areguera / rpms / ipa

Forked from rpms/ipa 5 years ago

SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch

ad1545
From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 29 Nov 2018 15:41:33 +0100
Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert

Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value

The upgrade should finish successfully and repair
the double-encoded cert.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -6,6 +6,9 @@
 Module provides tests to verify that the upgrade script works.
 """
 
+import base64
+from cryptography.hazmat.primitives import serialization
+from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_plugins.integration import tasks
 
@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest):
         cmd = self.master.run_command(['ipa-server-upgrade'],
                                       raiseonerr=False)
         assert cmd.returncode == 0
+
+    def test_double_encoded_cacert(self):
+        """Test for BZ 1644874
+
+        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
+        could contain a double-encoded cert, which leads to ipa-server-upgrade
+        failure.
+        Force a double-encoded value then call upgrade to check the fix.
+        """
+        # Read the current entry from LDAP
+        ldap = self.master.ldap_connect()
+        basedn = self.master.domain.basedn  # pylint: disable=no-member
+        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
+        # Extract the certificate as DER then double-encode
+        cacert = entry['cacertificate;binary'][0]
+        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
+        cacert_b64 = base64.b64encode(cacert_der)
+        # overwrite the value with double-encoded cert
+        entry.single_value['cACertificate;binary'] = cacert_b64
+        ldap.update_entry(entry)  # pylint: disable=no-member
+
+        # try the upgrade
+        self.master.run_command(['ipa-server-upgrade'])
+
+        # read the value after upgrade, should be fixed
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
+        try:
+            _cacert = entry['cacertificate;binary']
+        except ValueError:
+            raise AssertionError('%s contains a double-encoded cert'
+                                 % entry.dn)
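Review bot: the post-upgrade check in this hunk (`_cacert = entry['cacertificate;binary']` under `try`/`except ValueError`) only proves that the stored value parses as a certificate again; it does not prove that the upgrade restored the original CA certificate rather than some other parseable value. Since `cacert_der` is still in scope from before the overwrite, consider asserting on it, e.g. `assert entry['cacertificate;binary'][0].public_bytes(serialization.Encoding.DER) == cacert_der`. Two smaller points: the attribute is read as `cacertificate;binary` but written as `cACertificate;binary` (LDAP attribute types are case-insensitive, so both resolve to the same attribute, but one spelling is easier to grep), and the success check depends on entry access raising `ValueError` when the value is still double-encoded, which is the failure the docstring attributes to ipa-server-upgrade; a one-line comment above the `try` saying that a `ValueError` here means the value was left double-encoded would make the `except` self-explanatory.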
-- 
2.17.2