From 7674f9f93ed1e075ca7256677a1559d73fe1be75 Mon Sep 17 00:00:00 2001
From: Waqar Ahmed
Date: Thu, 5 Sep 2024 06:21:59 +0500
Subject: [PATCH] Account for trusted store key in cert service
---
 .../middlewared/plugins/crypto_/cert_entry.py | 2 +-
 .../plugins/crypto_/certificate_authorities.py | 1 -
 .../middlewared/plugins/crypto_/certificates.py | 15 ++++++++++++---
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/middlewared/middlewared/plugins/crypto_/cert_entry.py b/src/middlewared/middlewared/plugins/crypto_/cert_entry.py
index 0fb8ccd2d6459..38be5d00f2997 100644
--- a/src/middlewared/middlewared/plugins/crypto_/cert_entry.py
+++ b/src/middlewared/middlewared/plugins/crypto_/cert_entry.py
@@ -49,6 +49,7 @@
 Int('lifetime', null=True),
 Int('serial', null=True),
 Int('key_length', null=True),
+ Bool('add_to_trusted_store', default=False),
 Bool('chain', null=True),
 Bool('CA_type_existing'),
 Bool('CA_type_internal'),
@@ -68,5 +69,4 @@ def get_ca_result_entry():
 entry = copy.deepcopy(CERT_ENTRY)
 entry.name = 'certificateauthority_entry'
- entry.attrs['add_to_trusted_store'] = Bool('add_to_trusted_store')
 return entry
diff --git a/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py b/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py
index a5eca60258885..a53e18cebfb20 100644
--- a/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py
+++ b/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py
@@ -203,7 +203,6 @@ def set_defaults(attr):
 ('edit', _set_enum('create_type')),
 ('edit', _set_cert_extensions_defaults('cert_extensions')),
 ('rm', {'name': 'dns_mapping'}),
- ('add', Bool('add_to_trusted_store', default=False)),
 register=True
 ),
 )
diff --git a/src/middlewared/middlewared/plugins/crypto_/certificates.py b/src/middlewared/middlewared/plugins/crypto_/certificates.py
index 47e5c585387a4..49bd70aed5aaa 100644
--- a/src/middlewared/middlewared/plugins/crypto_/certificates.py
+++ b/src/middlewared/middlewared/plugins/crypto_/certificates.py
@@ -37,6 +37,7 @@ class CertificateModel(sa.Model):
 cert_renew_days = sa.Column(sa.Integer(), nullable=True, default=10)
 cert_acme_id = sa.Column(sa.ForeignKey('system_acmeregistration.id'), index=True, nullable=True)
 cert_revoked_date = sa.Column(sa.DateTime(), nullable=True)
+ cert_add_to_trusted_store = sa.Column(sa.Boolean(), default=False, nullable=False)
 class CertificateService(CRUDService):
@@ -199,6 +200,7 @@ async def validate_common_attributes(self, data, schema_name):
 Str('digest_algorithm', enum=['SHA224', 'SHA256', 'SHA384', 'SHA512']),
 List('san', items=[Str('san')]),
 Ref('cert_extensions'),
+ Bool('add_to_trusted_store', default=False),
 register=True
 ),
 )
@@ -327,7 +329,7 @@ async def do_create(self, job, data):
 ).items() if k in [
 'name', 'certificate', 'CSR', 'privatekey', 'type', 'signedby', 'acme', 'acme_uri',
- 'domains_authenticators', 'renew_days'
+ 'domains_authenticators', 'renew_days', 'add_to_trusted_store',
 ]
 }
@@ -554,6 +556,7 @@ async def create_internal(self, job, data):
 'certificate_update',
 Bool('revoked'),
 Int('renew_days', validators=[Range(min_=1, max_=30)]),
+ Bool('add_to_trusted_store'),
 Str('name'),
 ),
 )
@@ -594,7 +597,7 @@ async def do_update(self, job, id_, data):
 new.update(data)
- if any(new.get(k) != old.get(k) for k in ('name', 'revoked', 'renew_days')):
+ if any(new.get(k) != old.get(k) for k in ('name', 'revoked', 'renew_days', 'add_to_trusted_store')):
 verrors = ValidationErrors()
@@ -626,6 +629,12 @@ async def do_update(self, job, id_, data):
 'Certificate has already been revoked and this cannot be reversed'
 )
+ if not verrors and new['revoked'] and new['add_to_trusted_store']:
+ verrors.add(
+ 'certificate_update.add_to_trusted_store',
+ 'Revoked certificates cannot be added to system\'s trusted store'
+ )
+
 verrors.check()
 to_update = {'renew_days': new['renew_days']} if data.get('renew_days') else {}
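Review bot: `cert_add_to_trusted_store` is added as a `nullable=False` column with only a Python-side `default=False`, and the diffstat lists just the three plugin files, so nothing here creates the column or backfills rows that already exist in a deployed database. A Python `default` is applied only on inserts made through the ORM; existing rows need either a schema migration (presumably an alembic revision, which is not part of this patch) or a server-side default on the column, e.g. `sa.Column(sa.Boolean(), default=False, server_default=sa.false(), nullable=False)`. If the migration is intentionally in a separate commit, the description should say so. `CertificateModel` starts before the hunk.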
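Review bot: The new check in `do_update` tests the merged `new` dict, so a plain revocation request (`{'revoked': True}`) for a certificate whose `add_to_trusted_store` flag is already set is rejected with a message about adding it to the store, even though the request added nothing; the caller must clear the flag first and then revoke, which is an awkward path for the one operation that should never be delayed. Since a revoked certificate must not remain trusted, the safer shape is to drop the flag as part of revocation, e.g. `if new['revoked'] and not old.get('revoked'): new['add_to_trusted_store'] = False` before the validation, and keep the error only for a request that itself sets `add_to_trusted_store` on a revoked certificate (`data.get('add_to_trusted_store')`). The `not verrors` guard also suppresses this error whenever any unrelated validation error is present, so the caller only discovers it on a second attempt. `do_update` starts and ends outside the hunk.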
@@ -636,7 +645,7 @@ async def do_update(self, job, id_, data):
 'datastore.update',
 self._config.datastore,
 id_,
- {'name': new['name'], **to_update},
+ {'name': new['name'], 'add_to_trusted_store': new['add_to_trusted_store'], **to_update},
 {'prefix': self._config.datastore_prefix}
 )
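Review bot: The flag is now written to the datastore on every update, but none of the three files in this patch reacts to it changing; the removed `('add', Bool('add_to_trusted_store', default=False))` in certificate_authorities.py suggests the trust-store rebuild was previously driven from the CA side only, and no equivalent call for certificates appears here. If that rebuild reads only the CA table, a certificate with the flag set is stored but never installed, and — the direction that matters for security — clearing the flag or revoking the certificate never removes it from the system store. A refresh triggered when `new['add_to_trusted_store'] != old.get('add_to_trusted_store')` after this `datastore.update` would close the gap; if the refresh already happens in a hook elsewhere, a comment naming it on the `'add_to_trusted_store'` entry would save the next reader the search. The `datastore.update` call begins before the hunk and `do_update` continues after it.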