From d95feb4950162d8e44fe17b53ef71058876d2ddb Mon Sep 17 00:00:00 2001
From: Andrew Jaffie
Date: Wed, 8 Aug 2018 14:59:58 -0400
Subject: [PATCH] Log messages now use CN, file permissions fixed, ca remove now will not remove CSR's that have already been signed.
---
 lib/cli/CMakeLists.txt | 2 +-
 lib/cli/caremovecommand.cpp | 17 +++++++++++++++--
 lib/cli/carestorecommand.cpp | 13 +++++++++++--
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/lib/cli/CMakeLists.txt b/lib/cli/CMakeLists.txt
index a87ee0e39..38756b5ce 100644
--- a/lib/cli/CMakeLists.txt
+++ b/lib/cli/CMakeLists.txt
@@ -5,8 +5,8 @@ set(cli_SOURCES
 apisetupcommand.cpp apisetupcommand.hpp
 apisetuputility.cpp apisetuputility.hpp
 calistcommand.cpp calistcommand.hpp
- carestorecommand.cpp carestorecommand.hpp
 caremovecommand.cpp caremovecommand.hpp
+ carestorecommand.cpp carestorecommand.hpp
 casigncommand.cpp casigncommand.hpp
 clicommand.cpp clicommand.hpp
 consolecommand.cpp consolecommand.hpp
diff --git a/lib/cli/caremovecommand.cpp b/lib/cli/caremovecommand.cpp
index a174d9e57..b833750f9 100644
--- a/lib/cli/caremovecommand.cpp
+++ b/lib/cli/caremovecommand.cpp
@@ -61,12 +61,25 @@ int CARemoveCommand::Run(const boost::program_options::variables_map& vm, const
 << "No request exists for fingerprint '" << ap[0] << "'.";
 return 1;
 }
- Utility::SaveJsonFile(ApiListener::GetCertificateRequestsDir() + "/" + ap[0] + ".removed", 700, Utility::LoadJsonFile(requestFile));
+
+ Dictionary::Ptr request = Utility::LoadJsonFile(requestFile);
+ std::shared_ptr certRequest = StringToCertificate(request->Get("cert_request"));
+
+ if (!certRequest) {
+ Log(LogCritical, "cli", "Certificate request is invalid. Could not parse X.509 certificate for the 'cert_request' attribute.");
+ return 1;
+ }
+ if (request->Contains("cert_response")) {
+ Log(LogCritical, "cli", "Certificate request already signed, you cannot remove it.");
+ return 1;
+ }
+
+ Utility::SaveJsonFile(ApiListener::GetCertificateRequestsDir() + "/" + ap[0] + ".removed", 0600, request);
 if(remove(requestFile.CStr()) != 0) return 1;
 Log(LogInformation, "cli")
- << "Certificate " << ap[0] << " removed.";
+ << "Certificate for CN " << GetCertificateCN(certRequest) << " removed.";
 return 0;
 }
diff --git a/lib/cli/carestorecommand.cpp b/lib/cli/carestorecommand.cpp
index 0a232a84d..8a01acb91 100644
--- a/lib/cli/carestorecommand.cpp
+++ b/lib/cli/carestorecommand.cpp
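Review bot: The new informational log line drops the fingerprint `ap[0]` that the old message carried and keeps only the CN read out of the request itself; the CN is chosen by the requesting node and is not unique across requests, so an operator can no longer match the log entry back to the `.removed` file without it. Keep both identifiers: `<< "Certificate request for CN '" << GetCertificateCN(certRequest) << "' (fingerprint " << ap[0] << ") removed.";`. The same applies to the log line in the `carestorecommand.cpp` hunk, although there the fingerprint still survives inside the suggested `ca sign` command. Separately, `request->Get("cert_request")` is dereferenced without checking the result of `Utility::LoadJsonFile`; if that helper can hand back a null `Dictionary::Ptr` for a malformed file rather than throwing, a guard such as `if (!request) { Log(LogCritical, "cli", "Could not load certificate request file."); return 1; }` belongs before the parse, in this hunk and in the restore hunk alike. CARemoveCommand::Run begins before this hunk.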
@@ -61,12 +61,21 @@ int CARestoreCommand::Run(const boost::program_options::variables_map& vm, const
 << "No removed request exists for fingerprint '" << ap[0] << "'.";
 return 1;
 }
- Utility::SaveJsonFile(ApiListener::GetCertificateRequestsDir() + "/" + ap[0] + ".json", 700, Utility::LoadJsonFile(requestFile));
+
+ Dictionary::Ptr request = Utility::LoadJsonFile(requestFile);
+ std::shared_ptr certRequest = StringToCertificate(request->Get("cert_request"));
+
+ if (!certRequest) {
+ Log(LogCritical, "cli", "Certificate request is invalid. Could not parse X.509 certificate for the 'cert_request' attribute.");
+ return 1;
+ }
+
+ Utility::SaveJsonFile(ApiListener::GetCertificateRequestsDir() + "/" + ap[0] + ".json", 0600, request);
 if(remove(requestFile.CStr()) != 0) return 1;
 Log(LogInformation, "cli")
- << "Certificate " << ap[0] << " restored, you can now sign it using:\n"
+ << "Certificate " << GetCertificateCN(certRequest) << " restored, you can now sign it using:\n"
 << "\"icinga2 ca sign " << ap[0] << "\"";
 return 0;
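Review bot: The restore log line prints `"Certificate "` followed directly by the raw CN, while the remove hunk in this same patch prints "Certificate for CN …"; the two messages should share one wording, and because the CN is free text supplied by the requesting node it should be delimited so a value containing spaces still reads unambiguously: `<< "Certificate request for CN '" << GetCertificateCN(certRequest) << "' restored, you can now sign it using:\n"`. The object being restored is a signing request rather than an issued certificate, so "Certificate request" is also the more accurate noun in both commands. CARestoreCommand::Run begins before this hunk and its closing brace lies after it.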