From 0eafb03110b6ae4c80680e5c451661e1cf41db77 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 21 Nov 2024 11:39:12 -0500
Subject: [PATCH] Don't drop certificates in cert-find if the LWCA was removed

The cert-find command wants to return the IPA CA name of the issued certificates. If the CA was removed then the certificate is skipped in the output. This basically black holes any certificates issued by the LWCA. It is also breaking the cert_find tests with RSNv3 enabled at times depending on the certificate order returned. Some of them may be certificates issued by a now-deleted CA. This was discovered in test_xmlrpc/test_cert.py with the cert-find tests where the expected number of certificates wasn't returned. This is because ra.find() retrieved exactly 10 certificates and then some were removed when trying to identify the CA.

Related: https://pagure.io/freeipa/issue/9661

Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Alexander Bokovoy
Reviewed-By: Rafael Guterres Jeffman
---
 ipaserver/plugins/cert.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 6249c6d6f24acdca4fc3e9dd989f58344192b567..b8012c62a7809a85faec9cbb710f187fa16d90f4 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1721,7 +1721,8 @@ class cert_find(Search, CertMethod):
                 try:
                     ca_obj = ca_objs[issuer]
                 except KeyError:
-                    continue
+                    # A deleted LWCA? Return the issuer DN as a string
+                    ca_obj = {'cn': [str(issuer)]}
 
                 if pkey_only:
                     obj = {'serial_number': serial_number}
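Review bot: The stand-in `ca_obj = {'cn': [str(issuer)]}` makes a certificate whose issuer is no longer a known IPA CA carry the issuer DN in the field where a CA name is otherwise reported, and nothing marks that substitution for the caller or in the server log. The new comment reads as a question; I would state the contract instead: `# Issuer is not a known IPA CA (most likely a deleted LWCA): keep the certificate in the result with a minimal CA-like object whose 'cn' is the issuer DN.` Because this changes what cert-find reports, a debug log line at this point (using whatever logger this module already has in scope) would help when auditing which certificates were issued by a CA that no longer exists. The synthetic object carries only `cn`; if code later in this method reads any other key of `ca_obj` (not visible from the hunk), it will now raise KeyError where the old `continue` skipped the entry. The enclosing method body starts and ends outside the hunk.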
@@ -1905,8 +1906,16 @@ class cert_find(Search, CertMethod):
                 try:
                     ca_obj = ca_objs[cacn]
                 except KeyError:
-                    ca_obj = ca_objs[cacn] = (
-                        self.api.Command.ca_show(cacn, all=True)['result'])
+                    try:
+                        ca_obj = ca_objs[cacn] = (
+                            self.api.Command.ca_show(
+                                cacn, all=True)['result'])
+                    except errors.NotFound:
+                        # If we have inserted a CA DN because the
+                        # LWCA was deleted then ca-show of it will
+                        # fail as NotFound. There is no chain to
+                        # retrieve.
+                        ca_obj = []
 
                 obj.update(
                     ra.get_certificate(serial_number)
-- 
2.47.0
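Review bot: On the NotFound path the new code sets `ca_obj = []`, a different type from the dict that `ca_show(...)['result']` yields on the success branch, and unlike that branch it does not store the result in `ca_objs`, so every further certificate from the same missing CA repeats the `ca_show` call and its NotFound round-trip. Keeping the type consistent and caching the miss is a one-line change: `ca_obj = ca_objs[cacn] = {}`. Whether `[]` is otherwise harmless depends on how the code after the hunk reads `ca_obj` (`in` works on both, `.get` does not on a list); that code is outside the hunk. The `cacn` value here can be the issuer DN substituted earlier in this method, which is what makes NotFound the expected failure; if `ca_show` validates its name argument before the lookup, a different error type could escape this handler, so that is worth confirming against `ca_show`. The enclosing method body starts and ends outside the hunk.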