From 5fa0ac4a45a4d4330103e3a38332c3758f36799e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 25 Sep 2024 10:02:16 -0500
Subject: [PATCH] Enable registry for ACME

The default pki_registry_enable for ACME has been changed
to True. This allows pkispawn and pkidestroy to create and
remove ACME properly.

The PKIDeployer.create_acme_subsystem() has been modified
to create the registry. The remove_acme_subsystem() has
been modified to remove the registry.

The PKISubsystem.remove_registry() has been modified to
check whether the files/folders exist before removing them
in case the subsystem was created without registry.

The test for ACME on separate instance has been modified to
no longer create the server and NSS database before calling
pkispawn. Some file/folder permissions have also changed due
to these changes.
---
 .github/workflows/acme-separate-test.yml      | 28 +++++++++----------
 base/server/etc/default.cfg                   |  2 +-
 .../python/pki/server/deployment/__init__.py  |  9 ++++--
 base/server/python/pki/server/subsystem.py    | 19 +++++++------
 4 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/acme-separate-test.yml b/.github/workflows/acme-separate-test.yml
index 158965008c7..3570b31622c 100644
--- a/.github/workflows/acme-separate-test.yml
+++ b/.github/workflows/acme-separate-test.yml
@@ -99,11 +99,6 @@ jobs:
               --network-alias=acme.example.com \
               acme
 
-      - name: Create PKI server for ACME
-        run: |
-          docker exec acme pki-server create
-          docker exec acme pki-server nss-create --password Secret.123
-
       - name: Set up ACME database
         run: |
           docker exec acme ldapmodify \
@@ -147,13 +142,13 @@ jobs:
           drwxrwx--- pkiuser pkiuser acme
           lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/conf/alias
           lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin
-          drwxr-x--- pkiuser pkiuser common
+          drwxrwx--- pkiuser pkiuser common
           lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
           lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib
           lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
-          drwxr-x--- pkiuser pkiuser temp
-          drwxr-x--- pkiuser pkiuser webapps
-          drwxr-x--- pkiuser pkiuser work
+          drwxrwx--- pkiuser pkiuser temp
+          drwxr-xr-x pkiuser pkiuser webapps
+          drwxrwx--- pkiuser pkiuser work
           EOF
 
           diff expected output
@@ -170,12 +165,12 @@ jobs:
 
           # TODO: review permissions
           cat > expected << EOF
-          drwxr-x--- pkiuser pkiuser Catalina
+          drwxrwx--- pkiuser pkiuser Catalina
           drwxrwx--- pkiuser pkiuser acme
           drwxrwx--- pkiuser pkiuser alias
-          -rw-rw---- pkiuser pkiuser catalina.policy
+          -rw-r--r-- pkiuser pkiuser catalina.policy
           lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
-          drwxr-x--- pkiuser pkiuser certs
+          drwxrwx--- pkiuser pkiuser certs
           lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
           lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
           -rw-rw---- pkiuser pkiuser password.conf
@@ -733,6 +728,7 @@ jobs:
         run: docker exec ca pkidestroy -s CA -v
 
       - name: Check ACME server base dir after removal
+        if: always()
         run: |
           # check file types, owners, and permissions
           docker exec acme ls -l /var/lib/pki/pki-tomcat \
@@ -750,6 +746,7 @@ jobs:
           diff expected output
 
       - name: Check ACME server conf dir after removal
+        if: always()
         run: |
           # check file types, owners, and permissions
           docker exec acme ls -l /etc/pki/pki-tomcat \
@@ -760,12 +757,12 @@ jobs:
 
           # TODO: review permissions
           cat > expected << EOF
-          drwxr-x--- pkiuser pkiuser Catalina
+          drwxrwx--- pkiuser pkiuser Catalina
           drwxrwx--- pkiuser pkiuser acme
           drwxrwx--- pkiuser pkiuser alias
-          -rw-rw---- pkiuser pkiuser catalina.policy
+          -rw-r--r-- pkiuser pkiuser catalina.policy
           lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
-          drwxr-x--- pkiuser pkiuser certs
+          drwxrwx--- pkiuser pkiuser certs
           lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
           lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
           -rw-rw---- pkiuser pkiuser password.conf
@@ -777,6 +774,7 @@ jobs:
           diff expected output
 
       - name: Check ACME server logs dir after removal
+        if: always()
         run: |
           # check file types, owners, and permissions
           docker exec acme ls -l /var/log/pki/pki-tomcat \
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index aa7bb480fe0..29e77aa2e7e 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -625,7 +625,7 @@ pki_registry_enable=True
 [ACME]
 pki_ds_setup=False
 pki_security_domain_setup=False
-pki_registry_enable=False
+pki_registry_enable=True
 
 # Database params:
 # - acme_database_type
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 953485d51b7..01e6905433e 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -5184,9 +5184,10 @@ def create_acme_subsystem(self):
         logger.info('Creating ACME subsystem')
 
         subsystem = pki.server.subsystem.ACMESubsystem(self.instance)
-        subsystem.create()
-        subsystem.create_conf()
-        subsystem.create_logs()
+        subsystem.create(exist_ok=True)
+        subsystem.create_conf(exist_ok=True)
+        subsystem.create_logs(exist_ok=True)
+        subsystem.create_registry(exist_ok=True)
 
         return subsystem
 
@@ -5489,6 +5490,8 @@ def remove_acme_subsystem(self, subsystem):
 
         logger.info('Removing ACME subsystem')
 
+        subsystem.remove_registry(force=self.force)
+
         if self.remove_logs:
             subsystem.remove_logs(force=self.force)
 
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index bcf547ebd6c..113ce4f346d 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
@@ -287,17 +287,20 @@ def load(self):
 
     def remove_registry(self, force=False):
 
-        # Remove /etc/sysconfig/pki/tomcat/<instance>/<subsystem>/default.cfg
+        if os.path.exists(self.default_cfg):
 
-        default_cfg = os.path.join(self.registry_dir, 'default.cfg')
-        logger.info('Removing %s', default_cfg)
-        pki.util.remove(default_cfg, force=force)
+            # Remove /etc/sysconfig/pki/tomcat/<instance>/<subsystem>/default.cfg
 
-        # Remove subsystem registry folder at
-        # /etc/sysconfig/pki/tomcat/<instance>/<subsystem>
+            logger.info('Removing %s', self.default_cfg)
+            pki.util.remove(self.default_cfg, force=force)
+
+        if os.path.exists(self.registry_dir):
+
+            # Remove subsystem registry folder at
+            # /etc/sysconfig/pki/tomcat/<instance>/<subsystem>
 
-        logger.info('Removing %s', self.registry_dir)
-        pki.util.rmtree(self.registry_dir, force=force)
+            logger.info('Removing %s', self.registry_dir)
+            pki.util.rmtree(self.registry_dir, force=force)
 
     def remove_logs(self, force=False):