From 462e0b9eb16f52b66b723744c4b42c19ef4782c3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 2 Jul 2015 04:09:31 -0400 Subject: certprofile: add ability to update profile config in Dogtag Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 Reviewed-By: Martin Basti --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/certprofile.py | 35 ++++++++++++++++++++++++++++++++--- ipaserver/plugins/dogtag.py | 12 ++++++++++++ 4 files changed, 48 insertions(+), 6 deletions(-)
diff --git a/API.txt b/API.txt
index 4b3fbaac0..fc724d5e1 100644
--- a/API.txt
+++ b/API.txt
@@ -731,12 +731,13 @@ output: Entry('result', , Gettext('A dictionary representing an LDA output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: certprofile_mod -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False) +option: File('file?', cli_name='file') option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False)
diff --git a/VERSION b/VERSION
index 9030eb9c6..48448b110 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=140 -# Last change: ftweedal: add certprofile-show --out option +IPA_API_VERSION_MINOR=141 +# Last change: ftweedal: add certprofile-mod --file option
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index abb62434e..6f9a41875 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -13,6 +13,7 @@ from ipalib.plugins.baseldap import ( LDAPDelete, LDAPUpdate, LDAPRetrieve) from ipalib import ngettext from ipalib.text import _ +from ipapython.version import API_VERSION from ipalib import errors
@@ -245,7 +246,6 @@ class certprofile_import(LDAPCreate): def post_callback(self, ldap, dn, entry_attrs, *keys, **options): """Import the profile into Dogtag and enable it. - If the operation succeeds, update the LDAP entry to 'enabled'. If the operation fails, remove the LDAP entry. """ try:
@@ -281,6 +281,35 @@ class certprofile_mod(LDAPUpdate): __doc__ = _("Modify Certificate Profile configuration.") msg_summary = _('Modified Certificate Profile "%(value)s"') - def execute(self, *args, **kwargs): + takes_options = LDAPUpdate.takes_options + ( + File('file?', + label=_('File containing profile configuration'), + cli_name='file', + flags=('virtual_attribute',), + ), + ) + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): ca_enabled_check() - return super(certprofile_mod, self).execute(*args, **kwargs) + if 'file' in options: + with self.api.Backend.ra_certprofile as profile_api: + profile_api.disable_profile(keys[0]) + try: + profile_api.update_profile(keys[0], options['file']) + finally: + profile_api.enable_profile(keys[0]) + + return dn + + def execute(self, *keys, **options): + try: + return super(certprofile_mod, self).execute(*keys, **options) + except errors.EmptyModlist: + if 'file' in options: + # The profile data in Dogtag was updated. + # Do not fail; return result of certprofile-show instead + return self.api.Command.certprofile_show(keys[0], + version=API_VERSION) + else: + # This case is actually an error; re-raise + raise
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index eb2a6ae84..47279921a 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2089,6 +2089,18 @@ class ra_certprofile(RestClient): 'GET', profile_id + '/raw') return resp_body + def update_profile(self, profile_id, profile_data): + """ + Update the profile configuration in Dogtag + """ + self._ssldo('PUT', profile_id + '/raw', + headers={ + 'Content-type': 'application/xml', + 'Accept': 'application/json', + }, + body=profile_data + ) + def enable_profile(self, profile_id): """ Enable the profile in Dogtag -- cgit
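Review bot: In `certprofile_mod.pre_callback` the `--file` branch pushes the new configuration to Dogtag before `super(certprofile_mod, self).execute()` has attempted the LDAP write, so nothing in this hunk checks that the caller may modify the profile; and when `--file` is the only change, `execute` swallows `EmptyModlist`, so no LDAP modification (and no access check that would come with it) happens at all. If `ra_certprofile` authenticates to Dogtag with the server's own agent credentials rather than the caller's (not visible here), any authenticated user could replace the configuration of an issuance profile. I would gate the branch on the caller's write access before touching Dogtag, along the lines of `if not ldap.can_write(dn, 'ipacertprofilestoreissued'): raise errors.ACIError(info=_("Insufficient privilege to modify a certificate profile."))`. Separately, the `finally` re-enables the profile even when `update_profile` failed, and a later LDAP failure leaves Dogtag already changed, so a comment stating the intended ordering and failure behaviour would help. The class body starts outside the hunk.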
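Review bot: `update_profile` builds the request path as `profile_id + '/raw'` with no escaping and discards whatever `_ssldo` returns, so its safety rests on the id being validated upstream and on `_ssldo` raising for non-2xx responses, neither of which is visible in this hunk. Since this PUT replaces certificate-issuance policy, I would percent-encode the id before joining it into the path and state the failure contract in the docstring, for example `"""Replace the raw profile configuration in Dogtag; raises if Dogtag rejects the request."""` once that behaviour is confirmed. The `'Content-type': 'application/xml'` header also looks at odds with a `/raw` body taken straight from the profile file and deserves a one-line comment saying why it is required. `enable_profile` below the new method continues outside the hunk.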