcreate.file param. What do you think?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think this parameter should be used after the installation. If we have it in the init then at the server start the DB should be created and the parameter should be removed. This could be done during pkispawn by the user.

In a container environment there is no reason to provide a DB without table after the initial setup. Who should fill the table with the user? In any case it should be possible to define a startup order although it is not needed in this case.

Since the current implementation perform the check in the connect() I am reverting it and evaluate again when we will move to container.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Yeah, ACME doesn't require any user unless we want to manage something remotely (which there isn't much that can be done anyway). EST seems to require a pre-existing realm, so the requirement is different. We can certainly revisit this requirement again.

The realm should not modify the user database but it has to be provided
and configured in advance.
However, if a file is provided it is used during the initialisation and
not during the authentication.
Adding a new test to verify the connection between the EST subsystem
and a realm user database handled with Postgresql.

Additionally, the realm test on separate instance has been modified to
authenticate the EST subsystem into the CA using a certificate.
Since DB could be not available before the connection the setup is moved
back to the connection method.
Copy link

@fmarco76
Copy link
Member Author

@edewata Thanks!

@fmarco76 fmarco76 merged commit 5f28b99 into dogtagpki:master Sep 25, 2024
157 of 164 checks passed
@fmarco76 fmarco76 deleted the EST_CI branch September 25, 2024 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants