From 5ac7143f42b325da04f04dade13b810c72ec08b6 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 20 Jun 2024 15:14:47 +0200
Subject: [PATCH] ipareplica: After an HSM replica install ensure all certs are
 visible

FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d

    After an HSM replica install ensure all certs are visible

    If a certificate on a token does not have NSS trust set then
    it won't be visible in the softoken. This can be disconcerting
    for those used to seeing all the certificates.

    Loop through the possibilities and set no trust (or Peer) for
    all the certificates on the token.

    Also ensure that the CA certificate has the correct nickname.

    Related: https://pagure.io/freeipa/issue/9273
---
 roles/ipareplica/library/ipareplica_enable_ipa.py    | 5 ++++-
 roles/ipareplica/module_utils/ansible_ipa_replica.py | 7 ++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py
index a974165e..87582b81 100644
--- a/roles/ipareplica/library/ipareplica_enable_ipa.py
+++ b/roles/ipareplica/library/ipareplica_enable_ipa.py
@@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths,
     gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
     gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service,
-    find_providing_servers, services
+    find_providing_servers, services, clean_up_hsm_nicknames
 )
 
 
@@ -168,6 +168,9 @@ def main():
         # Everything installed properly, activate ipa service.
         services.knownservices.ipa.enable()
 
+        if options.setup_ca and clean_up_hsm_nicknames is not None:
+            clean_up_hsm_nicknames(api)
+
         # Print a warning if CA role is only installed on one server
         if len(ca_servers) == 1:
             msg = u'''
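Review bot: The new call at `clean_up_hsm_nicknames(api)` is skipped without any trace when the import fell back to `None`, so on a FreeIPA build that predates the helper an HSM replica finishes with some token certificates still invisible and nothing in the module output explains why; logging the skip would make that diagnosable (`else: ansible_log.debug("clean_up_hsm_nicknames not available, skipping HSM nickname cleanup")`, or whatever logger object `main()` holds — it is not visible in the hunk). The guard also keys on `options.setup_ca` alone, whereas the commit message scopes the fix to HSM installs; if the helper is itself a no-op without a token, a one-line comment saying so would save the next reader a lookup, e.g. `# Give HSM-token certs NSS trust so they appear in the softoken; no-op on non-HSM installs (FreeIPA ea0bf4020)`. Note that the call runs after `services.knownservices.ipa.enable()`, so any exception it raises surfaces after the service is already enabled; that ordering may be intentional, but it is worth stating. The enclosing `main()` starts and ends outside this hunk.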
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index c244e288..c5efa8da 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
            "dnsname", "kernel_keyring", "krbinstance", "getargspec",
            "adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
            "ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
-           "ReplicaConfig", "create_api"]
+           "ReplicaConfig", "create_api", "clean_up_hsm_nicknames"]
 
 import sys
 import logging
@@ -162,6 +162,11 @@ try:
                 install_ca_cert
         except ImportError:
             install_ca_cert = None
+        try:
+            from ipaserver.install.server.replicainstall import \
+                clean_up_hsm_nicknames
+        except ImportError:
+            clean_up_hsm_nicknames = None
         import SSSDConfig
         from subprocess import CalledProcessError
 
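Review bot: The new `except ImportError: clean_up_hsm_nicknames = None` block documents nothing about when the import is expected to fail, so a reader cannot tell whether `None` means an old FreeIPA or a broken installation; a short comment would pin that down, e.g. `# Added upstream in FreeIPA ea0bf4020 (HSM support); older releases lack it and callers must check for None`. The same applies to the exported name in `__all__` at the earlier hunk, which now publishes a name that may be bound to `None`. The pattern mirrors the `install_ca_cert` fallback immediately above, so the style is consistent; the enclosing `try:` block starts outside this hunk.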
-- 
GitLab