cainstance: add function to determine ca_renewal nickname

The ipa-cert-fix program needs to know where to put shared certificates. Extract the logic that computes the nickname from dogtag-ipa-ca-renew-agent to new subroutine cainstance.get_ca_renewal_nickname(). Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-03-22 15:22:21 +11:00 · 2019-03-22 15:22:21 +11:00 · c28a42e27e
commit c28a42e27e
parent a2a006c746
2 changed files with 28 additions and 14 deletions
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@ -85,20 +85,8 @@ def get_nickname():

    ca_subject_dn = ca.lookup_ca_subject(api, subject_base)

-    nickname_by_subject_dn = {
-        DN(ca_subject_dn): 'caSigningCert cert-pki-ca',
-        DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca',
-        DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca',
-        DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
-        DN('CN=KRA Audit', subject_base): 'auditSigningCert cert-pki-kra',
-        DN('CN=KRA Transport Certificate', subject_base):
-            'transportCert cert-pki-kra',
-        DN('CN=KRA Storage Certificate', subject_base):
-            'storageCert cert-pki-kra',
-        DN('CN=IPA RA', subject_base): 'ipaCert',
-    }
-
-    return nickname_by_subject_dn.get(DN(subject))
+    return cainstance.get_ca_renewal_nickname(
+        subject_base, ca_subject_dn, DN(subject))


 def is_replicated():
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -1619,6 +1619,32 @@ def update_authority_entry(cert):
    return __update_entry_from_cert(make_filter, make_entry, cert)


+def get_ca_renewal_nickname(subject_base, ca_subject_dn, sdn):
+    """
+    Get the nickname for storage in the cn_renewal container.
+
+    :param subject_base: Certificate subject base
+    :param ca_subject_dn: IPA CA subject DN
+    :param sdn: Subject DN
+    :return: string, or None if nickname cannot be determined.
+
+    """
+    assert isinstance(sdn, DN)
+    nickname_by_subject_dn = {
+        DN(ca_subject_dn): 'caSigningCert cert-pki-ca',
+        DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca',
+        DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca',
+        DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
+        DN('CN=KRA Audit', subject_base): 'auditSigningCert cert-pki-kra',
+        DN('CN=KRA Transport Certificate', subject_base):
+            'transportCert cert-pki-kra',
+        DN('CN=KRA Storage Certificate', subject_base):
+            'storageCert cert-pki-kra',
+        DN('CN=IPA RA', subject_base): 'ipaCert',
+    }
+    return nickname_by_subject_dn.get(sdn)
+
+
 def update_ca_renewal_entry(conn, nickname, cert):
    """
    Update the ca_renewal entry for the given nickname.