From 370fb9b1b3af5881373700b1505bda3e7ee9194d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 30 Nov 2023 13:26:34 +0700
Subject: [PATCH] Clean up default security domain params

The default security domain params in CS.cfg have been moved into PKIDeployer.setup_security_domain_manager() such that they will be added only if security domain setup is enabled in pkispawn.
---
.github/workflows/kra-standalone-test.yml | 10 ++--------
.github/workflows/ocsp-standalone-test.yml | 10 ++--------
base/ca/shared/conf/CS.cfg | 4 ----
base/server/python/pki/server/deployment/__init__.py | 9 +++++++++
4 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/kra-standalone-test.yml b/.github/workflows/kra-standalone-test.yml
index 348e8a83702..ca749ad456b 100644
--- a/.github/workflows/kra-standalone-test.yml
+++ b/.github/workflows/kra-standalone-test.yml
@@ -60,15 +60,9 @@ jobs:
- name: Check CA security domain
run: |
- # security domain should be disabled (i.e. no securitydomain.select=new)
- cat > expected << EOF
- securitydomain.checkIP=false
- securitydomain.checkinterval=300000
- securitydomain.flushinterval=86400000
- securitydomain.source=ldap
- EOF
+ # security domain should be disabled
docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
- diff expected actual
+ diff /dev/null actual
docker exec ca pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
docker exec ca pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
diff --git a/.github/workflows/ocsp-standalone-test.yml b/.github/workflows/ocsp-standalone-test.yml
index e16733663de..9113012d1c4 100644
--- a/.github/workflows/ocsp-standalone-test.yml
+++ b/.github/workflows/ocsp-standalone-test.yml
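Review bot: With the expected file gone, `grep ^securitydomain.` in the "Check CA security domain" step is now meant to match nothing, so grep exits 1 inside the pipeline; the step only passes because the job's default shell (`bash -e {0}` when no `shell:` is given) does not set `pipefail`, and if the step or job later gets `shell: bash`, which GitHub runs with `-o pipefail`, it would fail before `diff /dev/null actual` is reached. Stating the intent in the pipeline removes that dependency: `docker exec ca pki-server ca-config-find | { grep '^securitydomain\.' || true; } | sort | tee actual`. The unescaped `.` in `^securitydomain.` also matches any character rather than the literal dot, which the quoted form fixes. The ocsp-standalone-test.yml hunk below has the identical step and needs the same change.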
@@ -61,15 +61,9 @@ jobs:
- name: Check CA security domain
run: |
- # security domain should be disabled (i.e. no securitydomain.select=new)
- cat > expected << EOF
- securitydomain.checkIP=false
- securitydomain.checkinterval=300000
- securitydomain.flushinterval=86400000
- securitydomain.source=ldap
- EOF
+ # security domain should be disabled
docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
- diff expected actual
+ diff /dev/null actual
docker exec ca pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
docker exec ca pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 411ee9e578d..cbba23101b0 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -13,10 +13,6 @@ authType=pwd
admin.interface.uri=ca/admin/console/config/wizard
ee.interface.uri=ca/ee/ca
agent.interface.uri=ca/agent/ca
-securitydomain.checkIP=false
-securitydomain.flushinterval=86400000
-securitydomain.source=ldap
-securitydomain.checkinterval=300000
machineName=[pki_hostname]
instanceId=[pki_instance_name]
pidDir=/var/run/pki/tomcat
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 8f07aceffbe..4a3949fe1b7 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -2624,6 +2624,8 @@ def setup_security_domain_manager(self, subsystem):
subsystem.create_security_domain(name=sd_name)
+ domain_manager = True
+
logger.info('Adding security domain manager')
subsystem.add_security_domain_subsystem(
self.mdict['pki_subsystem_name'],
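Review bot: `domain_manager = True` is assigned right after `subsystem.create_security_domain(name=sd_name)`, and the next hunk (`@@ -2633`) then reads `if domain_manager:`; unless the flag is initialised earlier in setup_security_domain_manager (the method's start is outside this hunk), any path that skips this assignment reaches that test with an unbound local and raises `UnboundLocalError`. Initialising it once before the branch that creates the domain, `domain_manager = False`, makes the later check safe on every path. Within the visible lines the flag is set and tested in straight-line code, so a short comment on the assignment, e.g. `# this instance becomes the domain manager; the session params below depend on it`, would tell the next reader why it is a variable at all.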
@@ -2633,6 +2635,13 @@ def setup_security_domain_manager(self, subsystem):
secure_port=proxySecurePort,
domain_manager=True)
+ if domain_manager:
+ logger.info('Adding security domain sessions')
+ subsystem.config['securitydomain.checkIP'] = 'false'
+ subsystem.config['securitydomain.checkinterval'] = '300000'
+ subsystem.config['securitydomain.flushinterval'] = '86400000'
+ subsystem.config['securitydomain.source'] = 'ldap'
+
def pki_connect(self):
ca_cert = os.path.join(self.instance.nssdb_dir, "ca.crt")
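Review bot: The four `subsystem.config['securitydomain.*'] = ...` assignments overwrite any value already present in the subsystem config, so if pkispawn allows these keys to be pre-seeded (for instance a different `securitydomain.checkIP` setting chosen by the operator), that choice is silently reset to the old CS.cfg defaults at this point; if preserving overrides is intended, `setdefault` (when `subsystem.config` is a plain dict) keeps existing values and only fills in the missing ones. The values are carried over unchanged from the lines removed in the CS.cfg hunk, which is worth saying in a comment above the block, e.g. `# former CS.cfg defaults, written only when this instance is the security domain manager`, since the log message 'Adding security domain sessions' does not say what these keys govern. setup_security_domain_manager starts outside this hunk.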