CA-398341: Populate fingerprints of CA certificates on startup #6006
Conversation
| @@ -378,8 +378,10 @@ let rec cmdtable_data : (string * cmd_spec) list = | |||
| ; ( "pool-certificate-uninstall" | |||
| , { | |||
| reqd= ["name"] | |||
| ; optn= [] | |||
| ; help= "Uninstall a pool-wide TLS CA certificate." | |||
| ; optn= ["force"] | |||
There was a problem hiding this comment.
pool-certificate-uninstall is deprecated, so should I be updating it or leaving it as-is? My initial instinct was the latter, but they both use the same underlying function Cli_operations.pool_uninstall_ca_certificate and so the --force option functionality is included in pool-certificate-uninstall regardless.
There was a problem hiding this comment.
Please leave it as-is, same as the api call
There was a problem hiding this comment.
I've removed force from both this and certificate_uninstall in datamodel_pool.ml, but when testing pool-certificate-uninstall, force still works. This is expected because as I say, certificate-uninstall is using Cli_operations.pool_uninstall_ca_certificate, the same as pool-uninstall-ca-certificate. Is this what you intended? It adds functionality to the deprecated function but doesn't change the documentation.
(datamodel_pool.certificate_uninstall is completed unused AFAICT)
| ; optn= ["force"] | ||
| ; help= "Uninstall a pool-wide TLS CA certificate. The optional parameter \ | ||
| '--force' will remove the DB entry even if the certificate file is \ | ||
| non-existent" | ||
| ; implementation= No_fd Cli_operations.pool_uninstall_ca_certificate | ||
| ; flags= [Deprecated ["Use pool-uninstall-ca-certificate"]] |
There was a problem hiding this comment.
What does this Deprecated flag actually do? It doesn't show when you do xe help pool-certificate-uninstall and it didn't show when I ran the command itself.
There was a problem hiding this comment.
This is probably because there's very little autogenerated code. The cli server should let the client print a message, probably. (will it break the internal regression tests, though?)
snwoods
force-pushed
the
private/stevenwo/CA-398341
branch
from
7104aae
to
ad30824
Compare
| @@ -1397,9 +1397,9 @@ let certificate_install ~__context ~name ~cert = | |||
|
|
|||
| let install_ca_certificate = certificate_install | |||
|
|
|||
| let certificate_uninstall ~__context ~name = | |||
There was a problem hiding this comment.
Trying to understand how the legacy names work. Why is the legacy name "certificate_uninstall" still needed (here and in message_forwarding.ml and datamodel_pool.ml if the deprecated xe command doesn't even use it? It calls pool_install_ca_certificate which calls uninstall_ca_certificate, not certificate_uninstall. What is it providing compatibility with, is this for upgrades from much older xapis?
There was a problem hiding this comment.
API clients might still use this function, this is why it needs to be kept.
ocaml/xapi/certificates.ml
Outdated
| ( Eq (Field "fingerprint_sha256", Literal "") | ||
| , Eq (Field "fingerprint_sha1", Literal "") | ||
| ) | ||
| , Eq (Field "type", Literal "ca") |
There was a problem hiding this comment.
May I know do we also need to upgrade for the "host" certificate, thank you~
There was a problem hiding this comment.
Yes we do, but I added this already in certificates_sync.sync (https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/certificates_sync.ml#L96-L104). This PR is because I originally missed updating the user/ca certificates too 😅
There was a problem hiding this comment.
OK, I see, thank you!
Then can we also cover the "host" certificate upgrade here and then we don't need the same functionality in two places.
There was a problem hiding this comment.
Yeah, I wondered about that, but certificates_sync.sync already existed (it does more than just update the fingerprint_sha* fields) so it makes sense for host certificates to be updated there. However, it currently only updates host certs. Would it make sense to expand certificates_sync.sync to include user certificates too so that we have it in one place? What do you think @psafont ?
There was a problem hiding this comment.
I don't think it makes sense as it is, currently. It's used for host certificates, exclusively, when the before the stunnel component gets started.
These certificates gets used by the client part, so the update needs to happen at a time that's independent (or risk introducing races) Maybe we can consolidate some of the modules, because the certificate handling is a bit disperse now.
There was a problem hiding this comment.
So, leave it as it is in this PR for now but with the potential to consolidate the certificate handling code in the future?
ocaml/xapi/certificates.ml
Outdated
| let sha256 = pp_fingerprint ~hash_type:`SHA256 certificate in | ||
| Ok (sha1, sha256) | ||
| with Unix.Unix_error (Unix.ENOENT, _, _) -> | ||
| Error (`Msg (Printf.sprintf "filename %s does not exist" filename)) |
There was a problem hiding this comment.
Can you add another catch for any exception? This is out of cautiosness. Because the function is called on startup, it cannot raise any exception.
| exn ->
Error (`Msg (Printexc.to_string exn))
ocaml/idl/datamodel_pool.ml
Outdated
| (String, "name", "The certificate name") | ||
| ; ( Bool | ||
| , "force" | ||
| , "If true, remove the DB entry even if the file is non-existent" |
There was a problem hiding this comment.
This call is deprecated, please don't modify it. (we have to change the lifecycle, but the last entry is the deprecation!)
ocaml/idl/datamodel_host.ml
Outdated
| ; ( Bool | ||
| , "force" | ||
| , "If true, remove the DB entry even if the file is non-existent" | ||
| ) | ||
| ] | ||
| ~allowed_roles:_R_LOCAL_ROOT_ONLY | ||
| ~lifecycle:[(Published, "1.290.0", "Uninstall TLS CA certificate")] |
There was a problem hiding this comment.
Please add an entry to the lifecycle stating it has been modified
ocaml/idl/datamodel_pool.ml
Outdated
| , "force" | ||
| , "If true, remove the DB entry even if the file is non-existent" | ||
| ) | ||
| ] | ||
| ~allowed_roles:(_R_POOL_OP ++ _R_CLIENT_CERT) | ||
| ~lifecycle:[(Published, "1.290.0", "Uninstall TLS CA certificate")] |
There was a problem hiding this comment.
Please add an entry to the lifecycle, as in the other call
snwoods
force-pushed
the
private/stevenwo/CA-398341
branch
from
ad30824
to
12e4c1d
Compare
ocaml/xapi/certificates.ml
Outdated
| @@ -342,17 +345,21 @@ let host_install kind ~name ~cert = | |||
| (ExnHelper.string_of_exn e) ; | |||
| raise_library_corrupt () | |||
|
|
|||
| let host_uninstall kind ~name = | |||
| let host_uninstall ?(force = false) kind ~name = | |||
There was a problem hiding this comment.
| let host_uninstall ?(force = false) kind ~name = | |
| let host_uninstall kind ~name ~force = |
There's no need to make the parameter optional. Optional parameters complicate usage in some occasions, because of their interaction with currying; and they are really only useful in situations where compatibility needs to be maintained, or other contrived situations.
In cases where we control all the users, such as this one, it's better to use named arguments
There was a problem hiding this comment.
That's fair, I think I made it optional to reduce how many places were changed and because the cli call is optional and I didn't initially realise that it defaults to false when the option is not supplied. But that makes sense!
ocaml/xapi/certificates.ml
Outdated
| @@ -448,8 +456,9 @@ let pool_install kind ~__context ~name ~cert = | |||
| ) ; | |||
| raise exn | |||
|
|
|||
| let pool_uninstall kind ~__context ~name = | |||
| host_uninstall kind ~name ; pool_sync ~__context | |||
| let pool_uninstall ?(force = false) kind ~__context ~name = | |||
There was a problem hiding this comment.
| let pool_uninstall ?(force = false) kind ~__context ~name = | |
| let pool_uninstall kind ~__context ~name ~force = |
snwoods
force-pushed
the
private/stevenwo/CA-398341
branch
from
12e4c1d
to
ea59ccf
Compare
ocaml/idl/datamodel_host.ml
Outdated
| [ | ||
| (Published, "1.290.0", "Uninstall TLS CA certificate") | ||
| ; ( Changed | ||
| , "24.29.0" |
There was a problem hiding this comment.
@psafont Is this the correct thing to do? This is currently the correct version but it could change before release. Does this just need to be updated again before release or is there some way to auto-fill it? This only happens when you have lifecycle:[] right?
There was a problem hiding this comment.
These versions are painful to encode because they cannot be calculated atomatically, like the case of lyfecycle:[]. Right now, this should be 24.31.0 (because 24.30.0 has been released)
snwoods
force-pushed
the
private/stevenwo/CA-398341
branch
from
ea59ccf
to
8512a2e
Compare
ocaml/xapi/xapi.ml
Outdated
| @@ -1147,6 +1147,10 @@ let server_init () = | |||
| , [] | |||
| , fun () -> report_tls_verification ~__context | |||
| ) | |||
| ; ( "Update shared certificate's metadata" | |||
| , [Startup.OnlyMaster] | |||
| , fun () -> Certificates.Db_util.upgrade_ca_fingerprints ~__context | |||
There was a problem hiding this comment.
Is this a one-off upgrade case? That is, once you have the xapi version with this change in it and it has run once, you'll never need it anymore? Then it would better fit in xapi_db_upgrade.ml (bump the schema version and add a < rule).
ocaml/idl/datamodel_host.ml
Outdated
| (Ref _host, "host", "The host"); (String, "name", "The certificate name") | ||
| (Ref _host, "host", "The host") | ||
| ; (String, "name", "The certificate name") | ||
| ; ( Bool |
There was a problem hiding this comment.
I think this would break existing clients, because the new param does not have a default. Use ~versioned_params for that.
|
Can we pick this up again? @snwoods |
snwoods
force-pushed
the
private/stevenwo/CA-398341
branch
2 times, most recently
from
69cfd55
to
a210e11
Compare
ocaml/idl/datamodel_host.ml
Outdated
| param_type= Bool | ||
| ; param_name= "force" | ||
| ; param_doc= "Remove the DB entry even if the file is non-existent" | ||
| ; param_release= numbered_release "24.31.0" |
There was a problem hiding this comment.
Please make it 24.32.0, as we have 31 already released.
ocaml/xapi/xapi_db_upgrade.ml
Outdated
| let upgrade_ca_fingerprints = | ||
| { | ||
| description= "Upgrade the fingerprint fields for ca certificates" | ||
| ; version= (fun x -> x < (5, 779)) |
There was a problem hiding this comment.
Why 779? You have used 783 in the datamodel.
There was a problem hiding this comment.
Ah 779 was when the fingerprint_sha256 and fingerprint_sha1 fields were added, so I was thinking anything from that version should already have those fields populated, but of course if they'd previously upgraded from <779 they wouldn't have it, sorry.
| @@ -904,6 +904,66 @@ let upgrade_update_guidance = | |||
| ) | |||
| } | |||
|
|
|||
| let upgrade_ca_fingerprints = | |||
There was a problem hiding this comment.
This is dead code until you add the new function to the rules list below.
SHA256 and SHA1 certificates' fingerprints do not get populated when the database is upgraded, so empty values need to be detected and amended on startup. Signed-off-by: Pau Ruiz Safont <[email protected]> Signed-off-by: Steven Woods <[email protected]>
This allows the CA certificate to be removed from the DB even if the certificate file does not exist. Signed-off-by: Steven Woods <[email protected]>
snwoods
force-pushed
the
private/stevenwo/CA-398341
branch
from
a210e11
to
df94a76
Compare
|
Tested on a toolstack-next host and it worked as expected (updated the fingerprints when updating to this code, but didn't run the upgrade code from then on) |
|
Please remove my commit and rebase on top of master, then it should be good to go |
Also CP-51527: Add --force option to pool-uninstall-ca-certificate.
Addresses the issues raised here by @stormi #5955