feat: pass the enrollment CSR to Person creation and skip keypair generation if CSR is provided

rambo · rambo · commit d428f1e7a85c · 2025-05-17T12:51:37.000+03:00
diff --git a/src/rasenmaeher_api/db/enrollments.py b/src/rasenmaeher_api/db/enrollments.py
@@ -181,7 +181,7 @@ async def by_pk_or_callsign(cls, inval: Union[str, uuid.UUID]) -> "Enrollment":
     async def approve(self, approver: Person) -> Person:
         """Creates the person record, their certs etc"""
         with EngineWrapper.get_session() as session:
-            person = await Person.create_with_cert(self.callsign, extra=self.extra)
+            person = await Person.create_with_cert(self.callsign, extra=self.extra, csrpem=self.csr)
             self.state = EnrollmentState.APPROVED
             self.decided_by = approver.pk
             self.decided_on = datetime.datetime.now(datetime.UTC)
diff --git a/src/rasenmaeher_api/db/people.py b/src/rasenmaeher_api/db/people.py
@@ -90,8 +90,11 @@ async def by_pk_or_callsign(cls, inval: Union[str, uuid.UUID], allow_deleted: bo
             return await cls.by_callsign(str(inval), allow_deleted)
 
     @classmethod
-    async def create_with_cert(cls, callsign: str, extra: Optional[Dict[str, Any]] = None) -> "Person":
+    async def create_with_cert(
+        cls, callsign: str, extra: Optional[Dict[str, Any]] = None, csrpem: Optional[str] = None
+    ) -> "Person":
         """Create the cert etc and save the person"""
+        # FIXME: Verify the CSR has the callsign as CN
         cnf = RMSettings.singleton()
         if callsign in cnf.valid_product_cns:
             raise CallsignReserved("Using product CNs as callsigns is forbidden")
@@ -110,8 +113,11 @@ async def create_with_cert(cls, callsign: str, extra: Optional[Dict[str, Any]] =
                 newperson = Person(pk=puuid, callsign=callsign, certspath=str(certspath), extra=extra)
                 session.add(newperson)
                 session.commit()
-                ckp = await async_create_keypair(newperson.privkeyfile, newperson.pubkeyfile)
-                csrpem = await async_create_client_csr(ckp, newperson.csrfile, newperson.certsubject)
+                if csrpem:
+                    newperson.csrfile.write_text(csrpem, encoding="utf-8")
+                else:
+                    ckp = await async_create_keypair(newperson.privkeyfile, newperson.pubkeyfile)
+                    csrpem = await async_create_client_csr(ckp, newperson.csrfile, newperson.certsubject)
                 certpem = (await sign_csr(csrpem)).replace("\\n", "\n")
                 newperson.certfile.write_text(certpem)
             except Exception as exc:
@@ -150,7 +156,10 @@ async def create_pfx(self) -> Path:
         def write_pfx() -> None:
             """Do the IO"""
             nonlocal self
-            p12bytes = convert_pem_to_pkcs12(self.certfile, self.privkeyfile, self.callsign, None, self.callsign)
+            if self.privkeyfile.exists():
+                p12bytes = convert_pem_to_pkcs12(self.certfile, self.privkeyfile, self.callsign, None, self.callsign)
+            else:
+                p12bytes = convert_pem_to_pkcs12(self.certfile, None, self.callsign, None, self.callsign)
             self.pfxfile.write_bytes(p12bytes)
 
         await asyncio.get_event_loop().run_in_executor(None, write_pfx)
