From 285da2b3d7a103f7ab7f5081eeba869b385de434 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Tue, 10 Sep 2024 12:47:01 +0200
Subject: [PATCH] PKI EST CI using subsystem certificate
---
 .github/workflows/ca-admin-user-test.yml | 1 +
 .github/workflows/est-default-realm-test.yml | 32 +++++++------------
 .../python/pki/server/deployment/__init__.py | 2 +-
 base/server/python/pki/server/pkispawn.py | 13 ++++++--
 base/server/python/pki/server/subsystem.py | 7 ++--
 5 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/ca-admin-user-test.yml b/.github/workflows/ca-admin-user-test.yml
index 20f8a3d7ba8..4549f945377 100644
--- a/.github/workflows/ca-admin-user-test.yml
+++ b/.github/workflows/ca-admin-user-test.yml
@@ -191,6 +191,7 @@ jobs:
 echo "Administrators" > expected
 echo "Certificate Manager Agents" >> expected
 echo "Enterprise CA Administrators" >> expected
+ echo "Enterprise EST Administrators" >> expected
 echo "Enterprise KRA Administrators" >> expected
 echo "Enterprise OCSP Administrators" >> expected
 echo "Enterprise RA Administrators" >> expected
diff --git a/.github/workflows/est-default-realm-test.yml b/.github/workflows/est-default-realm-test.yml
index 443b2563dc4..f1e8c0e0b2e 100644
--- a/.github/workflows/est-default-realm-test.yml
+++ b/.github/workflows/est-default-realm-test.yml
@@ -71,23 +71,6 @@ jobs:
 docker exec pki pki info - - name: Add est user - run: | - docker exec pki pki -n caadmin ca-group-add "EST RA Agents" - - docker exec pki pki -n caadmin ca-user-add \ - est-ra-1 --fullName "EST RA 1" --password Secret.123 - - docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1 - - - name: Configure est profile - run: | - docker exec pki pki -n caadmin -n caadmin \ - ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg - - docker exec pki pki -n caadmin ca-profile-enable estServiceCert - docker exec pki pki-server restart --wait - name: Install EST run: | docker exec pki pkispawn \
@@ -184,8 +167,6 @@ jobs:
 diff expected output - diff expected actual - - name: Check webapps run: | docker exec pki pki-server webapp-find | tee output
@@ -193,7 +174,7 @@ jobs:
 # CA instance should have ROOT, ca, and pki webapps
 echo "ROOT" > expected
 echo "ca" >> expected
- echo "esst" >> expected
+ echo "est" >> expected
 echo "pki" >> expected
 sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
 diff expected actual
@@ -203,7 +184,16 @@ jobs:
 docker exec pki pki-server webapp-show est docker exec pki pki-server webapp-show pki - - name: Check est subsystem + - name: Configure CA est profile + run: | + docker exec pki cp /usr/share/pki/ca/profiles/ca/estServiceCert.cfg estServiceCert.cfg + docker exec pki sed -i 's/EST RA Agents/Subsystem Group/' estServiceCert.cfg + docker exec pki pki -n caadmin ca-profile-add \ + --raw ./estServiceCert.cfg + docker exec pki pki -n caadmin ca-profile-enable estServiceCert + docker exec pki pki-server restart --wait + + - name: Check EST subsystem run: | docker exec pki pki-server subsystem-show est | tee output
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 3d4eac261a4..0ae3a9c90bc 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -5002,7 +5002,7 @@ def finalize_est(self, subsystem):
 if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
 print(f'Principal does not have required role {ALLOWED_ROLE!r}')
 sys.exit(1)'''
- with open('/usr/local/libexec/estauthz', 'w', ) as auth_exec:
+ with open('/usr/local/libexec/estauthz', 'w', encoding='utf-8') as auth_exec:
 auth_exec.write(est_auth_exec)
 os.chmod("/usr/local/libexec/estauthz", 0o755)
 authorizer_config = {
diff --git a/base/server/python/pki/server/pkispawn.py b/base/server/python/pki/server/pkispawn.py
index 3160f1df3e2..bc3e7d22cd7 100644
--- a/base/server/python/pki/server/pkispawn.py
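Review bot: The `docker exec pki sed -i 's/EST RA Agents/Subsystem Group/' estServiceCert.cfg` line in the new "Configure CA est profile" step never checks that the pattern matched, so if the shipped profile stops using that group name the unmodified profile is added and enabled and the job only fails later, at enrollment, with a less specific error. Adding `docker exec pki grep -q 'Subsystem Group' estServiceCert.cfg` directly after the sed fails the step at the point where the assumption breaks. The substitution also changes which group the CA presumably accepts for EST service certificate requests, from the dedicated `EST RA Agents` user the removed steps created to the instance's subsystem group; a one-line comment above the sed stating that intent (the commit title indicates the EST subsystem now authenticates with its subsystem certificate) would keep the test readable without the commit history.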
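Review bot: The path `/usr/local/libexec/estauthz` appears as a literal both in the changed `open(...)` call and in the `os.chmod(...)` two lines below; binding it once, `est_auth_path = '/usr/local/libexec/estauthz'`, and using that name in both calls keeps the two from drifting apart. Because the file is opened with plain `'w'`, a pre-existing symlink at that system path would be followed and its target overwritten before the mode is set; `open(est_auth_path, 'w', encoding='utf-8', opener=lambda p, f: os.open(p, f | os.O_NOFOLLOW, 0o755))` refuses to follow a symlink and creates the file with the intended mode, while the existing `os.chmod` still covers the case where the file already exists. `finalize_est` begins before this hunk, so where `est_auth_exec` is assembled is not visible here.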
+++ b/base/server/python/pki/server/pkispawn.py
@@ -684,7 +684,8 @@ def validate_user_deployment_cfg(user_deployment_cfg):
 line = line.strip() if not line.startswith('['): continue - if line not in ['[DEFAULT]', '[Tomcat]', '[CA]', '[KRA]', '[OCSP]', '[TKS]', '[TPS]', '[EST]']: + if line not in ['[DEFAULT]', '[Tomcat]', '[CA]', '[KRA]', + '[OCSP]', '[TKS]', '[TPS]', '[EST]']: raise Exception('Invalid deployment configuration section: %s' % line)
@@ -909,13 +910,19 @@ def print_tps_step_one_information(mdict, instance):
 print(log.PKI_RUN_INSTALLATION_STEP_TWO) print(log.PKI_SPAWN_INFORMATION_FOOTER) -def print_tps_step_one_information(mdict, instance): + +def print_est_step_one_information(mdict, instance): print(log.PKI_SPAWN_INFORMATION_HEADER) - print("TO BE COMPLETED") + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_type, instance.name)) + print() + print(" NSS database: %s" % instance.nssdb_dir) + print() print(log.PKI_RUN_INSTALLATION_STEP_TWO) print(log.PKI_SPAWN_INFORMATION_FOOTER) + def print_skip_configuration_information(mdict, instance): print(log.PKI_SPAWN_INFORMATION_HEADER)
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index b6c67975217..96e1c7d1bc1 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
@@ -2654,6 +2654,7 @@ class KRASubsystem(PKISubsystem):
 def __init__(self, instance): super().__init__(instance, 'kra') + class OCSPSubsystem(PKISubsystem): def __init__(self, instance):
@@ -2728,7 +2729,7 @@ def __init__(self, instance):
 def add_realm(self, params):
 realm_conf = os.path.join(self.conf_dir, 'realm.conf')
 self.instance.touch(realm_conf)
- with open(realm_conf, 'w') as realm:
+ with open(realm_conf, 'w', encoding='utf-8') as realm:
 for key, value in params.items():
 if value:
 realm.write('{}={}\n'.format(key, value))
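Review bot: `print_est_step_one_information` reads `deployer.subsystem_type` although `deployer` is not one of its parameters and `mdict` is never used; if `deployer` is a module-level object assigned elsewhere (not visible in this hunk), the function silently depends on being called after that assignment. Since the function is already EST-specific by name, `print(" The EST subsystem of the '%s' instance is still incomplete." % instance.name)` removes the hidden dependency while keeping the `(mdict, instance)` signature that the sibling `print_*_step_one_information` functions appear to share. A short docstring, `"""Print the summary shown after the first step of a two-step EST installation."""`, would also help, as the neighbouring functions in view carry none.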
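Review bot: `add_realm`, together with `add_authorizer` and `add_backend` in the following two hunks, is the same eight lines with a different file name, and the commit touches all three only to add `encoding='utf-8'`; a single private writer would make a future change like this one a one-line edit. That helper is also the natural place to reject values containing a newline, since `'{}={}\n'.format(key, value)` currently writes any value verbatim and a value holding `\n` would land in the file as an additional key=value line. The helper and the resulting `add_realm` would be:
```python
    def _write_conf(self, filename, params):
        """Write the non-empty entries of params as key=value lines into conf_dir/filename."""
        conf_path = os.path.join(self.conf_dir, filename)
        self.instance.touch(conf_path)
        with open(conf_path, 'w', encoding='utf-8') as conf:
            for key, value in params.items():
                if not value:
                    continue
                if '\n' in str(value):
                    raise ValueError('newline in value for %s' % key)
                conf.write('{}={}\n'.format(key, value))

    def add_realm(self, params):
        self._write_conf('realm.conf', params)
    # … unchanged apart from the same one-line delegation: add_authorizer, add_backend …
```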
@@ -2736,7 +2737,7 @@ def add_realm(self, params):
 def add_authorizer(self, params):
 authorizer_conf = os.path.join(self.conf_dir, 'authorizer.conf')
 self.instance.touch(authorizer_conf)
- with open(authorizer_conf, 'w') as authorizer:
+ with open(authorizer_conf, 'w', encoding='utf-8') as authorizer:
 for key, value in params.items():
 if value:
 authorizer.write('{}={}\n'.format(key, value))
@@ -2744,7 +2745,7 @@ def add_authorizer(self, params):
 def add_backend(self, params):
 backend_conf = os.path.join(self.conf_dir, 'backend.conf')
 self.instance.touch(backend_conf)
- with open(backend_conf, 'w') as backend:
+ with open(backend_conf, 'w', encoding='utf-8') as backend:
 for key, value in params.items():
 if value:
 backend.write('{}={}\n'.format(key, value))