From 560ee3c0b512cbb8cdc4099a81204e745a515f7c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Oct 04 2017 08:09:18 +0000
Subject: certmonger: add support for MS V2 template
Update certmonger.resubmit_request() and .modify() to support specifying the Microsoft V2 certificate template extension. This feature was introduced in certmonger-0.79.5 so bump the minimum version in the spec file.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6d992ba..8b7f179 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -320,8 +320,7 @@ Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
-# certmonger-0.79.4-2 fixes newlines in PEM files
-Requires(pre): certmonger >= 0.79.4-2
+Requires(pre): certmonger >= 0.79.5-1
 Requires(pre): 389-ds-base >= 1.3.5.14
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
@@ -540,8 +539,7 @@ Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.14.0
 Requires: python-sssdconfig
-# certmonger-0.79.4-2 fixes newlines in PEM files
-Requires: certmonger >= 0.79.4-2
+Requires: certmonger >= 0.79.5-1
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 2c37899..e52005c 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -507,23 +507,36 @@ def stop_tracking(secdir=None, request_id=None, nickname=None, certfile=None):
     request.parent.obj_if.remove_request(request.path)
 
 
-def modify(request_id, ca=None, profile=None):
+def modify(request_id, ca=None, profile=None, template_v2=None):
     update = {}
     if ca is not None:
         cm = _certmonger()
         update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
     if profile is not None:
         update['template-profile'] = profile
+    if template_v2 is not None:
+        update['template-ms-certificate-template'] = template_v2
+
     if len(update) > 0:
         request = _get_request({'nickname': request_id})
         request.obj_if.modify(update)
 
 
-def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
+def resubmit_request(
+        request_id,
+        ca=None,
+        profile=None,
+        template_v2=None,
+        is_ca=False):
     """
     :param request_id: the certmonger numeric request ID
     :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
-    :param profile: the dogtag template profile to use, e.g. SubCA
+    :param profile: the profile to use, e.g. SubCA. For requests using the
+        Dogtag CA, this is the profile to use. This also causes
+        the Microsoft certificate tempalte name extension to the
+        CSR (for telling AD CS what template to use).
+    :param template_v2: Microsoft V2 template specifier extension value.
+        Format: :[:]
     :param is_ca: boolean that if True adds the CA basic constraint
     """
     request = _get_request({'nickname': request_id})
@@ -534,6 +547,8 @@ def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
         update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
     if profile is not None:
         update['template-profile'] = profile
+    if template_v2 is not None:
+        update['template-ms-certificate-template'] = template_v2
     if is_ca:
         update['template-is-ca'] = True
         update['template-ca-path-length'] = -1 # no path length
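Review bot: The new resubmit_request docstring has a typo and a sentence missing its verb: `tempalte` should be `template`, and "This also causes the Microsoft certificate template name extension to the CSR" should read `This also causes the Microsoft certificate template name extension to be added to the CSR`. The `Format:` line of the template_v2 description reads `:[:]` as shown here, which looks like angle-bracketed placeholders lost in rendering; confirm the committed text spells the fields out, e.g. `Format: <oid>:<major-version>[:<minor-version>]`. modify() gains the same template_v2 parameter but still has no docstring; a one-liner such as `"""Update the CA, profile and/or MS V2 template of an existing tracking request; no-op when no change is given."""` would cover it. Neither function checks the shape of template_v2 before passing it to certmonger over D-Bus, so a malformed specifier would presumably only be reported by certmonger or by the CA later; if an early, clear error is preferred, a small format check where the parameter is accepted would give it.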
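Review bot: The three `if ... is not None` blocks that fill `update` from ca, profile and template_v2 are now duplicated verbatim between modify() in the previous hunk and resubmit_request() here, so every future request property has to be added in two places. Factoring them into a module-level helper that both functions call keeps the two paths from drifting; a sketch is below. resubmit_request's body starts in the previous hunk and continues past the end of this one, so its `update = {}` initialization and the final certmonger call are not visible here and would need the matching adjustment.
```python
def _template_updates(ca=None, profile=None, template_v2=None):
    """Return the certmonger request properties selected by the given
    CA nickname, profile name and MS V2 template specifier.  Arguments
    left as None are omitted from the result."""
    update = {}
    if ca is not None:
        cm = _certmonger()
        update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
    if profile is not None:
        update['template-profile'] = profile
    if template_v2 is not None:
        update['template-ms-certificate-template'] = template_v2
    return update

# in resubmit_request(), replacing the ca/profile/template_v2 blocks:
    update = _template_updates(ca, profile, template_v2)
    # … unchanged: is_ca handling and the rest of the function …
```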