From b1e72cb12e3b0357edfb37652e564529528271a9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Feb 15 2021 07:57:07 +0000
Subject: Add versions to the ACME config templates and update on upgrade

Put the ACME config files under normal IPA versioning so we can more seamlessly do updates to them.

Signed-off-by: Rob Crittenden
https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/install/share/pki-acme-configsources.conf.template b/install/share/pki-acme-configsources.conf.template
index f82ac21..20555f6 100644
--- a/install/share/pki-acme-configsources.conf.template
+++ b/install/share/pki-acme-configsources.conf.template
@@ -1,2 +1,3 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 engine.class=org.dogtagpki.acme.server.ACMEEngineConfigFileSource
 engine.filename=/etc/pki/pki-tomcat/acme/engine.conf
diff --git a/install/share/pki-acme-database.conf.template b/install/share/pki-acme-database.conf.template
index 4341523..91e56d8 100644
--- a/install/share/pki-acme-database.conf.template
+++ b/install/share/pki-acme-database.conf.template
@@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 class=org.dogtagpki.acme.database.LDAPDatabase
 basedn=ou=acme,o=ipaca
 configFile=/etc/pki/pki-tomcat/ca/CS.cfg
diff --git a/install/share/pki-acme-engine.conf.template b/install/share/pki-acme-engine.conf.template
index 7085cd7..b6f658d 100644
--- a/install/share/pki-acme-engine.conf.template
+++ b/install/share/pki-acme-engine.conf.template
@@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 # Parameters read by ACMEEngineConfigFileSource, i.e. these are
 # expected to be in the file pointed to by the 'filename' directive
 # above.
diff --git a/install/share/pki-acme-issuer.conf.template b/install/share/pki-acme-issuer.conf.template
index 968d08f..5f7bcd0 100644
--- a/install/share/pki-acme-issuer.conf.template
+++ b/install/share/pki-acme-issuer.conf.template
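Review bot: The VERSION marker becomes the first line of four templates (configsources, database and engine in this span, issuer and realm on the next) and, except for pki-acme-engine.conf.template, none of them visibly contained a comment line before, so the change relies on every consumer of the rendered files treating a leading `#` line as a comment. These are presumably loaded as Java properties files by the ACME engine, where `#` does start a comment, but that should be confirmed per loader, since a rejected line here would surface in the ACME responder at runtime rather than in the installer. A short note on why the numbering starts at 2 instead of 1 would also help the next person bumping it, e.g. in the commit message or next to the marker: `# VERSION 2 - DO NOT REMOVE THIS LINE` followed by a one-line explanation of what version the pre-existing, unversioned files are treated as.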
@@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 class=org.dogtagpki.acme.issuer.PKIIssuer
 url=https://$FQDN:8443
 profile=acmeIPAServerCert
diff --git a/install/share/pki-acme-realm.conf.template b/install/share/pki-acme-realm.conf.template
index 2e9c160..e26e870 100644
--- a/install/share/pki-acme-realm.conf.template
+++ b/install/share/pki-acme-realm.conf.template
@@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 authType=BasicAuth
 class=org.dogtagpki.acme.realm.DSRealm
 groupsDN=ou=groups,o=ipaca
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8196e3d..e632fdc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -77,6 +77,15 @@ ACME_AGENT_GROUP = 'Enterprise ACME Administrators'
 PROFILES_DN = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
+ACME_CONFIG_FILES = (
+    ('pki-acme-configsources.conf.template',
+     paths.PKI_ACME_CONFIGSOURCES_CONF),
+    ('pki-acme-database.conf.template', paths.PKI_ACME_DATABASE_CONF),
+    ('pki-acme-engine.conf.template', paths.PKI_ACME_ENGINE_CONF),
+    ('pki-acme-issuer.conf.template', paths.PKI_ACME_ISSUER_CONF),
+    ('pki-acme-realm.conf.template', paths.PKI_ACME_REALM_CONF),
+)
+
 def check_ports():
     """Check that dogtag ports (8080, 8443) are available.
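Review bot: ACME_CONFIG_FILES is promoted to a module-level constant that a second module (server/upgrade.py, later in this diff) now iterates, but it carries no comment saying what the pairs are or that one of the rendered files is sensitive: upgrade.py reads the `password` directive back out of paths.PKI_ACME_ISSUER_CONF, so the issuer file holds the ACME agent credential. A comment above the tuple would keep both writers aligned on how the rendered files are handled, e.g. `# (template name under paths.USR_SHARE_IPA_DIR, rendered target path) pairs. Shared with server/upgrade.py; the issuer file is rendered with the ACME agent password, so anything that writes it must keep it unreadable to other users.` The blank-line context around the new constant is not visible here, so I cannot tell whether the single added blank line leaves two blank lines before `def check_ports()` as the rest of the module presumably expects.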
@@ -1524,20 +1533,12 @@ class CAInstance(DogtagInstance):
         ipautil.run(['pki-server', 'acme-create'])
         # write configuration files
-        files = [
-            ('pki-acme-configsources.conf.template',
-             paths.PKI_ACME_CONFIGSOURCES_CONF),
-            ('pki-acme-database.conf.template', paths.PKI_ACME_DATABASE_CONF),
-            ('pki-acme-engine.conf.template', paths.PKI_ACME_ENGINE_CONF),
-            ('pki-acme-issuer.conf.template', paths.PKI_ACME_ISSUER_CONF),
-            ('pki-acme-realm.conf.template', paths.PKI_ACME_REALM_CONF),
-        ]
         sub_dict = dict(
             FQDN=self.fqdn,
             USER=acme_user,
             PASSWORD=password,
         )
-        for template_name, target in files:
+        for template_name, target in ACME_CONFIG_FILES:
             template_filename = \
                 os.path.join(paths.USR_SHARE_IPA_DIR, template_name)
             filled = ipautil.template_file(template_filename, sub_dict)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index af8eb45..a5f96c8 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1526,6 +1526,26 @@ def bind_old_upgrade_states():
         sysupgrade.remove_upgrade_state("dns", state)
+def ca_update_acme_configuration(ca, fqdn):
+    """
+    Re-apply the templates in case anyting has been updated.
+    """
+    password = directivesetter.get_directive(
+        paths.PKI_ACME_ISSUER_CONF,
+        'password',
+        separator='=')
+    acme_user = ca.acme_uid(fqdn)
+    sub_dict = dict(
+        FQDN=fqdn,
+        USER=acme_user,
+        PASSWORD=password,
+    )
+    for template_name, target in cainstance.ACME_CONFIG_FILES:
+        upgrade_file(sub_dict, target,
+                     os.path.join(paths.USR_SHARE_IPA_DIR,
+                                  template_name))
+
+
 def upgrade_configuration():
     """
     Execute configuration upgrade of the IPA services
@@ -1797,6 +1817,7 @@ def upgrade_configuration():
         ca.setup_lightweight_ca_key_retrieval()
         cainstance.ensure_ipa_authority_entry()
         ca.setup_acme()
+        ca_update_acme_configuration(ca, fqdn)
         ca_initialize_hsm_state(ca)
         migrate_to_authselect()
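Review bot: ca_update_acme_configuration reads the `password` directive from paths.PKI_ACME_ISSUER_CONF with no check that the file exists or that the directive is present, yet the call added in the last hunk of this file runs unconditionally right after ca.setup_acme(); on a CA where the ACME files were never written, or where the directive is absent, `password` is None (or get_directive raises — its contract is not visible in this diff) and every template would be re-rendered with the literal string `None` where the credential belongs, silently breaking ACME issuance on the next start. A guard before the read, `if not os.path.exists(paths.PKI_ACME_ISSUER_CONF): return`, plus a `RuntimeError` (or a logged skip) when password is None, would make that failure explicit. The docstring has a typo and could name the side effect; I would replace it with `Re-render the ACME config files in cainstance.ACME_CONFIG_FILES from their templates, keeping the ACME agent password already stored in the issuer config.` Because the issuer file carries that password, also confirm that upgrade_file's rewrite, and any backup copy it keeps of the old version, preserves the original file's mode and ownership so the credential is not exposed more widely after an upgrade.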