fix: filter CA ID from OU only when certificate not generated

The CA ID (libresign-ca-id:...) in OrganizationalUnit should only be
filtered out when the certificate is not generated (isSetupOk() returns
false). When the certificate is successfully generated, the CA ID must
be preserved in the API response.

This ensures:
- Generated certificates: CA ID is visible (expected behavior)
- Failed/not generated: CA ID is filtered to prevent stale data in form

Integration tests validated:
- features/account/signature.feature:2 (OpenSSL)
- features/account/signature.feature:23 (CFSSL)
- features/admin/certificate_openssl.feature:2
- features/admin/certificate_openssl.feature:35

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

lib/Handler/CertificateEngine/AEngineHandler.php

@@ -738,7 +738,7 @@ abstract class AEngineHandler implements IEngineHandler {
 		foreach ($names as $name => $value) {
 			$return['rootCert']['names'][] = [
 				'id' => $name,
-				'value' => $this->filterNameValue($name, $value),
+				'value' => $this->filterNameValue($name, $value, $generated),
 			];
 		}
 		return $return;
@@ -748,9 +748,10 @@ abstract class AEngineHandler implements IEngineHandler {
 		return $generated ? $this->getCurrentConfigPath() : '';
 	}
 
-	private function filterNameValue(string $name, mixed $value): mixed {
+	private function filterNameValue(string $name, mixed $value, bool $generated): mixed {
-		if ($name === 'OU' && is_array($value)) {
+		if ($name === 'OU' && is_array($value) && !$generated) {
-			return $this->removeCaIdFromOrganizationalUnit($value);
+			$filtered = $this->removeCaIdFromOrganizationalUnit($value);
+			return empty($filtered) ? null : $filtered;
 		}
 		return $value;
 	}

tests/php/Unit/Handler/CertificateEngine/AEngineHandlerTest.php

@@ -291,35 +291,43 @@ final class AEngineHandlerTest extends \OCA\Libresign\Tests\Unit\TestCase {
 	}
 
 	#[DataProvider('dataProviderToArrayCaIdFiltering')]
-	public function testToArrayFiltersCaIdFromOrganizationalUnit(
+	public function testToArrayFiltersCaIdFromOrganizationalUnitWhenNotGenerated(
+		bool $certificateGenerated,
 		array $organizationalUnits,
 		array $expectedOuValues,
 		string $description,
 	): void {
 		$instance = $this->getInstance();
 
+		$tempPath = $this->tempManager->getTemporaryFolder('test-config');
+		$instance->setConfigPath($tempPath);
 		$instance->setOrganizationalUnit($organizationalUnits);
 		$instance->setCountry('BR');
 
+		if ($certificateGenerated) {
+			file_put_contents($tempPath . DIRECTORY_SEPARATOR . 'ca.pem', 'fake-cert');
+			file_put_contents($tempPath . DIRECTORY_SEPARATOR . 'ca-key.pem', 'fake-key');
+		}
+
 		$result = $instance->toArray();
 
-		$ouFound = false;
+		$ouFound = null;
 		foreach ($result['rootCert']['names'] as $name) {
 			if ($name['id'] === 'OU') {
-				$ouFound = true;
+				$ouFound = $name['value'];
-				$this->assertEquals(
-					$expectedOuValues,
-					$name['value'],
-					"OrganizationalUnit should filter CA IDs: $description"
-				);
 				break;
 			}
 		}
 
 		if (!empty($expectedOuValues)) {
-			$this->assertTrue($ouFound, "OU should be present in names array: $description");
+			$this->assertNotNull($ouFound, "OU should be present in names array: $description");
+			$this->assertEquals(
+				$expectedOuValues,
+				$ouFound,
+				"OrganizationalUnit filtering: $description"
+			);
 		} else {
-			$this->assertFalse($ouFound, "OU should not be present when filtered to empty: $description");
+			$this->assertNull($ouFound, "OU should not be present when filtered to empty: $description");
 		}
 	}
 
@@ -364,30 +372,41 @@ final class AEngineHandlerTest extends \OCA\Libresign\Tests\Unit\TestCase {
 
 	public static function dataProviderToArrayCaIdFiltering(): array {
 		return [
-			'OU without CA ID' => [
+			'OU without CA ID - not generated' => [
+				false,
 				['Engineering', 'Security'],
 				['Engineering', 'Security'],
-				'normal OU values should pass through',
+				'normal OU values should pass through when not generated',
 			],
-			'OU with CA ID at start' => [
+			'OU without CA ID - generated' => [
+				true,
+				['Engineering', 'Security'],
+				['Engineering', 'Security'],
+				'normal OU values should pass through when generated',
+			],
+			'OU with CA ID - not generated (filtered)' => [
+				false,
 				['libresign-ca-id:abc123_g:1_e:openssl', 'Engineering', 'Security'],
 				['Engineering', 'Security'],
-				'CA ID at start should be filtered out',
+				'CA ID should be filtered when certificate not generated',
 			],
-			'OU with CA ID in middle' => [
+			'OU with CA ID - generated (kept)' => [
-				['Engineering', 'libresign-ca-id:abc123_g:1_e:openssl', 'Security'],
+				true,
-				['Engineering', 'Security'],
+				['libresign-ca-id:abc123_g:1_e:openssl', 'Engineering', 'Security'],
-				'CA ID in middle should be filtered out',
+				['libresign-ca-id:abc123_g:1_e:openssl', 'Engineering', 'Security'],
+				'CA ID should be kept when certificate is generated',
 			],
-			'OU with CA ID at end' => [
+			'OU with only CA ID - not generated' => [
-				['Engineering', 'Security', 'libresign-ca-id:abc123_g:1_e:openssl'],
+				false,
-				['Engineering', 'Security'],
+				['libresign-ca-id:abc123_g:1_e:openssl'],
-				'CA ID at end should be filtered out',
+				[],
+				'OU should be empty when only CA ID and not generated',
 			],
-			'OU with multiple CA IDs' => [
+			'OU with only CA ID - generated' => [
-				['libresign-ca-id:abc123_g:1_e:openssl', 'Engineering', 'libresign-ca-id:xyz789_g:2_e:cfssl', 'Security'],
+				true,
-				['Engineering', 'Security'],
+				['libresign-ca-id:abc123_g:1_e:openssl'],
-				'multiple CA IDs should be filtered out',
+				['libresign-ca-id:abc123_g:1_e:openssl'],
+				'OU with only CA ID should be kept when generated',
 			],
 		];
 	}