Backported from master.

From de03df73802956143fd1fa743706b803938a610f Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Tue, 18 Nov 2014 13:25:08 +0000

Subject: [PATCH] Allow overriding parameter values in Dogtag request approval

---

 src/certmonger-dogtag-ipa-renew-agent-submit.8.in |  8 +++

 src/dogtag.c                                      | 61 ++++++++++++++++++++++-

 2 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in

index 45129d4818aad0d91960a1bfe35a79e4e2406f02..d6d0c4c122014ac77e04ab8c3fc4a2742dfb8bdb 100644

--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in

+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in

@@ -17,6 +17,7 @@ dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL

 [-D serial (decimal)]

 [-S state]

 [-T profile]

+[-O param=value]

 [-v]

 [csrfile]

@@ -125,6 +126,13 @@ The name of the type of certificate which the client should request from the CA

 if it is not renewing a certificate (per the \fB-s\fR option above).  The

 default value is \fBcaServerCert\fP.

 .TP

+\fB-O\fR param=value

+An additional parameter to pass to the server when approving the signing

+request using the agent's credentials.  By default, any server-supplied default

+settings are applied.  This option can be used either to override a

+server-supplied default setting, or to supply one which would otherwise have

+not been used.

+.TP

 \fB-v\fR

 Increases the logging level.  Use twice for more logging.  This option is mainly

 useful for troubleshooting.

diff --git a/src/dogtag.c b/src/dogtag.c

index 700fe7f516a54f0581d94068e9066de9e4621f5d..6bd284327ffc1ab29d32deb8529fc5ef69314295 100644

--- a/src/dogtag.c

+++ b/src/dogtag.c

@@ -76,6 +76,7 @@ help(const char *cmd)

 		"\t[-D serial (decimal)]\n"

 		"\t[-S state]\n"

 		"\t[-T profile]\n"

+		"\t[-O param=value]\n"

 		"\t[-v]\n"

 		"\t[-N]\n"

 		"\t[-V dogtag_version]\n"

@@ -140,6 +141,11 @@ main(int argc, char **argv)

 	const char *sslcert = NULL, *sslkey = NULL;

 	const char *sslpin = NULL, *sslpinfile = NULL;

 	const char *host = NULL, *csr = NULL, *serial = NULL, *template = NULL;

+	struct {

+		char *name;

+		char *value;

+	} *options = NULL;

+	size_t num_options = 0, j;

 	const char *dogtag_version = NULL;

 	char *ipaconfig = NULL, *savedstate = NULL;

 	char *p, *q, *params = NULL, *params2 = NULL;

@@ -178,7 +184,7 @@ main(int argc, char **argv)

 	savedstate = getenv(CM_SUBMIT_COOKIE_ENV);

-	while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:vV:NR")) != -1) {

+	while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:O:vV:NR")) != -1) {

 		switch (c) {

 		case 'E':

 			eeurl = optarg;

@@ -220,6 +226,26 @@ main(int argc, char **argv)

 		case 'T':

 			template = optarg;

 			break;

+		case 'O':

+			if (strchr(optarg, '=') == NULL) {

+				printf(_("Profile params (-O) must be in the form of param=value.\n"));

+				help(argv[0]);

+				return CM_SUBMIT_STATUS_UNCONFIGURED;

+			}

+			options = realloc(options,

+					  ++num_options * sizeof(*options));

+			if (options == NULL) {

+				printf(_("Out of memory.\n"));

+				return CM_SUBMIT_STATUS_UNCONFIGURED;

+			}

+			options[num_options - 1].name = strdup(optarg);

+			if (options[num_options - 1].name == NULL) {

+				printf(_("Out of memory.\n"));

+				return CM_SUBMIT_STATUS_UNCONFIGURED;

+			}

+			*strchr(options[num_options - 1].name, '=') = '\0';

+			options[num_options - 1].value = strchr(optarg, '=') + 1;

+			break;

 		case 'v':

 			verbose++;

 			break;

@@ -374,6 +400,18 @@ main(int argc, char **argv)

 		printf(_("No profile/template (-T) given, and no default known.\n"));

 		missing_args = TRUE;

 	}

+	if (options != NULL) {

+		if (agenturl == NULL) {

+			printf(_("No agent URL (-A) given, and no default "

+				 "known.\n"));

+			missing_args = TRUE;

+		}

+		if (!can_agent) {

+			printf(_("No agent credentials specified, and no "

+				 "default known.\n"));

+			missing_args = TRUE;

+		}

+	}

 	if (missing_args) {

 		help(argv[0]);

 		return CM_SUBMIT_STATUS_UNCONFIGURED;

@@ -544,12 +582,33 @@ main(int argc, char **argv)

 			for (i = 0;

 			     (defaults != NULL) && (defaults[i] != NULL);

 			     i++) {

+				/* Check if this default is one of the

+				 * paramters we've been explicitly provided. */

+				for (j = 0; j < num_options; j++) {

+					if (strcmp(defaults[i]->name,

+						   options[j].name) == 0) {

+						break;

+					}

+				}

+				/* If we have a non-default value for it, skip

+				 * this default. */

+				if (j < num_options) {

+					continue;

+				}

 				p = cm_submit_u_url_encode(defaults[i]->name);

 				q = cm_submit_u_url_encode(defaults[i]->value);

 				params2 = talloc_asprintf(ctx,

 							  "%s&%s=%s",

 							  params2, p, q);

 			};

+			/* Add parameters specified on command line */

+			for (j = 0; j < num_options; j++) {

+				p = cm_submit_u_url_encode(options[j].name);

+				q = cm_submit_u_url_encode(options[j].value);

+				params2 = talloc_asprintf(ctx,

+							  "%s&%s=%s",

+							  params2, p, q);

+			}

 			break;

 		case op_none:

 		case op_submit:

-- 

2.1.0