
[BUG] "Approve actions" list is empty

Open benoiton opened this issue 1 year ago • 3 comments

There seems to be an issue with approval request listing.

Context

We have an approval profile enabled on a certificate profile for "Add/Edit End Entity". It's a simple partition approval. It can be seen by anybody and one role "validator" can approve. When an end entity is set to "new", mail is correctly sent.

Behavior

  • On /adminweb/approval/approvalactions.xhtml, no approval request is listed (with either superadmin or validator role).
  • On /ra/managerequests.xhtml?tab=to_approve, no approval request is listed (with either superadmin or validator role).
  • On /ra/managerequests.xhtml?tab=pending, superadmin can see the "Waiting for Approval" request, and validator see nothing.
  • On /ra/managerequests.xhtml?tab=custom_search, the "Waiting for Approval" request is listed for superadmin and validator. The validator can review and approve.

Deployment

Software, EJBCA 8.2.0.1 and 8.3.2 Community

benoiton avatar Sep 04 '24 15:09 benoiton

Certificate approval is expected not to be shown on adminweb.

I found query.add(ApprovalMatch.MATCH_WITH_APPROVALTYPE, BasicMatch.MATCH_TYPE_EQUALS, Integer.toString(ApprovalDataVO.APPROVALTYPE_ACTIVATECATOKEN), Query.CONNECTOR_AND); in modules/admin-gui/src/org/ejbca/ui/web/admin/approval/ListApproveActionManagedBean.java.

Searching in release notes, it's bound to ECA-7391: since v7.5, only show CA-related approvals in CA Web (and vice versa).

I am continuing my investigation of the RA behavior.

benoiton avatar Oct 08 '24 09:10 benoiton

Expected behavior?

In RaApprovalRequestInfo.java, I see:

/** Is waiting for someone else to do something */
public boolean isPending(final List<Role> roles) {
    return !isWaitingForMe(roles) && !isProcessed();
}

I understand "Pending Approval" is mutually exclusive with "To Approve".

The doc page Managing_Requests_in_the_RA_UI.html says different things about pending approval:

  • At the beginning of the page: "lists currently pending requests you have access to view, including those that you may approve yourself"
  • At the end of the page: "this tab displays the requests that you have made, and that are waiting for approval by another administrator"

The 2nd sentence seems to comply with the code. The first sentence should be corrected.

Real behavior

The RA behavior is unexpected:

  • The user who requested the new EE:
    • To approve: nothing => correct
    • Pending Approval: requested EE listed => correct
  • A user with the approval role:
    • To approve: nothing => bug
    • Pending Approval: nothing => correct
  • Another user without the approval role (with the /ra_functionality/approve_end_entity/ right, but without /endentityprofilesrules/NAME/approve_end_entity/ for the requested EE):
    • To approve: nothing => correct
    • Pending Approval: requested EE listed => bug or not, depending on the "pending" definition. (The user can see but not approve)

In RaManageRequestsBean.java, lines 185 to 193, the result is filtered. I don't understand why, since it was already filtered in RaMasterApiSessionBean.java, lines 937 to 947. When I remove this 2nd filtering in RaManageRequestsBean.java, the user with the approval role is correctly shown the request they have to approve (or not). My investigation shows the line is filtered out by RaManageRequestsBean.java because raInfoMap is empty (line 185).

benoiton avatar Oct 09 '24 18:10 benoiton

Hi Benoit,

Thanks for the discussion. Approvals are a bit tricky, but I'll try to make an approval run to look at this soon.

primetomas avatar Oct 21 '24 11:10 primetomas

Hi! I tried to reproduce this behavior but haven't managed to, so far. However, if the approving role ("validator" in your case) was added to the approval profile after the request was created, then users / admins of that role will not be able to approve the request or see it under the "To Approve" tab.

Perhaps a long-shot but worth a check. Could this be what happened in your case?

hesunmark avatar Dec 03 '24 13:12 hesunmark

Hello! The request is created after the approver is in the approval profile. The approver is allowed to approve via the "Custom Search tab", even if the "To Approve" tab is empty.

I've just tested: an EE added to the approval profile after the approval workflow is created can approve the workflow. It seems correct to me. AFAIK, it was a bug before 6.15.

benoiton avatar Dec 04 '24 17:12 benoiton

I've reproduced the issue from a new instance.

  • Create a CA "CN=MyCA" (1 year, P-256)
  • Create a cert profile "mycertprofile" ("server" clone, 1 mo validity, only on MyCA)
  • Create an EE profile "myeeprofile" (on mycertprofile and MyCA)
  • Create a role "approver" with:
    • /administrator/
    • /ca/MyCA/
    • /ca_functionality/approve_caaction/
    • /ca_functionality/create_certificate/
    • /ca_functionality/use_approval_request_id/
    • /ca_functionality/use_username/
    • /endentityprofilesrules/myeeprofile/approve_end_entity/
    • /ra_functionality/approve_end_entity/
  • Create an approval profile "workflow" (partitioned, approval by "approver" role, viewable by everybody)
  • Edit mycertprofile to set "Add/Edit End Entity" approval to "workflow"
  • Create an EE "CN=approver" with EMPTY profile on ManagementCA
  • Add "CN=approver" as member for "approver" role.
  • Retrieve "CN=approver" certificate and add it to a new browser profile.
  • With Superadmin, create an EE "CN=req" with "myeeprofile"
  • With "CN=approver", go and see /ejbca/ra/managerequests.xhtml?tab=to_approve: it's empty
  • With "CN=approver", go and see /ejbca/ra/managerequests.xhtml?tab=custom_search: the "req" request is listed and can be approved.

benoiton avatar Dec 04 '24 17:12 benoiton

Thanks for the detailed steps! I've been able to reproduce it.

It appears that granting the approver role /endentityprofilesrules/myeeprofile/view_end_entity/ in addition to the rules listed above is required for the request to appear under "To Approve", which in a way makes sense. However, it's inconsistent with the listing under "Custom Search", since it's being displayed there in either case.

I'll raise a bug report internally to investigate the proper behavior and fix it.

hesunmark avatar Dec 17 '24 14:12 hesunmark
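As an added illustration (not EJBCA code), the following model encodes the tab semantics discussed in this thread: the isPending() logic quoted above, the access rules from the reproduction steps, and the observation that "To Approve" additionally needed view_end_entity while "Custom Search" did not. The rule strings follow the page; the functions, the Role/ApprovalRequest classes and the exact check in can_approve are assumptions made for the model.

```python
from dataclasses import dataclass
RA_APPROVE = "/ra_functionality/approve_end_entity/"

def ee_rule(profile, action):
    # Access rule path for an action on an end entity profile
    return f"/endentityprofilesrules/{profile}/{action}/"

@dataclass(frozen=True)
class Role:
    name: str
    rules: frozenset

@dataclass(frozen=True)
class ApprovalRequest:
    requester: str              # admin who created the end entity
    ee_profile: str
    approver_roles: frozenset   # role names listed in the approval profile
    processed: bool = False

def can_approve(req, roles):
    # Hypothetical model: a role listed in the approval profile that holds both the
    # RA-level and the profile-specific approve_end_entity rule may approve
    return any(r.name in req.approver_roles and RA_APPROVE in r.rules
               and ee_rule(req.ee_profile, "approve_end_entity") in r.rules
               for r in roles)

def can_view(req, admin, roles):
    # The requester sees their own request; others need view_end_entity on the profile
    return admin == req.requester or any(
        ee_rule(req.ee_profile, "view_end_entity") in r.rules for r in roles)

def is_waiting_for_me(req, admin, roles, require_view):
    # "To Approve" in the thread also needed view_end_entity; "Custom Search" did not
    return (not req.processed and can_approve(req, roles)
            and (can_view(req, admin, roles) or not require_view))

def is_pending(req, admin, roles, require_view):
    # Mirrors isPending(): waiting for someone else, i.e. not for me and not processed
    return not is_waiting_for_me(req, admin, roles, require_view) and not req.processed

def tabs_showing(req, admin, roles):
    # Set of RA UI tabs in which this admin would see the request
    shown = set()
    if is_waiting_for_me(req, admin, roles, require_view=True):
        shown.add("to_approve")
    if is_pending(req, admin, roles, require_view=True) and can_view(req, admin, roles):
        shown.add("pending")
    if is_waiting_for_me(req, admin, roles, require_view=False) or can_view(req, admin, roles):
        shown.add("custom_search")
    return shown
```

With the "approver" role from the reproduction steps (no view_end_entity), tabs_showing returns only custom_search, which is the reported symptom; adding the view rule moves the request into to_approve.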

Did you notice the little doc issue?

In RaApprovalRequestInfo.java, I see:

/** Is waiting for someone else to do something */
public boolean isPending(final List<Role> roles) {
    return !isWaitingForMe(roles) && !isProcessed();
}

I understand "Pending Approval" is mutually exclusive with "To Approve".

The doc page Managing_Requests_in_the_RA_UI.html says different things about pending approval:

  • At the beginning of the page: "lists currently pending requests you have access to view, including those that you may approve yourself"
  • At the end of the page: "this tab displays the requests that you have made, and that are waiting for approval by another administrator"

The 2nd sentence seems to comply with the code. The first sentence should be corrected.

benoiton avatar Dec 17 '24 14:12 benoiton

The 2nd sentence seems to comply with the code. The first sentence should be corrected.

I agree. Will update the documentation. It will be visible by the next release. Thank you!

hesunmark avatar Dec 17 '24 14:12 hesunmark