Fix/policy attachment (#449)

tombosmansibm · web-flow · commit e68760ce47e6 · 2025-09-26T15:20:07.000+02:00
* fix: don't use policyCombining algoritm for application

* fix: update test

* fix: update scim test

* documentation: wip

* feature: also support cert as a string

* fix: trivial typo

* feature: import signer cert as string

* feature: test signer certs

* fix: change test

* build: don't include test directory

* documentation: update changelog

* documentation: update changelog

* build: exclude test

* build: exclude test, in MANIFEST.in (does not work for me in pyproject nor setup)
diff --git a/.gitignore b/.gitignore
@@ -98,6 +98,7 @@ ENV/
 
 # Test Script
 test.py
+/test/scripts/
 
 # Read the docs
 _readthedocs/
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1 +1,2 @@
-include LICENSE.txt
+include LICENSE
+prune test
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -2,6 +2,14 @@
 
 ## Latest
 
+## 2025.9.26.0
+
+- fix: policy attachments application can take 2 formats, /uri or urn:x:y
+- fix: Update scim test
+- fix: fed/federations.py - handle exception when retrieving existing mapping rules (#448)
+- build: exclude test folder from build
+- feature: signer cert support for string (in addition to file)
+
 ## 2025.7.14.0
 
 - fix: certificate_databases : python syntax (indentation)
diff --git a/ibmsecurity/isam/aac/access_control/policy_attachments.py b/ibmsecurity/isam/aac/access_control/policy_attachments.py
@@ -158,7 +158,12 @@ def config(
 
     json_data["policies"] = _convert_policy_name_to_id(isamAppliance, policies)
     if policyCombiningAlgorithm is not None:
-        json_data["policyCombiningAlgorithm"] = policyCombiningAlgorithm
+        if policyType is not None and policyType == "application":
+            warnings.append(
+                "Do not set policy combining algorithm for application type"
+            )
+        else:
+            json_data["policyCombiningAlgorithm"] = policyCombiningAlgorithm
     if cache is not None:
         if tools.version_compare(isamAppliance.facts["version"], "9.0.3.0") < 0:
             warnings.append(
@@ -325,7 +330,8 @@ def publish(isamAppliance, server, resourceUri, check_mode=False, force=False):
     ret_obj = get(isamAppliance, server, resourceUri)
 
     deploy_required = False
-    if ret_obj.get("data", {}).get("deployrequired", False) or not ret_obj.get("data", {}).get("deployed", False):
+    # skip application type for deployment.
+    if (ret_obj.get("data", {}).get("type", "reverse_proxy") == "reverse_proxy") and (ret_obj.get("data", {}).get("deployrequired", False) or not ret_obj.get("data", {}).get("deployed", False)):
         deploy_required = True
 
     logger.debug(f"\n\nDeploy required: {deploy_required}\n\n")
diff --git a/ibmsecurity/isam/base/ssl_certificates/signer_certificate.py b/ibmsecurity/isam/base/ssl_certificates/signer_certificate.py
@@ -85,8 +85,7 @@ def _check_load(isamAppliance, kdb_id, label, server, port):
         cert_id = cert_data['id']
         cert_pem = get(isamAppliance, kdb_id, cert_id)['data']['contents']
         if cert_id == label:  # label exists on appliance already
-            logger.debug(f"Comparing certificates: appliance[{cert_pem}] remote[{remote_cert_pem}].")
-            if cert_pem == remote_cert_pem:  # certificate data is the same
+            if cert_pem == remote_cert_pem:
                 logger.debug("The certificate already exits on the appliance with the same label name and same content.")
                 return True  # both the labels and certificates match
             else:
@@ -136,7 +135,7 @@ def export_cert(isamAppliance, kdb_id, cert_id, filename, check_mode=False, forc
     """
     import os.path
 
-    if force is True or _check(isamAppliance, kdb_id, cert_id) is True:
+    if force or _check(isamAppliance, kdb_id, cert_id):
         if check_mode is False:  # No point downloading a file if in check_mode
             return isamAppliance.invoke_get_file(
                 "Export a certificate database",
@@ -149,36 +148,55 @@ def export_cert(isamAppliance, kdb_id, cert_id, filename, check_mode=False, forc
 def import_cert(isamAppliance, kdb_id, cert, label, preserve_label='false', check_mode=False, force=False):
     """
     Importing a signer certificate into a certificate database
+    cert can be a file or a string
     """
-    if force is True or _check_import(isamAppliance, kdb_id, label, cert, check_mode=check_mode):
-        if check_mode is True:
-            return isamAppliance.create_return_object(changed=True)
-        else:
-            if version_compare(isamAppliance.facts['version'], "10.0.5.0") < 0:
-                return isamAppliance.invoke_post_files(
-                    "Importing a signer certificate into a certificate database",
-                    f"/isam/ssl_certificates/{kdb_id}/signer_cert",
-                    [
-                        {
-                            'file_formfield': 'cert',
-                            'filename': cert,
-                            'mimetype': 'application/octet-stream'
-                        }
-                    ],
-                    {'label': label})
-            else:
-                return isamAppliance.invoke_post_files(
-                    "Importing a signer certificate into a certificate database",
-                    f"/isam/ssl_certificates/{kdb_id}/signer_cert",
-                    [
-                        {
-                            'file_formfield': 'cert',
-                            'filename': cert,
-                            'mimetype': 'application/octet-stream'
-                        }
-                    ],
-                    {'label': label,
-                    'preserve_label': preserve_label})
+    # Let's do some simple check
+    # check if the string begins with -----BEGIN CERTIFICATE-----
+    # so simply check if it's a long string
+    if cert.startswith('-----BEGIN CERTIFICATE-----'):
+      if force or _check_import_string(isamAppliance, kdb_id, label, cert, check_mode=check_mode):
+          if check_mode:
+              return isamAppliance.create_return_object(changed=True)
+          else:
+              json_data = {}
+              json_data['label'] = label
+              json_data['cert'] = cert
+              json_data['operation'] = "import" # this is missing from the documentation.
+              if version_compare(isamAppliance.facts['version'], "10.0.5.0") >= 0:
+                  json_data['preserve_label'] = preserve_label
+              return isamAppliance.invoke_post("Create signer cert from certificate string",
+                                               f"/isam/ssl_certificates/{kdb_id}/signer_cert",
+                                               json_data)
+    else:
+      if force or _check_import(isamAppliance, kdb_id, label, cert, check_mode=check_mode):
+          if check_mode:
+              return isamAppliance.create_return_object(changed=True)
+          else:
+              if version_compare(isamAppliance.facts['version'], "10.0.5.0") < 0:
+                  return isamAppliance.invoke_post_files(
+                      "Importing a signer certificate into a certificate database",
+                      f"/isam/ssl_certificates/{kdb_id}/signer_cert",
+                      [
+                          {
+                              'file_formfield': 'cert',
+                              'filename': cert,
+                              'mimetype': 'application/octet-stream'
+                          }
+                      ],
+                      {'label': label})
+              else:
+                  return isamAppliance.invoke_post_files(
+                      "Importing a signer certificate into a certificate database",
+                      f"/isam/ssl_certificates/{kdb_id}/signer_cert",
+                      [
+                          {
+                              'file_formfield': 'cert',
+                              'filename': cert,
+                              'mimetype': 'application/octet-stream'
+                          }
+                      ],
+                      {'label': label,
+                       'preserve_label': preserve_label})
 
     return isamAppliance.create_return_object()
 
@@ -196,6 +214,16 @@ def _check(isamAppliance, kdb_id, cert_id):
     return False
 
 
+def _check_import_string(isamAppliance, kdb_id, label, certstring, check_mode=False):
+    # TODO: DO SOMETHING
+    cert_pem = get(isamAppliance, kdb_id, label)['data']['contents']
+    if cert_pem.replace("\n", "") == certstring.replace("\n", ""):
+        logger.debug(f"Certificate already exists with same label {label}")
+        return False
+    else:
+        return True
+
+
 def _check_import(isamAppliance, kdb_id, cert_id, filename, check_mode=False):
     """
     Checks if certificate on the Appliance  exists and if so, whether it is different from
diff --git a/pyproject.toml b/pyproject.toml
@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "ibmsecurity"
-version = "2025.7.14.0"
+version = "2025.9.26.0"
 authors = [
   { name="IBM", email="secorch@wwpdl.vnet.ibm.com" },
 ]
@@ -34,6 +34,13 @@ dependencies = {file = [".config/requirements.in"]}
 optional-dependencies.docs = {file = [".config/requirements-docs.in"]}
 optional-dependencies.test = {file = [".config/requirements-test.in"]}
 
+[tool.setuptools.packages.find]
+exclude = [
+    "test",
+    "test.*"
+]
+namespaces = false
+
 [tool.pytest]
 env_files = ".env"
 
diff --git a/setup.py b/setup.py
@@ -2,10 +2,10 @@
 
 setup(
     name="ibmsecurity",
-    packages=find_packages(),
+    packages=find_packages(exclude=["test.*","test"]),
     # Date of release used for version - please be sure to use YYYY.MM.DD.seq#, MM and DD should be two digits e.g. 2017.02.05.0
     # seq# will be zero unless there are multiple release on a given day - then increment by one for additional release for that date
-    version="2025.7.14.0",
+    version="2025.9.26.0",
     description="Idempotent functions for IBM Security Appliance REST APIs",
     author="IBM",
     author_email="secorch@wwpdl.vnet.ibm.com",
diff --git a/test/test_aac_access_control.py b/test/test_aac_access_control.py
@@ -167,13 +167,8 @@ def getPolicyAttachmentData():
          "cache": 0
          },
         {"server": "mobileApp",
-         "resourceUri": "/somethingelseApp",
-         "policyCombiningAlgorithm": "denyOverrides",
-         "policies": [
-             {"name": "Test Access Control Policy",
-              "type": "policy"
-              }
-         ],
+         "resourceUri": "urn:isbn:0-486-27557-4",
+         "policies": [],
          "type": "application",
          "cache": 0
          },
diff --git a/test/test_aac_scim.py b/test/test_aac_scim.py
diff --git a/test/test_base_management_authentication.py b/test/test_base_management_authentication.py
diff --git a/test/test_base_runtime_tuning.py b/test/test_base_runtime_tuning.py
diff --git a/test/test_base_signercerts.py b/test/test_base_signercerts.py

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-include LICENSE.txt`
	`1`	`+include LICENSE`
	`2`	`+prune test`