From 45fcdf153bdc1439cb35f6eb8ad7b3b5c488c6d8 Mon Sep 17 00:00:00 2001
From: Marco Fargetta <mfargett@redhat.com>
Date: Tue, 17 Oct 2023 10:33:16 +0200
Subject: [PATCH] Concert CSR file name to cert_id

---
 .github/workflows/ipa-clone-test.yml          | 12 +++------
 .../python/pki/server/deployment/__init__.py  | 27 +++++++++++++------
 base/server/python/pki/server/subsystem.py    |  4 ++-
 .../11.5.0/04-RemoveCertCSRfromConfig.py      | 20 +++++---------
 4 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/ipa-clone-test.yml b/.github/workflows/ipa-clone-test.yml
index c82f244a8f3..113868c3ecb 100644
--- a/.github/workflows/ipa-clone-test.yml
+++ b/.github/workflows/ipa-clone-test.yml
@@ -275,18 +275,12 @@ jobs:
 
       - name: Check CA CSR copied correctly 
         run: |
-          docker exec primary pki-server ca-config-find \
-          | grep -oP '^ca\.(\w*)\.nickname=(.*)$' \
-          | grep -v sslserver \
-          | sed -E 's/^ca\.(.*)\.nickname=(.*)$/\2/g' \
-          | tee listCerts
-          
           docker cp primary:/etc/pki/pki-tomcat/certs primary-certs
           docker cp secondary:/etc/pki/pki-tomcat/certs secondary-certs
 
-          while IFS="" read -r cert ; do \
-              diff "primary-certs/$cert.csr" "secondary-certs/$cert.csr" || exit 1 ; \
-              done < listCerts
+          diff primary-certs/ca_audit_signing.csr secondary-certs/ca_audit_signing.csr
+          diff primary-certs/ca_ocsp_signing.csr secondary-certs/ca_ocsp_signing.csr
+          diff primary-certs/ca_signing.csr secondary-certs/ca_signing.csr
 
       - name: Check CRL generation config
         run: |
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 4ab628cb4ed..e9f2a0f20d7 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -1438,10 +1438,10 @@ def import_master_config(self, subsystem):
         return master_config
 
     def store_master_cert_request(self, subsystem, key, csr):
-
-        nickname = subsystem.config.get(key.replace('.certreq', '.nickname'))
-
-        csr_path = os.path.join(self.instance.conf_dir, 'certs', nickname + '.csr')
+        cert_id = key.split('.')[1]
+        if cert_id != 'sslserver' and cert_id != 'subsystem':
+            cert_id = subsystem.name + '_' + cert_id
+        csr_path = os.path.join(self.instance.conf_dir, 'certs', cert_id + '.csr')
         try:
             self.file.create(csr_path)
             with open(csr_path, 'w', encoding='utf-8') as f:
@@ -1931,10 +1931,12 @@ def import_system_cert_request(self, subsystem, tag):
         if not os.path.exists(csr_path):
             raise Exception('Invalid path in %s: %s' % (param, csr_path))
 
-        cert_nickname = subsystem.config.get('%s.%s.nickname' % (subsystem.name, tag))
+        if tag != 'sslserver' and tag != 'subsystem':
+            tag = subsystem.name + '_' + cert_id
+
         self.file.copy(
             old_name=csr_path,
-            new_name=os.path.join(certs_folder, cert_nickname + '.csr'),
+            new_name=os.path.join(certs_folder, tag + '.csr'),
             overwrite_flag=True)
 
     def import_system_cert_requests(self, subsystem):
@@ -2727,7 +2729,11 @@ def create_cert_setup_request(self, subsystem, tag, cert):
 
         request.systemCert.requestType = 'pkcs10'
         try:
-            csr_path = os.path.join(self.instance.conf_dir, 'certs', cert.get('nickname') + '.csr')
+            if tag != 'sslserver' and tag != 'subsystem':
+                csr_name = subsystem.name + '_' + tag + '.csr'
+            else:
+                csr_name = tag + '.csr'
+            csr_path = os.path.join(self.instance.conf_dir, 'certs', csr_name)
             with open(csr_path, 'r', encoding='utf-8') as f:
                 csr_data = f.read()
                 request.systemCert.request = pki.nssdb.convert_csr(csr_data, 'pem', 'base64')
@@ -2882,9 +2888,14 @@ def generate_csr(self,
             shutil.move(csr_pathname, csr_path)
 
         certs_folder = os.path.join(self.instance.conf_dir, 'certs')
+        if tag != 'sslserver' and tag != 'subsystem':
+            csr_name = subsystem.name + '_' + tag + '.csr'
+        else:
+            csr_name = tag + '.csr'
+
         self.file.copy(
             old_name=csr_path,
-            new_name=os.path.join(certs_folder, cert_id + '.csr'),
+            new_name=os.path.join(certs_folder, csr_name),
             overwrite_flag=True)
 
     def create_cert_request(self, nssdb, tag, request):
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index 830f546bc4d..41abad2ce88 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
@@ -330,7 +330,9 @@ def update_system_cert(self, cert):
         self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token')
         certs_path = os.path.join(self.instance.conf_dir, 'certs')
         self.instance.makedirs(certs_path, exist_ok=True)
-        csr_file = os.path.join(certs_path, cert.get('nickname') + '.csr')
+        if cert_id != 'sslserver' and cert_id != 'subsystem':
+            cert_id = self.name + '_' + cert_id
+        csr_file = os.path.join(certs_path, cert_id + '.csr')
         with open(csr_file, "w", encoding='utf-8') as f:
             f.write(pki.nssdb.convert_csr(cert.get('request'), 'base64', 'pem'))
         os.chown(csr_file, self.instance.uid, self.instance.gid)
diff --git a/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py b/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py
index e64107b37fe..ca94c461d25 100644
--- a/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py
+++ b/base/server/upgrade/11.5.0/04-RemoveCertCSRfromConfig.py
@@ -25,28 +25,20 @@ def upgrade_subsystem(self, instance, subsystem):
         certs_path = os.path.join(instance.conf_dir, 'certs')
         instance.makedirs(certs_path, exist_ok=True)
         logger.info('Removing certs data')
-        if subsystem.name == 'ca':
-            self.clean_cert_csr('signing', subsystem, certs_path)
-            self.clean_cert_csr('ocsp_signing', subsystem, certs_path)
-        if subsystem.name == 'kra':
-            self.clean_cert_csr('storage', subsystem, certs_path)
-            self.clean_cert_csr('transport', subsystem, certs_path)
-        if subsystem.name == 'ocsp':
-            self.clean_cert_csr('signing', subsystem, certs_path)
-
-        self.clean_cert_csr('sslserver', subsystem, certs_path)
-        self.clean_cert_csr('subsystem', subsystem, certs_path)
-        self.clean_cert_csr('audit_signing', subsystem, certs_path)
+        certs = subsystem.find_system_certs()
+        for cert in certs:
+            self.clean_cert_csr(cert['id'], subsystem, certs_path)
 
         subsystem.save()
 
     def clean_cert_csr(self, tag, subsystem, dest_path):
         subsystem.config.pop('%s.%s.cert' % (subsystem.name, tag), None)
         cert_req = subsystem.config.pop('%s.%s.certreq' % (subsystem.name, tag), None)
-        nickname = subsystem.config.get('%s.%s.nickname' % (subsystem.name, tag))
+        if tag != 'sslserver' and tag != 'subsystem':
+            tag = subsystem.name + '_' + tag
         if cert_req:
             csr_data = pki.nssdb.convert_csr(cert_req, 'base64', 'pem')
-            csr_file = os.path.join(dest_path, nickname + '.csr')
+            csr_file = os.path.join(dest_path, tag + '.csr')
             with open(csr_file, 'w', encoding='utf-8') as f:
                 f.write(csr_data)
             os.chown(csr_file, subsystem.instance.uid, subsystem.instance.gid)