[BUG] "Approve actions" list is empty #659

Open
benoiton opened this issue Sep 4, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@benoiton

benoiton commented Sep 4, 2024

There seems to be an issue with approval request listing.

Context

We have an approval profile enabled on a certificate profile for "Add/Edit End Entity".
It's a simple partition approval. It can be seen by anybody and one role "validator" can approve.
When an end entity is set to "new", mail is correctly sent.

Behavior

  • On /adminweb/approval/approvalactions.xhtml, no approval request is listed (with either superadmin or validator role).
  • On /ra/managerequests.xhtml?tab=to_approve, no approval request is listed (with either superadmin or validator role).
  • On /ra/managerequests.xhtml?tab=pending, superadmin can see the "Waiting for Approval" request, and validator sees nothing.
  • On /ra/managerequests.xhtml?tab=custom_search, the "Waiting for Approval" request is listed for superadmin and validator. The validator can review and approve.

Deployment

Software, EJBCA 8.2.0.1 and 8.3.2 Community

@benoiton benoiton added the bug Something isn't working label Sep 4, 2024
@benoiton
Author

benoiton commented Oct 8, 2024

Certificate approval is expected not to be shown on adminweb.

I found query.add(ApprovalMatch.MATCH_WITH_APPROVALTYPE, BasicMatch.MATCH_TYPE_EQUALS, Integer.toString(ApprovalDataVO.APPROVALTYPE_ACTIVATECATOKEN), Query.CONNECTOR_AND); in modules/admin-gui/src/org/ejbca/ui/web/admin/approval/ListApproveActionManagedBean.java.

Searching in release notes, it's bound to ECA-7391: since v7.5, only show CA-related approvals in CA Web (and vice versa).

I'm continuing my investigation of the RA behavior.

@benoiton
Author

benoiton commented Oct 9, 2024

Expected behavior?

In RaApprovalRequestInfo.java, I see:

/** Is waiting for someone else to do something */
public boolean isPending(final List<Role> roles) {
    return !isWaitingForMe(roles) && !isProcessed();
}

I understand "Pending Approval" is mutually exclusive with "To Approve".

The doc page Managing_Requests_in_the_RA_UI.html says different things about pending approval:

  • At the beginning of the page: "lists currently pending requests you have access to view, including those that you may approve yourself"
  • At the end of the page: "this tab displays the requests that you have made, and that are waiting for approval by another administrator"

The 2nd sentence seems to comply with the code. The first sentence should be corrected.

Real behavior

The RA behavior is unexpected:

  • The user who requested the new EE:
    • To approve: nothing => correct
    • Pending Approval: requested EE listed => correct
  • A user with the approval role:
    • To approve: nothing => bug
    • Pending Approval: nothing => correct
  • Another user without the approval role (with /ra_functionality/approve_end_entity/ right, but without the /endentityprofilesrules/NAME/approve_end_entity/ for the requested EE)
    • To approve: nothing => correct
    • Pending Approval: requested EE listed => bug or not, depending on the "pending" definition. (The user can see but not approve)

In RaManageRequestsBean.java, lines 185 to 193, the result is filtered. I don't understand why, since it was already filtered in RaMasterApiSessionBean.java, lines 937 to 947. When I remove this 2nd filtering in RaManageRequestsBean.java, the user with the approval role is correctly shown the request they have to approve (or not). My investigation shows the line is filtered by RaManageRequestsBean.java because raInfoMap is empty (line 185).

@primetomas
Collaborator

Hi Benoit,

Thanks for the discussion. Approvals are a bit tricky, but I'll try to make an approval run to look at this soon.

@hesunmark
Collaborator

Hi! I tried to reproduce this behavior but haven't managed to, so far. However, if the approving role ("validator" in your case) was added to the approval profile after the request was created, then users / admins of that role will not be able to approve the request or see it under the "To Approve" tab.

Perhaps a long-shot but worth a check. Could this be what happened in your case?

@benoiton
Author

benoiton commented Dec 4, 2024

Hello!
The request is created after the approver is in the approval profile. The approver is allowed to approve via the "Custom Search tab", even if the "To Approve" tab is empty.

I've just tested: an EE added in the approval profile after the approval workflow is created, can approve the workflow. It seems correct to me. AFAIK, it was a bug before 6.15.

@benoiton
Author

benoiton commented Dec 4, 2024

I've reproduced the issue from a new instance.

  • Create a CA "CN=MyCA" (1 year, P-256)
  • Create a cert profile "mycertprofile" ("server" clone, 1 mo validity, only on MyCA)
  • Create an EE profile "myeeprofile" (on mycertprofile and MyCA)
  • Create a role "approver" with:
    • /administrator/
    • /ca/MyCA/
    • /ca_functionality/approve_caaction/
    • /ca_functionality/create_certificate/
    • /ca_functionality/use_approval_request_id/
    • /ca_functionality/use_username/
    • /endentityprofilesrules/myeeprofile/approve_end_entity/
    • /ra_functionality/approve_end_entity/
  • Create an approval profile "workflow" (partitioned, approval by "approver" role, viewable by everybody)
  • Edit mycertprofile to set "Add/Edit End Entity" approval to "workflow"
  • Create an EE "CN=approver" with EMPTY profile on ManagementCA
  • Add "CN=approver" as member for "approver" role.
  • Retrieve "CN=approver" certificate and add it to a new browser profile.
  • With Superadmin, create an EE "CN=req" with "myeeprofile"
  • With "CN=approver", go and see /ejbca/ra/managerequests.xhtml?tab=to_approve: it's empty
  • With "CN=approver", go and see /ejbca/ra/managerequests.xhtml?tab=custom_search: the "req" request is listed and can be approved.

@hesunmark
Collaborator

Thanks for the detailed steps! I've been able to reproduce it.

It appears that granting the approver role /endentityprofilesrules/myeeprofile/view_end_entity/, in addition to the rules listed above, is required for the request to appear under "To Approve", which in a way makes sense. However, it's inconsistent with the listing under "Custom Search", since it's being displayed there in either case.

I'll raise a bug report internally to investigate the proper behavior and fix it.
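
Following on from the finding in the comment above, an added sketch (not part of the thread and not EJBCA code) that audits role rule lists for roles able to approve requests for an end entity profile while lacking view_end_entity on it. The function names, the input format, and the model in which a granted rule covers its sub-resources and deny rules are ignored are assumptions.

```python
# Added illustration; not EJBCA code. Flags roles that can approve requests for
# an end entity profile but lack the view rule the "To Approve" tab turned out to need.
APPROVE = "approve_end_entity"
VIEW = "view_end_entity"


def normalize(rule):
    """Return the rule with exactly one leading and one trailing slash."""
    core = rule.strip("/")
    return f"/{core}/" if core else "/"


def is_granted(granted_rules, resource):
    """Assumption: an accepted rule covers every sub-resource below it.
    Deny rules are not modelled."""
    resource = normalize(resource)
    return any(resource.startswith(normalize(r)) for r in granted_rules)


def find_hidden_approvers(roles, profiles):
    """Return sorted (role, profile) pairs that may approve but may not view."""
    findings = []
    for role, rules in roles.items():
        for profile in profiles:
            base = f"/endentityprofilesrules/{profile}/"
            can_approve = is_granted(rules, base + APPROVE)
            can_view = is_granted(rules, base + VIEW)
            if can_approve and not can_view:
                findings.append((role, profile))
    return sorted(findings)


# Constructed input. "approver" copies the rule list from the reproduction steps;
# the other two roles are hypothetical.
APPROVER_RULES = [
    "/administrator/",
    "/ca/MyCA/",
    "/ca_functionality/approve_caaction/",
    "/ca_functionality/create_certificate/",
    "/ca_functionality/use_approval_request_id/",
    "/ca_functionality/use_username/",
    "/endentityprofilesrules/myeeprofile/approve_end_entity/",
    "/ra_functionality/approve_end_entity/",
]
ROLES = {
    "approver": APPROVER_RULES,
    "approver-with-view": APPROVER_RULES + ["/endentityprofilesrules/myeeprofile/view_end_entity/"],
    "profile-admin": ["/endentityprofilesrules/myeeprofile/"],
}
```

Calling `find_hidden_approvers(ROLES, ["myeeprofile"])` reports only the "approver" role from the reproduction steps; the role with the extra view rule and the role holding the whole profile subtree are not flagged.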

@benoiton
Author

Did you notice the little doc issue?

In RaApprovalRequestInfo.java, I see:

/** Is waiting for someone else to do something */
public boolean isPending(final List<Role> roles) {
    return !isWaitingForMe(roles) && !isProcessed();
}

I understand "Pending Approval" is mutually exclusive with "To Approve".

The doc page Managing_Requests_in_the_RA_UI.html says different things about pending approval:

  • At the beginning of the page: "lists currently pending requests you have access to view, including those that you may approve yourself"
  • At the end of the page: "this tab displays the requests that you have made, and that are waiting for approval by another administrator"

The 2nd sentence seems to comply with the code. The first sentence should be corrected.

@hesunmark
Collaborator

"The 2nd sentence seems to comply with the code. The first sentence should be corrected."

I agree. Will update the documentation. It will be visible by the next release. Thank you!

3 participants