Backported from master.
From de03df73802956143fd1fa743706b803938a610f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 18 Nov 2014 13:25:08 +0000
Subject: [PATCH] Allow overriding parameter values in Dogtag request approval
---
src/certmonger-dogtag-ipa-renew-agent-submit.8.in | 8 +++
src/dogtag.c | 61 ++++++++++++++++++++++-
2 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
index 45129d4818aad0d91960a1bfe35a79e4e2406f02..d6d0c4c122014ac77e04ab8c3fc4a2742dfb8bdb 100644
--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
@@ -17,6 +17,7 @@ dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL
[-D serial (decimal)]
[-S state]
[-T profile]
+[-O param=value]
[-v]
[csrfile]
@@ -125,6 +126,13 @@ The name of the type of certificate which the client should request from the CA
if it is not renewing a certificate (per the \fB-s\fR option above). The
default value is \fBcaServerCert\fP.
.TP
+\fB-O\fR param=value
+An additional parameter to pass to the server when approving the signing
+request using the agent's credentials. By default, any server-supplied default
+settings are applied. This option can be used either to override a
+server-supplied default setting, or to supply one which would otherwise have
+not been used.
+.TP
\fB-v\fR
Increases the logging level. Use twice for more logging. This option is mainly
useful for troubleshooting.
diff --git a/src/dogtag.c b/src/dogtag.c
index 700fe7f516a54f0581d94068e9066de9e4621f5d..6bd284327ffc1ab29d32deb8529fc5ef69314295 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -76,6 +76,7 @@ help(const char *cmd)
"\t[-D serial (decimal)]\n"
"\t[-S state]\n"
"\t[-T profile]\n"
+ "\t[-O param=value]\n"
"\t[-v]\n"
"\t[-N]\n"
"\t[-V dogtag_version]\n"
@@ -140,6 +141,11 @@ main(int argc, char **argv)
const char *sslcert = NULL, *sslkey = NULL;
const char *sslpin = NULL, *sslpinfile = NULL;
const char *host = NULL, *csr = NULL, *serial = NULL, *template = NULL;
+ struct {
+ char *name;
+ char *value;
+ } *options = NULL;
+ size_t num_options = 0, j;
const char *dogtag_version = NULL;
char *ipaconfig = NULL, *savedstate = NULL;
char *p, *q, *params = NULL, *params2 = NULL;
@@ -178,7 +184,7 @@ main(int argc, char **argv)
savedstate = getenv(CM_SUBMIT_COOKIE_ENV);
- while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:vV:NR")) != -1) {
+ while ((c = getopt(argc, argv, "E:A:d:n:i:C:c:k:p:P:s:D:S:T:O:vV:NR")) != -1) {
switch (c) {
case 'E':
eeurl = optarg;
@@ -220,6 +226,26 @@ main(int argc, char **argv)
case 'T':
template = optarg;
break;
+ case 'O':
+ if (strchr(optarg, '=') == NULL) {
+ printf(_("Profile params (-O) must be in the form of param=value.\n"));
+ help(argv[0]);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+ }
+ options = realloc(options,
+ ++num_options * sizeof(*options));
+ if (options == NULL) {
+ printf(_("Out of memory.\n"));
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+ }
+ options[num_options - 1].name = strdup(optarg);
+ if (options[num_options - 1].name == NULL) {
+ printf(_("Out of memory.\n"));
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+ }
+ *strchr(options[num_options - 1].name, '=') = '\0';
+ options[num_options - 1].value = strchr(optarg, '=') + 1;
+ break;
case 'v':
verbose++;
break;
@@ -374,6 +400,18 @@ main(int argc, char **argv)
printf(_("No profile/template (-T) given, and no default known.\n"));
missing_args = TRUE;
}
+ if (options != NULL) {
+ if (agenturl == NULL) {
+ printf(_("No agent URL (-A) given, and no default "
+ "known.\n"));
+ missing_args = TRUE;
+ }
+ if (!can_agent) {
+ printf(_("No agent credentials specified, and no "
+ "default known.\n"));
+ missing_args = TRUE;
+ }
+ }
if (missing_args) {
help(argv[0]);
return CM_SUBMIT_STATUS_UNCONFIGURED;
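Review bot: The two diagnostics emitted when `-O` is used without agent access do not mention `-O`, so a user who ran the same command successfully before adding a parameter sees "No agent URL (-A) given, and no default known." with no hint about what changed; something like `printf(_("Profile parameters (-O) require an agent URL (-A).\n"));` and the analogous wording for the credentials case would make the dependency explicit. The `can_agent` flag is computed outside this hunk, so I am assuming it is already settled at this point in `main`. The enclosing `main` starts and ends outside this hunk.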
@@ -544,12 +582,33 @@ main(int argc, char **argv)
for (i = 0;
(defaults != NULL) && (defaults[i] != NULL);
i++) {
+ /* Check if this default is one of the
+ * paramters we've been explicitly provided. */
+ for (j = 0; j < num_options; j++) {
+ if (strcmp(defaults[i]->name,
+ options[j].name) == 0) {
+ break;
+ }
+ }
+ /* If we have a non-default value for it, skip
+ * this default. */
+ if (j < num_options) {
+ continue;
+ }
p = cm_submit_u_url_encode(defaults[i]->name);
q = cm_submit_u_url_encode(defaults[i]->value);
params2 = talloc_asprintf(ctx,
"%s&%s=%s",
params2, p, q);
};
+ /* Add parameters specified on command line */
+ for (j = 0; j < num_options; j++) {
+ p = cm_submit_u_url_encode(options[j].name);
+ q = cm_submit_u_url_encode(options[j].value);
+ params2 = talloc_asprintf(ctx,
+ "%s&%s=%s",
+ params2, p, q);
+ }
break;
case op_none:
case op_submit:
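Review bot: Repeated `-O` options with the same name are not de-duplicated: the first loop only suppresses a server default that matches a user-supplied name, while the second loop appends every entry of `options`, so `-O a=1 -O a=2` sends `a` twice and which value the server honours is not decided by this code; either reject duplicates at parse time or state in the comment that later entries are sent after earlier ones and the server's handling of repeated parameters applies. There is also a typo in the new comment: `paramters` should read `parameters`. The surrounding `switch` and `main` start and end outside this hunk.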
--
2.1.0