Clean up ca.crl.MasterCRL.enable configuration

The code that configures ca.crl.MasterCRL.enable has been moved into PKIDeployer.finalize_ca(). The IPA clone test has been modified to validate the param. A temporarily fix was added due to pending changes in IPA: freeipa/freeipa#6971
dogtagpki · Oct 25, 2023 · 56addd2 · 56addd2
1 parent 1e50c67
commit 56addd2
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 6 deletions.
diff --git a/.github/workflows/ipa-clone-test.yml b/.github/workflows/ipa-clone-test.yml
@@ -330,14 +330,20 @@ jobs:
           docker exec primary pki-server ca-config-find | grep ca.crl.MasterCRL
 
           # normalize expected result:
-          # - CRL cache and CRL updates should be disabled in primary CA
-          sed -e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=false/' \
+          # - CRL, cache, and updates should be disabled in primary CA
+          sed -e 's/^\(ca.crl.MasterCRL.enable\)=.*$/\1=false/' \
+              -e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=false/' \
               -e 's/^\(ca.crl.MasterCRL.enableCRLUpdates\)=.*$/\1=false/' \
               CS.cfg.primary.after-renewal-update \
               | sort > expected
 
           # normalize actual result
-          sort CS.cfg.primary.after-crl-update > actual
+          # - temporarily change ca.crl.MasterCRL.enable to false
+          #   TODO: remove this change once the following PR is merged:
+          #   https://github.com/freeipa/freeipa/pull/6971
+          sed -e 's/^\(ca.crl.MasterCRL.enable\)=.*$/\1=false/' \
+              CS.cfg.primary.after-crl-update \
+              | sort > actual
 
           diff expected actual
 
@@ -349,8 +355,9 @@ jobs:
           docker exec secondary pki-server ca-config-find | grep ca.crl.MasterCRL
 
           # normalize expected result:
-          # - CRL cache and CRL updates should be enabled in secondary CA
-          sed -e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=true/' \
+          # - CRL, cache, and updates should be enabled in secondary CA
+          sed -e 's/^\(ca.crl.MasterCRL.enable\)=.*$/\1=true/' \
+              -e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=true/' \
               -e 's/^\(ca.crl.MasterCRL.enableCRLUpdates\)=.*$/\1=true/' \
               CS.cfg.secondary.after-renewal-update \
               | sort > expected

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
@@ -535,7 +535,7 @@ ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
 ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
 ca.crl.MasterCRL.dailyUpdates=1:00
 ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
-ca.crl.MasterCRL.enable=[pki_master_crl_enable]
+ca.crl.MasterCRL.enable=true
 ca.crl.MasterCRL.enableCRLCache=true
 ca.crl.MasterCRL.enableCRLUpdates=true
 ca.crl.MasterCRL.enableCacheTesting=false

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -4395,6 +4395,13 @@ def setup_shared_secret(self, subsystem):
 
     def finalize_ca(self, subsystem):
 
+        if config.str2bool(self.mdict['pki_master_crl_enable']):
+            logger.info('Enabling CRL')
+            subsystem.config['ca.crl.MasterCRL.enable'] = 'true'
+        else:
+            logger.info('Disabling CRL')
+            subsystem.config['ca.crl.MasterCRL.enable'] = 'false'
+
         clone = self.configuration_file.clone
 
         if clone: