Support the certmonger nss-user option

Some certificate operations need to be executed as a specific
user so that underlying files will have the correct ownership.
certmonger normally runs as root. The nss-user option defines
a user to switch to when saving NSS certificates, so that if a
software token (e.g. SoftHSM) is used, the files created will be
owned by the token owner.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden
2022-09-30 11:17:22 -04:00
parent bb8dd0bfcd
commit cba3094c9a
3 changed files with 21 additions and 5 deletions


@@ -351,7 +351,8 @@ def request_and_wait_for_cert(
certpath, subject, principal, nickname=None, passwd_fname=None,
dns=None, ca='IPA', profile=None,
pre_command=None, post_command=None, storage='NSSDB', perms=None,
resubmit_timeout=0, stop_tracking_on_error=False):
resubmit_timeout=0, stop_tracking_on_error=False,
nss_user=None):
"""Request certificate, wait and possibly resubmit failing requests
Submit a cert request to certmonger and wait until the request has
@@ -366,7 +367,7 @@ def request_and_wait_for_cert(
"""
req_id = request_cert(
certpath, subject, principal, nickname, passwd_fname, dns, ca,
profile, pre_command, post_command, storage, perms
profile, pre_command, post_command, storage, perms, nss_user
)
# Don't wait longer than resubmit timeout if it is configured
certmonger_timeout = api.env.certmonger_wait_timeout
@@ -419,7 +420,8 @@ def request_and_wait_for_cert(
def request_cert(
certpath, subject, principal, nickname=None, passwd_fname=None,
dns=None, ca='IPA', profile=None,
pre_command=None, post_command=None, storage='NSSDB', perms=None):
pre_command=None, post_command=None, storage='NSSDB', perms=None,
nss_user=None):
"""
Execute certmonger to request a server certificate.
@@ -458,6 +460,8 @@ def request_cert(
request_parameters['KEY_PIN_FILE'] = passwd_fname
if profile:
request_parameters['ca-profile'] = profile
if nss_user:
request_parameters['nss-user'] = nss_user
certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
if pre_command:
@@ -489,7 +493,7 @@ def request_cert(
def start_tracking(
certpath, ca='IPA', nickname=None, pin=None, pinfile=None,
pre_command=None, post_command=None, profile=None, storage="NSSDB",
token_name=None, dns=None):
token_name=None, dns=None, nss_user=None):
"""
Tell certmonger to track the given certificate in either a file or an NSS
database. The certificate access can be protected by a password_file.
@@ -526,6 +530,8 @@ def start_tracking(
Hardware token name for HSM support
:param dns:
List of DNS names
:param nss_user:
login of the private key owner
:returns: certificate tracking nickname.
"""
if storage == 'FILE':
@@ -572,6 +578,8 @@ def start_tracking(
params['cert-token'] = token_name
if dns is not None and len(dns) > 0:
params['DNS'] = dns
if nss_user:
params['nss-user'] = nss_user
result = cm.obj_if.add_request(params)
try:
@@ -753,6 +761,8 @@ def get_pin(token="internal"):
The caller is expected to handle any exceptions raised.
"""
if token and token != 'internal':
token = 'hardware-' + token
with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)