test(OpenVPNClientExport): ensure model handles crtid ambiguity #756

jaredhendrickson13 · jaredhendrickson13 · commit e90d7157d08f · 2025-10-06T17:00:21.000-06:00
This test ensures that the OpenVPNClientExport model correctly locates the target cert's 'crtid' before providing it to pfSense function. This is necessary as pfSense will change the meaning of crtid for various factors.
diff --git a/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Models/OpenVPNClientExport.inc b/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Models/OpenVPNClientExport.inc
@@ -257,7 +257,7 @@ class OpenVPNClientExport extends Model {
         return openvpn_client_export_config(
             srvid: $this->server->value,
             usrid: $this->username->value ? $this->username->get_related_model()->id : null,
-            crtid: $this->__get_crtid_from_certref(),
+            crtid: $this->locate_crtid(),
             useaddr: $this->useaddr_hostname->value ?? $this->useaddr->value,
             verifyservercn: $this->verifyservercn->value,
             blockoutsidedns: $this->blockoutsidedns->value,
@@ -291,7 +291,7 @@ class OpenVPNClientExport extends Model {
         return openvpn_client_export_installer(
             srvid: $this->server->value,
             usrid: $this->username->value ? $this->username->get_related_model()->id : null,
-            crtid: $this->__get_crtid_from_certref(),
+            crtid: $this->locate_crtid(),
             useaddr: $this->useaddr_hostnam->value ?? $this->useaddr->value,
             verifyservercn: $this->verifyservercn->value,
             blockoutsidedns: $this->blockoutsidedns->value,
@@ -319,7 +319,7 @@ class OpenVPNClientExport extends Model {
         return viscosity_openvpn_client_config_exporter(
             srvid: $this->server->value,
             usrid: $this->username->value ? $this->username->get_related_model()->id : null,
-            crtid: $this->__get_crtid_from_certref(),
+            crtid: $this->locate_crtid(),
             useaddr: $this->useaddr_hostname->value ?? $this->useaddr->value,
             verifyservercn: $this->verifyservercn->value,
             blockoutsidedns: $this->blockoutsidedns->value,
@@ -343,7 +343,7 @@ class OpenVPNClientExport extends Model {
      * 'system/user/{$usrid}/cert' config path.
      * @returns int|null The crtid value pfSense expects for a given certref, or null if no certref is set.
      */
-    private function __get_crtid_from_certref(): int|null {
+    public function locate_crtid(): int|null {
         # If no certref is set, return null
         if (!$this->certref->value) {
             return null;
@@ -361,8 +361,8 @@ class OpenVPNClientExport extends Model {
             $ovpnsrv->mode->value === 'server_tls_user' and
             $ovpnsrv->authmode->value === ['Local Database']
         ) {
-            foreach ($user->cert->get_config() as $idx => $user_cert) {
-                if ($user_cert['refid'] === $cert->id) {
+            foreach ($user->cert->value as $idx => $user_cert) {
+                if ($user_cert === $cert->refid->value) {
                     return $idx;
                 }
             }
diff --git a/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Tests/APIModelsOpenVPNClientExportTestCase.inc b/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Tests/APIModelsOpenVPNClientExportTestCase.inc
@@ -441,4 +441,41 @@ class APIModelsOpenVPNClientExportTestCase extends TestCase {
         $this->assert_is_true(!ctype_print($export->binary_data->value));
         $this->assert_is_false(file_exists("/tmp/{$export->filename->value}"));
     }
+
+    /**
+     * Ensures we can exporta config for a server using the 'server_tls_user' mode, a user cert, and local database
+     * auth. This is a regression test for issue #756. This is a necessary test distinction as pfSense will change the
+     * meaning of the crtid passed into certain pfSense functions based on the server mode and authmode.
+     */
+    public function test_create_with_server_tls_user_and_local_database(): void {
+        # First, update the OpenVPNServer to use the 'server_tls_user' mode and local database auth
+        $this->ovpns->mode->value = 'server_tls_user';
+        $this->ovpns->authmode->value = ["Local Database"];
+        $this->ovpns->update();
+
+        # Setup the export
+        $export = new OpenVPNClientExport(
+            id: $this->ovpnce->id,
+            type: 'confinline',
+            username: $this->user->name->value,
+            certref: $this->user_cert->refid->value,
+        );
+
+        # Ensure the certref's object ID does NOT match the determined crtid. These should not match because
+        # pfSense now refers to the crtid as the index of the cert in the system/user config, NOT the cert config
+        # like usual.
+        $this->assert_not_equals(
+            $this->user_cert->refid->get_related_model()->id,
+            $export->locate_crtid()
+        );
+
+        # Ensure we can complete the export as intended and that the embedded cert is correct
+        $export->create();
+        $this->assert_is_not_empty($export->binary_data->value);
+        $this->assert_str_contains($export->binary_data->value, $this->user_cert->crt->value);
+
+        # Reset the server mode and authmode for other tests
+        $this->ovpns->mode->value = 'server_tls';
+        $this->ovpns->update();
+    }
 }
