[OpenXPKI-users] Create a Custom Role for signing/revoking certificates

[Cho Chan]

Hello list,

I am trying to create a custom role (like 'SA Operator') to be used only
for signing/revoking/searching certificates.

My steps are:
1. Create a custom role in '/etc/openxpki/config.d/realm/testca/roles.yaml'
2. Create proper connector, handler and stack for the custom role
3. Create '/etc/openxpki/config.d/realm/testca/uicontrol/SA Operator'
directory with configs for needed menus/actions
4. Add the role to the 'acl' object in the needed workflows in
'/etc/openxpki/config.d/realm/testca/workflow/def'
- certificate_signing_request_v2.yaml
- certificate_revocation_request_v2.yaml
- metadata workflows
- etc.

For now I am able to login with a user mapped to the custom 'SA Operator'
role. I can see all the defined menus, I can search for certificates, I can
see workflows, I can check CSR(s), but I am having problems when the user
has to approve/reject a certificate.

My tests are:
1. A user mapped to 'User' role uploads a CSR -> workflow goes to PENDING
2. A user mapped to 'SA Operator' role goes to My Tasks and see the PENDING
task/workflow
- when it opens the task -> only the recheck status button is visible

After some troubleshooting I found out that I have to add the custom role
in
'/etc/openxpki/config.d/realm/testca/workflow/global/condition/is_operator.yaml'.
After that the user is able to see also the buttons for approve/reject,
edit custom metadata, etc.

- when the user click on the Approve button -> nothing happens

in the logs I am seeing:

2024/08/19 15:10:07 openxpki.application.INFO Unsigned approval for
workflow 6911 by user XXXXXXXXX, role SA Operator
[pid=223036|sid=w1oa|rid=561037963ce0|wftype=certificate_signing_request_v2|wfid=6911]
2024/08/19 15:10:07 openxpki.audit.approval.INFO operator approval
givenHASH(0x55d238cbe028)
[pid=223036|sid=w1oa|rid=561037963ce0|wftype=certificate_signing_request_v2|wfid=6911]

I did a little digging in 'certificate_signing_request_v2.yaml' workflow
and found out

    CHECK_APPROVALS:
        autorun: 1
        action:
          - notify_approval > APPROVED ? is_approved
          - global_noop > NOTIFY_CSR_PENDING ?  !is_approved

 condition:
    # If you want a 4-eyes approval, just add a second "RA Operator"
    # e.g. "role: RA Operator, RA Operator" - you should add also
    # add current approval count to the output in the relevant states
    is_approved:
        class: OpenXPKI::Server::Workflow::Condition::Approved
        param:
            role: RA Operator

When I change the role to be 'SA Operator' -> user is able to approve the
request, but then a user mapped to 'RA Operator' role is not able to
approve the request.

Is there a way how I can make it work for users mapped to 'RA Operator' OR
'SA Operator' roles?

Regards,
Cho


_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users