From abef79e45f5a4f6d166dce93e60a416db8daea41 Mon Sep 17 00:00:00 2001
From: Manoel Benedito Neto
Date: Thu, 21 Mar 2024 15:13:37 -0300
Subject: [PATCH] Update swanctl.conf cacerts w/ system-local-ca files

This commit introduces a new configuration for swanctl.conf file where cacerts references two system-local-ca files. The two files represents the last (system-local-ca-0.crt) and the current (system-local-ca-1.crt) certificates associated with system-local-ca.

The main goal of this implementation is to maintain SAs in all nodes during the update of system-local-ca certificate.

Test plan:
PASS: In a DX system with available enabled active status with IPsec server being executed from controller-0. Run "ipsec-client pxecontroller --opcode 1" in worker-0. Observe that certificates, keys and swanctl.conf files are created in worker-0 node. Observe that a security association is established between the hosts via "sudo swanctl --list-sas" command.
PASS: In a DX system with available enabled active status with IPsec server being executed from controller-0. Run "ipsec-client pxecontroller --opcode 2" in controller-1. Observe the previously created CertificateRequest was deleted and generated a new one for controller-1's node. The new certificate is sent to IPsec Client and stored with the swanctl rekey command executed sucessfully.

Story: 2010940
Task: 49777

Change-Id: I638932a602ed9423d20ed448e5aada499ef65d77
Signed-off-by: Manoel Benedito Neto
---
 .../sysinv/sysinv/sysinv/ipsec_auth/client/client.py | 8 +++++---
 .../sysinv/sysinv/sysinv/ipsec_auth/client/config.py | 2 +-
 .../sysinv/sysinv/ipsec_auth/common/constants.py | 12 ++++++++++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
index 5399160bf0..64fdd1ba4b 100644
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
@@ -98,7 +98,7 @@ class Client(object):
         message = {}
         puk1_data = utils.load_data(constants.TMP_PUK1_FILE)
-        puc_data = utils.load_data(constants.TRUSTED_CA_CERT_PATH)
+        puc_data = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
         LOG.info("Generate RSA Private Key (PRK2).")
         prk2 = self._generate_prk2()
@@ -154,14 +154,16 @@ class Client(object):
                 return False
             utils.save_data(constants.TMP_PUK1_FILE, key)
-            utils.save_data(constants.TRUSTED_CA_CERT_PATH, ca_cert)
+            utils.save_data(constants.TRUSTED_CA_CERT_1_PATH, ca_cert)
+            if self.op_code == constants.OP_CODE_INITIAL_AUTH:
+                utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, ca_cert)
         if self.state == State.STAGE_4:
             LOG.info("Received IPSec Auth CSR Response")
             cert = base64.b64decode(msg['cert'])
             digest = base64.b64decode(msg['hash'])
-            ca_cert = utils.load_data(constants.TRUSTED_CA_CERT_PATH)
+            ca_cert = utils.load_data(constants.TRUSTED_CA_CERT_1_PATH)
             data = msg['cert'].encode('utf-8')
             if self.op_code == constants.OP_CODE_INITIAL_AUTH:
diff --git a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
index 78e2ec0089..0a1d725add 100644
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
@@ -172,7 +172,7 @@ class StrongswanPuppet(object):
         # swanctl.add_remote('id', 'CN=ipsec-*')
         swanctl.add_remote('id', 'CN=*')
         swanctl.add_remote('auth', 'pubkey')
-        swanctl.add_remote('cacerts', constants.TRUSTED_CA_CERT_FILE)
+        swanctl.add_remote('cacerts', constants.TRUSTED_CA_CERT_FILES)
         swanctl.add_node('mode', 'transport')
         swanctl.add_node('start_action', 'trap')
diff --git a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py
index 4bde84f949..abc6a5b65d 100644
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/common/constants.py
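Review bot: The previous-CA slot `TRUSTED_CA_CERT_0_PATH` is written only when `self.op_code == constants.OP_CODE_INITIAL_AUTH`, so on every later run the incoming `ca_cert` overwrites `system-local-ca-1.crt` while `system-local-ca-0.crt` keeps whatever CA the node was first enrolled with; after a second rotation of system-local-ca the swanctl trust list would hold the original and the newest CA rather than the previous and current pair the commit description promises, and peers still presenting certificates from the intermediate CA would no longer validate. If a two-deep rotation is the intent, the non-initial path should shift the current file into slot 0 before it is overwritten, e.g. `elif os.path.exists(constants.TRUSTED_CA_CERT_1_PATH): utils.save_data(constants.TRUSTED_CA_CERT_0_PATH, utils.load_data(constants.TRUSTED_CA_CERT_1_PATH))` placed ahead of the `TRUSTED_CA_CERT_1_PATH` write (this assumes `utils.load_data`/`save_data` are plain file read/write and that `os` is imported, neither of which is visible here). Skipping that copy when the received CA is byte-identical to the current one would keep a routine re-auth from collapsing both slots to the same certificate. The enclosing method starts and ends outside the hunk.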
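Review bot: `cacerts` now names `system-local-ca-0.crt,system-local-ca-1.crt`, but nothing in this patch removes or renames the legacy `system-local-ca.crt` that a node provisioned before this change already has under `/etc/swanctl/x509ca/`; as far as I know `swanctl --load-creds` loads every certificate in that directory regardless of the per-connection `cacerts` list, so the old CA stays in the daemon's trust store until someone deletes it, while the two new names do not exist on such a node until the client runs initial auth again. Either the client's save path should remove the legacy file once both new files are written, or this line deserves a comment stating the assumption, e.g. `# Both files are created by the ipsec client during initial auth; the pre-rotation system-local-ca.crt is not cleaned up here`. Whether strongSwan refuses the conn or only logs a warning when one of the listed `cacerts` files is missing I cannot confirm from here. The enclosing `StrongswanPuppet` method starts and ends outside the hunk.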
@@ -24,9 +24,17 @@ NAMESPACE_DEPLOYMENT = 'deployment'
 CLUSTER_ISSUER_SYSTEM_LOCAL_CA = 'system-local-ca'
 SECRET_SYSTEM_LOCAL_CA = 'system-local-ca'
-TRUSTED_CA_CERT_FILE = 'system-local-ca.crt'
+# The system-local-ca certificates are stored by IPsec client
+# named w/ 0 or 1 in their names. The system-local-ca-0.crt file represents
+# the last tls certificate associated with system-local-ca,
+# while system-local-ca-1.crt file is the current certificate
+# associated with system-local-ca.
+TRUSTED_CA_CERT_FILE_0 = 'system-local-ca-0.crt'
+TRUSTED_CA_CERT_FILE_1 = 'system-local-ca-1.crt'
+TRUSTED_CA_CERT_FILES = TRUSTED_CA_CERT_FILE_0 + ',' + TRUSTED_CA_CERT_FILE_1
 TRUSTED_CA_CERT_DIR = '/etc/swanctl/x509ca/'
-TRUSTED_CA_CERT_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE
+TRUSTED_CA_CERT_0_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_0
+TRUSTED_CA_CERT_1_PATH = TRUSTED_CA_CERT_DIR + TRUSTED_CA_CERT_FILE_1
 CERT_SYSTEM_LOCAL_DIR = '/etc/swanctl/x509/'
 CERT_SYSTEM_LOCAL_PRIVATE_DIR = '/etc/swanctl/private/'
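Review bot: The new comment describes `system-local-ca-0.crt` as the "last tls certificate", but these files are the CA certificates swanctl uses to validate peer certificates (they live under `TRUSTED_CA_CERT_DIR = '/etc/swanctl/x509ca/'` and are fed to the connection's `cacerts` in config.py), and "last" reads as "most recent" where "previous" is meant. I would replace the five comment lines with something like `# CA certificates trusted for peer authentication. system-local-ca-0.crt holds the previous system-local-ca CA certificate and system-local-ca-1.crt the current one, so SAs survive a CA rotation; TRUSTED_CA_CERT_FILES is the comma-separated form swanctl.conf's cacerts expects.` Naming is also inconsistent between `TRUSTED_CA_CERT_FILE_0` and `TRUSTED_CA_CERT_0_PATH`; `TRUSTED_CA_CERT_PATH_0` / `TRUSTED_CA_CERT_PATH_1` would match the file constants, with the client.py call sites updated accordingly.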